June 8, 2012 - County Website Attacked On Election Night: Ballot counting not affected, but access to voting results limited
Paper: U-T San Diego (CA)
Title: County Website Attacked On Election Night: Ballot counting not affected, but access to voting results limited
Date: June 8, 2012
Author: Jen Lebron Kuhney, U-T
San Diego County and Hewlett-Packard are investigating what appeared to be a deliberate attempt to shut down the county's public website on election night Tuesday when a high number of people were trying to access information from the county Registrar of Voters.
Officials said Thursday the disruption to the county's main website sdcounty.ca.gov did not affect ballot counting but limited public access to voting results during a high-traffic period.
"We can't be completely sure they were not trying to get into the system, but we have no reason to believe the attack was election-related," said Michael Workman, a spokesman for the county.
The disruption began about 8:15 p.m. and lasted until nearly 10 p.m. The county's firewall recognized the attack as suspicious activity and closed off outside access to the county's websites, including sdvote.com where the election results were posted, for security purposes.
Workman said the sites were only able to come back online when the attack suddenly stopped on its own, though the IT department was doing everything it could to fend off the barrage of hits.
The county said the surge had come from a single, unknown, offshore IP address — a string of numbers that identifies a computer — that sent a flurry of more than one million hits per minute. However, just because an IP address is listed as coming from another country does not mean the attacker is working on foreign soil.
Hewlett-Packard, which provides IT services for the county, said that the event was a distributed denial-of-service attack, in which an attacker saturates a server with overwhelming communication attempts so it cannot respond adequately to legitimate traffic. A distributed denial-of-service attack implies that more than one source was used to carry out the attack, which makes such attacks more difficult to combat than one coming from a single place, even though they can appear to come from the same IP address.
Denial-of-service attacks are fairly common ways to shut down websites. They differ from "hacking" in that they do not usually aim to compromise or mine data from a server.
Major sites such as Twitter, WikiLeaks, and Nasdaq have all been crippled by similar attacks.
Charles Renert, the vice president of Websense Labs, a San Diego Internet security firm, said government agencies have become a top-10 victim of denial-of-service attacks.
"It's not unusual for a government organization to receive a high number of hits for something like this," he said. "Doing this to send a political message or send a statement is becoming increasingly common with hacktivism causes."
Officials said they were unsure of the reasons the county was targeted.
Brendan McHugh, a deputy district attorney on the agency's Computer and Technology High-Tech Response Team, or "CATCH," said many businesses underreport or do not legally pursue denial-of-service attacks due to the potential costs to the company.
"You don't hear about attacks when it comes to corporations, because they make the business decision to weigh the costs of admitting they've had a security breach," he said.
The county's release said Hewlett-Packard ruled out any technical, hardware or software failure. The IT provider also said the county's website did not crash or fail and that no capacity overload occurred. Rather, the county's internal security system worked the way it was supposed to by detecting the malicious traffic and blocking other potential threats.
Renert said the security system followed a routine way of dealing with a denial-of-service attack.
The county and Hewlett-Packard are looking into who or what may have caused the attack and reviewing what measures can be taken to prevent something similar in the future.
McHugh said the maximum sentence for an individual conducting a denial-of-service attack is three years in state prison. San Diego has rarely, if ever, prosecuted an individual for such an attack, McHugh said.
Edition: First Edition
Record Number: UTS2291497
Copyright 2012, U-T San Diego