It takes a hacker — Ohio asks 'white hats' to find election security issues before nefarious hackers can

Local company 'discovered some things so far,' but nothing concerning
Posted at 4:31 PM, Oct 26, 2020
and last updated 2020-10-26 20:20:58-04

CLEVELAND — With just a few keystrokes, Rob Simon can swindle an online shop.

"They call me a shopping cart at work because I do a lot of shopping cart-related websites," he said.

And he likes doing it too.

"A lot of people can kind of relate to getting free items off of a website. So that's kind of one of the cooler things, I think," Simon said.

But only when he's asked.

Simon is a principal security consultant at TrustedSec, a technology security company.

His entire job is to find vulnerabilities in websites. He hacks companies to help them stay secure.

Now, he's taking a look at Ohio's election system security.

"I definitely think it's a good thing that they're looking at this if they're going to take a proactive step to try to take a look at any potential vulnerabilities."

Ohio Secretary of State Frank LaRose opened parts of the election system to a bug bounty program.

If an issue is found (that's the bug), it usually generates a bounty.

But the state isn't offering a reward.

It's all done under the mantle of democratic duty.

"But if they're not going to offer any kind of bounty, it doesn't really provide a lot of incentive other than getting your name out there," Simon said about who might peek behind the curtain to see where the system may be weak.

LaRose announced the project back in August. This crowd-sourced security sweep is the first of its kind for states.

Large companies like Amazon and Google, as well as banks around the world, already employ "white hat hackers" to find bugs and issues before more nefarious hackers can.

"Even without this bug bounty program in place, it doesn't necessarily stop bad people from looking at the sites that are already out there," Simon said.

Less than a year ago, that is exactly what happened.

In November of 2019, LaRose announced that a Russian-owned company tried to hack the state's election system. The attempt failed.

"You know, really a bug bounty is part of an information security program," said Alex Hamerstone, who works alongside Simon at TrustedSec. "So it's one element. It's one thing that you can do. It's one tool in the arsenal."

Hamerstone said the bug bounty is a good place to start, and it can't come soon enough.

On Oct. 22, the Federal Bureau of Investigation announced entities in Iran and Russia targeted Florida voters with a disinformation campaign.

"If you're able to get an entire list of names and addresses that might be off of there, that could be useful for social engineering," Simon said about why it is important to keep election sites safe.

"It kind of shows that they're open to learning about any flaws or vulnerabilities," Hamerstone said about the steps LaRose took to stave off any issues before Election Day on Nov. 3.

Simon took a look at the system.

"So I just took a quick look...myself and a co-worker have discovered some things so far...I would just say something that probably falls within the scope of a valid finding for them, but nothing that I would say is alarming or concerning as of yet."

Because of the rules of engagement for this bug bounty program, Simon could not say what he found. He reported the issues to the program's website. LaRose's office has 120 days to fix the issue. After that point, Simon can publicly disclose what he found.

Simon said if there are any major issues, time is running out to fix them before Election Day.