National: Researcher finds trove of political fundraising, old voter data on open internet | CyberScoop

A consulting firm that works with Democratic campaigns unknowingly left sensitive fundraiser information and credentials to old voter record databases open on the internet, according to a report published on Wednesday. Cybersecurity company Hacken says it discovered an unprotected network-attached storage (NAS) device managed by Rice Consulting, a Maryland firm that provides fundraising and mass communication to Democratic clients. Authentication was reportedly disabled on the NAS, and Hacken says that it was indexed by Shodan, an Internet-of-Things search engine. With its contents publicly accessible, the NAS revealed details about Rice Consulting’s clients as well as details about “thousands of fundraisers,” Hacken says. Those details include names, phone numbers, emails, addresses and companies. There were apparently also contracts, meeting notes, desktop backups and employee details. Rice Consulting did not respond to an email request for comment on the Hacken report. When CyberScoop called the firm, the person who answered said “There’s no one here who can tell you anything,” and hung up.

National: The 2018 midterm elections are already hacked. You just don’t know it yet. | Vox

One evening last May in Knoxville, Tennessee, during the night of the local primary election, Dave Ball, the assistant IT director for Knox County, settled into the Naugahyde chair of his dusty home office and punched away at his desktop computer. Ball’s IT staff had finished a 14-hour day, running dress rehearsals to prepare for the ritual chaos of election night. In a few minutes, at exactly 8 pm, the county’s incoming precinct results would become visible to the public online. Curious, Ball typed in the address for the Knox County election website. At 7:53, the website abruptly crashed. Staring back at Ball was a proxy error notice, a gray message plastered against a screen of purgatorial white. It read simply, “Service Unavailable.” Across East Tennessee, thousands of Knox County residents who eagerly awaited the results saw the same error message — including at the late-night election parties for various county candidates, where supporters gathered around computers at Knoxville’s Crowne Plaza Hotel and the nearby Clarion Inn and Suites. Ball was scowling at the screen when the phone on his table buzzed. It was a message from a staffer, still on duty at the IT department: “We’ve got a problem here,” it read. “Looks like a DDOS.” Ball still remembers his next, involuntary exclamation: “Oh, shit.”

National: Mitigating Election Security Risks Rely on System Resiliency, Auditability | Government CIO

A continuous increase of data breaches, the 2016 election interferences and financial security concerns are causing a rift in the public’s cybersecurity trust in government and industry, and could impact whether people show up to vote. That’s according to global IT company Unisys’ annual security index, a look at global and national security concerns. The index is a calculated score out of 300 that measures consumer concerns over time across eight areas of security in four categories: national security, financial security, internet security and personal security. This year’s index is 173, same as last year, but 32 percent higher than 10 years ago, according to the report. And the highest security concerns people have are around identity theft and bankcard fraud. In fact, identity theft was one of the top eight security threats measured, coming before national security (including terrorism), disasters and epidemics, financial obligations, bankcard fraud, viruses and hacking, online transactions and personal safety.

National: Security firm finds county election websites lack cybersecurity protections | The Hill

Many county election websites are lacking basic cybersecurity measures that could leave voters vulnerable to misinformation, security firm McAfee said Wednesday. McAfee threat researchers looked at county websites in 20 states and found that many county sites used .com domains instead of .gov ones, which are required to be thoroughly vetted as being official sites by government officials. Researchers found that Minnesota had the highest percentage of non-.gov domains for county election sites at 95.4 percent, followed by Texas at 95 percent and Michigan with 91.2 percent. Steve Grobman, the senior vice president and chief technology officer at McAfee, noted in a blog post that .com and other domains can be bought by anyone, meaning that misinformation about elections could be more easily shared with potential voters.

National: Pipe Bombs Sent to Hillary Clinton, Barack Obama and CNN Offices | The New York Times

Pipe bombs were sent to several prominent Democrats, including former President Barack Obama and former Secretary of State Hillary Clinton, setting off an intense investigation on Wednesday into whether figures vilified by the right were being targeted. From Washington to New York to Florida to Los Angeles, the authorities intercepted a wave of crudely built devices that were contained in manila envelopes. In the center of Manhattan, the Time Warner Center, an elegant office and shopping complex, was evacuated because of a pipe bomb sent to CNN, which has its New York offices there. It was addressed to John O. Brennan, a critic of President Trump who served as Mr. Obama’s C.I.A. director. None of the devices harmed anyone, and it was not immediately clear whether any of them could have. One law enforcement official said investigators were examining the possibility that they were hoax devices that were constructed to look like bombs but would not have exploded.

National: Mega Millions is Safer than Our Election System | The Weekly Standard

Elections security experts say that it is too late to do much to protect our voting systems against tampering for the midterms. The Department of Homeland Security’s efforts to spur ballot integrity upgrades are focused on 2020, but being future-minded is only an illusion: The hackers will always be ahead. When you’re talking about a set of processes as varied as how different states and districts vote—whether they still use outdated and vulnerable machines that leave no paper trail, or store their registration data insecurely online—there’s really no way to either prevent—or detect—ballot interference with anything like absolute certainty. Russians allegedly hacked Illinois and Arizona’s voter databases mere months before the 2016 presidential election. When DHS first detected these attacks it was too late to prevent them, only soon enough to seal up the vulnerabilities. Except that, even if elections officials had wanted to secure their online voter registration rolls in response to the attack, the law wouldn’t have let them.

National: Voting machines are totally hackable. But who’s going to pay to fix them? | NPR

The midterm elections are here. Early voting is already happening in some places. We’re spending the rest of the week on election security and technology, starting with voting machines. Candice Hoke, founding co-director of the Center for Cybersecurity and Privacy Protection at the Cleveland-Marshall College of Law, believes insecure voting machines are the biggest security threat to the midterm elections. And they’re definitely insecure. Last summer at the DefCon hacking conference, security experts hacked and whacked at a variety of voting machines and came away saying the machines were hopelessly vulnerable to even the most basic hacking, like the kind where the default password is still “password.” And lots of them don’t even create paper receipts to ensure the votes were counted correctly. “We have not required voting systems vendors to operate under the same kinds of rules as, say, pharmaceuticals as to the safe and effectiveness of their products,” Hoke said. “So safety, privacy, auditability, transparency, whatever word you want to use, these are all marketing terms in the voting systems arena rather than reflective of some kind of standards that are actually being enforced.”

National: Paper and the Case for Going Low-Tech in the Voting Booth | WIRED

In September 2017, barely two months before Virginians went to the polls to pick a new governor, the state’s board of elections convened an emergency session. The crisis at hand? Touchscreen voting machines. They’d been bought back in the early aughts, when districts across the country, desperate to avoid a repeat of the 2000 “hanging chads” fiasco, decided to go digital. But the new machines were a nightmare, prone to crashes and—worse—hacking. By 2015, Virginia had banned one of the dodgiest models, but others were still in use across the state. Now, with the gubernatorial election looming, officials were concerned that those leftover machines were vulnerable.

They had good reason. Evidence of Russian interference in the US democratic process was mounting. And at the DefCon security conference that summer, whitehat hackers had broken into every electronic voting machine they tried, some in a matter of minutes. (One model had as its hard-coded password “abcde.”) “That really triggered us to action,” recalls Edgardo Cortés, at the time Virginia’s top elections official. So, at the emergency session, he and his colleagues instituted a blanket ban on touchscreen machines. But what next? Virginia officials needed a superior voting technology. They settled on paper. When considered as a form of tech, paper has a killer feature set: It’s intuitive, it doesn’t crash, and it doesn’t need a power source. You can tally ballots rapidly using low-tech scanners, and if it’s necessary to double-check the results (as was the case with several down-ticket contests in Virginia), you can do a manual recount. Paper isn’t perfect, but it’s better than the alternative.

National: Officials prepare for potential false claims of election interference | The Hill

State and federal officials say they are well prepared for the possibility of a cyberattack on American election systems Nov. 6, but experts warn that even a false claim of interference by foreign actors on Election Day could undermine the public’s faith in the voting process. The top cyber official at the Department of Homeland Security (DHS) said it’s a very real possibility that groups will announce they successfully hacked certain election results. That would require swift action from federal authorities to decisively refute any unsubstantiated declarations of election meddling, analysts say. “I could absolutely envision a scenario where someone claims to have had access or claims to have hacked” an election, Christopher Krebs, the undersecretary of the National Protection and Programs Directorate (NPPD), told reporters last week.

National: New study scrutinizes time and effort it takes to vote in each state | Phys.org

Wide variations among the 50 states when it comes to the ease of casting a ballot are impacting the quality of democracy in the United States, a new study shows. Forget voter fraud. States are influencing who votes by making it easier or harder to cast a ballot, and that’s likely shaping election results, said study lead author Scot Schraufnagel, chair of the Department of Political Science at Northern Illinois University. He worked on the study with co-authors Michael J. Pomante II and Quan Li. Pomante II earned his doctorate from NIU in 2016 and works as a professor at Jacksonville University in Florida, while Li is a professor at Wuhan University in China. They created a “Cost of Voting Index”—using what is described in the study as “the largest assemblage of state election laws”—to rank each state according to the time and effort it took to vote in each presidential election year from 1996 through 2016. They analyzed the impact of 33 different variables dealing with registration and voting laws, with differences in registration deadlines carrying the most weight.

National: U.S. Begins First Cyberoperation Against Russia Aimed at Protecting Elections | The New York Times

The United States Cyber Command is targeting individual Russian operatives to try to deter them from spreading disinformation to interfere in elections, telling them that American operatives have identified them and are tracking their work, according to officials briefed on the operation. The campaign, which includes missions undertaken in recent days, is the first known overseas cyberoperation to protect American elections, including the November midterms. The operations come as the Justice Department outlined on Friday a campaign of “information warfare” by Russians aimed at influencing the midterm elections, highlighting the broad threat the American government sees from Moscow’s influence campaign.

National: Google steps up security efforts as most campaigns use its email services | The Washington Post

Google has been stepping up its efforts to protect political campaigns against phishing attacks — one of the most pressing threats facing candidates as hackers continue to target them via email. U.S. political campaigns overwhelmingly use Google as their email provider, according to data collected by anti-phishing start-up Area1 Security. Of the 1,460 candidates the company is tracking who are running for the Senate, House of Representatives or governor, 65 percent use Google as their email provider. The 2018 midterms will be the first test of the security measures Google and other tech companies have adopted since Russian hackers successfully spear phished Hillary Clinton campaign chair John Podesta. Hackers stole more than 50,000 of his emails after a click on a “change password” button on an email disguised as a security alert from Google.

National: Blockchain Might Make Voting Worse — Not Better: Crypto Researchers | CCN

Three researchers with the Initiative for CryptoCurrencies and Contracts (IC3) are questioning whether, as some proponents claim, blockchain technology will be able to change the internet voting sector for the better. In an article published by Business Insider, the scholars argue that while blockchain technology might serve to revolutionize other industries, internet voting might be a sector that doesn’t benefit from the technology at all, and could potentially even be harmed by it. The researchers start off by acknowledging that they understand why blockchain technology is being considered as an option to optimize internet voting. There is little doubt in the fact that the cryptocurrency world has attracted billions of dollars for legitimate reasons and that it has clear potential to revolutionize everything from the global payments sector, to logistics, to retail, to land ownership rights, among other sectors.

National: Experts say latest Russia case exposes US election vulnerabilities | The Hill

The indictment of a Russian national accused of trying to interfere in U.S. elections shows that not enough has been done to stop the country from launching a multimillion-dollar effort to influence American voters, experts say. Both officials and experts have been warning for months that Russia is trying to influence voters after the country successfully launched a cyber and disinformation campaign in the 2016 election. They say Friday’s indictment of a Russian national, revealing details of the alleged attempts to sway the public, combined with a U.S. intelligence warning of ongoing influence campaigns, is arguably the strongest message to date that the U.S.’s penalties against the country haven’t been enough to shut down the campaigns.

National: Pros to government: If your defenses fail, think pen and paper | The Washington Post

After a cyberattack forced a local Alaska government to disconnect its computer systems from the Internet this summer, employees were ready with a Plan B. They picked up pens and paper — and even resorted to typewriters — so that the government could continue its daily work, from collecting property taxes to checking out books at public libraries. They had practiced for this kind of scenario, which helped ensure the multipronged malware attack did not grind public business to a halt, said Eric Wyatt, the Matanuska-Susitna Borough IT director. “Having these plans and being able to go to paper and pen and manual methods was very helpful,” he said. “We could keep our doors open and continue to provide service to our citizens.” The focus of government cybersecurity has largely centered on developing cutting-edge solutions — and shoring up basic vulnerabilities — to prevent attacks on IT systems. But as more and more government business moves online, there’s a growing call among security pros and government officials for a different, albeit slightly more fatalistic, approach. Public agencies, this cohort says, should just assume they will be hacked — and practice how to carry out essential functions without Internet access or even computers in some cases.

National: 5 Risks We Face with E-Voting Technology | Techspective

Technology brings with it a number of conveniences, but it also opens up opportunities for scammers and hackers to take advantage of people through tech fraud. That crime involves using technology in a variety of possible ways to mislead people, steal data, shut down systems and more. Increasingly over the past several years, tech fraud has influenced voter fraud, which also manifests in many ways. People may use fake information at the polls, try to vote more than once or otherwise wrongfully attempt to swing votes in a certain direction. Unfortunately, e-voting could facilitate both tech fraud and election fraud if the platforms aren’t sufficiently locked down.

National: The AI Threat to Democracy | ExtremeTech

Strolling the leafy suburbs of Austin, Texas, one could be forgiven for thinking democracy is in a robust state of health. The trees are changing color and the world appears largely in order, the outcome of inevitable forces leading to ever greater levels of comfort, luxury, and efficiency. But as the historians are fond of reminding us, there’s nothing inevitable about democracy. Other, less equitable systems of government have historically been far more representational of human affairs. And the democratic liberal order has never been more fragile. Democracies have always had their opponents, but for the first time in history, the principal threat to it comes from shifting technological sands rather than power-hungry despots. As some of the more perceptive among us have begun shouting from the rooftops, the rise of strong artificial intelligence could well send the spool of democracy unraveling across the floor.

National: McAfee CTO raises concerns about election cyber security | Computer Weekly

Cyber security concerns around voting should be around the processes involved rather than just the electronic equipment used, according to Steve Grobman, senior vice-president and chief technology officer at security firm McAfee. Underlining this issue, he discussed a recent discovery by McAfee of a “big gap” in the security of the way US local jurisdictions communicate with their constituencies. Because US elections are decentralised, being run at a state and local level rather than at a federal level, with every state and locality choosing how to do things, there is very little uniformity. “We have found two big issues with the way local jurisdictions communicate with their constituencies,” said Grobman. Although these issues are US-specific, he told Computer Weekly that the issue is likely to be global given that the failings in the US are underpinned by a lack of cyber security skills, which is a challenge facing most countries around the world.

National: Here’s How Russia May Have Already Hacked the 2018 Midterm Elections | Newsweek

It’s not easy to get in to see Diane Ellis-Marseglia, one of three commissioners who run Bucks County, Pennsylvania. Security is tight at the Government Administration Building on 55 East Court Street in Doylestown, a three-story brick structure with no windows, where she has an office. It also happens to be where officials retreat on election night to tally the votes recorded on the county’s 900 or so voting machines. Guards at the door X-ray bags and scan each visitor with a wand. Unfortunately, Russian hackers won’t need to come calling on Election Day. Cyberexperts warn that they could use more sophisticated means of changing the outcomes of close races or sowing confusion in an effort to throw the U.S. elections into disrepute. The 2018 midterms offer a compelling target: a patchwork of 3,000 or so county governments that administer elections, often on a shoestring budget, many of them with outdated electronic voting machines vulnerable to manipulation. With Democrats on track to take control of the U.S. House of Representatives and perhaps even the Senate, the political stakes are high. … The U.S. certainly hasn’t forced the Russians to look hard for places to strike. The midterm elections are rich in targets. Bucks County is hardly unique in relying on easily hacked voting machines, whose results could determine control of Congress or individual states. About 30 percent of America’s voting machines are as outdated and nearly unprotected as those in Bucks County, says Marian Schneider, a former Pennsylvania deputy secretary for elections and administration and now president of Verified Voting, a national election-integrity advocacy group. Ballotpedia, a nonprofit website that tracks elections, lists nearly 400 congressional and top state official races this November as competitive enough to be considered battleground contests.

National: State election chiefs oversee vote while seeking higher office | McClatchy

In three states, the referee for the midterm elections is also on the field as a player. Elected secretaries of state in Georgia and Kansas — who in their official capacities oversee the elections in their states — are running for governor. Ohio’s secretary of state is running for lieutenant governor. All are Republicans. They have faced scattered calls to resign but have refused to do so. Election reformers say the situation underscores the conflict of interest when an official has responsibilities for an election while also running as a candidate. “There is just too much of a temptation if a political party is in a position to run the mechanics of an election to try to tilt it, and it’s a temptation we ought not to encourage,” said former U.S. Rep. Lee Hamilton, an Indiana Democrat who spent 34 years on Capitol Hill. “This is not nuclear physics.” While the three secretaries of state are Republican, concerns about inappropriate actions by partisans who hold the office transcend parties. An independent counsel earlier this month began investigating Kentucky’s Democratic secretary of state, Alison Lundergan Grimes, over allegations that her office accessed voter registration data to check the party affiliation of job applicants. Grimes may seek higher office next year.

National: Thousands in U.S. South may not be able to cast ballots in early voting | Reuters

Thousands of voters in Tennessee were at risk of being blocked from casting regular ballots when early voting opened this week, as officials struggled to process a surge of new registrations ahead of Nov. 6 elections to determine control of the U.S. Congress. The delay disproportionately affected the area around Memphis, a majority African-American city, leading activists to charge the Republican-controlled state government has not done enough to protect the rights of young and minority voters. State officials, however, said they were simply struggling to keep up with a surge in paperwork ahead of Election Day. But young and minority voters could very well tip the U.S. Senate election between Democratic former governor Phil Bredesen and Republican U.S. Representative Marsha Blackburn.

National: Security officials warn of foreign attempts to influence US election | USA Today

Foreign governments continue to try to influence U.S. elections, the director of national intelligence warned Friday in a joint statement from agencies, including the FBI and Justice Department. A Russian national was charged Friday in Virginia with allegedly trying to interfere with the 2018 election, authorities said. Elena Alekseevna Khusyaynova, 44, of St. Petersburg, Russia, was charged with playing a central role in Project Lakhta, which had an operating budget of $10 million from January through June, to provide “information warfare against the United States,” according to the indictment. But a top Department of Homeland Security official said Friday he isn’t aware of any hacking attempts against U.S. election systems this year, as happened in 2016. The continuing threat from Russia, China, Iran and others is to influence U.S. elections through misinformation, he said.

National: States Step Up Election Cybersecurity as Federal Efforts Stall | Bloomberg

States have taken it upon themselves to bolster cyber defenses for the midterm elections instead of waiting for Congress to act. “Cybersecurity is now our focus, it’s what keeps many of us as secretaries of states and local officials up at night,” said Jim Condos, president of the National Association of Secretaries of State and Vermont Secretary of State. Hacks of states’ voter registration systems, voting machines or vote reporting systems could lead to rigged vote counts, confusion at polling booths and public distrust of results, according to interviews with voting advocacy groups, former and current Department of Homeland Security officials, and state election officials. Two dozen states lack several of the strongest measures that could protect them against cyber attacks: mandating voting machines that leave a paper trail and requirements for a post-election audit to check for accuracy of the system.

National: Midterms: how the votes of vulnerable groups are being suppressed | The Guardian

With just over a month before the crucial midterm elections, Americans in some states will return to the polls two years after the election of Donald Trump to face new laws that could make it harder to vote. Since a landmark supreme court ruling in 2013, which repealed key provisions of the 1965 Voting Rights Act, over a dozen states, mostly Republican controlled, have imposed a swathe of laws that critics argue are intended to suppress the franchise among often vulnerable, Democratic leaning, groups. The measures range from complex voter ID laws to restrictive voter registration procedures as well as efforts to cut back on polling places and bids to exclude more former felons from casting a ballot.

National: Twitter Releases Tweets Showing Russian, Iranian Attempts to Influence US Politics | VoA News

On Wednesday, Twitter released a collection of more than 10 million tweets related to thousands of accounts affiliated with Russia’s Internet Research Agency propaganda organization, as well as hundreds more troll accounts, including many based in Iran. The data, analyzed and released in a report by The Atlantic Council’s Digital Forensic Research Lab, are made up of 3,841 accounts affiliated with the Russia-based Internet Research Agency, 770 other accounts potentially based in Iran as well as 10 million tweets and more than 2 million images, videos and other media. Russian trolls targeting U.S. politics took on personas from both the left and the right. Their primary goal appears to have been to sow discord, rather than promote any particular side, presumably with a goal of weakening the United States, the report said.

National: Security Seals Used to Protect Voting Machines Can Be Easily Opened With Shim Crafted from a Soda Can | Motherboard

Voting machine vendors and election officials have long insisted that no one can manipulate voting machines and ballots because tamper-evident seals used to secure them would prevent intruders from doing so without anyone noticing. But a security researcher in Michigan has shown in videos how he can defeat plastic security ties that counties across his state use to protect ballot bags, the cases that store voting machines and the ports that store the memory cards on optical-scan machines—electronic voting machines that record paper ballots scanned into them. He can do so without leaving evidence of tampering. If an intruder obtains physical access to the machines and this port, it’s possible to alter software in the machines using a rogue memory card—something that security researchers at Princeton University demonstrated in the past is possible. Matt Bernhard, a grad student at the University of Michigan and voting machine security expert, posted two videos online last week showing how he can open different types of plastic tamper-evident ties used in Michigan in just seconds, using a shim crafted from an aluminum Dr. Pepper can. By simply curling a small piece of the aluminum around a plastic zip tie and slipping it into the channel that encases the tie, he’s able to open the security device and re-close it, while leaving no marks or damage to indicate it was manipulated. He demonstrated the technique on smooth plastic ties as well as zip ties.

National: Justice Dept. charges Russian woman with interference in midterm elections | The Washington Post

The Justice Department announced Friday it had charged a Russian woman who prosecutors say conspired to interfere with the 2018 U.S. election, marking the first criminal case that accuses a foreign national of interfering in the upcoming midterms. Elena Khusyaynova, 44, was charged with conspiracy to defraud the United States. Prosecutors said she managed the finances of “Project Lakhta,” a foreign influence operation they said was designed “to sow discord in the U.S. political system” by pushing arguments and misinformation online about a host of divisive political issues, including immigration, the Confederate flag, gun control and National Football League protests during the national anthem. The charges against Khusyaynova came just as the Office of the Director of National Intelligence warned that it was concerned about “ongoing campaigns” by Russia, China and Iran to interfere with the upcoming midterm elections and the 2020 race — an ominous message just weeks before voters head to the polls.

National: US voter records from 19 states sold on hacking forum | ZDNet

The voter information for approximately 35 million US citizens is being peddled on a popular hacking forum, two threat intelligence firms have discovered. “To our knowledge this represents the first reference on the criminal underground of actors selling or distributing lists of 2018 voter registration data,” said researchers from Anomali Labs and Intel471, the two companies who spotted the forum ad. The two companies said they’ve reviewed a sample of the database records and determined the data to be valid with a “high degree of confidence.” Researchers say the data contains details such as full name, phone numbers, physical addresses, voting history, and other voting-related information. It is worth noting that some states consider this data public and offer it for download for free, but not all states have this policy.

National: DHS finds increasing attempts to hack U.S. election systems ahead of midterms | NBC

The Department of Homeland Security says it’s working to identify who — or what — is behind an increasing number of attempted cyber attacks on U.S. election databases ahead of next month’s midterms. “We are aware of a growing volume of cyber activity targeting election infrastructure in 2018,” the department’s Cyber Mission Center said in an intelligence assessment issued last week and obtained by NBC News. “Numerous actors are regularly targeting election infrastructure, likely for different purposes, including to cause disruptive effects, steal sensitive data, and undermine confidence in the election.” The assessment said the federal government does not know who is behind the attacks, but it said all potential intrusions were either prevented or mitigated.

National: U.S. Still Hasn’t Finalized Election Security Plans—and the Midterms Are Weeks Away | Daily Beast

The midterms are less than a month away. But working groups inside the intelligence community charged with overseeing election security are still trying to finalize plans for countering foreign interference in the 2018 elections, three senior officials involved with the efforts told The Daily Beast. The issue came up in a meeting this month that included current senior intelligence officials and former officials who were asked to attend and provide advice. The Federal Bureau of Investigation and the National Security Agency were pinpointed as two of the departments that had made the most progress. The Department of Homeland Security, however, is lagging behind, according to officials inside the meeting.