National: McAfee CTO raises concerns about election cyber security | Computer Weekly

Cyber security concerns around voting should be around the processes involved rather than just the electronic equipment used, according to Steve Grobman, senior vice-president and chief technology officer at security firm McAfee. Underlining this issue, he discussed a recent discovery by McAfee of a “big gap” in the security of the way US local jurisdictions communicate with their constituencies. Because US elections are decentralised, being run at a state and local level rather than at a federal level, with every state and locality choosing how to do things, there is very little uniformity. “We have found two big issues with the way local jurisdiction communicate with their constituencies,” said Grobman. Although these issues are US-specific, he told Computer Weekly that the issue is likely to be global given that the failings in the US are underpinned by a lack of cyber security skills, which is a challenge facing most countries around the world.

National: Here’s How Russia May Have Already Hacked the 2018 Midterm Elections | Newsweek

It’s not easy to get in to see Diane Ellis-Marseglia, one of three commissioners who run Bucks County, Pennsylvania. Security is tight at the Government Administration Building on 55 East Court Street in Doylestown, a three-story brick structure with no windows, where she has an office. It also happens to be where officials retreat on election night to tally the votes recorded on the county’s 900 or so voting machines. Guards at the door X-ray bags and scan each visitor with a wand.Unfortunately, Russian hackers won’t need to come calling on Election Day. Cyberexperts warn that they could use more sophisticated means of changing the outcomes of close races or sowing confusion in an effort to throw the U.S. elections into disrepute. The 2018 midterms offer a compelling target: a patchwork of 3,000 or so county governments that administer elections, often on a shoestring budget, many of them with outdated electronic voting machines vulnerable to manipulation. With Democrats on track to take control of the U.S. House of Representatives and perhaps even the Senate, the ­political stakes are high. … The U.S. certainly hasn’t forced the Russians to look hard for places to strike. The midterm elections are rich in targets. Bucks County is ­hardly unique in relying on easily hacked voting machines, whose results could determine control of Congress or individual states. About 30 percent of America’s voting machines are as outdated and nearly unprotected as those in Bucks County, says Marian Schneider, a former Pennsylvania deputy secretary for elections and administration and now president of Verified Voting, a national election-­integrity advocacy group. Ballotpedia, a nonprofit website that tracks elections, lists nearly 400 congressional and top state official races this November as competitive enough to be considered battleground contests.

National: State election chiefs oversee vote while seeking higher office | McClatchy

In three states, the referee for the midterm elections is also on the field as a player. Elected secretaries of state in Georgia and Kansas — who in their official capacities oversee the elections in their states — are running for governor. Ohio’s secretary of state is running for lieutenant governor. All are Republicans. They have faced scattered calls to resign but have refused to do so. Election reformers say the situation underscores the conflict of interest when an official has responsibilities for an election while also running as a candidate. “There is just too much of a temptation if a political party is in a position to run the mechanics of an election to try to tilt it, and it’s a temptation we ought not to encourage,” said former U.S. Rep. Lee Hamilton, an Indiana Democrat who spent 34 years on Capitol Hill. “This is not nuclear physics.” While the three secretaries of state are Republican, concerns about inappropriate actions by partisans who hold the office transcend parties. An independent counsel earlier this month began investigating Kentucky’s Democratic secretary of state, Alison Lundergan Grimes, over allegations that her office accessed voter registration data to check the party affiliation of job applicants. Grimes may seek higher office next year.

National: Thousands in U.S. South may not be able to cast ballots in early voting | Reuters

Thousands of voters in Tennessee were at risk of being blocked from casting regular ballots when early voting opened this week, as officials struggled to process a surge of new registrations ahead of Nov. 6 elections to determine control of the U.S. Congress. The delay disproportionately affected the area around Memphis, a majority African-American city, leading activists to charge the Republican-controlled state government has not done enough to protect the rights of young and minority voters. State officials, however, said they were simply struggling to keep up with a surge in paperwork ahead of Election Day. But young and minority voters could very well tip the U.S. Senate election between Democratic former governor Phil Bredesen and Republican U.S. Representative Marsha Blackburn.

National: Security officials warn of foreign attempts to influence US election | USA Today

Foreign governments continue to try to influence U.S. elections, the director of national intelligence warned Friday in a joint statement from agencies, including the FBI and Justice Department. A Russian national was charged Friday in Virginia with allegedly trying to interfere with the 2018 election, authorities said. Elena Alekseevna Khusyaynova, 44, of St. Petersburg, Russia, was charged with playing a central role in Project Lakhta, which had an operating budget of $10 million from January through June, to provide “information warfare against the United States,” according to the indictment. But a top Department of Homeland Security official said Friday he isn’t aware of any hacking attempts against U.S. election systems this year, as happened in 2016. The continuing threat from Russia, China, Iran and others is to influence U.S. elections through misinformation, he said.

National: States Step Up Election Cybersecurity as Federal Efforts Stall | Bloomberg

States have taken it upon themselves to bolster cyber defenses for the midterm elections instead of waiting for Congress to act. “Cybersecurity is now our focus, it’s what keeps many of us as secretaries of states and local officials up at night,” said Jim Condos, president of the National Association of Secretaries of State and Vermont Secretary of State. Hacks of states’ voter registration systems, voting machines or vote reporting systems could lead to rigged vote counts, confusion at polling booths and public distrust of results, according to interviews with voting advocacy groups, former and current Department of Homeland Security officials, and state election officials. Two dozen states lack several of the strongest measures that could protect them against cyber attacks: mandating voting machines that leave a paper trail and requirements for a post-election audit to check for accuracy of the system.

National: Midterms: how the votes of vulnerable groups are being suppressed | The Guardian

With just over a month before the crucial midterm elections, Americans in some states will return to the polls two years after the election of Donald Trump to face new laws that could make it harder to vote. Since a landmark supreme court ruling in 2013, which repealed key provisions of the 1965 Voting Rights Act, over a dozen states, mostly Republican controlled, have imposed a swathe of laws that critics argue are intended to suppress the franchise among often vulnerable, Democratic leaning, groups. The measures range from complex voter ID laws to restrictive voter registration procedures as well as efforts to cut back on polling places and bids to exclude more former felons from casting a ballot.

National: Twitter Releases Tweets Showing Russian, Iranian Attempts to Influence US Politics | VoA News

On Wednesday, Twitter released a collection of more than 10 million tweets related to thousands of accounts affiliated with Russia’s Internet Research Agency propaganda organization, as well as hundreds more troll accounts, including many based in Iran. The data, analyzed and released in a report by The Atlantic Council’s Digital Forensic Research Lab, are made up of 3,841 accounts affiliated with the Russia-based Internet Research Agency, 770 other accounts potentially based in Iran as well as 10 million tweets and more than 2 million images, videos and other media. Russian trolls targeting U.S. politics took on personas from both the left and the right. Their primary goal appears to have been to sow discord, rather than promote any particular side, presumably with a goal of weakening the United States, the report said.

National: Security Seals Used to Protect Voting Machines Can Be Easily Opened With Shim Crafted from a Soda Can | Motherboard

Voting machine vendors and election officials have long insisted that no one can manipulate voting machines and ballots because tamper-evident seals used to secure them would prevent intruders from doing so without anyone noticing. But a security researcher in Michigan has shown in videos how he can defeat plastic security ties that counties across his state use to protect ballot bags, the cases that store voting machines and the ports that store the memory cards on optical-scan machines—electronic voting machines that record paper ballots scanned into them. He can do so without leaving evidence of tampering. If an intruder obtains physical access to the machines and this port, it’s possible to alter software in the machines using a rogue memory card—something that security researchers at Princeton University demonstrated in the past is possible. Matt Bernhard, a grad student at the University of Michigan and voting machine security expert, posted two videos online last week showing how he can open different types of plastic tamper-evident ties used in Michigan in just seconds, using a shim crafted from an aluminum Dr. Pepper can. By simply curling a small piece of the aluminum around a plastic zip tie and slipping it into the channel that encases the tie, he’s able to open the security device and re-close it, while leaving no marks or damage to indicate it was manipulated. He demonstrated the technique on smooth plastic ties as well as zip ties.

National: Justice Dept. charges Russian woman with interference in midterm elections | The Washington Post

The Justice Department announced Friday it had charged a Russian woman who prosecutors say conspired to interfere with the 2018 U.S. election, marking the first criminal case that accuses a foreign national of interfering in the upcoming midterms. Elena Khusyaynova, 44, was charged with conspiracy to defraud the United States. Prosecutors said she managed the finances of “Project Lakhta,” a foreign influence operation they said was designed “to sow discord in the U.S. political system” by pushing arguments and misinformation online about a host of divisive political issues, including immigration, the Confederate flag, gun control and National Football League protests during the national anthem. The charges against Khusyaynova came just as the Office of the Director of National Intelligence warned that it was concerned about “ongoing campaigns” by Russia, China and Iran to interfere with the upcoming midterm elections and the 2020 race — an ominous message just weeks before voters head to the polls.

National: US voter records from 19 states sold on hacking forum | ZDNet

The voter information for approximately 35 million US citizens is being peddled on a popular hacking forum, two threat intelligence firms have discovered. “To our knowledge this represents the first reference on the criminal underground of actors selling or distributing lists of 2018 voter registration data,” said researchers from Anomali Labs and Intel471, the two companies who spotted the forum ad. The two companies said they’ve reviewed a sample of the database records and determined the data to be valid with a “high degree of confidence.” Researchers say the data contains details such as full name, phone numbers, physical addresses, voting history, and other voting-related information. It is worth noting that some states consider this data public and offer it for download for free, but not all states have this policy.

National: DHS finds increasing attempts to hack U.S. election systems ahead of midterms | NBC

The Department of Homeland Security says it’s working to identify who — or what — is behind an increasing number of attempted cyber attacks on U.S. election databases ahead of next month’s midterms. “We are aware of a growing volume of cyber activity targeting election infrastructure in 2018,” the department’s Cyber Mission Center said in an intelligence assessment issued last week and obtained by NBC News. “Numerous actors are regularly targeting election infrastructure, likely for different purposes, including to cause disruptive effects, steal sensitive data, and undermine confidence in the election.” The assessment said the federal government does not know who is behind the attacks, but it said all potential intrusions were either prevented or mitigated.

National: U.S. Still Hasn’t Finalized Election Security Plans—and the Midterms Are Weeks Away | Daily Beast

The midterms are less than a month away. But working groups inside the intelligence community charged with overseeing election security are still trying to finalize plans for countering foreign interference in the 2018 elections, three senior officials involved with the efforts told The Daily Beast. The issue came up in a meeting this month that included current senior intelligence officials and former officials who were asked to attend and provide advice. The Federal Bureau of Investigation and the National Security Agency were pinpointed as two of the departments that had made the most progress. The Department of Homeland Security, however, is lagging behind, according to officials inside the meeting.

National: How hackable are American voting machines? It depends who you ask | ABC

To hear Alex Halderman tell it, hacking the vote is easy. The University of Michigan professor is on a crusade to demonstrate how vulnerable American voting machines are, and some of his arguments are quite compelling. He has rigged mock elections. He has testified to the machines’ vulnerabilities in Congress and in court. He has even managed to turn a commonly used voting machine into an iteration of the classic arcade game Pac-Man. “They’re just computers at the end of the day,” said Halderman, who told the Senate Intelligence Committee last year that states should move back to paper ballots. “Often with voting machines, when you open it up, it’s not that different from a desktop PC or mobile device. The only difference is that it’s going to be 10 years out of date, or sometimes 20 years.”

National: November Elections and the Art of Voter Suppression | Union of Concerned Scientists

Voting rights violations are emerging across several states with less than a month before the conclusion of midterm elections in the United States. As a result of discriminatory election laws and procedures, representation and policy making power could be distorted in favor of powerful, entrenched interests, against the will of a majority of the electorate. The threat of such democratic dysfunction illustrates the need for meaningful electoral reform and the protection of voting rights for all citizens. Early voting is underway in seventeen states, including at least two states where voting rights have already become a flashpoint in pivotal elections. In North Dakota, Senator Heidi Heitkamp and challenger Kevin Cramer is in a race that Cook Political Report rates as a “toss up.” The election could determine control over the US Senate—but the Supreme Court of the United States just refused to block the state’s discriminatory practice of requiring voter identification from a residential street address.

National: Facebook to ban misinformation on voting in upcoming U.S. elections | Reuters

Facebook Inc will ban false information about voting requirements and fact-check fake reports of violence or long lines at polling stations ahead of next month’s U.S. midterm elections, company executives told Reuters, the latest effort to reduce voter manipulation on its service. The world’s largest online social network, with 1.5 billion daily users, has stopped short of banning all false or misleading posts, something that Facebook has shied away from as it would likely increase its expenses and leave it open to charges of censorship. The latest move addresses a sensitive area for the company, which has come under fire for its lax approach to fake news reports and disinformation campaigns, which many believe affected the outcome of the 2016 presidential election, won by Donald Trump.

National: GOP claims of voter fraud threat fuel worries about ballot access in November | The Washington Post

Nine months after President Trump was forced to dissolve a panel charged with investigating voter fraud, GOP officials across the country are cracking down on what they describe as threats to voting integrity — moves that critics see as attempts to keep some Americans from casting ballots in November’s elections. In Georgia, election officials have suspended more than 50,000 applications to register to vote, most of them for black voters, under a rigorous Republican-backed law that requires personal information to exactly match driver’s license or Social Security records. In Texas, the state attorney general has prosecuted nearly three dozen individuals on charges of voter fraud this year, more than the previous five years combined. And in North Carolina, a U.S. attorney and U.S. Immigration and Customs Enforcement (ICE) issued subpoenas last month demanding that virtually all voting records in 44 counties be turned over to immigration authorities within weeks — a move that was delayed after objections from state election officials.

National: More Senate Democrats back alternative to Secure Elections Act | FCW

For much of the past year, Sen. Ron Wyden’s (D-Ore.) Protecting American Votes and Elections Act has taken a backseat to the Republican-led, bipartisan-crafted Secure Elections Act in the election security debate on Capitol Hill. Boosters for the bipartisan effort continue to work to get their bill passed during  the upcoming lame duck session. However, its stall out amid the perceived watering down of security provisions at the request of states in August combined with increasingly sunny forecasts for Democrats in the upcoming midterm elections may have provided an opening for consideration of alternative legislation. On Oct. 11, Wyden’s bill picked up four more Democratic co-sponsors in the Senate, with Tammy Duckworth (Ill.), Tammy Baldwin (Wis.), Maria Cantwell (Wash.) and Gary Peters (Mich.) all signing on.

National: What stands in the way of Native American voters? | Center for Public Integrity

Two years ago, when Chase Iron Eyes decided to run for Congress, he knew he had, as he puts it, “a snowball’s chance in hell” of winning. But Iron Eyes, a member of the Standing Rock Sioux Tribe, still saw the narrowest of paths to victory in the race for North Dakota’s sole congressional seat. If he and the two other Native American candidates running for state offices as Democratic nominees were able to boost Native American voter turnout while simultaneously convincing independent-minded undecided voters to break their way, he explained, he thought he might win. Instead, incumbent Rep. Kevin Cramer, a Republican, coasted to another term by a huge margin.  

National: Online voting is a security nightmare, say experts | Fast Company

Online banking, ecommerce, e-filing taxes. Moving print documents and in-person services online–even those full of sensitive information–has been an inexorable trend for decades. And voting has moved in that direction too, in 32 U.S. states and several countries, starting in those simpler times of the 1990s and early 2000s. That was a giant security blunder, according to a new report from tech and election experts that urges a return to good old paper ballots. “This is a position consistently that computer scientists have been saying for a decade, and computer scientists are the ones who you think would be the most favorable to the idea [of online voting] because, we invent the things.” So says Jeremy Epstein, vice chair of the U.S. Technology Policy Council at the ACM, billed as the largest association of computing experts.

National: Election security groups warn of cyber vulnerabilities for emailed ballots | The Hill

Election security groups are sounding the alarm about emailed ballots ahead of the November midterm elections, warning in a new report that PDF and JPEG ballot attachments sent to election officials could be exploited by hackers. The organizations, including watchdog group Common Cause, issued a report Wednesday that found election workers who receive emailed ballots are at risk of clicking on unsafe attachments, sent from unknown sources, that could contain malware. “In jurisdictions that receive ballots by PDF or JPEG attachment, election workers must routinely click on documents from unknown sources to process emailed or faxed ballots, exposing the computer receiving the ballots — and any other devices on the same network — to a host of cyberattacks that could be launched from a false ballot laden with malicious software,” the report says. “An infected false ballot would enter the server like any other ballot, but once opened, it would download malware that could give attackers backdoor access to the elections office’s network.”

National: Can Elections Be Hacked? Online Voting Threatens 32 States, Report Says | Newsweek

Voters cast a minimum of 100,000 ballots using insecure internet methods in the 2016 election, highlighting an overlooked threat to election integrity, according to a report released Wednesday. Thirty-two states permit some voters—primarily overseas military personnel—to return ballots by email, fax or internet, according to “Email and Internet Voting: The Overlooked Threat to Election Security,” a report produced by the Association for Computing Machinery, Common Cause, the National Election Defense Coalition and R Street. “There are two concerns with email voting,” in which ballots and voter identification information are typically attached as a PDF or JPEG. “One—the ballots can be intercepted and undetectably altered or deleted. This hack was performed at DEF CON in August. And it’s something academics have long known,” Susannah Goodman, one of the authors of the report, told Newsweek. “Second—emailed ballots can be easily spoofed in a spear phishing attack designed to put malware on a county election official’s computer.”

National: To Deter Foreign Hackers, Some States May Also Be Deterring Voters | NPR

A number of states are blocking web traffic from foreign countries to their voter registration websites, making the process harder for some U.S. citizens who live overseas to vote, despite the practice providing no real security benefits. On its face, the “geo-targeting” of foreign countries may seem like a solid plan: election officials around the country are concerned about foreign interference after Russia’s efforts leading up to the 2016 election, so blocking traffic to election websites from outside the United States might seem like an obvious defense starting point. But cybersecurity experts and voting rights advocates say it’s an ineffective solution that any hacker could easily sidestep using a virtual private network, or VPN, a commonly-used and easily-available service. Such networks allow for a computer user to use the Internet and appear in a different location than they actually are.

National: Can Paper Ballots Save Our Democracy? | Slate

In August at DEFCON, the annual hackers’ convention in Las Vegas, J. Alex Halderman, a professor of computer science and an expert in cybersecurity, brought along several of his Diebold Accuvote TSX voting machines. The Accuvote is a touch-screen voting device known as a direct-recording electronic voting machine, which, as the name suggests, records votes and stores them on a memory device. Halderman’s machines were set up as part of the Voting Village, an area dedicated to the cybersecurity of voting machines, where visitors were asked to cast votes in a mock presidential election between George Washington and Benedict Arnold. “Because this is DEFCON, of course almost everyone thought they were clever and voted for Benedict Arnold,” said Halderman. At the end of the mock election, with over 100 votes cast, the machine produced the totals and the winner of the two-man race: the Dark Tangent.

National: Why federal courts may become the next front in the battle to secure our elections | The Hill

Last week, a team of security researchers who run the DefCon hacking convention released a report on voting machines in use around the country that contain structural flaws ripe for exploitation by hackers. Among its dismaying findings, DefCon reported a flaw in one widely used voting tabulator that, if hacked, “could enable an attacker to flip the Electoral College and determine the outcome of a presidential election.” Though it’s been nearly two years since the 2016 election, there remains a startling gap between the well understood need to secure our elections against cyberattacks and the reality on the ground. Computer security experts and leading intelligence and law enforcement voices have sounded the alarm on the persistent and serious threats facing election systems. Yet the actors best positioned to take broad action — state governments, Congress, and election system vendors — have moved slowly, and in some cases stalled.

National: Measure seeks to protect election systems from foreign foes | Associated Press

Foreign nationals would be prohibited from owning or controlling companies that support U.S. election systems under legislation introduced by two senators from Maryland, where officials learned this summer that a Russian oligarch is heavily invested in a company that maintains key parts of their state’s election infrastructure. Democratic Sens. Chris Van Hollen and Ben Cardin are sponsoring the “Protect Our Elections Act,” along with Republican Sen. Susan Collins, of Maine. “We cannot allow Russia or any other foreign adversaries to own our elections systems,” Van Hollen said. “This isn’t just a hypothetical issue — it happened right here in my home state of Maryland.”

National: Voting Experts: Why the Heck Are People Still Voting Online? | Nextgov

The government’s all-hands effort to secure election systems after a Russian assault on the 2016 contest missed one glaring vulnerability: online ballots, according to a Wednesday report by voting security experts. Online voting is not common in the U.S., but Americans cast at least 100,000 online ballots in the 2016 election, according to the authors’ tally. Many of those ballots were cast by military members overseas taking advantage of state laws that allow them to return ballots by email or digital fax. In total, 32 states allow some subset of residents to return ballots by email, fax or through an internet portal, and Alaska and Hawaii offer electronic ballot return for all voters, according to the report from security experts at the Association for Computing Machinery US Technology Policy Committee, Common Cause Education Fund, the National Election Defense Coalition and the R Street Institute.

National: Senators Question Supermicro on Report of Chinese Hardware Hack | Bloomberg

Two U.S. senators sent a letter to Super Micro Computer Inc. asking if and when the company found evidence of tampering with hardware components after a Bloomberg Businessweek report described how China’s intelligence services used subcontractors to plant malicious chips in the company’s server motherboards. Florida Republican Marco Rubio and Connecticut Democrat Richard Blumenthal on Tuesday gave the company until Oct. 17 to respond to a list of questions that also includes whether the company investigated its supply chain and cooperated with U.S. law enforcement. In Bloomberg Businessweek’s report, one official said investigators found that the Chinese infiltration through Super Micro reached almost 30 companies, including Amazon.com Inc. and Apple Inc. Super Micro and both Amazon and Apple disputed the findings. The U.S. Department of Homeland Security said it has “no reason to doubt” the companies’ denials of Bloomberg Businessweek’s reporting.

National: Majority of disabled voters in U.S. faced challenges in casting ballots in ’16 | WHYY

When it comes to expanding voter access, most often the conversation centers around allowing early voting or establishing automatic voting registration. But a forum at the University of Delaware Tuesday focused instead on making voting more accessible for those with disabilities. “We still have this cultural lag where we don’t really expect people with disabilities to be voters,” said Rabia Belt, historian and assistant professor at Stanford Law School. “It’s still quite difficult for people to be able to access polling places, people to receive the accommodations that are legally mandated.” The forum organized by UD’s Center for Disabilities Studies looked at how people with disabilities are underrepresented at the polls.

National: How hackers could disrupt Election Day — and how the bad guys could be stopped | The Boston Globe

Election Day presents a tantalizing target for a malicious hacker. The complex, multifaceted US voting system is rife with technological weak spots, from problems with the electronic voting machines in use in some states to vulnerabilities in the websites government officials use to disseminate information. In an era where public trust in American institutions is at an ebb, and conspiracy theories threaten to metastasize online, public safety officials and cybersecurity experts say they have to be careful how they talk about the vulnerabilities. “If the people do not trust that it’s a fair system, then the whole thing is going to fall apart,” said Cris Thomas, a well-known hacker who often goes by the name “Space Rogue” and now works in security at IBM. … This November, 15 states — none of them in New England — will use at least some electronic voting machines that leave no paper trail, according to the Verified Voting Foundation.