National: Why US elections remain ‘dangerously vulnerable’ to cyber-attacks | The Guardian

Sixteen months ago, Marilyn Marks was just another political junkie watching a high-profile congressional election on her laptop when she saw something she found abnormal and alarming. The date was 18 April 2017, and the election was in Georgia’s sixth congressional district, where the Democrats were hoping to pull off an upset victory against a crowded Republican field in the wake of Tom Price’s (short-lived) elevation to the Trump cabinet as health and human services secretary. By mid-evening, Jon Ossoff, the leading Democrat, had 50.3% of the vote, enough to win outright without the need for a run-off against his closest Republican challenger. Then Marks noticed that the number of precincts reporting in Fulton County, encompassing the heart of Atlanta, was going down instead of up. Soon after, the computers crashed. Election officials later blamed a “rare error” with a memory card that didn’t properly upload its vote tallies. When the count resumed more than an hour later, Ossoff was suddenly down to 48.6% and ended up at 48.1%. (He lost in the run-off to Republican Karen Handel.)

National: DEF CON’s Voting Village tests hacker-government collaboration | CyberScoop

The national conversation on election security came into sharp focus Friday at a renowned hacker conference as U.S. officials and security researchers sought common ground in raising awareness of potential vulnerabilities in election equipment. The goal was to have a more transparent conversation about those vulnerabilities without spreading undue public fear about them. The Voting Village at DEF CON in Las Vegas, a room where white-hat hackers could tinker with voting machines and mock voter registration databases, was a high-profile test of that collaboration. “I’m here to learn,” Alex Padilla, California’s secretary of state, said before touring the village in the bowels of Caesars Palace hotel and casino. …  At the village, Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology, stood next to a large ballot-scanner made by Election Systems & Software, one of the country’s biggest voting-equipment vendors. A couple of young researchers were picking the machine apart looking for vulnerabilities and what voting data the old machine might reveal.

National: Pre-Teen Hackers Prove It: The U.S. Election System Simply Isn’t Secure Enough | Futurism

Young kids vs. Dumb Machines: Still not convinced that the U.S. election system is woefully insecure? Chew on this: It took an 11-year-old just 10 minutes to hack a replica of the Florida secretary of state’s website and change its stored election results. The young hacker, Audrey Jones, was one of 39 children between the ages of 8 and 17 to take part in a competition organized by R00tz Asylum, a nonprofit focused on teaching kids white-hat hacking, during annual hacking conference DEFCON. During the one-day R00tz Asylum event, the children set out to infiltrate sites designed to replicate the ones used by 13 battleground states to convey election results to the public (hacking the actual sites would be illegal). All but four of the children succeeded.

National: 4 House Intel members offer election security bill | FCW

A Senate proposal to secure the U.S. election system has a companion bill in the House and a prominent Republican co-sponsor. A bipartisan group of four lawmakers on the House Intelligence Committee have introduced a House version of the Secure Elections Act, which would authorize block grants for states to upgrade voting machines and other equipment, allow the Department of Homeland Security to more quickly share election cybersecurity threat information with state and local governments and streamline the security clearance process for state and local election officials.

National: Hacking the US mid-terms? It’s child’s play | BBC

Bianca Lewis, 11, has many hobbies. She likes Barbie, video games, fencing, singing… and hacking the infrastructure behind the world’s most powerful democracy. “I’m going to try and change the votes for Donald Trump,” she tells me. “I’m going to try to give him less votes. Maybe even delete him off of the whole thing.” Fortunately for the President, Bianca is attacking a replica website, not the real deal. She’s taking part in a competition organised by R00tz Asylum, a non-profit organisation that promotes “hacking for good”. Its aim is to send out a dire warning: the voting systems that will be used across America for the mid-term vote in November are, in many cases, so insecure a young child can learn to hack them with just a few minute’s coaching.

National: Voatz: a tale of a terrible, horrible, no-good, very bad idea | TechCrunch

Let’s get the fish in the barrel out of the way. Voatz are a tech startup whose bright idea was to disrupt democracy by having people vote on their phone, and store the votes on, you guessed it, a blockchain. Does this sound like a bad idea? Welp. It turned out that they seemed awfully casual about basic principles of software security, such as not hard-coding your AWS credentials. It turned out that their blockchain was an eight-node Hyperledger install, i.e. one phenomenologically not especially distinguishable from databases secured by passwords. They have been widely and justly chastised for these things. But they aren’t what’s important.

National: Two-Minute Hack Shows How Easy It Is To Gain Admin Access On An Elections Voting Machine | wccftech

Once again at the Defcon cybersecurity conference in Las Vegas on Friday, hackers posed how easy it is to break into the election voting machines. At the conference, officials from the US Department of Homeland security were present to learn about the problems of the election security. Seemingly, there’s another two-minute hack which will allow anyone to physically gain admin access on a voting machine. It’s definitely alarming for the forthcoming elections. So let’s dive in to see some more details on the hack and how it is performed. Rachel Tobac shared a video on Twitter, showing how she gained physical admin access in less than two minutes. It required no tools and the operation does not require any hardcore hacking techniques. At this point, with hacking options as easy as this, these attacks threaten trust in politics and even leadership to a greater scale. These loopholes can possibly allow alterations being made to the final count, which of course, does make a lot of difference.

National: Election officials’ concerns turn to information warfare as hackers gather in Vegas | CNN

As hackers sit down to break into dozens of voting machines here in Las Vegas this weekend, some state and local election officials that have flown in to witness the spectacle at one of the world’s largest hacking conventions are becoming increasingly concerned about another threat to November’s midterm elections: information warfare. Organizers of a “voting village” at the annual Def Con hacker convention have packed a conference room at Caesars Palace with voting machines and have asked civically-curious hackers to wreak havoc. The event, now in its second year, is supposed to demonstrate vulnerabilities in America’s vast election infrastructure. After a few hours on Friday, one hacker was essentially able to turn a voting machine into a jukebox, making it play music and display animations. While such hacks are a cause of concern for election officials, they are increasingly looking beyond the threats against traditional election infrastructure like voting machines and voting databases and more to the threat of disinformation. What, some of them ask, if they fall victim to a coordinated information warfare campaign?

National: Tensions Flare as Hackers Root Out Flaws in Voting Machines | Wall Street Journal

Hackers at the Defcon computer security conference believe they can help prevent manipulation of U.S. elections. Some election officials and makers of voting machines aren’t so sure. That tension was front and center at Defcon’s second-annual Voting Village, where computer hackers are invited to test the security of commonly used election machines. Organizers see the event as an early test of U.S. election security and a counterpunch to potential outside interference. On the first day of the event, which runs through Sunday, hackers were able to swap out software, uncover network plug-ins that shouldn’t have been left working, and uncover other ways for unauthorized actors to manipulate the vote. These hacks can root out weaknesses in voting machines so that vendors will be pressured to patch flaws and states will upgrade to more secure systems, organizers say. … “You want companies to be building more secure products, but at the same time the public doesn’t necessarily know the full picture,” Ms. Manfra said. “If all you are saying is, ‘Look, even a kid can hack into this’, you’re not getting the full story, which can have the impact of having the average voter not understanding what is going on.”

National: Hackers at Def Con break into voting machines to identify security flaws | Tech2

Def Con, one of the world’s largest security conventions, served as a laboratory for breaking into voting machines on 10 August, extending its efforts to identify potential security flaws in technology that may be used in the November US elections.Hackers will continue to probe the systems over the weekend in a bid to discover new vulnerabilities, which could be turned over to voting machine makers to fix.The three-day Las Vegas-based “Voting Village” also aimed to expose security issues in digital poll books and memory-card readers. “These vulnerabilities that will be identified over the course of the next three days would, in an actual election, cause mass chaos,” said Jake Braun, one of the village’s organizers. “They need to be identified and addressed, regardless of the environment in which they are found.”

National: Campaigns and candidates still easy prey for hackers | Politico

Some bathrooms have signs urging people to wash their hands. But at the Democratic National Committee, reminders hanging in the men’s and women’s restrooms address a different kind of hygiene. “Remember: Email is NOT a secure method of communication,” the signs read, “and if you see something odd, say something.” The fliers are a visible symptom of an increased focus on cybersecurity at the DNC, more than two years after hackers linked to the Russian military looted the committee’s computer networks and inflamed the party’s internal divides at the worst possible time for Hillary Clinton. But the painful lessons of 2016 have yet to take hold across the campaign world — which remains the soft underbelly for cyberattacks aimed at disrupting the American political process.

National: Election officials say money, training needed to improve security | Las Vegas Review-Journal

Regional U.S. election officials attending a hacker conference Friday in Las Vegas said they need more money and training to enhance cybersecurity of their election infrastructure. The thousands of local election officers around the U.S. have neither the cyber-knowledge nor resources to stand up to attacks from adversarial nations and need the support of state and federal governments, they said. But they warned that focusing too much on the vulnerabilities could backfire by undermining citizens’ confidence in the system. “There has never been such a spotlight and emphasis (on election hacking) as there has been since 2016. That is our new reality,’’ California Secretary of State Alex Padilla told an audience attending the annual Defcon computer security conference at Caesars Palace. “If it gets into the mind of anybody that maybe my vote isn’t going to matter, so why should I go vote — that is a form of voter suppression,” he said.

National: US officials hope hackers at Defcon find more voting machine problems | CNET

This election day, US officials are hoping for a vote of confidence on cybersecurity. Hackers at the Defcon cybersecurity conference in Las Vegas on Friday took on voting machines again, after showing how easy it was to break into election machines at last year’s gathering. This time around, officials from the US Department of Homeland Security were on hand to learn directly from hackers who find problems with election security. “We’ve been partners with Defcon for years on a lot of various different issues, so we see a lot of value in doing things like this,” Jeanette Manfra, the DHS’s top cybersecurity official, said at Defcon. In her speech, Manfra invited hackers at Defcon to come find her after to talk more about election security. “We’d love it if you worked for us, we’d love it if you worked with us,” she said.

National: House Intel lawmakers introduce bipartisan election security bill | The Hill

Four lawmakers on the powerful House Intelligence Committee, including two Republicans, are introducing legislation to help states secure the nation’s digital election infrastructure against cyberattacks following Russian interference in the 2016 election. The bill, which is a companion to a measure in the upper chamber spearheaded by Sens. James Lankford (R-Okla.) and Amy Klobuchar (D-Minn.), is a direct response to the effort by Moscow’s hackers to target state websites and other systems involved in the electoral process in the run-up to the 2016 vote. “Although the Russian government didn’t change the outcome of the 2016 election, they certainly interfered with the intention of sowing discord and undermining Americans’ faith in our democratic process,” said Rep. Tom Rooney (R-Fla.) in a statement Friday. “There’s no doubt in my mind they will continue to meddle in our elections this year and in the future.” 

National: Voting Rights Advocates Used to Have an Ally in the Government. That’s Changing. | The New York Times

A new voter ID law could shut out many Native Americans from the polls in North Dakota. A strict rule on the collection of absentee ballots in Arizona is being challenged as a form of voter suppression. And officials in Georgia are scrubbing voters from registration rolls if their details do not exactly match other records, a practice that voting rights groups say unfairly targets minority voters. During the Obama administration, the Justice Department would often go to court to stop states from taking steps like those. But 18 months into President Trump’s term, there are signs of change: The department has launched no new efforts to roll back state restrictions on the ability to vote, and instead often sides with them. Under Attorney General Jeff Sessions, the department has filed legal briefs in support of states that are resisting court orders to rein in voter ID requirements, stop aggressive purges of voter rolls and redraw political boundaries that have unfairly diluted minority voting power — all practices that were opposed under President Obama’s attorneys general.

National: Group Files Lawsuit to Challenge Electoral College | Roll Call

A group is suing two red states and two blue states to change the Electoral College system. Former Massachusetts Gov. William Weld, Harvard Law professor Lawrence Lessig and David Boies, who served as former Vice President Al Gore’s lawyer in Bush v. Gore, make up the group according to the Boston Globe. The group is suing two predominantly Democratic states (California and Massachusetts) and two predominantly Republican states (Texas and South Carolina.) They argue the winner-take-all format of the Electoral College disenfranchises numerous voters and that it violates the principle of “one person, one vote.” Boies said the Electoral College system leads to candidates only campaigning to certain groups of voters and ignoring others.

National: At DEF CON ’18, kids as young as 5 challenged to hack election results websites, voting machines | ABC

At DEF CON, one of the world’s largest hacking conferences, hackers clad in black hoodies made headlines last year when they exposed an array of structural vulnerabilities in voting technology, successfully hacking into every voting machine they attempted to breach. This year’s DEF CON kicks off Friday in Las Vegas, and hackers will again have access to dozens of pieces of equipment — voting machines and pollbooks widely used in U.S. elections, including several models they haven’t previously attempted to crack. Children as young as 5 will compete to hack election results websites, and DEF CON has partnered with children’s hacking organization r00tz Asylum to award prizes to the first and youngest kids to breach the sites and hack equipment.

National: Advocates Say Paper Ballots Are Safest | Bloomberg

In June, voting security advocate Marilyn Marks bought four used optical scanners online from the Canadian government for about $2.50 apiece. Her purchase was meant to make a point: The state of Georgia doesn’t have to spend a lot to replace computerized voting machines considered the most vulnerable in the U.S. And it could do so in time for the midterm elections. Marks’s advice: Don’t listen to lobbyists for vendors pushing unnecessarily fancy and expensive voting equipment. Go back to paper ballots. Buy cheap used scanners to read them. Get it done now. “The Department of Homeland Security has said it. Every cyber expert says it,” she says. Voting machines like Georgia’s “are a national security risk.” As government officials warn of continuing cyberattacks intended to disrupt U.S. elections, Georgia is among 14 states heading into Election Day using touchscreen, computerized machines that don’t meet federal security guidelines because they produce no paper record—so voters can’t verify their choices and officials can’t audit the results.

National: Hackers at convention to ferret out election system bugs | Reuters

Def Con, one of the world’s largest hacker conventions, will serve as a laboratory for breaking into voting machines this week, extending its efforts to identify potential security flaws in technology that may be used in the November U.S. elections.  The three-day “Voting Village,” which opens in Las Vegas on Friday, also aims to expose vulnerabilities in devices such as digital poll books and memory-card readers. Def Con held its first voting village last year after U.S. intelligence agencies concluded the Russian government used hacking in its attempt to support Donald Trump’s 2016 candidacy for president. Moscow has denied the allegations.

National: Def Con steps out of the shadows to fight election cyber threat | Financial Times

Hacking democracy was as easy as abcde. When Carsten Schurmann sat down to hack one of the voting machines used instead of paper ballots in the state of Virginia, he used a simple online tool to discover a flaw in the machine that had been public — and remained unfixed — for 14 years. And he already knew the password, because he had found that on the internet, too. The password was abcde. Wearing a short-sleeved shirt and wire-framed glasses, the Danish computer science professor described how simple it had been to get in to the WINvote machine, after which he was able to tamper with the vote tally. “The machines are all vulnerable,” he said. “I’m not a hacker but I tried the first thing and it worked.”

National: Many states are purging voters from the rolls – On election day, stay away | The Economist

In 1965 President Lyndon Johnson signed the Voting Rights Act. Among other things, this required places with a history of discriminating against non-white voters to obtain federal approval before changing the way they conducted elections. In the ensuing decades it narrowed, and in some cases reversed, racial gaps in voting. Congress repeatedly reauthorised the Act, most recently in 2006 for 25 years. But in 2013 the Supreme Court gutted the pre-clearance provision. Since then states that had been bound by it have purged voters from their rolls at a greater rate than other states. That is part of a dramatic rise in voter purges in recent years. Many on the right say such purges and other policies are essential to ensuring electoral integrity. Others see a darker purpose.

National: More Government Websites Encrypt as Google Chrome Warns Users Non-HTTPS Sites are ‘Not Secure’ | Goverment Technology

Google Chrome, the most widely used Internet browser, has officially started warning users that unencrypted Web pages are “not secure.” Among those “not secure,” as of Aug. 9: The front pages of the official government websites for 14 states and four of the nation’s 10 most populous cities. Encryption — most easily represented with an “HTTPS” rather than “HTTP” in front of a site’s Web address — is the practice of encoding data traveling between a website and its visitor so that any third parties who are able to peek into the data don’t know what’s happening. With encryption, users can reasonably expect that their connection is private. Without it, bad actors can do things like steal information and change a Web page’s content without the user realizing it. It has become more or less the standard for the Internet. According to Google, 93 percent of Web traffic on Chrome takes place on encrypted pages. The tech giant started labeling non-HTTPS pages as “not secure” to push laggards toward encryption.

National: U.S. census citizenship question panned by scientists, civil rights groups | Reuters

As the U.S. government closed a public comment period on Wednesday on its plans for the 2020 census, scientists, philanthropists and civil rights groups used the occasion to again criticize plans to include a question about U.S. citizenship. The comment period gave any member of the public a chance to comment on aspects of the census which is a mandatory, once-a-decade count of the U.S. population that next occurs in April 2020. The comments have not yet been published, but some groups and individuals reinforced their opposition to the Trump administration’s plan to ask census respondents whether they are U.S. citizens.

National: Michael McCaul presses Senate to pass critical bipartisan cyber and election security legislation | Washington Times

Warning of continuing threats to U.S. interests across cyberspace, House Homeland Security Chairman Rep. Michael McCaul on Wednesday again urged the Senate to pass legislation intended to rename and reorganize the Department of Homeland Security’s primary cyber protection wing. The proposal, which the House passed in December, would streamline DHS’s primary operation currently overseeing the defense of federal networks and U.S. critical infrastructure from cyber threats, known as the National Protection and Programs Directorate (NPPD). The bill creates a stand-alone organization for that mission with a more logical name, the Cybersecurity and Infrastructure Security Agency (CISA).

National: Trump team isn’t doing enough to deter Russian cyberattacks, according to our panel of security experts | The Washington Post

The White House insists that it’s mounting a robust response to digital offensives against election systems and other critical infrastructure. We asked The Network, a panel of more than 100 cybersecurity leaders from government, academia and the private sector, to share their opinions in our ongoing, informal survey. (You can see the full list of experts here. Some were granted anonymity in exchange for their participation.) Our survey revealed broad doubts among experts about the country’s deterrence strategy, after President Trump chose not to back the U.S. intelligence community’s conclusions that Moscow directed the cyberattacks aimed at disrupting the 2016 presidential election at a July press conference with Russian President Vladimir Putin.

National: “A Horrifically Bad Idea”: Smartphone Voting Is Coming, Just in Time for the Midterms | Vanity Fair

Almost a year ago, the Department of Homeland Security alerted roughly half of all U.S. states that their election systems had been the targets of hackers linked to Russia. Jeanette Manfra, the head of cybersecurity at the Department of Homeland Security, later confirmed the attacks. “We saw a targeting of 21 states and an exceptionally small number of them were actually successfully penetrated,” she told NBC News in February. Even worse, experts have warned that Russia’s attempts at meddling did not end in 2016. “They’re still very active—in making preparations, at least—to influence public opinion again,” Feike Hacquebord, a security researcher at Trend Micro, told the Associated Press in January. The Trump administration, meanwhile, is doing painfully little to prevent future attacks. The president’s repeated denials of Russian meddling is another form of malign neglect. With less than three months to go until Americans return to the polls en masse, the United States remains deeply vulnerable to any hackers who might like to cast a vote of their own.  Enter Voatz. With a name reminiscent of a plot device in Idiocracy, Voatz is a mobile election-voting-software start-up that wants to let you vote from your phone. In the upcoming midterm elections, West Virginians serving overseas will be the first in the U.S. to be able to vote via a smartphone app using Voatz technology, CNN reported Monday. The Boston-based company raised $2.2 million earlier this year, helped along by buzzwords such as “biometrics” and “blockchain,” which it claims allows it to secure the voting process. Its app reportedly requires voters to take and upload a picture of their government-issued I.D., along with a selfie-style video of their face, which facial-recognition technology then uses to ensure the person pictured in the I.D. and the person entering a vote are the same. The ballots are anonymized and recorded on the blockchain.

National: States have a lot of work to do on cybersecurity, and they shouldn’t wait for kids to find the problems | Washington Examiner

Today in Michigan, Ohio, Kansas, Washington, and Missouri, voters head to the polls to vote in primaries. But how safe are state websites with voter information? If you ask the organizers of the kids’ program at DEFCON, the answer is, so unsafe that a kid could probably figure out how to hack it. DEFCON, a top tier cybersecurity conference, has a program for kids called “r00tz,” and this year, part of the agenda is to have them hack replicas of state elections websites. The goal of the event is to both teach the participants basics of hacking, but also scare states into taking action to safeguard web security.

National: Hackers Already Attacking Midterm Elections, Raising U.S. Alarms | Bloomberg

The U.S. midterm elections are at increasing risk of interference by foreign adversaries led by Russia, and cybersecurity experts warn the Trump administration isn’t adequately defending against the meddling. At stake is control of the U.S. Congress. The risks range from social media campaigns intended to fool American voters to sophisticated computer hacking that could change the tabulation of votes. At least three congressional candidates have already been hit with phishing attacks that strongly resemble Russian sabotage in the 2016 campaign. Among them was Senator Claire McCaskill, a Missouri Democrat in one of the year’s most hotly contested races.

National: Cyberattacks Haven’t Stopped but Neither Have Bills to Fight Them | Nextgov

When they took the podium at Thursday’s White House press briefing, national security and intelligence chiefs had one resounding message for the American people: The country is still under attack. “Russia attempted to interfere with the last election and continues to engage in malign influence operations to this day,” said FBI Director Christopher Wray. “This is a threat we need to take extremely seriously and to tackle and respond to with fierce determination and focus.” Wray was joined by Director of National Intelligence Dan Coats, Homeland Security Secretary Kirstjen Nielsen, National Security Agency chief Gen. Paul Nakasone and National Security Adviser John Bolton, all of whom reiterated their commitment to defending against foreign influence campaigns. The briefing came the day after internet researchers urged the government to take more targeted actions against online misinformation campaigns at a Senate Intelligence Committee hearing.

National: Amid cybersecurity fears, tech firms are offering to help secure the U.S. elections for free or at a discount | Fast Company

American democracy is under attack, with foreign spies and trolls throwing wrenches into the workings of U.S. elections—be it attempts to hack candidate websites, scramble voter rolls, or spread fake news on social media platforms. While Washington bickers about whether it’s spending enough on security upgrades ($380 million has been allocated, with Democrats repeatedly asking for more), the overtaxed cities and counties that actually run the polls are scrambling to catch up. Although Silicon Valley has come under fire for its role in recent elections around the world, enabling the social media vandalism of 2016, for instance, several tech firms are now stepping up to boost election security with free or discounted services. “We saw that tech was being used to undermine elections. And the question was, could we be a tech company that was helping to provide our services to help support those elections?” says Matthew Prince, CEO of the content-delivery network and security service Cloudflare.