National: Is the Path to Secure Elections Paved With Open Source Code? | LinuxInsider

Increased use of open source software could fortify U.S. election system security, according to an op-ed published last week in The New York Times.Former CIA head R. James Woolsey and Bash creator Brian J. Fox made their case for open source elections software after security researchers demonstrated how easy it was to crack some election machines in the Voting Machine Hacking Village staged at the recent DefCon hacking conference in Las Vegas. … "They confirmed what we already knew," said James Scott, a senior fellow at the Institute for Critical Infrastructure Technology. "These are extremely vulnerable machines." "Think of what a voting machine is," he told LinuxInsider. "It's a 1980s PC with zero endpoint security in a black box where the code is proprietary and can't be analyzed." Although the researchers at DefCon impressed the press when they physically hacked the voting machines in the village, there are more effective ways to crack an election system. "The easiest way to hack an election machine is to poison the update on the update server at the manufacturer level before the election," Scott explained. "Then the manufacturer distributes your payload to all its machines for you."

National: DefCon hackers made short work of voting machines. Now what? | GCN

The news coming out of last month’s DefCon hacker conference in Las Vegas was not good for voting machine manufacturers -- and unsettling for election officials. A "voting village" was set up where hackers tested the security of about a dozen voting machines. They made their way into every single one. Eric Hodge, director of consulting at CyberScout, helped plan the event. There had been plenty of discussion about the security of these machines, he said. American intelligence officials concluded last year that Russia interfered with the 2016 presidential election, but many state election officials  argued that their voting machines were secure because they were not connected to the internet. The DefCon voting village was set up to actually test the physical machines, which Hodge said never experience much penetration testing. In their testing debut, they didn’t fare too well. … Within minutes, some of the machines were hacked.  “These guys are good," Hodge said. "But, you know, so are the Russians.”

National: Could voting fraud panel create an easy target for hackers? | Associated Press

Officials from both parties had a consistent answer last year when asked about the security of voting systems: U.S. elections are so decentralized that it would be impossible for hackers to manipulate ballot counts or voter rolls on a wide scale. But the voter fraud commission established by President Donald Trump could take away that one bit of security. The commission has requested information on voters from every state and recently won a federal court challenge to push ahead with the collection, keeping it in one place. By compiling a national list of registered voters, the federal government could provide one-stop shopping for hackers and hostile foreign governments seeking to wreak havoc with elections. "Coordinating a national voter registration system located in the White House is akin to handing a zip drive to Russia," said Kentucky Secretary of State Alison Lundergan Grimes, a Democrat who has refused to send data to the commission.

National: Amid DHS leadership shuffle, voting systems remain vulnerable | FCW

Even with the widespread attention and federal protections provided to election systems, state and federal officials alike have concerns that U.S. election systems remain vulnerable to digital meddling. In the final days of the Obama administration, then-Department of Homeland Security Secretary Jeh Johnson formally designated state election assets as U.S. critical infrastructure in response to digital floods of misinformation, as well as Russian cyber espionage on an election software vendor and spear-phishing attempts against local election officials during the lead-up to the November 2016 presidential election. The move allowed state governments to ask DHS for help on a voluntary basis in securing their election infrastructure, but was met with resistance from many state officials and some members of Congress. Amid this resistance -- and the current shuffle in DHS leadership -- Johnson expressed fear on CBS's Face the Nation Aug. 6 that voting systems remain vulnerable to digital meddling. "I'm concerned that we are almost as vulnerable, perhaps, now as we were six, nine months ago," he said.

National: Trump Campaign Turns Over Thousands of Documents in Russia Probe | Bloomberg

Donald Trump’s presidential campaign, his son Donald Trump Jr. and former campaign manager Paul Manafort have started turning over documents to the Senate Judiciary Committee as part of the panel’s expanded investigation of Russian election-meddling. The Trump campaign turned over about 20,000 pages of documents on Aug. 2, committee spokesman George Hartmann said Tuesday. Manafort provided about 400 pages on Aug. 2, including his foreign-advocacy filing, while Trump Jr. gave about 250 pages on Aug. 4, Hartmann said. The committee had asked them last month to start producing the documents by Aug. 2. A company the Judiciary panel says has been linked to a salacious "dossier" on Trump, Fusion GPS, and its chief executive officer, Glenn Simpson, have yet to turn over any requested documents, Hartmann said.

National: Voting System Hacks Prompt Push for Paper-Based Voting | Information Week

Calls for paper-based voting to replace computer-based systems at the DEF CON hacker conference have intensified in the wake of a wave of voting machine hacks earlier this month. … "It's undeniably true that systems that depend on software running in a touchscreen voting machine can't be relied on," Voting Village organizer Matt Blaze said in a Facebook Live feed hosted by US congressmen Will Hurd (R-Texas) and James Langevin (D-R.I.), in the aftermath of the DEF CON hacks. "We need to switch to systems that don't depend on software," said Blaze, a renowned security expert who is a computer science professor at the University of Pennsylvania. Blaze recommends OCR-based systems using paper ballots that provide an audit trail for counting and confirming votes. … "We know that computers can be hacked. What surprised me is that they did it so quickly" with the voting machines at DEF CON, says computer scientist Barbara Simons, president of Verified Voting. "One of the things that 2016 made quite clear is that we have very vulnerable voting systems and we don't do a good job" of protecting them, Simons says. "So we exposed ourselves, and we haven't taken the necessary steps to protect ourselves."

National: DHS Reassures States it Won’t Step on Election Authority | MeriTalk

he designation of the nation’s election systems as critical infrastructure will not infringe upon state and local authority to run elections. In a recent memo to Senate Homeland Security and Governmental Affairs Committee Members, Ranking Member Claire McCaskill, D-Mo., relayed communications from the Department of Homeland Security that reiterated that fact. “This designation does not allow for technical access by the Federal Government into the systems and assets of election infrastructure, without voluntary legal agreements made with the owners and operators of these systems,” DHS told McCaskill, also confirming that there is no intention to change that critical infrastructure designation. “This dynamic is consistent with engagements between the Federal Government and other previously established critical infrastructure sectors and subsectors.”

National: Hacking the Vote: Why Voting Systems Aren’t as Secure as You Might Think | KQED

Defcon is the annual hacker conference in Vegas and the buzz this year centered around the Voting Machine Hacking Village. A dozen electronic voting machines, like you might see at your local polling place, were set up along the walls of a conference room. In the center were tables where hackers took some machines apart. … In fact, until 2015, hacking voting machines — even to do research — was against the law unless you got a special waiver, said Matt Blaze, a computer science professor at the University of Pennsylvania. “So far, only a few dozen people who are computer scientists thinking about this have been able to get access to these machines,” Blaze said. Blaze helped set up the voting village at Defcon. A decade ago he obtained a waiver to study electronic voting machines in California and Ohio. “And my team of graduate students and I were able to very quickly discover a number of really serious and exploitable problems with those systems,” he said.

National: The justices tackle partisan gerrymandering again: In Plain English | SCOTUSblog

Justice Ruth Bader Ginsburg has suggested that it might be the most important case of the upcoming term. On October 3, the Supreme Court will hear oral argument in Gill v. Whitford, a challenge to the redistricting plan passed by Wisconsin’s Republican-controlled legislature in 2011. A federal court struck down the plan last year, concluding that it violated the Constitution because it was the product of partisan gerrymandering – that is, the practice of purposely drawing district lines to favor one party and put another at a disadvantage. The challengers argue that the redistricting plan would allow Republicans to cement control of the state’s legislature for years to come, even if popular support for the party wanes; the lower court’s decision, they contend, merely corrected “a serious democratic malfunction that would otherwise have gone unremedied.” By contrast, the state of Wisconsin counters that if the lower court’s decision is allowed to stand, it will open the door to “unprecedented intervention in the American political process.”

National: Jeh Johnson worries U.S. still “vulnerable” to election meddling | CBS

Former Homeland Security Secretary Jeh Johnson said Sunday he is concerned that the U.S. remains "vulnerable" to election meddling, and that the cyber threat facing the U.S. is "going to get worse before it gets better." "The Department of Homeland Security very much was on alert on Election Day and in the days leading up to it, along with the FBI. And we were very concerned," Johnson said on CBS News' "Face the Nation." He said that "a number of vulnerabilities" in election infrastructure were identified and addressed. "But that process needs to continue," he said. "I'm concerned that we are almost as vulnerable perhaps now as we were six, nine months ago."

National: States ramping up defenses against election hacks | The Hill

States across the nation are ramping up their digital defenses to prevent the hacking of election systems in 2018. The efforts come in the wake of Russia’s interference in the 2016 presidential election, which state officials say was a needed wake up call on cybersecurity threats to election systems and infrastructure. … Security experts are still divided over the extent of hacking risks to actual voting machines. Some say that because many different voting machines are used across the country and because they are not connected to the internet, that would make any large scale attack hard to carry out. … But others contend that digital voting machines are vulnerable and could be targeted to influence actual election outcomes. “Some election functions are actually quite centralized,” Alex Halderman, a University of Michigan computer science professor, told the Senate Intelligence Committee in June. “A small number of election technology vendors and support contractors service the systems used by many local governments. Attackers could target one or a few of these companies and spread malicious code to election equipment that serves millions of voters.”

National: Voting Machine Hackers Have 5 Tips to Save the Next Election | WIRED

American Democracy depends on the sanctity of the vote. In the wake of the 2016 election, that inviolability is increasingly in question, but given that there are 66 weeks until midterm elections, and 14 weeks until local 2017 elections, there's plenty of time to fix the poor state of voting technology, right? Wrong. To secure voting infrastructure in the US in time for even the next presidential election, government agencies must start now. At Def Con 2017 in Las Vegas, one of the largest hacker conferences in the world, Carsten Schurmann (coauthor of this article) demonstrated that US election equipment suffers from serious vulnerabilities. It took him only a few minutes to get remote control of a WINVote machine used in several states in elections between 2004 and 2015. Using a well-known exploit from 2003 called MS03-026, he gained access to the vote databases stored on the machine. This kind of attack is not rocket science and can be executed by almost anyone. All you need is basic knowledge of the Metasploit tool.

National: To Fix Voting Machines, Hackers Tear Them Apart | WIRED

The toughest thing to convey to newcomers at the DefCon Voting Village in Las Vegas this weekend? Just how far they could go with hacking the voting machines set up on site. "Break things, just try to pace yourself," said Matt Blaze, a security researcher from the University of Pennsylvania who co-organized the workshop. DefCon veterans were way ahead of him. From the moment the doors opened, they had cracked open plastic cases and tried to hot-wire devices that wouldn't boot. Within two minutes, democracy-tech researcher Carsten Schürmann used a novel vulnerability to get remote access to a WINVote machine. The Voting Village organizers—including Harri Hursti, an election technology researcher from Finland, and Sandy Clark from the University of Pennsylvania—had set up about a dozen US digital voting machines for conference attendees to mess with. Some of the models were used in elections until recently and have since been decommissioned; some are still in use. Over three days, attendees probed, deconstructed and, yes, even broke the equipment in an effort to understand how it works and how it could be compromised by attackers. Their findings were impressive, but more importantly, they represented a first step toward familiarizing the security community with voting machines and creating momentum for developing necessary defenses.

National: Federal judge denies Common Cause effort to block Trump fraud commission | The Washington Post

A federal judge on Tuesday declined to temporarily bar President Trump’s voting commission from collectingvoter data from states and the District, saying a federal appeals court likely will be deciding the legality of the request. U.S. District Judge Royce C. Lamberth of the District denied an emergency motion by Common Cause, a nonprofit government watchdog group. The group alleged the request for voting history and political party affiliation by the Trump administration violates a Watergate-era law that prohibits the government from gathering information about how Americans exercise their First Amendment rights. Lamberth advised the group to flesh out its claims by documenting the commission’s activity at a recent July 19 meeting while the lawsuit continues.

National: 33 states accepted Department of Homeland Security aid to secure elections | The Hill

The Department of Homeland Security (DHS) provided cybersecurity assistance to 33 state election offices and 36 local election offices leading up to the 2016 presidential election, according to information released by Democratic congressional staff. During the final weeks of the Obama administration, the DHS announced that it would designate election infrastructure as critical, following revelations about Russian interference in the 2016 election. Since January, two states and six local governments have requested cyber hygiene scanning from the DHS, according to a memo and DHS correspondence disclosed Wednesday by the Democratic staff of the Senate Homeland Security and Governmental Affairs Committee. The information is related to the committee’s ongoing oversight of the DHS decision to designate election infrastructure. 

National: DEFCON Hackers Found Many Holes in Voting Machines and Poll Systems | IEEE Spectrum

E-voting machines and voter registration systems used widely in the United States and other countries’ elections can readily be hacked—in some cases with less than two hours’ work. This conclusion emerged from a three-day-long hackathon at the Def Con security conference in Las Vegas last weekend. Some of those hacks could potentially leave no trace, undercutting the assurances of election officials and voting machine companies who claim that virtually unhackable election systems are in place. … “These people who hacked the e-poll book system, when they came in the door they didn’t even know such a machine exists. They had no prior knowledge, so they started completely from scratch,” says Harri Hursti, Hacking Village co-coordinator and data security expert behind the first hack of any e-voting system in 2005.

National: State Voter Registration Systems Are Easier to Hack Than Anyone Wants to Admit | Mother Jones

Last weekend at the DEF CON conference—the annual get together for hackers, spooks, and computer enthusiasts—hackers showed how easily voting machines could be hacked, proving once more how vulnerable they are to cyber attacks. But conference organizers did not restrict the electoral hacking demonstration to voting machines. A virtual voter registration data base was also attacked, and defended, which experts say is just as worrisome. “If you look at all of the reports about foreign actors, malicious actors attacking US election infrastructure in the last election, they were not attacking the election machines,” Harri Hursti, an expert in hacking voting machines, and one of the co-organizers of the voting machine hacking exercises, tells Mother Jones. “They were attacking the back-end network, the underlying infrastructure. This was the simulation that showed how vulnerable [it is] and how hard it is to defend.”

National: Special Counsel Robert Mueller Impanels Washington Grand Jury in Russia Probe | The New York Times

Robert S. Mueller III, the special counsel investigating Russia’s attempts to disrupt last year’s presidential election, has issued subpoenas from a Washington-based grand jury in recent weeks, according to several lawyers involved in the case. At least some of the subpoenas were for documents related to the business dealings of Michael T. Flynn, the retired general who briefly served as President Trump’s national security adviser. Mr. Flynn is under investigation for foreign lobbying work, as well as for conversations he had during the transition with Sergey I. Kislyak, who was Russia’s ambassador to the United States. Mr. Mueller’s team is broadly investigating whether any Trump associates colluded with the Russian government in its attempts to disrupt the election. It is unclear whether the subpoenas issued in recent weeks relate to other members of Mr. Trump’s campaign who have been a focus of the Mueller investigation, including Paul J. Manafort, the former campaign chairman.

National: New lawsuits cite Trump comments, tweets to challenge fraud panel | CNN

Opponents of President Donald Trump's voting integrity commission are seeking to hamstring the effort in court, filing three lawsuits Monday that say the panel is running afoul of federal laws -- and introducing Trump's heated rhetoric against him in court. The new lawsuits add to the legal challenges against the Presidential Advisory Commission on Election Integrity, which recently sent a letter to all 50 states that included a request for voter roll information, including parts of Social Security numbers, that alarmed states and voters. The letter asked for all "publicly available" data, but the long list of pieces of information sought, including the last four digits of Social Security numbers, included several elements that very few states, if any, say they can legally comply with. One lawsuit targets on the request for voter information as a violation of privacy, while the other two focus more generally on whether the commission has been violating government transparency laws.

National: Hacking voting machines takes center stage at DEFCON | Tech Target

"Anyone who says they're un-hackable is either a fool or a liar." Jake Braun, CEO of Cambridge Global Advisors and one of the main organizers of the DEFCON Voting Village, said the U.S. election industry has an attitude similar to what had been seen with the air and space industry and financial sectors. Companies in those sectors, Braun said, would often say they were un-hackable their machines didn't touch the internet and their databases were air-gapped --  until they were attacked by nation-states with unlimited resources and organized cybercrime syndicates and they realized they were "sitting ducks." … Candice Hoke, law professor and co-director of the Center for Cybersecurity and Privacy Protection, said in a DEFCON talk the laws surrounding investigations of potential election hacking were troublesome. "In some states, you need evidence of election hacking in order to begin an investigation. This is an invitation to hackers," Hoke said. "We all know in the security world that you can't run a secure system if no one is looking."

National: New website aims to track Russian-backed propaganda on Twitter | Reuters

A website launched on Wednesday seeks to track Russian-supported propaganda and disinformation on Twitter, part of a growing non-governmental effort to diminish Moscow's ability to meddle in future elections in the United States and Europe. The "Hamilton 68" dashboard (here) was built by researchers working with the Alliance for Securing Democracy, a bipartisan, transatlantic project set up last month to counter Russian disinformation campaigns. The website, supported by the German Marshall Fund, displays a "near real-time" analysis of English-language tweets from a pool of 600 Twitter accounts that analysts identified as users that spread Russian propaganda.

National: Voting machines and election systems – a quick look | Associated Press

Digital voting machines are in the spotlight in Venezuela, where the head of Smartmatic, a maker of election systems used in the country's tumultuous constituent-assembly election, said Wednesday that the official turnout figure had been "tampered with ." The company's CEO said the count was off by at least 1 million votes — possibly in either direction. Tibisay Lucena, head of Venezuela's National Electoral Council, dismissed that allegation as an "irresponsible declaration" that might lead to legal action. The government-stacked electoral council claims more than 8 million people voted in the election for a nearly all-powerful constituent assembly. Independent analysts have expressed doubts at that number. Here's a look at the technology and politics of voting machines and election systems. The voting-machine market is a speck in the prodigious tech sector. Iowa University computer scientist Douglas Jones estimates its annual revenues in the United States at less than $200 million — roughly what Google pulls in every day. It's much harder to get reliable information about the fragmented global market for election systems.

National: Hackers Eviscerate Election Tech Security…Who’s Surprised? | WhoWhatWhy

Over the past two days, all major US news outlets breathlessly reported that hackers in Las Vegas needed little time to expose the security flaws of several types of voting machines this weekend. While it is certainly nice to see the mainstream media cover election integrity issues more than once every four years, anybody following the topic, as WhoWhatWhy routinely does, was hardly surprised that the hackers were so successful. How do we know? Because, in anticipation of what happened at the DEF CON hacking conference, WhoWhatWhy spoke to many of the leading election integrity experts to get their thoughts on the event. Most of them expressed hope that the hackers would raise much-needed awareness of the vulnerabilities of US voting machines. Some of the experts we spoke to ahead of the event expressed concerns that, should the hackers fail to breach the machines, it would give people a false sense of security. It turns out that they did not have to worry about that — at all.

National: Congressmen at DefCon: Please help us, hackers! | The Parallax

For the first time in the 25 years of the world’s largest hacker convention, DefCon, two sitting U.S. Congressmen trekked here from Washington, D.C., to discuss their cybersecurity expertise on stage. Rep. Will Hurd, a Texas Republican, and Rep. Jim Langevin, a Rhode Island Democrat, visited hacking villages investigating vulnerabilities in cars, medical devices, and voting machines; learned about how security researchers plan to defend quantum computers from hacks; and met children learning how to hack for good. … Hurd said security researchers could play an important role in addressing increasingly alarming vulnerabilities in the nation’s voting apparatus. DefCon’s first voting machine-hacking village this weekend hosted a voting machine from Shelby County, Tenn., that unexpectedly contained personal information related to more than 600,000 voters. Village visitors managed to hack the machine, along with 29 others.

National: Kobach appeals order to answer questions under oath | The Kansas City Star

Kansas Secretary of State Kris Kobach is seeking to avoid answering questions under oath about two documents containing plans for changes to U.S. election law. Kobach, who also is vice chairman of President Donald Trump’s commission on election integrity, filed a notice late Monday saying he is appealing to the 10th U.S. Circuit Court of Appeals an order to submit to a deposition by the American Civil Liberties Union in a voting rights case. The closed deposition is scheduled for Thursday. The ACLU said Tuesday that Kobach’s appeal of the deposition order to the 10th Circuit is “bizarre.”Kansas Secretary of State Kris Kobach is seeking to avoid answering questions under oath about two documents containing plans for changes to U.S. election law. Kobach, who also is vice chairman of President Donald Trump’s commission on election integrity, filed a notice late Monday saying he is appealing to the 10th U.S. Circuit Court of Appeals an order to submit to a deposition by the American Civil Liberties Union in a voting rights case. The closed deposition is scheduled for Thursday. The ACLU said Tuesday that Kobach’s appeal of the deposition order to the 10th Circuit is “bizarre.”

National: Hackers at a cybersecurity conference breached dozens of voting machines | Business Insider

Professional hackers were invited to break into dozens of voting machines and election software at this year's annual DEFCON cybersecurity conference. And they successfully hacked every single one of the 30 machines acquired by the conference. The challenge was held at DEF CON's "Voting Village," where hackers took turns breaching ten sample voting machines and voter registration systems, Politico reported. … "Follow the money," Harri Hursti, the cofounder of Nordic Innovation Labs, which helped organize DEF CON, told The Hill. "On the other end of the ballot, that’s where the money is — banks and roads." Hodge said that if officials take care to "store machines, set them up, [and] always have someone keeping an eye on machines," that could go a long way in ensuring the safety of the electoral process.

National: To make our voting tech more secure, policymakers may need to work with the people who can break in them | KPCC

After acquiring a decommissioned voting machine, Anne-Marie “Punky” Chun and her colleagues at Synack set out to hack it. It took them only a matter of hours. “Just looking at the security hygiene, it wasn't very strong,” Chun told Take Two host A Martinez in an interview. “The encryption password, for example, was hard-coded as ‘ABCD.' And it was used on the whole machine." Chun and her team test cyber security in, arguably, the most effective way: by breaking in themselves. So when they though about the best way to check the security of election data, they knew they had to find a voting machine, and preferably an older one.

National: Federal judge set to hear new challenge to Trump fraud commission Tuesday | The Washington Post

A federal judge will hear arguments Tuesday over whether a Watergate-era law prohibiting the government from collecting data on how Americans exercise their First Amendment rights bars President Trump’s Election Integrity Commission from American’s voting records. U.S. District Judge Royce C. Lamberth of the District set the hearing Monday after Common Cause, a nonprofit government watchdog group, alleged that the Trump administration was violating the Privacy Act of 1974 by seeking the “quintessentially First Amendment-protected political party affiliation and voter history data” of every American. The court could rule on the request for a temporary restraining order as early as Tuesday.

National: DHS is refusing to investigate possible breach of voting machines | Business Insider

Pressure to examine voting machines used in the 2016 election grows daily as evidence builds that Russian hacking attacks were broader and deeper than previously known. And the Department of Homeland Security has a simple response: No. DHS officials from former secretary Jeh Johnson to acting Director of Cyber Division Samuel Liles may be adamant that machines were not affected, but the agency has not in fact opened up a single voting machine since November to check. Asked about the decision, a DHS official told TPM: "In a September 2016 Intelligence Assessment, DHS and our partners determined that there was no indication that adversaries were planning cyber activity that would change the outcome of the coming US election." According to the most recent reports, 39 states were targeted by Russian hackers, and DHS has cited–without providing details–domestic attacks in its own reports as well. "Although we continue to judge all newly available information, DHS has not fundamentally altered our prior assessments," the department told TPM.

National: Every Voting Machine at This Hacking Conference Got Totally Pwned | Gizmodo

A noisy cheer went up from the crowd of hackers clustered around the voting machine tucked into the back corner of a casino conference room—they’d just managed to load Rick Astley’s “Never Gonna Give You Up” onto the WinVote, effectively rickrolling democracy. The hack was easy to execute. Two of the hackers working on the touchscreen voting machine, who identified only by their first names, Nick and Josh, had managed to install Windows Media Player on the machine and use it to play Astley’s classic-turned-trolling-track. … The security industry encourages regular software updates to patch bugs and keep machines as impenetrable as possible. But updating the machines used in voting systems isn’t as easy as installing a patch because the machines are subject to strict certification rules.