National: DEF CON hackers’ dossier on US voting machine security is just as grim as feared | The Register

Hackers probing America’s electronic voting systems have painted an astonishing picture of the state of US election security, less than six weeks before the November midterms. The full 50-page report [PDF], released Thursday during a presentation in Washington DC, was put together by the organizers of the DEF CON hacking conference’s Voting Village. It recaps the findings of that village, during which attendees uncovered ways resourceful miscreants could compromise electoral computer systems and change vote tallies. In short, the dossier outlines shortcomings in the electronic voting systems many US districts will use later this year for the midterm elections. The report focuses on vulnerabilities exploitable by scumbags with physical access to the hardware. “The problems outlined in this report are not simply election administration flaws that need to be fixed for efficiency’s sake, but rather serious risks to our critical infrastructure and thus national security,” the report stated. “As our nation’s security is the responsibility of the federal government, Congress needs to codify basic security standards like those developed by local election officials.”

National: Hackers warn about election security ahead of midterms | CNN

The vulnerabilities in America’s voting systems are “staggering,” a group representing hackers warned lawmakers on Capitol Hill on Thursday — just over a month before the midterm elections. The findings are based on a project at the Voting Village at the Def Con hacking conference held in Las Vegas last month, where hackers were invited to attempt to break into voting machines and other equipment used in elections across the country. The hacking group claims they were able to break into some voting machines in two minutes and that they had the ability to wirelessly reprogram an electronic card used by millions of Americans to activate a voting terminal to cast their ballot. “This vulnerability could be exploited to take over the voting machine on which they vote and cast as many votes as the voter wanted,” the group claims in the report.

National: Questions on Pompeo’s certainty about secure midterms | Politico

Secretary of State Mike Pompeo on Wednesday said there was “no question” the U.S. midterm elections would be safe from foreign interference, a level of certitude that is … shall we say, not widely shared? “That’s a dangerous level of confidence for someone in that position to have,” Alex Halderman, a University of Michigan computer science professor at the forefront of the election security debate, told MC. Halderman said that perhaps intelligence sources might not see any indications of foreign planning to further disrupt elections, but “frankly, you don’t know what you don’t know.” Democratic Rep. Mike Quigley said this about Pompeo: “I wish I could be so confident.” Robert Johnston, credited with discovering the DNC hack while working at CrowdStrike and now CEO of Adlumin, told MC there are already signs Russia has interfered in the 2018 races. Some of the suspect incidents have surfaced in California’s congressional races and the U.S. Senate.

National: Widely Used Election Systems Are Vulnerable to Attack, Report Finds | Wall Street Journal

Election machines used in more than half of U.S. states carry a flaw disclosed more than a decade ago that makes them vulnerable to a cyberattack, according to a report to be delivered Thursday on Capitol Hill. The issue was found in the widely used Model 650 high-speed ballot-counting machine made by Election Systems & Software LLC, the nation’s leading manufacturer of election equipment. It is one of about seven security problems in several models of voting equipment described in the report, which is based on research conducted last month at the Def Con hacker conference. The flaw in the ES&S machine stood out because it was detailed in a security report commissioned by Ohio’s secretary of state in 2007, said Harri Hursti, an election-security researcher who co-wrote both the Ohio and Def Con reports. “There has been more than plenty of time to fix it,” he said.

National: The dark web is where hackers buy the tools to subvert elections | CBS

Voter data and the digital weapons hackers use to subvert elections are bought and sold daily on a corner of the internet known as the dark web. It is a network of websites that is tough to access but functions much like the internet we use every day. You can buy everything from guns and drugs to botnets and ransomware. And cyber-criminals can purchase voter records and hacking tools. The dark web is not accessible using typical web browsers like Chrome or Safari. Instead, you are required to log on using a virtual private network, or VPN, and the Tor web browser. Tor is an acronym for “the onion router.” Every computer has an identifying IP address, and the Tor browser can help shield your machine’s location by sending info through several layers of servers.

National: FEC data shows candidates hit snooze button on hacker threat, saying defending cyberattacks is hard | McClatchy

With some 40 days remaining to the crucial midterm elections, signs of digital meddling in campaigns are mounting. But most candidates have spent little or nothing on cybersecurity, and say it’s too hard and expensive to focus on hacking threats with all the other demands of running for office. Only six candidates for U.S. House and Senate spent more than $1,000 on cybersecurity through the most recent Federal Election Commission filing period. Yet those who monitor intrusions and digital mayhem say hackers are active. And various reports cite at least three candidates still in races or ousted in primaries were suffering attempted breaches of their campaigns. “We get things literally every day to my team … to investigate everything from phishing attacks to ‘We think our data was breached’ to ‘We think there was a denial of service attack’ to ‘Someone’s listening on our cell phones.’ So we get, like, the whole range of things every single day,” said Raffi Krikorian, chief technology officer for the Democratic National Committee, the party’s governing body.

National: Native Americans Fight Back at the Ballot Box | Stateline

Tara Benally and her 16-year-old son Delaney After Buffalo set up a plastic table alongside the last dusty highway intersection before the Arizona state line. Here in Monument Valley, in the shadows of the towering red rock monoliths sacred among the Navajo, the two are doing something that’s rarely been done in this part of Utah: conducting a voter registration drive for local Native Americans. For the first time, Navajo and Utes living here have a chance at being fully represented at the local level when they vote in November. Even though Native Americans are the majority in this 14,750-person county, slightly edging out whites, county commissioner and school board district lines were gerrymandered to give white voters disproportionate power for more than three decades.

National: Without offering evidence, Trump accuses China of interfering in U.S. midterm elections | The Washington Post

President Trump on Wednesday directly accused China of interfering in the U.S. midterm elections this fall in retaliation for the ongoing trade war between Washington and Beijing, marking a new front in the deepening hostilities that have threatened to upend bilateral relations. The president made the allegation during his opening remarks at a U.N. Security Council meeting on nonproliferation, asserting that China “has been attempting to interfere in our upcoming 2018 election, coming up in November, against my administration. They do not want me or us to win because I am the first president to ever challenge China on trade, and we are winning on trade — we are winning on every level. We don’t want them to meddle or interfere in our upcoming election.”

National: The Crisis of Election Security | The New York Times

It was mid-July 2016 when Neil Jenkins learned that someone had hacked the Illinois Board of Elections. Jenkins was a director in the Office of Cybersecurity and Communications at the Department of Homeland Security, the domestic agency with a congressional mandate to protect “critical infrastructure.” Although election systems were not yet formally designated as such — that wouldn’t happen until January 2017 — it was increasingly clear that the presidential election was becoming a national-security issue. Just a month before, Americans had been confronted with the blockbuster revelation that Russian government actors had hacked the Democratic National Committee’s servers and stolen private email and opposition research against Donald Trump, the Republican presidential candidate. And now, it emerged, someone was trying to infiltrate the election system itself. The Illinois intruders had quietly breached the network in June and spent weeks conducting reconnaissance. After alighting on the state’s voter-registration database, they downloaded information on hundreds of thousands of voters. Then something went wrong, and the attackers crashed a server, alerting officials to their presence.

National: Election security bill won’t pass ahead of midterms, says key Republican | The Hill

Sen. James Lankford (R-Okla.) said Tuesday that a bipartisan election security bill won’t be passed by Congress ahead of November’s midterm elections. Lankford told The Hill that the text of the bill, known as the Secure Elections Act, is still being worked out. And with the House only being in session for a limited number of days before the elections, the chances of an election security bill being passed by then are next to none. “The House won’t be here after this week so it’s going to be impossible to get passed,” Lankford said of the bill.

National: Why lawmakers’ personal accounts are a prime target for foreign hackers | The Washington Post

Foreign government hackers are continuing their assault on the personal email accounts used by lawmakers and congressional staff — and cybersecurity experts are warning that Congress is ill-equipped to deal with the problem. The issue got fresh attention last week, when Sen. Ron Wyden (D-Ore.) revealed — and Google later confirmed — that an unspecified number of senators’ and Senate staff members’ private email accounts were targeted by foreign hackers, as my colleague Karoun Demirjian reported. In a letter to Senate leadership, Wyden said the Senate sergeant-at-arms, the chamber’s main cybersecurity authority, wouldn’t assist them because the cyberattacks didn’t involve official accounts or devices. The threats against personal accounts are well known. The major hacks of Democratic officials during the 2016 election involved nonofficial emails, and officials as high-ranking as White House Chief of Staff John F. Kelly have had their personal accounts hacked. But Congress hasn’t taken action to safeguard their own despite intelligence officials’ warnings that foreign adversaries are still trying to disrupt U.S. politics. The risks hackers will steal or leak information only increase the longer lawmakers wait to secure their personal accounts, said Daniel Schuman, co-founder of the Congressional Data Coalition, which seeks to improve the way Congress stores and shares information online.

National: Report outlines keys to election security | MIT News

The most secure form of voting technology remains the familiar, durable innovation known as paper, according to a report authored by a group of election experts, including two prominent scholars from MIT. The report, issued by the National Academies of Science, Engineering, and Medicine, is a response to the emerging threat of hackers targeting computerized voting systems, and it comes as concerns continue to be aired over the security of the U.S. midterm elections of 2018. The U.S. has a decentralized voting system, with roughly 9,000 political jurisdictions bearing some responsibility for administering elections. However, for all that variation, and while many questions are swirling around election security, the report identifies some main themes on the topic.

National: Congress poised to allow DHS to take the lead on federal cybersecurity | The Washington Post

After years of debate, Congress is poised to vote on legislation that would cement the Department of Homeland Security’s role as the government’s main civilian cybersecurity authority. The Cybersecurity and Infrastructure Security Agency Act, which has been in the works since the Obama administration, would give the department a stand-alone cybersecurity agency with the same stature as other DHS units, such as the Federal Emergency Management Agency. The Senate could vote on the bill, which passed in the House last year, as early as this week as it takes up a slew of cybersecurity-related legislation. Approving the legislation would mark a major shift in Congress’s views on whether DHS should lead the government’s efforts to protect federal computer networks, power plants and other critical infrastructure from digital attacks. Attempts to make DHS the government’s civilian cybersecurity hub have stalled amid resistance from some lawmakers who say the relatively young agency isn’t as well equipped to deal with cyberthreats as the National Security Agency or the FBI.

National: Paper backups and audits: Officials preparing for midterms | GCN

With midterm elections right around the corner, election officials say they’re focused on putting contingency plans in place so voting can continue even if systems are disrupted. Edgardo Cortés, the former Virginia Commissioner of Elections and current Election Security Advisor at the Brennan Center for Justice, said he is focused on low-tech plans to ensure voting continues to take place. These plans include having enough provisional ballots and having a back-up paper poll book at each voting location — “things that will keep the process going and allow people to vote even if we end up with a worst-case situation,” Cortés said at a Sept. 24 Brennan Center event.

National: Risk Limiting Audits (RLAs) Gain Traction With State & Local Election Officials In Advance Of 2018 U.S. Midterm Elections | Free & Fair

To guard against the multitude of election security threats ahead of the 2018 U.S. midterms, state and local jurisdictions are turning to Risk Limiting Audits (RLAs). Two of the more notable RLA initiatives – State of Colorado and Orange County, Ca. – leverage software developed by election technology startup Free & Fair. A Risk Limiting Audit is an evidence-based method that checks the integrity of election tabulation outcomes by comparing a random manual recount sampling of paper ballots to their corresponding digital versions. RLAs are better and more efficient than the random post-election audits used by jurisdictions today, because they generally require a smaller number of ballots to be audited but still provide a much higher statistical probability that the outcome is correct. In November 2017, Colorado completed the first U.S. statewide set of risk-limiting post-election audits in binding elections – with all 56 Colorado counties that had a November election passing. State of Colorado recently earned the Government Innovation Award for its pioneering use of RLAs in binding elections. Free & Fair, which offers transparent, cyber secure and verifiable election systems, developed the software tools for this first U.S. statewide implementation of RLAs beginning with the November 2017 general election.

National: It’s National Voter Registration Day: How to make your voice heard | ABC

At a time when our nation seems so polarized by politics, National Voter Registration Day is something we can all get behind, no matter who we’re voting for. Ahead of the midterm elections, “Good Morning America” is highlighting some ways you can make sure your voice is heard, and how some organizations are stepping up to show there is no excuse to not hit the polls this November. …  Stephanie Young, a spokesperson for the nonpartisan organization When We All Vote, which is co-chaired by former first lady Michelle Obama, told “GMA” that it is important to make voting a “collective” activity.

National: If There Is Meddling With The Midterms, Local Voting Officials May Be To Blame | Buzzfeed

The good news is that the thousands of county and municipal governments that administer elections across the US have a variety of effective cybersecurity programs available to them, free of charge. The bad news is that the vast majority don’t use any of them. In the complex debate about US election security, the focus tends to be on campaigns, parties, states, voting equipment manufacturers, and national trends. But the literal administration of elections, like the printing of ballots, coordinating poll workers, and organizing polling places, falls to more than 10,000 county clerks and local municipalities, according to the nonprofit organization Verified Voting. And those are the people the Department of Homeland Security would like to sign up for its cybersecurity program.

National: Thousands at risk from rightwing push to purge eligible voters from US rolls | The Guardian

In June last year, Luis, a resident of Virginia, was astonished to discover that his name and personal details, including home address, had been posted on the internet by a group known as the Public Interest Legal Foundation (Pilf). Luis’s data had been released by the group, along with hundreds of other names, as an appendix to Pilf’s two-part report called “Alien Invasion”. The front cover showed a UFO hovering ominously over a billboard on which the famous tourism slogan “Virginia is for lovers” had been photoshopped to read: “Virginia is for aliens”. In lurid language, Pilf claimed that it had uncovered proof that “large numbers of ineligible aliens are registering to vote and casting ballots”. It warned its readers: “Your vote is at risk. New alien voters are being added to the rolls month after month, and swift changes must be made to ensure that only Americans are choosing American leaders.” The only problem was that Luis, in common with dozens of other Virginians on the list posted by Pilf, was not in fact an “alien”. He was born in Los Angeles and has always enjoyed US citizenship, with full rights to vote since the age of 18. He also happens to be a federal employee of the US immigration service. Yet here he was, his name attached to a report in which Pilf claimed to have discovered more than 5,000 non-citizens in Virginia who had cast 7,474 votes – every one a criminal act amounting to a felony.

National: Hacks, Security Gaps And Oligarchs: The Business Of Voting Comes Under Scrutiny | NPR

It’s been a tough couple of years for the business of voting. There’s the state that discovered a Russian oligarch now finances the company that hosts its voting data. Then there’s the company that manufactures and services voter registration software in eight states that found itself hacked by Russian operatives leading up to the 2016 presidential election. And then there’s the largest voting machine company in the country, which initially denied and then admitted it had installed software on its systems considered by experts to be extremely vulnerable to hacking. Private companies play a crucial role in elections, from printing and designing ballots, to manufacturing voting machines, to hosting results websites. The industry exists because the local and state governments who run elections don’t have the resources or expertise to maintain all aspects of an election themselves.

National: Election Security Can Be as Simple as Preserving Paper | Inside Science

Joseph Stalin, no friend of free elections, is credited with saying it was not the people who cast the votes that decide elections. It’s the people who count them. Since the 2016 presidential election, considerable thought — but not much money — has gone into seeing if he’s wrong. According to an expert interviewed by NPR, it would cost at most $400 million to make states with vulnerable systems more secure, but a bill to do that died in Congress last month. There have been some changes in voting procedures, but whether the changes will be enough to block foreign and domestic interference with the upcoming midterm elections is simply unknown.

National: America’s unfair voting laws | The Economist

In its latest report on minority voting rights in America, published this month, the bipartisan United States Commission on Civil Rights reports that a range of restrictive voting measures have been enacted by states in recent years. They range from laws demanding that voters produce specific forms of identification to reductions in the number of locations where people can cast their ballot. These laws have a disproportionate effect on the ability of minority groups to exercise their voting rights. And thanks to a 2013 Supreme Court decision that weakens federal authority to restrict such laws, they are remaining on the books. The 1965 Voting Rights Act and its extensions helped dismantle generations of rules and regulations that had disenfranchised minority voters—and in particular black Americans. One of the act’s major provisions mandated that jurisdictions with a history of voter rights discrimination, including Texas, North Carolina, and seven other states, had to “pre-clear” new voting requirements. This involved persuading the federal government or a three-judge panel that the requirements would not be discriminatory in impact. But in 2013, the Supreme Court struck down the pre-clearance process.

National: Inside Facebook’s Election ‘War Room’ | The New York Times

Sandwiched between Building 20 and Building 21 in the heart of Facebook’s campus, an approximately 25-foot-by-35-foot conference room is under construction. Thick cords of blue wiring hang from the ceiling, ready to be attached to window-size computer monitors on 16 desks. On one wall, a half-dozen televisions will be tuned to CNN, MSNBC, Fox News and other major networks. A small paper sign with orange lettering taped to the glass door describes what’s being built: “War Room.” Although it is not much to look at now, as of next week the space will be Facebook’s headquarters for safeguarding elections. More than 300 people across the company are working on the initiative, but the War Room will house a team of about 20 focused on rooting out disinformation, monitoring false news and deleting fake accounts that may be trying to influence voters before elections in the United States, Brazil and other countries.

National: How Vulnerable Are Electronic Voting Machines? | WBUR

A federal judge ruled this week that Georgia does not have to replace its electronic voting machines with machines that create paper records before the election in November. In her ruling, though, the judge noted she’s “gravely concerned” about Georgia’s slow pace in addressing electronic voting vulnerabilities. Here & Now’s Jeremy Hobson talks with Marian Schneider, president of Verified Voting, a nonpartisan nonprofit that advocates for accurate and verifiable elections, about those vulnerabilities and how secure electronic voting machines are.

On her opinion of the judge’s ruling in Georgia: “I do think that it’s a significant decision, but I think that the judge was concerned about the amount of time before the election, that there wasn’t enough time to smoothly implement paper ballots. “There’s only seven weeks between now and the election, and the early voting would start soon, too. So I think that was a greater concern for the court, but I think the judge made a lot of very significant findings about the vulnerabilities that are present in paperless computer systems that count our votes.”

National: The Plot to Subvert an Election: Unraveling the Russia Story So Far | The New York Times

On an October afternoon before the 2016 election, a huge banner was unfurled from the Manhattan Bridge in New York City: Vladimir V. Putin against a Russian-flag background, and the unlikely word “Peacemaker” below. It was a daredevil happy birthday to the Russian president, who was turning 64. In November, shortly after Donald J. Trump eked out a victory that Moscow had worked to assist, an even bigger banner appeared, this time on the Arlington Memorial Bridge in Washington: the face of President Barack Obama and “Goodbye Murderer” in big red letters. Police never identified who had hung the banners, but there were clues. The earliest promoters of the images on Twitter were American-sounding accounts, including @LeroyLovesUSA, later exposed as Russian fakes operated from St. Petersburg to influence American voters. The Kremlin, it appeared, had reached onto United States soil in New York and Washington. The banners may well have been intended as visual victory laps for the most effective foreign interference in an American election in history.

National: State Elections Agencies Focus on Voting Security Ahead of Midterms | StateTech

During the last election, Russian cyberattackers looking for vulnerabilities scanned 21 state election systems, including those in Illinois, over the 2016 campaigns. While the Department of Homeland Security says the scanning activity did not necessarily breach systems, some individual states have reported compromised data. This year, for instance, the Illinois State Board of Elections reported a 2016 breach of its voter registration system, detailing a SQL injection attack of unknown origin that exposed records in the state’s voter registration database. Since the attack, the Illinois board has worked with state IT experts as well as DHS cybersecurity professionals to keep the database of 18 million records and the servers on which it resides safe from attackers, says Matt Emmons, the agency’s IT director. And there are plenty of hackers out there.

National: DOD’s new cyber strategy stresses election security | FCW

The Defense Department’s newly released cyber strategy draws attention to election meddling, infrastructure protection and greater reliance on commercial technology to get ahead of the curve. A summary of the DOD’s cyber strategy released Sept. 18 boasted an assertive stance on election meddling and attribution, calling out cyber “challenges to [U.S.] democratic processes” as a means for Russia, China, North Korea and Iran to inflict damage without engaging in armed conflict. However, the Pentagon remained firm in its infrastructure protection role. DOD will partner with the private sector and other agencies on improved information sharing “to reduce the risk that malicious cyber activity targeting U.S. critical infrastructure could have catastrophic or cascading consequences,”  the document indicated.

National: Cleanup time for tech firms as midterm elections approach | AlphaStreet

Investigations carried out by federal agencies showed that hackers exploited seemingly minor flaws in the electronic voting system to manipulate the vote tally in the last presidential election. The findings might not surprise Americans as much as they would have done a few years ago, because now we know a bigger threat is hanging over the election process. Skeletons of the illegal online campaign launched by Russian agencies a couple of years ago to rig the presidential election are still tumbling out of the closets of technology companies like Facebook (FB) and Google (GOOG). With the midterm polls around the corner, the security agencies are busy plugging all the loopholes in the system to ensure a free and fair election. That the attackers managed to hack important government websites and breached huge volumes of voter data shows the severity of the campaign, and that justifies the extra alert this time. Reports show that hackers, with possible Russia connections, are already doing the groundwork to interfere in the November election.

National: Could white hat hackers boost security of voting machines? | Fifth Domain

Government officials and cybersecurity experts are arguing that companies need to embrace vulnerability disclosure programs to guard against hacking amid pushback from the largest voting machine company in the United States, which has portrayed efforts to test their systems as a tactic of foreign spy-craft. Vulnerability disclosure programs that invite hackers to test computer systems are a show of strength, participants in a Sept. 18 event at the Atlantic Council argued. “Not having a vulnerability disclosure program amounts to cybersecurity negligence,” said Marten Mickos, the head of HackerOne. It’s a myth that companies can test their systems on their own, said Chris Nims, chief information security officer at Oath, a cybersecurity company. Even large companies who perform penetration testing on their own products cannot catch all vulnerabilities, he argued. “The reality is that is simply not true.”

National: Wyden: Senators need protection from ongoing Russian hacking campaign | Politico

Russian hackers behind the 2016 Democratic National Committee hack appear to be targeting the personal email of senators and their staffers, according to Sen. Ron Wyden. In a letter today to Senate leaders, the Oregon Democrat urged support for legislation that would allow the Sergeant at Arms to protect those email systems. The letter from Wyden follows reports in January that the Russian hacking group Fancy Bear — which the U.S. intelligence community identified as one group that penetrated the DNC in the lead-up to the 2016 election — was going after Senate offices.

National: The Cyberthreats That Most Worry Election Officials | Wall Street Journal

As Election Day gets closer, one issue looms large for voters and election officials alike: cybersecurity. Hoping to quell fears about foreign hackers and repel potential threats, many states and counties are beefing up their plans to deal with cyberattacks. They’re shoring up systems to protect their voter databases and hiring security experts to assess the strength of their defenses. They’re coordinating with social-media organizations to stamp out deliberately fraudulent messages that could mislead voters about how to cast a ballot. And they’re banding together to share information and simulating how to respond to potential emergencies. One simulation-based exercise, held by the Department of Homeland Security in mid-August, gathered officials from 44 states, the District of Columbia and multiple federal agencies, the DHS says. “There absolutely is more emphasis on contingency planning” since 2016, says J. Alex Halderman, a professor of computer science at the University of Michigan.