Australia: NSW iVote security flaw may have affected thousands of votes: Researchers | Computerworld

Thousands of NSW state election votes submitted to iVote may have been affected by a server vulnerability, according to two security researchers who discovered the issue. University of Melbourne Department of Computing and Information Systems research fellow Vanessa Teague and Michigan Centre for Computer Security and Society director J. Alex Halderman posted a blog with their findings on March 22. “The iVote voting website, cvs.ivote.nsw.gov.au, is served over HTTPS. While this server appears to use a safe SSL configuration, the site included additional JavaScript from an external server,” wrote the researchers.

United Kingdom: Security bug in Australia’s online voting system throws doubt on Britain’s digital election goal | Information Age

Britain’s hopes of enabling online voting in general elections by 2020 have faced a dose of reality after a security vulnerability in an Australian system was exposed. The iVote system was introduced for the New South Wales (NSW) State Election in 2011 for voters who are more than 20 kilometres from a polling station, and has also been used in subsequent state by-elections. But its use in NSW’s state election this month has faced intense scrutiny after researchers discovered a major security hole that could allow a hacker to read and manipulate votes. With 66,000 online votes already cast by the time Vanessa Teague and J. Alex Halderman, of the University of Melbourne and University of Michigan respectively, disclosed their revelation, the legitimacy of the entire election has been called into doubt.

Australia: International experts warn of the risks of Australian online voting tools | Sydney Morning Herald

Australia and other countries are a decade or longer away from safe methods of online voting in state and national elections and current tools pose a serious risk to democratic processes, people at a public lecture heard on Monday night. University of Michigan researcher J Alex Halderman and University of Melbourne research fellow Vanessa Teague said online voting in Saturday’s New South Wales election could have been seriously compromised through security weaknesses in the iVote system, being used in the upper house. The pair, in a public lecture at the Australian National University, said that internet voting continued to raise some of the most difficult challenges in computer security and could not be considered completely safe. They reported faults in the NSW system to electoral authorities last week, ahead of as many as 250,000 voters using online systems to participate in the ballot.

Australia: NSW Electoral Commission downplays iVote flaw | CNET

The NSW Electoral Commission has responded to reports of a flaw in its iVote online voting portal, saying that although the risk of its website being compromised was low, it has taken action to fix the flaw. The Commission has also raised questions about the authors of the findings, noting that the two academics behind the research are also board members for a group that lobbies against online and electronic voting in the United States. According to the Chief Information Officer and Director of IT for the NSW Electoral Commission, Ian Brightwell, the flaw discovered in the iVote system required three or four preconditions in order to be exploited. While Brightwell said a hack was “unlikely,” he said the Commission moved swiftly to respond to the problem.

Australia: Online voting system may have FREAK bug | The Register

Next weekend, voters in the Australian State of New South Wales go to the polls to elect a new government. Some have already cast their votes online, with a system that may be running the FREAK bug. So say Vanessa Teague and J. Alex Halderman, respectively a research fellow in the Department of Computing and Information Systems at the University of Melbourne and an assistant professor of computer science and engineering at the University of Michigan and director of Michigan’s Center for Computer Security and Society. The system in question is called iVote and was launched in 2011 to assist voters who live 20 kilometres or more from a polling station, or those who will be overseas or interstate on election day. But Teague and Halderman say their proof-of-concept probe on a “practice” system showed it is possible to “… intercepts and manipulate votes … though the same attack would also have succeeded against the real voting server,” the pair wrote in analysis.

Australia: NSW Electoral Commission scrambles to patch iVote flaw | ZDNet

The analytics service used by the New South Wales electronic voting system, iVote, left voters vulnerable to having their ballots changed, according to security researchers. The iVote system was originally implemented ahead of the 2011 state election for vision-impaired voters and those living in rural areas who have difficulty reaching polling places, but the government is expanding the use of the iVote system as part of the election on March 28, and has taken approximately 66,000 votes since early polling opened last week. Researchers Vanessa Teague from the Department of Computing and Information Systems at the University of Melbourne, and J Alex Halderman from the University of Michigan Centre for Computer Security, found that while the voting website uses a safe SSL configuration, it includes JavaScript from an external server that is used to track site visitors. This, they said, would leave the iVote site open to a range of attacks, including FREAK.

Australia: iVote flaw ‘allowed vote to be changed’; electoral commission fixes vulnerability | ABC

A “major security hole” that could allow an attacker to read or change someone’s vote has been discovered in the New South Wales online iVote platform, security experts say. The iVote system allows people to lodge their votes for Saturday’s state election online, instead of visiting a physical polling station. It aims to make voting easier for the disabled or for people who live long distances from polling booths. However, computer security researchers said they found a critical issue and alerted the NSW Electoral Commission on Friday afternoon. University of Melbourne research fellow Vanessa Teague, who found the security vulnerability, said it was a difficult hack to pull off, but could potentially affect ballots en masse. “We’ve been told repeatedly that votes are perfectly secret and the whole system is secure and it can’t be tampered with and so on, and we’ve shown very clearly that that’s not true – that these votes are not secret and they can be tampered with,” Ms Teague said.

Australia: Security flaw in New South Wales puts thousands of online votes at risk | Freedom to Tinker

New South Wales, Australia, is holding state elections this month, and they’re offering a new Internet voting system developed by e-voting vendor Scytl and the NSW Electoral Commission. The iVote system, which its creators describe as private, secure and verifiable, is predicted to see record turnout for online voting. Voting has been happening for six days, and already iVote has received more than 66,000 votes. Up to a quarter million voters (about 5% of the total) are expected to use the system by the time voting closes next Saturday. Since we’ve both done extensive research on the design and analysis of Internet voting systems, we decided to perform an independent security review of iVote. We’ll prepare a more extensive technical report after the election, but we’re writing today to share news about critical vulnerabilities we found that have put tens of thousands of votes at risk. We discovered a major security hole allowing a man-in-the middle attacker to read and manipulate votes. We also believe there are ways to circumvent the verification mechanism.

National: Security risks and privacy issues are too great for moving the ballot box to the Internet | Phys.org

Contrary to popular belief, the fundamental security risks and privacy problems of Internet voting are too great to allow it to be used for public elections, and those problems will not be resolved any time soon, according to David Jefferson, who has studied the issue for more than 15 years. Jefferson, a computer scientist in Lawrence Livermore’s Center for Applied Scientific Computing, discussed his findings in a recent Computation Seminar Series presentation, entitled “Intractable Security Risks of Internet Voting.” His study of Internet voting issues is independent of his Lawrence Livermore research work. Nonetheless, he reminded the audience that “election security is a part of national security,” noting that this is a primary reason he is so passionate about this issue. “I am both a technical expert on this subject and an activist,” Jefferson emphasized in his introductory remarks. “Election security is an aspect of national security and must be treated as such.” The view held by many election officials, legislators and members of the public is that if people can shop and bank online in relative security, there’s no reason they shouldn’t be able to vote on the Internet, Jefferson said. “Advocates argue (falsely) that Internet voting will increase turnout, reduce costs and improve speed and accuracy.” They promote the idea that “you can vote anytime, anywhere, even in your pajamas.”

Australia: NSW’s online gamble: why internet and phone voting is too risky | The Conversation

Up to 250,000 votes are expected to be cast using the iVote electronic voting system between March 16 and the close of polls on March 28 in the New South Wales election. That would represent a massive increase on the 46,864 votes at the 2011 state election and could mean about 5% of the total vote is cast electronically, using a telephone or via the internet. It looks set to be by far the biggest test of electronic voting in Australia, which has largely been limited to small trials in the past, and one of the largest online votes worldwide. If the NSW election proves to be close, those electronic votes could prove crucial. But before electronic voting begins on Monday, people in NSW should be warned: there are many unanswered questions about the integrity and privacy of those votes. Late last year, the federal Joint Standing Committee on Electoral Matters recommended against electronic voting in federal elections. Its report concluded that:

Australia is not in a position to introduce any large-scale system of electronic voting in the near future without catastrophically compromising our electoral integrity.

National: Why Internet voting remains a risky proposition | FCW

Voting in public elections via the Internet could be a national security risk, according to a researcher at Lawrence Livermore National Laboratory’s Center for Applied Scientific Computing. In a presentation titled “Intractable Security Risks of Internet Voting,” computer scientist David Jefferson said the risks of electronic ballots cast via the Web far outweigh the conveniences such systems can offer. He presented his conclusions at a recent LLNL Computation Seminar Series, though his efforts in that area are independent of his work at the lab. In addition to his research into high-performance computing applications at LLNL, he serves on a number of state and federal government panels that focus on election security issues, especially those related to electronic and Internet-based voting, and is on the board of directors of the California Voter Foundation.

Editorials: 5 Ways To Fix America’s Dismal Voter Turnout Problem | ThinkProgress

Voter turnout in the U.S. during the last midterm election hit the lowest point since the 1940s. The number of Americans heading to the polls each election has been declining for the last fifty years and lawmakers have recently been pushing efforts to keep even more people away from the polls. People do not exercise their right to vote for various reasons, some of which are easier to solve than others. According to a U.S. … Voters can already use their smartphones in some cities to simplify daily tasks like tracking how long they have to wait for a bus or train. So why shouldn’t information about polling places be available online? Joe Kiniry, the principal investigator with computer science company Galois, said that while he was working in Denmark, he helped to build a system voters could use to figure out the length of lines at polling places. “Of course it’s doing that by watching people’s cell phones as they walk into the polling place and figuring out how long it took you to get to the front of the line, how long it took you to leave,” he said. “So in the adoption of this cheap, easy technology… we’ve now traded off the cost and efficiency of an election with the privacy of voters.”

Maryland: Paper ballots return to Maryland elections | The Washington Post

Maryland voters will return to casting ballots on paper starting with the presidential election in 2016, election officials said Thursday, adding it to the long list of states that use paper ballots or a blend of paper and digital formats. On Thursday, state lawmakers were given a sneak peek of the new paper voting machines that will be set up in polling centers for the 2016 election. Officials also briefed the legislators on lessons learned from the last election in November. The state has used digital voting machines for the past decade.

Maryland: New voting machines finally on horizon | Baltimore Sun

In an era that increasingly relies on paperless technology, Maryland is about to revert to using old-fashioned pen and paper to elect its leaders. The Board of Public Works is expected to approve a $28 million contract Wednesday to replace Maryland’s touch-screen voting system with machines that scan paper ballots, which voters will mark with a pen or pencil. The contract comes more than seven years after the legislature decided the state should replace tens of thousands of touch screens deemed unreliable and susceptible to fraud. Since then, arguments and tough budget times have repeatedly delayed efforts to replace the machines with a system that has a verifiable paper record. “We, for a generation of elections, have had no paper trail,” said Del. Jon Cardin, a Baltimore County Democrat and a leading proponent of scrapping the touch-screen system. The new system is expected to be in place for the 2016 presidential election.

National: Internet Voting Hack Alters PDF Ballots in Transmission | Threatpost

Threats to the integrity of Internet voting have been a major factor in keeping the practice to a bare minimum in the United States. On the heels of the recent midterm elections, researchers at Galois, a computer science research and development firm in Portland, Ore., sent another reminder to decision makers and voters that things still aren’t where they should be. Researchers Daniel M. Zimmerman and Joseph R. Kiniry published a paper called “Modifying an Off-the-Shelf Wireless Router for PDF Ballot Tampering” that explains an attack against common home routers that would allow a hacker to intercept a PDF ballot and use another technique to modify a ballot before sending it along to an election authority. PDF ballots have been used in Internet voting trials in Alaska, and in New Jersey as a voting alternative for those displaced by Hurricane Sandy. The ballots are downloaded, filled out and emailed; the email is equivalent to putting a ballot into a ballot box. Election authorities then either print the ballots and count them by hand, or count them with an optical scanner. The Galois attack is by no means the only attack that threatens Internet voting; malware on a voter’s machine could redirect traffic or cause a denial of service condition at the election authority. But the attack described in the paper is certainly a much quieter attack that the researchers say is undetectable, even in a forensics investigation.

National: Simple hack could alter Internet ballots | The Hill

Basic cyberattacks could tamper with electronically submitted ballots, leaving no trace behind, according to research from computer science firm Galois. On the heels of election watchdog groups criticizing Alaska’s use of ballots submitted online, Galois demonstrated that electronic ballots could be modified through simply hacking into home routers, which often have minimal security measures. “An off-the-shelf home Internet router can be easily modified to silently alter election ballots,” said the researchers, Daniel Zimmerman and Joseph Kiniry. A few states now allow voters to receive and return a ballot electronically. Election officials argue it is a way to increase voter participation, while technologists insist heightened turnout isn’t worth the high risk of fraud.

Alaska: Electronic ballots raise concerns in outstanding Alaska races | The Hill

Election watchdog groups are worried about the role electronically submitted ballots in Alaska might play in the state’s two tight federal elections. Ballots returned online are vulnerable to cyberattacks and lack a proper paper trail, said government accountability advocate Common Cause and election oversight group Verified Voting. Alaska’s gubernatorial and Senate races have both dragged on long after Election Day, with opponents split by narrow margins. Early Wednesday, The Associated Press declared former Alaska Department of Natural Resources Commissioner Dan Sullivan (R) the winner over incumbent Sen. Mark Begich (D-Alaska), even though 30,000 ballots remain uncounted. Begich has yet to concede. Former Valdez, Alaska, Mayor Bill Walker (I) maintains a thin lead over incumbent Alaska Gov. Sean Parnell (R), although the race remains too close to call. If either race “is to be determined by ballots sent over the Internet, its legitimacy is in doubt,” said Verified Voting President Pamela Smith.

National: Voting glitches hurt Texas, Georgia | The Hill

Texas and Georgia struggled the most with glitchy electronic voting machines on Election Day, according to an analysis by watchdog Verified Voting. Some machines simply wouldn’t boot up, and others unexpectedly shut down. Faulty touch screens were another issue — some registered a vote for the wrong candidate, while others just went blank. Pamela Smith, the group’s president, said poor machine management and outdated equipment are likely responsible for the malfunctions, which were seen nationwide. U.S. electronic voting machines are rapidly aging. Just over a decade ago, an influx of federal funds allowed many states to buy up electronic voting machines. Since then, budgets have dried up and more than half of those states have taken steps back toward paper ballots as electronic fallibilities increase. Given those trends, glitches are expected, Smith said. Verified Voting runs call centers around the country on Election Day, fielding reports of voting difficulties. “Some of the problems that we saw in the early voting period, we also saw on Election Day,” Smith said. “Most of the issues we heard about were not enough equipment or equipment breaking down.”

Oregon: Portland security firm has a warning for email voting | Portland Business Journal

It only took a couple days and tweaks to about 50 lines of code for a pair of security researchers from Portland-based Galois to demonstrate how hackers could change an election if email voting were to move beyond the pilot phase. Researchers Joseph Kiniry and Dan Zimmerman were able to show how files could be intercepted between the voter and election office through a relatively easy hack of standard router software. The duo looked at routers that are commonly used by household Internet Service Providers. “We did experiments on how it could be deployed if we were a bad guy,” Kiniry said. “Unfortunately, the state of security on these devices on the Internet is so poor.” Plus, he noted detecting that something was wrong was difficult and would take security experts to figure out the router was not working properly.

National: States ditch electronic voting machines | The Hill

States have abandoned electronic voting machines in droves, ensuring that most voters will be casting their ballots by hand on Election Day. With many electronic voting machines more than a decade old, and states lacking the funding to repair or replace them, officials have opted to return to the pencil-and-paper voting that the new technology was supposed to replace. Nearly 70 percent of voters will be casting ballots by hand on Tuesday, according to Pamela Smith, president of election watchdog Verified Voting. “Paper, even though it sounds kind of old school, it actually has properties that serve the elections really well,” Smith said. It’s an outcome few would have predicted after the 2000 election, when the battle over “hanging chads” in the Florida recount spurred a massive, $3 billion federal investment in electronic voting machines. States at the time ditched punch cards and levers in favor of touch screens and ballot-scanners, with the perennial battleground state of Ohio spending $115 million alone on upgrades. Smith said the mid-2000s might go down as the “heyday” of electronic voting. Since then, states have failed to maintain the machines, partly due to budget shortfalls.

Alaska: Online Voting Leaves Cybersecurity Experts Worried | IEEE Spectrum

Some Americans who lined up at the ballot boxes on Tuesday may have wished for the convenience of online voting. But cybersecurity experts continue to argue that such systems would be vulnerable to vote tampering — warnings that did not stop Alaska from allowing voters to cast electronic ballots in a major election that had both a Senate seat and the governorship up for grabs. There was no evidence of tampering during the first use of Alaska’s online voting system in 2012. But cybersecurity experts have gone on the record as saying that hackers could easily compromise or alter online voting results without being detected. Alaska’s own election site includes a disclaimer about votes cast through online voting or by fax. “When returning the ballot through the secure online voting solution, your are voluntarily waiving your right to a secret ballot and are assuming the risk that a faulty transmission may occur,” according to Alaska’s Division of Elections website.

Editorials: Online voting rife with hazards | Barbara Simons/USA Today

Today Americans are voting in an election that could shift control of the U.S. Senate and significantly impact the direction our nation will take in the next few years. Yet, 31 states will allow over 3 million voters to cast ballots over the Internet in this election, a practice that computer security experts in both the federal government and the private sector have warned is neither secure nor trustworthy. Most states’ online voting is limited to military and overseas voters, but Alaska now permits all voters to vote over the Internet. With a hotly contested Senate seat in Alaska, the use of an online voting system raises serious concerns about the integrity of Alaska’s election results. Alaska’s State Election Division has even acknowledged that its “secure online voting solution” may not be all that secure by posting this disclaimer on its website: “When returning the ballot through the secure online voting solution, your are [sic] voluntarily waving [sic] your right to a secret ballot and are assuming the risk that a faulty transmission may occur.” Unfortunately, faulty transmission is only one of the risks of Internet voting. There are countless ways ballots cast over the Internet can be hacked and modified by cyber criminals.

Editorials: Why we don’t have online voting (and won’t for a long while) | Michael Cochrane/World Magazine

Society deems the voting process so important that it must be 100 percent reliable. We may tolerate failures with our cars and computers, but not our elections. The degree to which an election is free and fair is the very heart of our representative form of democracy in the United States. Technological advancements that might make the voting process more efficient or convenient could also chip away at that integrity, which requires a voting system that is available, secure, and verifiable. At an early October panel discussion on internet voting hosted by the Atlantic Council, Pamela Smith, president of Verified Voting, addressed voting system availability. “If the equipment should happen to break down, you need something else to vote on to replace it. Otherwise people are disenfranchised by that malfunction,” she said. … “Any voting system that you use has to be able to demonstrate clearly to the loser and their supporters that they lost,” Smith said. “And to do that, you need actual evidence. Voters need to be able to see that their votes were captured the way that they meant for them to be and election officials need to be able to use that evidence to demonstrate that votes were counted correctly.”

Editorials: Dangers of Internet Voting | Kurt Hyde/New American

Yesterday’s USA Today had an article entitled “Internet Voting ‘not ready for prime time.'” The story quotes Verified Voting as saying that there are about three million people eligible to vote online in today’s elections, most of them members of the military. Numerous security risks are cited that are inherent in Internet voting. Readers of The New American have often been warned about the dangers of Internet voting. For instance, the October 9, 2000 issue carried an article entitled “Voting on the Web,” in which readers were told of the dangers to electoral integrity due to the inherent insecurity of the Internet. … There are a great number of security weaknesses in Internet voting: no voter-verified paper audit trail, denial of service attacks, spoofing, eavesdropping by servers along the way capturing people’s passwords and enabling verification of vote selling, just to name a few. There are also security weaknesses in the user devices such as laptops or smart phones. They include key-stroke monitors, stored passwords, and many others. There are numerous special interests in both the United States and foreign countries for whom the outcome of our elections is of major importance. They have the resources to exploit these security weaknesses, and it’s well worth their investment.

National: Can we trust the Internet with our most basic civic duty? | DecodeDC

Americans across the country will participate Tuesday in one of the most basic civic duties: voting. For many, that means taking time off work, driving to a designated polling place and casting their ballot through standalone voting machines. But what if the process of voting could be vastly different? Today we can do almost anything on the Internet from banking to ordering take-out, so it only feels natural that we should be able to vote that way too. … Not all elections experts think going online is a great idea. But Thad Hall, a professor of political science at the University of Utah, is ready. “You know it’s kind of the ultimate easy, convenient way to vote. And I don’t have to have a piece of paper, I don’t have to mail it back, I can send my ballot instantaneously. If Hurricane Sandy comes, I don’t have to worry about voting because I can just vote from my phone or I can vote from a computer somewhere.” But then there are the naysayers, many of them statisticians and engineers who think the Internet is too insecure for such a sacred thing as voting.

Alaska: Hackers Could Decide Who Controls Congress Thanks to Alaska’s Terrible Internet Ballots | The Intercept

When Alaska voters go to the polls tomorrow to help decide whether the U.S. Senate will remain in Democratic control, thousands will do so electronically, using Alaska’s first-in-the-nation internet voting system. And according to the internet security experts, including the former top cybersecurity official for the Department of Homeland Security, that system is a security nightmare that threatens to put control of the U.S. Congress in the hands of foreign or domestic hackers. Any registered Alaska voter can obtain an electronic ballot, mark it on their computers using a web-based interface, save the ballot as a PDF, and return it to their county elections department through what the state calls “a dedicated secure data center behind a layer of redundant firewalls under constant physical and application monitoring to ensure the security of the system, voter privacy, and election integrity.” That sounds great, but even the state acknowledges in an online disclaimer that things could go awry, warning that “when returning the ballot through the secure online voting solution, your are voluntarily waving [sic] your right to a secret ballot and are assuming the risk that a faulty transmission may occur.”

Kansas: Electronic voting machines may soon phase out, but not in Sedgwick Co. | KSN-TV

New national data released Monday indicates that nearly 70 percent of American voters will cast their ballots Tuesday by hand, using paper ballots. According to Verified Voting, an election watchdog, the growing trend of return to paper ballots is due to a “deterioration of voting machines.” KSN News reached out to Sedgwick Co. elections officials to learn more about the use of electronic voting machines locally, as well as in counties across the state, to find out why a majority of counties across the nation are turning back the clock and opting for paper ballots instead. In the 2012 general election, voters in Sedgwick Co. experienced their fair share of blunders at the ballot box. “We do have one polling place that their ballots would not read and this one precinct they would not read on our machines, as well,” said Tabitha Lehman, the Sedgwick Co. Elections Commissioner, in 2012.

National: Internet voting “not ready for prime time” | USA Today

Voting machines are so 20th century. Shouldn’t we be able to vote on our smart phones by now? Here’s where a cornerstone of American democracy runs smack dab into the limits of computer science, say experts. Internet voting is “completely not ready for prime time. The security and reliability issues are significant,” says Marc Rotenberg, of the Electronic Privacy Information Center, a non-profit in Washington D.C. Despite that, about 3 million Americans will be eligible to vote online this election, according to Verified Voting, a non-profit that promotes election accuracy, transparency and verifiability. Most are members of the armed services who are deployed overseas. According to Dan Wallach, an expert on electronic voting systems and professor of computer science at Rice University, no Internet voting systems are secure. “It turns out to be really hard to build a network system that’s hard to break into.” JPMorgan, Target and Home Depot have learned that lesson, and they have far more money and expertise available to them than local election officials, Wallach says.

National: If we can buy shoes online, why can’t we vote? | El Paso Inc.

Elections are just around the corner, and yes, there is an app for that. But it won’t vote for you. In a buzzing and ringing world, technology has become an integral part of society, where almost anything can be done with the press of a fingertip. But when voting is involved, things get a little tricky. With more than a million apps in the Google Play store and 900,000 apps in the Apple Store, users can download a variety of voting and polling apps. Several states, including Tennessee and Louisiana, have released voting apps that are free or can be purchased in the Apple and Android store for smartphones. New Hampshire is developing its own app for the midterm elections. Voters can’t cast ballots with these apps, but they can use them to find polling locations, ask for absentee ballots, look at sample ballots and more.