National: Here’s How Russia May Have Already Hacked the 2018 Midterm Elections | Newsweek

It’s not easy to get in to see Diane Ellis-Marseglia, one of three commissioners who run Bucks County, Pennsylvania. Security is tight at the Government Administration Building on 55 East Court Street in Doylestown, a three-story brick structure with no windows, where she has an office. It also happens to be where officials retreat on election night to tally the votes recorded on the county’s 900 or so voting machines. Guards at the door X-ray bags and scan each visitor with a wand. Unfortunately, Russian hackers won’t need to come calling on Election Day. Cyberexperts warn that they could use more sophisticated means of changing the outcomes of close races or sowing confusion in an effort to throw the U.S. elections into disrepute. The 2018 midterms offer a compelling target: a patchwork of 3,000 or so county governments that administer elections, often on a shoestring budget, many of them with outdated electronic voting machines vulnerable to manipulation. With Democrats on track to take control of the U.S. House of Representatives and perhaps even the Senate, the political stakes are high. … The U.S. certainly hasn’t forced the Russians to look hard for places to strike. The midterm elections are rich in targets. Bucks County is hardly unique in relying on easily hacked voting machines, whose results could determine control of Congress or individual states. About 30 percent of America’s voting machines are as outdated and nearly unprotected as those in Bucks County, says Marian Schneider, a former Pennsylvania deputy secretary for elections and administration and now president of Verified Voting, a national election-integrity advocacy group. Ballotpedia, a nonprofit website that tracks elections, lists nearly 400 congressional and top state official races this November as competitive enough to be considered battleground contests.

National: States Step Up Election Cybersecurity as Federal Efforts Stall | Bloomberg

States have taken it upon themselves to bolster cyber defenses for the midterm elections instead of waiting for Congress to act. “Cybersecurity is now our focus, it’s what keeps many of us as secretaries of states and local officials up at night,” said Jim Condos, president of the National Association of Secretaries of State and Vermont Secretary of State. Hacks of states’ voter registration systems, voting machines or vote reporting systems could lead to rigged vote counts, confusion at polling booths and public distrust of results, according to interviews with voting advocacy groups, former and current Department of Homeland Security officials, and state election officials. Two dozen states lack several of the strongest measures that could protect them against cyber attacks: mandating voting machines that leave a paper trail and requirements for a post-election audit to check for accuracy of the system.

National: Security Seals Used to Protect Voting Machines Can Be Easily Opened With Shim Crafted from a Soda Can | Motherboard

Voting machine vendors and election officials have long insisted that no one can manipulate voting machines and ballots because tamper-evident seals used to secure them would prevent intruders from doing so without anyone noticing. But a security researcher in Michigan has shown in videos how he can defeat plastic security ties that counties across his state use to protect ballot bags, the cases that store voting machines and the ports that store the memory cards on optical-scan machines—electronic voting machines that record paper ballots scanned into them. He can do so without leaving evidence of tampering. If an intruder obtains physical access to the machines and this port, it’s possible to alter software in the machines using a rogue memory card—something that security researchers at Princeton University demonstrated in the past is possible. Matt Bernhard, a grad student at the University of Michigan and voting machine security expert, posted two videos online last week showing how he can open different types of plastic tamper-evident ties used in Michigan in just seconds, using a shim crafted from an aluminum Dr. Pepper can. By simply curling a small piece of the aluminum around a plastic zip tie and slipping it into the channel that encases the tie, he’s able to open the security device and re-close it, while leaving no marks or damage to indicate it was manipulated. He demonstrated the technique on smooth plastic ties as well as zip ties.

Maryland: In Wake of Russian Meddling, Critics Say Maryland’s Online Ballot System Is Potential Target – NBC4

Requests for absentee ballots are on the rise ahead of the November election — the first general contest since learning of Russian efforts to access voting systems, including those right here in the Washington area. But critics, including a host of computer security experts, say a system designed to make voting easier also makes it more of a target for hackers intending to interfere in U.S. elections. Maryland officials, however, argue those concerns are hypothetical and say they’ve put the necessary safeguards in place. At issue is Maryland’s online ballot delivery system, which allows any voter to request and download an absentee ballot from the internet. Maryland doesn’t allow residents to vote online, so users of this system must mail in their ballots.

Verified Voting in the News: State has new laws and the Air National Guard to help secure 2018 midterm election | TechRepublic

Changes to election procedures and assistance from the Washington Air National Guard are underway, as Washington state prepares for the 2018 midterm elections. After learning that it was one of the 21 states whose voter registration database was targeted, Washington is taking extra measures to stay secure. While Washington’s voter registration database wasn’t breached, rumors are swirling that those states targeted in 2016 could be targeted again in 2018, according to Danielle Root, voting manager at the Center for American Progress. “Many national security experts and officials have warned that 2016 was likely a testing ground for Russia,” said Root, so states must stay vigilant. Voter registration databases are an obvious target for attack, said Dan Weiske, advisor to the National Cybersecurity Center. “Any of the publicly connected systems, like the registration systems, are going to be the largest areas of attack and the highest risk,” said Weiske. “There’s a lot of data that sits on those, and it’s accessible by the public.”

National: How hackable are American voting machines? It depends who you ask | ABC

To hear Alex Halderman tell it, hacking the vote is easy. The University of Michigan professor is on a crusade to demonstrate how vulnerable American voting machines are, and some of his arguments are quite compelling. He has rigged mock elections. He has testified to the machines’ vulnerabilities in Congress and in court. He has even managed to turn a commonly used voting machine into an iteration of the classic arcade game Pac-Man. “They’re just computers at the end of the day,” said Halderman, who told the Senate Intelligence Committee last year that states should move back to paper ballots. “Often with voting machines, when you open it up, it’s not that different from a desktop PC or mobile device. The only difference is that it’s going to be 10 years out of date, or sometimes 20 years.”

Verified Voting in the News: Internet voting experiment stirs security fears | Politico

West Virginia is about to take a leap of faith in voting technology — but it could put people’s ballots at risk. Next month, it will become the first state to deploy a smartphone app in a general election, allowing hundreds of overseas residents and members of the military stationed abroad to cast their ballots remotely. And the app will rely on blockchain, the same buzzy technology that underpins bitcoin, in yet another Election Day first. “Especially for people who are serving the country, I think we should find ways to make it easier for them to vote without compromising on the security,” said Nimit Sawhney, co-founder of Voatz, the company that created the app of the same name that West Virginia is using. “Right now, they send their ballots by email and fax, and — whatever you may think of our security — that’s totally not a secure way to send back a ballot.” But cybersecurity and election integrity advocates say West Virginia is setting an example of all the things states shouldn’t do when it comes to securing their elections, an already fraught topic given fears that Russian operatives are trying again to tamper with U.S. democracy.

India: US scientists ‘hack’ electronic voting machines ahead of polls in 5 states: Report | Business Today

The Election Commission of India announced the dates for Assembly polls in Chhattisgarh, Madhya Pradesh, Mizoram, Rajasthan and Telangana last week. Along with the dates, the poll regulating authority in India announced that VVPAT-enabled electronic voting machines will be used during these polls. Additionally, the country is looking at an eventful General Elections in 2019. Now, with barely a month left before states go to elections, scientists at the University of Michigan claim to have found a way to ‘hack’ Indian EVMs. A video posted online showed the scientists at the US university supposedly manipulating voting results on an electronic voting machine (EVM) via mobile text messages after attaching a home-made device to the machine, a BBC News report said.

National: Online voting is a security nightmare, say experts | Fast Company

Online banking, ecommerce, e-filing taxes. Moving print documents and in-person services online–even those full of sensitive information–has been an inexorable trend for decades. And voting has moved in that direction too, in 32 U.S. states and several countries, starting in those simpler times of the 1990s and early 2000s. That was a giant security blunder, according to a new report from tech and election experts that urges a return to good old paper ballots. “This is a position consistently that computer scientists have been saying for a decade, and computer scientists are the ones who you think would be the most favorable to the idea [of online voting] because, we invent the things.” So says Jeremy Epstein, vice chair of the U.S. Technology Policy Council at the ACM, billed as the largest association of computing experts.

National: Can Paper Ballots Save Our Democracy? | Slate

In August at DEFCON, the annual hackers’ convention in Las Vegas, J. Alex Halderman, a professor of computer science and an expert in cybersecurity, brought along several of his Diebold Accuvote TSX voting machines. The Accuvote is a touch-screen voting device known as a direct-recording electronic voting machine, which, as the name suggests, records votes and stores them on a memory device. Halderman’s machines were set up as part of the Voting Village, an area dedicated to the cybersecurity of voting machines, where visitors were asked to cast votes in a mock presidential election between George Washington and Benedict Arnold. “Because this is DEFCON, of course almost everyone thought they were clever and voted for Benedict Arnold,” said Halderman. At the end of the mock election, with over 100 votes cast, the machine produced the totals and the winner of the two-man race: the Dark Tangent.

Texas: Can Hackers Mess With Texas’s Elections? | Texas Monthly

When we think about those who defend the territorial integrity of our nation and state, we tend to imagine well-equipped members of the U.S. armed forces, or perhaps a square-jawed detachment of Texas Rangers. Increasingly, however, the twenty-first century battle for control of the American homeland is being fought in the computerized elections systems overseen by our humble county clerks.

Here in Texas, votes in federal and state elections are tallied independently by 254 local officials, one in each county seat, from big cities like Houston and Dallas to tiny courthouse towns like Tahoka and Floydada. If a hostile country decides to hack an election in Texas, that means pitting Russia’s (or Iran’s or North Korea’s or China’s) most skilled hackers against a group of officials and volunteers who may not even know their way around an iPhone. “We’re asking county clerks, and for that matter local poll workers, to defend against a nation-state adversary,” says Dan Wallach, computer science professor at Rice and expert on election security issues. “That’s not a fair fight.”

Michigan: Experts: Modem use makes Michigan elections vulnerable | Detroit Free Press

With the Nov. 6 election less than 30 days away, Michigan officials tout the fact that the state’s election machines are not connected to the Internet — eliminating a major hacking risk. But does that fact alone make Michigan’s election machines impervious to hacking? Many researchers and election integrity activists say no. They say Michigan could be vulnerable as one of at least four states — along with Florida, Illinois, and Wisconsin — that use cellular modems to transmit unofficial election results. In an Oct. 2 letter to the U.S. Department of Homeland Security and the U.S. Election Assistance Commission, 30 academics, security experts and election integrity activists — including a computer science professor at the University of Michigan — expressed “grave concerns” about the devices.

National: How hackers could disrupt Election Day — and how the bad guys could be stopped | The Boston Globe

Election Day presents a tantalizing target for a malicious hacker. The complex, multifaceted US voting system is rife with technological weak spots, from problems with the electronic voting machines in use in some states to vulnerabilities in the websites government officials use to disseminate information. In an era where public trust in American institutions is at an ebb, and conspiracy theories threaten to metastasize online, public safety officials and cybersecurity experts say they have to be careful how they talk about the vulnerabilities. “If the people do not trust that it’s a fair system, then the whole thing is going to fall apart,” said Cris Thomas, a well-known hacker who often goes by the name “Space Rogue” and now works in security at IBM. … This November, 15 states — none of them in New England — will use at least some electronic voting machines that leave no paper trail, according to the Verified Voting Foundation.

Florida: Florida Wrestles with Election Cybersecurity | American Prospect

Ever since the infamous election of 2000, Florida has been ground zero in the struggle to improve the technology and security of voting. Unfortunately, those critical issues have been conflated with deliberate political efforts to suppress voting and undermine confidence in voting systems, and 2018 is no exception. The reforms instituted since the 2000 debacle, such as early voting, served to make voting more convenient and restored confidence that all votes would be counted accurately. Even Republican Governor Rick Scott, no fan of convenience or expanding the franchise, finally went along with online voter registration last year. Thanks to the work of county election officials and civic reform groups, as well as good-faith efforts by Scott’s Republican predecessor, Charlie Crist, Florida had already made significant strides on election administration and had extended voting rights to certain disenfranchised former felons as well.

Verified Voting in the News: State moves forward with first mobile voting app, despite fears from security experts | TechRepublic

During the 2018 midterms, deployed military personnel from West Virginia will be the first in the nation to vote in a federal election on their smartphones using a blockchain-based app—despite numerous concerns from cybersecurity experts. Concern over voting security in the midterm elections is rising, after the Department of Homeland Security detected Russian hackers targeting voter registration databases in at least 21 states in 2016. While most of the systems were not breached, and there is no evidence that Russian agents were able to manipulate voter data or election results, it’s likely that the cybercriminals were scanning them for vulnerabilities to potentially exploit in the future, the department said. … Cybersecurity experts are less confident in the safety and viability of a system like Voatz. “This is the last thing that people need to be thinking about when it comes to voting right now,” said Joseph Lorenzo Hall, chief technologist at the nonpartisan Center for Democracy and Technology. “There are so many more boring pieces of low-hanging fruit, like two-factor authentication, password management, and defending against phishing attacks. But that’s unfortunately not as exciting to most people as the blockchain voting stuff.”

National: Ahead of US election, angst over hacking threats | AFP

At a Boston technology conference last month, computer scientist Alex Halderman showed how easy it was to hack into an electronic voting machine and change the result, without leaving a trace. Halderman staged a mock election in which three conference attendees voted for George Washington, but an infected memory card switched the result to give a 2-1 victory to Benedict Arnold, the military officer who sold secrets during the Revolutionary War. Halderman’s demonstration was on a voting machine still in use in 20 US states, which had no paper ballots that could be compared to the electronic output, and thus no way to determine if vote totals had been altered. “What keeps me up at night is the threat that a hostile nation-state could probe every swing state or swing district (and) find the ones most weakly protected, to silently change the results of a national election,” the University of Michigan professor said.

National: Are wireless voting machines vulnerable? | McClatchy

Barely a month before midterm elections, voting integrity advocates and electronic voting experts want the federal government to issue an official warning to states that use voting machines with integrated cellular modems that the machines are vulnerable to hacks, potentially interfering with the ballot counting. Once seen as a useful tool to provide quick election results, voting machines with cellular modems are now subject to fierce debate over how easy it would be to break into them and change the results. Such machines are certified for use in Florida, Illinois, Michigan and Wisconsin. … But a number of voting machine researchers take issue with such assertions, saying that cellular networks increasingly overlap with the internet and open avenues for hackers to interfere with unofficial early results even when there are paper ballots that can be tallied for a slower official count. They say interfering with unofficial early results, even when corrected later, could increase mistrust among voters and add uncertainty immediately after elections conclude.

National: Congress falls flat on election security as midterms near | The Hill

Congress has failed to pass any legislation to secure U.S. voting systems in the two years since Russia interfered in the 2016 election, a troubling setback with the midterms less than six weeks away. Lawmakers have repeatedly demanded agencies step up their efforts to prevent election meddling but in the end struggled to act themselves, raising questions about whether the U.S. has done enough to protect future elections. A key GOP senator predicted to The Hill last week that a bipartisan election security bill, seen as Congress’s best chance of passing legislation on the issue, wouldn’t pass before the midterms. And on Friday, House lawmakers left town for the campaign trail, ending any chance of clearing the legislation ahead of November. Lawmakers have openly expressed frustration they were not able to act before the 2018 elections.

National: Voting Machines Are Still Absurdly At Risk | WIRED

While Russian interference operations in the 2016 US presidential elections focused on misinformation and targeted hacking, officials have scrambled ever since to shore up the nation’s vulnerable election infrastructure. New research, though, shows they haven’t done nearly enough, particularly when it comes to voting machines. The report details vulnerabilities in seven models of voting machines and vote counters, found during the DefCon security conference’s Voting Village event. All of the models are in active use around the US, and the vulnerabilities—from weak password protections to elaborate avenues for remote access—number in the dozens. The findings also connect to larger efforts to safeguard US elections, including initiatives to expand oversight of voting machine vendors and efforts to fund state and local election security upgrades.

National: After election hacking presentation, Katko pushes bill to boost security | Auburn Citizen

Dr. J. Alex Halderman inserted a memory card infected with malicious software into an electronic voting machine. It wasn’t an actual case of election hacking, but Halderman’s demonstration served a purpose: To show two members of Congress, including U.S. Rep. John Katko, what can happen if hackers gain access to voting machines. Halderman, director of the University of Michigan’s Center for Computer Security and Society, invited Katko, R-Camillus, and U.S. Rep. Mike Quigley, an Illinois Democrat, to cast votes using the Diebold AccuVote TS voting machine. Halderman programmed a mock election: A presidential race between George Washington and Benedict Arnold. There were two votes cast for Washington and one for Arnold. But the receipt printed from the voting machine revealed the effect of the malicious software. The paper showed Arnold received two votes and Washington netted one.

Verified Voting in the News: State expands use of post-election audits | StateScoop

Wisconsin officials were praised Friday by election-security advocates for expanding the state’s use of post-election audits. The Wisconsin Elections Commission announced that it voted unanimously Tuesday to require audits in 5 percent of precincts throughout the state after every vote, beginning with the Nov. 6 general election. The decision is evidence that the clock has not run out yet on states seeking to improve their ballot-security procedures before Election Day, said representatives of Verified Voting, which advocates for paper-based voting systems, and Public Citizen, a consumers’ rights group. Under Wisconsin’s new system, election officials will randomly select at least 183, or 5 percent, of the state’s 3,660 precincts to review voting equipment. The audit sample will include at least one precinct from each of the state’s 72 counties, but no more than two precincts from any single municipality.

National: Defcon Voting Village report: bug in one system could “flip Electoral College” | Ars Technica

Today, six prominent information-security experts who took part in DEF CON’s Voting Village in Las Vegas last month issued a report on vulnerabilities they had discovered in voting equipment and related computer systems. One vulnerability they discovered—in a high-speed vote-tabulating system used to count votes for entire counties in 23 states—could allow an attacker to remotely hijack the system over a network and alter the vote count, changing results for large blocks of voters. “Hacking just one of these machines could enable an attacker to flip the Electoral College and determine the outcome of a presidential election,” the authors of the report warned.

National: DEF CON hackers’ dossier on US voting machine security is just as grim as feared | The Register

Hackers probing America’s electronic voting systems have painted an astonishing picture of the state of US election security, less than six weeks before the November midterms. The full 50-page report [PDF], released Thursday during a presentation in Washington DC, was put together by the organizers of the DEF CON hacking conference’s Voting Village. It recaps the findings of that village, during which attendees uncovered ways resourceful miscreants could compromise electoral computer systems and change vote tallies. In short, the dossier outlines shortcomings in the electronic voting systems many US districts will use later this year for the midterm elections. The report focuses on vulnerabilities exploitable by scumbags with physical access to the hardware. “The problems outlined in this report are not simply election administration flaws that need to be fixed for efficiency’s sake, but rather serious risks to our critical infrastructure and thus national security,” the report stated. “As our nation’s security is the responsibility of the federal government, Congress needs to codify basic security standards like those developed by local election officials.”

National: Hackers warn about election security ahead of midterms | CNN

The vulnerabilities in America’s voting systems are “staggering,” a group representing hackers warned lawmakers on Capitol Hill on Thursday — just over a month before the midterm elections. The findings are based on a project at the Voting Village at the Def Con hacking conference held in Las Vegas last month, where hackers were invited to attempt to break into voting machines and other equipment used in elections across the country. The hacking group claims they were able to break into some voting machines in two minutes and that they had the ability to wirelessly reprogram an electronic card used by millions of Americans to activate a voting terminal to cast their ballot. “This vulnerability could be exploited to take over the voting machine on which they vote and cast as many votes as the voter wanted,” the group claims in the report.

National: Questions on Pompeo’s certainty about secure midterms | Politico

Secretary of State Mike Pompeo on Wednesday said there was “no question” the U.S. midterm elections would be safe from foreign interference, a level of certitude that is … shall we say, not widely shared? “That’s a dangerous level of confidence for someone in that position to have,” Alex Halderman, a University of Michigan computer science professor at the forefront of the election security debate, told MC. Halderman said that perhaps intelligence sources might not see any indications of foreign planning to further disrupt elections, but “frankly, you don’t know what you don’t know.” Democratic Rep. Mike Quigley said this about Pompeo: “I wish I could be so confident.” Robert Johnston, credited with discovering the DNC hack while working at CrowdStrike and now CEO of Adlumin, told MC there are already signs Russia has interfered in the 2018 races. Some of the suspect incidents have surfaced in California’s congressional races and the U.S. Senate.

National: Report outlines keys to election security | MIT News

The most secure form of voting technology remains the familiar, durable innovation known as paper, according to a report authored by a group of election experts, including two prominent scholars from MIT. The report, issued by the National Academies of Science, Engineering, and Medicine, is a response to the emerging threat of hackers targeting computerized voting systems, and it comes as concerns continue to be aired over the security of the U.S. midterm elections of 2018. The U.S. has a decentralized voting system, with roughly 9,000 political jurisdictions bearing some responsibility for administering elections. However, for all that variation, and while many questions are swirling around election security, the report identifies some main themes on the topic.

Verified Voting in the News: Blockchain-enabled voting has started in West Virginia | StateScoop

West Virginia residents living overseas have started casting their ballots for this November’s elections using a mobile app that runs on blockchain encryption, state officials announced Monday. The votes that have come in so far are the first general-election ballots in the state’s experiment with a new form of voting technology that has drawn scrutiny from election-security analysts. Overseas voters started using the app for the November elections starting last Friday. … But the prospect of casting votes with a mobile app has been roundly criticized by people who study election technology. Marian Schneider, the president of Verified Voting, told StateScoop last month that ballots submitted over the internet face the same threats as other online transactions. “All the problems with internet voting are present in the app West Virginia is using,” she said.

National: If There Is Meddling With The Midterms, Local Voting Officials May Be To Blame | Buzzfeed

The good news is that the thousands of county and municipal governments that administer elections across the US have a variety of effective cybersecurity programs available to them, free of charge. The bad news is that the vast majority don’t use any of them. In the complex debate about US election security, the focus tends to be on campaigns, parties, states, voting equipment manufacturers, and national trends. But the literal administration of elections, like the printing of ballots, coordinating poll workers, and organizing polling places, falls to more than 10,000 county clerks and local municipalities, according to the nonprofit organization Verified Voting. And those are the people the Department of Homeland Security would like to sign up for its cybersecurity program.

National: Election Security Can Be as Simple as Preserving Paper | Inside Science

Joseph Stalin, no friend of free elections, is credited with saying it was not the people who cast the votes that decide elections. It’s the people who count them. Since the 2016 presidential election, considerable thought — but not much money — has gone into seeing if he’s wrong. According to an expert interviewed by NPR, it would cost at most $400 million to make states with vulnerable systems more secure, but a bill to do that died in Congress last month. There have been some changes in voting procedures, but whether the changes will be enough to block foreign and domestic interference with the upcoming midterm elections is simply unknown.

National: How Vulnerable Are Electronic Voting Machines? | WBUR

A federal judge ruled this week that Georgia does not have to replace its electronic voting machines with machines that create paper records before the election in November. In her ruling, though, the judge noted she’s “gravely concerned” about Georgia’s slow pace in addressing electronic voting vulnerabilities. Here & Now’s Jeremy Hobson talks with Marian Schneider, president of Verified Voting, a nonpartisan nonprofit that advocates for accurate and verifiable elections, about those vulnerabilities and how secure electronic voting machines are.

On her opinion of the judge’s ruling in Georgia:

“I do think that it’s a significant decision, but I think that the judge was concerned about the amount of time before the election, that there wasn’t enough time to smoothly implement paper ballots.

“There’s only seven weeks between now and the election, and the early voting would start soon, too. So I think that was a greater concern for the court, but I think the judge made a lot of very significant findings about the vulnerabilities that are present in paperless computer systems that count our votes.”