The “Days since last vulnerability found” indicator for the iVote system used in New South Wales’ elections was reset to zero on Wednesday thanks to a new research note from University of Melbourne cryptographer Dr Vanessa Teague. Or rather, the software vendor was notified 45 days earlier to keep with the terms of the source code access agreement while the rest of us found out today. iVote was purchased from Scytl Australia, a subsidiary of Barcelona-based election technology vendor Scytl Secure Electronic Voting, and is based on the system used by SwissPost. In March this year, Teague and her colleagues Sarah Jamie Lewis and Olivier Pereira found a flaw in the proof used by the SwissPost system to prevent electoral fraud. Later that month, they detailed a second flaw that could be exploited to result in a tampered election outcome. NSWEC claimed it was safe from the second flaw, and had patched the first. In July, NSWEC ordered Scytl to release parts of the source code in a bid to prove it contained no further vulnerabilities. Vulnerabilities have now been found. “I examined the decryption proof and, surprise, it can easily be faked while passing verification,” Teague tweeted on Wednesday morning. “This exposes NSW elections to undetectable electoral fraud by trusted insiders & suppliers, people who guessed the passwords of the trusted insiders, people who successfully phished the trusted insiders, etc.” Teague’s analysis is detailed in the 8-page Faking an iVote decryption proof [PDF]. Full Article: Flaws found in NSW iVote system yet again | ZDNet.
Articles about voting issues in the Commonwealth of Australia.
Australia: Australia concluded China was behind hack on parliament, political parties – sources | Colin Packham/Reuters
Australian intelligence determined China was responsible for a cyber-attack on its national parliament and three largest political parties before the general election in May, five people with direct knowledge of the matter told Reuters. Australia’s cyber intelligence agency – the Australian Signals Directorate (ASD) – concluded in March that China’s Ministry of State Security was responsible for the attack, the five people with direct knowledge of the findings of the investigation told Reuters. The five sources declined to be identified due to the sensitivity of the issue. Reuters has not reviewed the classified report. The report, which also included input from the Department of Foreign Affairs, recommended keeping the findings secret in order to avoid disrupting trade relations with Beijing, two of the people said. The Australian government has not disclosed who it believes was behind the attack or any details of the report. Full Article: Exclusive: Australia concluded China was behind hack on parliament, political parties – sources - Reuters.
Victoria’s Electoral Commissioner, Warwick Gately AM, says that Victoria should legislate to allow Internet voting because “there is an inevitability about remote electronic voting over the internet.” According to Mr Gately, the NSW iVote system has, “proven the feasibility of casting a secret vote safely and securely over the internet”. The key word here is “proven”. Anyone can claim that their system is secure and protects people’s privacy, but how would we know? Elections have special requirements. Ballot privacy is mandated by law. And elections must demonstrate that the result accurately reflects the choice of the people. So, what has iVote proven? In 2015, our team found that the iVote site was vulnerable to an internet-based attacker who could read and manipulate votes. The attack wouldn’t have raised any security warnings at either the voter’s or the NSW Electoral Commission (NSWEC) end, but it should have been apparent from iVote’s telephone-based verification. When the NSWEC claimed that “some 1.7 per cent of electors who voted using iVote® also used the verification service and none of them identified any anomalies with their vote,” we took that as reasonable evidence that the security problem hadn’t been exploited. But it wasn’t true. Full Article: Where’s the proof internet voting is secure? | Pursuit by The University of Melbourne.
Australia: New South Wales iVote source code released for researchers to poke around in | Asha Barbaschow/ZDNet
The Australian Electoral Commission has revealed the nation’s core electoral systems experienced no successful cyber-attacks during the 2019 federal election campaign. But the agency, which has been increasingly worried by the prospect of external interference, won’t say whether any attempts to compromise the systems were detected. In a bid to guard Australia’s systems against the threat of compromise, the AEC introduced monitoring through a dedicated security operations centre in the lead up to the May 18 ballot. It follows what the agency has described as a worsening cyber environment in the years since the July 2016 election through events like Russia’s alleged cyber interference in the 2016 US election. Many of these concerns stem from the ageing nature of the country’s system for election and roll management, which have been in place since the early 90s and are in dire need of replacement. Full Article: Electoral systems evade cyber-attack during federal poll - Strategy - Security - iTnews.
The ACT Electoral Commission is planning to introduce limited online voting in time for next year’s territory election to allow Canberrans to cast their ballot if travelling overseas. The electronic voting system, which could bear resemblance to NSW’s iVote system, will be developed as part of a refresh of the commission’s election management system. The refresh of the commission’s existing custom-made TIGER system was handed $1.5 million in this month’s territory budget, with separate funding for electronic voting also set aside. The core system has been in place since 1995 and is used to support all administrative tasks associated with an ACT election every four years. TIGER, which contains the electoral roll information on around 300,000 ACT electors in a Microsoft Access 365 format, is also used to “support referendums, interstate elections and small external fee-for-service elections”. Full Article: ACT to introduce limited online voting next year - Strategy - Security - Software - iTnews.
Australia: Politicians need more public money to thwart election cyber attacks: ASPI | Julian Bajkowski /iTnews
The spectre of state-sponsored cyber interference in democratic elections across the world has been a staple example of why nations like Australia need top-notch digital defences. Especially since the Internet Research Agency’s free-for-all in the 2016 US poll coincided with the delivery of an unexpected Trump Tweetocracy, with the degree of Russia’s influence hotly contested ever since. Now, after a considerable amount of research helped along by the Australian Computer Society, the cyber security boffins at the Australian Strategic Policy Institute reckon they have a reasonable solution to boost the defences of our political parties big and small: Give them more taxpayer’s money. Full Article: Politicians need more public money to thwart election cyber attacks: ASPI - Finance - Security - iTnews.
The Australian Signals Directorate (ASD) has appointed Rachel Noble as the new head of the Australian Cyber Security Centre (ACSC). Noble is currently serving as Deputy Secretary Executive Group in the Department of Home Affairs. The Group is responsible for enterprise strategy, risk, assurance, security and ministerial, media and intelligence services. Noble has previously held a series of leadership positions in Home Affairs; Defence, including two previous roles at ASD, and the Department of the Prime Minister and Cabinet (PM&C). “I’m delighted that Rachel’s agreed to return to ASD to take this important and challenging role,” said ASD director-general Mike Burgess in a statement on Wednesday. “The cyber threat is real and Rachel is ideally qualified to confront it.” Full Article: Rachel Noble to head up Australian Cyber Security Centre | ZDNet.
An Australian election is on again. The triennial ritual where the electorate makes a choice of which parliamentarian to elect — who will then decide what sort of greying, white male party apparatchik becomes the Prime Minister. With the dumping of racist and homophobic candidates being a daily occurrence, the campaign is plumbing the depths expected upon its announcement. However, on the plus side, Russian trolls and foreign actors have not stoked or created the scandals that are occurring — this is pure, unabashed, organic, embarrassing Australian politics. For the folks able to take their eyes off the sideshow, a common refrain from the technically minded has been the lack of policy directed towards them. But this week, like an ancient Greek god that hasn’t had a good laugh in a while, the Labor party decided to announce it would erect a AU$3 million Blockchain Academy in Perth if it is elected. This was followed in short order by AU$2 million being put towards a Broadmeadows cyber training centre, adding to the AU$3 million National Centre of Artificial Intelligence Excellence announced last month. On the opposing side, the Morrison government said last month it would spend AU$156 million to build a cyber workforce and fight cybercrime if re-elected. Full Article: Technology problems are not going to be sorted out by more Kool-Aid | ZDNet.
The Morrison government’s election promise to spend $156 million to bolster Australia’s cyber defences is a start but more like a “drop in a bucket,” says Security in Depth’s Michael Connory. The “cyber resilience and workforce package” will include $50 million to hire more staff under a workforce expansion program; $40 million for a ‘countering foreign cyber criminals’ capacity within the existing Australian Cyber Security Centre (ACSC); and $26 million for ACSC to expand its assistance to the community. Michael Connory, security advisor at Security in Depth told CIO Australia the fund is “nowhere near adequate” to help deal with the cyber threats facing Australian businesses and citizens. “It’s significantly better than the other political parties are pledging, but it’s still not close to enough,” he said. “$40 million focused on placing 230+ new cyber experienced staff for military cyber operations – while this is absolutely necessary, the figure probably needs to be doubled.” Connory said at this time Australia “immediately” needs an additional 2,300 individuals to manage the $500 million cost of cybercrime that Australians lost last year. Full Article: Government's $156M cybersecurity pledge a 'drop in the bucket': White hat hacker - ARN.
Every time election season comes around, the same question crops up again and again: why can’t we just vote online? We can shop, order takeaway and request an Uber from our phones; why can’t we vote over the internet as well? The main reason: maintaining the security and integrity of elections is actually a lot more complicated than it seems. But let’s take a closer look. While we can secure things like online banking to a reasonable degree, our elections are based on the principle of anonymity and this makes it far more challenging to protect them. Our online banking systems permanently record how much people spend and where, so that we can verify whether our balances are correct. But a record of each person’s vote would be extremely limiting to democracy because it would open up the door to peer pressure and coercion. This could stop people from truly expressing their democratic will. The need to keep elections anonymous brings up some major problems: without records, how can we ensure that the final vote tally is an accurate representation of what the people want? How do we know that the result hasn’t been meddled with by a political party or a foreign power? In paper-based voting systems, we rely on simplicity and having observers from each side at every step of the process. This has been relatively effective at preventing large-scale compromises and errors. When we use electronic and internet-based voting systems, we can’t see what’s actually going on inside the computers and servers, and the vast majority of the electorate doesn’t have the specific knowledge to understand the technical processes that underlie these systems. Electronic and internet-based systems also open up the possibility for widespread election tampering that could slip by undetected, corrupting the entire system. 
This isn’t feasible in a paper-based election because it would require collusion between far too many people, which would surely be discovered. Full Article: Federal election 2019: why can't we just vote online? - Crikey.
The international Five Eyes network of cyber spies believes Australia is at risk from foreign interference in its federal election, including direct hacks and targeted “fake news”, a security conference has been told. Disinformation is proving to be a broader challenge for the agencies because of how it intersects with free speech, one expert said. Australia’s top secret cyber security agency revealed on Wednesday it is on high alert to guard Australia against such threats during the campaign. Scott MacLeod, assistant director-general for “Protect, Assure and Enable” at the Australian Signals Directorate, made a rare public appearance at the CyberUK security conference in Scotland on Wednesday. Alongside colleagues from security agencies in the other Five Eyes nations, MacLeod said electoral security was a critical priority. Full Article: Cyber spooks hint at hard work defending election from hackers.
With the date of next month’s federal ballot now set, the agency in charge of Australia’s electoral systems has switched on its new security operations centre to protect against external interference. The short-term SOC capability was established late last month in preparation for Prime Minister Scott Morrison calling the election last week. It will be used to detect any compromises – or compromise attempts – made against the Australian Electoral Commission’s systems in the lead up to, during and following the May 18 election. The resilience of Australia’s core electoral systems – the age of which remains an ongoing concern for the agency – is particularly acute in this year’s election following Russia’s alleged cyber interference in the 2016 US election. Monitoring services will be provided by Technical Security Services (TSS), which was established by Defence Signals Directorate (now Australian Signals Directorate) alumni Richard Byfield. For up to the next ten weeks or until the results of the election are declared, the company will provide a real-time alerting system for significant cyber security events, as well as at least daily review of log files. Full Article: Electoral Commission spins up cyber ops centre - Strategy - Security - iTnews.
The Australian Electoral Commission (AEC) will be given AU$10.8 million over the next two years to upgrade its IT infrastructure and implement more polling place technology under the 2019-20 Federal Budget. The funding will be separated into AU$4 million in 2019-20 and AU$6.7 million in 2020-21. It will specifically see the AEC “approach the market to scope the deployment of new polling place technology and upgrades to the AEC’s ageing core ICT infrastructure”, according to the Budget documents. The funding follows electronic voting for citizens previously gaining bipartisan support, with both former Prime Minister Malcolm Turnbull and current opposition leader Bill Shorten advocating for electronic voting following the 2016 federal election. “We’re a grown-up democracy; it shouldn’t be taking eight days to find out who’s won and who’s lost,” Shorten said while conceding the election a week after polls closed. Full Article: Australian Budget 2019: Electoral Commission gets AU$11m for polling place tech and IT upgrades | ZDNet.
The Federal Government has allocated an unspecified amount in Tuesday’s Federal Budget to improve cyber security arrangements for the forthcoming election. The amount was not specified due to what the government said were national security reasons. The Budget papers say the money will be for mitigating potential threats through enhanced monitoring and response capabilities. It will also be spent towards the creation of cyber “Sprint Teams” within the Australian Cyber Security Centre and a Cyber Security Response Fund. In February this year, it was announced that the network of the Australian Parliament had been breached by hackers whose affiliations have not yet been revealed. The networks of the three major political parties — Liberal, Labor and National — were also infiltrated. Full Article: iTWire - Govt allocates funds to boost election security.
The Joint Standing Committee on Electoral Matters is tasked with overseeing the Australian electoral system, specifically the activities of the Australian Electoral Commission (AEC). Its Status Report [PDF], released on Friday, follows the November publication of the Report on the conduct of the 2016 federal election and matters related thereto [PDF], which made 31 recommendations to the AEC regarding cybersecurity, in particular where the manipulation of elections was concerned. One of the recommendations made by the committee was that the Australian government establish a permanent taskforce to “prevent and combat cyber manipulation in Australia’s democratic process” and to “provide transparent, post-election findings regarding any pertinent incidents”. Specifically, the taskforce, the committee wrote, would focus on “systemic privacy breaches”. In its latest report, the committee again recommended the taskforce be established. Full Article: Committee pushes 'cyber taskforce' for security of Australia's election system | ZDNet.
Some New South Wales voters have had trouble casting their ballot as issues plaguing the state’s electronic voting system ran into election day. Technical issues began on Friday night but continued Saturday morning as thousands flooded iVote to register and cast their ballot. Frustrated voters then turned to the telephone registration system, which itself was then overloaded, with some told to call back later. Full Article: Fury as online voting system crashes on NSW election day | Express Digest.
The Australian Parliament said on Friday that hackers had tried to break into its computer network, which includes lawmakers’ email archives, but that so far there were no indications that data had been stolen. “Following a security incident on the parliamentary computing network, a number of measures have been implemented to protect the network and its users,” Parliament’s presiding officers, Tony Smith and Scott Ryan, said in a joint statement. “All users have been required to change their passwords. This has occurred overnight and this morning.” “There is no evidence that any data has been accessed or taken at this time, however this will remain subject to ongoing investigation,” the statement read. Australian news outlets reported that security agencies were investigating the possibility that a foreign government was behind the attack, possibly China’s. Full Article: Australian Parliament Reports Cyberattack on Its Computer Network - The New York Times.
In 2016, an Instagram account called @army_of_jesus_ posted an image of the son of God, imploring viewers to “like if you believe” or “keep scrolling if you don’t”. It received almost 88,000 likes. The account, as revealed later by security researchers, was run by Russian internet trolls. While much attention has been paid to attempts to influence the 2016 US presidential election on Facebook and Twitter, the role of the image-based social media platform has been largely overlooked. In fact, according to two recent reports, Instagram became the platform of choice for Russia’s infamous Internet Research Agency (IRA). Full Article: Instagram spreads political misinformation and Australian elections are vulnerable - Science News - ABC News.
Australia’s electoral systems will be actively monitored around the clock by a new security operations centre during the upcoming federal election. The Australian Electoral Commission has put out the call for vendors capable of providing “short-term, event based security monitoring” of its internal systems in a bid to protect against unauthorised interference. The centre would be used to detect “common or generic system or network compromises or compromise attempts against the AEC’s systems” in the lead up to, during and following the election. It will also spot “defined specific compromise attempts against electoral systems”, according to a brief posted on the digital marketplace late last month. Full Article: Aussie electoral systems get 24x7 monitoring for 2019 election - Strategy - Security - iTnews.