As Black Hat and DEF CON organizers, researchers and members of the cyber community scramble to figure out how they can salvage or, better yet, enhance the experience as the events go virtual amid the COVID-19 pandemic, security will be a top priority. Meanwhile, other aspects of the conferences are expected to change more drastically, for better or worse. Organizers of the August 2020 events are aware the remote shows will have to emphasize security, as the new format presents a tempting challenge to adversaries who may want to make a name for themselves by hacking into the shows’ remote infrastructure, perhaps hijacking a presentation or disrupting access. While members of the cyber community acknowledged the issue, they don’t seem to be fretting it too heavily. “Sure, there is always a concern, but if cybersecurity conferences can’t figure out how to secure their virtual events, well, they probably shouldn’t claim to be a cybersecurity conference,” said Patrick Wardle, a frequent Black Hat/DEF CON presenter, principal security researcher at Jamf, and founder of Objective-See. “And such conferences already have had to secure their websites and networks at in-person events. And oftentimes such networks were part of a public venue or… belonged to the venue itself, and thus a purely virtual event may be in a way, simpler to secure.”
National: Voting Village brings equipment to lawmakers to boost urgency on election security | Sean Lyngaas/CyberScoop
A year from the 2020 election and with a new round of election security funding stalled in Congress, the DEF CON Voting Village organizers have again taken to Capitol Hill to raise awareness about software vulnerabilities in voting equipment. This time, they brought the equipment with them to drive home their point. “If we’re going to meaningfully introduce funding or introduce new technologies for 2020, time is rapidly running out to be able to do that,” Matt Blaze, a professor at Georgetown University and co-organizer of the Voting Village, told CyberScoop. “We need to act pretty fast.” A handful of House Democrats and their staffers sauntered up to equipment on display, including a ballot-marking device and an electronic voting machine, to ask the researchers about the software bugs they found. “This is really helpful in understanding that these aren’t just abstract problems, that these are real things,” Blaze, an expert in cryptology, told CyberScoop. This is the second time in a month that the Voting Village has hosted an event on Capitol Hill. Last month, Blaze and Harri Hursti, another village organizer, unveiled the village’s annual report on flaws in voting gear that could be exploited by hackers.
At the world’s premier hackers convention, hacking a voter system was as easy as ever, according to media reports. A summary of the “Voting Village” event posted last week said hackers at Defcon “compromised every single machine over the 2.5-day event, many of them with trivial attacks that require no sophistication or special knowledge on the part of the attacker.” “In most cases, vulnerabilities could be exploited under election conditions surreptitiously…an attack that could compromise an entire jurisdiction could be injected in any of multiple places,” according to a full version of the report. In many cases, physical ports were unprotected, passwords were either left unset or in their default configuration and security features went unused or in some cases, were disabled, the report added. Attendees were given access to over 100 machines at the event, including direct-recording electronic voting machines, electronic poll books, Ballot Marking Devices, Optical scanners and hybrid systems. One machine, based on an old PC hardware, had no BIOS password set on the machine. The BIOS (Basic Input Out System) controls the basic functions of a PC.
National: Hacker conference report details persistent vulnerabilities to US voting systems | Maggie Miller/The Hill
U.S. voting systems remain vulnerable to cyberattacks three years after documented efforts to penetrate election machines, according to a report released Thursday. The report is based on the findings of the white-hat hacker DEF CON Voting Village, an annual gathering of hackers that uses election machines to find vulnerabilities that could allow someone to interfere with the voting process. This year’s event allowed hackers to test voting equipment, including e-poll books, optical scan paper voting devices and direct recording electronic voting machines — all certified for use in at least one U.S. voting jurisdiction. “Voting Village participants were able to find new ways, or replicate previously published methods, of compromising every one of the devices in the room in ways that could alter stored vote tallies, change ballots displayed to voters, or alter the internal software that controls the machines,” the report said. Despite the “disturbing” findings of the report, the authors wrote that the findings were “not surprising,” particularly in light of the fact that many of the election equipment cyber vulnerabilities found were “reported almost a decade earlier.” Equipment that was tested included those made by leading voting machines companies Election Systems and Software (ES&S) and Dominion Systems.
In three short years, the Defcon Voting Village has gone from a radical hacking project to a stalwart that surfaces voting machine security issues. This afternoon, its organizers released findings from this year’s event—including urgent vulnerabilities from a decade ago that still plague voting machines currently in use. Voting Village participants have confirmed the persistence of these flaws in previous years as well, along with a raft of new ones. But that makes their continued presence this year all the more alarming, underscoring how slow progress on replacing or repairing vulnerable machines remains. Participants vetted dozens of voting machines at Defcon this year, including a prototype model built on secure, verified hardware through a Defense Advanced Research Projects Agency program. Today’s report highlights detailed vulnerability findings related to six models of voting machines, most of which are currently in use. That includes the ES&S AutoMARK, used in 28 states in 2018, and Premier/Diebold AccuVote-OS, used in 26 states that same year.
A group of guys are starring into a laptop, exchanging excited giggles. Every couple minutes there’s an “oooooh” that morphs into an expectant hush. The Las Vegas scene seems more like a college dorm party than a deep dive into the democratic process. Cans of Pabst Blue Ribbon are being tossed around. One is cracked open and spews foam all over a computer keyboard. “That’s a new vulnerability!” someone yells. The laptop that’s drawing the most attention in this moment is plugged into a voting machine that was used just last year in Virginia. “Right now, we’re trying to develop a way to remotely control the voting machine,” said a hacker named Alex. He’s seated next to Ryan, and like a lot of the hackers at the Defcon conference, they didn’t feel comfortable giving their full names. What they’re doing — messing around with voting equipment, the innards of democracy — falls into a legal gray area. The voting machine looks sort of like a game of Operation. The cover is off and dozens of cords are sticking out, leading to multiple keyboards and laptop computers. No one could get that kind of access on a real Election Day, which is when most people come into contact with voting machines for a few minutes at most. Election supervisors are quick to point out that any vulnerabilities found under these conditions aren’t indicative of problems that actually could be exploited during an election. All the same, hackers like Alex and Ryan say the work they’re doing is important because it’s the highest profile public investigation of the equipment U.S. citizens use to vote. And if they can exploit it, so could government-sponsored specialists working for another nation’s intelligence agency.
National: Election Security Lessons from DEFCON 27 | Ciara Torres-Spelliscy/Brennan Center for Justice
Given the extent of foreign interference in the 2016 election, every American should be concerned about election security in 2020. But what can computer hackers teach us about it? To find out, I went to Las Vegas earlier this month to attend DEFCON 27, the largest annual hacking conference in the United States, knowing this was probably my last chance to see a legal election hacking. Voting machines are protected from reverse engineering under the Digital Millennium Copyright Act. But the Library of Congress, which has certain authorities under the law, set a three-year window to allow third parties access to voting machines to test their security. Barring an extension by the Library of Congress, 2019 is the third and last year these hacks are legal. DEFCON is a huge event, and I saw fellow conference-goers all over Las Vegas with their distinctive glowing badges. I was only interested in the DEFCON Voting Village, which included a large assortment of voting equipment for participants to test, hack, and break.
Vermont: Ethical Hackers Breach Vermont Voting Machines, But Officials Say No Need To Panic | Peter Hirschfeld/Vermont Public Radio
Elections security experts have discovered new ways to manipulate the type of voting machine used in Vermont, but local elections officials say it’s unlikely that bad actors could exploit those vulnerabilities to change the results of an election. At a recent technology conference in Las Vegas, ethical hackers from across the country tried to infiltrate some of the voting machines used in U.S. elections. Probing for vulnerabilities in ballot tabulators is an annual tradition at the DEF CON Hacking Conference. This year, however, hackers tried to gain access to the same type of voting machine used by 135 towns in Vermont. Montpelier City Clerk John Odum retrieved one of the machines from a vault last week and placed it on a desk in his office. It’s a pretty ancient-looking piece of technology — like something you might have seen in a middle school computer room in the early 1990s. “As I understand it, the memory cards that we use, the technology was originally developed for the original Tandy laptops,” Odum said, “so this is some old stuff.” The machine is called an AccuVote, and its name is clearly meant to inspire confidence in the results it spits out. But when white-hat hackers set to work on this tabulator at DEF CON earlier this month, they quickly found all kinds of ways to manipulate results.
National: Hackers can easily break into voting machines used across the U.S.; play Doom, Nirvana | Igor Derysh/Salon
Voting machines used in states across the United States were easily penetrated by hackers at the Def Con conference in Las Vegas on Friday. Participants at Def Con, a large annual hacker conference, were asked to try their skills on voting machines to help expose weaknesses that could be used by hostile actors. A video published by CNN shows a hacker break into a Diebold machine, which is used in 18 different states, in a matter of minutes, using no special tools, to gain administrator-level access. Hackers also quickly discovered that many of the voting machines had internet connections, which could allow hackers to break into machines remotely, the Washington Post reported. Motherboard recently reported that election security experts found that election systems used in 10 different states have connected to the internet over the last year, despite assurances from voting machine vendors that they are never connected to the internet and therefore cannot be hacked. The websites where states post election results are even more susceptible. The event had 40 child hackers between the ages of 6 and 17 attempt to break into a mock version of the sites. Most were able to alter vote tallies and even change the candidates’ names to things like “Bob Da Builder,” CNNreported. “Unfortunately, it’s so easy to hack the websites that report election results that we couldn’t do it in this room because [adult hackers] would find it boring,” event organizer Jake Braun told CNN.
National: At Def Con, hackers and lawmakers came together to tackle holes in election security | Taylor Telford/The Washington Post
As Sen. Ron Wyden (D-Ore.) toured the Voting Village on Friday at Def Con, the world’s hacker conference extraordinaire, a roomful of hackers applied their skills to voting equipment in an enthusiastic effort to comply with the instructions they had been given: “Please break things.” Armed with lock-pick kits to crack into locked hardware, Ethernet cables and inquiring minds, they had come for a rare chance to interrogate the machines that conduct U.S. democracy. By laying siege to electronic poll books and ballot printers, the friendly hackers aimed to expose weaknesses that could be exploited by less friendly hands looking to interfere in elections. Wyden nodded along as Harri Hursti, the founder of Nordic Innovation Labs and one of the event’s organizers, explained that the almost all of the machines in the room were still used in elections across the United States, despite having well-known vulnerabilities that have been more or less ignored by the companies that sell them. Many had Internet connections, Hursti said, a weakness savvy attackers could abuse in several ways. Wyden shook his head in disbelief. “We need paper ballots, guys,” Wyden said. After Wyden walked away, a few hackers exchanged confused expressions before figuring out who he was. “I wasn’t expecting to see any senators here,” one said with a laugh.
DHS, security experts worry about nation-state or other actors waging a disruptive or other attack on the 2020 election to sow distrust of the election process. When DEF CON debuted its first-ever Voting Village in 2017, it took just minutes for researcher Carsten Schürmann to crack into a decommissioned WinVote voting system machine via WiFi and take control of the machine such that he could run malware, change votes in the database, or even shut down the machine remotely. Several other researchers were able to break into other voting machines and equipment by pulling apart the guts and finding flaws by hand that year, and then again on other machines in the 2018 event. The novelty of the live hacking of decommissioned voting machines has worn off a bit now and there weren’t many surprises – nor did the organizers expect many – at this year’s Voting Village, held at DEF CON in Las Vegas last week. But once again the event shone a white hot light on blatant security weaknesses in decommissioned voting machine equipment and systems. “DEF CON is not about proving that voting machines can be hacked. They all can be hacked and 30 years from now, those can be hacked, too. It’s about making sure we understand the risk,” Harri Hursti, Nordic Innovation Labs, one of the founders of the Voting Village, told attendees last week. Hursti as well as other security experts, government officials, and hackers at this year’s event doubled down on how best to secure the 2020 US presidential election: ensuring there’s an audit trail with paper ballots; employing so-called risk-limiting audits (manually checking paper ballots with electronic machine results); and proper security hygiene in voting equipment, systems, and applications.
For the last two years, hackers have come to the Voting Village at the DefCon security conference in Las Vegas to tear down voting machines and analyze them for vulnerabilities. But this year’s Village features a fancy new target: a prototype secure voting machine created through a $10 million project at the Defense Advanced Research Projects Agency. You know it better as Darpa, the government’s mad science wing. Announced in March, the initiative aims to develop an open source voting platform built on secure hardware. The Oregon-based verifiable systems firm Galois is designing the voting system. And Darpa wants you to know: its endgame goes way beyond securing the vote. The agency hopes to use voting machines as a model system for developing a secure hardware platform—meaning that the group is designing all the chips that go into a computer from the ground up, and isn’t using proprietary components from companies like Intel or AMD. “The goal of the program is to develop these tools to provide security against hardware vulnerabilities,” says Linton Salmon, the project’s program manager at Darpa. “Our goal is to protect against remote attacks.” Other voting machines in the Village are complete, deployed products that attendees can take apart and analyze. But the Darpa machines are prototypes, currently running on virtualized versions of the hardware platforms they will eventually use. A basic user interface is currently being provided by the secure voting firm VotingWorks.
National: Senator: Status quo on voting machine security is a ‘danger to our democracy’ | Alfred Ng/CNET
In the aftermath of the 2016 US presidential election, lawmakers have seen little change in security for voters. But if voting machine security standards don’t change by the 2020 presidential election, Sen. Ron Wyden warns, the consequences could be far worse than the cyberattacks of 2016. The Democrat from Oregon, who is a member of the Senate Intelligence committee, told the Defcon hacking conference that US voting infrastructure is failing to keep elections secure from potential cyberattacks. He made the comments in a Friday speech at the Voting Village, a special section of the Las Vegas conference dedicated to election security. “If nothing happens, the kind of interference we will see form hostile foreign actors will make 2016 look like child’s play,” Wyden said. “We’re just not prepared, not even close, to stop it.” Election security has been a major concern for lawmakers since the 2016 election, which saw unprecedented interference by the Russians. Though no votes are believed to have been changed, the Russians targeted election systems in all 50 states, according to the Senate Intelligence Committee. Legislation to protect elections has been trudged along in Congress. Multiple members of Congress were at Defcon to discuss the issue, as well as to learn about cybersecurity policy.
National: DARPA’s $10 million voting machine couldn’t be hacked at Defcon (for the wrong reasons) | Alfred Ng/CNET
For the majority of Defcon, hackers couldn’t crack the $10 million secure voting machine prototypes that DARPA had set up at the Voting Village. But it wasn’t because of the machine’s security features that the team had been working on for four months. The reason: technical difficulties during the machines’ setup. Eager hackers couldn’t find vulnerabilities in the DARPA-funded project during the security conference in Las Vegas because a bug in the machines didn’t allow hackers to access their systems over the first two days. (DARPA is the Defense Advanced Research Projects Agency.) Galois brought five machines, and each one had difficulties during the setup, said Joe Kiniry, a principal research scientist at the government contractor. “They seemed to have had a myriad of different kinds of problems,” the Voting Village’s co-founder Harri Hursti said. “Unfortunately, when you’re pushing the envelope on technology, these kinds of things happen.” It wasn’t until the Voting Village opened on Sunday morning that hackers could finally get a chance to look for vulnerabilities on the machine. Kiniry said his team was able to solve the problem on three of them and was working to fix the last two before Defcon ended.
Hacker summer camp is here again! You know what that means: WIRED is back in Las Vegas for the annual Black Hat and Defcon security conferences, where we’re digging into the latest and greatest hacks on display. First, let’s talk about iPhones. A researcher found it’s possible to break into one just by sending a text message. To help uncover similar vulnerabilities in the future, Apple is handing out new, hacker-friendly iPhones to its favorite security researchers, and paying up to $1.5 million in bug bounties. Moving on to planes. Boeing’s 787 jets might not be very secure, it turns out—Andy Greenberg talked to a security researcher who found multiple serious flaws in the code for one of the plane’s components. (The 787 is distinct from the 737 MAX plane grounded earlier this year, although a recent test flight of that jet had its ups and downs, as WIRED’s transportation desk reports.) That’s not all that’s happening in Vegas. Safecrackers can unlock an ATM in minutes without leaving a trace. Apple pay buttons can make websites less safe. Have you heard of DDOS attacks? Kindly meet their cousin, the DOS attack. Lily Hay Newman also looked at two very old bugs that have continued to persist, one in desk phones and another in a ubiquitous encryption algorithm. Lastly, check out this very cool fake hospital, where real medical devices get hacked on purpose.
One of the scarier notions in the world today is the prospect of American voting machines being compromised at scale: voters thrown off rolls, votes disregarded, vote tallies edited, entire elections hacked. That’s why the nation’s lawmakers and civil servants flocked (relatively speaking) to Def Con in Las Vegas this week, where hackers at its Voting Village do their best to prove the potential vulnerabilities — including, in some cases, remote command and control — of voting systems. There are several ways to help secure voting. One, thankfully, is already in place; the decentralization of systems such that every state and county maintains its own, providing a bewildering panoply of varying targets, rather than a single tantalizing point of failure. A second, as security guru Bruce Schneier points out, is to eschew electronic voting machines altogether and stick with good old-fashioned paper ballots.
National: Def Con draws election officials to Las Vegas in effort to combat hackers | Miranda Willson/Las Vegas Sun
Ahead of the annual hacker and cybersecurity conference Def Con in Las Vegas this weekend, organizers anticipate that the part of the event devoted to election security will entice more local, state and federal election officials than ever before. Drawing tens of thousands of hackers, researchers, lawyers and others interested in cybersecurity every year to Las Vegas, Def Con has included a so-called “Voting Village” in its weekend-long programming for the past three years to address election security and how to protect elections from hacking. This is the first time that Def Con explicitly invited local and state election officials to attend, and many seem to be taking advantage of the opportunity, said Harri Hursti, co-founder of the Voting Village and founder of computer and network security company Nordic Innovation Labs. “We never intended this to be a main or big thing. It became a big thing because of popular demand,” Hursti said. Among those attending the conference are representatives from the Clark County Election Department and the Nevada Secretary of State’s Office.
National: Inside the DEF CON hacker conference’s election security-focused Voting Village | Joe Uchill/Axios
The DEF CON hacker conference’s Voting Village event has become a testing ground for our national debate over voting security, referenced by Senate reports, several congressmen and even a presidential candidate (albeit incorrectly, see below). This year’s version, happening next week, comes with some upgrades. The big picture: Now in its third year, the event is traditionally one of the only places where many security researchers get a chance to audit the security of election systems.
Background: Voting Village burst onto the scene in 2017, when it took hackers only a matter of minutes to discover serious problems with machines. That was despite it being the first time many of the hackers had seen the systems.
A new challenge at this year’s DEF CON will let kid hackers take aim at simulated election campaign financial disclosure portals and use their findings to stage disinformation campaigns. DEF CON’s Voting Village and AI Village have teamed up with r00tz Asylum, a nonprofit dedicated to educating kids about white-hat hacking, to teach budding infosec enthusiasts ages 8–16 about digital threats to democracy. Like the Voting Village, which lets adults explore flaws in election infrastructure, r00tz Asylum gives kids a chance to poke holes in election security. Last year, r00tz Asylum made its first foray into election security. Kids used SQL injection to access and manipulate synthetic state election results websites, where they could change the candidates and displayed vote counts. It took two 11-year-old hackers just 15 minutes to crack a replica of the Florida Secretary of State’s website and change its vote count reports.
National: First look at the DEFCON Voting Village | Eric Geller, Mary Lee and Natasha Bertrand/Politico
Sen. Ron Wyden (D-Ore.) and former 2020 presidential candidate Rep. Eric Swalwell (D-Calif.) will speak at this year’s DEFCON Voting Village, MC can reveal. The lawmakers will join California Secretary of State Alex Padilla and former NSA national threat operations director Sherri Ramsay in the election security-focused corner of the cybersecurity conference, which runs Aug. 8-11 in Las Vegas. “The overwhelming interest we are seeing from government leaders demonstrates that securing our democracy is a national security priority,” Voting Village co-founder Harri Hursti says in a press release set to go out this morning, “and we need policy solutions that address the concerns brought to light each year by this Village.” The Voting Village sparked controversy last year when the National Association of Secretaries of State dismissed its findings about voting technology vulnerabilities by saying the test conditions were unrealistic. NASS said at the time that it looked forward to working more closely with the village’s organizers this year. That appears to have happened: This year’s event will “feature a significant increase” in government speakers, including “prominent state and local election authorities,” the organizers said. Other speakers will hail from the DHS Cybersecurity and Infrastructure Security Agency, the Defense Advanced Research Projects Agency and the Pentagon. And good news for attendees seeking a hands-on experience: Per the organizers, there will also be “a more extensive array of voting equipment” this year.
Technology brings with it a number of conveniences, but it also opens up opportunities for scammers and hackers to take advantage of people through tech fraud. That crime involves using technology in a variety of possible ways to mislead people, steal data, shut down systems and more. Increasingly over the past several years, tech fraud has influenced voter fraud, which also manifests in many ways. People may use fake information at the polls, try to vote more than once or otherwise wrongfully attempt to swing votes in a certain direction. Unfortunately, e-voting could facilitate both tech fraud and election fraud if the platforms aren’t sufficiently locked down.
Voting in Australia has long followed the same formula – use pencils to mark on a piece of paper behind a cardboard booth, then folding said paper and slotting it into a box. For years, having humans manually count paper ballots have created an electoral system that is deemed highly secure and tamper-resistant. Compulsory voting in the country has helped secure against suppression tactics that have affected elections in the US and the UK. In the digital age, it is tempting to move voting online; the Australian Electoral Commission (AEC) tried dabbling in e-voting in 2013. However, experts warned that e-voting brings more harm than good. The trouble of electronic voting has been in the spotlight for the past few years at DefCon, the world’s largest hacker conference taking place annually in the US, where hackers have been showcasing vulnerabilities to the US election equipment, databases, and infrastructure. In fact, this year an 11-year-old managed to hack into replica websites to manipulate vote tallies in just 10 minutes.
National: Def Con researchers came to Washington to poke holes in voting machine security | The Washington Post
Not long ago, lawmakers might have been wary about showcasing the work of hackers who specialize in penetrating voting equipment. But on Thursday, organizers from the Def Con Voting Village — a collection of security researchers who hack election systems in hopes of making them more secure — received a warm welcome on Capitol Hill. The organizers were in town to unveil a new report identifying vulnerabilities in several widely used voting machines they tested during the Def Con hacking conference in Las Vegas over the summer, including a flaw in a vote tabulator that could allow a malicious actor to hack it remotely. They presented their findings in a meeting hosted by Rep. Jackie Speier (D-Calif.) and attended by staffers from the offices of Sen. Amy Klobuchar (D-Minn.), who is sponsoring an election security bill, and several other Democrats. The event highlights how the cybersecurity experts behind the Voting Village, which is only in its second year, are reaching beyond the niche and often apolitical community of Def Con in hopes of influencing the debate over how to secure the country’s election systems. The issue has received a wave of new attention since the 2016 election, when Russian hackers probed election administration systems in 21 states.
While Russian interference operations in the 2016 US presidential elections focused on misinformation and targeted hacking, officials have scrambled ever since to shore up the nation’s vulnerable election infrastructure. New research, though, shows they haven’t done nearly enough, particularly when it comes to voting machines. The report details vulnerabilities in seven models of voting machines and vote counters, found during the DefCon security conference’s Voting Village event. All of the models are in active use around the US, and the vulnerabilities—from weak password protections to elaborate avenues for remote access—number in the dozens. The findings also connect to larger efforts to safeguard US elections, including initiatives to expand oversight of voting machine vendors and efforts to fund state and local election security upgrades.
National: Defcon Voting Village report: bug in one system could “flip Electoral College” | Ars Technica
Today, six prominent information-security experts who took part in DEF CON’s Voting Village in Las Vegas last month issued a report on vulnerabilities they had discovered in voting equipment and related computer systems. One vulnerability they discovered—in a high-speed vote-tabulating system used to count votes for entire counties in 23 states—could allow an attacker to remotely hijack the system over a network and alter the vote count, changing results for large blocks of voters. “Hacking just one of these machines could enable an attacker to flip the Electoral College and determine the outcome of a presidential election,” the authors of the report warned.
National: DEF CON hackers’ dossier on US voting machine security is just as grim as feared | The Register
Hackers probing America’s electronic voting systems have painted an astonishing picture of the state of US election security, less than six weeks before the November midterms. The full 50-page report [PDF], released Thursday during a presentation in Washington DC, was put together by the organizers of the DEF CON hacking conference’s Voting Village. It recaps the findings of that village, during which attendees uncovered ways resourceful miscreants could compromise electoral computer systems and change vote tallies. In short, the dossier outlines shortcomings in the electronic voting systems many US districts will use later this year for the midterm elections. The report focuses on vulnerabilities exploitable by scumbags with physical access to the hardware. “The problems outlined in this report are not simply election administration flaws that need to be fixed for efficiency’s sake, but rather serious risks to our critical infrastructure and thus national security,” the report stated. “As our nation’s security is the responsibility of the federal government, Congress needs to codify basic security standards like those developed by local election officials.”
The vulnerabilities in America’s voting systems are “staggering,” a group representing hackers warned lawmakers on Capitol Hill on Thursday — just over a month before the midterm elections. The findings are based on a project at the Voting Village at the Def Con hacking conference held in Las Vegas last month, where hackers were invited to attempt to break into voting machines and other equipment used in elections across the country. The hacking group claims they were able to break into some voting machines in two minutes and that they had the ability to wirelessly reprogram an electronic card used by millions of Americans to activate a voting terminal to cast their ballot. “This vulnerability could be exploited to take over the voting machine on which they vote and cast as many votes as the voter wanted,” the group claims in the report.
Australia: If it ain’t broke, don’t fix it: Australia should stay away from electronic voting | IDM Magazine
The civic experience of interacting with analogue voting interfaces is as Australian as the democracy sausage. Voters are confronted with tiny pencils, plus physical security measures that involve huddling in a cardboard booth and origami-scale folding. The use of paper ballots – and human counting of those ballots – creates one of the most secure electoral systems imaginable. And the Australian tradition provides another sometimes under-recognised component of electoral security: compulsory voting. This practice secures against the voter suppression tactics used to undermine elections in the United States. In the digital era, smartphones are so prevalent that it might seem tempting to move to voting online. In 2013 the Australian Electoral Commission (AEC) explored internet voting. But cyber security experts say: if it ain’t broke, don’t fix it. The problems the US has had with electronic voting provide a perfect illustration of what can go wrong.
National: Lawmakers dismiss ES&S’s claim that spies benefit from election hacking demos | The Washington Post
The nation’s leading voting equipment vendor made the bombastic claim that foreign spies may be infiltrating events where ethical hackers test vulnerabilities in voting machines — such as the Def Con hacking conference that took place this month in Las Vegas — to glean intelligence on how to hack an election. “[F]orums open to anonymous hackers must be viewed with caution, as they may be a green light for foreign intelligence operatives who attend for purposes of corporate and international espionage,” Election Systems and Software wrote in a letter made public Monday to a bipartisan group of lawmakers on the Senate Intelligence Committee. ES&S was responding to bipartisan group of lawmakers on the Senate Intelligence Committee who inquired about the security of the company’s machines after researchers at Def Con discovered new vulnerabilities in voting equipment made by ES&S and other vendors. Yet the company’s response took issue with the idea of testing by independent hackers in the first place: “We believe that exposing technology in these kinds of environments makes hacking elections easier, not harder, and we suspect that our adversaries are paying very close attention.”
Earlier this month, Bianca Lewis, who is eleven years old, was wearing a T-shirt printed with the words “No time for Barbie, there’s hacking to be done” and sitting in front of a computer at the annual Def Con hacking conference, in Las Vegas, meddling with a replica of the Florida Secretary of State’s election Web site. She’d already surreptitiously entered the site’s database through what is known as an SQL injection. “First, you open the site,” she explained, “then you type a few lines of code into the search bar, and you can delete things and change votes. I deleted Trump. I deleted every single vote for him.” Lewis was visiting an event at the conference run by R00tz Asylum, a nonprofit that teaches hacking to kids, where organizers had replicated thirteen Secretary of State Web sites and invited kids to hack them. The day the conference began, as programmers were finishing coding the sites, the National Association of Secretaries of State issued a press release complaining that Def Con “utilizes a pseudo environment which in no way replicates state election systems, networks, or physical security.” That was true enough—these sites were only look-alikes—but they were constructed from data scraped from the actual state sites, and contained known vulnerabilities that had been exploited by hackers in the past. One of the organizers, Jake Braun, rolled his eyes when I asked him about the association’s letter. “It’s totally tone-deaf,” he said. “A nation-state is literally hacking our democracy—wouldn’t you want to take any help you could possibly get? If they don’t think that the Russians are not doing what we’re doing here all year, as opposed to just a weekend, then they are fucking idiots, right?”