DEF CON

Tag Archive

National: 5 Risks We Face with E-Voting Technology | Techspective

Technology brings with it a number of conveniences, but it also opens up opportunities for scammers and hackers to take advantage of people through tech fraud. That crime involves using technology in a variety of possible ways to mislead people, steal data, shut down systems and more. Increasingly over the past several years, tech fraud has influenced voter fraud, which also manifests in many ways. People may use fake information at the polls, try to vote more than once or otherwise wrongfully attempt to swing votes in a certain direction. Unfortunately, e-voting could facilitate both tech fraud and election fraud if the platforms aren’t sufficiently locked down.

Full Article: 5 Risks We Face with E-Voting Technology.

Australia: E-voting systems are still too vulnerable to be feasible for Australia | Tech Wire Asia

Voting in Australia has long followed the same formula – use pencils to mark on a piece of paper behind a cardboard booth, then fold said paper and slot it into a box. For years, having humans manually count paper ballots has created an electoral system that is deemed highly secure and tamper-resistant. Compulsory voting in the country has helped secure against suppression tactics that have affected elections in the US and the UK. In the digital age, it is tempting to move voting online; the Australian Electoral Commission (AEC) tried dabbling in e-voting in 2013. However, experts warned that e-voting brings more harm than good. The trouble of electronic voting has been in the spotlight for the past few years at DefCon, the world’s largest hacker conference taking place annually in the US, where hackers have been showcasing vulnerabilities in US election equipment, databases, and infrastructure. In fact, this year an 11-year-old managed to hack into replica websites to manipulate vote tallies in just 10 minutes.

Full Article: E-voting systems are still too vulnerable to be feasible for Australia.

National: Def Con researchers came to Washington to poke holes in voting machine security | The Washington Post

Not long ago, lawmakers might have been wary about showcasing the work of hackers who specialize in penetrating voting equipment. But on Thursday, organizers from the Def Con Voting Village — a collection of security researchers who hack election systems in hopes of making them more secure — received a warm welcome on Capitol Hill. The organizers were in town to unveil a new report identifying vulnerabilities in several widely used voting machines they tested during the Def Con hacking conference in Las Vegas over the summer, including a flaw in a vote tabulator that could allow a malicious actor to hack it remotely. They presented their findings in a meeting hosted by Rep. Jackie Speier (D-Calif.) and attended by staffers from the offices of Sen. Amy Klobuchar (D-Minn.), who is sponsoring an election security bill, and several other Democrats. The event highlights how the cybersecurity experts behind the Voting Village, which is only in its second year, are reaching beyond the niche and often apolitical community of Def Con in hopes of influencing the debate over how to secure the country’s election systems. The issue has received a wave of new attention since the 2016 election, when Russian hackers probed election administration systems in 21 states. 

Full Article: The Cybersecurity 202: Def Con researchers came to Washington to poke holes in voting machine security - The Washington Post.

National: Voting Machines Are Still Absurdly At Risk | WIRED

While Russian interference operations in the 2016 US presidential elections focused on misinformation and targeted hacking, officials have scrambled ever since to shore up the nation’s vulnerable election infrastructure. New research, though, shows they haven’t done nearly enough, particularly when it comes to voting machines. The report details vulnerabilities in seven models of voting machines and vote counters, found during the DefCon security conference’s Voting Village event. All of the models are in active use around the US, and the vulnerabilities—from weak password protections to elaborate avenues for remote access—number in the dozens. The findings also connect to larger efforts to safeguard US elections, including initiatives to expand oversight of voting machine vendors and efforts to fund state and local election security upgrades.

Full Article: Voting Machines Are Still Absurdly At Risk | WIRED.

National: Defcon Voting Village report: bug in one system could “flip Electoral College” | Ars Technica

Today, six prominent information-security experts who took part in DEF CON’s Voting Village in Las Vegas last month issued a report on vulnerabilities they had discovered in voting equipment and related computer systems. One vulnerability they discovered—in a high-speed vote-tabulating system used to count votes for entire counties in 23 states—could allow an attacker to remotely hijack the system over a network and alter the vote count, changing results for large blocks of voters. “Hacking just one of these machines could enable an attacker to flip the Electoral College and determine the outcome of a presidential election,” the authors of the report warned.

Full Article: Defcon Voting Village report: bug in one system could “flip Electoral College” | Ars Technica.

National: DEF CON hackers’ dossier on US voting machine security is just as grim as feared | The Register

Hackers probing America’s electronic voting systems have painted an astonishing picture of the state of US election security, less than six weeks before the November midterms. The full 50-page report [PDF], released Thursday during a presentation in Washington DC, was put together by the organizers of the DEF CON hacking conference’s Voting Village. It recaps the findings of that village, during which attendees uncovered ways resourceful miscreants could compromise electoral computer systems and change vote tallies. In short, the dossier outlines shortcomings in the electronic voting systems many US districts will use later this year for the midterm elections. The report focuses on vulnerabilities exploitable by scumbags with physical access to the hardware. “The problems outlined in this report are not simply election administration flaws that need to be fixed for efficiency’s sake, but rather serious risks to our critical infrastructure and thus national security,” the report stated. “As our nation’s security is the responsibility of the federal government, Congress needs to codify basic security standards like those developed by local election officials.”

Full Article: DEF CON hackers' dossier on US voting machine security is just as grim as feared • The Register.

National: Hackers warn about election security ahead of midterms | CNN

The vulnerabilities in America’s voting systems are “staggering,” a group representing hackers warned lawmakers on Capitol Hill on Thursday — just over a month before the midterm elections. The findings are based on a project at the Voting Village at the Def Con hacking conference held in Las Vegas last month, where hackers were invited to attempt to break into voting machines and other equipment used in elections across the country. The hacking group claims they were able to break into some voting machines in two minutes and that they had the ability to wirelessly reprogram an electronic card used by millions of Americans to activate a voting terminal to cast their ballot. “This vulnerability could be exploited to take over the voting machine on which they vote and cast as many votes as the voter wanted,” the group claims in the report.

Full Article: Hackers warn about election security ahead of midterms - WISC.

Australia: If it ain’t broke, don’t fix it: Australia should stay away from electronic voting | IDM Magazine

The civic experience of interacting with analogue voting interfaces is as Australian as the democracy sausage. Voters are confronted with tiny pencils, plus physical security measures that involve huddling in a cardboard booth and origami-scale folding. The use of paper ballots – and human counting of those ballots – creates one of the most secure electoral systems imaginable. And the Australian tradition provides another sometimes under-recognised component of electoral security: compulsory voting. This practice secures against the voter suppression tactics used to undermine elections in the United States. In the digital era, smartphones are so prevalent that it might seem tempting to move to voting online. In 2013 the Australian Electoral Commission (AEC) explored internet voting. But cyber security experts say: if it ain’t broke, don’t fix it. The problems the US has had with electronic voting provide a perfect illustration of what can go wrong. Every year hackers and cyber security experts from across the globe converge “In Real Life” (IRL) on Las Vegas to attend one of the world’s largest and longest-running annual hacker conventions: DefCon.

Full Article: If it ain't broke, don't fix it: Australia should stay away from electronic voting | IDM Magazine.

National: Lawmakers dismiss ES&S’s claim that spies benefit from election hacking demos | The Washington Post

The nation’s leading voting equipment vendor made the bombastic claim that foreign spies may be infiltrating events where ethical hackers test vulnerabilities in voting machines — such as the Def Con hacking conference that took place this month in Las Vegas — to glean intelligence on how to hack an election. “[F]orums open to anonymous hackers must be viewed with caution, as they may be a green light for foreign intelligence operatives who attend for purposes of corporate and international espionage,” Election Systems and Software wrote in a letter made public Monday to a bipartisan group of lawmakers on the Senate Intelligence Committee. ES&S was responding to a bipartisan group of lawmakers on the Senate Intelligence Committee who inquired about the security of the company’s machines after researchers at Def Con discovered new vulnerabilities in voting equipment made by ES&S and other vendors. Yet the company’s response took issue with the idea of testing by independent hackers in the first place: “We believe that exposing technology in these kinds of environments makes hacking elections easier, not harder, and we suspect that our adversaries are paying very close attention.”

Full Article: The Cybersecurity 202: Lawmakers dismiss voting machine maker's claim that spies benefit from election hacking demos - The Washington Post.

National: Election-Hacking Lessons from the 2018 Def Con Hackers Conference | The New Yorker

Earlier this month, Bianca Lewis, who is eleven years old, was wearing a T-shirt printed with the words “No time for Barbie, there’s hacking to be done” and sitting in front of a computer at the annual Def Con hacking conference, in Las Vegas, meddling with a replica of the Florida Secretary of State’s election Web site. She’d already surreptitiously entered the site’s database through what is known as an SQL injection. “First, you open the site,” she explained, “then you type a few lines of code into the search bar, and you can delete things and change votes. I deleted Trump. I deleted every single vote for him.” Lewis was visiting an event at the conference run by R00tz Asylum, a nonprofit that teaches hacking to kids, where organizers had replicated thirteen Secretary of State Web sites and invited kids to hack them. The day the conference began, as programmers were finishing coding the sites, the National Association of Secretaries of State issued a press release complaining that Def Con “utilizes a pseudo environment which in no way replicates state election systems, networks, or physical security.” That was true enough—these sites were only look-alikes—but they were constructed from data scraped from the actual state sites, and contained known vulnerabilities that had been exploited by hackers in the past. One of the organizers, Jake Braun, rolled his eyes when I asked him about the association’s letter. “It’s totally tone-deaf,” he said. “A nation-state is literally hacking our democracy—wouldn’t you want to take any help you could possibly get? If they don’t think that the Russians are not doing what we’re doing here all year, as opposed to just a weekend, then they are fucking idiots, right?”

Full Article: Election-Hacking Lessons from the 2018 Def Con Hackers Conference | The New Yorker.

National: Kids at hacking conference show how easily US elections could be sabotaged | The Guardian

At the world’s largest hacking conference, there was good news and bad news for fans of free and fair elections. The good news is that hacking the US midterms – actually changing the recorded votes to steal the election for a particular candidate – may be harder than it seems, and most of the political actors who could pose a threat to the validity of an election are hesitant to escalate their attacks that far. The bad news is that it doesn’t really matter. While the actual risk of a hacker seizing thousands of voting machines and altering their records may be remote, the risk of a hacker casting the validity of an election into question through one of any number of other entry points is huge, and the actual difficulty of such an attack is child’s play. Literally.

Full Article: Kids at hacking conference show how easily US elections could be sabotaged | Technology | The Guardian.

Editorials: I Just Hacked a State Election. I’m 17. And I’m Not Even a Very Good Hacker. | River O’Connor/Politico

It took me around 10 minutes to crash the upcoming midterm elections. Once I accessed the shockingly simple and vulnerable set of tables that make up the state election board’s database, I was able to shut down the website that would tally the votes, bringing the election to a screeching halt. The data were lost completely. And just like that, tens of thousands of votes vanished into thin air, throwing an entire election, and potentially control of the House or Senate—not to mention our already shaky confidence in the democratic process itself—into even more confusion, doubt, and finger-pointing. I’m 17. And I’m not even a very good hacker. I’ve attended the hacking convention DEF CON in Las Vegas for over five years now, since I was 11 years old. While I have a good conceptual understanding of how cyberspace and the internet work, I’ve taken only a single Python programming class in middle school. When I found out that the Democratic National Committee was hosting a security competition for kids and teens, however, my interest in politics fed into curiosity about how easy it might be to mess with a U.S. election. Despite that limited experience, I understood immediately when I got to Las Vegas this year why the professionals tend to refer to state election security as “child’s play.”

Full Article: I Just Hacked a State Election. I’m 17. And I’m Not Even a Very Good Hacker. - POLITICO Magazine.

National: How DHS is gearing up to protect the midterms from hackers | CNBC

With all the concern over cybersecurity heading into the midterm elections, it’s actually quite difficult for outsiders to directly manipulate votes. Unlike corporate networks and email systems, voting machines aren’t connected to the internet, making them hard to access. So as government officials prepare for the hotly contested congressional elections in November, their focus is more on protecting the integrity of the systems that support the pre- and post-voting periods than on the ballots themselves. “This is about more than just voting machines,” Jeanette Manfra, the top cybersecurity official at the Department of Homeland Security, told CNBC in an interview on Wednesday. “If an [attacker] was intent on sowing discord, how could they do that? It involves us looking at the broad elections administration process.”

Full Article: How DHS is gearing up to protect the midterms from hackers.

Editorials: Election officials have plenty to learn from hackers | Alex Padilla/The Hill

Every year, DEFCON convenes thousands of hackers who attempt to breach the security of important technologies in an effort to expose vulnerabilities. For the past two years, this has included voting machines in a room dubbed the “Voting Village.”  Rather than watch from the sidelines, or read about the findings in the news, I wanted to see for myself. So, I went to DEFCON. I listened, I observed and I had the opportunity to address attendees. While it’s important to constantly search for and understand the vulnerabilities of any voting system, a unifying message at the conference — from hackers to elections officials alike — is that we must be on alert and Congress must invest more to better secure our elections. Threats to the integrity of our elections are constantly evolving. Not too long ago, a primary focus for election officials was securing voting machines. Today, cyberattack vectors have expanded — and so must our defenses. 

Full Article: Election officials have plenty to learn from hackers | TheHill.

National: Hacking an American Election Is Child’s Play, Just Ask These Kids | Roll Call

In March, Hawaii Democrat Rep. Tulsi Gabbard introduced the Securing America’s Elections Act to require the use of paper ballots as backup in case of alleged election hacking. Now voting advocates are suing Georgia to do the same thing. Some voting systems are so easy to hack a child can do it. Eleven-year-old Emmett Brewer hacked into a simulation of Florida’s state voting website in less than 10 minutes at the DefCon hacking conference last week in Las Vegas, according to Time. Of the approximately 50 children age 8 to 17 who took part in the Election Voting Hacking Village at DefCon, 30 were able to hack into imitation election websites within three hours, Time reported. The kids were able to rewrite vote tallies so that they totaled as much as 12 billion, and change the names of parties and candidates, according to the Guardian.

Full Article: Hacking an American Election Is Child’s Play, Just Ask These Kids.

National: Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms | Dark Reading

Two 11-year-old budding hackers last week at DEF CON in Las Vegas used SQL injection attack code to break into a replica of the Florida Secretary of State’s website within 15 minutes, altering vote count reports on the site. Meanwhile, further down the hall in the adult Voting Machine Hacking Village at Caesars Palace, one unidentified hacker spent four hours trying to break into a replica database that housed the real, publicly available state of Ohio voter registration roll. He got as far as the secured server — penetrating two layers of firewalls with a Kali Linux pen testing tool — but in the end was unable to grab the data from the database, which included names and birthdates of registered voters. “He got to the secure file server but didn’t know how to write the query to pull the data out,” says Alon Nachmany, solution engineer with Cyberbit, which ran the voter registration database simulation. That he got as close to the data as he did was no small feat, however. “He got very far, but he didn’t have the skill needed to pull the file itself,” Nachmany says.

Full Article: Election Websites, Back-End Systems Most at Risk of ....

National: US voting systems: Full of holes, loaded with pop music, and ‘hacked’ by an 11-year-old | The Register

DEF CON Hackers of all ages have been investigating America’s voting machine tech, and the results weren’t great. For instance, one 11-year-old apparently managed to hack and alter a simulated Secretary of State election results webpage in 10 minutes. The Vote Hacking Village, one of the most packed-out locations at this year’s DEF CON hacking conference in Las Vegas, saw many of the most commonly used US voting machines hijacked using a variety of wireless and wired attacks – and replica election websites so poorly constructed they were thought too boring for adults to probe, and left to youngsters to infiltrate. The first day saw 39 kids, ranging in age from six to 17, try to crack into facsimiles of government election results websites, developed by former White House technology advisor Brian Markus. The sites had deliberate security holes for the youngsters to exploit – SQL injection flaws, and similar classic coding cockups. All but four of the children managed to leverage the planted vulnerabilities within the allotted three-hour contest. Thus, it really is child’s play to commandeer a website that doesn’t follow basic secure programming practices nor keep up to date with patches – something that ought to focus the minds of people maintaining election information websites. 

Full Article: US voting systems: Full of holes, loaded with pop music, and 'hacked' by an 11-year-old • The Register.

National: State officials bristle as researchers — and kids — at Def Con simulate election hacks | The Washington Post

For the second year in a row, hackers at the Def Con computer security conference in Las Vegas set out to show just how vulnerable U.S. elections are to digital attacks. At one gathering geared for kids under 17, elementary school-aged hackers cracked into replicas of state election websites with apparent ease. At the Def Con Voting Village, a section of the conference that showcased hands-on hacks, security researchers picked apart voting machines and exposed new flaws that could potentially upend a race. And hackers got close to being able to manipulate a heavily-guarded mock voter registration database. But during the weekend-long hack-a-thon, these faux election hackers had a hard time winning over some of the people they wanted to reach most.

Full Article: The Cybersecurity 202: State officials bristle as researchers -- and kids -- at Def Con simulate election hacks - The Washington Post.

National: DEF CON’s Voting Village tests hacker-government collaboration | CyberScoop

The national conversation on election security came into sharp focus Friday at a renowned hacker conference as U.S. officials and security researchers sought common ground in raising awareness of potential vulnerabilities in election equipment. The goal was to have a more transparent conversation about those vulnerabilities without spreading undue public fear about them. The Voting Village at DEF CON in Las Vegas, a room where white-hat hackers could tinker with voting machines and mock voter registration databases, was a high-profile test of that collaboration. “I’m here to learn,” Alex Padilla, California’s secretary of state, said before touring the village in the bowels of Caesars Palace hotel and casino. …  At the village, Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology, stood next to a large ballot-scanner made by Election Systems & Software, one of the country’s biggest voting-equipment vendors. A couple of young researchers were picking the machine apart looking for vulnerabilities and what voting data the old machine might reveal.

Full Article: DEF CON’s Voting Village tests hacker-government collaboration.

National: Pre-Teen Hackers Prove It: The U.S. Election System Simply Isn’t Secure Enough | Futurism

Young kids vs. Dumb Machines: Still not convinced that the U.S. election system is woefully insecure? Chew on this: It took an 11-year-old just 10 minutes to hack a replica of the Florida secretary of state’s website and change its stored election results. The young hacker, Audrey Jones, was one of 39 children between the ages of 8 and 17 to take part in a competition organized by R00tz Asylum, a nonprofit focused on teaching kids white-hat hacking, during annual hacking conference DEFCON. During the one-day R00tz Asylum event, the children set out to infiltrate sites designed to replicate the ones used by 13 battleground states to convey election results to the public (hacking the actual sites would be illegal). All but four of the children succeeded.

Full Article: Pre-Teen Hackers Prove It: The U.S. Election System Simply Isn’t Secure Enough.