National: Kids at hacking conference show how easily US elections could be sabotaged | The Guardian

At the world’s largest hacking conference, there was good news and bad news for fans of free and fair elections. The good news is that hacking the US midterms – actually changing the recorded votes to steal the election for a particular candidate – may be harder than it seems, and most of the political actors who could pose a threat to the validity of an election are hesitant to escalate their attacks that far. The bad news is that it doesn’t really matter. While the actual risk of a hacker seizing thousands of voting machines and altering their records may be remote, the risk of a hacker casting the validity of an election into question through one of any number of other entry points is huge, and the actual difficulty of such an attack is child’s play. Literally.

Editorials: I Just Hacked a State Election. I’m 17. And I’m Not Even a Very Good Hacker. | River O’Connor/Politico

It took me around 10 minutes to crash the upcoming midterm elections. Once I accessed the shockingly simple and vulnerable set of tables that make up the state election board’s database, I was able to shut down the website that would tally the votes, bringing the election to a screeching halt. The data were lost completely. And just like that, tens of thousands of votes vanished into thin air, throwing an entire election, and potentially control of the House or Senate—not to mention our already shaky confidence in the democratic process itself—into even more confusion, doubt, and finger-pointing. I’m 17. And I’m not even a very good hacker. I’ve attended the hacking convention DEF CON in Las Vegas for over five years now, since I was 11 years old. While I have a good conceptual understanding of how cyberspace and the internet work, I’ve taken only a single Python programming class in middle school. When I found out that the Democratic National Committee was hosting a security competition for kids and teens, however, my interest in politics fed into curiosity about how easy it might be to mess with a U.S. election. Despite that limited experience, I understood immediately when I got to Las Vegas this year why the professionals tend to refer to state election security as “child’s play.”

National: How DHS is gearing up to protect the midterms from hackers | CNBC

With all the concern over cybersecurity heading into the midterm elections, it’s actually quite difficult for outsiders to directly manipulate votes. Unlike corporate networks and email systems, voting machines aren’t connected to the internet, making them hard to access. So as government officials prepare for the hotly contested congressional elections in November, their focus is more on protecting the integrity of the systems that support the pre- and post-voting periods than on the ballots themselves. “This is about more than just voting machines,” Jeanette Manfra, the top cybersecurity official at the Department of Homeland Security, told CNBC in an interview on Wednesday. “If an [attacker] was intent on sowing discord, how could they do that? It involves us looking at the broad elections administration process.”

Editorials: Election officials have plenty to learn from hackers | Alex Padilla/The Hill

Every year, DEFCON convenes thousands of hackers who attempt to breach the security of important technologies in an effort to expose vulnerabilities. For the past two years, this has included voting machines in a room dubbed the “Voting Village.”  Rather than watch from the sidelines, or read about the findings in the news, I wanted to see for myself. So, I went to DEFCON. I listened, I observed and I had the opportunity to address attendees. While it’s important to constantly search for and understand the vulnerabilities of any voting system, a unifying message at the conference — from hackers to elections officials alike — is that we must be on alert and Congress must invest more to better secure our elections. Threats to the integrity of our elections are constantly evolving. Not too long ago, a primary focus for election officials was securing voting machines. Today, cyberattack vectors have expanded — and so must our defenses. 

National: Hacking an American Election Is Child’s Play, Just Ask These Kids | Roll Call

In March, Hawaii Democrat Rep. Tulsi Gabbard introduced the Securing America’s Elections Act to require the use of paper ballots as backup in case of alleged election hacking. Now voting advocates are suing Georgia to do the same thing. Some voting systems are so easy to hack a child can do it. Eleven year old Emmett Brewer hacked into a simulation of Florida’s state voting website in less than 10 minutes at the DefCon hacking conference last week in Las Vegas, according to Time. Of the approximately 50 children age 8 to 17 who took part in the Election Voting Hacking Village at DefCon, 30 were able to hack into imitation election websites within three hours, Time reported. The kids were able to rewrite vote tallies so that they totaled as much as 12 billion, and change the names of parties and candidates, according to the Guardian.

National: Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms | Dark Reading

Two 11-year-old budding hackers last week at DEF CON in Las Vegas used SQL injection attack code to break into a replica of the Florida Secretary of State’s website within 15 minutes, altering vote count reports on the site. Meanwhile, further down the hall in the adult Voting Machine Hacking Village at Caesars Palace, one unidentified hacker spent four hours trying to break into a replica database that housed the real, publicly available state of Ohio voter registration roll. He got as far as the secured server — penetrating two layers of firewalls with a Khali Linux pen testing tool — but in the end was unable to grab the data from the database, which included names and birthdates of registered voters. “He got to the secure file server but didn’t know how to write the query to pull the data out,” says Alon Nachmany, solution engineer with Cyberbit, which ran the voter registration database simulation. That he got as close to the data as he did was no small feat, however. “He got very far, but he didn’t have the skill needed to pull the file itself,” Nachmany says.

National: US voting systems: Full of holes, loaded with pop music, and ‘hacked’ by an 11-year-old | The Register

DEF CON Hackers of all ages have been investigating America’s voting machine tech, and the results weren’t great. For instance, one 11-year-old apparently managed to hack and alter a simulated Secretary of State election results webpage in 10 minutes. The Vote Hacking Village, one of the most packed-out locations at this year’s DEF CON hacking conference in Las Vegas, saw many of the most commonly used US voting machines hijacked using a variety of wireless and wired attacks – and replica election websites so poorly constructed they were thought too boring for adults to probe, and left to youngsters to infiltrate. The first day saw 39 kids, ranging in age from six to 17, try to crack into facsimiles of government election results websites, developed by former White House technology advisor Brian Markus. The sites had deliberate security holes for the youngsters to exploit – SQL injection flaws, and similar classic coding cockups. All but four of the children managed to leverage the planted vulnerabilities within the allotted three-hour contest. Thus, it really is child’s play to commandeer a website that doesn’t follow basic secure programming practices nor keep up to date with patches – something that ought to focus the minds of people maintaining election information websites. 

National: State officials bristle as researchers — and kids — at Def Con simulate election hacks | The Washington Post

For the second year in a row, hackers at the Def Con computer security conference in Las Vegas set out to show just how vulnerable U.S. elections are to digital attacks. At one gathering geared for kids under 17, elementary school-aged hackers cracked into replicas of state election websites with apparent ease. At the Def Con Voting Village, a section of the conference that showcased hands-on hacks, security researchers picked apart voting machines and exposed new flaws that could potentially upend a race. And hackers got close to being able to manipulate a heavily-guarded mock voter registration database. But during the weekend-long hack-a-thon, these faux election hackers had a hard time winning over some of the people they wanted to reach most.

National: DEF CON’s Voting Village tests hacker-government collaboration | CyberScoop

The national conversation on election security came into sharp focus Friday at a renowned hacker conference as U.S. officials and security researchers sought common ground in raising awareness of potential vulnerabilities in election equipment. The goal was to have a more transparent conversation about those vulnerabilities without spreading undue public fear about them. The Voting Village at DEF CON in Las Vegas, a room where white-hat hackers could tinker with voting machines and mock voter registration databases, was a high-profile test of that collaboration. “I’m here to learn,” Alex Padilla, California’s secretary of state, said before touring the village in the bowels of Caesars Palace hotel and casino. …  At the village, Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology, stood next to a large ballot-scanner made by Election Systems & Software, one of the country’s biggest voting-equipment vendors. A couple of young researchers were picking the machine apart looking for vulnerabilities and what voting data the old machine might reveal.

National: Pre-Teen Hackers Prove It: The U.S. Election System Simply Isn’t Secure Enough | Futurism

Young kids vs. Dumb Machines: Still not convinced that the U.S. election system is woefully insecure? Chew on this: It took an 11-year-old just 10 minutes to hack a replica of the Florida secretary of state’s website and change its stored election results. The young hacker, Audrey Jones, was one of 39 children between the ages of 8 and 17 to take part in a competition organized by R00tz Asylum, a nonprofit focused on teaching kids white-hat hacking, during annual hacking conference DEFCON. During the one-day R00tz Asylum event, the children set out to infiltrate sites designed to replicate the ones used by 13 battleground states to convey election results to the public (hacking the actual sites would be illegal). All but four of the children succeeded.

National: Hacking the US mid-terms? It’s child’s play | BBC

Bianca Lewis, 11, has many hobbies. She likes Barbie, video games, fencing, singing… and hacking the infrastructure behind the world’s most powerful democracy. “I’m going to try and change the votes for Donald Trump,” she tells me. “I’m going to try to give him less votes. Maybe even delete him off of the whole thing.” Fortunately for the President, Bianca is attacking a replica website, not the real deal. She’s taking part in a competition organised by R00tz Asylum, a non-profit organisation that promotes “hacking for good”. Its aim is to send out a dire warning: the voting systems that will be used across America for the mid-term vote in November are, in many cases, so insecure a young child can learn to hack them with just a few minute’s coaching.

National: Two-Minute Hack Shows How Easy It Is To Gain Admin Access On An Elections Voting Machine | wccftech

Once again at the Defcon cybersecurity conference in Las Vegas on Friday, hackers posed how easy it is to break into the election voting machines. At the conference, officials from the US Department of Homeland security were present to learn about the problems of the election security. Seemingly, there’s another two-minute hack which will allow anyone to physically gain admin access on a voting machine. It’s definitely alarming for the forthcoming elections. So let’s dive in to see some more details on the hack and how it is performed. Rachel Tobac shared a video on Twitter, showing how she gained physical admin access in less than two minutes. It required no tools and the operation does not require any hardcore hacking techniques. At this point, with hacking options as easy as this, these attacks threaten trust in politics and even leadership to a greater scale. These loopholes can possibly allow alterations being made to the final count, which of course, does make a lot of difference.

National: Election officials’ concerns turn to information warfare as hackers gather in Vegas | CNN

As hackers sit down to break into dozens of voting machines here in Las Vegas this weekend, some state and local election officials that have flown in to witness the spectacle at one of the world’s largest hacking conventions are becoming increasingly concerned about another threat to November’s midterm elections: information warfare. Organizers of a “voting village” at the annual Def Con hacker convention have packed a conference room at Caesars Palace with voting machines and have asked civically-curious hackers to wreak havoc. The event, now in its second year, is supposed to demonstrate vulnerabilities in America’s vast election infrastructure. After a few hours on Friday, one hacker was essentially able to turn a voting machine into a jukebox, making it play music and display animations. While such hacks are a cause of concern for election officials, they are increasingly looking beyond the threats against traditional election infrastructure like voting machines and voting databases and more to the threat of disinformation. What, some of them ask, if they fall victim to a coordinated information warfare campaign?

National: Tensions Flare as Hackers Root Out Flaws in Voting Machines | Wall Street Journal

Hackers at the Defcon computer security conference believe they can help prevent manipulation of U.S. elections. Some election officials and makers of voting machines aren’t so sure. That tension was front and center at Defcon’s second-annual Voting Village, where computer hackers are invited to test the security of commonly used election machines. Organizers see the event as an early test of U.S. election security and a counterpunch to potential outside interference. On the first day of the event, which runs through Sunday, hackers were able to swap out software, uncover network plug-ins that shouldn’t have been left working, and uncover other ways for unauthorized actors to manipulate the vote. These hacks can root out weaknesses in voting machines so that vendors will be pressured to patch flaws and states will upgrade to more secure systems, organizers say. … “You want companies to be building more secure products, but at the same time the public doesn’t necessarily know the full picture,” Ms. Manfra said. “If all you are saying is, ‘Look, even a kid can hack into this’, you’re not getting the full story, which can have the impact of having the average voter not understanding what is going on.”

National: Hackers at Def Con break into voting machines to identify security flaws | Tech2

Def Con, one of the world’s largest security conventions, served as a laboratory for breaking into voting machines on 10 August, extending its efforts to identify potential security flaws in technology that may be used in the November US elections.Hackers will continue to probe the systems over the weekend in a bid to discover new vulnerabilities, which could be turned over to voting machine makers to fix.The three-day Las Vegas-based “Voting Village” also aimed to expose security issues in digital poll books and memory-card readers. “These vulnerabilities that will be identified over the course of the next three days would, in an actual election, cause mass chaos,” said Jake Braun, one of the village’s organizers. “They need to be identified and addressed, regardless of the environment in which they are found.”

National: Election officials say money, training needed to improve security | Las Vegas Review-Journal

Regional U.S. election officials attending a hacker conference Friday in Las Vegas said they need more money and training to enhance cybersecurity of their election infrastructure. The thousands of local election officers around the U.S. have neither the cyber-knowledge nor resources to stand up to attacks from adversarial nations and need the support of state and federal governments, they said. But they warned that focusing too much on the vulnerabilities could backfire by undermining citizens’ confidence in the system. “There has never been such a spotlight and emphasis (on election hacking) as there has been since 2016. That is our new reality,’’ California Secretary of State Alex Padilla told an audience attending the annual Defcon computer security conference at Caesars Palace. “If it gets into the mind of anybody that maybe my vote isn’t going to matter, so why should I go vote — that is a form of voter suppression,” he said.

National: US officials hope hackers at Defcon find more voting machine problems | CNET

This election day, US officials are hoping for a vote of confidence on cybersecurity. Hackers at the Defcon cybersecurity conference in Las Vegas on Friday took on voting machines again, after showing how easy it was to break into election machines at last year’s gathering. This time around, officials from the US Department of Homeland Security were on hand to learn directly from hackers who find problems with election security. “We’ve been partners with Defcon for years on a lot of various different issues, so we see a lot of value in doing things like this,” Jeanette Manfra, the DHS’s top cybersecurity official, said at Defcon. In her speech, Manfra invited hackers at Defcon to come find her after to talk more about election security. “We’d love it if you worked for us, we’d love it if you worked with us,” she said.

Florida: An 11-year-old changed election results on a replica Florida state website in under 10 minutes | PBS

An 11-year-old boy on Friday was able to hack into a replica of the Florida state election website and change voting results found there in under 10 minutes during the world’s largest yearly hacking convention, DEFCON 26, organizers of the event said. Thousands of adult hackers attend the convention annually, while this year a group of children attempted to hack 13 imitation websites linked to voting in presidential battleground states. The boy, who was identified by DEFCON officials as Emmett Brewer, accessed a replica of the Florida secretary of state’s website. He was one of about 50 children between the ages of 8 and 16 who were taking part in the so-called “DEFCON Voting Machine Hacking Village,” a portion of which allowed kids the chance to manipulate party names, candidate names and vote count totals.

National: At DEF CON ’18, kids as young as 5 challenged to hack election results websites, voting machines | ABC

At DEF CON, one of the world’s largest hacking conferences, hackers clad in black hoodies made headlines last year when they exposed an array of structural vulnerabilities in voting technology, successfully hacking into every voting machine they attempted to breach. This year’s DEF CON kicks off Friday in Las Vegas, and hackers will again have access to dozens of pieces of equipment — voting machines and pollbooks widely used in U.S. elections, including several models they haven’t previously attempted to crack. Children as young as 5 will compete to hack election results websites, and DEF CON has partnered with children’s hacking organization r00tz Asylum to award prizes to the first and youngest kids to breach the sites and hack equipment.

National: Hackers at convention to ferret out election system bugs | Reuters

Def Con, one of the world’s largest hacker conventions, will serve as a laboratory for breaking into voting machines this week, extending its efforts to identify potential security flaws in technology that may be used in the November U.S. elections.  The three-day “Voting Village,” which opens in Las Vegas on Friday, also aims to expose vulnerabilities in devices such as digital poll books and memory-card readers. Def Con held its first voting village last year after U.S. intelligence agencies concluded the Russian government used hacking in its attempt to support Donald Trump’s 2016 candidacy for president. Moscow has denied the allegations.

National: Def Con steps out of the shadows to fight election cyber threat | Financial Times

Hacking democracy was as easy as abcde. When Carsten Schurmann sat down to hack one of the voting machines used instead of paper ballots in the state of Virginia, he used a simple online tool to discover a flaw in the machine that had been public — and remained unfixed — for 14 years. And he already knew the password, because he had found that on the internet, too. The password was abcde. Wearing a short-sleeved shirt and wire-framed glasses, the Danish computer science professor described how simple it had been to get in to the WINvote machine, after which he was able to tamper with the vote tally. “The machines are all vulnerable,” he said. “I’m not a hacker but I tried the first thing and it worked.”

National: States have a lot of work to do on cybersecurity, and they shouldn’t wait for kids to find the problems | Washington Examiner

Today in Michigan, Ohio, Kansas, Washington, and Missouri, voters head to the polls to vote in primaries. But how safe are state websites with voter information? If you ask the organizers of the kids’ program at DEFCON, the answer is, so unsafe that a kid could probably figure out how to hack it. DEFCON, a top tier cybersecurity conference, has a program for kids called “r00tz,” and this year, part of the agenda is to have them hack replicas of state elections websites. The goal of the event is to both teach the participants basics of hacking, but also scare states into taking action to safeguard web security.

National: Voting-machine makers are already worried about Defcon | Engadget

Last year, Defcon’s Voting Village made headlines for uncovering massive security issues in America’s electronic voting machines. Unsurprisingly, voting-machine makers are working to prevent a repeat performance at this year’s show. According to Voting Village organizers, they’re having a tough time getting their hands on machines for white-hat hackers to test at the next Defcon event in Las Vegas (held in August). That’s because voting-machine makers are scrambling to get the machines off eBay and keep them out of the hands of the “good guy” hackers. Village co-organizer Harri Hursti told attendees at the Shmoocon hacking conference this month they were having a hard time preparing for this year’s show, in part because voting machine manufacturers sent threatening letters to eBay resellers. The intimidating missives told auctioneers that selling the machines is illegal — which is false.

National: DEF CON Voting Village grows this year | POLITICO

Black Hat and DEF CON are just around the corner, and one of the biggest headlines from last year’s conferences was the Voting Village where hackers broke into voting machines en masse. This year’s Voting Village at DEF CON will be three times the size of last year’s event to accommodate the massive demand from 2017, event organizer Harri Hursti told Tim. But it wasn’t easy to get to that point: Hursti said voting machine vendors unhappy with the publicity about hacked equipment threw up hurdles that forced them to get creative, like visiting government auctions to buy equipment to probe.

National: Voting-machine makers are already worried about Defcon | Endgadget

Last year, Defcon’s Voting Village made headlines for uncovering massive security issues in America’s electronic voting machines. Unsurprisingly, voting-machine makers are working to prevent a repeat performance at this year’s show. According to Voting Village organizers, they’re having a tough time getting their hands on machines for white-hat hackers to test at the next Defcon event in Las Vegas (held in August). That’s because voting-machine makers are scrambling to get the machines off eBay and keep them out of the hands of the “good guy” hackers. Village co-organizer Harri Hursti told attendees at the Shmoocon hacking conference this month they were having a hard time preparing for this year’s show, in part because voting machine manufacturers sent threatening letters to eBay resellers. The intimidating missives told auctioneers that selling the machines is illegal — which is false. 

National: Hackers to Help Make Voting Machines Safe Again | CPO Magazine

Following the recent declaration by the U.S. National Security Agency that Russian hackers tried to infiltrate the electronic voting machines used in the last U.S. presidential election, many people are calling for a lot of things especially for the electronic voting machines to be scrapped. Although the Russians did not succeed, more questions are still left on the table. U.S. senators looking for answers have constituted a committee and is hoping to pass a bipartisan bill called the Securing America’s Voting Equipment (SAVE) Act. The bill will enlist help from the Department of Homeland Security to organize an event like the one held at the DEFCON hackers conference in July, themed the “Voting Machine Hacking Village.”

National: The fix is in for hackable voting machines: use paper | Naked Security

Want better security of election voting results? Use paper. With the US almost halfway between the last national election and the 2018 mid-terms, not nearly enough has been done yet to improve the demonstrated insecurity of current electronic voting systems. Multiple experts say one obvious, fundamental move should be to ensure there is a paper trail for every vote. That was a major recommendation at a panel discussion this past week that included representatives of the hacker conference DefCon and the Atlantic Council think tank, which concluded that while there is progress, it is slow.

National: DEFCON hopes voting machine hacking can secure systems | TechTarget

A new report pushes recommendations based on the research done into voting machine hacking at DEFCON 25, including basic cybersecurity guidelines, collaboration with local officials and an offer of free voting machine penetration testing. It took less than an hour for hackers to break into the first voting machine at the DEFCON conference in July. This week, DEFCON organizers released a new report that details the results from the Voting Village and the steps needed to ensure election security in the future. Douglas Lute, former U.S. ambassador to NATO and retired U.S. Army lieutenant general, wrote in the report that “last year’s attack on America’s voting process is as serious a threat to our democracy as any I have ever seen in the last 40+ years – potentially more serious than any physical attack on our Nation. Loss of life and damage to property are tragic, but we are resilient and can recover. Losing confidence in the security of our voting process — the fundamental link between the American people and our government — could be much more damaging,” Lute wrote. “In short, this is a serious national security issue that strikes at the core of our democracy.”

National: Voting Machines: A National Security Vulnerability? | Atlantic Council

The political instability that has resulted from Russian meddling in the 2016 US presidential elections has put the focus on voting machines as a national security vulnerability, Douglas Lute, a former US permanent representative to NATO, said at the Atlantic Council on October 10. “I don’t think I’ve seen a more severe threat to American national security than the election hacking experience of 2016,” said Lute. There is a “fundamental democratic connection between the individual voter and the democratic outcome” of an election, he said, adding: “If you can undermine that, you don’t need to attack America with planes and ships. You can attack democracy from the inside.” … Lute delivered a keynote address at the Atlantic Council to call for a sense of urgency among policymakers and all stakeholders able to play a role in the solution to insecure voting machines. He also highlighted the findings presented in the DEF CON Report on Cyber Vulnerabilities in US Election Equipment, Databases, and Infrastructure, launched at the Council, which help to shed light on the technological dimensions of this national security threat. Ultimately, as Lute writes in the foreword, “this report makes one key point: our voting systems are not secure.”

National: Report details election vulnerabilities uncovered at DEFCON | GCN

When attendees at the July DEFCON conference breached every poll book and voting machine that event organizers had in the Voting Machine Hacking Village, elections officials took notice. A new report from DEFCON, the National Governors Association, the Atlantic Council, the Center for Internet Security and a number of universities and top technology vendors provides a more detailed look at just how vulnerable the entire U.S. election system – equipment, databases and infrastructure —  is to hacking and urges policymakers to shore up security gaps. Vulnerabilities start with an insecure supply chain. Many parts used in voting machines are manufactured overseas, and the report authors suggested that bad actors could compromise the equipment “well before that voting machine rolls off the production line.” Voting Village participants found voting machines with universal default passwords and ones that broadcast their own Wi-Fi access point, which would allow hackers to connect. Once hackers gained access, they could escalate their privileges so they could run code, change votes in the database or turn the machine off remotely. Additionally, unprotected, uncovered USB ports provided easy inputs for thumb drives or keyboards.