Georgia: Voter records exposure raises election security concerns | SC Magazine

Despite Georgia Secretary of State Brian Kemp’s contentions that reports questioning the security of the state’s election systems are fake news, a breach discovered in 2016 exposed the records of more than six million George voters, according to a lawsuit. “The data was open to anyone in the world who had an internet connection,” said Marilyn Marks, executive director of the Coalition for Good Governance, one of the plaintiffs in the suit cited by CNN. “Even when confronted with a security disaster, she noted, Kemp, who’s currently running at a GOP gubernatorial candidate, blamed “managers under his supervision for their incompetence and [left] the security disaster without so much as a forensic review of the impacts of the security failures.”

Georgia: Concerns over Georgia’s election security grow | WGCL

Concerns over Georgia’s election security are growing as November’s election draws closer. To advocate for you, we asked for a sit-down with the man running Fulton County’s elections. CBS46 obtained new details about the extent of suspected Russian probing of some of Fulton County’s website, and what going to paper ballots might really entail. Robert Mueller’s indictment of a dozen Russians fueled the fire. “I think the Russians were mostly focused on public opinion through social media,” said Richard Barron, the Fulton County director of registration and elections. Still, court documents reveal several Russian operatives checked out websites for Georgia and, specifically, Fulton and Cobb counties. Since we’re advocating for transparency, we wanted to find out what that really means.

National: Researchers show how to alter emailed ballots in use in 30 states | McClatchy

Top computer researchers gave a startling presentation recently about how to intercept and switch votes on emailed ballots, but officials in the 30 or so states said the ease with which votes could be changed wouldn’t alter their plans to continue offering electronic voting in some fashion. Two states — Washington and Alaska — have ended their statewide online voting systems. The developments, amid mounting fears that Russians or others will try to hack the 2018 midterm elections, could heighten pressure on officials on other U.S. states to reconsider their commitment to online voting despite repeated admonitions from cybersecurity experts. But a McClatchy survey of election officials in a number of states that permit military and overseas voters to send in ballots by email or fax — including Alabama, Kansas, Missouri, North Carolina, South Carolina and Texas — produced no immediate signs that any will budge on the issue. Some chief election officers are handcuffed from making changes, even in the name of security, by state laws permitting email and fax voting. … Researchers at the DefCon convention were sharply critical of any sort of electronic voting, including voting by smartphone, which will occur for the first time in November. West Virginia announced last week that it will allow military personnel posted overseas and registered to vote in West Virginia to vote via smartphone in the Nov. 6 election, using an app created by Voatz, a Boston-based startup.

National: Research shows gap in House, Senate candidates’ website security | CyberScoop

Nearly 30 percent of House of Representatives candidates have significant security issues in their websites compared to less than 5 percent of Senate candidates, according to new research. The disparity underscores the challenge that smaller, resource-strapped campaigns have in making themselves less vulnerable to hacking. About 3 in 10 House candidate websites scanned by election-security expert Joshua Franklin and his research team were not using important security protocols for routing data or had a major certificate issue. The scans, most of which took place in June, covered the websites of more than 500 House candidates and nearly 100 Senate candidates. “The House has significantly more candidates running and that provides more opportunities for security errors,” Franklin told CyberScoop. He presented his findings at the DEF CON conference in Las Vegas. The major political parties’ Senate candidates also tend to be more experienced on the campaign trail and have bigger staffs for those statewide races.

National: US voting systems: Full of holes, loaded with pop music, and ‘hacked’ by an 11-year-old | The Register

DEF CON Hackers of all ages have been investigating America’s voting machine tech, and the results weren’t great. For instance, one 11-year-old apparently managed to hack and alter a simulated Secretary of State election results webpage in 10 minutes. The Vote Hacking Village, one of the most packed-out locations at this year’s DEF CON hacking conference in Las Vegas, saw many of the most commonly used US voting machines hijacked using a variety of wireless and wired attacks – and replica election websites so poorly constructed they were thought too boring for adults to probe, and left to youngsters to infiltrate. The first day saw 39 kids, ranging in age from six to 17, try to crack into facsimiles of government election results websites, developed by former White House technology advisor Brian Markus. The sites had deliberate security holes for the youngsters to exploit – SQL injection flaws, and similar classic coding cockups. All but four of the children managed to leverage the planted vulnerabilities within the allotted three-hour contest. Thus, it really is child’s play to commandeer a website that doesn’t follow basic secure programming practices nor keep up to date with patches – something that ought to focus the minds of people maintaining election information websites. 

National: Hacking competitions help the military; they could secure elections too | Washington Examiner

Public-facing websites and services used by the Marine Corps were targeted by hackers over the weekend – but that was part of the plan. To help identify vulnerabilities In the Marine Corps Enterprise Network, the Department of Defense and HackerOne, a service that runs crowd-sourced security testing, launched Hack the Marine Corps, a “bug bounty program” that pays hackers to identify and report vulnerabilities. As the United States faces increasing cybersecurity threats, programs such as Hack the Marine Corps are a great way to identify and fix potential problems before they really do become damaging security breaches. Hack the Marine Corps has already been successful. The program kicked off with a live event in Las Vegas with nearly 100 ethical hackers who, during the nine-hour event, identified 75 unique security vulnerabilities. True to the idea of “bug bounty,” the Marine Corps shelled out more than $80,000 to those who had identified problems.

National: Fears of Voting Machine Hacking Erupts as an Issue in US Election | Coda Story

The potential for Russian hacking of election systems in the 2018 midterm elections has emerged as an urgent and destabilizing issue in the run-up to the U.S. elections. State and local election officials are accused of mismanagement and a lack of focus on the dangers of election systems hacking. Five U.S. states rely on outdated electronic voting systems with no paper trail, according to The Guardian, which also reported that eight more states will be using antiquated systems vulnerable to Russian cyberattack over at least part of their territory in the upcoming November elections.

Georgia: 6 million Georgia voters’ records exposed: ‘Could have easily been compromised’ | CNN

Georgia’s shotgun-toting, Trump-style Republican candidate for governor Brian Kemp has sought to assure voters that his state’s election system is secure and that any allegations to the contrary are “fake news.” But Kemp, who is also the secretary of state in charge of Georgia’s elections, is now being accused in a federal lawsuit of failing to secure his state’s voting system and allowing a massive breach that exposed voter records and other sensitive election information. The allegations in the lawsuit come as the subject of election security has come into focus nationally, particularly as the November’s midterm elections approach. The suit describes how a private researcher discovered the records of more than 6 million registered Georgia voters, password files and encryption keys could be accessed online by anyone looking. Days after the lawsuit was filed, technicians erased the hard drives of the server in question.

National: State officials bristle as researchers — and kids — at Def Con simulate election hacks | The Washington Post

For the second year in a row, hackers at the Def Con computer security conference in Las Vegas set out to show just how vulnerable U.S. elections are to digital attacks. At one gathering geared for kids under 17, elementary school-aged hackers cracked into replicas of state election websites with apparent ease. At the Def Con Voting Village, a section of the conference that showcased hands-on hacks, security researchers picked apart voting machines and exposed new flaws that could potentially upend a race. And hackers got close to being able to manipulate a heavily-guarded mock voter registration database. But during the weekend-long hack-a-thon, these faux election hackers had a hard time winning over some of the people they wanted to reach most.

National: Why US elections remain ‘dangerously vulnerable’ to cyber-attacks | The Guardian

Sixteen months ago, Marilyn Marks was just another political junkie watching a high-profile congressional election on her laptop when she saw something she found abnormal and alarming. The date was 18 April 2017, and the election was in Georgia’s sixth congressional district, where the Democrats were hoping to pull off an upset victory against a crowded Republican field in the wake of Tom Price’s (short-lived) elevation to the Trump cabinet as health and human services secretary. By mid-evening, Jon Ossoff, the leading Democrat, had 50.3% of the vote, enough to win outright without the need for a run-off against his closest Republican challenger. Then Marks noticed that the number of precincts reporting in Fulton County, encompassing the heart of Atlanta, was going down instead of up. Soon after, the computers crashed. Election officials later blamed a “rare error” with a memory card that didn’t properly upload its vote tallies. When the count resumed more than an hour later, Ossoff was suddenly down to 48.6% and ended up at 48.1%. (He lost in the run-off to Republican Karen Handel.)

National: DEF CON’s Voting Village tests hacker-government collaboration | CyberScoop

The national conversation on election security came into sharp focus Friday at a renowned hacker conference as U.S. officials and security researchers sought common ground in raising awareness of potential vulnerabilities in election equipment. The goal was to have a more transparent conversation about those vulnerabilities without spreading undue public fear about them. The Voting Village at DEF CON in Las Vegas, a room where white-hat hackers could tinker with voting machines and mock voter registration databases, was a high-profile test of that collaboration. “I’m here to learn,” Alex Padilla, California’s secretary of state, said before touring the village in the bowels of Caesars Palace hotel and casino. …  At the village, Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology, stood next to a large ballot-scanner made by Election Systems & Software, one of the country’s biggest voting-equipment vendors. A couple of young researchers were picking the machine apart looking for vulnerabilities and what voting data the old machine might reveal.

National: Pre-Teen Hackers Prove It: The U.S. Election System Simply Isn’t Secure Enough | Futurism

Young kids vs. Dumb Machines: Still not convinced that the U.S. election system is woefully insecure? Chew on this: It took an 11-year-old just 10 minutes to hack a replica of the Florida secretary of state’s website and change its stored election results. The young hacker, Audrey Jones, was one of 39 children between the ages of 8 and 17 to take part in a competition organized by R00tz Asylum, a nonprofit focused on teaching kids white-hat hacking, during annual hacking conference DEFCON. During the one-day R00tz Asylum event, the children set out to infiltrate sites designed to replicate the ones used by 13 battleground states to convey election results to the public (hacking the actual sites would be illegal). All but four of the children succeeded.

National: 4 House Intel members offer election security bill | FCW

A Senate proposal to secure the U.S. election system has a companion bill in the House and a prominent Republican co-sponsor. A bipartisan group of four lawmakers on the House Intelligence Committee have introduced a House version of the Secure Elections Act, which would authorize block grants for states to upgrade voting machines and other equipment, allow the Department of Homeland Security to more quickly share election cybersecurity threat information with state and local governments and streamline the security clearance process for state and local election officials.

Florida: Reports of election site hacking rankle Florida officials | Associated Press

Child’s play or a signs of a serious security problem in one of the nation’s swing states? That’s the question confronting Florida election officials who are pushing back against reports that an 11-year-old hacked a replica of the state’s election website. Multiple media outlets over the weekend reported that children at a hacking conference in Las Vegas were able to easily hack into a version of the website that reports election results to the public. An 11-year-old boy got into Florida’s site within 10 minutes, while an 11-year-old girl did it in 15 minutes, according to the organizers of the event called DEFCON Voting Machine Hacking Village. …  Florida’s election website that displays results is not connected to the actual local election systems responsible for tabulating votes. Instead, on election night supervisors upload unofficial results to state officials through a completely different network.

Ohio: Counties Consider Move from Electronic to Paper Voting Systems | Government Technology

A new generation of voting machines may soon be on the way thanks to a bill signed by Gov. John Kasich, which will allow $114.5 million to be distributed among Ohio’s 88 counties. “New” generation, however, may mean taking a step back in time. Voters in 41 counties, including Butler, Montgomery and Greene, have been using direct-recording electronic voting machines, or DREs, which requires the use of a touchscreen. But now, more counties are considering using paper ballots, as no DRE machine is currently certified for use in Ohio. That leaves many counties looking at a switch to paper ballots and optical-scanning equipment to count ballots, or hybrid systems coming at more than twice the price that employ touchscreens to mark a paper ballot. “I know people think that’s going backwards,” Butler County Board of Elections Director Diane Noonan said. “But you have to look at these machines and understand that paper is not what they think it is.” Warren, Preble and Clark counties already use paper ballots.

Wisconsin: Voters Worry About Ballot Security, Officials Say All’s Well | WUWM

Tuesday is primary election day in Wisconsin. With races for governor, U.S. Senate and other offices, turnout is expected to be the highest since the presidential election in November 2016. Donald Trump’s win in that election spurred a lot of national concern over election tampering. While some voters still aren’t sure the system is secure, Wisconsin officials say the public shouldn’t be worried about ballot security. After early voting last week at the Zeidler Municipal Building in downtown Milwaukee, Anthony Brown said he considers hacking of voting machines a legitimate threat. “Anything that somebody can access from the other side of the world — I mean anywhere — any computer-oriented person can dictate what’s going on inside of that machine,” Brown said.

National: Election officials say money, training needed to improve security | Las Vegas Review-Journal

Regional U.S. election officials attending a hacker conference Friday in Las Vegas said they need more money and training to enhance cybersecurity of their election infrastructure. The thousands of local election officers around the U.S. have neither the cyber-knowledge nor resources to stand up to attacks from adversarial nations and need the support of state and federal governments, they said. But they warned that focusing too much on the vulnerabilities could backfire by undermining citizens’ confidence in the system. “There has never been such a spotlight and emphasis (on election hacking) as there has been since 2016. That is our new reality,’’ California Secretary of State Alex Padilla told an audience attending the annual Defcon computer security conference at Caesars Palace. “If it gets into the mind of anybody that maybe my vote isn’t going to matter, so why should I go vote — that is a form of voter suppression,” he said.

Florida: An 11-year-old changed election results on a replica Florida state website in under 10 minutes | PBS

An 11-year-old boy on Friday was able to hack into a replica of the Florida state election website and change voting results found there in under 10 minutes during the world’s largest yearly hacking convention, DEFCON 26, organizers of the event said. Thousands of adult hackers attend the convention annually, while this year a group of children attempted to hack 13 imitation websites linked to voting in presidential battleground states. The boy, who was identified by DEFCON officials as Emmett Brewer, accessed a replica of the Florida secretary of state’s website. He was one of about 50 children between the ages of 8 and 16 who were taking part in the so-called “DEFCON Voting Machine Hacking Village,” a portion of which allowed kids the chance to manipulate party names, candidate names and vote count totals.

Michigan: Wayne County Board of Canvassers will dig into election night website issues | Michigan Radio

The Wayne County Board of Canvassers wants to know what went wrong with the county’s election website during last week’s primary. The board is expected to meet Monday with the CEO of ElectionSource, the Grand Rapids-based company that runs the county’s election results reporting website, to try and get answers. As returns started coming in Tuesday night, it was clear the website was having problems. Some initial results were reported incorrectly, causing inexplicable fluctuations and leading many to doubt whether the numbers could be trusted at all. And the website shut down altogether for several hours during the night, before coming back online Wednesday morning. County elections officials insist the vote count was always accurate. ElectionSource blamed the problems on software glitches that resulted from too-large data files, and too much web traffic overwhelming data uploads.

Australia: Flaws in ACT election systems could reveal voters’ votes | ZDNet

Two newly revealed flaws in the Australian Capital Territory (ACT) electronic voting systems could have allowed voters to be linked to their votes, breaking the core democratic concept of the secret ballot. The vulnerabilities were disclosed in a detailed technical write-up on Monday by independent security researcher T Wilson-Brown, who originally discovered and confirmed the flaws in early January. Elections ACT had agreed in March to public disclosure on April 9, but on April 10 it pulled out. Four months later, Wilson-Brown has published them, to allow time for changes to be made before the next ACT election in 2020. The first vulnerability stems from Elections ACT publishing online the individual, and their preference allocations under the ACT’s preferential voting system, for later analysis.

National: Hackers at convention to ferret out election system bugs | Reuters

Def Con, one of the world’s largest hacker conventions, will serve as a laboratory for breaking into voting machines this week, extending its efforts to identify potential security flaws in technology that may be used in the November U.S. elections.  The three-day “Voting Village,” which opens in Las Vegas on Friday, also aims to expose vulnerabilities in devices such as digital poll books and memory-card readers. Def Con held its first voting village last year after U.S. intelligence agencies concluded the Russian government used hacking in its attempt to support Donald Trump’s 2016 candidacy for president. Moscow has denied the allegations.

National: More Government Websites Encrypt as Google Chrome Warns Users Non-HTTPS Sites are ‘Not Secure’ | Goverment Technology

Google Chrome, the most widely used Internet browser, has officially started warning users that unencrypted Web pages are “not secure.” Among those “not secure,” as of Aug. 9: The front pages of the official government websites for 14 states and four of the nation’s 10 most populous cities. Encryption — most easily represented with an “HTTPS” rather than “HTTP” in front of a site’s Web address — is the practice of encoding data traveling between a website and its visitor so that any third parties who are able to peek into the data don’t know what’s happening. With encryption, users can reasonably expect that their connection is private. Without it, bad actors can do things like steal information and change a Web page’s content without the user realizing it. It has become more or less the standard for the Internet. According to Google, 93 percent of Web traffic on Chrome takes place on encrypted pages. The tech giant started labeling non-HTTPS pages as “not secure” to push laggards toward encryption.

National: Trump team isn’t doing enough to deter Russian cyberattacks, according to our panel of security experts | The Washington Post

The White House insists that it’s mounting a robust response to digital offensives against election systems and other critical infrastructure. We asked The Network, a panel of more than 100 cybersecurity leaders from government, academia and the private sector, to share their opinions in our ongoing, informal survey. (You can see the full list of experts here. Some were granted anonymity in exchange for their participation.) Our survey revealed broad doubts among experts about the country’s deterrence strategy, after President Trump chose not to back the U.S. intelligence community’s conclusions that Moscow directed the cyberattacks aimed at disrupting the 2016 presidential election at a July press conference with Russian President Vladimir Putin.

Florida: Bill Nelson: The Russians have penetrated some Florida voter registration systems | Tampa Bay Times

Russian operatives have “penetrated” some of Florida’s voter registration systems ahead of the 2018 midterms, U.S. Sen. Bill Nelson said Wednesday, adding new urgency to concerns about hacking. bThe state, however, said it has received “zero information” supporting his claim. “They have already penetrated certain counties in the state and they now have free rein to move about,” Nelson told the Tampa Bay Times before a campaign event in Tampa. He said something similar a day earlier in Tallahassee but declined to elaborate. “That’s classified,” the Democrat said Tuesday. He is facing a re-election challenge in November from Gov. Rick Scott, whose administration said it has no knowledge of the allegations made by Nelson.

National: States have a lot of work to do on cybersecurity, and they shouldn’t wait for kids to find the problems | Washington Examiner

Today in Michigan, Ohio, Kansas, Washington, and Missouri, voters head to the polls to vote in primaries. But how safe are state websites with voter information? If you ask the organizers of the kids’ program at DEFCON, the answer is, so unsafe that a kid could probably figure out how to hack it. DEFCON, a top tier cybersecurity conference, has a program for kids called “r00tz,” and this year, part of the agenda is to have them hack replicas of state elections websites. The goal of the event is to both teach the participants basics of hacking, but also scare states into taking action to safeguard web security.

National: Hackers Already Attacking Midterm Elections, Raising U.S. Alarms | Bloomberg

The U.S. midterm elections are at increasing risk of interference by foreign adversaries led by Russia, and cybersecurity experts warn the Trump administration isn’t adequately defending against the meddling. At stake is control of the U.S. Congress. The risks range from social media campaigns intended to fool American voters to sophisticated computer hacking that could change the tabulation of votes. At least three congressional candidates have already been hit with phishing attacks that strongly resemble Russian sabotage in the 2016 campaign. Among them was Senator Claire McCaskill, a Missouri Democrat in one of the year’s most hotly contested races.

Editorials: Congress must not ignore the ‘flashing red light’ on election security | Steny Hoyer/The Hill

In a Senate hearing on Wednesday, technology experts testified that Russia and other foreign actors are continuing efforts to influence our elections. Meanwhile, intelligence agencies have already identified cyber threats against states’ election systems and made clear that this year’s midterm elections remain a target for disruption. If we do nothing, the very fabric of our democracy will be put at grave risk. The Republican-led Congress, however, continues to ignore this threat, even as Trump administration officials acknowledge that election security is a major concern. When House Republican leaders brought an appropriations bill to the Floor in July, they did so without providing funds to assist states in making their voting technology secure, accurate, and verifiable. House Republicans unanimously rejected an amendment offered by Rep. Mike Quigley (D-Ill.) to provide those resources, and Senate Republicans rejected a similar amendment last week.

National: Cyberattacks Haven’t Stopped but Neither Have Bills to Fight Them | Nextgov

When they took the podium at Thursday’s White House press briefing, national security and intelligence chiefs had one resounding message for the American people: The country is still under attack. “Russia attempted to interfere with the last election and continues to engage in malign influence operations to this day,” said FBI Director Christopher Wray. “This is a threat we need to take extremely seriously and to tackle and respond to with fierce determination and focus.” Wray was joined by Director of National Intelligence Dan Coats, Homeland Security Secretary Kirstjen Nielsen, National Security Agency chief Gen. Paul Nakasone and National Security Adviser John Bolton, all of whom reiterated their commitment to defending against foreign influence campaigns. The briefing came the day after internet researchers urged the government to take more targeted actions against online misinformation campaigns at a Senate Intelligence Committee hearing.

National: Amid cybersecurity fears, tech firms are offering to help secure the U.S. elections for free or at a discount | Fast Company

American democracy is under attack, with foreign spies and trolls throwing wrenches into the workings of U.S. elections—be it attempts to hack candidate websites, scramble voter rolls, or spread fake news on social media platforms. While Washington bickers about whether it’s spending enough on security upgrades ($380 million has been allocated, with Democrats repeatedly asking for more), the overtaxed cities and counties that actually run the polls are scrambling to catch up. Although Silicon Valley has come under fire for its role in recent elections around the world, enabling the social media vandalism of 2016, for instance, several tech firms are now stepping up to boost election security with free or discounted services. “We saw that tech was being used to undermine elections. And the question was, could we be a tech company that was helping to provide our services to help support those elections?” says Matthew Prince, CEO of the content-delivery network and security service Cloudflare.