Netherlands: How to hack the upcoming Dutch elections – and how hackers could have hacked all Dutch elections since 2009 | Weblog Sijmen Ruwhof

As everybody has read in the newspapers, the recent American elections involved multiple and severe hacking attacks. Tens of thousands of confidential and private emails from Hillary Clinton and the Democratic National Committee (DNC) were leaked via WikiLeaks. It is thought by many that this helped Trump to win the election. Journalists from Dutch TV station RTL contacted me last week and wanted to know whether the Dutch elections could be hacked. They had been tipped off that the current Dutch electoral software used weak cryptography in certain parts of its system (SHA1). I was stunned and couldn’t believe what I had just heard. Are we still relying on computers for our voting process? The Dutch government banned electronic voting for cyber-security reasons on June 4th, 2009. We returned to using red pencil and paper and have done so ever since. … Seems pretty solid right with all the visible paper? Hold on!

Editorials: Alabama has the right approach to election security | Lt. Col. Tony Shaffer/AL.com

To stop cyberattacks on voting, America should follow the state’s lead on paper ballots

There’s no evidence that hacking impacted the 2016 elections. But there’s growing evidence that elections in 2018 and 2020 could be at risk. The threat could come from North Korea, Iran, or any of a host of foreign adversaries. The challenges are getting clearer. In August, Chicago’s Board of Elections reported that sensitive information about the city’s 1.8 million registered voters was left exposed online for an unknown period. Earlier in the summer, the Department of Homeland Security confirmed that foreign agents targeted voting systems in 21 states in the last election. Other news reports found that hackers successfully compromised election technology vendors who program voting systems. In the fight to secure America’s voting systems, Alabama is already employing the most crucial defensive weapon: paper ballots. The transparency and simplicity of the state’s system is tough to hack and relatively easy to verify. To guard against a foreign attack on our nation’s election systems, we need action to ensure others follow Alabama’s example.

Estonia: Possible security risk affects 750,000 Estonian ID-cards | Estonian World

An international team of researchers has informed the Estonian authorities of a vulnerability potentially affecting digital use of Estonian ID cards issued since October 2014; all the cards issued to e-residents are also affected. On 30 August, an international team of researchers informed the Estonian Information System Authority (RIA) of a vulnerability potentially affecting the digital use of Estonian ID cards. The possible vulnerability affects a total of almost 750,000 ID-cards issued starting from October 2014, including cards issued to e-residents. The ID-cards issued before 16 October 2014 use a different chip and are not affected. Mobile-IDs are also not impacted. …  In the light of current events, some Estonian politicians called to postpone the upcoming local elections, due to take place on 16 October. In Estonia, approximately 35% of the voters use digital identity to vote online.

National: America is Not Ready for Another Attack on Elections | Newsweek

The United States remains woefully unprepared for an attack on its nationwide elections system, seven months after the 2016 presidential campaign season was consumed by Russia’s multipronged attempts to undermine democracy by damaging Hillary Clinton’s candidacy. Just six of the 10 states that requested additional money to firm up cybersecurity at their election agencies are expecting to receive it, Politico reported Tuesday, while 21 states have called on new federal funding to strengthen local election security or replace outdated voting machines susceptible to hacking and intrusion.

Editorials: 5 ways to address election system weaknesses | Eric Hodge/GCN

Over the past few months, a steady stream of information has surfaced about Russian efforts to hack the 2016 presidential election. The attacks were specifically focused on voter databases and voting software, with attempts to alter or delete voter information in Illinois and Arizona and intrusions into campaign databases. Experts believe that the goal was to change the outcome of the election. In the past, the voting process wasn’t seen as a target for hackers. Most cyber criminals go after credit card data or Social Security numbers in order to steal peoples’ identities for financial gain. The 2016 presidential elections revealed a new way of thinking. Election hacking wasn’t driven by the desire to make money, but by an effort to meddle with election results, directly by targeting voter data and indirectly through leaks of confidential information to the media.

Estonia: Potential security risk could affect 750,000 Estonian ID cards | ERR

Last Thursday, Estonia’s Information System Authority (RIA) was informed by an international group of researchers that a potential security risk had been detected affecting all national ID cards issued in Estonia after October 2014. Estonian experts have determined that the potential risk does indeed exist, affecting 750,000 currently valid ID cards issued after Oct. 17, 2014. ID cards issued prior to this date use a different chip and are unaffected by this risk. Likewise unaffected is the SIM card-based Mobile-ID system, which the government is recommending people sign up for.

Germany: Merkel ally cites thousands of cyber attacks from Russian IP addresses | Reuters

A top leader of German Chancellor Angela Merkel’s conservative party said her website had been hit by thousands of cyber attacks — many from Russian IP addresses — before Sunday’s televised election debate. German intelligence and government officials have often voiced concerns that Moscow could seek to interfere in the Sept. 24 national election, in which Merkel is widely expected to win a fourth term. Russia has repeatedly denied trying to influence foreign elections. Julia Kloeckner, vice chairman of Merkel’s Christian Democratic Union (CDU), said on Monday that her political website had seen some 3,000 attacks on Sunday before the debate between Merkel and Social Democratic leader Martin Schulz.

National: Evidence of Russian Election-Data Tampering Mounts as Urgency to Investigate It Does Not | Slate

Russia’s attempts to interfere with the 2016 U.S. election directly at the ballot box may have been more aggressive than we previously understood. The New York Times published an alarming investigation on Friday about hackers’ efforts to tamper with electoral systems and the government’s surprising lack of response to the threat. The article builds on revelations reported by the Intercept in June that Russia’s military intelligence agency had breached VR Systems, a company that provides electronic poll books to counties in eight states, beginning in August 2016. Hackers infiltrated at least two other unnamed companies providing essential election apparatuses like voter databases and registration operations in the months leading up to November, anonymous intelligence officials told the Times, and election systems in at least 21 states had been targeted. (In June, Bloomberg reported that Russian hackers had accessed election-related systems in 39 states. It’s unclear why the Times now estimates fewer states were penetrated.)

Editorials: In Election Interference, It’s What Reporters Didn’t Find That Matters | Nicole Perlroth/The New York Times

The story started, as many do, with our own confusion. The most unusual of presidential elections — one marred by Russian trolls, a digital Watergate-style break-in and the winning candidate’s dire warnings of a “rigged election” — was followed by the most unusual period of acceptance. In the immediate aftermath of the 2016 election, government officials, the Clinton campaign, intelligence analysts, and civic and legal groups all appeared to calmly accept claims that votes had not been hacked. I had been on the cyber beat for six years and had grown accustomed to deep, often lengthy digital forensics analyses of cyberattacks against a wide range of targets: Silicon Valley start-ups, multinational conglomerates, government agencies and our own Times breach by Chinese government hackers. In the vast majority of cases, it takes investigators months or years to discover that hackers had indeed been lurking undetected on victims’ machines.

Editorials: Can America handle the truth of the tarnished 2016 election? | Will Bunch/Philadelphia Inquirer

Something smelled wrong about the election from the very start. In the weeks before the presidential balloting took place, millions of voters were bombarded with “fake news” about the candidates on Facebook and other social media sites. And when the vote tallies were announced, the nation was shocked by the results. There was scattered unrest, even violence — and loud whispers that the election had somehow been stolen. Some wondered about the role of Cambridge Analytica, the firm founded by a billionaire backer of Donald Trump. Then, something remarkable — unprecedented, really — took place. The nation’s highest court decided to launch a thorough investigation of what really happened on Election Day. What the justices eventually uncovered was shocking — a scheme to change results from the actual polling places when they were tallied electronically. What happened next was perhaps more surprising: The Supreme Court justices ordered a new national election. Yes, this scenario actually just played out. In Kenya.

Germany: CDU politician accuses Russia of hacking website | Politico.eu

A senior politician of German Chancellor Angela Merkel’s conservative Christian Democratic Union (CDU) lashed out at Russia after her website appeared to be hacked Sunday. Julia Klöckner, the leader of the CDU in the state of Rhineland Palatinate, said on Twitter: “Today a massive hacker attack on my homepage – with greetings from Russia. [As] if this has something to do with the election.”

Norway: Election security may delay results | News from Norway

As Norwegian voters head into election booths to cast their ballots, state officials have already been working for months to ensure the highest possible security around their choices for Parliament. Some of the security measures now in place may cause some delays in election results early next week, but that’s a risk the officials are willing to take. “We’ll just have to use the time it takes to count up all the ballots,” one local official told Norwegian Broadcasting (NRK) just after being told on Friday that all municipalities must conduct at least one manual count of all absentee and early voting and those ballots cast on Election Day next Monday. Instead of simply feeding ballots into scanners attached to the Internet, people will also count the votes.

National: Russian Election Hacking Efforts, Wider Than Previously Known, Draw Little Scrutiny | The New York Times

The calls started flooding in from hundreds of irate North Carolina voters just after 7 a.m. on Election Day last November. Dozens were told they were ineligible to vote and were turned away at the polls, even when they displayed current registration cards. Others were sent from one polling place to another, only to be rejected. Scores of voters were incorrectly told they had cast ballots days earlier. In one precinct, voting halted for two hours. Susan Greenhalgh, a troubleshooter at a nonpartisan election monitoring group, was alarmed. Most of the complaints came from Durham, a blue-leaning county in a swing state. The problems involved electronic poll books — tablets and laptops, loaded with check-in software, that have increasingly replaced the thick binders of paper used to verify voters’ identities and registration status. She knew that the company that provided Durham’s software, VR Systems, had been penetrated by Russian hackers months before. “It felt like tampering, or some kind of cyberattack,” Ms. Greenhalgh said about the voting troubles in Durham.

South Carolina: Watchdogs want full report cards on election weaknesses | The State

State election officials say that despite millions of cyber attempts to gain access to South Carolina’s voter registration system in the past year, no one has succeeded. But two election watchdogs complain that problems have been discovered and they want to be shown evidence of their severity. … Initial assessments by the S.C. National Guard’s Military Department Defense Cyber Operations and the U.S. Department of Homeland Security done in the wake of the Russian hacking of the presidential election found weaknesses in all county offices and at the state elections agency. The elections agency later hired the Charleston-based cybersecurity firm Soteria to plug the holes. But a USC computer science professor and a Lowcountry elections watchdog want to see the full assessments for themselves. “Every single county has at least a critical or high vulnerability,” said University of South Carolina computer science professor and elections analyst Duncan Buell. “They were not doing the no-brainer things for election security.” The Homeland Security assessment found the same level of vulnerability in servers used by the state agency, he said.

Iowa: Cybersecurity firm to review Linn County election system | The Gazette

The Linn County election commissioner has retained a Corridor-based cybersecurity firm to review the county’s voter registration and election system. Linn County Auditor Joel Miller said the review of the system by ProCircular will support the countywide school board elections Sept. 12. “This is a continuation of our efforts to improve the integrity of the voting process to ensure that our systems and records are secure, and that every vote is accurately counted,” Miller said. He also cited a “sense of urgency” because of the U.S. Department of Homeland Security’s recent declaration that voting systems are considered “critical infrastructure.”

Minnesota: Are our elections secure? Minnesota’s in better shape than most states | WDAY

With the CIA and the FBI agreeing that Russia attempted to interfere in the 2016 election to help Donald Trump, many Minnesotans are concerned about protecting the integrity of the state’s election system. They shouldn’t be too worried, Minnesota Secretary of State Steve Simon said Tuesday, Aug. 29, during a visit to Detroit Lakes. “My biggest surprise about this job is the time, effort and energy that I and the rest of the staff spend on cyber security issues,” said Simon, who was elected in 2014. He campaigned on running the office with a Joan Growe-style of excellence, and expected to deal with straightforward issues: expanding access to voting, removing barriers to voting, making business services as streamlined as possible.

National: Cyber experts were blocked in their push to patch voting systems in 2016 | McClatchy

They knew Russian operatives might try to tamper with the nation’s electronic voting systems. Many people inside the U.S. government and the Obama White House knew. In the summer of 2016, a cluster of volunteers on a federally supervised cybersecurity team crafting 2018 election guidelines felt compelled to do something sooner. Chatting online, they scrambled to draw up ways for state and local officials to patch the most obvious cyber vulnerabilities before Election Day 2016. Their five-page list of recommendations focused on two gaping holes in the U.S. election system. It warned that internet voting by at least some citizens in 32 states was not secure and should be avoided. And, critically, it advised how to guard voting and ballot-counting machines that the experts knew could be penetrated even when disconnected from the internet. But the list was stopped in its tracks. A year later, even as U.S. intelligence agencies warn that Russian operatives have their eyes on 2018 and beyond, America’s more than 7,000 election jurisdictions nationwide still do not have access to those guidelines for shielding the voting process.

National: President Trump’s cybersecurity advisers resign with dire warning | Metro US

Eight advisers on President Trump’s cybersecurity team have resigned, leaving behind a scathing message for him: He has “given insufficient attention to the growing threats” facing the United States, and his inaction has “threatened the security of the homeland.” The advisers comprised more than one-quarter of the National Infrastructure Advisory Council (NIAC). The 28-member panel, established in 2001 and drawn from the private sector, government and academia, advises the Department of Homeland Security on cybersecurity and infrastructure protection. They excoriated Trump on those fronts, saying he has failed to be “adequately attentive to the pressing national security matters” or “responsive to sound advice received from experts.” Those departing experts cited the president’s response to the violence in Charlottesville, in which he defended white supremacists, his withdrawal from the Paris Agreement on climate change and his inaction on safeguarding the U.S. election system after the Russian attacks on the 2016 election.

Editorials: Outdated technology is a greater threat than hackers to US elections | Antonio Mugica/Washington Examiner

The recent DefCon hacking conference demonstrated why America needs to modernize its voting systems with more technology, not less. Participants exposed vulnerabilities in various pieces of election technology at DefCon’s Voting Machine Hacking Village and, predictably, had no difficulty infiltrating many of the systems. The twist? They were hacking into technology that hadn’t been updated since the early 2000s. Interestingly, the key takeaways from this hack-a-thon closely mirror the recommendations recently put forth to Congress by 100 security experts. They include the need for multiple levels of encryption, post-election audits and secure servers. But it’s important to remember that these findings aren’t new. And my company, Smartmatic, has been using such measures to protect voters for over a decade, so we know the technology exists. The hackers at DefCon highlighted the dramatically archaic state of U.S. voting machines and reminded the public to prioritize securing voting infrastructure for upcoming elections. In a field where the half-life of software can be just a few months, it’s no surprise hackers took down equipment that was over a decade old. The concerning part is that some of this technology is still used in elections today.

National: How secure are America’s voting machines? | PRI

At a recent DefCon security conference, organizers wanted to test how voting machines could be hacked. The result? It took just 90 minutes for the hackers to get into the machines. Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology, in Washington, DC, says the hack took that long only because the individual had to leave the facility to go buy a USB keyboard. “When he came back, there were two open USB ports on the back of this machine, which was a decertified AVS WINVote,” Hall explains. “He did the ‘three-fingered salute’— the Windows control-alt-delete — and it dropped to Task Manager. Then he could load whatever he wanted. They installed Winamp and played the now-famous Rick Astley song, ‘Never Gonna Give You Up.’” Some of the machines the hackers “attacked” are still in use, but for the most part, they were purchased on eBay or GovDeals (the government version of eBay), Hall says. Most were two or three years old and not running the most current software. Nevertheless, the experiment exposed serious flaws in virtually every type of machine.

National: U.S. state election officials still in the dark on Russian hacking | Reuters

The federal government has not notified U.S. state election officials if their voting systems were targeted by suspected Russian hackers during the 2016 presidential campaign, and the information will likely never be made public, a top state election chief told Reuters. “You’re absolutely never going to learn it, because we don’t even know it,” Judd Choate, state election director for Colorado and president of the National Association of State Election Directors, said in an interview on Thursday during the group’s summer conference. Nearly 10 months after Republican Donald Trump’s upset presidential victory over Democrat Hillary Clinton, Choate said he had not spoken to a single state election director who had been told by the U.S. Department of Homeland Security if their state was among those attacked. The lack of information-sharing on the election breaches reflects the difficulty state and federal officials have had in working together to protect U.S. voting from cyber threats. All U.S. elections are run by state and local governments, which have varying degrees of technical competence.

National: My Conversation With a Leading Election Technology Researcher Should Terrify You | Patriot NOT Partisan

Def Con is a 25 year old hacking convention where the worlds best hackers come together often highlighting security vulnerabilities in technology. This year, Def Con made news by raising awareness of our voting machine insecurities by challenging hackers to hack into the voting machines commonly used in this country for elections. These Def Con hacks took place in the “Voting Village”. I spoke with Voting Village organizer and leading election technology researcher, Harri Hursti, about the results of the experiment and the challenges we face in securing our elections in the future.

AM: Tell me about Def Con and the “Voting Village” and the role you played in the experiment.

HH: I was the co-organizer of the Village along with professor Matt Blaze.

AM: What was the main purpose of this exhibition?

HH: Education. We wanted to let the security community learn more about the machines and the designs. So far, only a very small group of people have been allowed to study and research these machines. As a result there was a lot of misinformation, rumors and false claims, and finding proven facts was difficult. The broader community which has 1st hand experience can help the public and the policy makers to get the facts known and drive better policies and practices to secure the elections.

National: Many County Election Officials Still Lack Cybersecurity Training | NBC

Despite Russia’s attempt to hack the 2016 U.S. election and the voter registration systems of 21 states, an NBC News investigation reveals that election officials in the most heavily populated counties of three crucial swing states still haven’t received formal training on how to detect and fight attacks. Election officials in three of Pennsylvania’s four biggest counties — Philadelphia, Allegheny and Bucks, which together account for nearly a third of the state’s voters — told NBC News they never received cybersecurity training, which experts say is crucial for officials to identify risks. NBC reached out to election officials in every county in Arizona, Pennsylvania and Michigan and got responses from 60 percent of the counties. Officials from all 15 Arizona counties responded, but only five said their officials had received cybersecurity training. In Pennsylvania, where 42 of 67 counties responded, eight counties said their workers had training. In Michigan, 40 of the state’s 83 counties responded, and only 12 indicated receiving formal training.

National: Proposed legislation discourages Russia-U.S. cyber pact, while prioritizing election security | SC Magazine

A U.S. intelligence bill that recently passed committee in the Senate contains key provisions designed to defend the electoral process from Russian meddling and other foreign interference, as well as curtail any possible White House effort to form a joint cybersecurity unit with the Kremlin. Passed in the Senate Intelligence Committee by a 14-1 margin this past July and made public just days ago, the Intelligence Authorization Act for Fiscal year 2018 explicitly forbids the U.S. government from using federal resources to form a cyber partnership with Russia, unless the U.S. Director of National Intelligence (DNI) first submits a report that congressional intelligence committee members can review 30 days in advance of such an agreement. This key clause is a blatant rebuke of President Donald Trump, who fleetingly announced a U.S.-Russian cyber unit in July before backing off the idea amidst backlash.

Georgia: Election hacking suit over Georgia race could be sign of what’s to come | USA Today

First elections, then probes into hacking. Now, the lawsuits over election hacking. A group of Democrat and Republican voters in Georgia is suing the state to overturn its fiercely fought June special election, saying evidence the state’s voter database was exposed to potential hackers for at least eight months invalidates the results. The lawsuit, which went to pre-trial conferences this week, could be a sign of disputes to come as revelations mount about the vulnerability of the U.S. election system and Russian attempts to infiltrate it. “As public attention finally starts to focus on the cybersecurity of election systems, we will see more suits like this one, and eventually, a woke judge will invalidate an election,” said Bruce McConnell, vice president of the EastWest Institute and former Department of Homeland Security deputy undersecretary for cybersecurity during the Obama administration. Plaintiffs argue the disclosure in August 2016 by Logan Lamb, a Georgia-based computer security expert, that much of Georgia’s voting system was inadvertently left out in the open on the Internet without password protection from August 2016 to March 2017 should make the results moot. What’s more, Georgia’s use of what the plaintiffs say are insecure touch-screen voting computers, which they claim don’t comply with Georgia state requirements for security testing, means the election results couldn’t legally be certified, they say.

National: Could Offering Spy Secrets To State Officials Help Safeguard Future Elections? | NPR

Congress could authorize top-secret security clearances for each state’s chief election official to help protect voting systems from cyberattacks and other potential meddling. That provision, which was part of the Senate Intelligence Committee’s 2018 policy bill for U.S. spy agencies, is one of the first concrete steps that lawmakers have taken to try to defend future elections from the sort of foreign interference that plagued the 2016 presidential race. The Senate panel is one of two congressional committees investigating what the American intelligence community says was a Russian government campaign to undermine the U.S. democratic system, discredit Hillary Clinton and help Donald Trump win. The Senate Intelligence panel included language that would require Director of National Intelligence Dan Coats to set up the clearances for state leaders in its annual bill setting policy for the intelligence community.

Georgia: Man who uncovered Georgia’s voter data speaks out | CBS

The man who sounded the alarm about Georgia’s voting system sat down with CBS46 for a one-on-one interview. He tackles the question of whether your vote is safe. The 29-year-old says he’d heard Georgia’s election system was vulnerable and wanted to play around with it to “see what he could accomplish.” … “If a bad guy wanted to have everyone’s voter registration information, they probably have it today,” says Lamb, who is a cybersecurity researcher. He says this because one year ago, he did a simple Google search on the Georgia Secretary of State’s website. The cybersecurity researcher uncovered more than he could have ever expected. First, he found voter lists. “I thought that was pretty strange,” says Lamb. “So I immediately wrote a little bit of code to just download the website.” When he returned from lunch, he says, “I was shocked to find that I had about 15 gigabytes of data…voter registration information. I had full names, dates of birth, addresses, last four digits of social security numbers, driver’s license numbers. There were databases that are used on election day for actually accumulating the vote.” He believes the website was also vulnerable to a well-known hack and the server was not secure.

National: Senate bill bans joint cyber initiative with Russia | FCW

An authorization bill introduced Aug. 18 by Sen. Richard Burr (R-N.C.) pushes back against a proposal floated by the Trump administration to set up a joint cyber initiative with Russia. The bill also establishes a strategy to protect U.S. election systems and pushes for increased pay rates for federal cyber professionals. It is not the first bill to call for a prohibition on potential U.S.-Russia cyber cooperation. Following President Donald Trump’s tweet on July 9 stating that he and Russian President Vladimir Putin had “discussed forming an impenetrable Cyber Security unit” in the future to guard against election hacking, a bipartisan group of legislators expressed alarm at the idea. Although Trump later backtracked, Senate Democrats introduced a standalone bill three days later to deny funding for any such plan.

Illinois: Massive Chicago Voter Breach Underscores Importance of Cloud Security | eSecurity Planet

In a vivid reminder of the need to secure data in the cloud, researchers at UpGuard recently came across more than 1.8 million Chicago voters’ personal information exposed online in a misconfigured Amazon S3 bucket belonging to voting machine company Election Systems & Software (ES&S). The publicly downloadable data, which was discovered on August 11 by UpGuard director of strategy Jon Hendren, included voters’ names, birthdates, addresses, phone numbers, driver’s license numbers and the last four digits of Social Security numbers. The data was put together by ES&S for the Chicago Board of Election Commissioners prior to the 2016 election. Since Chicago only had 1.5 million active voters in November 2016, the data appears to cover all of Chicago’s voters, both active and inactive. This is part of a larger trend — other recent breaches linked to misconfigured Amazon servers have exposed 14 million Verizon customers’ data, more than 3 million WWE fan’s personal information, 4 million Dow Jones customers’ personal data, over 60,000 sensitive Pentagon files, and approximately 48,000 Indian citizens’ personal data.

Kenya: Spoilt Votes, Insecure Systems Among Issues in Nasa Petition | allAfrica.com

The contention whether or not rejected and spoilt votes should have been factored in, during computation of the 50 per cent plus one threshold for winning a presidential election is yet again expected to feature in the 2017 presidential election petition. In its 14-point relief pleadings, the National Super Alliance (NASA) is seeking to convince the Supreme Court bench to review a precedence set in the 2013 presidential election petition where the court decided that rejected votes ought not to be included in calculating tallies in favour of any candidate. NASA has also lined up a series of affidavits among them those filed by election officials, its presidential agents and technology experts, all poking holes on crucial election processes which the alliance argues compromised the credibility of the August 8 General Election.