Editorials: A Solution to Hackers? More Hackers | Kevin Roose/The New York Times

If there’s a single lesson Americans have learned from the events of the past year, it might be this: Hackers are dangerous people. They interfere in our elections, bring giant corporations to their knees, and steal passwords and credit card numbers by the truckload. They ignore boundaries. They delight in creating chaos. But what if that’s the wrong narrative? What if we’re ignoring a different group of hackers who aren’t lawless renegades, who are in fact patriotic, public-spirited Americans who want to use their technical skills to protect our country from cyberattacks, but are being held back by outdated rules and overly protective institutions? In other words: What if the problem we face is not too many bad hackers, but too few good ones? The topic of ethical hacking was on everyone’s mind at Def Con, the hacker convention last week in Las Vegas. It’s the security community’s annual gathering, where thousands of hackers gathered to show their latest exploits, discuss new security research and swap cyberwar stories. Many of the hackers I spoke to were gravely concerned about Russia’s wide-ranging interference in last year’s election. They wanted to know: How can we stop attacks like these in the future?

National: DEFCON Hackers Found Many Holes in Voting Machines and Poll Systems | IEEE Spectrum

E-voting machines and voter registration systems used widely in the United States and other countries’ elections can readily be hacked—in some cases with less than two hours’ work. This conclusion emerged from a three-day-long hackathon at the Def Con security conference in Las Vegas last weekend. Some of those hacks could potentially leave no trace, undercutting the assurances of election officials and voting machine companies who claim that virtually unhackable election systems are in place. … “These people who hacked the e-poll book system, when they came in the door they didn’t even know such a machine exists. They had no prior knowledge, so they started completely from scratch,” says Harri Hursti, Hacking Village co-coordinator and data security expert behind the first hack of any e-voting system in 2005.

National: Hacking voting machines takes center stage at DEFCON | Tech Target

“Anyone who says they’re un-hackable is either a fool or a liar.” Jake Braun, CEO of Cambridge Global Advisors and one of the main organizers of the DEFCON Voting Village, said the U.S. election industry has an attitude similar to what had been seen with the air and space industry and financial sectors. Companies in those sectors, Braun said, would often say they were un-hackable — their machines didn’t touch the internet and their databases were air-gapped — until they were attacked by nation-states with unlimited resources and organized cybercrime syndicates and they realized they were “sitting ducks.” … Candice Hoke, law professor and co-director of the Center for Cybersecurity and Privacy Protection, said in a DEFCON talk the laws surrounding investigations of potential election hacking were troublesome. “In some states, you need evidence of election hacking in order to begin an investigation. This is an invitation to hackers,” Hoke said. “We all know in the security world that you can’t run a secure system if no one is looking.”

National: Hackers Eviscerate Election Tech Security…Who’s Surprised? | WhoWhatWhy

Over the past two days, all major US news outlets breathlessly reported that hackers in Las Vegas needed little time to expose the security flaws of several types of voting machines this weekend. While it is certainly nice to see the mainstream media cover election integrity issues more than once every four years, anybody following the topic, as WhoWhatWhy routinely does, was hardly surprised that the hackers were so successful. How do we know? Because, in anticipation of what happened at the DEF CON hacking conference, WhoWhatWhy spoke to many of the leading election integrity experts to get their thoughts on the event. Most of them expressed hope that the hackers would raise much-needed awareness of the vulnerabilities of US voting machines. Some of the experts we spoke to ahead of the event expressed concerns that, should the hackers fail to breach the machines, it would give people a false sense of security. It turns out that they did not have to worry about that — at all.

National: Congressmen at DefCon: Please help us, hackers! | The Parallax

For the first time in the 25 years of the world’s largest hacker convention, DefCon, two sitting U.S. Congressmen trekked here from Washington, D.C., to discuss their cybersecurity expertise on stage. Rep. Will Hurd, a Texas Republican, and Rep. Jim Langevin, a Rhode Island Democrat, visited hacking villages investigating vulnerabilities in cars, medical devices, and voting machines; learned about how security researchers plan to defend quantum computers from hacks; and met children learning how to hack for good. … Hurd said security researchers could play an important role in addressing increasingly alarming vulnerabilities in the nation’s voting apparatus. DefCon’s first voting machine-hacking village this weekend hosted a voting machine from Shelby County, Tenn., that unexpectedly contained personal information related to more than 600,000 voters. Village visitors managed to hack the machine, along with 29 others.

National: Hackers at a cybersecurity conference breached dozens of voting machines | Business Insider

Professional hackers were invited to break into dozens of voting machines and election software at this year’s annual DEFCON cybersecurity conference. And they successfully hacked every single one of the 30 machines acquired by the conference. The challenge was held at DEF CON’s “Voting Village,” where hackers took turns breaching ten sample voting machines and voter registration systems, Politico reported. … “Follow the money,” Harri Hursti, the cofounder of Nordic Innovation Labs, which helped organize DEF CON, told The Hill. “On the other end of the ballot, that’s where the money is — banks and roads.” Hodge said that if officials take care to “store machines, set them up, [and] always have someone keeping an eye on machines,” that could go a long way in ensuring the safety of the electoral process.

National: To make our voting tech more secure, policymakers may need to work with the people who can break into them | KPCC

After acquiring a decommissioned voting machine, Anne-Marie “Punky” Chun and her colleagues at Synack set out to hack it. It took them only a matter of hours. “Just looking at the security hygiene, it wasn’t very strong,” Chun told Take Two host A Martinez in an interview. “The encryption password, for example, was hard-coded as ‘ABCD.’ And it was used on the whole machine.” Chun and her team test cyber security in, arguably, the most effective way: by breaking in themselves. So when they thought about the best way to check the security of election data, they knew they had to find a voting machine, and preferably an older one.

France: Wikileaks releases Macron campaign’s emails | IT PRO

Wikileaks has published Emmanuel Macron’s leaked presidential campaign emails as a searchable archive, meaning millions of internet users will be able to access the 71,848 emails sent and received during Macron’s leadership bid. The whistleblowing website revealed more than 20,000 of the emails were sent or received by addresses associated with the campaign, with the other emails it couldn’t verify. Macron’s office said the now French President’s email account was hacked on 5 May – just a few days before he defeated second favourite candidate Marine Le Pen. This is despite the campaign team reportedly planting false data to try and fool any hackers from stealing the data.

National: DHS is refusing to investigate possible breach of voting machines | Business Insider

Pressure to examine voting machines used in the 2016 election grows daily as evidence builds that Russian hacking attacks were broader and deeper than previously known. And the Department of Homeland Security has a simple response: No. DHS officials from former secretary Jeh Johnson to acting Director of Cyber Division Samuel Liles may be adamant that machines were not affected, but the agency has not in fact opened up a single voting machine since November to check. Asked about the decision, a DHS official told TPM: “In a September 2016 Intelligence Assessment, DHS and our partners determined that there was no indication that adversaries were planning cyber activity that would change the outcome of the coming US election.” According to the most recent reports, 39 states were targeted by Russian hackers, and DHS has cited–without providing details–domestic attacks in its own reports as well. “Although we continue to judge all newly available information, DHS has not fundamentally altered our prior assessments,” the department told TPM.

National: Every Voting Machine at This Hacking Conference Got Totally Pwned | Gizmodo

A noisy cheer went up from the crowd of hackers clustered around the voting machine tucked into the back corner of a casino conference room—they’d just managed to load Rick Astley’s “Never Gonna Give You Up” onto the WinVote, effectively rickrolling democracy. The hack was easy to execute. Two of the hackers working on the touchscreen voting machine, who identified themselves only by their first names, Nick and Josh, had managed to install Windows Media Player on the machine and use it to play Astley’s classic-turned-trolling-track. … The security industry encourages regular software updates to patch bugs and keep machines as impenetrable as possible. But updating the machines used in voting systems isn’t as easy as installing a patch because the machines are subject to strict certification rules.

National: Hackers Demonstrate How Vulnerable Voting Machines Are | US News & World Report

We shouldn’t need another reminder, but the DefCon hacking conference in Las Vegas provided one over the weekend anyway: Voting machines are highly susceptible to electronic attacks. You might remember the topic of hacking elections from such recent presidential campaigns as: last year’s. And while – this is important – there’s no evidence that hackers manipulated actual vote tallies in 2016, there’s every reason to believe that cyber-malefactors will try to do just that in future. And the DefCon gang proved how easy that would be. The convention set up a Voting Machine Hacking Village where attendees could see what they could do against more than 30 voting machines (procured, no kidding, via eBay and government auctions). It took less than 90 minutes before a hacker was able to crack the poorly-secured Wi-Fi on one voting machine (which is, thankfully, outdated and was apparently last used in 2015); another programmed a machine to play Rick Astley’s ghastly song, “Never Gonna Give You Up.” Imagine casting your vote on Election Day and getting rickrolled for your trouble.

National: Hackers at DefCon conference exploit vulnerabilities in voting machines | USA Today

It took less than a day for attendees at the DefCon hacking conference to find and exploit vulnerabilities in five different voting machine types. “The first ones were discovered within an hour and 30 minutes. And none of these vulnerabilities has ever been found before, they’re all new,” said Harri Hursti, co-coordinator of the event. One group even managed to rick-roll a touch screen voting machine, getting it to run Rick Astley’s song “Never Gonna Give You Up,” from 1987. … The groups weren’t able to change votes, noted Hursti, a partner at Nordic Innovation Labs and an expert on election security issues. “That’s not what we’re trying to do here today. We want to look at the fundamental compromises that might be possible,” he said.

National: Hackers descend on Las Vegas to expose voting machine flaws | Politico

Election officials and voting machine manufacturers insist that the rites of American democracy are safe from hackers. But people like Carsten Schurmann need just a few minutes to raise doubts about that claim. Schurmann, a professor of computer science at the University of Copenhagen in Denmark, used a laptop’s Wi-Fi connection Friday to gain access to the type of voting machine that Fairfax County, Virginia, used until just two years ago. Nearby, other would-be hackers took turns trying to poke into a simulated election computer network resembling the one used by Cook County, Illinois. … Before the 2016 election, former FBI Director James Comey assuaged fears by telling Congress that the system was so “clunky” — comprised of a mishmash of different kinds of machines and networks, with each state’s results managed by a consortium of state and county officials — that its overall integrity was fairly safe. Election security advocates aren’t as confident. Barbara Simons, Board Chair of Verified Voting, a nonprofit that since 2003 has studied U.S. elections equipment, said that the vulnerabilities on display in Las Vegas only served to reiterate a need for the country to adopt a nationwide system of verifiable paper ballots and mandatory, statistically significant audits. While numerous states have started moving in this direction, Simons worries it’s not enough.

National: These Hackers Reveal How Easy It Is To Hack US Voting Machines | Forbes

In a muggy little room in the far corner of Caesar’s Palace, wide-eyed and almost audibly buzzing is Carsten Schurmann. The German-born hacker has just broken into a U.S. voting machine with his Apple Mac in a matter of minutes. He can turn it on and off, he can read all the information stored within and if he felt like it, he could probably change some votes if the system was in use. “This is insane,” he says. But today, that machine is not in use, it’s being opened up for anyone to try what Schurmann did. A host of technically-minded folk have gathered at DEF CON’s Voting Machine Village, where they’re tinkering with more than 25 commonly used systems used across American elections. They might just save the next election from Russian hackers. Those machines are, co-organizer Matt Blaze says, horribly insecure. Blaze’s hope is the public will be made aware of their many, many flaws, and demand elections be protected from outside, illegal interference, following the much-documented attempts by Russia to install Donald Trump as president.

National: Hackers Scour Voting Machines for Election Bugs | VoA News

Hackers attending this weekend’s Def Con hacking convention in Las Vegas were invited to break into voting machines and voter databases in a bid to uncover vulnerabilities that could be exploited to sway election results. The 25-year-old conference’s first “hacker voting village” opened on Friday as part of an effort to raise awareness about the threat of election results being altered through hacking. Hackers crammed into a crowded conference room for the rare opportunity to examine and attempt to hack some 30 pieces of election equipment, much of it purchased over eBay, including some voting machines and digital voter registries that are currently in use.

National: Hackers breach each of dozens of voting machines brought to conference | The Hill

One of the nation’s largest cybersecurity conferences is inviting attendees to get hands-on experience hacking a slew of voting machines, demonstrating to researchers how easy the process can be. “It took me only a few minutes to see how to hack it,” said security consultant Thomas Richards, glancing at a Premier Election Solutions machine currently in use in Georgia. The DEF CON cybersecurity conference is held annually in Las Vegas. This year, for the first time, the conference is hosting a “Voting Machine Village” where attendees can try to hack a number of systems and help catch vulnerabilities. The conference acquired 30 machines for hackers to toy with. Every voting machine in the village was hacked.

National: Defcon hackers break voting machines easily with old exploits | CNET

When the password for a voting machine is “abcde” and can’t be changed, the integrity of our democracy might be in trouble. The Advanced Voting Solutions WinVote machine, dubbed “America’s worst voting machine,” came equipped with this simple password even as it was used in some of the country’s most important elections. AVS went out of business in 2007, but Virginia used its insecure machines until 2015 before dropping them for scrap metal. That means this vulnerable hunk of technology was used in three presidential elections, starting with George W. Bush’s re-election in 2004 to Barack Obama’s in 2012. In addition to Virginia, Pennsylvania and Mississippi used the WinVote without knowing all the ways it could be hacked. Unlike other technology — your phone, your laptop, connected cars — security wasn’t really a focus. 

Editorials: Election hacking requires better vigilance | Matthew V. Masterson/Washington Times

This week, hackers from across the globe are gathering in Las Vegas at the annual DEF CON conference for an exercise ripped straight from news headlines — trying to hack U.S. election systems. It’s a unique exercise that has raised a lot of eyebrows in the election community. For me, it’s yet another moment to focus on the topic of election system security and the need for constant vigilance. For all of the hype surrounding the DEF CON exercise and beyond the 2016 election system hacking attempts shaping news headlines these days, attempts to hack into government-controlled systems aren’t exactly a new concept or exercise. There were 10 federal agency cyber breaches in 2014, including targets such as the White House, State Department, Office of Personnel Management (OPM) and Nuclear Regulatory Commission. In fiscal 2016, OPM found federal agencies faced 31,000 “cyber incidents” that led to “compromise of information or system functionality.”

National: It took DEF CON hackers minutes to pwn these US voting machines | The Register

After the debacle of the 2000 presidential election count, the US invested heavily in electronic voting systems – but not, it seems, the security to protect them. This year at the DEF CON hacking conference in Las Vegas, 30 computer-powered ballot boxes used in American elections were set up in a simulated national White House race – and hackers got to work physically breaking the gear open to find out what was hidden inside. In less than 90 minutes, the first cracks in the systems’ defenses started appearing, revealing an embarrassingly low level of security. Then one was hacked wirelessly. “Without question, our voting systems are weak and susceptible. Thanks to the contributions of the hacker community today, we’ve uncovered even more about exactly how,” said Jake Braun, who sold DEF CON founder Jeff Moss on the idea earlier this year. “The scary thing is we also know that our foreign adversaries – including Russia, North Korea, Iran – possess the capabilities to hack them too, in the process undermining principles of democracy and threatening our national security.”

National: U.S. elections are an easier target for Russian hackers than once thought | Los Angeles Times

When Chris Grayson pointed his Web browser in the direction of Georgia’s elections system earlier this year, what he found there shocked him. The Santa Monica cybersecurity researcher effortlessly downloaded the confidential voter file of every registered Georgian. He hit upon unprotected folders with passwords, apparently for accessing voting machines. He found the off-the-shelf software patches used to keep the system secure, several of which Grayson said could be easily infected by a savvy 15-year-old hacker. “It was like, holy smokes, this is all on the Internet with no authentication?” Grayson said in an interview. “There were so many things wrong with this.” … Among the most alarmed have been pedigreed computer security scholars, who warn that a well-timed hack of a vendor that serves multiple states could be enough to cause chaos even in systems that were thought to be walled off from one another. And they say security lapses like those in Georgia reveal the ease with which hackers can slip in.

National: Voter Registration Data from 9 States Available for Sale on Dark Web | Dark Reading

Threat intelligence company LookingGlass Cyber Solutions says it has discovered over 40 million voter records from nine different states being traded in an underground forum for stolen credit card data and login credentials. The voter records being offered for sale include the voter’s full first, last and middle name, voter ID, birthdate, voter status, party affiliation, residential address and other details. The data belongs to voters in Arkansas, Colorado, Connecticut, Delaware, Florida, Michigan, Ohio, Oklahoma and Washington State. Over the last two days, voter databases from at least two of the states—Arkansas and Ohio—were sold for a mere $2 each, or a total of $4 for almost 10 million voter records. That suggests financial gain is not the primary reason for the activity, according to LookingGlass. ‘Logan,’ the individual who has advertised the data and is selling it on a site called RaidForums, has hinted at possessing voter records for an additional 20 to 25 states, says Jonathan Tomek, director of threat research at LookingGlass Cyber Solutions.

National: Senate panel moves bill to deter foreign meddling in US | Associated Press

The Senate is moving forward with legislation to combat cyberattacks and deter foreign interference amid an investigation into Russian meddling in the 2016 election. The bill approved by the Senate intelligence committee 14-1 Thursday will now move to the Senate floor. According to the panel, the legislation would ensure the intelligence community is well-positioned to detect cyberattacks, strengthen information-sharing with states to protect voting systems and “send a message to Moscow that we will not accept their aggressive actions.”

Editorials: As Hackers Target U.S. Voting Machines, We Need Leaders Who’ll Put Country Over Party | Karen Hobert Flynn/Just Security

“If there has ever been a clarion call for vigilance and action against a threat to the very foundation of our democratic political system, this episode is it,” former Director of National Intelligence James Clapper told senators in May. Clapper’s warning about the impact of Russian interference in the 2016 election and the potential damage from future cyberattacks around the world packed a particularly powerful wallop. Over the next few days in Las Vegas, a group of white hat hackers will run a “Voting Machine Hacking Village,” using real U.S. voting machines to back up Clapper’s alarm with a demonstration of the vulnerability of some of our voting systems. This private effort, part of DEF CON, the world’s largest hacker convention, highlights a serious public problem: our election infrastructure was attacked and will be again; our federal and state governments must do much more to protect our most cherished right as Americans, our vote.

Russia: ‘Big hunt’ for Russian hackers, but no obvious election link | Associated Press

Pyotr Levashov appeared to be just another comfortable member of Russia’s rising middle-class—an IT entrepreneur with a taste for upmarket restaurants, Thai massages and foreign travel. Then police raided his vacation rental in Barcelona, marching him out in handcuffs to face charges of being one of the world’s most notorious spam lords. Levashov’s April 7 arrest was one in a series of American-initiated operations over the past year to seize alleged Russian cybercriminals outside their homeland, which has no extradition agreement with the United States. They come at a fraught moment in relations between Moscow and Washington, where politicians are grappling with the allegation that Kremlin hackers intervened in the U.S. election to help President Donald Trump. Through their lawyers, several defendants have suggested their arrests are linked to the election turmoil. Experts say that’s possible, though an Associated Press review of the cases found no firm evidence to back the claim.

California: Worried about election hacking, L.A. County officials are turning to hackers for help | Los Angeles Times

Local election officials are looking for some good hackers. As part of an effort to create a new voting system, Los Angeles County computer specialists are headed this week to Defcon, one of the world’s largest hacking conventions, where attendees will try to compromise a new target — voting equipment. County Registrar-Recorder Dean C. Logan said he hopes Defcon’s new Voting Village will give his staff more to worry about as they work to revamp the way Los Angeles County votes. Defcon, which draws 20,000 participants to Las Vegas yearly, has set aside a space this year for hackers to pick apart voting machines, assail voter-registration databases and carry out mock attacks on various voting processes from around the country.

National: Hackers plan to break into 30 voting machines to put election meddling to the test | USA Today

Think of it as a stress test for democracy. Hackers plan to spend this weekend trying to break into more than 30 voting machines used in recent elections to see just how far they can get. U.S. election officials have consistently said that despite Russian attempts to affect the outcome of the 2016 presidential election, no votes were tampered with. … However, experts in election voting software say no states routinely perform post-election vote audits to ensure that the reported vote count tallies with ballots, Singer said. Moreover, there were no forensic examinations of any of the voting machines used in the 2016 presidential election, in part because many election-machine vendor contracts prohibit it, Singer said. That’s a red flag for hackers at DefCon.

National: Top hacker conference to target voting machines | Politico

Hackers will target American voting machines—as a public service, to prove how vulnerable they are. When over 25,000 of them descend on Caesar’s Palace in Las Vegas at the end of July for DEFCON, the world’s largest hacking conference, organizers are planning to have waiting what they call “a village” of different opportunities to test how easily voting machines can be manipulated. Some will let people go after the network software remotely, some will be broken apart to let people dig into the hardware, and some will be set up to see how a prepared hacker could fiddle with individual machines on site in a polling place through a combination of physical and virtual attacks. … With all the attention on Russia’s apparent attempts to meddle in American elections—former President Barack Obama and aides have made many accusations toward Moscow, but insisted that there’s no evidence of actual vote tampering—voting machines were an obvious next target, said DEFCON founder Jeff Moss. Imagine, he said, what a concerted effort out of Russia or anywhere else could do.

National: Facebook funds Harvard group trying to fight election hacking | The Hill

Facebook said on Wednesday that it will give funding to a nonprofit at Harvard that is trying to curb cyberattacks aimed at political groups and election systems. The social media giant’s money will go to Defending Digital Democracy, a group led by former campaign chairs for Hillary Clinton and Mitt Romney, based at Harvard’s Kennedy School of Government. Though Facebook is providing the initial funding for the center, it said that it hopes other participants will help the organization transition into a group with several members who share information and analysis in “critical areas of the democratic process.” At Black Hat, an IT security conference, Facebook Chief Security Officer Alex Stamos said the project was born out of the company realizing that no one was taking responsibility for issues of election hacking. “A huge amount of harm falls outside what we considered to be our problem,” Stamos said. “The real problem is that those issues are generally not anybody else’s problem either.”

National: Voting Machine Hacking Village at DEF CON | Gizmodo

… DEF CON is getting more deeply involved with election security than ever before—this year, the event will host its first Voting Machine Hacking Village. DEF CON villages are offshoots of the main event, where attendees get to tinker with technology. At the vote-hacking village, they’ll be invited to tamper with voting hardware and software. In addition to the hackers, the village is expecting visitors from Congress, the National Institute of Standards and Technology, the Department of Homeland Security, and voting machine vendors. Moss hopes to discover just how easy it is to compromise a voting system. Although states test components of their systems, Moss couldn’t find any examples of a state testing their complete voting apparatus. Most manufacturers, he explained, test voting machines for their ability to withstand humidity rather than hackers. This is worrisome, particularly at a time when Americans are suddenly obsessed with qualifying the security of their electoral systems.

National: Five things to watch for at ‘hacker summer camp’ | The Hill

The largest cybersecurity event of the year kicks off this week, as the Black Hat, Def Con and BSides conferences launch back-to-back-to-back in Las Vegas. … In a subversive move, attendees at Def Con will be able to attend its first Voting Machine Village. The Village offers a side conference on voting machine insecurity and a playground of real voting machines for hackers to toy with.