Huddled in the corner of a small room in the Salt Palace Convention Center are a group of hackers and a row of 12 voting machines. The machines, all of which were used during the 2016 election in Utah, are now strewn in pieces across a table as attendees of HackWest’s first annual cybersecurity conference pore over them, searching for vulnerabilities. And they’ve found a pretty major one. Any hacker can enter a voting booth, remove the card reader from the machine, turn off the machine, then power it back on again. Once the voting machine has turned back on, the screen will display a “no card reader” error message. All the hacker has to do from there is pop the card reader back in, and the machine will display the system setup.
An unusual question is capturing the attention of cyberspecialists, Russia experts and Democratic Party leaders in Philadelphia: Is Vladimir V. Putin trying to meddle in the American presidential election? Until Friday, that charge, with its eerie suggestion of a Kremlin conspiracy to aid Donald J. Trump, has been only whispered. But the release on Friday of some 20,000 stolen emails from the Democratic National Committee’s computer servers, many of them embarrassing to Democratic leaders, has intensified discussion of the role of Russian intelligence agencies in disrupting the 2016 campaign. The emails, released first by a supposed hacker and later by WikiLeaks, exposed the degree to which the Democratic apparatus favored Hillary Clinton over her primary rival, Senator Bernie Sanders of Vermont, and triggered the resignation of Debbie Wasserman Schultz, the party chairwoman, on the eve of the convention’s first day. Proving the source of a cyberattack is notoriously difficult. But researchers have concluded that the national committee was breached by two Russian intelligence agencies, which were the same attackers behind previous Russian cyberoperations at the White House, the State Department and the Joint Chiefs of Staff last year. And metadata from the released emails suggests that the documents passed through Russian computers. Though a hacker claimed responsibility for giving the emails to WikiLeaks, the same agencies are the prime suspects. Whether the thefts were ordered by Mr. Putin, or just carried out by apparatchiks who thought they might please him, is anyone’s guess.
The Illinois State Board of Elections’ online voter registration system remained down Thursday afternoon in the wake of a cyberattack last week. The attack on the statewide Illinois Voter Registration System occurred July 12, and the system was shut off July 13 as a precaution once the board realized the severity of the attack, according to a message sent to local election authorities. Hackers exploited “a chink in the armor in one small data field in the online registration system,” said Ken Menzel, the board’s general counsel.
Arizona voters deserve to know if their personal information on file with the state of Arizona remains safe from identity thieves. If there is any threat to the security of the voter registration database, it deserves not only an investigation but full disclosure of the outcome. Right now, every voter in the state has legitimate reason to at least wonder if their personal information has been compromised. A couple of weeks ago, the FBI investigated a hacking threat against the state’s voter registration database and deemed the threat credible, labeling it an “8 out of 10” on the severity scale. The database contains not only names and addresses but also driver license numbers, partial Social Security numbers and other personal information that identity thieves can match with other partial personal information and commit fraud. As the investigation progressed, the state shut down its voter registration website.
United Kingdom: Second referendum petition: Inquiry removes at least 77,000 fake signatures, as hackers claim responsibility for ‘prank’ | Telegraph
Parliamentary authorities have removed around 77,000 allegedly fake signatures from an online petition which calls for a re-run of the Brexit referendum – with hackers taking responsibility for adding thousands of counterfeit names. It follows a formal inquiry launched less than three hours earlier, amid claims some of the more than three and a half million signatures it has gained since Friday may be fraudulent. A statement posted on the House of Commons’ petitions committee Twitter account on Sunday afternoon said: “We are investigating allegations of fraudulent use of the petitions site. Signatures found to be fraudulent will be removed”.
National: Russian government hackers penetrated DNC, stole opposition research on Trump | The Washington Post
Russian government hackers penetrated the computer network of the Democratic National Committee and gained access to the entire database of opposition research on GOP presidential candidate Donald Trump, according to committee officials and security experts who responded to the breach. The intruders so thoroughly compromised the DNC’s system that they also were able to read all email and chat traffic, said DNC officials and the security experts. The intrusion into the DNC was one of several targeting American political organizations. The networks of presidential candidates Hillary Clinton and Donald Trump were also targeted by Russian spies, as were the computers of some GOP political action committees, U.S. officials said. But details on those cases were not available. A Russian Embassy spokesman said he had no knowledge of such intrusions. Some of the hackers had access to the DNC network for about a year, but all were expelled over the past weekend in a major computer cleanup campaign, the committee officials and experts said.
One day after a number of documents supposedly stolen during a hack on the Democratic National Committee servers were posted online, a cybersecurity expert says it is a clear act of “cyberwar.” “It’s really strange for a Russian intelligence agency,” Dave Aitel, an ex-NSA research scientist who’s now CEO of Immunity, told Tech Insider. “That’s straight up cyberwar.” At least two different groups associated with the Russian government were found inside the networks of the DNC over the past year, reading emails, chats, and downloading private documents, as was reported on Tuesday. The hack, which was investigated by the FBI and cybersecurity firm Crowdstrike, was linked to Russia through a lengthy technical analysis, which was detailed on the firm’s blog. Aitel called the analysis “pretty dead on.”
A series of data breaches overseas are spurring concerns that hackers could manipulate elections in the United States. Since December, hundreds of millions of voters in the U.S., the Philippines, Turkey and Mexico have had their data discovered on the web in unprotected form. In some instances, legitimate security researchers found the information, but in others, malicious hackers are suspected of pilfering the data for criminal purposes. The data breaches are raising questions as the U.S. considers whether to move toward electronic balloting. More people than ever are using the internet to register to vote and to request mail-in ballots. Some states have even become vote-by-mail only in recent years. “If you can’t keep the voter registration records safe, what makes you think you can keep the votes safe?” asked Pamela Smith, president of election watchdog Verified Voting. For a politically inclined hacker, insecure voter data could “very easily” create a pathway to “massive” voter fraud, said Joseph Kiniry, CEO of Free & Fair, which advocates for secure digital election systems. “If you can go in there and delete rows based on someone’s name or political affiliation, we will have a massively screwed up election process on the day,” he said.
National: Voter ID Laws May Have Actually Increased The Likelihood Of Voter Fraud—By Hackers | Fast Company
Over the past 16 years, only 10 cases of voter impersonation—out of 146 million registered voters—have ever been identified. And yet each election, a vocal political contingent made up primarily of Republicans complains about an alleged epidemic of voter fraud and impersonation. To combat it, they propose—and in many cases successfully pass—laws requiring voters to provide verification of their identity with an ID card, along with verbal confirmation of various pieces of personal data, before they are permitted to vote. As election officials become more reliant on electronic databases, the potential for hackers to commit voter manipulation and election fraud has gone way up. But it’s these very voter ID laws that are partly to blame, despite legislators’ claims that they would make elections safer, according to Joseph Kiniry, CEO of Free and Fair, a provider of secure election services and systems. “The best thing [hackers] could do is to screw up that data prior to the election,” says Kiniry.
Mexico: Millions of Mexican voter records leaked to Amazon’s cloud, says infosec expert | Ars Technica
A leaked database containing the voting records of millions of Mexican voters has been discovered by a security researcher. Chris Vickery, who works for MacKeeper, said he first spotted the Mexican voters’ roll—containing the records of 87 million voters in Mexico—on April 14. Vickery told Ars that he found the database with Shodan, a search engine that can find pretty much anything connected to the Internet. “The search term that returned this database was just ‘port:27017’ (the default MongoDB port),” Vickery said. “There really was nothing special about the search terms. It was just a stroke of luck that I saw it and followed up.” He added that the database was not accessible over HTTP: “You had to use a MongoDB client, but all you needed was the IP address. There was nothing protecting it at all.”
Every modern presidential election is at least in part defined by the cool new media breakthrough of its moment. In 2000, there was email, and by golly was that a big change from the fax. The campaigns could get their messages in front of print and cable news reporters — who could still dominate the campaign narrative — at will, reducing what had been a 24-hour news cycle to an hourly one. The 2004 campaign was the year of the “Web log,” or blog, when mainstream reporters and campaigns officially began losing any control they may have had over political news. Anyone with a computer could weigh in with commentary, news and, often, searing criticism of mainstream reporters and politicians — “Media Gatekeepers be damned!” Then 2008: Facebook made it that much easier for campaigns to reach millions of people directly, further reducing the influence of newspaper, magazine and television journalists. In 2012, Twitter shrank the political news cycle to minutes if not seconds, exponentially adding to the churn of campaign news.
The personal information of more than 50 million Filipinos has been exposed in a breach of the Philippine electoral commission. According to security researchers at Trend Micro, the hack contains a huge amount of very sensitive personal data, including the fingerprints of 15.8 million individuals and passport numbers and expiry dates of 1.3 million overseas voters. The website of the Commission on Elections, Comelec, was initially hacked on March 27, by a group identifying itself as Anonymous Philippines, the local fork of the wider hacker collective. The homepage was defaced with a message accusing Comelec of not doing enough to ensure the security of voting machines used in the country’s upcoming election.
The breach could be the biggest-yet hack of government-held data, according to Trend Micro. A breach of the Philippines’ Commission on Elections (Comelec) affecting about 55 million people could be the largest hack of government-held data ever, according to security specialists. Government representatives have downplayed the seriousness of the breach, which took place late last month, but IT security firm Trend Micro said its analysis of the exposed data found that it included sensitive information such as passport numbers and fingerprint records. “Every registered voter in the Philippines is now susceptible to fraud and other risks,” Trend said in an advisory. “With 55 million registered voters in the Philippines, this leak may turn out as the biggest government related data breach in history.”
A cyber-attack on the website of the Philippines Commission on Elections (Comelec) has resulted in personally identifiable information (PII) of roughly 55 million people being leaked online. While there are no exact details on the number of affected people, it appears that hackers managed to grab the entire voter database, which includes information on the 54.36 million registered voters for the 2016 elections in the Philippines. Information on voters abroad also leaked, along with other sensitive data. Should the data in this leak prove genuine, it would make the breach one of the largest so far this year, on par with the recent hack of a database apparently containing details of almost 50 million Turkish citizens, which determined Turkey’s authorities to launch a probe into the incident. It would also be the largest breach after the Office of Personnel Management attack last year.
The official website of the Commission on Elections (Comelec) was hacked Sunday night, more than a month before the May 9 polls, raising fears that the voting machines may also be compromised. The poll body’s database was leaked online after hackers defaced its website, www.comelec.gov.ph. Comelec officials, however, allayed public fears about the security of the automated election system (AES) after the hacking. The database was published on two mirror sites by a hacker group affiliated with Anonymous Philippines. The hackers urged the Comelec to implement the security features of the vote counting machines. The group said the database has a file size of around 340 gigabytes, with some of the tables supposedly encrypted by the Comelec. “But we have the algorithm to decrypt those data,” the hackers said. “What happens when the electoral process is so mired with questions and controversies? Can the government still guarantee that the sovereignty of the people is upheld? We request the implementation of the security features on the PCOS (precinct count optical scan) machines,” said Anonymous.
Is the Supervisor of Elections computer system vulnerable to hackers? Dan Sinclair, who is running against Sharon Harrington, says it is. In a FOX 4 exclusive, Sinclair and his team show how they were able to infiltrate one of the Supervisor of Elections servers. Using a structured query language injection, Sinclair and David Levin were able to gain immediate access to a server. From there, they collected the passwords for everyone that works in the Supervisor of Elections office for Lee County.
Alleged voting records of millions of American citizens have been uploaded to the dark web on a site affiliated with a well-known cybercrime forum. Although the information is not particularly sensitive in its own right, its presence on the site shows that even easily obtainable personal data can be of interest to hackers. The datasets appear to include voters’ full names, dates of birth, the date they registered to vote, addresses, local school districts, and several other pieces of information. The dumps also include voting records from previous elections and political affiliations. The two largest files are 1.2 GB and 1 GB, respectively, and each contain at least a million entries. The folder containing the files is called “US_Voter_DB,” though Motherboard could not independently verify the contents’ legitimacy. It’s not entirely clear where the data was sourced from. On December 28 last year, news site CSO Online reported that a database configuration issue had left 191 million voter records exposed to the open internet. That data was discovered by security researcher Christopher Vickery, who found his own personal information within the dump.
It’s a sad feature of contemporary life that data breaches are as common as changes in the weather. Still, the news that a misconfigured database resulted in the exposure of about 191 million registered voters’ personal information is incredibly alarming. For years, skeptical political theorists have warned that, although new technology held great potential for voting, it came with many potential threats to voter privacy and security. Unfortunately, some of these valid concerns were hijacked by conspiracy theorists, especially after a notorious series of scandals were linked to Diebold voting machines in the 2004 presidential election. But given this week’s news, it’s time to return to the question of how technology can compromise voter security, with an eye to developing constructive solutions.
First and last names. Recent addresses and phone numbers. Party affiliation. Voting history and demographics. A database containing this information from 191 million voter records was mysteriously published over the last week, the latest example of personal voter data becoming freely available, alarming privacy experts who say the information can be used for phishing attacks, identity theft and extortion. No one knows who built the database, or precisely where all the data came from, and whether its disclosure resulted from an inadvertent release or from hacks. The disclosure was discovered by an information technology specialist, Chris Vickery, who quickly alerted the authorities and published his findings on Databreaches.net. NationBuilder, a nonpartisan political data firm, has said it may have been the source of some of the data, although the actual database that was released was not the company’s.
A group of Chinese hackers have targeted Taiwanese news organizations and the opposition Democratic Progressive Party in order to get information on the upcoming presidential and legislative elections, such as the policies and speeches from the leaders participating in the elections. This report is the second part of the one revealed by FireEye last week which exposed China spying on the Japanese government using Dropbox. China was also blamed for spying on pro-democracy protesters in Hong Kong with an Android spyware disguised as an OccupyCentral app to keep an eye on the protesters. FireEye in August 2015 caught Chinese hackers spying on Tibetan activists as well as dozens of organizations in Bangladesh, Nepal, and Pakistan. The hackers attacked their targets through phishing emails; one of the emails had this subject line: “DPP’s Contact Information Update,” which indicated this to be a state-sponsored attack from a group known as “APT16” according to the security research team “FireEye”.
Georgia Secretary of State Brian Kemp announced plans Thursday to offer 6.2 million registered voters a year of free credit and identity theft monitoring services. The announcement came more than two weeks after a massive data breach at the agency exposed those voters’ personal information, including Social Security numbers and birth dates. An agency spokesman said the move is expected to cost $1.2 million, paid by the agency through reserve funds. Kemp said he has contracted with Austin, Texas-based CSID for services that will be available within 10 to 14 business days. Additionally, he said all Georgia voters in the breach whose identity is compromised will be eligible for identity theft restoration services if their identity is compromised over the next year.
Wellington is a town of political junkies and digital hotshots. We are the coolest – and smartest – little capital. So perhaps it was obvious what the Wellington City Council would say about having internet elections here: “Of course.” But in fact the council’s decision is wrong. The risks – hacking, mainly – are too great, and the benefits – internet voting is supposed to boost voter turnout – are small. Software expert Nigel McNie warned councillors against internet voting and cited the problem of the Death Star. It had just one little hole of vulnerability, but it was big enough to let a bomb through. Now of course geeks disagree about the risk from hacking. Some say internet voting can be made safe, or as safe as can be reasonably expected. But everyone knows that no system is guaranteed against hackers.
Estonians can vote over the internet in their national elections. Brazilians vote using electronic terminals that have Braille on the keypads and that have cut the tabulation time from a month to six hours. Some local British elections have let people vote by text message. It’s the year 2015, after all. So why do Canadian elections still happen the centuries-old way — by marking paper ballots and depositing them in a box? Especially when advocates say higher-tech voting methods could make the process more accessible? “There’s a number of reasons,” said Nicole Goodman, research director at the Centre for E-Democracy and an assistant professor at the University of Toronto’s global-affairs school. Goodman has extensively researched internet voting at other levels of government in Canada, particularly municipal elections in Ontario, where in last year’s contests 97 local governments out of 414 offered online voting. At the municipal level, Canada is a world leader in voting via the internet, Goodman says. But so far, no province or federal electoral authority has attempted it even in a small trial. One reason? “Lack of political will,” Goodman said. Elections Canada, by law, has to take its cues on how to run elections from Parliament, and no recent government has made it a priority to introduce potentially radical new voting methods — especially one such as internet balloting that might get whole new demographics, including traditionally non-voting youth, to suddenly take part. Another concern that has held back any internet voting system is security. “People want 100 per cent assurance that this cannot be tampered with,” said Jean-Pierre Kingsley, Canada’s former chief electoral officer. “I’m absolutely sure that we’ll be able to find something, but at this stage we’re not there yet.”
Online voting at next year’s local government elections is in jeopardy after the Christchurch City Council today rejected it. The company hired to conduct the online trial said without Christchurch it might not be viable – and it was rushing to try to reassure councillors and others that such voting is secure from hackers. On Monday, Checkpoint reported IT experts held grave fears about online voting, which has already been agreed to by councils in Palmerston North, Porirua, Whanganui, Rotorua and Matamata Piako. Today at a full meeting of the Christchurch City Council, IT experts pleaded with councillors to reject it based on security fears. One of them, Jonathan Hunt, reeled off a list of overseas examples where online voting has failed.
National: Federal Election Commission refuses to release computer security study | Center for Public Integrity
Next to the Federal Election Commission’s front door is a quotation from former U.S. Supreme Court Justice Louis Brandeis: “Sunlight is said to be the best of disinfectants.” But the agency is refusing to uncloak a pricey, taxpayer-funded study that details decay in the security and management of its computer systems and networks, which the Center for Public Integrity revealed had been successfully infiltrated by Chinese hackers in October 2013. The report — known within the FEC as the “NIST study” — also provides recommendations on how to fix the FEC’s problems and bring its computer systems in line with specific National Institute of Standards and Technology computer security protocols.
If we can bank and shop online, why can’t we also vote online? This once-common refrain — I certainly used to ask the question — has been answered in recent years by revelations that hackers have penetrated some of our largest financial institutions, retailers, entertainment studios and, of course, the federal government. We can do our banking and shopping online because, as Lawrence Livermore computer scientist David Jefferson said earlier this year, “Financial losses in e-commerce can be insured or absorbed, but no such amelioration is possible in an election. And, of course, the stakes are generally much higher in a public election than in an e-commerce system.” Jefferson’s view that online voting — and especially e-mail — is extremely vulnerable to being hacked, intercepted or manipulated is shared by many experts, including those at the National Institute of Standards and Technology and the U.S. Election Assistance Commission.
A team of researchers in Athens say they’ve designed the world’s first encrypted e-voting system where voters can verify that votes cast actually go to the intended candidate. The process happens on a distributed, publicly-available ledger, much like the blockchain — the peer-reviewed software architecture that underpins bitcoin. The digital ballot box, called DEMOS, decreases the probability of election fraud as more voters use the system to verify their votes. The voting system starts by generating a series of randomized numbers. Each voter gets two sets of numbers, or ‘keys’: a key corresponding to the voter, and a key that corresponds to the voter’s preferred candidate. This is akin to the blockchain’s private and public key combination which authenticates bitcoin transactions.
United Kingdom: Why can’t the UK vote online? The answer is simple – we fail at passwords | Information Age
In an age where so many of us handle our banking, tax returns and bill paying online, many have asked why can’t we cast a vote via the internet as well? Last year, over eight in ten (83%) of UK adults were active online – just imagine if we saw this sort of turnout for 2020’s election. However, moving voting online has its own risks as well. And much of this is down to poor password security. Much of this insecurity is rooted in existing Electronic Voting Machines – or EVMs – which are already in use throughout the world. India, for example, adopted EVMs for its 2004 parliamentary elections, with 380 million voters casting their ballots on more than a million machines. In the United States, push button or touchscreen style EVMs have been used regularly since 1976. However, across the world, EVMs have been roundly criticized for being susceptible to hacking and fraud. In India, it was successfully demonstrated that the 2009 election victory of the Congress Party of India could easily have been rigged – forcing the election commission to review the current EVMs.
The Nigerian presidential elections are in full swing. And as if the Independent Nigerian Electoral Commission doesn’t have enough things to worry about, their website just got hacked by some people calling themselves the Nigerian Cyber Army. As is customary, there is a rambling signature left by the hackers, in place of the usual website. It’s not like the website is essential to the elections or anything. Their software and servers are likely not pointed to that url. This, as far as I can tell, has absolutely no bearing on the outcome of the election, which is more physical than digital. It’s more of egg on their face. We are reaching out to INEC for comment. “Sorry x0 Your Site has been STAMPED by TeaM Nigerian Cyber Army. FEEL SOME SHAME ADMIN!!”, the hackers said on the defaced site.
For the second day in a row, an apparent cyberattack took down the state of Maine’s website. A Twitter account with the handle Vikingdom2015 posted Tuesday morning that Maine.gov will be offline for more than five hours. Another post said other hackers helped make the website inaccessible. Service to Maine.gov was restored by 9:45 a.m. The outages lasted about 2 1/2 hours. On Monday, Vikingdom2015 took credit for knocking out Maine.gov for three hours.