Americans tend to replace their smartphones every two or three years. By contrast, most Americans use voting machines that are at least a decade old and based on engineering and designs from the 1990s. The perils of ignoring the latter may not be apparent until the electoral system is suddenly wracked by mishaps — think of Florida, circa 2000. Unfortunately, the likelihood of major dysfunction grows as voting machines age. It’s fair to blame Washington for a portion of the mess and assume it won’t play a critical role in the solution. Determined to avoid a reprise of the Florida mishap, Congress allocated funds and mandated the purchase of new equipment in 2002. Then, with the mandates still in place, lawmakers turned off the funding spigot, leaving state and local governments to take up the slack. In next year’s presidential election, some voting machines in 43 states will be at least a decade old and dangerously close to the end of their expected lifespan, according to a new report from the Brennan Center for Justice. In 14 states, some voters will encounter machines that are 15 or more years old, meaning they pre-date Facebook and the widespread use of flat-screen televisions.
In 2010, the District of Columbia decided to test its online absentee voter system. So officials held a mock election and challenged the public to do their best to hack it. It was an invitation that Alex Halderman, a computer-security expert at the University of Michigan, couldn’t resist. “It’s not every day that you’re invited to hack into government computers without going to jail,” he says. In less than 48 hours, Halderman and his students gained complete control of the system and rigged it to play the Michigan fight song each time a vote was cast. The students were ecstatic, but Halderman, who has a long history of exposing cybersecurity weaknesses, takes a more sober view. “This is the foundation of democracy we’re talking about,” he says.
The electronic voting system that has been used in Estonia since 2005 cannot guarantee fair elections because of fundamental security weaknesses and poor operational procedures, according to an international team of security and Internet voting researchers. The analysis performed by the team’s members, some of whom acted as observers during 2013 local elections in Estonia, revealed that sophisticated attackers, like those employed by nation states, could easily compromise the integrity of the country’s Internet voting system and influence the election outcome, often without a trace. The team chose to analyze the Estonian system because Estonia has one of the highest rates of Internet voting participation in the world — over 21 percent of the total number of votes during the last local election were cast through the electronic voting system. During their observation of the local elections and by later watching the procedural videos released by the Estonian election authority, the researchers identified a large number of poor security practices that ranged from election officials inputting sensitive passwords and PINs while being filmed to system administrators downloading critical applications over insecure connections and using personal computers to deploy servers and build the client software distributed to voters. The researchers also used open-source code released by the Estonian government to replicate the electronic voting system in their laboratory and then devised several practical server-side and client-side attacks against it.
National: Federal Election Commission still in ‘significant’ danger of hacking | Center for Public Integrity
The Federal Election Commission’s computer and IT security continues to suffer from “significant deficiencies,” and the agency remains at “high risk,” according to a new audit of the agency’s operations. “FEC’s information and information systems have serious internal control vulnerabilities and have been penetrated at the highest levels of the agency, while FEC continues to remain at high risk for future network intrusions,” independent auditor Leon Snead & Company of Rockville, Md., writes. The audit, released today, comes less than two weeks after a Center for Public Integrity investigation that revealed Chinese hackers infiltrated the FEC’s IT systems during the initial days of October’s government shutdown — an incursion that the agency’s new leadership has vowed to swiftly address. The Chinese hacking attack is believed by FEC leaders and Department of Homeland Security officials to be the most serious act of sabotage in the agency’s 38-year history.
The Georgian government of President Mikheil Saakashvili, long a favorite of U.S. conservatives for championing pro-democratic “color revolutions,” is under fire for its own alleged suppression of a domestic opposition movement headed by a billionaire tycoon. Saakashvili was lauded as a reformer after he became president in 2004, following the Rose Revolution, and he has bravely challenged Russian hegemony in the region. But he has also shown a tendency to overreach, as in the imprudent military moves that offered Russia a pretext for invading Georgia in 2008. Now, critics charge, his government has been overly zealous in combating political challengers at home. Saakashvili’s rival is a wealthy businessman named Bidzina Ivanishvili, who made a fortune in Russia before returning home to form a political party called Georgian Dream. Ivanishvili’s supporters allege a series of repressive moves by the government, including a cyber attack that has caught up not just Georgian activists but U.S. lawyers, lobbyists and security advisers for Georgian Dream.
Highly sophisticated malware being used to spy on several countries, mostly in the Middle East, that has been around for more than two years has been discovered by Kaspersky Lab, the research arm of the Russian security products company announced May 28. Detected by researchers as Worm.Win32.Flame – or more simply, Flame – it’s designed to carry out cyber espionage and steal valuable information, including, but not limited to, computer display contents, information about targeted systems, stored files, contact data and audio conversations, Kaspersky Lab says.Kaspersky Lab’s chief security expert, Alex Gostev, characterizes Flame as a super-cyberweapon such as Stuxnet and Duqu, and in his blog contends it’s “one of the most complex threats ever discovered. It’s big and incredibly sophisticated. It pretty much redefines the notion of cyberwar and cyberespionage.”
A complex targeted cyber-attack that collected private data from countries such as Israel and Iran has been uncovered, researchers have said. Russian security firm Kaspersky Labs told the BBC they believed the malware, known as Flame, had been operating since August 2010. The company said it believed the attack was state-sponsored, but could not be sure of its exact origins. They described Flame as “one of the most complex threats ever discovered”. Research into the attack was carried out in conjunction with the UN’s International Telecommunication Union. They had been investigating another malware threat, known as Wiper, which was reportedly deleting data on machines in western Asia. In the past, targeted malware – such as Stuxnet – has targeted nuclear infrastructure in Iran. Others like Duqu have sought to infiltrate networks in order to steal data. This new threat appears not to cause physical damage, but to collect huge amounts of sensitive information, said Kaspersky’s chief malware expert Vitaly Kamluk.