Tensions Flare As Hackers Root Out Flaws In Voting Machines (#GotBitcoin?)

Defcon hack-a-thon conference aims to help test election security, but makers of voting equipment raise doubts.

Hackers at the Defcon computer security conference believe they can help prevent manipulation of U.S. elections. Some election officials and makers of voting machines aren’t so sure.

That tension was front and center at Defcon’s second-annual Voting Village, where computer hackers are invited to test the security of commonly used election machines. Organizers see the event as an early test of U.S. election security and a counterpunch to potential outside interference. On the first day of the event, which runs through Sunday, hackers were able to swap out software, uncover network plug-ins that shouldn’t have been left working, and uncover other ways for unauthorized actors to manipulate the vote.

These hacks can root out weaknesses in voting machines so that vendors will be pressured to patch flaws and states will upgrade to more secure systems, organizers say.

Yet some manufacturers and security experts believe the hack-a-thon is unlikely to uncover the type of real-world issues that would come up in an election.

“Anybody could break into anything if you put it in the middle of a floor and gave them unlimited access and unlimited time,” said Leslie Reynolds, executive director of the National Association of Secretaries of State.

Election Systems & Software LLC, a leading manufacturer of voting equipment, was reluctant to have its systems tested at the conference. The company played down the expected findings from the event in a letter to customers. Hackers “will absolutely access some voting systems internal components because they will have full and unfettered access to a unit without the advantage of trained poll workers, locks, tamper-evident seals, passwords, and other security measures that are in place in an actual voting situation.”

Kathy Rogers, senior vice president of government relations for ES&S, said the letter was sent “in response to numerous inquiries by our customers as to what equipment might be at Defcon and what they might expect.”

In the letter, ES&S also warned election officials ahead of the conference that unauthorized use of its software violated the company’s licensing agreements, according to a copy of the letter viewed by The Wall Street Journal. Voting Village organizer Jake Braun disagreed with this interpretation of the agreements.

The states and vendors are making a mistake by not participating in the voting village, which amounts to a thorough security test for any machine involved, Mr. Braun said. “This is not a cyber-mature industry,” he said.

Some state and local election officials at the conference said the companies that sell voting equipment are more interested in maintaining their profit margins than improving the security of their machines.

ES&S had two employees attend Defcon to “learn about any ideas for enhancements to voting security,” Monica Tesi, a spokeswoman for the company, said. Making voting equipment available to “potential bad actors, foreign or otherwise,” could harm national security, Ms. Tesi said, adding that Defcon has no security or identity requirements and that anyone who pays the $280 registration fee can enter.

Dominion Voting, another voting machine maker, declined to comment and wouldn’t say whether it had employees present at the hacking conference.

Mr. Braun disputed the assertion that the Voting Village hacking could threaten national security, saying it would be naive to assume that Russia wasn’t already looking for voting system flaws. “I think it would be a national security threat not to do so,” said Mr. Braun. Representatives for Defcon didn’t immediately respond on Sunday when asked to comment on ES&S’s criticism of its security policies.

Election cybersecurity has been a national concern since 2016, when Russian-government hackers allegedly broke into systems at the Democratic National Committee, launched an influence campaign on Facebook Inc.’s social network, and targeted more than 20 voter registration systems, government officials say.

Russia has repeatedly denied interfering in the election.

Earlier this month, senior intelligence officials in the Trump administration warned that Russia was again engaging in “pervasive” efforts to interfere in the November elections.

In March, Congress appropriated $380 million to shore up the nation’s election systems—money that has now been allocated to 50 states and five territories to pay for improved election equipment, and security training and testing, according to the Election Assistance Commission, the agency responsible for disbursing the funds.

Jeanette Manfra, a senior cybersecurity official at the Department of Homeland Security, said that security researchers at Defcon were doing important work by finding vulnerabilities in voting systems that could be used by bad actors. But she said she sympathized with concerns from election officials that the vote-hacking village could unintentionally lower public confidence in American elections—considered a chief goal of Russian interference.

“You want companies to be building more secure products, but at the same time the public doesn’t necessarily know the full picture,” Ms. Manfra said. “If all you are saying is, ‘Look, even a kid can hack into this’, you’re not getting the full story, which can have the impact of having the average voter not understanding what is going on.”

“It’s really, really difficult to actually manipulate the vote count itself,” she said.

But it’s still worth uncovering any potential security flaws in these machines, because there are plenty of others—organized criminals for example—who might want to throw an election, said Joseph Lorenzo Hall, chief technologist with the nonprofit Center for Democracy & Technology.

“Everybody’s talking about Russians, but we have to be clear that there are other threats here,” said Mr. Hall on Friday while mingling with hackers at the Defcon Voting Village. It’s a conference room deep in the bowels of Caesars Palace—littered with voting machines, memory cards and scanners.

A few minutes later, Mr. Hall stopped talking and cast a wary eye over at two attendees who were examining a big gray vote scanning machine in the corner of the room. He was worried they might plug it in and fire up its powerful engine without supervision. “We’re OK with destructive testing of these things. I just don’t want you to hurt yourself,” he said. “There are things that will take your fingers off in there.”

Grade Schoolers Hack Into Election Websites In Under 10 Minutes

Proving you don’t have to be Russian to influence an election, 50 American kids wreaked havoc on a group of voting websites.

On Friday, an 11-year-old boy hacked into a Florida state election website and changed the voting results in under ten minutes. And no, he wasn’t Russian. He was one of 50 kids attending DEFCON 26, a giant hacking convention, and was participating in an event called the “Voting Machine Hacking Village.” Luckily, the website wasn’t real - it was a replica - but the point was the same nonetheless. If kids can change election results, the integrity of our elections is probably not safe.

During that event, the 50 kids all tried to hack over a dozen imitation websites that were designed to impersonate election sites in battleground states. Most of the kids, who were all between the ages of 8 and 16, managed to crack the sites in under 30 minutes and were able to alter party and candidate names, as well as tweak the candidates’ vote counts.

The National Association of Secretaries of State responded to the news with concern but naturally expressed some doubt that what the kids did could successfully be done on the real websites. At least they hope not, for the sake of their jobs. “It would be extremely difficult to replicate these systems since many states utilize unique networks and custom-built databases with new and updated security protocols,” the statement read.

Voting Machine Used in Half of U.S. Is Vulnerable to Attack, Report Finds

The flaw in Election Systems & Software’s Model 650 high-speed ballot-counting machine was detailed in 2007.

Election machines used in more than half of U.S. states carry a flaw disclosed more than a decade ago that makes them vulnerable to a cyberattack, according to a report to be delivered Thursday on Capitol Hill.

The issue was found in the widely used Model 650 high-speed ballot-counting machine made by Election Systems & Software LLC, the nation’s leading manufacturer of election equipment. It is one of about seven security problems in several models of voting equipment described in the report, which is based on research conducted last month at the Def Con hacker conference.

The flaw in the ES&S machine stood out because it was detailed in a security report commissioned by Ohio’s secretary of state in 2007, said Harri Hursti, an election-security researcher who co-wrote both the Ohio and Def Con reports. “There has been more than plenty of time to fix it,” he said.

While the Model 650 is still being sold on the ES&S website, a company spokeswoman said it stopped manufacturing the systems in 2008. The machine doesn’t have the advanced security features of more-modern systems, but ES&S believes “the security protections on the M650 are strong enough to make it extraordinarily difficult to hack in a real world environment,” the spokeswoman said via email. The machines process paper ballots and can therefore be reliably audited, she said.

The Def Con report is the latest warning from researchers, academics and government officials who say election systems in the U.S. are at risk of tampering. Earlier this month, the National Academies of Sciences, Engineering, and Medicine recommended U.S. states move away from voting machines that don’t include paper ballots. And senior intelligence officials have described Russian efforts to interfere in the 2018 midterm elections as deep, real and ongoing.

Voting security took on new urgency following the 2016 election. Russian hackers were accused by U.S. intelligence agencies of probing the election infrastructure of at least 21 states, breaching a small number of voter-registration databases, and promoting divisive propaganda on social media.

Moscow denies the allegations. U.S. officials say there is no evidence vote tallies were manipulated.

ES&S has said it considers cybersecurity a top priority and has never experienced a breach. However, the company didn’t employ a senior cybersecurity official until April. It said the 2016 election raised the specter of cybersecurity to a new level.

The Def Con report was written by participants in a “Voting Village” last month at the conference, in which hackers were invited to test the security of commonly used election systems.

Many flaws listed in the report can only be exploited when an attacker gets physical access to machines. However, the report describes two techniques hackers could leverage to get remote access and, for example, change a vote count.

To leverage the 11-year-old flaw, hackers need to save malicious files on a storage drive that is then plugged into a machine. Mr. Hursti said he believes that because the removable devices used by these machines are no longer manufactured and are commonly bought on sites such as eBay, it is possible for a hacker to sell an infected disk.

Model 650 vote counts could also be modified remotely via a networking bug, the report says.

In a close race, vote tampering could be devastating, Mr. Hursti said. “If you make a small modification in a small number of counties, that’s enough to swing the state,” he said.

ES&S has said Def Con, which is open to anyone, isn’t an appropriate venue for security research and that information gleaned about its systems could be misused.

In an interview last month, Christopher Wlaschin, ES&S’s vice president of systems security, said there is value in so-called white hat, or ethical, hacking. “What I’m not in favor of is submitting hardware and software and source code to anonymous people,” he said.

Tensions between ES&S and Def Con organizers have made coordinating security work ahead of the November midterm elections more difficult, according to federal officials.

ES&S has said it works closely with state and local officials who want to replace existing machines. Last year, ES&S granted a loan to Virginia so it could quickly swap out paperless machines weeks ahead of a gubernatorial election, the company said.

Election security researchers and politicians aren’t convinced ES&S is doing enough. The company hasn’t adopted common internet security standards that secure against phishing attacks and make it harder to intercept messages, according to staffers for Sen. Ron Wyden (D., Ore.). The U.S. issued a directive last year requiring all agencies to adopt such standards.

In a statement, Mr. Wyden said the security failings raise questions about ES&S’s commitment. “It’s like going to a restaurant—if the bathroom’s dirty, you start to wonder what the kitchen looks like,” he said.

The ES&S spokeswoman said the company “has been dedicated to the security of our nation’s elections since its founding 40 years ago and proactively evolves security practices as threats evolve.”

Updated: 11-21-2019

Election Security Agency Grapples With Staffing, Budget Cuts

Executive director and general counsel both stepped down last month.

The federal agency responsible for setting election security standards is grappling with key leadership vacancies and inadequate funding, a new report by a government watchdog office has found.

The U.S. Election Assistance Commission, which is focused exclusively on the voting process, is struggling to help state and local officials bolster the security of their voting systems, the agency’s inspector general said in a report released Wednesday.

The commission has sought to promote cybersecurity best practices and to serve as a central resource for state and local governments, which have the primary responsibility for administering elections. But the inspector general’s report says that the commission’s efforts are faltering amid staffing shortages and years of budget cuts.

Two of the agency’s most senior officials—the executive director and general counsel—stepped down last month, and the agency has begun looking for their successors, the report said.

The agency’s acting executive director and chief information officer, Mona Harrington, said in a letter to the inspector general dated Monday that the agency “concurs” with the findings about its troubles.

“Investment in the EAC to support effective and secure elections and the funding of programs can no longer be ignored,” Ms. Harrington wrote in the letter. “We are hopeful that the president and Congress can work together to acknowledge the importance of the EAC’s mission and adequately fund the commission going forward.”

The commission had to set aside plans to hire its own cybersecurity expert because of a lack of funding, the report said.

The Trump administration repeatedly has pledged a “whole-of-government” effort to defend against election interference. Democrats have criticized President Trump and congressional Republicans for what they perceive as not prioritizing the issue and blocking legislation that would mandate stricter standards and boost federal funding.

The White House didn’t immediately respond to a request for comment.

Election officials say that they are better prepared than three years ago, when, U.S. intelligence agencies have concluded, Russian hackers and internet trolls sought to disrupt the 2016 U.S. presidential election and boost Mr. Trump’s campaign.

U.S. officials have said that no votes were manipulated in 2016. Moscow has denied interfering in the election.

National security agencies, along with state and local governments, have rolled out election-security initiatives, including increased information-sharing about cyber threats and major purchases of more secure voting machines.

The Election Assistance Commission, which is an independent agency with bipartisan leadership, was founded to promote best practices for election administration after ballot-counting problems plagued the 2000 U.S. presidential election.

In 2019, the agency sustained a cut to its budget for salaries and administrative tasks, which lowered the budget to $7.9 million from $8.6 million the year before.

On Monday, more than three dozen Democratic lawmakers released a letter calling for more funding for the commission.

Updated: 8-5-2020

Hackers Get Green Light To Test Election Voting Systems

After years of keeping security researchers at bay, election-equipment makers open their devices to testing.

Election Systems & Software LLC, the top U.S. seller of voting-machine technology, is calling a truce in its feud with computer-security researchers over the ways they probe for vulnerabilities of the company’s systems.

With the U.S. presidential election less than three months away, ES&S Chief Information Security Officer Chris Wlaschin on Wednesday will unveil the company’s outreach effort to security researchers at the annual Black Hat hacker convention that is taking place virtually this year, according to ES&S.

Mr. Wlaschin will detail a new vulnerability disclosure policy, which spells out, for example, the “safe harbor” protections that ES&S will provide legitimate researchers if they identify and notify the company of bugs in its systems, ES&S said.

Those provisions are standard across many industries, from computer equipment to cars to medical devices, as manufacturers seek outside help to ensure their systems are secure. But the makers of election equipment, ES&S in particular, have been reluctant to allow outside security experts to test their systems, researchers have said.

The company’s move follows the Department of Homeland Security last week urging increased cooperation between security researchers, election officials and vendors as it released guidance for election administrators on coordinating to address security vulnerabilities.

ES&S and some election officials had previously defended their reluctance to work with outside security researchers, at times arguing that some hackers have used unrealistic scenarios and published hyped claims to gain attention, and that real-world polling had safeguards such as poll workers and fellow voters that made hacking equipment unlikely.

U.S. national-security officials have warned about the threat to elections from foreign adversaries. U.S. intelligence officials have said Russia has probed state election systems and interfered through social media during the 2016 presidential election. Russia has denied meddling in U.S. elections.

For Omaha, Neb.-based ES&S, Wednesday’s expected announcement marks a turnaround from two years ago when the manufacturer and hackers clashed at Black Hat’s sister conference, called Defcon.

There, ES&S criticized a group of hackers who sought to test voting equipment. The company, at the time, said unauthorized use of its software violated its licensing agreements and that hackers risked jeopardizing national security by testing voting machines in a public setting with few safeguards.

Soon after, Kevin Skoglund, an independent security researcher, and others discovered that some ES&S systems—which weren’t supposed to be accessible on the internet—could be reached, although they were protected by a firewall.

Mr. Skoglund said he sent his findings to an industry information sharing center rather than to ES&S because he felt the company wouldn’t take his research seriously. “They did not have a good track record on these issues, so we felt like they would deny and spin,” he said.

Sen. Ron Wyden (D., Ore.), who has been critical of the companies, said: “Rather than welcoming the contributions of these researchers with open arms, ES&S and companies like it have repeatedly attempted to demonize cybersecurity researchers and discredit their work.”

ES&S says it has since changed its approach to handling such findings. It has added a way for researchers to report vulnerabilities and acted on several bug notifications, the company said.

It hired its first chief information security officer, Mr. Wlaschin, and last year allowed security experts from the Department of Energy’s Idaho National Laboratory cyber-testing facility to test three of its systems for security flaws. The lab declined to comment.

Synack Inc., a crowdsourced provider of security testing services, will evaluate a system that keeps track of voters checking in at polling stations, ES&S said. Test results from the lab and Synack won’t be made public, ES&S said.

“We hope researchers will agree that our actions in recent years have been positive and industry leading,” a company spokeswoman said.

When security researcher Jack Cable in January discovered that a virtual private network used by ES&S employees was running old software with known bugs that left it vulnerable to attack, he emailed the company’s security team on a Friday night and heard back within hours. A few days later, ES&S had fixed the problem, Mr. Cable and the company said.

“ES&S, more than any other vendor, has a history of locking horns with election security advocates,” Mr. Skoglund said. “It is encouraging to see signs of a new approach, but they have to do more to get past the skepticism and years of bad blood.”

Other companies also are opening themselves more to third-party scrutiny. Dominion Voting Systems Corp., the country’s second-largest voting-machine vendor, plans to publish a new policy for vulnerability disclosure in the coming weeks to expand on the company’s standard agreement for third-party security testing, said Kay Stimson, a spokeswoman for the Denver-based company.

Hart InterCivic Inc., another voting-machine vendor, said it has also expanded its vulnerability testing and reporting over the past year including by working with DHS. The Austin, Texas-based company said it established a way to report vulnerabilities in 2019, though it previously already worked with security experts.

DHS’s senior adviser on election security, Matt Masterson, said in a statement that “over the past few years, the relationship between the election community and the cybersecurity research community has grown immensely, but there is more to be done.”
