WTF Community

Election Hacking Thread

Pervasive hacking…that DNI is aware of…what will be done on this front?

Documents Reveal Successful Cyberattack in California Congressional Race

The FBI investigated hacking attempts targeting a Democrat who ran against “Putin’s favorite congressman”

WASHINGTON — FBI agents in California and Washington, D.C., have investigated a series of cyberattacks over the past year that targeted a Democratic opponent of Rep. Dana Rohrabacher (R-CA). Rohrabacher is a 15-term incumbent who is widely seen as the most pro-Russia and pro-Putin member of Congress and is a staunch supporter of President Trump.

The hacking attempts and the FBI’s involvement are described in dozens of emails and forensic records obtained by Rolling Stone.

The target of these attacks, Dr. Hans Keirstead, a stem-cell scientist and the CEO of a biomedical research company, finished third in California’s nonpartisan “top-two” primary on June 5th, falling 125 votes short of advancing to the general election in one of the narrowest margins of any congressional primary this year. He has since endorsed Harley Rouda, the Democrat who finished in second place and will face Rohrabacher in the November election.

Cybersecurity experts say that it’s nearly impossible to identify who was behind the hacks without the help of law enforcement or high-priced private cybersecurity firms that collect their own threat data. These experts speculate that the hackers could have been one of many actors: a nation-state (such as Russia), organized crime, so-called e-crime or a hacktivist with a specific agenda. The FBI declined to comment.

Kyle Quinn-Quesada, who was Keirstead’s campaign manager, tells Rolling Stone that the campaign is now going public about the attacks for the sake of voter awareness. “It is clear from speaking with campaign professionals around the country that the sustained attacks the Keirstead for Congress campaign faced were not unique but have become the new normal for political campaigns in 2018,” Quinn-Quesada says. He added that the Keirstead campaign did not believe the cyberattacks had an effect on the primary election results.

The timing of the attacks is significant. Last month, Director of National Intelligence Dan Coats said the warning lights for future cyberattacks aimed at the U.S. were “blinking red.” A week later, a senior Microsoft executive said that Microsoft had identified and helped block hacking attempts aimed at three congressional candidates during the 2018 midterms. The executive declined to name those candidates, but the Daily Beast reported that the Russian intelligence agency responsible for the cyberattacks in 2016 had attempted to hack the office of Sen. Claire McCaskill (D-MO), who is running for reelection this year. (A Microsoft spokesperson declined to say if Keirstead was one of three people targeted by hackers, citing “customer privacy.”) Just last week, Sen. Bill Nelson (D-FL) said that Russian hackers had “penetrated” county voting systems in Florida.

While the spear-phishing attack targeting Keirstead’s work account was successful, none of the attempts to gain unauthorized access to the campaign’s website, hosting company or Twitter account were effective, according to the campaign emails.

3 Likes

Proposed legislation where every check and balance has been thought out by this bipartisan Secure Election Act giving States ultimate authority to run their elections.

Secure Elections Act

Somehow the WH is not giving it a go…nor is Mitch McConnell being clear about what he’s done or not done to support this.

WASHINGTON — A bill that would have significantly bolstered the nation’s defenses against electoral interference has been held up in the Senate at the behest of the White House, which opposed the proposed legislation, according to congressional sources.

The Secure Elections Act, introduced by Sen. James Lankford, R-Okla., in December 2017, had co-sponsorship from two of the Senate’s most prominent liberals, Kamala Harris, D-Calif., and Amy Klobuchar, D-Minn., as well as from conservative stalwart Lindsey Graham, R-S.C., and consummate centrist Susan Collins, R-Me.

Sen. Roy Blunt, R-Mo., was set to conduct a markup of the bill on Wednesday morning in the Senate Rules Committee, which he chairs. The bill had widespread support, including from some of the committee’s Republican members, and was expected to come to a full Senate vote in October. But then the chairman’s mark, as the critical step is known, was canceled, and no explanation was given.

As it currently stands, the legislation would grant every state’s top election official security clearance to receive threat information. It would also formalize the practice of information-sharing between the federal government—in particular, the Department of Homeland Security—and states regarding threats to electoral infrastructure. A technical advisory board would establish best practices related to election cybersecurity. Perhaps most significantly, the law would mandate that every state conduct a statistically significant audit following a federal election. It would also incentivize the purchase of voting machines that leave a paper record of votes cast, as opposed to some all-electronic models that do not. This would signify a marked shift away from all-electronic voting, which was encouraged with the passage of the Help Americans Vote Act in 2002.

“Paper is not antiquated,” Lankford says. “It’s reliable.”

In a statement to Yahoo News, White House spokeswoman Lindsay Walters says that while the administration “appreciates Congress’s interest in election security, [the Department of Homeland Security] has all the statutory authority it needs to assist state and local officials to improve the security of existing election infrastructure.”

Under current law, DHS is already able to work with state and local authorities to protect elections, Walters wrote. If Congress pursues the Secure Elections Act, it should avoid duplicating “existing DHS efforts or the imposition of unnecessary requirements” and “not violate the principles of Federalism.

“We cannot support legislation with inappropriate mandates or that moves power or funding from the states to Washington for the planning and operation of elections,” she added. However, the White House gave no specifics on what parts of the bill it objected to.

A spokesperson for Senate Majority Leader Mitch McConnell, who sits on the Rules Committee, declined to say whether the majority leader, widely renowned on Capitol Hill for his backroom tactics, was involved in efforts to hobble the Secure Elections Act.

https://www.yahoo.com/news/white-house-blocks-bill-protect-elections-173459278.html

3 Likes

DEFCON story about kids hacking election website - Debunked by ProPublica!

3 Likes

Politico’s Nat Security writer discusses the continuing problems with shoring up our cyber security. GAO - Government Accountability Office.

@EricGeller Another day, another urgent warning from GAO about cybersecurity vulnerabilities.

https://www.gao.gov/assets/700/694355.pdf

1 Like

PAPER BALLOTS

3 Likes

Interesting Opinion piece…in NYT which discusses how a perfect technology of today - electronic voting machines, could end up being more of a problem. We face so many areas of vulnerability.

Every government is a machine, and every machine has its tinkerers — and its jams. From the start, machines have driven American democracy and, just as often, crippled it. The printing press, the telegraph, the radio, the television, the mainframe, cable TV, the internet: Each had wild-eyed boosters who promised that a machine could hold the republic together, or make it more efficient, or repair the damage caused by the last machine. Each time, this assertion would be both right and terribly wrong. But lately, it’s mainly wrong, chiefly because the rules that prevail on the internet were devised by people who fundamentally don’t believe in government.
The Constitution itself was understood by its framers as a machine, a precisely constructed instrument whose measures — its separation of powers, its checks and balances — were mechanical devices, as intricate as the gears of a clock, designed to thwart tyrants, mobs and demagogues, and to prevent the forming of factions. Once those factions began to appear, it became clear that other machines would be needed to establish stable parties. “The engine is the press,” Thomas Jefferson, an inveterate inventor, wrote in 1799.

In the spring of 2000, an article in Wired announced that the internet had already healed a divided America: “We are, as a nation, better educated, more tolerant, and more connected because of — not in spite of — the convergence of the internet and public life. Partisanship, religion, geography, race, gender, and other traditional political divisions are giving way to a new standard — wiredness — as an organizing principle for political and social attitudes.” Of all the dizzying technological boosterism in American history, from the penny press to the telegraph to the radio, no pronouncement was battier. In the years since, partisan divisions have become fully automated functions, those wires so many fetters.

The machine is no longer precisely constructed, its every action no longer measured. The machine is fix upon fix, hack after hack, its safety mechanisms sawed off. It has no brake, no fail-safe, no checks, no balances. It clatters. It thunders. It crushes the Constitution in its gears. The smell of smoke wafts out of the engine room. The machine is on fire.

1 Like

Some defensive maneuvering on protecting votes in a hypothetical blocked/corrupted voting scenario. An experiment is testing the ‘system’ in a pretend way, for now.

On Thursday, Cybereason, a Boston-based cybersecurity firm, will game out an exercise that puts pretend hackers up against pretend city emergency responders to see what would happen if cybercriminals aimed to disrupt an election by keeping people from voting.

The experiment is happening without computers, however.

Axios:

Why it matters: There are dozens of ways to interfere with an election without touching voting equipment, ranging from causing traffic jams to blasting air conditioning in a polling place on an already cold day. Nearly all of our attention to election security has focused on attacks Russia has already tried or on the most obvious target — the voting machines themselves. But the next wave of attacks won’t play by the rulebook we expect bad guys to use.

Tabletop exercises are group games that are sort of like a two-team Dungeons & Dragons — no computers, just paper and brains. It’s an interesting scenario to play out in your head. What needs to happen …

Voters need to know where and when to vote. A hacker could conceivably depress voter turnout by uploading false stories about polling place changes or extended hours for polls that plan to close on time.

Voters need to get to the polls. Hackers could close a major bridge, preventing people from getting to the polls. They could tie up transportation by informing bus drivers they’ve been given an extra day off.

Voters need to wait in line to cast a vote. False reports of gun violence near polling places or a nearby explosion might reduce the amount of time someone might be willing to wait.

Ross Rustici, Cybereason’s senior director of intelligence services, says the experiment likely will be harder for the pretend city team which has to anticipate and defend, but the more difficult it is now, the better prepared local and state officials may be come the midterms.

4 Likes

This is what an end game would be for Russian influencers. Polls do show we are caught in an unending skepticism about the validity of our upcoming elections.

What happens next…fewer voters perhaps?

I know the midterms are galvanizing many to urgently get to the polls, but the underlying mistrust of how safe our voting systems are is now at an all time low. (31%)

Significant quote
the intense focus by the media and the federal government on Russia’s election interference efforts could be eroding voters’ confidence in democratic institutions.

About 1 out of every 3 American adults thinks a foreign country is likely to change vote tallies and results in the upcoming midterm elections, according to a new NPR/Marist poll released Monday.

The finding comes even as there is no evidence Russia or any other country manipulated or tried to manipulate the vote count in 2016 or at any other point in American history.

The results give credence to what election officials have been worried about since at least the summer of 2016: that the intense focus by the media and the federal government on Russia’s election interference efforts could be eroding voters’ confidence in democratic institutions.

The U.S. intelligence community agrees Russia used a number of different strategies to influence the minds of voters leading up to the 2016 election: posing as Americans to spread false and misleading information on social media, hacking into campaign and political party servers to release narrative-shifting emails, and targeting voting infrastructure like registration databases.

But there’s been no indication any ballots were ever manipulated, as 31 percent of Americans think is likely to happen in November.

2 Likes

U.S. Cyber Command operation disrupted Internet access of Russian troll factory on day of 2018 midterms

The U.S. military blocked Internet access to an infamous Russian entity seeking to sow discord among Americans during the 2018 midterms, several U.S. officials said, a warning that the group’s operations against the United States are not cost-free.

The strike on the Internet Research Agency in St. Petersburg, a company underwritten by an oligarch close to President Vladimir Putin, was part of the first offensive cyber campaign against Russia designed to thwart attempts to interfere with a U.S. election, the officials said.

“They basically took the IRA offline,” according to one individual familiar with the matter who, like others, spoke on the condition of anonymity to discuss classified information. “They shut ‘em down.”

The operation marked the first muscle-flexing by U.S. Cyber Command, with intelligence from the National Security Agency, under new authorities it was granted by President Trump and Congress last year to bolster offensive capabilities.

Whether the impact of the St. Petersburg action will be long-lasting remains to be seen. Russia’s tactics are evolving, and some analysts were skeptical of the deterrent value on either the Russian troll factory or on Putin, who, according to U.S. intelligence officials, ordered an “influence” campaign in 2016 to undermine faith in U.S. democracy. U.S. officials have also assessed that the Internet Research Agency works on behalf of the Kremlin.

4 Likes

Very little has been done to shore up the election process. #FixIsIn

State election officials opt for 2020 voting machines vulnerable to hacking

The new machines still pose unacceptable risks in an election that U.S. intelligence officials expect to be a prime target for disruption by countries such as Russia and China.

The machines that Georgia, Delaware, Philadelphia and perhaps many other jurisdictions will buy before 2020 are an improvement over the totally paperless devices that have generated controversy for more than 15 years, election security experts and voting integrity advocates say. But they warn that these new machines still pose unacceptable risks in an election that U.S. intelligence officials expect to be a prime target for disruption by countries such as Russia and China.

3 Likes

A 23-page report is downloadable here discussing the prospect of getting accurate vote counting which is nearly impossible, including paper ballots.

It is up to the States to determine their own voting ‘platform’ and there are very few regulations nor guidance about this. In other words, nothing has changed since 2016…:anguished:

Abstract

Computers, including all modern voting systems, can be hacked and misprogrammed. The scale and complexity of U.S. elections may require the use of computers to count ballots, but election integrity requires a paper-ballot voting system in which, regardless of how they are initially counted, ballots can be recounted by hand to check whether election outcomes have been altered by buggy or hacked software. Furthermore, secure voting systems must be able to recover from any errors that might have occurred.

However, paper ballots provide no assurance unless they accurately record the vote as the voter expresses it. Voters can express their intent by hand-marking a ballot with a pen, or using a computer called a ballot-marking device (BMD), which generally has a touchscreen and assistive interfaces. Voters can make mistakes in expressing their intent in either technology, but only the BMD is also subject to systematic error from computer hacking or bugs in the process of recording the vote on paper, after the voter has expressed it. A hacked BMD can print a vote on the paper ballot that differs from what the voter expressed, or can omit a vote that the voter expressed.

It is not easy to check whether BMD output accurately reflects how one voted in every contest. Research shows that most voters do not review paper ballots printed by BMDs, even when clearly instructed to check for errors. Furthermore, most voters who do review their ballots do not check carefully enough to notice errors that would change how their votes were counted. Finally, voters who detect BMD errors before casting their ballots, can correct only their own ballots, not systematic errors, bugs, or hacking. There is no action that a voter can take to demonstrate to election officials that a BMD altered their expressed votes, and thus no way voters can help deter, detect, contain, and correct computer hacking in elections. That is, not only is it inappropriate to rely on voters to check whether BMDs alter expressed votes, it doesn’t work.

Risk-limiting audits of a trustworthy paper trail can check whether errors in tabulating the votes as recorded altered election outcomes, but there is no way to check whether errors in how BMDs record expressed votes altered election outcomes. The outcomes of elections conducted on current BMDs therefore cannot be confirmed by audits. This paper identifies two properties of voting systems, contestability and defensibility, that are necessary conditions for any audit to confirm election outcomes. No commercially available EAC-certified BMD is contestable or defensible.

To reduce the risk that computers undetectably alter election results by printing erroneous votes on the official paper audit trail, the use of BMDs should be limited to voters who require assistive technology to vote independently.

3 Likes
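The abstract's distinction between tabulation errors and BMD recording errors, worked through as an added simulation (not from the post or the paper it quotes). It assumes BRAVO ballot-polling as the audit method, which the abstract does not name, and uses constructed vote counts, a 1% risk limit and a 7% voter notice rate.

```python
"""Added illustration: what a risk-limiting audit can and cannot catch.

All numbers are constructed. The audit is BRAVO, a standard two-candidate
ballot-polling RLA; the quoted abstract does not name a specific method.
"""
import math
import random
from collections import Counter


def winner(ballots):
    """Full hand count: the candidate appearing on the most ballots."""
    return Counter(ballots).most_common(1)[0][0]


def bmd_paper(intent, flip_pct, notice_pct):
    """Paper produced by a misbehaving ballot-marking device.

    flip_pct percent of voters who chose A get a ballot printed for B.
    notice_pct percent of those voters spot the error and have their own
    ballot reissued correctly; that fixes nobody else's ballot.
    """
    n_a, n_b = intent.count("A"), intent.count("B")
    flipped = n_a * flip_pct // 100
    noticed = flipped * notice_pct // 100
    stay_wrong = flipped - noticed
    return ["A"] * (n_a - stay_wrong) + ["B"] * (n_b + stay_wrong)


def bravo_audit(paper, reported, risk_limit, rng):
    """Audit the reported outcome against the paper trail.

    Draw ballots at random with replacement. Each ballot for the reported
    winner multiplies the test statistic by 2*s, each other ballot by
    2*(1-s), where s is the winner's reported share. Stop and confirm once
    the statistic reaches 1/risk_limit. If that never happens within
    len(paper) draws, escalate to a full hand count of the paper.
    """
    rep_winner = max(reported, key=reported.get)
    share = reported[rep_winner] / sum(reported.values())
    if share <= 0.5:
        raise ValueError("reported winner needs a majority in this sketch")
    up, down = math.log(2 * share), math.log(2 * (1 - share))
    threshold = math.log(1 / risk_limit)
    log_t = 0.0
    for draws in range(1, len(paper) + 1):
        log_t += up if rng.choice(paper) == rep_winner else down
        if log_t >= threshold:
            return rep_winner, "confirmed by sample", draws
    return winner(paper), "full hand count", len(paper)


def summarize(intent, paper, reported, risk_limit, rng):
    outcome, how, draws = bravo_audit(paper, reported, risk_limit, rng)
    return {
        "intent_winner": winner(intent),
        "paper": dict(Counter(paper)),
        "reported_winner": max(reported, key=reported.get),
        "audit_outcome": outcome,
        "how": how,
        "draws": draws,
    }


def run_scenarios(seed=2020, risk_limit=0.01):
    rng = random.Random(seed)
    # What voters actually expressed (constructed): A wins 60/40.
    intent = ["A"] * 6000 + ["B"] * 4000
    results = {}

    # 1. Hand-marked paper equals intent; the tabulator swaps the totals.
    #    The paper contradicts the report, so the audit cannot confirm it.
    results["hand_marked"] = summarize(
        intent, list(intent), {"A": 4000, "B": 6000}, risk_limit, rng)

    # 2. The BMD alters votes before printing; the tabulator is honest.
    #    Paper and report agree with each other, just not with the voters.
    paper = bmd_paper(intent, flip_pct=40, notice_pct=7)
    results["bmd"] = summarize(
        intent, paper, dict(Counter(paper)), risk_limit, rng)
    return results


if __name__ == "__main__":
    for name, r in run_scenarios().items():
        print(name, r)
```

In the first scenario the audit escalates to a hand count and recovers the voters' choice; in the second it confirms the altered outcome from a small sample, because the only evidence it can examine is the paper the BMD printed.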

FBI to shed some light on FL hacking…link to article inside tweet.

The briefing is in response to a request that House Representatives Stephanie Murphy, Democrat of Florida, and Michael Waltz, Republican of Florida, made in a letter to Attorney General William Barr and FBI Director Christopher Wray on May 2.

Florida’s governor and secretary of state have also said that they were unfamiliar with the 2016 hack, and have requested answers. Gov. Ron DeSantis has also requested an FBI briefing on the subject, but does not have a date set, though his office says it wants it to take place before DeSantis visits Israel on May 25.

1 Like

You wonder how vulnerable we are…and who’s doing what? Here’s a US friendly cybersecurity hacking contest…and see what they can do.

Are there threats? Well, look below…

https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2019/10/17/the-cybersecurity-202-cyber-command-hacking-contest-aims-to-prep-election-day-first-responders/5da7463288e0fa3155a711a6/

It also marks a novel team-up between U.S. Cyber Command, which is sponsoring the AvengerCon conference today and tomorrow, and the ethical hacking community, which has sounded alarm bells about vulnerabilities in U.S. voting systems but gotten blowback from state and local election officials and voting machine companies saying they’re overhyping the threat.

“The idea is to bring up the skill level and the knowledge level of individuals that, if all hell breaks loose, are going to be responsible for defending or eradicating a potential impact [on Election Day]. You can’t do that if you don’t practice,” Armando Seay, director of Dreamport, a Cybercom offshoot running the conference, told me.

Cybercom launched Dreamport about 18 months ago with a mission of forging stronger relationships between the super-secret work being done by the military command’s offensive and defensive hackers and private-sector cybersecurity researchers.

And with the public anxious that Russia will try to repeat or one-up its 2016 election interference operation, protecting elections seemed like an obvious priority, Seay told me.

OH, wait…of course there are THREATS…WTFery

Cybersecurity warning: This sophisticated Russian hacking group is back in action again

Researchers detail how Cozy Bear - the hacking group behind the DNC attacks - has been working under the radar in attacks against Foreign Ministries across Europe.

A Russian cyber espionage operation which was one of the groups which hacked into the Democratic National Committee in the run-up to the 2016 US Presidential election has been busy with attacks against government departments across Europe and beyond.

The Cozy Bear hacking group – also known as APT29 – is believed to be associated with the Russian intelligence service and, alongside Russian military hacking group Fancy Bear, was involved in a number of high profile attacks between 2014 and 2017.

In the time since then, Cozy Bear appeared to go quiet, but now cyber security analysts at ESET have detailed how the group – which they refer to as Dukes – have continued their activity while attempting to stay under the radar.

The newly uncovered campaign – dubbed Operation Ghost by researchers – started in 2013 and continued into 2019, meaning the group never stopped its espionage activity.

In attacks using four new families of malware, Cozy Bear has targeted ministries of foreign affairs in at least three different countries in Europe, as well as the US embassy of a European Union country in Washington DC.

Researchers have attributed Operation Ghost to Cozy Bear because the attacks use backdoor malware associated with previous activity by the group – MiniDuke – although this version appears to have been updated. The group also appears to be mostly active during working hours in Russia, with occasional activity at night-time.

Like other campaigns by Cozy Bear, attacks begin with targeted spear-phishing emails designed to lure victims into clicking a malicious link or downloading malware via an attachment – however the initial compromise emails haven’t yet been identified.

From there, the attackers steal login details to roam across networks, often exploiting admin credentials to do so.

The campaigns also use three new families of malware to help conduct operations on compromised systems, which researchers have named PolyglotDuke, RegDuke and FatDuke.

PolyglotDuke uses Twitter, Reddit, Imgur and other websites to link to their command and control (C&C) infrastructure, enabling the attackers to avoid storing this information in the malware – something which can be helpful for avoiding detection.

“Automated systems will less likely flag an executable as malicious if it only contains URLs of legitimate websites. Moreover, if the malware is executed in a sandbox, without internet access, it won’t perform any malicious activity as it cannot reach the C&C server,” Matthieu Faou, ESET malware researcher and the author of the research told ZDNet.

“Finally, it allows attackers to easily update the C&C URL as they just need to replace the message,” he added.

Meanwhile, RegDuke contains the main payload and stores it on the Windows registry while also applying steganography to stay hidden. The third new malware family is FatDuke, something which researchers describe as a sophisticated backdoor with the ability to steal login credentials and other private data associated with espionage activities – especially against high ranking government departments.

“These organizations typically deal with highly-sensitive documents about national or worldwide policy. Thus, from an espionage perspective, they are very valuable targets,” said Faou.

The ESET report states that researchers will continue to monitor activity by Dukes and a list of Indicators of Compromise has been posted to GitHub to help potential victims detect attacks.

Researchers also warn that just because an APT threat group appears to have gone dark, it doesn’t mean they’ve stopped espionage activity – indeed, the very nature of spying means they’re doing all they can to avoid detection. And while groups like Cozy Bear might occasionally pause activity, it’s ultimately their job to conduct espionage at all times – so the group will return again in future.

“We can expect them to develop new tools to be able to re-start their attacks in the next weeks or months,” said Faou.

4 Likes

Thank you for reviving this thread! I’ve been too busy lately and this subject is important. :clap:

4 Likes

Cybersecurity and electoral safety should be at the forefront of people’s minds, not to mention Congress and well, our President. Last entry of course is in purposeful denial and flim flamming away without any true regard for election safety.

Article talks about how the States are now the front lines of voter fraud issues and voter safety.

SPRINGFIELD, Va. (AP) — Inside a hotel ballroom near the nation’s capital, a U.S. Army officer with battlefield experience told 120 state and local election officials that they may have more in common with military strategists than they might think.

These government officials are on the front lines of a different kind of battlefield — one in which they are helping to defend American democracy by ensuring free and fair elections.

“Everyone in this room is part of a bigger effort, and it’s only together are we going to get through this,” the officer said.

That officer and other past and present national security leaders had a message to convey to officials from 24 states gathered for a recent training held by a Harvard-affiliated democracy project: They are the linchpins in efforts to defend U.S. elections from an attack by Russia, China or other foreign threats, and developing a military mindset will help them protect the integrity of the vote.

The need for such training reflects how elections security worries have heightened in the aftermath of the 2016 election, when Russian military agents targeted voting systems across the country as part of a multi-pronged effort to influence the presidential election. Until then, the job of local election officials could have been described as akin to a wedding planner who keeps track of who will be showing up on Election Day and ensures all the equipment and supplies are in place.

Now, these officials are on the front lines. The federal government will be on high alert, gathering intelligence and scanning systems for suspicious cyber activity as they look to defend the nation’s elections. Meanwhile, it will be the state and county officials who will be on the ground charged with identifying and dealing with any hostile acts.

“It’s another level of war,” said Jesse Salinas, the chief elections official in Yolo County, California, who attended the training. “You only attack things that you feel are a threat to you, and our democracy is a threat to a lot of these nation-states that are getting involved trying to undermine it. We have to fight back, and we have to prepare.”

Salinas brought four of his employees with him to the training, which was part of the Defending Digital Democracy Project based at the Belfer Center for Science and International Affairs at the Harvard Kennedy School. The group has been working actively with former and current military, national security, political and communications experts — many of whom dedicate their time after work and on weekends — to develop training and manuals for state and local election officials. Those involved with leading the training asked for anonymity because of their sensitive positions.

2 Likes

This is an in-depth investigative report about VR Systems, a company that handles election and voter registration software in several states. We still don’t know what really happened when their software malfunctioned on election day 2016 in Durham County, N.C., following a phishing attack on the company by the Russians.

To this day, no one knows definitively what happened with Durham’s poll books. And one important fact about the incident still worries election integrity activists three years later: VR Systems had been targeted by Russian hackers in a phishing campaign three months before the election. The hackers had sent malicious emails both to VR Systems and to some of its election customers, attempting to trick the recipients into revealing usernames and passwords for their email accounts. The Russians had also visited VR Systems’ website, presumably looking for vulnerabilities they could use to get into the company’s network, as the hackers had done with Illinois’ state voter registration system months earlier.

The uncertainty around what happened in Durham and to VR Systems has attracted concern in the U.S. Senate. Senator Ron Wyden (D-Ore.), who believes the Russians may have successfully breached VR Systems, has been trying to resolve the unknowns. “The American people have a right to know whether the Russian government’s hack of VR Systems played any role in the failure of VR Systems’ products in Durham, North Carolina, on Election Day in 2016,” Wyden told POLITICO.

Public confidence in the integrity of the 2016 election outcome rests largely on the belief that the Russian hackers—who did, in fact, attempt to meddle in the election, according to the U.S. intelligence community—were blocked before they could alter votes or have a direct effect on the results by manipulating voter records. It has been publicly reported, for example, that those hackers superficially probed election-related websites in 21 states and breached a few voter-registration databases, but did not alter or delete voter records. And accounts of the Russian interference laid out in a recent Senate Intelligence Committee report and in Robert Mueller’s lengthy investigative summary released earlier this year assert that there’s no evidence the Russian actors altered vote tallies or even attempted to do so.

But the government has also suggested in one report and asserted outright in others—among them a 2017 National Security Agency document leaked to the press, a 2018 indictment of Russian intelligence officers, and the Senate Intelligence Committee report and Mueller report—that the hackers successfully breached (or very likely breached) at least one company that makes software for managing voter rolls, and installed malware on that company’s network.

… a successful hack of any of these companies—even a small firm—could have far-flung implications. In the case of VR Systems, more than 14,000 of the company’s electronic poll books were used in the 2016 elections—in Florida, Illinois, Indiana, North Carolina, Virginia and West Virginia and other states. The company’s poll book software—known as EViD, short for Electronic Voter Identification—was used in 23 of North Carolina’s 100 counties and in 64 of Florida’s 67 counties. The latter include Miami-Dade, the state’s most populous county.

But VR Systems doesn’t just make poll book software. It also makes voter-registration software, which, in addition to processing and managing new and existing voter records, helps direct voters to their proper precinct and do other tasks. And it hosts websites for counties to post their election results. VR Systems software is so instrumental to elections in some counties that a former Florida election official said that 90 percent of what his staff did on a daily basis to manage voters and voter data was done through VR Systems software.

The fact that so many significant questions about VR Systems remain unanswered three years after the 2016 election undermines the government’s assertions that it’s committed to providing election officials with all of the timely information they need to secure their systems in 2020. It also raises concerns that the public may never really know what occurred in 2016.

4 Likes

Sen Angus King’s digital director aims to keep the staff on their toes, ever reminding them that clicking on links can open up a campaign to serious hacking.

The goal was to keep staff members on their toes so they wouldn’t fall for emails from real hackers intent on damaging the campaign.

“We would try to get them to do things like change their password for their email or change their password for the database we were using,” Kaplan said.

It’s this kind of attention to detail and seriousness about security that political veterans and party officials are urging on candidates and their staffs. Starting next week, the first votes in the 2020 Democratic presidential primaries will be cast. Even more campaigns — from congressional races to local contests for mayor and city council — are gearing up for November’s election.

3 Likes

I became interested when I read that piece on WTF and started digging. It’s a much bigger problem than I anticipated.

"A compact flash card was found, containing a SQLite database of some 600,000 voter records in Tennessee, formatted for the ExpressPoll. Someone sold a Diebold ExpressPoll 5000, containing this card, on eBay.

The very presence of this card at DEF CON, a well-known hacker conference, or indeed anywhere outside of an incinerator, is a huge vulnerability, as it indicates that personal and voter records are clearly not treated with respect, or any sort of security. The entries within this database could be altered, deleted, or appended to, demonstrating that even voter records used in an actual election could be altered by anybody with access to basic hardware."

Anyone can purchase these machines and parts on eBay, which means there’s probably another unseen market elsewhere. This issue needs more attention from the public.

6 Likes

Wtf, right?!

2 Likes