WTF Community

Election Hacking Thread

Yeah, I don’t know :woman_shrugging:t2:

The Senate Intelligence Committee released their report on Russian hacking of election infrastructure. The findings were interesting to say the least.

Quote:

Actors and Motive

The Committee concurs with the IC that Russian government-affiliated actors were behind the cyber activity directed against state election infrastructure.

While the full scope of Russian activity against the states remains unclear because of collection gaps, the Committee found ample evidence to conclude that the Russian government was developing capabilities to undermine confidence in our election infrastructure, including voter processes.

The Committee does not know whether the Russian government-affiliated actors intended to exploit vulnerabilities during the 2016 elections and decided against taking action, or whether they were merely gathering information and testing capabilities for a future attack. Regardless, the Committee believes the activity indicates an intent to go beyond traditional intelligence collection.

3 Likes
2 Likes

From @dragonfly9, saving for later. :nerd_face:

Day 489

1 Like

Ok…thx for pointing this out.:-:grinning:

1 Like

@dragonfly9 Sigh… Well, at least the states are trying to find solutions… I feel like new paper ballots and pencils can’t cost all that much. :woman_shrugging:t2:

1 Like

Voting - Protecting fairness and Regulating it for the future

We see glimpses of what may or may not be happening within the states about how voting should be handled in the future.

How many states have paper ballots?
Which states use electronic ballots?

How safe is our voting data bases from external threats and from manipulation via the courts (washing voter rolls)?

How do we prevent outside influences (Koch Bros) influencers from getting sway on how our voter data is protected?

Not sure if this is an overlapping topic, but thought I’d add it to the General Discussion.

“Every state I travel to, state official I talk to, is taking this seriously,” Masterson said before an overflow crowd in the hearing room on the second floor of the Dirksen Senate Office Building. Notably, there were plenty of seats left on the Republican side of the bench, with only Charles Grassley of Iowa, who chairs the committee, present. The absence of other Republicans only underscored how divisive the issue of Russian electoral meddling remains; when Dianne Feinstein urged fellow legislators to “put aside politics and act decisively,” she was speaking almost entirely to members of her own party.

After testifying before the committee, Nina Jankowicz, a Kennan Institute scholar who has spent the last several years advising the Ukrainian government on how to counter Russian disinformation campaigns, told Yahoo News that the United States needs a “generational solution” that will make Americans less susceptible to fake news and other forms of manipulation. She pointed to Finland and Sweden as two nations that have done especially impressive work in educating their citizens in this regard. It is work, however, they have been doing since the end of World War II.

For now, Jankowicz hopes that every election board in the nation should make sure that electronic voting records are bolstered by a paper trail of tamper-proof records. She also believes, like Hickey of the Justice Department, that a “credible threat of retaliation” should be presented to the Russians, lest they think of launching another misinformation campaign in November. Lastly, she would “enlist credible third parties,” such as technology companies, to explain to Americans how voting works, since a broad confusion about the electoral process is what makes that process potentially ripe for exploitation.

It’s mush,” she said. “It’s hard for Americans to wade through that.

https://www.yahoo.com/news/north-korea-danger-recedes-ever-slightly-renewed-russian-threat-looms-004411454.html

3 Likes

DEFCON is back this weekend and they set up another election village.

This weekend saw the 26th annual DEFCON gathering. It was the second time the convention had featured a Voting Village, where organizers set up decommissioned election equipment and watch hackers find creative and alarming ways to break in. Last year, conference attendees found new vulnerabilities for all five voting machines and a single e-poll book of registered voters over the course of the weekend, catching the attention of both senators introducing legislation and the general public. This year’s Voting Village was bigger in every way, with equipment ranging from voting machines to tabulators to smart card readers, all currently in use in the US.

In a room set aside for kid hackers, an 11-year-old girl hacked a replica of the Florida secretary of state’s website within 10 minutes — and changed the results.

“There’s an interesting paradox.” Blaze said. “We know these systems are wildly insecure, and there’s been precious little evidence of these vulnerabilities so far being exploited in real elections. I think we’ve been very lucky, and I think there’s a little bit of a ticking time bomb here.”

Since October 2016, when intelligence agencies first put forth a statement warning that Russia was attempting to interfere in the US election, the US government has walked a tightrope between warning that Russia was trying various tactics to influence the outcome and insisting that everyone’s vote was counted accurately. While a number of Russian tactics with a range of effects have been exposed — hacking and leaking Democrats’ emails, scanning state voter registration databases, and sending phishing emails to county employees — there is, as numerous agencies have repeatedly stated, no known evidence of foreign hackers ever changing a US vote tally. One of Russia’s fundamental goals with such attacks, analysts stress, is undermining Americans’ faith in democracy itself.

4 Likes

Just unbelieveable…we suspected as such, and with questionable facts on whether that FLA voting set up has been infiltrated, one would think a huge panic would set in.

In a statement, the National Association of Secretaries of State disagreed with the village’s hacking efforts, arguing that the village is setting up an unrealistic scenario.

"Providing conference attendees with unlimited physical access to voting machines, most of which are no longer in use, does not replicate accurate physical and cyber protections established by state and local governments before and on Election Day," the organization said.

Despite the voting machine vulnerabilities being exposed in Defcon, it’s not clear whether the exercise will be able to help with the midterm elections in November. Braun said Defcon’s report on the voting machines will publish in September, giving election officials two months to fix all the reported security issues.

3 Likes

Hacking The Electric Grid Is Damned Hard

But, surprisingly, some electrical system experts are thinking about it in a different way. Cyberattacks on the grid are a real risk, they told me. But the worst-case scenarios we’re imagining aren’t that likely. Nor is this a short-term crisis, with risks that can be permanently solved. Bringing down the grid is a lot harder than just flicking a switch, but the danger is real — and it may never go away

It helps that the North American electric grid is both diverse in its engineering and redundant in its design. For instance, the Ukrainian attacks are often cited as evidence that hundreds of thousands of Americans could suddenly find themselves in the dark because of hackers. But Lawrence considers the Ukrainian grid a lot easier to infiltrate than the North American one. That’s because Ukraine’s infrastructure is more homogeneous, the result of electrification happening under the standardizing eye of the former Soviet Union, he told me. The North American grid, in contrast, began as a patchwork of unconnected electric islands, each designed and built by companies that weren’t coordinating with one another. Even today, he said, the enforceable standards set by NERC don’t tell you exactly what to buy or how to build. “So taking down one utility and going right next door and doing the same thing to that neighboring utility would be an extremely difficult challenge,” he said.

Meanwhile, the electric grid already contains a lot of redundancies that are built in to prevent blackouts caused by common problems like broken tree limbs or heat waves — and those redundancies would also help to prevent a successful cyberattack from affecting a large number of people. Suh-Lee pointed to an August 2003 blackout that turned the lights off on 50 million people on the east coast of the U.S. and Canada. “When we analyzed it, there was about 17 different things lined up that went wrong. Then it happened,” she said. Hackers wouldn’t necessarily have control over all the things that would have to go wrong to create a blackout like that.

2 Likes

The Cybersecurity 202: Def Con hackers couldn’t crack a mock voter database. It’s a rare bright spot for election security.

There is some good news, we do have the ability to protect these machines, we just need political will and funding.

They tried all weekend to hack the database, which was modeled after a real Ohio county’s and bolstered with extra layers of digital defenses. One got close, but nobody was able to manipulate the voter information inside.

To create the mock database, Voting Village organizers downloaded a publicly available list of voters from the Ohio secretary of state’s website. They then worked with officials from Cook County, Ill., who helped them create a realistic replica of a county computer network. They uploaded the database there and secured it behind layers of firewalls set up by Bash Kazi, a cybersecurity contractor who consulted on the project.

Hackers were invited to try to gain enough access to change voter information. If this were to happen in the real world on Election Day, it could cause long delays and create confusion at the polls. And the risks are well known: The Senate Intelligence Committee found that Russian hackers were in a position to “alter or delete” voter registration data in a “small number” of states when they intruded on election websites in 2016.

Kazi, who runs the firm KIG, which specializes in cybersecurity simulation training, said he hoped the exercise would help election administrators understand the threats. “The idea is to bring attention to the need to train local officials in the vulnerabilities that exist and the types of scenarios they’ll be encountering,” Kazi told me. He said the system he helped set up was “one of the more sophisticated networks relative to other small counties, which haven’t spent much money mitigating the risks that they have.”

Kazi watched as different hackers tried their luck throughout the day Friday. “After six and a half hours, no cigar,” he told me when I stopped by at the end of the afternoon. They didn’t fare any better the rest of the weekend.

4 Likes

Pervasive hacking…that DNI is aware of…what will be done on this front?

Documents Reveal Successful Cyberattack in California Congressional Race

The FBI investigated hacking attempts targeting a Democrat who ran against “Putin’s favorite congressman”

WASHINGTON — FBI agents in California and Washington, D.C., have investigated a series of cyberattacks over the past year that targeted a Democratic opponent of Rep. Dana Rohrabacher (R-CA). Rohrabacher is a 15-term incumbent who is widely seen as the most pro-Russia and pro-Putin member of Congress and is a staunch supporter of President Trump.

The hacking attempts and the FBI’s involvement are described in dozens of emails and forensic records obtained by Rolling Stone.

The target of these attacks, Dr. Hans Keirstead, a stem-cell scientist and the CEO of a biomedical research company, finished third in California’s nonpartisan “top-two” primary on June 5th, falling 125 votes short of advancing to the general election in one of the narrowest margins of any congressional primary this year. He has since endorsed Harley Rouda, the Democrat who finished in second place and will face Rohrabacher in the November election.

Cybersecurity experts say that it’s nearly impossible to identify who was behind the hacks without the help of law enforcement or high-priced private cybersecurity firms that collect their own threat data. These experts speculate that the hackers could have been one of many actors: a nation-state (such as Russia), organized crime, so-called e-crime or a hacktivist with a specific agenda. The FBI declined to comment.

Kyle Quinn-Quesada, who was Keirstead’s campaign manager, tells Rolling Stone that the campaign is now going public about the attacks for the sake of voter awareness. “It is clear from speaking with campaign professionals around the country that the sustained attacks the Keirstead for Congress campaign faced were not unique but have become the new normal for political campaigns in 2018,” Quinn-Quesada says. He added that the Keirstead campaign did not believe the cyberattacks had an effect on the primary election results.

The timing of the attacks is significant. Last month, Director of National Intelligence Dan Coats said the warning lights for future cyberattacks aimed at the U.S. were “blinking red.” A week later, a senior Microsoft executive said that Microsoft had identified and helped block hacking attempts aimed at three congressional candidates during the 2018 midterms. The executive declined to name those candidates, but the Daily Beast reported that the Russian intelligence agency responsible for the cyberattacks in 2016 had attempted to hack the office of Sen. Claire McCaskill (D-MO), who is running for reelection this year. (A Microsoft spokesperson declined to say if Keirstead was one of three people targeted by hackers, citing “customer privacy.”) Just last week, Sen. Bill Nelson (D-FL) said that Russian hackers had “penetrated” county voting systems in Florida.

While the spear-phishing attack targeting Keirstead’s work account was successful, none of the attempts to gain unauthorized access to the campaign’s website, hosting company or Twitter account were effective, according to the campaign emails.

3 Likes

Proposed legislation where every check and balance has been thought out by this bipartisan Secure Election Act giving States ultimate authority to run their elections.

Secure Elections Act

Somehow the WH is not giving it a go…nor is Mitch McConnell being clear about what he’s done or not done to support this.

WASHINGTON — A bill that would have significantly bolstered the nation’s defenses against electoral interference has been held up in the Senate at the behest of the White House, which opposed the proposed legislation, according to congressional sources.

The Secure Elections Act, introduced by Sen. James Lankford, R-Okla., in December 2017, had co-sponsorship from two of the Senate’s most prominent liberals, Kamala Harris, D-Calif., and Amy Klobuchar, D-Minn., as well as from conservative stalwart Lindsey Graham, R-S.C., and consummate centrist Susan Collins, R-Me.

Sen. Roy Blunt, R-Mo., was set to conduct a markup of the bill on Wednesday morning in the Senate Rules Committee, which he chairs. The bill had widespread support, including from some of the committee’s Republican members, and was expected to come to a full Senate vote in October. But then the chairman’s mark, as the critical step is known, was canceled, and no explanation was given.

As it currently stands, the legislation would grant every state’s top election official security clearance to receive threat information. It would also formalize the practice of information-sharing between the federal government—in particular, the Department of Homeland Security—and states regarding threats to electoral infrastructure. A technical advisory board would establish best practices related to election cybersecurity. Perhaps most significantly, the law would mandate that every state conduct a statistically significant audit following a federal election. It would also incentivize the purchase of voting machines that leave a paper record of votes cast, as opposed to some all-electronic models that do not. This would signify a marked shift away from all-electronic voting, which was encouraged with the passage of the Help Americans Vote Act in 2002.

“Paper is not antiquated,” Lankford says. “It’s reliable.

In a statement to Yahoo News, White House spokeswoman Lindsay Walters says that while the administration “appreciates Congress’s interest in election security, [the Department of Homeland Security] has all the statutory authority it needs to assist state and local officials to improve the security of existing election infrastructure.”

Under current law, DHS is already able to work with state and local authorities to protect elections, Walters wrote. If Congress pursues the Secure Elections Act, it should avoid duplicating “existing DHS efforts or the imposition of unnecessary requirements” and “not violate the principles of Federalism.

We cannot support legislation with inappropriate mandates or that moves power or funding from the states to Washington for the planning and operation of elections,” she added. However, the White House gave no specifics on what parts of the bill it objected to.

A spokesperson for Senate Majority Leader Mitch McConnell, who sits on the Rules Committee, declined to say whether the majority leader, widely renowned on Capitol Hill for his backroom tactics, was involved in efforts to hobble the Secure Elections Act.

https://www.yahoo.com/news/white-house-blocks-bill-protect-elections-173459278.html

3 Likes

DEFCON story about kids hacking election wedsite - Debunked by ProPublica!

3 Likes

Politico’s Nat Security writer discusses the continuing problems with shoring up our cyber security. GAO - Government Accountability Office.

@EricGeller Another day, another urgent warning from GAO about cybersecurity vulnerabilities.

https://www.gao.gov/assets/700/694355.pdf

1 Like

PAPER BALLOTS

3 Likes

Interesting Opinion piece…in NYT which discusses how a perfect technology of today - electronic voting machines, could end up being more of a problem. We face so many areas of vulnerability.

Every government is a machine, and every machine has its tinkerers — and its jams. From the start, machines have driven American democracy and, just as often, crippled it. The printing press, the telegraph, the radio, the television, the mainframe, cable TV, the internet: Each had wild-eyed boosters who promised that a machine could hold the republic together, or make it more efficient, or repair the damage caused by the last machine. Each time, this assertion would be both right and terribly wrong. But lately, it’s mainly wrong, chiefly because the rules that prevail on the internet were devised by people who fundamentally don’t believe in government.
>
The Constitution itself was understood by its framers as a machine, a precisely constructed instrument whose measures — its separation of powers, its checks and balances — were mechanical devices, as intricate as the gears of a clock, designed to thwart tyrants, mobs and demagogues, and to prevent the forming of factions. Once those factions began to appear, it became clear that other machines would be needed to establish stable parties. “The engine is the press,” Thomas Jefferson, an inveterate inventor, wrote in 1799.

In the spring of 2000, an article in Wired announced that the internet had already healed a divided America: “We are, as a nation, better educated, more tolerant, and more connected because of — not in spite of — the convergence of the internet and public life. Partisanship, religion, geography, race, gender, and other traditional political divisions are giving way to a new standard — wiredness — as an organizing principle for political and social attitudes.” Of all the dizzying technological boosterism in American history, from the penny press to the telegraph to the radio, no pronouncement was battier. In the years since, partisan divisions have become fully automated functions, those wires so many fetters.

The machine is no longer precisely constructed, its every action no longer measured. The machine is fix upon fix, hack after hack, its safety mechanisms sawed off. It has no brake, no fail-safe, no checks, no balances. It clatters. It thunders. It crushes the Constitution in its gears. The smell of smoke wafts out of the engine room. The machine is on fire.

1 Like

Some defensive maneuvering on protecting votes in a hypothetical blocked/corrupted voting scenario. An experiment is testing the ‘system’ in a pretend way, for now.

On Thursday, Cybereason, a Boston-based cybersecurity firm, will game out an exercise that puts pretend hackers up against pretend city emergency responders to see what would happen if cybercriminals aimed to disrupt an election by keeping people from voting.

The experiment is happening without computers, however.

Axios:

Why it matters: There are dozens of ways to interfere with an election without touching voting equipment, ranging from causing traffic jams to blasting air conditioning in a polling place on an already cold day. Nearly all of our attention to election security has focused on attacks Russia has already tried or on the most obvious target — the voting machines themselves. But the next wave of attacks won’t play by the rulebook we expect bad guys to use.

Tabletop exercises are group games that are sort of like a two-team Dungeons & Dragons — no computers, just paper and brains. It’s an interesting scenario to play out in your head. What needs to happen …

Voters need to know where and when to vote. A hacker could conceivably depress voter turnout by uploading false stories about polling place changes or extended hours for polls that plan to close on time.

Voters need to get to the polls. Hackers could close a major bridge, preventing people from getting to the polls. They could tie up transportation by informing bus drivers they’ve been given an extra day off.

Voters need to wait in line to cast a vote. False reports of gun violence near polling places or a nearby explosion might reduce the amount of time someone might be willing to wait.

Ross Rustici, Cybereason’s senior director of intelligence services, says the experiment likely will be harder for the pretend city team which has to anticipate and defend, but the more difficult it is now, the better prepared local and state officials may be come the midterms.

4 Likes