2 Congressmen Watched Voting Machines Being Hacked

Primer

33 states accepted DHS aid to secure elections

The Department of Homeland Security (DHS) provided cybersecurity assistance to 33 state election offices and 36 local election offices leading up to the 2016 presidential election, according to information released by Democratic congressional staff.

During the final weeks of the Obama administration, the DHS announced that it would designate election infrastructure as critical, following revelations about Russian interference in the 2016 election.

Since January, two states and six local governments have requested cyber hygiene scanning from the DHS, according to a memo and DHS correspondence disclosed Wednesday by the Democratic staff of the Senate Homeland Security and Governmental Affairs Committee.

The information is related to the committee’s ongoing oversight of the DHS decision to designate election infrastructure.

The intelligence community said back in January that in addition to directing cyberattacks on the Democratic National Committee and top Democratic officials, Russia also targeted state and local electoral systems not involved in vote tabulating.

In June, DHS officials told senators investigating Russian interference that there was evidence that Russia targeted election-related systems in 21 states, none of them involved in vote tallying.

Officials have previously confirmed breaches in Arizona and Illinois, though it remains unclear whether other systems were successfully breached. Lawmakers such as Sen. Mark Warner (D-Va.) have demanded more information on the specific states targeted.

Homeland Security and Governmental Affairs ranking member Claire McCaskill (D-Mo.) wrote to then-Secretary of Homeland Security John Kelly back in March, asking for more information on his plans for the critical infrastructure designation. The information released Wednesday is drawn from his response on June 13. Kelly has since left his post to serve as President Trump’s chief of staff.

“Prior to the election, DHS offered voluntary, no-cost cybersecurity services and assistance to election officials across all 50 states. By Election Day, 33 state election offices and 36 local election offices requested and received these cyber hygiene assessments of their internet-facing infrastructure,” Kelly wrote.

“In addition, one state election office requested and received a more in-depth risk and vulnerability assessment of their election infrastructure.”

Given the critical infrastructure designation, the DHS is providing cyber hygiene assessments, which include vulnerability scanning of election-related systems excluding voting machines and tallying systems, which the department recommends being disconnected from the internet.

The department also offers risk and vulnerability assessments, which include penetration testing, social engineering, wireless discovery and identification, and database and operating systems scanning. The DHS is also responsible for sharing threat information with owners and operators of critical infrastructure, which now include state and local election officials.

“Following the establishment of election infrastructure as critical infrastructure, several state and local governments requested new or expanded cybersecurity services from DHS,” Kelly disclosed in June, according to the letter. “Specifically, an additional two states and six local governments requested to begin cyber hygiene scanning (one state has, however, ended its service agreement). DHS also received one request for the risk and vulnerability assessment service.”

Many state and local election officials have opposed the designation, saying that the DHS has not offered enough information about what it means. The department has insisted that assistance will be given only to states that request it.

In the letter, Kelly, who has acknowledged objections, said there are “no plans to make any changes to the designation of election infrastructure as a critical infrastructure subsector.”

All of the Democratic members of the Senate Homeland Security and Governmental Affairs Committee have called for a full investigation into Russian election interference. The matter is already under investigation by the House and Senate Intelligence committees. The memo issued by Democratic staff on Wednesday was sent to the full committee.

Background at a Las Vegas Convention:

LAS VEGAS—For the first time in the 25 years of the world’s largest hacker convention, DefCon, two sitting U.S. Congressmen trekked here from Washington, D.C., to discuss their cybersecurity expertise on stage.

Rep. Will Hurd, a Texas Republican, and Rep. Jim Langevin, a Rhode Island Democrat, visited hacking villages investigating vulnerabilities in cars, medical devices, and voting machines; learned about how security researchers plan to defend quantum computers from hacks; and met children learning how to hack for good.

On Sunday, the last day of the conference, Hurd and Langevin delivered their own message: We come in peace. Please help us.

During a fireside chat-style conversation moderated by Joshua Corman, director of the Cyber Statecraft Initiative at the Atlantic Council, Hurd, chairman of the House Subcommittee on Information Technology, and Langevin, co-founder and co-chair of the Congressional Cybersecurity Caucus, called for the more than 2,000 hackers in the audience to “develop a dialogue” with their local representative in Congress.

“Never underestimate the value that you can bring to the table in helping to educate members and staff of what the best policies are, what’s going to work, and what’s not going to work,” Langevin said, pointing to Luta Security CEO and bug bounty expert Katie Moussouris’ ongoing advocacy for changes to the Wassenaar Arrangement, a decades-old international accord on how countries can transport “intrusion software” and other weapons across international borders.

Moussouris and Iain Mulholland of VMware have effectively convinced Wassenaar member countries to delay their adoption of proposed revisions to the agreement, as they’ve pushed for new language to better protect security researchers’ work.

The conversation between hackers and Congress has never been monosyllabic. But it has been frosty for decades, as federal prosecutors have used American antihacking laws such as the Computer Fraud and Abuse Act and Electronic Communication Privacy Act to punish people conducting legitimate security research.

As many security researchers continue to worry about how these laws might affect them, some have begun to use their expertise to influence the laws—and the lawmakers behind them.

Langevin and Hurd’s plea for hacker-legislator collaboration follows calls by hackers at last year’s DefCon for greater government regulation of software security.

“We don’t have voluntary minimum safety standards for cars; we have a mandatory minimum,” Corman told The Parallax at the time. “What tips the equation [for software] is the Internet of Things, because we now have bits and bytes meeting flesh and blood.”

Hurd said security researchers could play an important role in addressing increasingly alarming vulnerabilities in the nation’s voting apparatus. DefCon’s first voting machine-hacking village this weekend hosted a voting machine from Shelby County, Tenn., that unexpectedly contained personal information related to more than 600,000 voters. Village visitors managed to hack the machine, along with 29 others.

“We have to ensure that the American people can trust the vote-tabulating process,” Hurd said, acknowledging that DefCon attendees were able to hack each machine in the village. “The work that has been done out here is important in educating the secretaries of state all around the country, as well as the election administrators,” about secure technologies and practices.

Langevin and Hurd’s comments seemed to strike the right notes with hackers in attendance. Following Edward Snowden’s leaking of NSA documents and Apple’s refusal to create an encryption backdoor for law enforcement to the iPhone, relations between the hacking community and Washington have been strained at best, notes Herb Lin, a computer security policy expert and research fellow at Stanford University’s Center for International Security and Cooperation. But markedly improving the relationship will require more than a plea for collaboration, he warns.

“It’s better than what’s happened in the past, which is both nothing and active hostility,” he says. “One act by itself is not a game changer.”

The chat ended with assurances of more action from both sides. Corman said he’d like to see members of Congress attend more hacker conferences, such as ShmooCon in Washington, and Hurd promised that he wouldn’t let his experiences this past weekend go to waste.

“These conversations are going to lead me to hold hearings on many of these topics in the subcommittee that I chair,” Hurd said.

***  More details that were recorded at the convention:

DEF CON 2017 – Are voting systems secure? In August 2016, the FBI issued a “flash” alert to election officials across the country confirming that foreign hackers had compromised state election systems in two states.

Although the US has invested heavily in electronic voting systems, their level of security still appears insufficient against a wide range of cyber attacks.

During an interesting session at the DEF CON hacking conference in Las Vegas, experts set up 30 computer-powered ballot boxes used in American elections, simulating the presidential election. Welcome to the DEF CON Voting Village!

At the 1st ever Voting Village at , attendees tinker w/ election systems to find vulnerabilities. I’m told they found some new flaws

The organizers asked participants to physically compromise the systems and hack into them, and the results were disconcerting.

“We encourage you to do stuff that if you did on election day they would probably arrest you,” Johns Hopkins computer scientist Matt Blaze said.

Most of the voting machines in the DEF CON Voting Village were purchased via eBay (Diebold, Sequoia and WinVote equipment); others were bought from government auctions.

In less than 90 minutes, hackers succeeded in compromising the voting machines; one of them was hacked wirelessly.

“Without question, our voting systems are weak and susceptible. Thanks to the contributions of the hacker community today, we’ve uncovered even more about exactly how,” said Jake Braun, cybersecurity lecturer at the University of Chicago.

The analysis of the voting machines revealed that some of them were running outdated operating systems such as Windows XP and Windows CE, and flawed software such as unpatched versions of OpenSSL.

Some of them had physical ports open that could be used by attackers to install malicious applications to tamper with votes.

Even if physical attacks are easy to spot and stop, some voting machines were using poorly secured Wi-Fi connectivity.

At the DEF CON Voting Village, the expert Carsten Schurmann hacked a WinVote system used in previous county elections via Wi-Fi; he exploited the MS03-026 vulnerability in Windows XP to access the voting machine using RDP.

Greetings from the Defcon voting village where it took 1:40 for Carsten Schurmann to get remote access to this WinVote machine.

Another system could be potentially cracked remotely via OpenSSL bug CVE-2011-4109, it is claimed.

huge cheer just went up in @votingvilllagedc as hackers managed to load Rick Astley video onto a voting machine

The good news is that most of the hacked equipment is no longer used in today’s elections.

 

For 2018 and 2020, Re-branding WTF, no Really

Primer: Actually, it is not so much a re-branding, as Obama used ‘win the future’ in the 2011 State of the Union address.

Furthermore: A report by The Hill says Obama has been making regular calls with Democratic National Committee Chairman Tom Perez. According to an anonymous source in the DNC, Obama jokingly told Perez, “Hey man, it’s only the future of the world in your hands.” Working out of his D.C. office, Obama is said to be conducting one-on-one meetings with other legislators, like Maryland’s freshman Democratic Sen. Chris Van Hollen. Still, sources that spoke to The Hill stopped short of divulging a more complete list of the meetings Obama has had.

BusinessInsider: “WTF” is a fitting abbreviation for LinkedIn founder Reid Hoffman’s newest project to rethink what the Democratic Party is today.

Called Win the Future, WTF is starting as a “people’s lobby” where people can vote on policy topics that are important to them, like making engineering degrees free for everyone.

“We need a modern people’s lobby that empowers all of us to choose our leaders and set our agenda,” said Mark Pincus, the billionaire cofounder of Zynga who is partnering with Hoffman to start WTF. “Imagine voting for a president we’re truly excited about. Imagine a government that promotes capitalism and civil rights.”

Despite its roots with two powerful tech founders, WTF is taking an old-school approach to start. People will vote on the policies and discuss them on Twitter. The group plans to turn the ones that seem to resonate into billboards in Washington, DC, with congressional leaders the target audience.

While it wants to get the attention of members of Congress, WTF is also unabashedly “not for pro-politicians.” According to Recode, one of WTF’s more audacious plans has been to recruit political outsiders to run as “WTF Democrats” and challenge the old stalwarts of the Democratic Party. Pincus specifically targeted Stephan Jenkins from the band Third Eye Blind, according to Recode.

Those plans are on hold for now, though, as the group focuses on the launch of its billboard campaigns and on building a political platform.

Progressive leaders have already criticized WTF’s launch, however, as an incredibly off-base pet project for two billionaires, according to a Huffington Post report.

Oh just a coupla billionaires who want to make the Democratic Party “pro business” cause it’s “too far to the left”

“I am not sure the creators of the lamest and the most annoying social-media experiences are the exact people who should be rewiring the philosophical core of the Democratic Party as they say they want to,” Alex Lawson, the executive director of Social Security Works, told The Huffington Post.

Despite the early criticism, Pincus and Hoffman have together committed over $500,000 to build out the project — and they’re still raising money to bring the billboard campaign to life.

“We can’t wait until elections to fight for what we care about. We can’t hope for a benevolent leader who may choose to listen to us,” Pincus wrote in his note on the vision of WTF. “We need a network that lets the best ideas and leaders rise to the top through an open, inclusive democratic process.”

***

So….who is on this Obama team now?

David Simas, CEO The Obama Foundation, previously chief of staff for Deval Patrick

Marty Nesbitt, Chairman The Obama Foundation, long history and vacation/golf buddy of Barack

J. Kevin Poorman, President The Obama Foundation, president of PSP Capital Partners of which Penny Pritzker is the founder.

Juliana Smoot, White House social secretary for Obama, Deputy Assistant to Obama, she also worked for Dick Durbin, John Edwards, Chuck Schumer and her husband is the chairperson for the Michigan Democrat Party

Robbin Cohen, real estate developer and president of investment firm in Chicago, formerly of the Pritzker Group.

Yohannes Abraham, former chief of staff for Valerie Jarrett, now the senior advisor for The Obama Foundation

The Obama Foundation is working on a start up for citizenship, it is an ongoing project for the 21st century. This project has a global objective and will include being a digital citizen.

Voter Fraud Comm. Wants States Voter Roll Data

Mississippi responds with ‘go jump in the Gulf of Mexico’.

The White House has said the commission will embark upon a “thorough review of registration and voting issues in federal elections,” but experts and voting rights advocates have pilloried Trump for his claims of widespread fraud, which studies and state officials alike have not found. They say they fear the commission will be used to restrict voting.  

Those worries intensified this week, after the commission sent letters to 50 states and Washington, D.C., on Wednesday asking for a trove of information, including names, dates of birth, voting histories and, if possible, party identifications. The letters also asked for evidence of voter fraud, convictions for election-related crimes, and recommendations for preventing voter intimidation – all within 16 days.

Trump’s voter fraud commission asks all states for voter roll data

President Trump’s newly formed Presidential Advisory Commission on Election Integrity is asking states to turn over all publicly available voter roll data.

In the letter, sent Wednesday to all 50 secretaries of state, the commission’s vice chairman — Kansas Secretary of State Kris Kobach — requests the full names of all registered voters, their addresses, dates of birth, the last four digits of their Social Security numbers, voting history and other personal information.

The letter to Connecticut Secretary of State Denise Merrill, a Democrat, was made public first.

In a statement, Merrill said her office will share “publicly-available information with the Kobach Commission while ensuring that the privacy of voters is honored by withholding protected data.”

Vanita Gupta, the former head of the Department of Justice’s Civil Rights Division, said on Twitter Kobach and Vice President Mike Pence, who serves as the commission’s chairman, “are laying the groundwork for voter suppression, plain & simple.”

Kobach is asking for responses by July 14.

***

SACRAMENTO, Calif. States are steadily disclosing whether or not they will cooperate with a request for voter information from the commission set up by President Trump in May to investigate alleged voter fraud in the 2016 elections.

New York Gov. Andrew Cuomo, a Democrat, tweeted Friday that his state would not comply with the commission’s request for a list of the names, party affiliations, addresses and voting histories of all voters, if state laws allow it to be public.

Virginia Gov. Terry McAuliffe said there is no evidence of voter fraud in the state.

“At best this commission was set up as a pretext to validate Donald Trump’s alternative election facts, and at worst is a tool to commit large-scale voter suppression,” he said in a statement.

On Wednesday the Presidential Advisory Commission on Election Integrity sent a letter giving secretaries of state about two weeks to provide about a dozen points of voter data. That also would include dates of birth, the last four digits of voters’ Social Security numbers and any information about felony convictions and military status.

Other Democratic officials are also refusing to comply, saying the request invades privacy and is based on false claims of fraud. The secretaries of state in California and Kentucky, all Democrats, said they will not share the requested information.

Mr. Trump lost the popular vote to Democrat Hillary Clinton but has alleged, without evidence, that 3 to 5 million people voted illegally.

In addition to the voter information, the letter asks state officials for suggestions on improving election integrity and to share any evidence of fraud and election-related crimes in their states. The data will help the commission “fully analyze vulnerabilities and issues related to voter registration and voting,” vice chairman and Kansas Secretary of State Kris Kobach wrote.

The California and Virginia officials said attention would be better spent upgrading aging voting systems or focusing on Russia’s alleged election meddling. Mr. Trump has alleged “serious voter fraud” in both states.

“California’s participation would only serve to legitimize the false and already debunked claims of massive voter fraud,” Democratic Secretary of State Alex Padilla said in a statement. Clinton won California by about 3 million votes.

Kentucky Secretary of State Alison Lundergan Grimes expressed similar sentiments, reports CBS Lexington affiliate WKYT-TV. A statement released by her office said, “The president created his election commission based on the false notion that ‘voter fraud’ is a widespread issue – it is not. Indeed, despite bipartisan objections and a lack of authority, the President has repeatedly spread the lie that three to five million illegal votes were cast in the last election. Kentucky will not aid a commission that is at best a waste of taxpayer money and at worst an attempt to legitimize voter suppression efforts across the country.”

Wisconsin’s elections administrator, Michael Haas, said in a statement Friday that a voter’s “name, address and voting history are public,” but the state does not collect information about political preference or gender, and Wisconsin law does not permit the state to release a voter’s date of birth, driver’s license number or Social Security number. Should the commission want the public information, Haas said it’ll have to pay the $12,500 fee for the statewide voter file.

Oklahoma, too, said that its voter roll is public, and an Oklahoma State Election Board spokesman said that the commission could have “a copy of the same database that anyone could get from us,” according to NewsOK. Oklahoma will not release even partial Social Security numbers, however.

Georgia will also provide only publicly available voter information, not private information.

The panel is seeking “public information and publicly available data” from every state and the District of Columbia, said Marc Lotter, a spokesman for Vice President Mike Pence, who is chairing the commission. Lotter described the intent of the request as “fact-finding” and said there were no objections to it by anyone on the 10-member commission, which includes four Democrats.

Minnesota Secretary of State Steve Simon, a Democrat, said he’s not sure whether he will share the data because of privacy concerns. Vermont’s top election official, Democrat Jim Condos, said it goes beyond what the state can publicly disclose.

In Missouri, Republican Secretary of State Jay Ashcroft said he is happy to “offer our support in the collective effort to enhance the American people’s confidence in the integrity of the system.” Colorado Secretary of State Wayne Williams, a Republican, said he’ll provide what state law allows.

Other states have not yet decided whether to comply with the commission’s request. Ohio Secretary of State Jon Husted, a Republican who is running for governor, is still considering the request, Cincinnati.com reported.

Should Voting Systems be Classified as Critical Infrastructure?

While voters of all political parties seem to dismiss the notion that Russia intruded on voting systems in 2016, the proof is there. If you watched former DHS Secretary Jeh Johnson during his congressional testimony, what mattered was not so much his responses as what members of Congress knew in order to pose their questions to Johnson.

J. Alex Halderman, a professor of computer science and engineering at the University of Michigan, contended U.S. election equipment is “vulnerable to sabotage” that “could change votes.”

“We’ve found ways for hackers to sabotage machines and steal votes. These capabilities are certainly within reach for America’s enemies,” Halderman told senators.

He said he and his team spent 10 years researching cyber vulnerabilities of election equipment. The professor said:

Some say that the fact that voting machines aren’t directly connected to the internet makes them secure. But, unfortunately, this is not true. Voting machines are not as distant from the internet as they may seem. Before every election, they need to be programmed with races and candidates. That programming is created on a desktop computer, then transferred to voting machines. If Russia infiltrated these election management computers, it could have spread a vote-stealing attack to a vast number of machines. I don’t know how far Russia got or whether they managed to interfere with equipment on Election Day. More here from Daily Signal.

Okay…still a non-believer? Let’s see what the states experienced.

Elections officials outgunned in Russia’s cyberwar against America

WASHINGTON/Charlotte Observer

Local officials consistently play down suspicions about the long lines at polling places on Election Day 2016 that led some discouraged voters in heavily Democratic Durham County, N.C., to leave without casting a ballot.

Minor glitches in the way new electronic poll books were put to use had simply gummed things up, according to local elections officials there. Elections Board Chairman William Brian Jr. assured Durham residents that “an extensive investigation” showed there was nothing to worry about with the county’s new registration software.

He was wrong.

What Brian and other election officials across eight states didn’t know until the leak of a classified intelligence report is that Russian operatives hacked into the Florida headquarters of VR Systems, Inc., the vendor that sold them digital products to manage voter registrations.

A week before the election, the hackers sent emails using a VR Systems address to 122 state and local election officials across the country, inviting them to open an attachment wired with malicious software that spoofed “legitimate elections-related services,” the report said. The malware was designed to retrieve enough additional information to set the stage for serious mischief, said the National Security Agency report disclosed by the Intercept, an investigative web site.

That wasn’t the only type of attack.

The new revelations about the Kremlin’s broad and sophisticated cyber offensive targeting Democrat Hillary Clinton and aimed at seating Donald Trump in the Oval Office have set off a wave of worry about the security of the nation’s voting systems. State election officials, facing questions as to whether they ignored oddities or red flags, have responded by accusing intelligence agencies of failing to alert them of the risks.

The truth is that the hodge-podge of electronic machinery that enables Americans to exercise their most sacred democratic right is weakly guarded by state and local agencies. Those officials are quick to assure the voting public that their systems are secure, but they lack the resources and technical know-how to defend against cyber intrusions, or even to perform forensic examinations to ensure nothing happened.

Election officials in Illinois, another state that VR Systems lists as a customer, did not find out they were hacked by Russian operatives late last June until a week or two later. By then, the Russian operatives had downloaded about 90,000 voter registration records, leading to an investigation by the FBI and the U.S. Department of Homeland Security, said Ken Menzel, general counsel of the Illinois Board of Elections. Menzel confirmed a Bloomberg report that the Russians appeared to have made unsuccessful attempts to alter or delete some records.

In Georgia, where a nationally watched congressional runoff race is scheduled for Tuesday, Politico magazine reported that a U.S. hacker from a national laboratory seeking to expose vulnerabilities in election systems was able to easily download millions of voter records from Kennesaw State University’s Center for Election Systems, which manages them. Election watchdog groups say subsequent warnings to the state about a hole in their system went unheeded for months.

David Jefferson, a computer scientist at the Lawrence Livermore National Laboratory in California who has acted in his personal capacity in trying to safeguard election integrity, said he believes it is “absolutely possible” that the Russians affected last year’s election.

“And we have done almost nothing to seriously examine that,” he said.

“The Russians really were engaged in a pattern of attacks against the machinery of the election, and not merely a pattern of propaganda or information warfare and selective leaking,” said Alex Halderman, a University of Michigan computer science professor. “The question is, how far did they get in that pattern of attacks, and were they successful?” Election officials across the country may not even know if they’ve been attacked, computer scientists say, pointing to the scenario that played out in Durham County.

EASY PREY

State and local voting systems appear to be easy prey for sophisticated hackers.

Five states use electronic voting machines with no paper backups, precluding audits that might verify the accuracy of their vote counts. They include Georgia, scene of Tuesday’s 6th District runoff election, Delaware, Louisiana, New Jersey and South Carolina. Parts of another nine states also are paperless, including the crucial swing state of Pennsylvania.

Although Congress has discouraged use of internet voting because of the potential for hackers to tamper with ballots, some 32 states allow military and overseas voters to transmit ballots online or via insecure fax machines. Alaska, Washington state and Hawaii have been the most permissive.

“If we don’t fix our badly broken system before the next major presidential election, we’re going to be hacked into,” said Barbara Simons, author of “Broken Ballots,” a 2012 book about election security published by Stanford University. “It might not just be Russia. It might be North Korea, China, Iran or partisans.”

While the Netherlands opted to shift to paper ballots when alerted the Russians were trying to swing its election outcome to the right, U.S. election officials have stood pat.

But former FBI Director James Comey, in widely watched testimony to the Senate Intelligence Committee on June 8, said “there should be no fuzz” about Russia’s barrage of millions of social media messages spreading falsehoods about Clinton.

“The Russians interfered in our election during the 2016 cycle,” he said. “They did it with purpose. They did it with sophistication. They did it with overwhelming technical efforts … And it is very, very serious.”

America’s saving grace could be its decentralized system in which cities, counties and states have used federal grants to procure a wide variety of voting equipment, limiting the potential impact of a single attack.

But that doesn’t mean targeted attacks couldn’t tip the outcome of closely divided races, even for the presidency.

CRITICAL INFRASTRUCTURE

On Jan. 6, American intelligence agencies issued a declassified report accusing Russia of the cyber attack ultimately aimed at helping Trump, calling it the Kremlin’s “boldest” operation ever aimed at influencing the United States. In a brief notation, the report said that, while the Russians targeted state and local voting systems, they did not attempt to corrupt vote-tallying equipment.

On the same day the report was released, in one of his last acts as U.S. secretary of Homeland Security, Jeh Johnson proclaimed the nation’s election systems to be “Critical Infrastructure,” a designation that not only makes their security a higher priority, but improves the climate for federal-state cooperation. Because state and local officials exert total control over their operations, the agency only can investigate a vulnerability or possible breach if asked to do so – an obstacle the new designation didn’t change.

A senior Homeland Security official, in an interview with McClatchy, batted down as wildly exaggerated a Bloomberg report stating that Russian cyber operatives had made “hits” on voting systems in 39 states. Every web site is constantly scanned by “bad actors,” just as burglars might case homes in a neighborhood. That doesn’t equate to hacking, said the official, who spoke on condition of anonymity because of the sensitivity of the matter.

“The ability to manipulate the vote tally, that’s quite complicated,” the Homeland Security official said. “We didn’t see an ability to really accomplish that even in an individual voting machine. You have to have physical access to do that. It’s not as easy as you think.”

Some of the nation’s top experts in voting security disagree.

Lawrence Livermore’s Jefferson voiced frustration with the “defensive” refrain of denials from state and local election officials, including the National Association of Secretaries of State.

“Election officials do not talk about vulnerabilities,” Jefferson said, “because that would give the advantage to the attacker. And they don’t want to undermine public confidence in elections.”

Halderman said Homeland Security officials told him they were unaware of a single county in any state that had conducted post-election forensic examinations of their voting equipment.

The Homeland Security official who spoke with McClatchy said the main concern for agency cyber specialists is not about vote-tampering; it’s related to the ability of intruders to sow confusion and chaos. That could entail schemes to foul voter registration data by, for example, removing the names of voters from the rolls so they are turned away at polling stations.

“This scenario is what we witnessed on the ground in North Carolina on Election Day,” said Susan Greenhalgh, a spokeswoman for the election watchdog group Verified Voting.

“If attackers wanted to impact an election through an attack on a vendor like VR Systems,” she said, “they could manipulate or delete voter records impacting a voter’s ability to cast a regular ballot. Or, they could cause the E-Pollbooks (electronic databases of voters) to malfunction, hampering the check-in process and creating long lines.”

North Carolina was considered to be a swing state in the presidential race, and Durham County, with an African-American population of more than 37 percent, had voted more than 75 percent in favor of putting and keeping Barack Obama in the White House. Last year’s governor’s race was a dead heat entering Election Day.

The chaos in Durham County led to 90-minute delays. Some voters rang a Voter Protection Hotline to complain that their names had disappeared from the registration system or that they were told they already had voted.

The county hired a contractor to investigate the foul-up, but the inquiry never examined whether the system was hacked.

Twenty other North Carolina counties used the system, including Mecklenburg County, encompassing most of Charlotte. Though none reported problems on the scale of Durham County, release of the NSA report prompted the North Carolina Board of Elections to order a new investigation.

A former FBI agent is leading the inquiry. Critics say the three-member investigative team again lacks expertise in forensics.

Mindy Perkins, VR Systems’ president and chief executive officer, said in a statement that the company immediately notified all of its customers as soon as it was alerted “to an obviously fraudulent email purporting to come from VR Systems” and advised them not to click on the attachment.

“We are only aware of a handful of our customers who actually received the fraudulent email,” she said. “We have no indication that any of them clicked on the attachment or were compromised as a result.”

She said the company has “policies and procedures in effect to protect our customers and our company.”

Even so, Russia succeeded in sneaking up on U.S. agencies, voting system vendors and intelligence agencies.

Halderman, the University of Michigan expert, said he believes the best solution is for states to require paper trails for all voting equipment and post-election audits to ensure the vote counts are authentic.

“There’s no guarantee that we’ll know we’re under attack,” he said, “unless we do the quality control that we need by doing these audits to detect manipulation.”

Global Blackouts, Anywhere in the World, Courtesy Russia

Fitful sleep last night after reading a very long, detailed piece on Russian hackers versus Ukraine. Why? Well, the same tools and language they use have been found on American infrastructure and systems. Last thoughts before sleep were those of life before the internet and how people get emails with attachments that should never be opened. The short summary is just below. The more detailed and terrifying truth follows. It is a long summary and must be read… it is something like a cyber Hitchcock Twilight Zone disaster thriller, but it happened and happened often.

Further, during a hearing in the House, former DHS Secretary Jeh Johnson revealed a couple of key facts. One is that during the election cycle, when the DNC was hacked, officials on numerous requests refused assistance, cooperation and discussions with DHS and FBI about foreign cyber intrusions. What was the DNC hiding? The other fact is that Obama had the full details in intelligence briefings daily leading into November and December and refused to tell the country about Russian interference. He waited until after the elections and into December to take action. Why?

Okay, read on….

Russia’s New Cyber Weapon Can Cause Blackouts Anywhere in the World

Hackers working with the Russian government have developed a cyber weapon that can disrupt power grids, U.S. researchers claim. The cyber weapon has the potential to be absolutely disruptive if used on electronic systems necessary for the daily functioning of American cities.

The malicious software was used to shut down one-fifth of the electric power generated in Kiev, Ukraine last December. Called ‘CrashOverride’, the malware only briefly disrupted the power system, but its potential was made clear.

With development, the cyber weapon could easily be used against the U.S. with devastating effects on transmission and distribution systems.

Sergio Caltagirone, director of threat intelligence for Dragos, a cybersecurity firm that examined the malware, said, “It’s the culmination of over a decade of theory and attack scenarios, it’s a game changer.”

Dragos has dubbed the group of hackers who created the bug and used it in Ukraine Electrum. The group and the virus have also been under scrutiny by cyber intelligence firm FireEye, headed by John Hultquist. Hultquist’s company has nicknamed the group Sandworm and is keeping watch for clues of another attack.

The news of the malware comes in the middle of the ongoing investigation into Russia’s influence on the recent Presidential election. The Russian government is accused of trying to influence the outcome of the election by hacking hundreds of political organizations and leveraging social media.

While there is no hard evidence yet, U.S. officials believe the disruptive power hackers are closely connected to the Russian Government. U.S. based energy sector experts agree the malware is a huge concern and concede they are seeking ways to combat potential attacks.

“U.S. utilities have been enhancing their cybersecurity, but attacker tools like this one pose a very real risk to reliable operation of power systems,” said Michael Assante, who worked at Idaho National Labs and is former chief security officer of the North American Electric Reliability Corporation.

CrashOverride

CrashOverride is only the second known instance of malware specifically designed to destroy or disrupt industrial control systems. The U.S. and Israel worked together to create Stuxnet, a bug designed to disrupt Iran’s nuclear enrichment program.

Robert M. Lee, chief executive of Dragos, believes CrashOverride could be manipulated to attack other types of industrial control such as gas or water, though there has been no demonstration of that yet. But the sophistication of the entire operation is undeniable. The hackers had the resources not only to develop the malware but to test it too.

The malware works by scanning for critical components that operate circuit breakers, then opening these breakers, which stops the flow of electricity. It continues to keep the circuit breakers open, even if a grid operator tries to close them. CrashOverride also cleverly comes with a “wiper” component that erases the existing software on the computer system that controls the circuit breakers. This forces the grid operator to revert to manual operations, which means a longer and more sustained power outage.

Potential outages could last a few hours and probably not more than a couple of days as U.S. power systems are designed to have high manual override capabilities necessary in extreme weather.

As mentioned above, you need to read the full detailed version here, and just how the FBI and global cyber experts, at the request of Ukraine, worked diligently for accurate attribution to a Russian cyber force intruding on power systems. Hat tip to these experts; the story needs to go mainstream, as we are in a cyber war, the depths of which are impossible to fully comprehend. Ukraine is the target and cyber incubation center for Russian cyber terrorists, where they test, review, adapt and keep going without consequence.

Okay, read it all here. Hat tip for the detailed summary and the people doing quiet investigative cyber work.