First major voting vendor, Hart InterCivic, partners with Microsoft on ambitious software security tool ElectionGuard

The ElectionGuard technology that Microsoft touts as a way to make elections more secure and verifiable is taking its biggest step yet: Hart InterCivic, one of the big three election vendors, says it will incorporate ElectionGuard into one of its voting systems. The ElectionGuard open-source software development kit gives voters a unique code to track their encrypted vote and confirm it wasn’t manipulated, and it offers a way for third parties to validate election results, according to Microsoft. The two companies jointly announced the partnership on Thursday. Hart InterCivic is the biggest partner to date for ElectionGuard, as one of three vendors — alongside Election Systems & Software and Dominion Voting Systems — that dominate the marketplace for voting machine technology. “We believe we must constantly re-imagine how technology can make voting more secure and also more transparent, and this partnership with Microsoft is a strong step in that direction,” […]

The post First major voting vendor, Hart InterCivic, partners with Microsoft on ambitious software security tool ElectionGuard appeared first on CyberScoop.

Top voting vendor ES&S publishes vulnerability disclosure policy

Election Systems & Software, the biggest vendor of U.S. voting equipment, on Wednesday announced a policy to work more closely with security researchers to find software bugs in the company’s IT networks and websites. “Hackers are going to hack, researchers are going to research, whether or not there’s a policy in place,” Chris Wlaschin, ES&S’s vice president of systems security, told CyberScoop. “We think it’s important to have that safe harbor language out there to set expectations.” The policy allows researchers to probe ES&S’s corporate systems and public-facing websites, but not the election systems in place at jurisdictions around the country, which are subject to different testing regimes. The ES&S policy gives the company 90 days to fix vulnerabilities before researchers can report on them publicly — a standard timeline in the research community. For ES&S, the policy marks another step in collaborating with a white-hat hacking community with which it […]

The post Top voting vendor ES&S publishes vulnerability disclosure policy appeared first on CyberScoop.

Klobuchar to voting vendors: Don’t turn your back on good hackers when setting up a CVD program

After years of getting pummeled by critics for not embracing ethical hacking, the country’s biggest voting equipment vendors took a big step in that direction in September. They asked the cybersecurity community for ideas on how to set up a process through which researchers could flag software flaws for vendors to fix. Companies that specialize in coordinated vulnerability disclosure (CVD) programs like Bugcrowd and Synack responded to the request for information. But the usual suspects weren’t the only entities to submit ideas. A Democratic presidential candidate and one of the most outspoken voices in the Senate on election security also chimed in. In a four-page letter to the industry association establishing the CVD program, Sen. Amy Klobuchar, D-Minn., advised the voting-gear vendors to ditch their reservations about working with unvetted researchers, pay close attention to their supply chains, and set a timeline for getting software bugs fixed. “[V]oting system manufacturers […]

The post Klobuchar to voting vendors: Don’t turn your back on good hackers when setting up a CVD program appeared first on CyberScoop.

Voting Village brings equipment to lawmakers to boost urgency on election security

A year from the 2020 election and with a new round of election security funding stalled in Congress, the DEF CON Voting Village organizers have again taken to Capitol Hill to raise awareness about software vulnerabilities in voting equipment. This time, they brought the equipment with them to drive home their point. “If we’re going to meaningfully introduce funding or introduce new technologies for 2020, time is rapidly running out to be able to do that,” Matt Blaze, a professor at Georgetown University and co-organizer of the Voting Village, told CyberScoop. “We need to act pretty fast.” A handful of House Democrats and their staffers sauntered up to equipment on display, including a ballot-marking device and an electronic voting machine, to ask the researchers about the software bugs they found. “This is really helpful in understanding that these aren’t just abstract problems, that these are real things,” Blaze, an expert […]

The post Voting Village brings equipment to lawmakers to boost urgency on election security appeared first on CyberScoop.

DEF CON Voting Village report explores vulnerabilities in ballot-marking devices, calls for paper-based audits

After finding security weaknesses in two ballot-marking devices at this year’s DEF CON Voting Village, researchers are calling for “more comprehensive studies” of equipment that is increasingly a part of the voter experience. The findings come as states consider the security advantages of election systems that create a paper trail. Ballot-marking devices, or BMDs for short, allow voters to mark their choices on a screen and then print them out. The paper ballots are then counted by hand or scanned by a separate machine. “The security implications of ballot marking devices should be studied more,” researchers said in the 2019 Voting Village report, which sums up more than two days of hacking and tinkering at a Las Vegas casino in August. “Current and proposed next-generation ballot marking devices have not been designed with security considerations in mind,” they argued. The researchers say that data stored by the two BMDs they studied could […]

The post DEF CON Voting Village report explores vulnerabilities in ballot-marking devices, calls for paper-based audits appeared first on CyberScoop.

What would a vulnerability disclosure program look like for voting equipment? Expect an RFI soon

Voting-equipment vendors are preparing to formally ask security researchers for ideas on building a coordinated vulnerability disclosure (CVD) program, the next step in the industry’s gradual move to work more closely with ethical hackers. The Elections Industry-Special Interest Group, which includes the country’s three largest voting-systems vendors, will this week release the request for information (RFI), Chris Wlaschin, vice president of systems security at one of those vendors, Election Systems & Software, told CyberScoop. “We all feel that sense of urgency to adopt this sooner than later,” Wlaschin said. Since January, the voting vendor group, which is part of the IT-Information Sharing and Analysis Center (IT-ISAC), a broader industry association, has held biweekly meetings to begin hashing out what a CVD program to find and fix software bugs might look like. Other industries have adopted such programs, which can raise the bar for security in an industry and establish trust […]

The post What would a vulnerability disclosure program look like for voting equipment? Expect an RFI soon appeared first on CyberScoop.

Election commission says it won’t de-certify voting systems running old versions of Windows

The U.S. Election Assistance Commission has told lawmakers that it will not de-certify certain voting machines using outdated Microsoft Windows systems, a disclosure that highlights the challenge of keeping voting systems secure after a vendor ceases offering support for a product. While a voting machine would fail certification if it were running software that wasn’t supported by a vendor, the act of de-certifying the machine is cumbersome and “has wide-reaching consequences, affecting manufacturers, election administration at the state and local levels, as well as voters,” EAC commissioners wrote in a letter to the Committee on House Administration that CyberScoop obtained. To pass certification, voting vendors must meet a series of specifications outlined in the Voluntary Voting Systems Guidelines (VVSG), a set of standards that the EAC has been slow to update. In response to questions from the committee’s staff, EAC commissioners said the laborious de-certification process can be initiated if there is […]

The post Election commission says it won’t de-certify voting systems running old versions of Windows appeared first on CyberScoop.

Voting-machine companies are thinking about vulnerability disclosure, bug bounty programs

Voting-equipment vendors expressed interest Thursday in establishing a program for the coordinated disclosure of hardware and software vulnerabilities in their equipment — a practice common in other industries and long championed by security experts. An industry group offered support for a voluntary coordinated vulnerability disclosure (CVD) process that collaborates with ethical hackers to fix equipment flaws faster. The move comes as some security researchers and policymakers have criticized the industry’s big vendors for being slow to embrace ethical hacking. The commitment to work with “good-faith researchers marks a significant turn in industry-wide thinking,” says a white paper issued by the Elections Industry-Special Interest Group (EI-SIG), part of the IT-Information Sharing and Analysis Center. The group includes the country’s three largest vendors — Dominion Voting Systems, Election Systems & Software (ES&S), and Hart InterCivic. Perhaps the biggest challenge to establishing a CVD program will be aligning it with a federal testing and certification system — […]

The post Voting-machine companies are thinking about vulnerability disclosure, bug bounty programs appeared first on CyberScoop.

DEF CON Voting Village matures as industry keeps its distance

The third annual Voting Village at the DEF CON hacking conference was a little different than years past. There were more machines to play with and more election personnel wandering around. And nobody publicly cursed out state officials or vendors. Attendees seemed buoyed by the fact that they were helping secure the 2020 election, which U.S. officials warn will again draw foreign interference attempts. “We have more people who are comfortable, immediately wanting to rip things apart and see how they work,” cryptologist Matt Blaze said with satisfaction. He was taking a rest in the corner of the village — a room in Las Vegas’ Planet Hollywood hotel littered with voting equipment — from the exertions of helping organize the gathering. “We don’t care if you break anything, as long as you’re doing it in an interesting way,” Blaze, a professor at Georgetown University, told CyberScoop. Across the room was Stephen Crane, […]

The post DEF CON Voting Village matures as industry keeps its distance appeared first on CyberScoop.

US Voting Machines Internet-Connected, Despite Denials

Researchers were horrified to discover 35 ES&S voting machines connected to the internet. As you might have guessed, this is not at all good security practice—and it directly contradicts statements by various election officials and the manufacture…