Black Hat 2020: In a Turnaround, Voting Machine Vendor Embraces Ethical Hackers

Voting machine technology seller Election Systems & Software (ES&S) offered an olive branch to security researchers with new safe harbor terms and vulnerability disclosure policies at Black Hat USA 2020.

What would a vulnerability disclosure program look like for voting equipment? Expect an RFI soon

Voting-equipment vendors are preparing to formally ask security researchers for ideas on building a coordinated vulnerability disclosure (CVD) program, the next step in the industry’s gradual move to work more closely with ethical hackers. The Elections Industry-Special Interest Group, which includes the country’s three largest voting-systems vendors, will this week release the request for information (RFI), Chris Wlaschin, vice president of systems security at one of those vendors, Election Systems & Software, told CyberScoop. “We all feel that sense of urgency to adopt this sooner than later,” Wlaschin said. Since January, the voting vendor group, which is part of the IT-Information Sharing and Analysis Center (IT-ISAC), a broader industry association, has held biweekly meetings to begin hashing out what a CVD program to find and fix software bugs might look like. Other industries have adopted such programs, which can raise the bar for security in an industry and establish trust […]

The post What would a vulnerability disclosure program look like for voting equipment? Expect an RFI soon appeared first on CyberScoop.

US Voting Machines Internet-Connected, Despite Denials

Researchers were horrified to discover 35 ES&S voting machines connected to the internet. As you might have guessed, this is not at all good security practice—and it directly contradicts statements by various election officials and the manufacture…

Election tech vendors say they’re securing their systems. Does anyone believe them?

The last few years have been an awakening for Election Systems & Software. Before 2016, very few people were publicly pressing the company to change the way it handled its cybersecurity practices. Now, the nation’s leading manufacturer of election technology has become a lightning rod for critics. Security experts say the small number of companies that dominate the nation’s election technology market, including ES&S, have failed to acknowledge and remedy vulnerabilities that lie in systems used to hold elections across the country. Once left to obscurity, the entire ecosystem has been called into question since the Russian government was found to have interfered with the 2016 presidential campaign. While there has never been any evidence to suggest that any voting machines were compromised, the Department of Homeland Security and FBI recently issued a memo that all 50 states were at least targeted by Russian intelligence. The peak of the criticism came after the Voting Village exhibition […]

The post Election tech vendors say they’re securing their systems. Does anyone believe them? appeared first on CyberScoop.

ES&S security lead: We trust our process over DEF CON village findings

While there are a number of companies that build and sell election-related technology, ES&S has been the most notable as of late. The company’s CEO released a letter last week that took issue with calls from lawmakers to work with anonymous researchers, like those at the DEF CON Voting Village that uncovered various vulnerabilities in election-related hardware and software. “We will not, however, provide or submit any hardware, software, source code or other intellectual property to unvetted, anonymous security researchers, nor would we make public any assessments of vulnerability findings, because providing or making available secure information to individuals or groups whose interests may counter the United States’ interests would be irresponsible and may in fact, jeopardize the integrity of elections,” the letter from ES&S CEO Tom Burt read. That letter was poorly received by both Capitol Hill and the security research community, who both felt the response was inadequate […]

The post ES&S security lead: We trust our process over DEF CON village findings appeared first on CyberScoop.

DEF CON 2018: Voting Hacks Prompt Push Back from Election Officials, Vendors

The Vote Hacking Village invited attendees – including kids as young as six – to hack the voting infrastructure, including ballot machines, a voter database and more.

Voting machine vendor says it installed remote software connections in a ‘small number’ of systems

A top manufacturer of voting machines has conceded that it installed remote-access software for a “small number” of election management systems from 2000 to 2006, a practice that experts say leaves the equipment vulnerable to hackers. The revelation could be a teachable moment as state and local election officials work to shore up their voting infrastructure security for the 2018 midterm elections. In an April letter to Sen. Ron Wyden, D-Ore., obtained by CyberScoop, Election Systems and Software (ES&S) said it implemented the remote-access software on systems over a six-year period in order to facilitate customer support. Among other voting-related tasks, election management systems are used to program voting machines across a county. The software in question, pcAnywhere, has proven to be vulnerable to hackers, who stole its source code in 2006. The Nebraska-based vendor said it never set up a remote connection on voting devices like tabulators or ballot-marking […]

The post Voting machine vendor says it installed remote software connections in a ‘small number’ of systems appeared first on CyberScoop.

South Carolina voters sue state over paperless voting machines

South Carolina voters are suing their state over its use of paperless voting machines amid worries that they are susceptible to hacking without detection. The complaint filed Tuesday seeks a declaration from the court that South Carolina has violated the plaintiffs’ fundamental right to have their votes counted and prevent the state from continuing to use the machines it currently has in place. The lawsuit largely resembles one that is ongoing in Georgia. With the midterm elections coming up in November, the lawsuit does not outline any short-term alternatives to using the state’s current machines. The plaintiffs in the Georgia lawsuit propose using provisional paper ballots that can be scanned with the machines the state uses for absentee ballots. The plaintiffs are Frank Heindel, a commodities trader and election security advocate, and Phil Leventis, a former senator in the state legislature who opposed the state’s adoption of the machines […]

The post South Carolina voters sue state over paperless voting machines appeared first on CyberScoop.
