Voting Village brings equipment to lawmakers to boost urgency on election security

A year from the 2020 election and with a new round of election security funding stalled in Congress, the DEF CON Voting Village organizers have again taken to Capitol Hill to raise awareness about software vulnerabilities in voting equipment. This time, they brought the equipment with them to drive home their point. “If we’re going to meaningfully introduce funding or introduce new technologies for 2020, time is rapidly running out to be able to do that,” Matt Blaze, a professor at Georgetown University and co-organizer of the Voting Village, told CyberScoop. “We need to act pretty fast.” A handful of House Democrats and their staffers sauntered up to equipment on display, including a ballot-marking device and an electronic voting machine, to ask the researchers about the software bugs they found. “This is really helpful in understanding that these aren’t just abstract problems, that these are real things,” Blaze, an expert […]

The post Voting Village brings equipment to lawmakers to boost urgency on election security appeared first on CyberScoop.

Microsoft will offer free Windows 7 support for election officials through 2020

Microsoft is expected to announce Friday it will offer state and local election officials free support for Windows 7 operating systems used in voting systems through 2020, according to multiple people familiar with the matter. Microsoft has long planned to stop providing security updates for Windows 7 users in general in January 2020, but was allowing users to pay for those updates through 2023. But the offer of free services through next year’s U.S. presidential election is an additional effort to make it easier to update operating software used in voting systems, such as the election management systems that format ballots. Many systems that support voting in the U.S. still rely on Windows 7, which is not nearly as straightforward to update on those machines as it is on a personal computer. Patches require installation and testing to verify that they will not disrupt a voting system. The U.S. Election Assistance Commission has said it will not de-certify […]

The post Microsoft will offer free Windows 7 support for election officials through 2020 appeared first on CyberScoop.

What would a vulnerability disclosure program look like for voting equipment? Expect an RFI soon

Voting-equipment vendors are preparing to formally ask security researchers for ideas on building a coordinated vulnerability disclosure (CVD) program, the next step in the industry’s gradual move to work more closely with ethical hackers. The Elections Industry-Special Interest Group, which includes the country’s three largest voting-systems vendors, will this week release the request for information (RFI), Chris Wlaschin, vice president of systems security at one of those vendors, Election Systems & Software, told CyberScoop. “We all feel that sense of urgency to adopt this sooner than later,” Wlaschin said. Since January, the voting vendor group, which is part of the IT-Information Sharing and Analysis Center (IT-ISAC), a broader industry association, has held biweekly meetings to begin hashing out what a CVD program to find and fix software bugs might look like. Other industries have adopted such programs, which can raise the bar for security in an industry and establish trust […]

The post What would a vulnerability disclosure program look like for voting equipment? Expect an RFI soon appeared first on CyberScoop.

Election commission says it won’t de-certify voting systems running old versions of Windows

The U.S. Election Assistance Commission has told lawmakers that it will not de-certify certain voting machines using outdated Microsoft Windows systems, a disclosure that highlights the challenge of keeping voting systems secure after a vendor ceases offering support for a product. While a voting machine would fail certification if it were running software that wasn’t supported by a vendor, the act of de-certifying the machine is cumbersome and “has wide-reaching consequences, affecting manufacturers, election administration at the state and local levels, as well as voters,” EAC commissioners wrote in a letter to the Committee on House Administration that CyberScoop obtained. To pass certification, voting vendors must meet a series of specifications outlined in the Voluntary Voting Systems Guidelines (VVSG), a set of standards that the EAC has been slow to update. In response to questions from the committee’s staff, EAC commissioners said the laborious de-certification process can be initiated if there is […]

The post Election commission says it won’t de-certify voting systems running old versions of Windows appeared first on CyberScoop.

Video captures glitching Mississippi voting machines flipping votes

A video that shows an electronic machine switching voters’ selections has gone viral, underscoring the need for paper audit trails.

Voting-machine companies are thinking about vulnerability disclosure, bug bounty programs

Voting-equipment vendors expressed interest Thursday in establishing a program for the coordinated disclosure of hardware and software vulnerabilities in their equipment — a practice common in other industries and long championed by security experts. An industry group offered support for a voluntary coordinated vulnerability disclosure (CVD) process that collaborates with ethical hackers to fix equipment flaws faster. The move comes as some security researchers and policymakers have criticized the industry’s big vendors for being slow to embrace ethical hacking. The commitment to work with “good-faith researchers marks a significant turn in industry-wide thinking,” says a white paper issued by the Elections Industry-Special Interest Group (EI-SIG), part of the IT-Information Sharing and Analysis Center. The group includes the country’s three largest vendors — Dominion Voting Systems, Election Systems & Software (ES&S), and Hart InterCivic. Perhaps the biggest challenge to establishing a CVD program will be aligning it with a federal testing and certification system — […]

The post Voting-machine companies are thinking about vulnerability disclosure, bug bounty programs appeared first on CyberScoop.

10,000 Microsoft customers targeted by nation-state attacks in the last year

Microsoft has notified 10,000 customers in the past year that they have been the targets of nation-state cyberattacks — some of which were successful — from Iran, North Korea, and Russia, Microsoft announced Wednesday. “This data demonstrates the significant extent to which nation-states continue to rely on cyberattacks as a tool to gain intelligence, influence geopolitics or achieve other objectives,” Tom Burt, corporate vice president of customer security & trust at Microsoft, wrote in a blog post on the matter. Microsoft has linked the attacks with a group linked with Iran broadly known as APT 33, with a group from North Korea known as APT 38, as well as two groups linked with Russia, APT 28 and APT 29, which Microsoft dubs Strontium and Yttrium respectively. APT 28 was behind the intrusions at the Democratic National Committee. Some of the attacks observed appear to be related to U.S. politics and […]

The post 10,000 Microsoft customers targeted by nation-state attacks in the last year appeared first on CyberScoop.

Elizabeth Warren wants to overhaul U.S. election security

Sen. Elizabeth Warren, D-Mass., released a plan focused on election security Tuesday that would replace every voting machine in the U.S. with “state-of-the-art” technology and require states to follow federal standards for federal elections. Warren, who is running for president, would replace outdated voting systems with voter-verified paper ballot machines, mandate voting equipment be paid for by the federal government, and require risk-limiting audits before elections take place. The proposal also makes the federal government responsible for election cybersecurity. “Our democracy is too important for it to be under-resourced and insecure,” Warren wrote in a post on Medium. “We have a solemn obligation to secure our elections from those who would try to undermine them.” Beyond requiring risk-limiting audits, Warren’s plan would add a condition for states seeking federal funding for elections administration. Among the conditions would be an examination of how states are making voting more convenient. “The federal […]

The post Elizabeth Warren wants to overhaul U.S. election security appeared first on CyberScoop.

Election Security: Back-to-Basics Approach Best Bet

Any conversation about the security of our digital future inevitably involves the subject of election security. Whether it’s an attempt to mitigate the risk of foreign adversaries using misinformation to influence national elections or mitigating the …

Election commission names new lead for testing and certifying voting systems

The federal Election Assistance Commission has appointed Jerome Lovato, a former Colorado state election official, as head of the commission’s program for testing and certifying voting systems, according to a commission email obtained by CyberScoop. Lovato replaces Ryan Macias, who was filling the role in an acting capacity and will step down this month. The crucial EAC program works with the country’s top voting equipment vendors to certify and decertify voting system hardware and software. Lovato’s appointment, which was first reported by Politico, comes as the commission prepares to help secure the 2020 election, a vote that U.S. officials have warned will be targeted by foreign adversaries. Senators are expected to raise those issues at an EAC oversight hearing next week. Some lawmakers have pushed for an increase in EAC funding to hire more tech and cybersecurity experts. Whether or not that money comes, the commission intends to hire more technical personnel, […]

The post Election commission names new lead for testing and certifying voting systems appeared first on CyberScoop.
