Voting Village In Vegas: Gambling Or Voting? 

As you walk through the lobby of Caesar’s Palace, you marvel at the grand marble pillars and the sea of glittering chandeliers. You are floored by the opulence and glitz that surrounds you. The lobby bustles with tourists looking to win big, and their excitement fills the air. As you open the door to the conference room, though, the atmosphere does a complete 180. Computers, voting machines and E-polling devices fill the room wall to wall, with network and power cables snaked between them. Blinking lights pulse to a steady rhythm. You’ve just stepped into the DEF CON Voting Village. 

White hat hackers (the good guys) travel here annually from around the world to hack into voting machines and report whatever vulnerabilities they find to vendors and authorities. This year, their convergence at Caesar’s Palace took place from the tenth of August to the twelfth. They’ve been meeting since 1993, figuring out how to hack anything from security systems to light bulbs to cars. They started hacking voting machines in 2017.    

That first year, it took them two minutes to hack the system remotely and manipulate the votes. This year, one participant modified the touch-screen voting platform to show a video of Rick Astley’s “Never Gonna Give You Up”—just a fun little prank to demonstrate the system’s vulnerability. But beyond that, they found many real issues. For instance, they were able to use a USB drive to scramble the machines’ tallying capabilities. Though many more issues were found, they’ve been kept closely guarded so as not to fall into the hands of bad actors. 

The hacking team provided their results to the vendors. Unfortunately, none of the vulnerabilities they discovered will be fixed in time for the election. The vendors claim that there isn’t enough time, and that the process is much more complex than the tailoring and debugging of your monthly Microsoft updates. Many of the vulnerabilities DEF CON identified in their first Voting Villages were found again this year. Harri Hursti, Voting Village’s co-founder, said in an interview at the end of the event, “There’s so much basic stuff that should be happening and is not happening, so yes I’m worried about things not being fixed, but they haven’t been fixed for a long time, and I’m also angry about it.” 

Hursti seems concerned about the threat foreign adversaries pose to US elections. He noted that it took his team only two-and-a-half days to find and take advantage of the faults in the system. “If you don’t think this kind of place is running 24/7 in China, Russia, you’re kidding yourselves,” he said. I agree. Any organization with the resources and an incentive can easily hack this infrastructure.   

Jake Braun, another co-founder of the event, noted in a podcast in August that the E-poll books are especially easy to hack and are notorious for breaking often. This could cause serious delays. He recommends that polling stations print multiple copies of the voter registration lists for each district. 

In our column on voting machines this past spring, I noted that the calibration of the touchscreen affects how the voters’ input maps to different locations on the screen. If the calibration is incorrect, it could alter the voters’ choices. During early voting for the November election, there are reports that this has happened in both Tarrant County, TX and in Shelby County, TN. The screen showed the proper vote, but the printed copy showed a vote for the unselected candidate. If you are using the touch screen device, check your printed ballot.

Although gambling might be the heart of Las Vegas, it should not be the heart of Election Day. Using this infrastructure to determine who governs our land is like pulling the handle of a slot machine in Caesar’s lobby.

Cyber-attacks on voting infrastructure. Is there a backup plan?

Imagine if, during this upcoming election in November, no results were available until days after the election. On July 31st the Cybersecurity and Infrastructure Security Agency (CISA), in conjunction with the Federal Bureau of Investigation (FBI), released a public service announcement stating that there is potential for a Distributed Denial of Service (DDoS) attack on election infrastructure and adjacent infrastructure that supports operations.

To better understand the situation, here is some background information. CISA was established in November 2018 to enhance the security, resilience, and reliability of the nation’s critical infrastructure. CISA is at the heart of mobilizing a collective defense to understand and manage risk to our critical infrastructure and associated National Critical Functions. Basically, CISA is charged with protecting US cyberspace as well as the nation’s critical infrastructure such as power, water, and even our elections.

A DDoS attack is a malicious attempt to disrupt the normal traffic of a targeted server, service, or network by overwhelming it with a flood of internet traffic. Hackers do this by using many compromised computer systems as a source of attack traffic. It is like a mob of people rushing to a store to block legitimate customers from shopping. Imagine tens of thousands of computers that have been loaded with malware without the users’ knowledge. Now imagine all those computers running a program at the same time, making continuous requests against specific sites in the election infrastructure.

Now back to the announcement from CISA: 

“With Election Day less than 100 days away, it is important to help put into context some of the incidents the American public may see during the election cycle that, while potentially causing some minor disruptions, will not fundamentally impact the security or integrity of the democratic process,” said CISA Senior Advisor Cait Conley. “DDoS attacks are one example of a tactic that we have seen used against election infrastructure in the past and will likely see again in the future, but they will NOT affect the security or integrity of the actual election.”

CISA’s intent is to assure the public that the elections will not be affected even though there may be disruptions that may prevent the public from receiving timely information. However, if they know that adversaries may target the elections, how do they know that the elections will be safe and secure? How do they know that a DDoS against the voting tabulation network won’t block results from being collated? How do they keep a breach from occurring in the voting infrastructure? What happens if there is a major regional power outage due to cyber-attack? As we know from the CrowdStrike outage where Maricopa County’s Dominion voting machines got the blue screen of death update (see article from 2 weeks ago for more details), voting machines are on the network. Why would only the peripheral reporting structure be affected and not the actual voting? As a cybersecurity professional, I find that the joint FBI and CISA statement provides more questions than answers.

Perhaps to properly secure the election system, we need to employ the same cybersecurity strategies that businesses use in case of emergencies. There should be contingency plans ready in case of a cybersecurity event. Precincts, counties and states should be ready to manually count the votes for all the races in case of a regional or national cyber-attack. The people required to perform the required functions – counters, watchers, recorders – should be prepared and ready. Knowing the risks, should manual counting of paper ballots at the precinct level be the primary method with machine backup?

It seems CISA and the FBI are placating the public and telling us not to worry. Maybe they should put more resources into hardening the infrastructure and working with the local resources on contingency planning in case of emergency.

This article was originally published in the Sierra Vista Herald.