Tag Archives: voting

Jake Braun discusses the Voting Village at DEF CON

Election security continues to be a hot topic, as the 2018 midterm elections draw closer. So, the Voting Village at DEF CON 26 in Las Vegas wanted to re-create and test every aspect of an election.

Jake Braun, CEO of Cambridge Global Advisors, based in Arlington, Va., and one of the main organizers of the DEF CON Voting Village, discussed the pushback the event has received and how he hopes the event can expand in the future.

What were the major differences between what the Voting Village had this year compared to last year?

Jake Braun: The main difference is it’s way bigger. And we’ve got, end to end, the voting infrastructure. We’ve got voter registration, a list of voters in the state of Ohio that are in a cyber range that’s basically like a county clerk’s network. Cook County, Illinois, their head guy advised us on how to make it realistic [and] make it like his network. We had that, but we didn’t have the list of voters last year.

That’s the back end of the voter process with the voter infrastructure process. And then we’ve got machines. We’ve got some new machines and accessories and all this stuff.

Then, on the other end, we’ve got the websites. This is the last piece of the election infrastructure that announces the results. And so, obviously, we’ve got the kids hacking the mock websites.

What prompted you to make hacking the mock websites an event for the kids in R00tz Asylum?

Braun: It was funny. I was at [RSA Conference], and we’ve been talking for a long time about, how do we represent this vulnerability in a way that’s not a waste of time? Because the guys down in the [Voting Village], hacking websites is not interesting to them. They’ve been doing it for 20 years, or they’ve known how to do it for 20 years. But this is the most vulnerable part of the infrastructure, because it’s [just] a website. You can cause real havoc.

I mean, the Russians — when they hacked the Ukrainian website and changed it to show their candidate won, and the Ukrainians took it down, fortunately, they took it down before anything happened. But then, Russian TV started announcing their candidate won. Can you imagine if, in November 2020, the Florida and Ohio websites are down, and Wolf Blitzer is sitting there on CNN saying, ‘Well, you know, we don’t really know who won, because the Florida and Ohio websites are down,’ and then RT — Russian Television — starts announcing that their preferred candidate won? It would be chaos.

Anyway, I was talking through this with some people at [RSA Conference], and I was talking about how it would be so uninteresting to do it in the real village or in the main village. And the guy [I was talking to said], ‘Oh, right. Yeah. It’s like child’s play for them.’

I was like, ‘Exactly, it’s child’s play. Great idea. We’ll give it to R00tz.’ And so, I called up Nico [Sell], and she was like, ‘I love it. I’m in.’ And then, the guys who built it were the Capture the Packet guys, who are some of the best security people in the planet. I mean, Brian Markus does security for … Aerojet Rocketdyne, one of the top rocket manufacturers in the world. He sells to [Department of Defense], [Department of Homeland Security] and the Australian government. So, I mean, he is more competent than any election official we have.

The first person to get in was an 11-year-old girl, and she got in in 10 minutes. Totally took over the website, changed the results and everything else.

How did it go with the Ohio voter registration database?

Braun: The Secretaries of State Association criticized us, [saying], ‘Oh, you’re making it too easy. It’s not realistic,’ which is ridiculous. In fact, we’re protecting the voter registration database with this Israeli military technology, and no one has been able to get in yet. So, it’s actually probably the best protected list of voters in the country right now.

Have you been able to update the other machines being used in the Voting Village?

Braun: Well, a lot of it is old, but it’s still in use. The only thing that’s not in use is the WinVote, but everything else that we have in there is in use today. Unlike other stuff, they don’t get automatic updates on their software. So, that’s the same stuff that people are voting on today.

Have the vendors been helpful at all in providing more updated software or anything?

Braun: No. And, of course, the biggest one sent out a letter in advance to DEF CON again this year saying, ‘It’s not realistic and it’s unfair, because they have full access to the machines.’

Do people think these machines are kept in Fort Knox? I mean, they are in a warehouse or, in some places, in small counties, they are in a closet somewhere — literally. And, by the way, Rob Joyce, the cyber czar for the Trump administration who’s now back at NSA [National Security Agency], in his talk [this year at DEF CON, he basically said], if you don’t think that our adversaries are doing exactly this all year so that they know how to get into these machines, your head is insane.

The thing is that we actually are playing by the rules. We don’t steal machines. We only get them if people donate them to us, or if we can buy them legally somehow. The Russians don’t play by the rules. They’ll just go get them however they want. They’ll steal them or bribe people or whatever.

They could also just as easily do what you do and just get them secondhand.

Braun: Right. They’re probably doing that, too.

Is there any way to test these machines in a way that would be acceptable to the manufacturers and U.S. government?

Braun: The unfortunate thing is that, to our knowledge, the Voting Village is still the only public third-party inspection — or whatever you want to call it — of voting infrastructure.


The vendors and others will get pen testing done periodically for themselves, but that’s not public. All these things are done, and they’re under [nondisclosure agreement]. Their customers don’t know what vulnerabilities they found and so on and so forth.

So, the unfortunate thing is that the only time this is done publicly by a third party is when it’s done by us. And that’s once a year for two and a half days. This should be going on all year with all the equipment, the most updated stuff and everything else. And, of course, it’s not.

Have you been in contact with the National Institute of Standards and Technology, as they are in the process of writing new voting machine guidelines?

Braun: Yes. This is why DEF CON is so great, because everybody is here. I was just talking to them yesterday, and they were like, ‘Hey, can you get us the report as soon as humanly possible? Because we want to take it into consideration as we are putting together our guidelines.’ And they said they used our report last year, as well.

How have the election machines fared against the Voting Village hackers this year?

Braun: Right, of course, they were able to get into everything. Of course, they’re finding all these new vulnerabilities and all this stuff. 

The greatest thing that I think came out of last year was that the state of Virginia wound up decommissioning the machine that [the hackers] got into in two minutes remotely. They decommissioned that and got rid of the machine altogether. And it was the only state that still had it. And so, after DEF CON, they had this emergency thing to get rid of it before the elections in 2017.

What’s the plan for the Voting Village moving forward?

Braun: We’ll do the report like we did last year. Out of all the guidelines that have come out since 2016 on how to secure election infrastructure, none of them talk about how to better secure your reporting websites or, since they are kind of impossible to secure, what operating procedures you should have in place in case they get hacked.

So, we’re going to include that in the report this year. And that will be a big addition to the overall guidelines that have come out since 2016.

And then, next year, I think, it’s really just all about, what else can we get our hands on? Because that will be the last time that any of our findings will be able to be implemented before 2020, which is, I think, when the big threat is.

A DEF CON spokesperson said that most of the local officials that responded and are attending have been from Democratic majority counties. Why do you think that is?

Braun: That’s true, although [Neal Kelley, chief of elections and registrar of voters for] Orange County, attended. Orange County is pretty Republican, and he is a Republican.

But I think it winds up being this functionally odd thing where urban areas are generally Democratic, but because they are big, they have a bigger tax base. So then, the people who run them have more money to do security and hire security people. So, they kind of necessarily know more about this stuff.

Whereas if you’re in Allamakee County, Iowa, with 10,000 people, the county auditor who runs the elections there, that guy or gal — I don’t know who it is — but they are both the IT and the election official and the security person and the whatever. You’re just not going to get the specialized stuff, you know what I mean?

Do you have any plans to try to boost attendance from smaller counties that might not be able to afford sending somebody here or plans on how to get information to them?

Braun: Well, that’s why we do the report. This year, we did a mailing of 6,600 pieces of mail to all 6,600 election officials in the country and two emails and 3,500 live phone calls. So, we’re going to keep doing that.
 
And that’s the other thing: We just got so much more engagement from local officials. We had a handful come last year. We had several dozen come this year. None of them were public last year. This year, we had a panel of them speaking, including DHS [Department of Homeland Security].

So, that’s a big difference. Despite the stupid letter that the Secretary of State Association sent out, a lot of these state and local folks are embracing this.

And it’s not like we think we have all the answers. But you would think if you were in their position and with how cash-strapped they are and everything, that they would say, ‘Well, these guys might have some answers. And if somebody’s got some answers, I would love to go find out about those answers.’

Irregularities discovered in WinVote voting machines

LAS VEGAS — The insecurity of electronic voting systems has been well-documented, but so far there has been no concrete evidence that those systems have been hacked in the field. However, a forensic analysis by security researcher Carsten Schuermann discovered irregularities in eight WinVote voting machines used in Virginia elections for more than a decade.

Speaking at Black Hat 2018, Schuermann, associate professor at IT University of Copenhagen, presented data that showed voting machine irregularities in WinVote systems used in a variety of state and federal elections from 2004 to 2014. In his session, titled “Lessons from Virginia – A Comparative Forensic Analysis of WinVote Voting Machines,” Schuermann also pushed for mandated paper ballots and regular audits to mitigate potential threats.

“When you add technology to the voting process, you clearly increase its attack surface,” Schuermann said.

Schuermann noted that there are actually two problems with insecure voting machines. The first is obvious — the systems can be easily hacked.

“That’s a real threat,” he said. “But the other threat is equally important and equally dangerous, and that is the threat of an alleged cyberattack — when people claim there was a cyberattack when there actually wasn’t.”

Such allegations can disrupt elections and damage the credibility of voting results. And since too many voting machines don’t produce paper trails, he said, those allegations can be as damaging as a real cyberattack.

Schuermann had such a voting machine with him on stage — a decommissioned WinVote system that had a printer but only printed vote tallies and not individual ballots. He said he obtained eight WinVote voting machines from an unnamed source two years ago, and first hacked into one of the machines for a DEFCON Voting Village session last year.

Schuermann followed up with a deeper forensic analysis that uncovered concerning voting machine irregularities as well as serious vulnerabilities. He told the audience that while he had access to the machines’ SSDs, he did not have any access to memory or memory dumps, security logs or a record of wireless connections.

But what data was available showed a number of holes that hackers could exploit, including open ports (135, 139, 445 and 3387, among others) and unpatched versions of Windows XP Embedded from 2002 that were vulnerable to a critical buffer overflow attack, CVE-2003-0352.

“Another problem is that this machine has wireless turned on all the time,” Schuermann said, adding that the wireless password for the systems was “ABCDE.” “That’s not a very secure password.”


Those vulnerabilities in themselves didn’t prove the machines had been hacked, but a closer examination of files on some of the WinVote voting machines showed unexplained anomalies. One of the machines, for example, had MP3s of a Chinese pop song and traces of CD ripping software, and data showed the machine broadcast the song on the internet. That was strange, he said, but there were more concerning voting machine irregularities.

For example, three of the machines used during the 2005 Virginia gubernatorial election dialed out via their modems on Election Day, though the data didn’t explain why. Schuermann speculated that perhaps the systems were getting a security update, but one of the machines actually dialed the wrong number.

In addition, two of the systems that were used in the 2013 Virginia state elections had more than 60 files modified on Election Day before the polls closed. USB devices were also connected to one of the machines while the polls were open.

“That’s really bizarre,” he said.

It was unclear whether the files were modified as part of a system update, he said, and there wasn’t enough data to explain what those USB connections were for. Schuermann cautioned the audience that the voting machine irregularities weren’t necessarily evidence of hacking, but he said the uncertainty about the irregularities should serve as a call to action. Only a few states, he said, have electronic voting systems that produce paper ballots and can be audited.

“I have only one conclusion,” he said. “And that is, use paper and do your audits.”
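The kind of check behind the Election Day finding above, as an added example (not code from Schuermann's analysis or from the original article): it walks a read-only mount of a disk image and lists the files whose modification time falls inside the polling window. The election date, poll hours, fixed UTC-5 offset and file names are assumed or constructed sample values.

```python
import os
import tempfile
from datetime import datetime, timedelta, timezone

# Assumed values for the sample, not taken from the talk.
EST = timezone(timedelta(hours=-5))                      # fixed offset, no DST handling
POLLS_OPEN = datetime(2013, 11, 5, 6, 0, tzinfo=EST)     # assumed opening time
POLLS_CLOSE = datetime(2013, 11, 5, 19, 0, tzinfo=EST)   # assumed closing time


def scan_tree(root):
    """Yield (relative_path, mtime as aware UTC datetime) for each file under root.

    root is expected to be a read-only mount of an evidence image.
    """
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)  # lstat: never follow symlinks out of the image
            except OSError:
                continue  # unreadable entry: skip it rather than abort the scan
            yield (os.path.relpath(full, root),
                   datetime.fromtimestamp(st.st_mtime, tz=timezone.utc))


def modified_while_polls_open(records, opens=POLLS_OPEN, closes=POLLS_CLOSE):
    """Return the records with opens <= mtime < closes, oldest first."""
    hits = [(path, when) for path, when in records if opens <= when < closes]
    return sorted(hits, key=lambda rec: rec[1])


def build_sample_image(root):
    """Create a constructed sample tree standing in for a mounted image."""
    samples = {
        "app/update.bin": datetime(2013, 11, 5, 10, 30, tzinfo=EST),   # polls open
        "data/tally.db": datetime(2013, 11, 5, 18, 59, tzinfo=EST),    # polls open
        "data/closeout.log": datetime(2013, 11, 5, 19, 0, tzinfo=EST), # at close
        "app/ballot.cfg": datetime(2013, 11, 5, 5, 59, tzinfo=EST),    # before open
        "app/setup.log": datetime(2013, 11, 4, 12, 0, tzinfo=EST),     # day before
    }
    for rel, when in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("constructed sample")
        stamp = when.timestamp()
        os.utime(full, (stamp, stamp))  # set atime and mtime to the sample value


def demo():
    """Scan the constructed tree and return the flagged paths, oldest first."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_image(root)
        hits = modified_while_polls_open(scan_tree(root))
        return [path.replace(os.sep, "/") for path, _when in hits]


if __name__ == "__main__":
    for flagged in demo():
        print(flagged)
```

A hit from a check like this is a lead for further examination, not proof of tampering: modification times follow the device's own clock and can be changed by any process with write access.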

DEFCON hopes voting machine hacking can secure systems

A new report pushes recommendations based on the research done into voting machine hacking at DEFCON 25, including basic cybersecurity guidelines, collaboration with local officials and an offer of free voting machine penetration testing.

It took less than an hour for hackers to break into the first voting machine at the DEFCON conference in July. This week, DEFCON organizers released a new report that details the results from the Voting Village and the steps needed to ensure election security in the future.

Douglas Lute, former U.S. ambassador to NATO and retired U.S. Army lieutenant general, wrote in the report that “last year’s attack on America’s voting process is as serious a threat to our democracy as any I have ever seen in the last 40+ years – potentially more serious than any physical attack on our Nation.”

“Loss of life and damage to property are tragic, but we are resilient and can recover. Losing confidence in the security of our voting process — the fundamental link between the American people and our government — could be much more damaging,” Lute wrote. “In short, this is a serious national security issue that strikes at the core of our democracy.”

In an effort to reduce the risks from voting machine hacking, DEFCON itself will be focusing more on the election systems. Jeff Moss, founder of DEFCON, said during a press conference for the report that access to voting machines is still a major hurdle.

“The part that’s really hard to get our hands on is the back-end software that ties the voting machines together — to tabulate, to accumulate votes, to provision a voting ballot, to run the election, to figure out a winner — and boy we really want to have a complete voting system to attack, so people can attack the network, they can attack the physical machines, they can go after the databases,” Moss said. “This is the mind-boggling part: just as this is the first time this is really being done — no NDAs — there’s never been a test of a complete system. We want a full end-to-end system so it’s one less thing people can argue about. We can say, ‘See? We did it here too.’”

DEFCON had obtained the voting machines tested at the 2017 conference from second-hand markets, like eBay, but hopes to have more cooperation from election officials and the companies that make the voting equipment. Moss said it is still unclear what exactly DEFCON will be allowed to do in 2018 because the DMCA exemption that allows voting machine hacking currently needs to be renewed.

Immediate voting machine security

DEFCON officials noted that election security needs to be improved before the 2018 DEFCON conference so local officials can prepare for the 2018 mid-term elections.

John Gilligan, board chair and interim CEO for the Center for Internet Security (CIS), said his organization was working “to take the elections ecosystem and to develop a handbook of best practices” around election security. CIS has invited DHS, NIST, the Election Assistance Commission, the National Association of Secretaries of State and other election officials to collaborate on the process.

“We have 400 or 500 people who currently collaborate with us, but we’re going to expand that horizon a bit because there are those who have specific expertise in election systems. The view is: let’s get together and very quickly — by the end of this calendar year — produce a set of best practices that will be given to the state and local governments,” Gilligan said in a news conference on Tuesday. “Our effort will complement what the Election Assistance Commission is developing presently with NIST.”

Jake Braun, cybersecurity lecturer at the University of Chicago and CEO of private equity firm Cambridge Global, headquartered in Washington, said the DEFCON team would provide free voting machine pen testing to any election officials that want the help.


“If you’re an election official, the thing you can do coming out of this is to contact DEFCON and offer to give out your schemes, your databases, give access to whatever else you want tested. This is essentially free testing and training for your staff, and that would normally cost you millions of dollars to purchase on your own.”

Moss said the industry’s fear of hackers is common, but stressed that the team only wanted to help.

“This is the first scrutiny the manufacturers have had and they don’t know what to do. And that’s a pretty routine response. We saw that from the medical device world, car world, access control, ATMs,” Moss said. “When these industries first come into contact with hackers and people who are giving an honest opinion of their technology, they pull back and hide for a while. If you’re doing a good job, we’ll tell you, ‘Hey, that’s awesome.’ And, if you’re doing a poor job, we’ll say, ‘Can you please fix that?’ But the best part is it’s free. You’re getting some of the world’s best hackers doing pro bono work, giving away reports for free — normally these people make thousands of dollars a day — and they’re doing it just because they want to see what’s possible.”

The DEFCON voting machine hacking report noted a number of misconceptions surrounding the security of elections, but Harri Hursti, founding partner at Nordic Innovations Lab, said one of the biggest issues was the idea that there had “never been a documented incident where votes have been changed during a real election.”

“These machines don’t have the capability of providing you forensic evidence to see that. They cannot prove they are honest; they cannot prove they were not hacked. They simply don’t have the fundamental, basic capabilities of providing you that data,” Hursti said in the press conference. “The only way you can see if the machine was hacked is if the attacker wanted to be found. That’s the sad truth. It can be done without leaving a trace.”