Aug 1, 2019

Inside election security's biggest event

Illustration: Rebecca Zisser/Axios

The DEF CON hacker conference's Voting Village event has become a testing ground for our national debate over voting security, referenced by Senate reports, several congressmen and even a presidential candidate (albeit incorrectly, see below). This year's version, happening next week, comes with some upgrades.

The big picture: Now in its third year, the event is traditionally one of the only places where many security researchers get a chance to audit the security of election systems.

Background: Voting Village burst onto the scene in 2017, when it took hackers only a matter of minutes to discover serious problems with machines.

  • That was despite it being the first time many of the hackers had seen the systems.
  • Restrictive contracts with states bar public third-party audits, but Voting Village beat the contract rules by purchasing flood-salvaged equipment from an insurance company.

This year, Voting Village has expanded its range of equipment, including election software researchers have not had a chance to audit and the first test of equipment designed specifically for security and public testing.

  • Cybersecurity firm Galois will demonstrate a project funded by DARPA, the Pentagon's advanced research arm, to develop hardware that defends against hackers that target memory.
  • Galois is publicly revealing system internals to try to aid DEF CON's hackers.

What they're adding: While in previous years state election officials bristled at even well-meaning hackers intruding on their turf, this year Voting Village will launch the "Unhack the Ballot" initiative, pairing state officials with researchers who can offer nuts and bolts advice.

  • The conference is also expanding from one day of talks to three days.

For the kids: In last year's DEF CON, Voting Village helped with the conference's program for kids, developing faux election registration websites with errors previously seen on real sites for children to learn to hack.

  • This tale got garbled in the media as children hacking actual election websites or exact facsimiles of the sites (they didn't). Presidential candidate and representative Tulsi Gabbard (D-Hawaii) regularly notes that "an 11 year old girl at DEFCON hacked a replica of Florida’s voting system in 10 minutes."

Voting Village is working with kids again, although this year trying to be clearer about what the kids are actually doing.

  • This year's faux websites will be campaign finance reporting portals, where kids will create fake news to unleash using bots on a fake version of Twitter.
  • They'll also learn about how to use machine learning to create filters that can block the fake news they've spread on that fake network.

Go deeper

Democratic caucuses' phone-in plan opens new risks

Illustration: Rebecca Zisser/Axios

Democrats in Iowa and Nevada want to boost participation in their 2020 caucuses by opening them up to telephone voting. Hacking-spooked Democrats have worked to protect the process from interference, but some experts still see notable risks.

Why it matters: Security concerns have long troubled digital voting systems. Many of the same problems with online voting carry over to telephone voting.

Go deeperArrowAug 1, 2019

Dime-a-dozen ransomware attacks could mess with elections

Illustration: Aïda Amer/Axios

State and city election boards have spent the better part of 3 years hardening their systems for a 2020 hacker invasion. Yet all that work may not be enough to keep out ransomware.

Driving the news: On Monday, Reuters was first to report that the Department of Homeland Security would begin helping elections officials prepare for ransomware attacks.

Go deeperArrowAug 29, 2019

Hackers arrive via special delivery

A Miami Post Office employee unloads packages in 2015. Photo: Joe Raedle/Getty Images

If it's too hard to breach a network over the internet, hackers may successfully resort to mailing an employee a device designed to steal passwords or implant malware over WiFi, IBM demonstrated in a novel proof-of-concept.

Why it matters: Organizations spend millions of dollars in products, manpower and training to screen incoming internet traffic for malicious attackers, but this snail mail technique could see helpful office managers bringing a hack right to their desk.

Go deeperArrowAug 7, 2019