Tag Archives: voting machines

Security News for the Week Ending August 7, 2020

Microsoft Considering Buying TikTok

In light of President Trump’s threats to ban TikTok, Microsoft says that it is considering buying the company from its Chinese owners. That would be a win-win-win for Microsoft. They would add another social media platform to their inventory. The can probably buy it at fire sale prices and they would be doing something nice for the Republican administration. Credit: NY Times

Republicans Say TikTok is a National Security Risk

The current Republican administration says that TikTok is a national security risk and it may well be, but not for any of the reasons that they are talking about. Secretary of State Pompeo says that the TikTok and other Chinese owned software might be feeding the Chinese your address, your facial image, phone number or friends. First of all, they likely have all of that already. Second, they can get all that information from Twitter or Facebook, so what is special about TikTok and third, they can buy or steal all of that and a whole lot more from any one of a thousand data brokers and it is all legal.

Why is this only a China problem and not, say, a Russia problem? One reason is that we don’t tend to use Russian software. But in the bigger picture, if the Republicans don’t think that Russia, North Korea, Iran, as well as friendly countries like France, Israel and Germany, among many others, they are wrong. After all, we are doing this, both to our citizens and theirs.

The bigger problem is that the TikTok software, along with a lot of other software running on your computers (PC or Mac) and phones (iPhone and Android) is horribly unsecure and is leaking WAY MORE data than just that. And that assumes that the software does not have malicious intent. *THAT* is a national security risk that the Republicans don’t want to talk about because it cost American businesses money to fix that problem. What if a malicious update to a piece of software vacuumed whatever data it could off your phone – contacts, texts, photos. It is probably more realistic than you think. Credit: Fox News

Papers Leaked Before UK Election Linked to Russia

Classified US-UK trade documents that were leaked before the recent UK election in an attempt to manipulate the elections are now being linked to Russia. They were stolen from former British trade minister Liam Fox. The Brits say that they have a “very robust” system to protect classified documents and are investigating how the Russians access Fox’s email multiple times between July and October of last year in spite of this so-called robust system. This is a classic technique that all intelligence services try to use – steal documents. Cherry pick which ones to leak. Use social media to generate outrage. Rinse and repeat. Score one for Russia. Credit: US News

Shocking News: Voting Machine Security Improves When you Work With Researchers

Voting machine maker ES&S has a horrible reputation when it comes to security. Organizers at Defcon bought used ES&S (and other) voting hardware and let people hack it. I don’t think any piece of their hardware lasted 5 minutes. What was ES&S’s response? They threatened to sue. Recently, they have begun to change that strategy. They are now going to offer a bug bounty program managed by an independent third party and are actually listening to the researchers. Did the gov threaten to blackball their machines? Who knows? Whatever they did, it is good for voting security. Credit: The Register

Security News for the Week Ending May 22, 2020

AG Says They Unlocked Shooter’s iPhone Without Needing Apple to Hack Their Security

For a couple of decades the FBI and Justice Department has been saying that software vendors need to insert backdoors into their security software to make it easier for the government to hack it if they want to.

One high profile case was the Pensacola Naval Air Station shooter, who was killed by police in the attack (making it difficult to prosecute him). Therefore, the FBI didn’t need anything off his phone to prosecute him, BUT they did want info in order to get useful intelligence about who he was working for/with and what other attacks might be planned.

In spite of the AG’s relentless claims that they need companies like Apple to insert backdoors into their systems – which will inevitably get into the hands of hackers and ruthless governments – Barr announced this week that they broke into the phones without Apple’s help. Barr said that hacking the phones was due to the great work of the FBI. Much more likely, they just placed the phone in a Cellebrite box (or competitor) and wait.

What probably galls Barr is that if he doesn’t have an unlimited license (which I am sure he does), he would have had to pay Cellebrite $1,500 for each phone he wanted to unlock.

This announcement definitely weakens the argument that software vendors need to weaken security for everyone so that the police can hack phones when it is important. Credit: The Register

Rogue ADT Tech Spies on Customer CCTV of Teen Girl

ADT has revealed that one of their techs used his permissions to access the accounts of hundreds of ADT customers and watch them via their security cameras. Last month an ADT customer in Dallas spotted an unexpected email address listed as an admin user on their account. The employee has used that email to access the home’s cameras over 100 times.

Apparently, not only could he spy on naked customers, but he could also unlock their homes if they had smart locks. One of the naked customers in question sued ADT last week.

People need to think about where they place security cameras and whether smart locks are really smart to use. Credit: The Register

Details Leaking on WHY for Prez’s EO on Securing the Grid

Earlier this month, the president issued an EO that sorta, kinda stopped the power grid from buying things that could allow adversaries to compromise the grid. I said sorta, kinda because the EO (read the text) doesn’t actually identify anything that people can’t buy. It does, however, form a committee to figure out what that might be.

Here’s what’s new. A U.S. power utility discovered a “hardware backdoor” on a Chinese transformer that was delivered to them and that they found things “that should not be there”. They think there are many of these already installed in America.

If true and I have no reason to doubt it, but almost no details to confirm it, that could be a really serious problem. A bigger problem is that the U.S. doesn’t manufacture any big transformers like the kind the utilities use.

So, if the feds ban Chinese transformers, I can describe a scenario where folks working in cooperation with the Chinese destroy a sufficient number of existing transformers with utilities not allowed to buy replacements and potentially leaving millions in brown-out or black-out conditions for months. Homeland Security is believed to have been secretly trying to figure out a solution for several years. Credit: CSO Online

Hackers Jailbreak New Apple iOS One Day After Release

Apple announced a new version of the iPhone software, 13.5, this week and the next day hackers claimed they had a hack to jailbreak the new version – every device, even the iPad Pro. That can’t possibly make Apple happy, but there are some in the hacking community that are very happy. Credit: Mac Rumors

Chinese Hardware Powers US Voting Machines

Third party risk company Interos took apart one very popular, widely used, touch screen voting machine and found that 20% of the machines components came from a company headquartered in Russia or China. 59% of the parts came from companies with locations in Russia and China.

Interos Visualization of Voting Machine Suppliers by Country. Image courtesy of Interos.

The red dots represent components from companies based in China. Given the the U.S. manufactures very little any more, this is not much of a surprise.

Paper based vote by mail sounds better by the day. Credit: Security Ledger

Security News Bites for the Week Ending July 20, 2018

Israeli Startup Raises $12.5 Million to Help Governments Hack IoT

Given the sad state of IoT security, I am not sure that governments need any help in hacking IoT devices, but just in case they do, Israeli startup Toka raised $12.5 million to help police hack iPhones, Alexas, Echos and Nests, along with other IoT devices like your TV, refrigerator and dishwasher.

If you weren’t paranoid before, maybe you should be now.

Former Israeli Prime Minister Ehud Barak is a cofounder and Brigadier General Yaron Rosen, former head of the Israel Defense Forces cyber staff is the president of Toka.

Kind of like NSA’s Tailored Access Operations (TAO) that builds custom hacks for the NSA, Toka said they are going to see what customers ask for and then deliver.

This sounds like a company to watch.  (Source: Forbes)

U.S. Intel Chief Warns of Devastating Cyber Threat to U.S. Infrastructure

Director of National Intelligence Dan Coats said the warning lights are blinking red again, nearly two decades after 9-11.

Russia, China, Iran and North Korea are launching daily cyber strikes on the networks of federal, state and local government agencies, U.S. corporations and academic institutions.

Of the four, Russia has been the most aggressive according to Coats.

Coats warned that the possibility of a “crippling cyber attack on our critical infrastructure” by a foreign actor is growing. (Source: Reuters)

Voting Machine Vendor Admits Installing Remote Access Software After Lying About it to the New York Times

Election Systems and Software admitted in a letter sent to Senator Ron Wyden that they installed pcAnywhere remote access software on some voting machines delivered between 2000 and 2006.  This is opposite what they told a New York Times reporter in February, so either they were lying then or are lying now, pick one.

They stopped installing the remote access software in December 2007 after the laws changed which would have made installing that software illegal.

The remote access software was not on the ballot boxes in the local precincts but rather on the election management systems in the city and county headquarters.  There are much fewer of these systems and each one is accountable for many voting machines, which would make them a much more attractive target for hackers.  (Source: Motherboard)

LabCorp Shuts Down Network Due to Ransomware Attack

Laboratory Corporation of America, known to most Americans as LabCorp shut down portions of its network over the weekend due to suspicious activity.  That is about as vague as the company has been.

The attack hit the company’s genetic testing unit and spread from there.  The company has data on over 250 million Americans. LabCorp says there is no indication that data was breached, but according to people familiar with the attack, it is a strain of the common ransomware SamSam and it has infected tens of thousands of workstations.

The hackers demanded $52,000 in ransom which LabCorp says it has no intention of paying.

LabCorp is working hard to try and minimize brand damage as the fight for marketshare with Quest Diagnostics.  Unfortunately, unless they can prove that no data was stolen, under HIPAA rules, this will be considered a breach and must be reported to the government, at which point we will get more details.  Source: Wall Street Journal.