US e-voting machines are (still) woefully antiquated and subject to fraud

With fewer than 24 hours before polls open for the 2016 US presidential election, consider this your periodic reminder that e-voting machines expected to tally millions of votes are woefully antiquated and subject to fraud should hackers get physical access to them.

A case in point is the Sequoia AVC Edge Mk1, a computerized voting machine that will be used in 13 states this year, including in swing states such as Arizona, Pennsylvania, and Wisconsin. The so-called direct-recording electronic vote-counting system has long been known to be susceptible to relatively simple hacks that manipulate tallies and ballots. Researchers from security firm Cylance are driving that point home with demonstration hacks. The first one causes one or more votes for one candidate to count as votes for that candidate's rival. A second one alters the names as they appear on the electronic balloting screen.

Cylance discloses voting machine vulnerability.

The hacks work by tampering with—or more precisely, reflashing—the PCMCIA card, a storage device in the voting machine that's similar to the tiny hard drive that's used by many digital cameras. The fraud could be carried out by inserting a maliciously modified card inside a Sequoia AVC Edge machine, although the attackers would likely have to circumvent tamper-evident seals that are designed to flag such abuse. The video above shows the hack being used to alter both the public and protective counters the machine uses to count and recount results to ensure tallies are valid. The decade-old hack first came to public attention in 2007 in a research paper titled Source Code Review of the Sequoia Voting System.
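The attack described above works because the machine trusts whatever is on the removable card. One defensive counterpart is a pre-insertion integrity check run by election staff or auditors: hash the card image, compare it against an authenticated manifest of certified images, and cross-check the public and protective counters after the close of polls. The Python below is an added example, not Cylance's code, Ars Technica's, or anything from the Sequoia system; the manifest format, the use of an HMAC in place of a real signature, and the counter semantics (public counter resets per election, protective counter is cumulative) are assumptions, and all hashes, keys and counter values are constructed sample data.

```python
# Added example: offline integrity check for a voting-machine card image plus
# a public/protective counter cross-check. All values are CONSTRUCTED; the
# manifest layout and counter semantics are assumptions, not Sequoia specifics.
import hashlib
import hmac

# Constructed "known-good" manifest: image name -> expected SHA-256 hex digest.
# In practice this would be published by the certifying authority.
KNOWN_GOOD = {
    "ballot-def-v1": hashlib.sha256(b"BALLOT-DEFINITION-IMAGE-v1").hexdigest(),
}

# Constructed shared secret. Assumption: a keyed MAC stands in for the
# digital signature a real certification body would put on the manifest.
MANIFEST_KEY = b"constructed-demo-key"


def manifest_tag(manifest: dict, key: bytes) -> str:
    """HMAC-SHA256 over a canonical serialisation of the manifest, so that
    editing the expected hashes themselves is detected."""
    canon = "\n".join(f"{k}={v}" for k, v in sorted(manifest.items())).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def verify_image(image: bytes, name: str, manifest: dict, tag: str, key: bytes) -> bool:
    """True only if the manifest authenticates AND the image hash matches the
    entry for `name`. Unknown names are rejected rather than trusted."""
    if not hmac.compare_digest(manifest_tag(manifest, key), tag):
        return False  # manifest tampered or wrong key
    expected = manifest.get(name)
    if expected is None:
        return False  # image not on the certified list
    actual = hashlib.sha256(image).hexdigest()
    return hmac.compare_digest(actual, expected)


def counters_consistent(public_counter: int, protective_start: int, protective_end: int) -> bool:
    """Assumed DRE counter semantics: the public counter counts ballots cast
    in this election, the protective counter is a lifetime total. The number
    of ballots cast must therefore equal the growth of the protective counter
    between the pre-election and post-election readings."""
    if public_counter < 0 or protective_end < protective_start:
        return False
    return protective_end - protective_start == public_counter


if __name__ == "__main__":
    tag = manifest_tag(KNOWN_GOOD, MANIFEST_KEY)
    good = b"BALLOT-DEFINITION-IMAGE-v1"
    reflashed = b"BALLOT-DEFINITION-IMAGE-v1-swapped-candidates"  # constructed

    print("certified image:", verify_image(good, "ballot-def-v1", KNOWN_GOOD, tag, MANIFEST_KEY))
    print("reflashed image:", verify_image(reflashed, "ballot-def-v1", KNOWN_GOOD, tag, MANIFEST_KEY))

    # Attacker edits the manifest to bless the reflashed image but cannot re-sign it.
    forged = {"ballot-def-v1": hashlib.sha256(reflashed).hexdigest()}
    print("forged manifest:", verify_image(reflashed, "ballot-def-v1", forged, tag, MANIFEST_KEY))

    # Counter readings taken before polls open and after they close (constructed).
    print("counters ok:", counters_consistent(412, 10000, 10412))
    print("counters off:", counters_consistent(412, 10000, 10420))
```

The counter check only catches tampering that leaves the two counters out of step; an attacker who rewrites both consistently defeats it, which is why the image hash check and the physical seal inspection the article mentions are needed alongside it.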

Talking About Cyber Risks Educates the Community

In the last 12 months, we have seen an unprecedented number of cyberattacks occur or come to light, including sophisticated attacks against governments, businesses, consumers, and the pillars of the Internet itself. The future appears to be fraught with runaway risks. Can security tame data breaches, ransomware, massive denial of service assaults, cyber theft, and attacks against autonomous and Internet-connected devices that potentially put people's lives in jeopardy?

That was the topic for the advisory council members of the Bay Area SecureWorld conference, recently held in San Jose, Calif. As moderator, I had the task of keeping control of a conversation with a room full of passionate experts who live and breathe these challenges every day.

In the past year, a number of significant risks have arisen. The team had no hesitation in talking about some of the big issues.

IoT DDoS attacks

Consumers and business are feeling the impact of massive distributed denial of service (DDoS) attacks, fueled by insecure Internet of Things (IoT) devices. The sheer impact of data and requests that these botnets can wield is an order of magnitude greater than the industry’s comfort zone. The consensus is that everyone should be worried and the fix is not quick. The IoT industry must change to embrace security across the life cycle of these devices. In a twisted way, these recent attacks are a good wake-up call for the industry. The group agreed that it is far better to have these incidents occur now rather than down the road, when billions more IoT devices will be connected to the Internet.

Data breaches

On the heels of the worst year (2015) for health care data breaches, the hemorrhaging continues. This is by no means limited to health care, as many other sectors are being impacted. An interesting debate emerged challenging the role and impacts of government regulations in this space. One side postulated the government has weakened security by setting a confusing bar that is too low. Compliance does not make organizations secure, which is an unfortunate mental trap. Many organizations fund only what is needed to achieve the minimal requirements. On the other side, advocates of regulation and auditing pointed out that without a baseline many organizations would fall severely short. As we all work together, we need assurance that other partners, parties, suppliers, and vendors are implementing security controls which meet expectations.

Nobody believed the legislative process could effectively keep pace with the changes in the industry. But all agreed that the lack of consistency, readability, and simplicity of regulations is a problem. Complexity increases costs, delays implementation, and causes confusion. Smarter, lightweight, and easily understood guidelines would benefit the community.

Credit card and online fraud

Major retailers saw a drop in in-store credit fraud with the introduction of new chip cards in the United States, accompanied by a correlated rise in online theft, in which the chip plays no role. In effect, fraud continues, but the bubble was squeezed from in-store to online properties. It is a predictable outcome when threat agents are viewed as intelligent attackers: they will adapt. Shrinkage figures are not outrageous, but the online security teams are feeling the heat to keep them low. This pressure will likely require a combination of new technology, back-end analytics, and user-behavior changes. Greed is a persistent attribute of cybercriminals. Other activities, such as ransomware, are also currently painful for consumers, health care, and small businesses. Enterprises have their ears open to shifts in which they may become the primary targets if attackers can find a way to reach into their deep pockets.

Gone in 60 minutes

The industry is full of risks and opportunities. Sitting in a room of experienced professionals who are sharing their insights and experiences reveals one important fact. These conversations must occur more often if we are to keep pace with the attackers. Our adversaries share information and are masterful at working together to our detriment. We, the cybersecurity community, must do the same in order to survive. Our hour together raced by quickly. I look forward to more meetings, discussions, debates, and venting sessions.

Interested in more? Follow me on Twitter (@Matt_Rosenquist) and LinkedIn to hear insights and what is going on in cybersecurity.

The post Talking About Cyber Risks Educates the Community appeared first on McAfee Blogs.

Kautilya – Human Interface Device Hacking Toolkit

Kautilya is a human interface device (HID) hacking toolkit which provides various payloads for HIDs that may help with breaking into a computer during penetration tests. The Windows payloads and modules are written mostly in PowerShell (in combination with native commands) and are tested on Windows 7 and Windows 8. In principle Kautilya should work...

Read the full post at darknet.org.uk

Bank halts online transactions after money stolen from 20,000 accounts

Image credit: Tesco Bank

Tesco Bank has been forced to suspend its online transactions after fraudulent criminal activity was spotted on thousands of its customer accounts over the weekend.

A total of 40,000 current accounts were hit by suspicious transactions. Money was pinched from 20,000 of the affected current accounts, Tesco Bank said on Monday morning.

"We apologise for the worry and inconvenience that this has caused for customers, and can only stress that we are taking every step to protect our customers’ accounts," said the bank's chief Benny Higgins.
