Tag Archive for: undermine

Using ‘Password’ As A Password, Ransomware And Other Threats That Undermine Election Security


Not long after Northern Kentucky University computer science professor James Walden’s presentation on election security issues Wednesday, Iran was accused of accessing election information and sending emails to Florida voters. Walden lays out the most serious threats and has some advice on how to make elections more secure.

The Most Recent Hack

U.S. Director of National Intelligence John Ratcliffe was not surprised Iran was allegedly behind the hack. “This data can be used by foreign actors to attempt to communicate false information to registered voters that they hope will cause confusion, sow chaos and undermine your confidence in American democracy.”

Ratcliffe says Russia also gained access, but it didn’t contact voters in this most recent hack. However, he said, “We are aware that they have attained some voter information, just as they did in 2016.”

The U.S. Must Identify Weak Links

In the Oct. 21 Zoom presentation, Walden said it’s kind of easy to hack into election data. “By examining election systems from an attacker’s viewpoint, we will identify weak links in security and points of high leverage for altering election outcomes in this unique election year.”

At the hackers’ convention DefCon, attendees try to gain access to election software every year. “They never found a voting machine they couldn’t penetrate in some way,” says Walden. “The easiest way they got in were default passwords, which were in some cases the word ‘password.’ ”

More worrisome for Walden is ransomware. He sees at least one local government get caught up in that every week. Ransomware encrypts data and demands payment in cryptocurrency like bitcoin.

What if this happens on Election Day? “There will be tremendous pressure to pay even though the demands could be in the millions of dollars,” Walden says. “Of course a lot of jurisdictions might not be able to come up with enough bitcoin in time to pay.”

He has another thought about when voters go into the election booth. “There are these popular USB devices called rubber duckies that are designed for just that purpose. When you plug it in it types in a lot of hacking attempts.”

What About Solutions?

Walden has recommendations to increase voter security. They…


Senators Pretend That EARN IT Act Wouldn’t Be Used To Undermine Encryption; They’re Wrong

On Wednesday, the Senate held a hearing about the EARN IT Act, the bill that is designed to undermine the internet and encryption in one single move — all in the name of “protecting the children” (something that it simply will not do). Pretty much the entire thing was infuriating, but I wanted to focus on one key aspect. Senators supporting the bill, including sponsor Richard Blumenthal — who has been attacking the internet since well before he was in the Senate and was just the Attorney General of Connecticut — kept trying to insist the bill had nothing to do with encryption and wouldn’t be used to undermine encryption. In response to a letter from Facebook, Blumenthal kept insisting that the bill is not about encryption, and also insisting (incorrectly) that if the internet companies just nerded harder, they could keep encryption while still giving law enforcement access.

“This bill says nothing about encryption,” Sen. Richard Blumenthal…, said at a hearing Wednesday to discuss the legislation…

[….]

“Strong law enforcement is compatible with strong encryption,” Blumenthal said. “I believe it, Big Tech knows it and either Facebook is lying — and I think they’re telling us the truth when they say that law enforcement is consistent with strong encryption — or Big Tech is using encryption as a subterfuge to oppose this bill.”

No, the only one engaged in lying or subterfuge here is Blumenthal (alternatively, he’s so fucking ignorant that he should resign). “Strong” encryption is end-to-end encryption. Once you create a backdoor that lets law enforcement in, you’ve broken the encryption and it’s no longer strong. Even worse, it’s very, very weak, and it puts everyone (even Senator Blumenthal and all his constituents) at risk. If you want to understand how this bill is very much about killing encryption, maybe listen to cryptographer Matthew Green explain it to you (he’s not working for “Big Tech,” Senator):

EARN IT works by revoking a type of liability called Section 230 that makes it possible for providers to operate on the Internet, by preventing the provider from being held responsible for what their customers do on a platform like Facebook. The new bill would make it financially impossible for providers like WhatsApp and Apple to operate services unless they conduct “best practices” for scanning their systems for CSAM.

Since there are no “best practices” in existence, and the techniques for doing this while preserving privacy are completely unknown, the bill creates a government-appointed committee that will tell technology providers what technology they have to use. The specific nature of the committee is byzantine and described within the bill itself. Needless to say, the makeup of the committee, which can include as few as zero data security experts, ensures that end-to-end encryption will almost certainly not be considered a best practice.

So in short: this bill is a backdoor way to allow the government to ban encryption on commercial services. And even more beautifully: it doesn’t come out and actually ban the use of encryption, it just makes encryption commercially infeasible for major providers to deploy, ensuring that they’ll go bankrupt if they try to disobey this committee’s recommendations.

It’s the kind of bill you’d come up with if you knew the thing you wanted to do was unconstitutional and highly unpopular, and you basically didn’t care.

Or listen to Stanford’s Riana Pfefferkorn explain how the bill’s real target is encryption. As she explains, the authors of the bill (including Blumenthal) had ample opportunity to put in language that would make it clear that it does not target encryption. They chose not to.

As for the “subterfuge” Blumenthal calls out, the only real “subterfuge” here is by Blumenthal and Graham in crafting this bill with the help of the DOJ. Remember, just the day before the DOJ flat out said that 230 should be conditioned on letting law enforcement into any encrypted communications. So if Blumenthal really means that this bill won’t impact encryption he should write it into the fucking bill. Because as it’s structured right now, in order to keep 230 protections, internet companies will have to follow a set of “best practices” put together by a panel headed by the Attorney General who has said multiple times that he doesn’t believe real encryption should be allowed on these services.

So if Blumenthal wants us to believe that his bill won’t undermine encryption, he should address it explicitly, rather than lying about it in a Senate hearing, while simultaneously claiming that Facebook (and every other company) can do the impossible in giving law enforcement backdoor access while keeping encrypted data secure.


Techdirt.

Fortnite ditches Google Play – will it undermine Android security?

  1. Fortnite ditches Google Play – will it undermine Android security?  Naked Security
  2. Fortnite Skips Google Play For Android Apps, Irking Security Experts  Threatpost
  3. Fortnite’s Android version will require disabling security settings to install  SC Magazine
  4. Fortnite for Android will ditch Google Play Store for Epic’s website  The Verge

Cyber warfare may undermine US Army superiority – IHS Jane’s 360

Cyber attack and other emerging areas of warfare are putting at risk the US Army's dominance of the contemporary battlespace, according to the head of US Army Training and Doctrine Command (TRADOC). Speaking during a panel discussion at the …
