Brian Yates, *The Guardian*, 25 May 2014. http://guardianlv.com/2014/05/cyberberkut-attempt-to-alter-ukrainian-election/ A computer hacking group called CyberBerkut attempted to alter the Ukrainian presidential election. They did so by having an administrator at the Central Election Commission (CEC) plant a virus from an internal computer that granted the hackers access. Victor Yagun of the Security Service of the Ukraine held a press conference announcing the cyber attack. The main target of CyberBerkut was the election analytic system that aggregates voter data. Altering the information would have created a different winner in the recent Ukrainian election for president. Destroying the data would have created the illusion of election fraud. Yagun also reported an employee of the CEC, who provided the hacking group with internal access, was also detained. Volodymyr Zverev, head of the State Service for Special Communication and Information Security, said the virus released by CyberBerkut destroyed all the internal data of the CEC servers on May 22. The virus was released inside CEC by someone able to log into the network and open email containing the virus. The compromised data collected by CyberBerkut included personal emails of CEC members and technical documents on the operation of CEC's election analytic system. All of the lost data was restored from a backup server by 4 pm on May 22. Evidence pointing to an inside source stemmed from tracking where the virus first infiltrated the CEC network. The login information for a CEC computer showed a person used the correct username and password on the first attempt. Zverev blamed Kaspersky antivirus software for its failure to recognize the virus. Kaspersky Lab is a Russian software firm. A spokesperson from the company said Kaspersky Lab was ready to investigate the recent cyber attack and write programming to help prevent such an incident from happening again. Mykhailo Okhendovsky, the CEC director, said in a press conference the network is operational and will continue running. The CEC's election analytics system functioned normally after it was restored from the backup server. Okhendovsky said if there are any failures, the CEC will not hide the problem. His organization will speak openly about them. The computer hacking group called CyberBerkut took credit in the attempt to alter the Ukrainian presidential election. The group claimed it had infiltrated CEC's digital infrastructure and disabled the election analytics system. The group also claimed it had uploaded personal emails of CEC officials. They also collected the technical specifications from the analytic system that aggregates voting data. On the hacking group's website, they stated they could now access the CEC communications system anytime they wished. Maxim Savanevskiy, of Watcher.com.ua, said CyberBerkut's hacking of CEC inflicted no major damage. The main problem seemed to have been an internal source granting the hackers access from within. Once the passwords to vital programs are changed, access to outside sources would be eliminated. Victoria Siumar, the deputy National Security and Defense Council Secretary said the problem with hackers goes back to the previous pro-Russian Yanukovych administration. Members from that government may have programmed the CEC computers with built-in vulnerabilities to assist hackers in gaining backdoor access into the network. It would not be the first time former President Yanukovych faced such allegations. In 2004, his allies rigged the presidential election in his favor. Their plan included a similar hacking system that exploited access to a data transit server. With cyber attacks on individuals, businesses, and government institutions on the rise, the Security Service of the Ukraine and members of the CEC were lucky to be able to find the perpetrators. Losing or altering vital election data during an election would have meant a disaster and cries of fraud. The attempt by CyberBerkut to alter the Ukrainian presidential election could have created a different result that would have added further turmoil in the region.
More than 30 states and territories already allow some form of Internet voting. They might want to reconsider. Bruce McConnell and Pamela Smith While most voters will cast their ballots at polling stations in November, online voting has been quietly and rapidly expanding in the United States over the last decade. Over 30 states and territories allow some form of Internet voting (such as by email or through a direct portal) for some classes of voters, including members of the military or absentees. Utah just passed a law allowing disabled voters to vote online; and Alaska allows anyone to cast their ballots online. And there were recent news reports that Democratic and Republican national committees are contemplating holding primaries and caucuses online. We estimate that over three million voters now are eligible to vote online in the U.S. But online voting is fraught with danger. Hackers could manipulate enough votes to change the results of local and national elections. And a skilled hacker can do so without leaving any evidence. Estonia is the world leader in using online voting for its national elections. Its government has done a great deal to improve the security of the system, which is now used by up to 25% of voters. The country's `I-voting system' is touted by proponents of online voting in the U.S. to claim that secure Internet voting is possible. It isn't. Early in May an international team of independent security experts accredited by the Estonian government reported severe security vulnerabilities in that country's `I-voting system'. Elections, the researchers found, “It could be stolen, disrupted, or cast into disrepute.'' The team recommended that Estonia's online voting system "be immediately discontinued." One researcher, J. Alex Halderman of the University of Michigan, has said that "Estonia's Internet voting system blindly trusts the election servers and the voters' computers. Either of these would be an attractive target for state-level attackers, such as Russia." Another researcher, Harri Hursti from Finland, concluded, "With today's security technology, no country in the world is able to provide a secure Internet voting system." While the U.S. has not adopted online voting to the extent that Estonia has, recent allegations by the U.S. Department of Justice that Chinese hackers have been infiltrating several major American corporations since 2006 reveal again how difficult it is to safeguard any system connected to the Internet, and how easy it is for a skilled attacker to remain undetected for months and years. The underlying architectures of the Internet, the personal computer and mobile devices present numerous avenues of attack, making it impossible to safeguard a voting system with the security tools that are currently available. Methods of attack continue to become more sophisticated, well-resourced and damaging. Well-meaning state legislators and local election officials in the U.S. are being pressed by vendors of online voting systems to adopt Internet voting--despite warnings from federal officials. The Department of Defense cancelled an Internet voting project for soldiers in 2004 because it felt it could not ensure the legitimacy of the votes, and the project has not been reconstituted. In a 2011 report, the National Institute of Standards and Technology, the federal agency tasked with researching Internet voting, concluded that secure Internet voting is not currently feasible. First, NIST's report noted, "it is extremely difficult to protect against software attacks" on personal computers outside the control of election officials "that could violate ballot secrecy or integrity or steal a voter's authentication credentials." Second, "remote electronic voter authentication is a difficult problem." Third is the problem of "ensuring remote electronic voting systems are auditable," with "no current or proposed technologies offering a viable solution." The move to online voting is motivated by good intentions: to improve access to the ballot box for voters who may have difficulty exercising the franchise, and to reduce costs. And the Internet offers enormous potential to improve the voting process through responsible uses such as online voter registration with appropriate safeguards, providing information on and the location of polling places, sample ballots, blank absentee ballots and more. But offering voters a voting method that is not secure and cannot ensure their vote will be counted as they were cast does them, and this country, no favors. Given the stakes, online voting should be shelved until it can be made secure. Mr. McConnell is senior vice president at the EastWest Institute in New York, and the former deputy under secretary for cybersecurity at the U.S. Department of Homeland Security. Ms. Smith is president of Verified Voting Foundation.
Jim Finkle, Reuters, 5 Jun 2014 Seven more new security fixes for SSL just released! https://uk.finance.yahoo.com/news/bugs-found-software-caused-heartbleed-194114540.html Incidentally, Scytl (whose website says they have secure election management and online voting solutions) has claimed their systems were not vulnerable to Heartbleed—because they were not using the Heartbleed versions of OpenSSL. Nevertheless, they are vulnerable to the new bugs! As always, RISKS readers must tend to believe that Internet voting is an INHERENTLY BAD IDEA.
http://www.examiner.com/article/baltimore-camera-audit-colossal-speed-camera-error-70-000-tickets-may-be-wrong The good news is we now know that, though fining 70,000 innocent drivers is outrageous, fining 14,000 is acceptable!
Isn't it obvious that it is alway good to acquire more scientific knowledge and engineering know-how, and to apply it to produce new products, or to improve the way we produce existing products? Maybe not! I'll bet that you can think of items that you wish did not exist. Apart from this list, how about artifacts or processes that you can imagine, but that you would be relieved to learn could <i>not</i> be produced or implemented? How about new technology that seems nice, and is being eagerly purchased and used by many, but where there are disturbing indications that there may be serious problems that won't surface for decades? My thoughts on this subject are accessible at: http://www1.cs.columbia.edu/~unger/articles/technologyProgress.html Stephen H. Unger, Professor Emeritus, Computer Science and Electrical Engineering, Columbia University
Ars Technica via NNSquad http://arstechnica.com/security/2014/06/critical-new-bug-in-crypto-library-leaves-linux-apps-open-to-drive-by-attacks/ “A recently discovered bug in the GnuTLS cryptographic code library puts users of Linux and hundreds of other open source packages at risk of surreptitious malware attacks until they incorporate a fix developers quietly pushed out late last week. Maliciously configured servers can exploit the bug by sending malformed data to devices as they establish encrypted HTTPS connections. Devices that rely on an unpatched version of GnuTLS can then be remotely hijacked by malicious code of the attacker's choosing, security researchers who examined the fix warned.''
Ars Technica via NNSquad http://arstechnica.com/security/2014/05/unsafe-cookies-leave-wordpress-accounts-open-to-hijacking-2-factor-bypass/ "Memo to anyone who logs in to a WordPress-hosted blog from a public Wi-Fi connection or other unsecured network: It's trivial for the script kiddie a few tables down to hijack your site even if it's protected by two-factor authentication. Yan Zhu, a staff technologist at the Electronic Frontier Foundation, came to that determination after noticing that WordPress servers send a key browser cookie in plain text, rather than encrypting it, as long mandated by widely accepted security practices."
Researchers find a global botnet of infected PoS systems The botnet contained almost 1,500 compromised point-of-sale and other retail systems from 36 countries, researchers from IntelCrawler said Lucian Constantin, *Computerworld*, 23 May 2014 Security researchers uncovered a global cybercriminal operation that infected with malware almost 1,500 point-of-sale (PoS) terminals, accounting systems and other retail back-office platforms from businesses in 36 countries. The infected systems were joined together in a botnet that researchers from cybercrime intelligence firm IntelCrawler dubbed Nemanja. The researchers believe the attackers behind the operation might be from Serbia. The size of the botnet and the worldwide distribution of infected systems brings into perspective the security problems faced by retailers from around the world, problems that were also highlighted by the recent PoS breaches at several large U.S. retailers. ... http://www.computerworld.com/s/article/9248541/Researchers_find_a_global_botnet_of_infected_PoS_systems
FYI—When (not "if") this database gets hacked, it's game over, and we know that the NSA is at least one of the hackers. Also, what is to keep politicians from accessing this database for targeting voters? http://washingtonexaminer.com/new-federal-database-will-track-americans-credit-ratings-other-financial-information/article/2549064 Richard Pollock, *Washington Examiner*, 30 May 2014 As many as 227 million Americans may be compelled to disclose intimate details of their families and financial lives—including their Social Security numbers—in a new national database being assembled by two federal agencies. The Federal Housing Finance Agency and the Consumer Financial Protection Bureau posted an April 16 Federal Register notice of an expansion of their joint National Mortgage Database Program to include personally identifiable information that reveals actual users, a reversal of previously stated policy. FHFA will manage the database and share it with CFPB. A CFPB internal planning document for 2013-17 describes the bureau as monitoring 95 percent of all mortgage transactions. FHFA officials claim the database is essential to conducting a monthly mortgage survey required by the Housing and Economic Recovery Act of 2008 and to help it prepare an annual report for Congress. Critics, however, question the need for such a “vast database'' for simple reporting purposes. In a May 15 letter to FHFA Director Mel Watt and CFPB Director Richard Cordray, Rep. Jeb Hensarling, R-Texas, and Sen. Mike Crapo, R-Idaho, charged, "this expansion represents an unwarranted intrusion into the private lives of ordinary Americans." ... Critics also warn the new database will be vulnerable to cyber attacks that could put private information about millions of consumers at risk. They also question the agency's authority to collect such information. [Long item truncated for RISKS. PGN]
[Via Dave Farber, who notes “That's why it is nice to have a removable battery and/or a package made from heavy duty aluminum foil.] Andy Greenberg, *WiReD*, 3 Jun 2014 http://www.wired.com/2014/06/nsa-bug-iphone/ Just because you turned off your phone doesn't mean the NSA isn't using it to spy on you. Edward Snowden's latest revelation about the NSA's snooping inspired an extra dose of shock and disbelief when he said the agency's hackers can use a mobile phone as a bug even after it's been turned off. The whistleblower made that eye-opening claim when Brian Williams of NBC Nightly News, holding his iPhone aloft during last Wednesday's interview, asked, “What can the NSA do with this device if they want to get into my life? Can anyone turn it on remotely if it's off? Can they turn on apps? “They can absolutely turn them on with the power turned off to the device,'' Snowden replied. Snowden didn't offer any details on this seemingly magical feat. But a group of particularly cunning iPhone hackers say it's possible. They also say you can totally and completely turn off your iPhone so no one—not even the NSA—can use it to spy on you. Your Phone Is Playing Dead Like any magic trick, the most plausible method of eavesdropping through a switched-off phone starts with an illusion. Security researchers posit that if an attacker has a chance to install malware before you shut down your phone, that software could make the phone look like it's shutting down -- complete with a fake “slide to power off'' screen. Instead of powering down, it enters a low-power mode that leaves its baseband chip—which controls communication with the carrier—on. This “playing dead'' state would allow the phone to receive commands, including one to activate its microphone, says Eric McDonald, a hardware engineer in Los Angeles. McDonald is also a member of the Evad3rs, a team of iPhone hackers who created jailbreaks for the two previous iPhone operating systems. If the NSA used an exploit like those McDonald's worked on to infect phone with malware that fakes a shutdown, “the screen would look black and nothing would happen if you pressed buttons,'' he says. “But it's conceivable that the baseband is still on, or turns on periodically. And it would be very difficult to know whether the phone has been compromised.'' ...
[Note: This item comes from friend Janos Gereben. DLH (via Dave Farber)] Daniel Ellsberg, *The Guardian*, 30 May 2014 Edward Snowden is the greatest patriot whistleblower of our time, and he knows what I learned more than four decades ago: until the Espionage Act gets reformed, he can never come home safe and receive justice <http://www.theguardian.com/commentisfree/2014/may/30/daniel-ellsberg-snowden-fair-trial-kerry-espionage-act> John Kerry was in my mind Wednesday morning, and not because he had called me a patriot on NBC News. I was reading the lead story in the New York Times -- US Troops to Leave Afghanistan by End of 2016—with a photo of American soldiers looking for caves. I recalled not the Secretary of State but a 27-year-old Kerry, asking, as he testified to the Senate about the US troops who were still in Vietnam and were to remain for another two years: How do you ask a man to be the last man to die for a mistake? I wondered how a 70-year-old Kerry would relate to that question as he looked at that picture and that headline. And then there he was on MSNBC an hour later, thinking about me, too, during a round of interviews about Afghanistan that inevitably turned to Edward Snowden ahead of my fellow whistleblower's own primetime interview that night: There are many a patriot—you can go back to the Pentagon Papers with Dan Ellsberg and others who stood and went to the court system of America and made their case. Edward Snowden is a coward, he is a traitor, and he has betrayed his country. And if he wants to come home tomorrow to face the music, he can do so. On the Today show and CBS, Kerry complimented me again—and said Snowden “should man up and come back to the United States'' to face charges. But John Kerry is wrong, because that's not the measure of patriotism when it comes to whistleblowing, for me or Snowden, who is facing the same criminal charges I did for exposing the Pentagon Papers. As Snowden told Brian Williams on NBC later that night and Snowden's lawyer told me the next morning, he would have no chance whatsoever to come home and make his case—in public or in court. Snowden would come back home to a jail cell—and not just an ordinary cell-block but isolation in solitary confinement, not just for months like Chelsea Manning but for the rest of his sentence, and probably the rest of his life. His legal adviser, Ben Wizner, told me that he estimates Snowden's chance of being allowed out on bail as zero. (I was out on bond, speaking against the Vietnam war, the whole 23 months I was under indictment). More importantly, the current state of whistleblowing prosecutions under the Espionage Act makes a truly fair trial wholly unavailable to an American who has exposed classified wrongdoing. Legal scholars have strongly argued that the US supreme court—which has never yet addressed the constitutionality of applying the Espionage Act to leaks to the American public—should find the use of it overbroad and unconstitutional in the absence of a public interest defense. The Espionage Act, as applied to whistleblowers, violates the First Amendment, is what they're saying. As I know from my own case, even Snowden's own testimony on the stand would be gagged by government objections and the (arguably unconstitutional) nature of his charges. That was my own experience in court, as the first American to be prosecuted under the Espionage Act—or any other statute -- for giving information to the American people. I had looked forward to offering a fuller account in my trial than I had given previously to any journalist—any Glenn Greenwald or Brian Williams of my time—as to the considerations that led me to copy and distribute thousands of pages of top-secret documents. I had saved many details until I could present them on the stand, under oath, just as a young John Kerry had delivered his strongest lines in sworn testimony.
http://www.nytimes.com/2014/06/01/us/nsa-collecting-millions-of-faces-from-web-images.html?action=click&contentCollection=U.S.Žion=Footer&module=MoreInSection&pgtype=article The National Security Agency is harvesting huge numbers of images of people from communications that it intercepts through its global surveillance operations for use in sophisticated facial recognition programs, according to top-secret documents. The spy agency's reliance on facial recognition technology has grown significantly over the last four years as the agency has turned to new software to exploit the flood of images included in emails, text messages, social media, videoconferences and other communications, the N.S.A. documents reveal. Agency officials believe that technological advances could revolutionize the way that the N.S.A. finds intelligence targets around the world, the documents show. The agency's ambitions for this highly sensitive ability and the scale of its effort have not previously been disclosed. The agency intercepts “millions of images per day''—including about 55,000 “facial recognition quality images''—which translate into “tremendous untapped potential,'' according to 2011 documents obtained from the former agency contractor Edward J. Snowden. While once focused on written and oral communications, the N.S.A. now considers facial images, fingerprints and other identifiers just as important to its mission of tracking suspected terrorists and other intelligence targets, the documents show. ...
The things that have been revealed about how the U.S. has behaved in the last 15 years are precisely the things which, during the Cold War, were cited as things the U.S. would never do, and hence distinguished the U.S. from The Bad Guys. If we don't want to be The Bad Guys, stop pretending we can behave like them and get away with it. The entire purpose of the Constitution was to ensure that the government isn't making up rules as it sees fit for its convienence. The fact that nobody has gone to jail for the gross violations committed over the last 15 years is a Constitutional Atrocity. The fact the Supreme Court has decided to have the Constitution reprinted on 4"x4" squares in 400 sheet rolls doesn't make it right; it only makes it legal.
Please report problems with the web pages to the maintainer