Debian Linux Security Advisory 4021-1 – It was discovered that missing input validation in the Open Ticket Request System could result in privilege escalation by an agent with write permissions for statistics.
What a difference a year makes. This time last year, Twitter pooh-poohed any suggestion that Russian agents ran accounts on its platform for purposes of subverting the US election.
A month ago, it was forced to eat its words, owning up to maybe just a few paltry 201. Last week, in the course of a Congressional grilling, that estimate ticked upward a magnitude to more than 2,700.
Facebook, too, upped the ante, admitting that Russian-backed content may have reached not 10 million users, as previously claimed, but 126 million. Some of this, as analysis of the @TEN_GOP Twitter account suggests, was influential. But did it influence the election? That is the $64,000 question. Or, given how much Donald Trump appears to be profiting from his election as US president, perhaps the $64m question.
Not to be outdone, the UK may, finally, be asking some of the same questions. A petition politely asking the UK government to “investigate covert foreign interference in the EU referendum” was cancelled earlier this year when the general election was called. Now it is back and has passed 10,000 signatures, which means an official (written) response is required.
100,000 signatures means the petition will be considered for debate in Parliament.
Attempts at targeted influence were not restricted to US and UK votes. The same techniques appear to have been deployed during French and German elections.
These latest admissions add massively to previous concerns that, whatever covert interference took place, financiers with deep pockets were hard at work influencing the outcomes of national elections using advanced data mining techniques and targeted online messaging.
None of the above is great for democracy. All of it suggests that the influence of social media has already proven malign. Yet this focus on the indirect threat, from tactics designed to swing individual votes, may be missing a much bigger issue: the threat from partisan campaigners and hackers subverting the voting process directly, making the outcome of future elections at best dubious and, whatever the outcome, destroying the legitimacy of those elections.
Politically motivated? It’s hard to tell. Some hackers probably resented the regular spankings that O’Brien administers to pro-Brexit callers on his popular LBC radio show. Others, though, seemed to be doing it “for lulz”.
More serious are reports, about the same time, of trolls attempting to distort the results of the government’s first LGBT survey. According to some news outlets, this was politically motivated: far-right campaigners exploiting an opportunity to derail attempts by the Government Equalities Office to make policy more responsive to LGBT needs, while simultaneously ramping up Islamophobia.
Again, reality is likely mixed: some politics, some lulz. The end result is the same: a lot of work for data analysts weeding out spurious input; and a lingering suspicion that this survey cannot be trusted to deliver accurate insight. Because out there, in the dark spaces of the web, some of the derailers were discussing how they could more plausibly derail. This involved encouraging submissions that weren’t obvious trolls, advocating propositions with little support in the LGBT community but nonetheless credible.
But scale that up, beyond simple online polls to general elections. A year ago, Symantec demonstrated that there were major holes in the paperless touchscreen direct-recording electronic (DRE) voting machines used in the US. But it was not until September 2017 that the US state of Virginia agreed to stop using these machines, after attendees at DefCon’s “Voting Machine Hacking Village” flagged them as potentially vulnerable to hackers.
Explaining the decision, Department of Elections Commissioner Edgardo Cortes wrote: “The Department of Elections believes that the risks presented by using this equipment in the November General Election are sufficiently significant to warrant immediate decertification to ensure the continued integrity of Virginia elections.”
This is just the tip of the iceberg. Verified Voting surveyed systems used in the 2016 Presidential election. They found five states relying solely on DRE machines and a further eight relying on a mix of paper ballots and paperless DRE machines.
In September 2017, the Department of Homeland Security finally confirmed that election systems in at least 21 states had been targeted by Russian hackers in the run-up to the 2016 contest. A small number of systems were breached but, the agency concluded, there was no evidence of any actual vote manipulation.
This follows revelations last year of attempts to hack voter registration systems in Arizona and Illinois. Officials were keen to stress that these involved “preparatory activity such as scanning computer systems” and that “attempts to compromise networks” were mostly unsuccessful. Given that the Illinois attack took down the system for 10 days, and some 200,000 voter details may have been compromised, that is a pretty elastic definition of “unsuccessful”.
Still, officials are clear that it is “unlikely” that any real damage was done. So we can all sleep reassured. Mostly.
The problem with digital systems is the overarching fear that everything could be blown up in one act of hacker spite.
This is compounded by the fact that we don’t know what we don’t know. A further issue with the DREs in Virginia and elsewhere is that they produce no paper trail. They have no vote-auditing capability. We are assured that they have never been hacked but if they were, how would we tell?
The real enemy in this is official complacency.
According to security expert Bruce Schneier, it may now be too late to fix the holes in some systems. He wrote: “We must ignore the machine manufacturers’ spurious claims of security, create tiger teams to test the machines – and systems – resistance to attack, drastically increase their cyber-defenses and take them offline if we can’t guarantee their security online.”
Earlier this year the hacker collective Chaos Computer Club (CCC) was shocked not only by how easily it could hack – and change – preliminary results of the German election, but by the dismissive attitude of those tasked with safeguarding the election. They fixed the system’s hole with a patch that CCC almost immediately circumvented.
The US State of Georgia has rejected offers of help to safeguard its voting system, claiming this was just scare-mongering and a power grab from the centre.
From social media to civil servants to politicians, the message is the same: nothing to worry about. A year on, we are beginning to understand how modest our fears were and that the worst may yet be to come.
There are two sets of hackers in this world: those targeting the machinery of voting and those seeking to corrupt the debate, the discourse, the atmosphere via social media. Both are united by a desire to compromise the actual voting, but they’ll happily settle for undermining confidence in the overall result. In this, thanks to complacency everywhere, they appear to be achieving their aim.
The Internet of Things (IoT) is causing serious security concerns for enterprises worldwide with few companies capable of securing them as they are unable to identify devices properly, according to new research.
On Wednesday, ForeScout Technologies revealed the results of a new survey into the challenges IoT poses for the enterprise.
The survey, conducted by Forrester Consulting, suggests that IoT and operational technology (OT) are having a serious impact on the way businesses conduct themselves today — and pose a huge risk due to a lack of information and appropriate security practices.
According to the survey, based on responses from 603 IT and line-of-business (LoB) decision-makers involved in enterprise security teams across the US, UK, Germany, France, Australia and New Zealand, a massive 82 percent of companies are not confident about passing audits as they are unable to identify all IoT and OT devices on their networks.
To make matters worse, when asked who is responsible for the security of such devices, respondents did not have a clear answer.
In total, 54 percent of respondents said that IoT is causing serious anxiety due to security worries and the impact on the business should a failure occur, and LoB employees demonstrated more concern than IT staff at 58 percent to 51 percent respectively.
Executive skepticism was cited as a barrier to investment into IoT security solutions, alongside budget constraints. As a result of having little money to spare, 40 percent of respondents said that their companies continue to rely on traditional security approaches — which, in turn, prevent a clear view into what devices are connecting to where, and when.
This is a glaring issue for today’s firms, which need crystal-clear visibility into networks where BYOD and IoT are common. Failing to identify and isolate malicious devices or suspicious network activity places company networks and information at serious risk.
However, according to the survey, 59 percent of respondents said they were willing to tolerate a medium to high-risk level in relation to compliance requirements for IoT security — and yet, 90 percent also expect the volume of IoT devices connecting to corporate networks to rise in the next five years.
The research also says that 48 percent of respondents believe improving awareness and visibility of IoT devices should be a top priority for improving IoT security, and 82 percent expect their IoT and OT security spend to increase over the next few years.
“The survey results demonstrate a dynamic shift in the way organizations are starting to think about security and risk as it relates to IoT,” said Michael DeCesare, president and CEO at ForeScout. “Each new device that comes online represents another attack vector for enterprises and it only takes one device to compromise an entire network and disrupt business operations, which can impact the bottom line. Securing IoT is not just a cybersecurity issue, it is a business issue and operating at any risk level is too much. Enterprises need full visibility.”
Marissa Mayer Subpoenaed To Testify Before Senate On Yahoo Breaches
Former Yahoo CEO Marissa Mayer will testify before a Senate committee on Wednesday regarding the massive data breaches that occurred under her watch. However, she only agreed to do so after the committee compelled her appearance with a subpoena, according to reports.
A spokesperson for the Senate Commerce Committee confirmed to ZDNet that the committee issued a subpoena. However, a representative for Mayer told the Hill that she is appearing before the committee voluntarily. The spokesperson did acknowledge to the Hill that the former CEO initially suggested she was not the best witness to discuss the data breaches, which compromised billions of Yahoo accounts.
Along with Mayer, multiple other former and current executives will testify at Wednesday’s hearing on data breaches, including Karen Zacharia, deputy general counsel and chief privacy officer at Verizon (which acquired Yahoo in June); former Equifax CEO Richard Smith; interim Equifax CEO Paulino do Rego Barros, Jr.; and Entrust Datacard CEO Todd Wilkinson.
Ethereum Wallets Worth $280M Accidentally Frozen By Flaw
Digital currencies and the wallets that hold them have become an increasingly attractive target for digital pickpockets, resulting in millions of real dollars’ worth of lost currency. A $50 million heist of Ethereum currency last year exploiting weaknesses in the cryptocurrency’s underlying software threatened to break the Bitcoin competitor. But a new security bug in a popular Ethereum wallet platform has caused what amounts to a bank freeze on scores of high-value wallets. Today, Parity Technologies Ltd., the developer of cryptographic “wallets” for the digital currencies Bitcoin and Ethereum, announced that an “accidental” triggering of a bug affecting certain Parity wallets had broken them, making it impossible to transfer Ethereum funds out of them.
As a result, 1 million ETH have become frozen in wallets—roughly $280 million (US) worth of digital currency. Of that, about $90 million belongs to Polkadot, the Initial Coin Offering (ICO) of Parity founder and former Ethereum core developer Gavin Wood, according to Tuur Demeester, editor in chief at Adamant Research.
Critical Parity bug leaves +$150M in $ETH frozen, including $90M of Gavin Woods’ Polkadot ICO. Cue clamoring for new hard-fork bailout… https://t.co/loIkQmnuXz
The bug specifically affects multi-signature wallets created with a digital contract after July 20. Multi-signature wallets have cryptographic security measures that require multiple users to sign a transaction in order for it to be processed and approved—an approach that allows for escrow contracts to control payments from accounts belonging to a group.
By calling a function from within Parity’s wallet library, a wallet owner could turn a normal single-owner wallet created with Parity’s wallet contract library code into a multi-signature wallet and take over ownership of it. That bug would allow someone to kill any contract created with the most recent Parity library code—and that is exactly what happened. Someone managed to invoke the code as part of a wallet and made themselves part of every multi-signature contract created since the bug was introduced into the code. The user then “suicided” the wallet and, in the process, disabled all the multi-signature contracts that had been created since July 20 by making them “suicide” as well.
It would seem that the issue was triggered accidentally 6th Nov 2017 02:33:47 PM +UTC and subsequently a user suicided the library-turned-into-wallet, wiping out the library code which in turn rendered all multi-sig contracts unusable since their logic (any state-modifying function) was inside the library.
Parity is still investigating how to correct the problem.
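The failure mode described above has two ingredients: a shared library contract whose initialization function could be run on the library itself, and a library that could be self-destructed, taking every delegating wallet's logic with it. The following is an added illustration of the hardened pattern, written for this page and not Parity's code; the contract and function names (`WalletLibrary`, `Wallet`, `initWallet`) and the storage layout are assumptions chosen for the example. The library marks its own storage as initialized in its constructor, so nobody can later claim it as a wallet, and it deliberately has no self-destruct path.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example (not Parity's code): shared wallet logic that wallets reach
// via delegatecall, so each function runs against the CALLING wallet's
// storage, never the library's own.
contract WalletLibrary {
    address[] public owners;     // slot 0
    uint256 public required;     // slot 1
    bool private initialized;    // slot 2

    // Assumed guard: the initializer may run only once per storage context.
    modifier onlyUninitialized() {
        require(!initialized, "already initialized");
        _;
    }

    // Deploying the library initializes the library's OWN storage, so a
    // direct call to initWallet on the library address reverts. This closes
    // the "library-turned-into-wallet" path the article describes.
    constructor() {
        initialized = true;
    }

    // Executed via delegatecall from a fresh Wallet: sets that wallet's
    // owner set and signature threshold in the wallet's storage.
    function initWallet(address[] memory _owners, uint256 _required)
        external
        onlyUninitialized
    {
        require(
            _owners.length > 0 && _required > 0 && _required <= _owners.length,
            "bad multisig config"
        );
        owners = _owners;
        required = _required;
        initialized = true;
    }

    function isOwner(address account) public view returns (bool) {
        for (uint256 i = 0; i < owners.length; i++) {
            if (owners[i] == account) return true;
        }
        return false;
    }

    // No kill()/selfdestruct here on purpose: a shared library must never be
    // destroyable, or every wallet delegating to it loses its logic at once.
}

contract Wallet {
    // Storage layout MUST mirror WalletLibrary so delegatecall writes the
    // right slots; the immutable below lives in code, not storage.
    address[] public owners;     // slot 0
    uint256 public required;     // slot 1
    bool private initialized;    // slot 2
    address public immutable lib;

    constructor(address _lib, address[] memory _owners, uint256 _required) {
        lib = _lib;
        // Initialize THIS wallet's storage through the library's logic.
        (bool ok, ) = _lib.delegatecall(
            abi.encodeWithSignature("initWallet(address[],uint256)", _owners, _required)
        );
        require(ok, "wallet init failed");
    }

    // Forward every other call to the library, executing against our storage.
    fallback() external payable {
        address target = lib;
        (bool ok, bytes memory ret) = target.delegatecall(msg.data);
        require(ok, "library call failed");
        assembly {
            return(add(ret, 32), mload(ret))
        }
    }

    receive() external payable {}
}
```

Two checks follow directly from this layout: calling `initWallet` on the deployed `WalletLibrary` address must revert, and calling it a second time on an existing `Wallet` must revert as well. A review of any delegatecall-based wallet should confirm both, and should grep the library for `selfdestruct`; if one exists, the destruction of a single contract becomes a denial of service against every wallet that depends on it.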
The individual who triggered the lockdown claims to be new to Ethereum and expressed concern about what would happen to him in a forum:
Vodafone announced news on Tuesday (Nov. 7) of its entrance into the Internet of Things (IoT) consumer market through the launch of “V by Vodafone.”
“V by Vodafone” enables consumers to connect millions of home and leisure electronics products to the company’s dedicated global IoT network, which the telecoms company said in a press release is the largest network of its kind in the world.
“The Internet of Things is already beginning to transform how businesses operate. Over the next decade, the expansion of IoT into consumer markets will bring about an equally dramatic shift in how people manage their daily lives, at home and in their leisure time,” said Vodafone Group Chief Executive Vittorio Colao in the press release. “‘V by Vodafone’ makes it simple to connect a wide range of IoT-enabled devices, helping customers keep everyone and everything that matters to them safe and secure. We look forward to applying our world-leading expertise in IoT to help consumers make the most of the next phase of the global digital revolution.”
Citing market research, Vodafone said that estimates suggest that by 2020 there will be more than 370 million consumer electronics and smart home devices capable of connecting to mobile IoT networks in the countries in which Vodafone operates, up from around 50 million today.
“V by Vodafone” is a system for consumers to connect and manage IoT devices and a product range that includes a connected car dongle, a 4G security camera, a pet location and activity tracker and a bag location tracker. To enable connected devices, Vodafone is rolling out “V-Sim by Vodafone,” which is a Sim card that will be shipped with IoT-enabled consumer electronics products sold by Vodafone. “V-Sim by Vodafone” will be also offered by third-party retailers next year.
There’s also the “V by Vodafone” smartphone app, which provides customers with a single and intuitive overview of all IoT-enabled products registered to their account. Next year, Vodafone said it will also launch a new online product marketplace open to IoT developers that will greatly extend product choice for customers.
Telecoms giant Vodafone makes push into internet of things consumer market
Vodafone has launched a new system that it says will allow consumers to connect “millions of home and leisure electronics products” to its dedicated global internet of things network.
In an announcement Tuesday, the business said its “V by Vodafone” system was made up of, among other things, an internet of things sim card and a smartphone app.
The sim card will be sent out with internet of things-enabled products sold by Vodafone, while the app will give customers an overview of all the internet of things-enabled products registered to their account.
Launch products include a location and activity tracker for pets, which allows owners to track their dogs and cats using GPS and the mobile network. Owners will get an alert on their smartphone if their pet moves away from a designated area, and will be able to monitor their animal’s sleeping patterns and movements.
The European Commission describes the internet of things as merging “physical and virtual worlds, creating smart environments.” According to analysis from the McKinsey Global Institute, the potential economic impact of the internet of things in 2025, including consumer surplus, could be anything between $3.9 trillion and $11.1 trillion.
“The internet of things is already beginning to transform how businesses operate,” Vittorio Colao, chief executive of the Vodafone Group, said in a statement Tuesday. “Over the next decade, the expansion of internet of things into consumer markets will bring about an equally dramatic shift in how people manage their daily lives, at home and in their leisure time.”