Archive

Category Archives for "Network World Security"

If the election is hacked, we may never know

The upcoming U.S. presidential election can be rigged and sabotaged, and we might never even know it happened. This Election Day voters in 10 states, or parts of them, will use touch-screen voting machines with no paper backup of an individual's vote; some of those machines have rewritable flash memory. If malware that is smart enough to rewrite itself is inserted into these machines, votes can be erased or assigned to another candidate with little possibility of recovering the actual vote.

5 ways to improve voting security in the US

With the U.S. presidential election just weeks away, questions about election security continue to dog the nation's voting system. It's too late for election officials to make major improvements, "and there are no resources," said Joe Kiniry, a long-time election security researcher. However, officials can take several steps for upcoming elections, security experts say. "Nobody should ever imagine changing the voting technology used this close to a general election," said Douglas Jones, a computer science professor at the University of Iowa. "The best time to buy new equipment would be in January after a general election, so you've got almost two years to learn how to use it."

Hacked voter registration systems: a recipe for election chaos

How do you disrupt the U.S. election? Hacking a voter registration database could very well do just that. Imagine thousands or even millions of citizens' names mysteriously disappearing from a database. Then when election day comes along, they find out they aren't registered to vote. Some security experts warn that this scenario isn't totally far-fetched and could prevent citizens from casting ballots. "If that happens to a few voters here and a few there, it's not a big deal," said Dan Wallach, a professor at Rice University who studies electronic voting systems. "If that happens to millions of voters, the processes and procedures we have would grind to a halt."

3 nightmare election hack scenarios

The question on the mind of many voting security experts is not whether hackers could disrupt a U.S. election. Instead, they wonder how likely an election hack might be and how it might happen. The good news is that a hack that changes the outcome of a U.S. presidential election would be difficult, although not impossible. First of all, there are technology challenges -- more than 20 voting technologies are used across the country, including a half dozen electronic voting machine models and several optical scanners, in addition to hand-counted paper ballots. But the major difficulty of hacking an election is less a technological challenge than an organizational one, with hackers needing to marshal and manage the resources needed to pull it off, election security experts say. And a handful of conditions would need to fall into place for an election hack to work.

US tech giants say they didn’t do Yahoo-style email spying

Reports of a secret Yahoo program to search through customers' incoming emails have spurred other tech companies to deny ever receiving a similar request from the U.S. government. The program, reportedly created last year through a classified U.S. order, involves Yahoo searching through hundreds of millions of user accounts at the behest of the National Security Agency or FBI. Other U.S. tech companies, including Google, Microsoft, Twitter and Facebook, denied doing anything like it. Most also said they would challenge such a request in court. Privacy advocates said the government enlisting Yahoo to assist in email monitoring would be wrong.

WikiLeaks plans to dump more sensitive files on US election

WikiLeaks is promising to release secret documents relating to the U.S. election, at a time when there are already questions over whether Russian hackers are feeding the site information. WikiLeaks will publish the documents "every week for the next 10 weeks" and the topics include the U.S. election, war, arms, Google, and mass surveillance, site founder Julian Assange said on Tuesday in a press conference. All the U.S. election documents will be released before Nov. 8, when voters cast their ballots. The leaks pertain to "U.S. power factions and how they operate," Assange said. However, he denied deliberately trying to sabotage Democratic presidential candidate Hillary Clinton's election chances.

New insulin pump flaws highlight security risks from medical devices

Medical device manufacturer Animas, a subsidiary of Johnson & Johnson, is warning diabetic patients who use its OneTouch Ping insulin pumps about security issues that could allow hackers to deliver unauthorized doses of insulin. The vulnerabilities were discovered by Jay Radcliffe, a security researcher at Rapid7 who is a Type I diabetic and a user of the pump. The flaws primarily stem from a lack of encryption in the communication between the device's two parts: the insulin pump itself and the meter-remote that monitors blood sugar levels and remotely tells the pump how much insulin to administer. The pump and the meter use a proprietary wireless management protocol over radio frequency communications that are not encrypted. This exposes the system to several attacks.

Yahoo may have allowed US government to search user emails

Yahoo has reportedly searched through all of its users' incoming emails with a secret software program that's designed to ferret out information for U.S. government agencies. The software program, which was created last year, has scanned hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or FBI, according to a Tuesday report from Reuters. Yahoo reportedly created the program to comply with a classified U.S. government directive. It's unclear if the mass email searching program is still in use. "Yahoo is a law-abiding company and complies with the laws of the United States," the company said in a statement.

After Mozilla inquiry, Apple untrusts Chinese certificate authority

Following a Mozilla-led investigation that found multiple problems in the SSL certificate issuance process of WoSign, a China-based certificate authority, Apple will make modifications to iOS and macOS to block future certificates issued by the company. Although there is no WoSign root certificate in Apple's trusted certificate store, a WoSign intermediate CA certificate is cross-signed by two other CAs that Apple trusts: StartCom and Comodo. This means that until now Apple products have automatically trusted certificates issued through the WoSign intermediate CA. Because WoSign experienced multiple control failures in its certificate issuance processes for the WoSign CA Free SSL Certificate G2 intermediate CA, "we are taking action to protect users in an upcoming security update," Apple said in support notes for both iOS and macOS. "Apple products will no longer trust the WoSign CA Free SSL Certificate G2 intermediate CA."

IoT botnet highlights the dangers of default passwords

A botnet responsible for a massive DDoS (distributed denial-of-service) attack was created thanks to weak default usernames and passwords found in internet-connected cameras and DVRs. The Mirai botnet grabbed headlines last month for taking down the website of cybersecurity reporter Brian Krebs with a huge DDoS attack. Unlike most botnets, which rely on infected PCs, this one used IoT devices to target its victims. It turns out the botnet was specifically designed to scan the internet for poorly secured products like cameras and then access them through easily guessable passwords like "admin" or "12345." Last Friday, the botnet's maker released its source code, and security experts have noticed it's built to try a list of more than 60 combinations of usernames and passwords.

IoT: We’re serfs and pawns

There is a huge problem with the ugly Internet of Things (IoT). Many IoT thingies have the security of wet tissue paper, and they’re being used in large swarms and masses to wreak havoc. A colleague of mine, Stephen Satchell, says misbehaving IoT devices should bear the full brunt of the Consumer Product Safety Commission and be recalled, every last one of them. Recalled. Why won’t this happen? Let me speculate. It’s because our own government, that is to say the more covert parts of the U.S. government, has its own cadre of botnets and control vectors that allows them interesting windows into foreign lands.

Dell EMC patches critical flaws in VMAX enterprise storage systems

Dell EMC has fixed six flaws in its management interfaces for VMAX enterprise storage systems, including three vulnerabilities that are rated critical and could lead to the exposure of sensitive files or a complete system compromise. One of the critical flaws is located in Unisphere for VMAX, an appliance that provides a web-based management interface to provision, manage, and monitor such storage arrays. More specifically, the flaw is in the GraniteDS library that provides server-side support for the Flash-based portion of the Unisphere web application. According to researchers from vulnerability management firm Digital Defense, the issue allows unauthenticated attackers to retrieve arbitrary text files from the virtual appliance with root privileges.

Hackers find little demand for their stolen NSA hacking tools

The hackers who are auctioning off cyberweapons allegedly stolen from the National Security Agency are growing annoyed and want cash. The ShadowBrokers' sale of the stolen tools has so far generated little interest, and over the weekend, the hackers complained in a message posted online, using broken English. "TheShadowBrokers is not being interested in fame. TheShadowBrokers is selling to be making money," the hackers said. As of Monday, their auction had only one substantial bid, at 1.5 bitcoins, or US $918. Many of the other bids were valued at less than $1.

The craziest stories of the tech sector

Network World started its Wider Net stories in 2003 in an effort to lighten up our news pages, acknowledging that there is a lot more to the world of enterprise networking and IT than the speeds and feeds of switches, routers and WAN links. The story approach was modeled somewhat after the Wall Street Journal's famed and quirky front page A-Hed articles (i.e., the middle column), but tended more to networking topics, from "When animals attack…networks" to the story of networking's most famous couple, Alice and Bob of security lesson fame. While Network World did away with its formal weekly Wider Net articles when the publication switched over to publishing twice a month, we've tried to continue mixing in lighthearted pieces through our blogs and in other places on our website and print magazine. Here are some of our favorites.

Trump calls for US to use offensive cyberweapons

The U.S. government needs to be ready to use its offensive cyberweapons in response to attacks from other nations, Republican presidential candidate Donald Trump said Monday. The U.S. has significant offensive cybercapabilities, but it has been shy about deploying them, Trump said during a speech in Herndon, Virginia. "This is the warfare of the future," he said. The U.S. should also increase its use of cyberweapons to attack terrorists, Trump said. President Barack Obama has failed to protect the nation's cybersecurity and a new focus is needed, added Trump, who has largely avoided technology issues in his campaign. Trump said he will create an international cybersecurity task force to battle hackers, and he will ask U.S. military leaders for suggestions on how to improve the nation's cyberdefenses.

Can credit cards with CVVs that automatically change every hour kill off card fraud?

When shopping online and paying with a credit or debit card, you have to enter the three-digit CVV (card verification value) from the back. These are card-not-present transactions, and entering the security code is supposed to help verify that you physically have the card. But cyber thugs have plenty of ways to get hold of your CVV and burn through your money until you happen to notice the purchases and cancel your card. In fact, card-not-present transactions made up 65 percent of all card fraud. A French digital payment security company called Oberthur Technologies (OT) thinks it can do away with such fraud by changing static CVVs to dynamic CVVs that change every hour. If a crook gets hold of your card number, his or her shopping spree could last no more than an hour; after the security code changes, the card number would be useless.

Designing your business for the 21st century

“Most companies are simply not designed to survive. They become successful on the basis of one big idea or breakthrough product,” says CEO Mike Walsh of Tomorrow, a global consultancy that helps design 21st century businesses. The companies that will thrive in the near future are the ones not only embracing change but breaking the rules. Learn how to leverage disruptive innovation, solve business problems with social networks and apply “the new lean IT mindset” to sharpen your focus on how future customers will think, talk and transact.

IoT malware behind record DDoS attack is now available to all hackers

The source code for a trojan program that infected hundreds of thousands of internet-of-things devices and used them to launch distributed denial-of-service attacks has been published online, paving the way for more such botnets. The code for the trojan, which its creator calls Mirai, was released Friday on an English-language hackers' forum, cybersecurity blogger Brian Krebs reported over the weekend. Krebs' website was the target of a record DDoS attack two weeks ago that was launched from the Mirai botnet. The trojan's creator, who uses the online handle Anna-senpai, said that the decision to release the source code was taken because there's a lot of attention now on IoT-powered DDoS attacks and he wants to get out of this business.

Waratek upgrades Java protection

Waratek is introducing a feature to its Java-protection platform that enables upgrading to the current version of Java without having to install Java updates or touch the apps running within the Java virtual machine. The latest version of its AppSecurity for Java uses secure virtual containers around the entire Java application stack to apply the security and performance features of the current Java 8 platform without having to install Java 8, the company says. The alternative would be to replace the Java Runtime Environment (JRE) and upgrade the application code directly. That would involve taking the application offline while the upgrades are performed.

New products of the week 10.3.16

New products of the week

Our roundup of intriguing new products. Read how to submit an entry to Network World's products of the week slideshow.

Daptiv TTM

Key features: With Daptiv TTM, teams can better track tasks and submit timesheets, stakeholders get a more accurate view of project status, and initiatives move forward on time and on budget.