Top voting machine maker reverses position on election security, promises paper ballots

Voting machine maker ES&S has said it “will no longer sell” paperless voting machines as the primary device for casting ballots in a jurisdiction.

ES&S chief executive Tom Burt confirmed the news in an op-ed.

TechCrunch understands the decision was made around the time that four senior Democratic lawmakers demanded to know why ES&S, and two other major voting machine makers, were still selling decade-old machines known to contain security flaws.

Burt’s op-ed said voting machines “must have physical paper records of votes” to prevent mistakes or tampering that could lead to improperly cast votes. Sen. Ron Wyden introduced a bill a year ago that would mandate voter-verified paper ballots for all election machines.

The chief executive also called on Congress to pass legislation mandating a stronger election machine testing program.

Burt’s remarks are a sharp turnaround from the company’s position just a year ago, in which the election systems maker drew ire from the security community for denouncing vulnerabilities found by hackers at the annual Defcon conference.

Security researchers at the conference’s Voting Village found a security flaw in an old but widely used voting machine in dozens of states. Their findings prompted a response by senior lawmakers on the Senate Intelligence Committee, who said that independent testing “is one of the most effective ways to understand and address potential cybersecurity risks.”

But ES&S disagreed. In a letter firing back, Burt said he believed “exposing technology in these kinds of environments makes hacking elections easier, not harder, and we suspect that our adversaries are paying very close attention.”

Days later, NSA cybersecurity chief Rob Joyce criticized the response. “Ignorance of insecurity does not get you security,” he tweeted. “The investigation of these devices by the hacker community is a service, not a threat.”

Although unexpected, election … Read the rest

Google’s own data proves two-factor is the best defense against most account hacks

Every once in a while someone will ask me what is the best security advice.

The long answer is “it depends on your threat model,” which is just a fancy way of saying what’s good security advice for the vast majority isn’t necessarily what nuclear scientists and government spies require.

My short answer is, “turn on two-factor.” Yet, nobody believes me.

Ask almost any cybersecurity professional and it’ll likely rank as more important than using unique or strong passwords. Two-factor, which adds an additional step in your usual log-in process by sending a unique code to a device you own, is the greatest defense between a hacker and your online account data.

But don’t take my word for it. Google data out this week shows how valuable even the weakest, simplest form of two-factor can be against attacks.

The research, with help from New York University and the University of California, San Diego, shows that any device-based challenge — such as a text message or an on-device prompt — can in nearly every case prevent the most common kind of mass-scale attacks.

Google’s data showed having a text message sent to a person’s phone prevented 100% of automated bot attacks that use stolen lists of passwords against login pages and 96% of phishing attacks that try to steal your password.

Account takeover preventing rates by challenge type (Image: Google)

Not all two-factor options are created equal. We’ve explained before that two-factor codes sent by text message can be intercepted by semi-skilled hackers, but it’s still better than not using two-factor at all. Its next best replacement, getting a two-factor code through an authenticator app on your phone, is far more secure.

Only a security key, designed to protect the most sensitive accounts, prevented both automated bot and phishing attacks but … Read the rest

Google discloses security bug in its Bluetooth Titan Security Keys, offers free replacement

Google today disclosed a security bug in its Bluetooth Titan Security Key that could allow an attacker in close physical proximity to circumvent the security the key is supposed to provide. The company says the bug is due to a “misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols” and that even the faulty keys still protect against phishing attacks. Still, the company is providing a free replacement key to all existing users.

The bug affects all Titan Bluetooth keys, which sell for $50 in a package that also includes a standard USB/NFC key, that have a “T1” or “T2” on the back.

To exploit the bug, an attacker would have to be within Bluetooth range (about 30 feet) and act swiftly as you press the button on the key to activate it. The attacker can then use the misconfigured protocol to connect their own device to the key before your own device connects. With that — and assuming that they already have your username and password — they could sign into your account.

Google also notes that before you can use your key, it has to be paired to your device. An attacker could also potentially exploit this bug by using their own device and masquerading it as your security key to connect to your device when you press the button on the key. By doing this, the attacker can then change their device to look like a keyboard or mouse and remote control your laptop, for example.

All of this has to happen at the exact right time, though, and the attacker must already know your credentials. A persistent attacker could make that work, though.

Google argues that this issue doesn’t affect the Titan key’s main mission, which is to guard against phishing attacks, and argues that … Read the rest

‘Unhackable’ encrypted flash drive eyeDisk is, as it happens, hackable

In security, nothing is “unhackable.” When it’s claimed, security researchers see nothing more than a challenge.

Enter the latest findings from Pen Test Partners, a U.K.-based cybersecurity firm. Their latest project was ripping apart the “unhackable” eyeDisk, an allegedly secure USB flash drive that uses iris recognition to unlock and decrypt the device.

In its Kickstarter campaign last year, eyeDisk raised more than $21,000; it began shipping devices in March.

There’s just one problem: it’s anything but “unhackable.”

Pen Test Partners researcher David Lodge found the device’s backup password — to access data in the event of device failure or a sudden eye-gouging accident — could be easily obtained using a software tool able to sniff USB device traffic.

The secret password — “SecretPass” — can be seen in plaintext (Image: Pen Test Partners)

“That string in red, that’s the password I set on the device. In the clear. Across an easy to sniff bus,” he said in a blog post detailing his findings.

Worse, he said, the device’s real password can be picked up even when the wrong password has been entered. Lodge explained this as the device revealing its password first, then validating it against whatever password the user submitted before the unlock password is sent.

Lodge said anyone using one of these devices should use additional encryption on the device.

The researcher disclosed the flaw to eyeDisk, which promised a fix, but has yet to release it; eyeDisk did not return a request for comment.

Source link Read the rest

Flaws in a popular GPS tracker leak real-time locations and can remotely activate its microphone

A popular GPS tracker — used as a panic alarm for elderly patients, to monitor kids and track vehicles — contains security flaws, which security researchers say are so severe the device should be recalled.

The Chinese-manufactured white-label location tracker, rebranded and sold by more than a dozen companies — including Pebbell by HoIP Telecom, OwnFone Footprint and SureSafeGo — uses a SIM card to connect to the 2G/GPRS cell network. Although none of the devices have internet connectivity and won’t be found on exposed device database sites like Shodan, they still can be remotely accessed and controlled by SMS.

Researchers at U.K. cybersecurity firm Fidus Information Security say the device can be tricked into turning over its real-time location simply by anyone sending it a text message with a keyword. Through another command, anyone can call the device and remotely listen in to its in-built microphone without alerting anyone.

Another command can remotely kill the cell signal altogether, rendering the device effectively useless.

Although the device can be protected with a PIN, it’s not enabled by default. Worse, the researchers found the device can be remotely reset without needing a PIN — opening up the device to further commands.

“This device is marketed at keeping the most vulnerable safe and yet anybody can locate and listen into thousands of people’s lives without their knowledge,” said Fidus’ Andrew Mabbitt, who wrote up the team’s findings. “This day and age, everything is connected one way or another and we seem to be leaving security behind; this isn’t going to end well.”

An attacker only requires the phone number of the device, Mabbitt told TechCrunch. His team showed it was easy to extrapolate hundreds of working phone numbers connected to vulnerable devices based off a single known device. “We … Read the rest