Tag Archive for: holes

Fix security holes in election management


North Korea can infiltrate South Korea’s internal network to manipulate voting results if it wants to, according to the National Intelligence Service’s (NIS) investigation of the National Election Commission (NEC). The finding on the NEC that oversees the process of presidential, parliamentary and local elections is shocking, especially ahead of next year’s parliamentary elections on April 10. In the worst possible scenario, the security loopholes in the election management system can prompt losers not to accept the results of the legislative election.

On Tuesday, the NIS announced the results of its investigation on the NEC’s election management system from July 17. It discovered a fault in the ballot opening procedure, which is crucial to the election outcome. Anyone could break into the NEC system by using a staffer’s password, which was, simply, “12345.”

The confusion in the early voting system was also confirmed to be serious. Hackers can easily break into the computer network from unauthorized outside systems, change early voters into nonvoters and manipulate the numbers to influence the final votes.

Stamping in early votes also could be easily exposed, as faking ballot cards was possible through printing tricks. A North Korean hacking group broke into the email box of an NEC employee in 2021, stole sensitive data, and leaked it to the outside.

Whether North Korea succeeded in raiding South Korea’s election management system is unclear. The latest results should not be linked to raising questions on the outcome of the 2020 parliamentary elections and others. But the NEC must come up with appropriate measures to address its systemic vulnerabilities to North Korea’s hacking threat, especially ahead of the parliamentary election next April. The election management body must pay more heed to the early voting system due to the alarming findings in the previous legislative election. If quick fixes are not possible, authorities need to consider strengthening the firewall or streamlining the system.

The NEC retorted that voting results cannot be manipulated as they proceed publicly unless there is a large…


Cyber Security Today, Feb. 24, 2023 – Holes in open source software, ransomware gang tries to evade cyber insurers and more


Welcome to Cyber Security Today. It’s Friday, February 24th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.

Creators of open-source projects still aren’t doing enough to ensure their code is squeaky clean. Researchers at Synopsys released their annual Open Source Security and Risk Analysis report this week, which looked at 1,700 audits of commercial and proprietary software. And the results weren’t pretty. Eighty-four per cent of the codebases examined had at least one known open source vulnerability. That’s up four per cent from last year. Here’s something else: Of the 1,480 audited codebases that included risk assessments by corporate owners of the software, 91 per cent contained outdated versions of open-source components. Developers of applications and IT departments that buy them need to have complete visibility of their software, says Synopsys. It helps for developers to create and buyers to demand a software bill of goods, the company adds.

Hackers have created a new class of bugs that get around the security protection of iPhones, iPads and Macs. Researchers at Trellix found the malware could evade protections preventing unapproved software running on the macOS and iOS operating systems. Normally this would be a significant breach of the Apple security model. However, the vulnerabilities were addressed with the recent releases of macOS 13.2 and iOS 16.3. Which is why you should have installed them by now.

The HardBit ransomware gang has a new tactic for dealing with corporate victims: Rather than haggling over payment to get access to encrypted data back, organizations are asked to go behind the backs of their insurers and divulge details of their cyber insurance policies (if they have one). Then the payment demanded will just be the maximum under the coverage. It’s pitched as a deal: If the gang knows you are insured only for, say $10 million, it promises not to demand more than $10 million.

A Russian citizen has been extradited to the U.S. from the republic of Georgia to face computer fraud and…


Security Holes in Deere, Case IH Shine Spotlight on Agriculture Cyber Risk


The agricultural equipment industry has long considered itself immune from cyber attacks. After all: farm equipment wasn’t Internet-connected and the software and protocols that it used were obscure. Besides: farms and farm equipment held little in the way of sensitive personal or financial data that cybercriminals could easily monetize.

But a lot has changed in the agriculture sector in the last decade. And farm country’s cybersecurity bill has come due…in a big way. A presentation at the annual DEF CON hacking conference in Las Vegas, scheduled for Sunday, will describe a host of serious, remotely exploitable holes in software and services by U.S. agricultural equipment giants John Deere and Case-IH. Together, the security flaws and misconfigurations could have given nation-state hackers access to, and control over, Deere’s global product infrastructure, access to sensitive customer and third party data and, potentially, the ability to remotely access critical farm equipment like planters and harvesters that are the lynchpin of the U.S. food chain.

A video of the presentation, “The Agricultural Data Arms Race Exploiting a Tractor Load of Vulns,” was posted on YouTube by conference organizers on Thursday. It is the most detailed presentation, to date, of a range of flaws in Deere software and services that were first identified and disclosed to the company in April. The disclosure of two of those flaws in the company’s public-facing web applications set off a scramble by Deere and other agricultural equipment makers to patch the flaws, unveil a bug bounty program and hire cyber security and embedded device security talent.

Sick Codes (@SickCodes), an independent security researcher who declines to use his real name in public statements, worked with researchers from the group Sakura Samurai including wabaf3t; D0rkerDevil; ChiefCoolArrow; John Jackson; Robert Willis; and Higinio “w0rmer” Ochoa. Together, the group uncovered 11 other flaws in Deere software and applications that the group shared with the company as well as CISA, the Cybersecurity…


The SolarWinds hack pokes holes in Defend Forward


In December 2020, the cybersecurity company FireEye discovered a cyber espionage campaign, compromising dozens of government and private organisations in the US.

Orchestrated by subverting the supply chain of the popular IT administration software-maker SolarWinds, the operation showcased remarkable ingenuity and precise tradecraft at every step of the “kill chain” to skirt around the phenomenal counterintelligence capabilities of the US. They had no plans to outmatch the strategic cyber offensive might of the US, so the spies tactically blended in with the environment, exploited “transitive trust” of the computers, and used deception to look like routine processes.

Yet, beyond all the technical details, it was the palpable strategic calculus which strikes at the heart of US cyber policy. The SolarWinds hack could potentially upset many of the US’ cyber statecraft initiatives—bolstering national cyber defence in the aftermath of the 2016 electoral interference—which took years to mature.

Widely attributed to the discreet Russian foreign intelligence agency SVR, the intrusion may not be an act of aggression, but it exposes the structural fault-lines within US cyber policy.

Exposure of weaknesses in US cyber policy

The American initiatives were based on certain assumptive paradigms, largely driven by legal and political compulsions rather than the operational realities of the domain. Strategies like the US Cyber Command’s (USCYBERCOM) Defend Forward seek to execute pre-emptive, “extraterritorial” cyber operations in an adversary’s own information space, neutralising a potential threat even before it is initiated. The idea behind it is not to undertake such expeditionary manoeuvres in every hostile network, but to make a credible deterrence threat with the selective use of ‘force.’

Defend Forward aimed at establishing firm declaratory thresholds on one hand, while trying to strike a tacit bargain with the adversary in a contested territory on the other. The strategy was based on some broad, sweeping assumptions:

First, that the traditional structures of deterrence by denial and deterrence by punishment remain valid in cyberspace. Second, that cyberspace…
