Friday, August 14, 2020

Security Smorgasbord, vol. 12 no. 1

I used to do these regularly but have gotten lazy in my dotage.  Ah well, maybe we can reboot the series.

Government actually does something smart about election security (yes, it finally happened!)

Ohio introduces election site vulnerability disclosure policy:

Ohio’s secretary of state has established guidelines for security experts to find and help fix software flaws in the state’s election-related websites, the first such move by a state as the 2020 election approaches.

The vulnerability disclosure policy (VDP) covers registration websites for Ohio residents and overseas and military voters, among other sites, and provides legal liability protections for researchers. The program will bolster the efforts of Ohio Secretary of State Frank LaRose’s security team at a time when threats to election infrastructure “have never been greater,” the policy states. Under the policy, researchers are required to wait four months after reporting a vulnerability to Ohio officials before going public with it.

This is an excellent move by the State of Ohio.  There are a lot of White Hat hackers out there that can help the State find and close security bugs before the Black Hat d00dz find (and exploit) them, but up until now the risk of prosecution by grandstanding District Attorneys has scared off a lot of research.  By encouraging this research, with "responsible disclosure" policies in place, we can hope that the electoral system gets a little bit of hardening.  Well done, Ohio.

Voting machine manufacturer actually does something smart about election security (yes, it finally happened!)

Just hours after Professor Matt Blaze today discussed the state of election system security in America, one of the largest US voting machine makers stepped forward to say it's trying to improve its vulnerability research program.

Election Systems and Software (ES&S), whose products include electronic ballot boxes and voter registration software, said it is working with infosec outfits and bug-finders to improve the security of its products.

Speaking at this year's online Black Hat USA conference, CISO Chris Wlaschin outlined a number of steps his biz has already or will soon take to overhaul its relationship with bug-bounty hunters.

Well done to ES&S.  And sending their CISO to talk at Black Hat is pretty l33t ...

Someone is messing around with Tor Exit Nodes:

Since January 2020, a mysterious threat actor has been adding servers to the Tor network in order to perform SSL stripping attacks on users accessing cryptocurrency-related sites through the Tor Browser.

The group has been so prodigious and persistent in their attacks, that by May 2020, they ran a quarter of all Tor exit relays — the servers through which user traffic leaves the Tor network and accesses the public internet.

This is very bad juju if you use Tor.  I've written a fair amount about Tor - this is a good starting place.  It's a way to keep your network traffic anonymous (well, maybe).  This is an interesting new attack against it.
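SSL stripping works by keeping the victim on plaintext HTTP after the exit relay has done the HTTPS leg itself, and the standard counter is HTTP Strict Transport Security, which tells a browser that has seen the header (or has the site in the preload list) to refuse plaintext for that host. The following check is an added example, not code from the article or from the researchers who tracked the relays; it parses a Strict-Transport-Security header and flags a response that ended up on plaintext or carries a weak policy. The host `wallet.example` and the headers are constructed for illustration.

```python
"""Classify an HTTP exchange for the two signals that matter against
SSL stripping: did we end up on HTTPS, and does the site send an HSTS
policy strong enough to pin future visits?  (Added example, constructed
sample data; wallet.example is a made-up host.)"""
from urllib.parse import urlparse

ONE_YEAR = 31536000  # seconds; the minimum max-age the HSTS preload list accepts


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into its directives.
    Returns None when the header is absent or has no usable max-age."""
    if not header_value:
        return None
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    try:
        max_age = int(directives["max-age"])
    except (KeyError, ValueError):
        return None
    return {
        "max_age": max_age,
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def assess_response(requested_url, final_url, headers):
    """Return a list of findings (empty = nothing suspicious) for a request
    that started at requested_url and, after any redirects, landed on
    final_url with the given response headers."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    findings = []
    req, fin = urlparse(requested_url), urlparse(final_url)
    if req.scheme == "https" and fin.scheme == "http":
        findings.append("downgrade: https request ended on http")
    if fin.scheme != "https":
        findings.append("plaintext: final URL is not https")
        return findings  # HSTS is only honoured over HTTPS, nothing more to check
    hsts = parse_hsts(hdrs.get("strict-transport-security"))
    if hsts is None:
        findings.append("no-hsts: site does not pin browsers to https")
    elif hsts["max_age"] < ONE_YEAR:
        findings.append("weak-hsts: max-age below one year")
    elif not hsts["preload"]:
        findings.append("no-preload: first visit still starts unprotected")
    return findings


# Constructed samples: a stripped exchange, a well-configured site, a weak one.
STRIPPED = ("https://wallet.example/", "http://wallet.example/", {})
GOOD = ("https://wallet.example/", "https://wallet.example/",
        {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"})
WEAK = ("https://wallet.example/", "https://wallet.example/",
        {"Strict-Transport-Security": "max-age=300"})

if __name__ == "__main__":
    for label, sample in (("stripped", STRIPPED), ("good", GOOD), ("weak", WEAK)):
        print(label, assess_response(*sample))
```

The caveat this makes visible: HSTS protects a browser only after it has seen the header once over HTTPS, or if the site is on the preload list, so the very first plaintext visit through a hostile exit is exactly the window the attacker wants. Typing `https://` explicitly, or using a browser mode that refuses plaintext, closes that window from the client side.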

Boeing 747s still receive critical software updates via 3.5" floppy disk:

Long time reader and commenter (and all around great guy) Libertyman sends a link to this, which has very interesting security implications.  Boeing sends critical 747 software updates via floppy disk:
Boeing’s 747-400 aircraft, first introduced in 1988, is still receiving critical software updates through 3.5-inch floppy disks. The Register reports that security researchers at Pen Test Partners recently got access to a British Airways 747, after the airline decided to retire its fleet following a plummet in travel during the coronavirus pandemic. The team was able to inspect the full avionics bay beneath the passenger deck, with its data center-like racks of modular black boxes that perform different functions for the plane.

Pen Test Partners discovered a 3.5-inch floppy disk drive in the cockpit, which is used to load important navigation databases. It’s a database that has to be updated every 28 days, and an engineer visits each month with the latest updates.

Two key security points here: there's no possibility of "over the air" hacks, and the in-person delivery is probably very secure indeed.  However, if nobody manufactures 3.5" floppy disks then you have a real problem here.  That's not a problem (yet) since both the floppy disks and the drives are still available.  Who knew?
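In-person delivery removes the remote attack surface, but the medium itself still has to be trusted when it is loaded: the practitioner's question is whether the contents match what the publisher issued and whether the database is the current 28-day cycle. The following is an added example, not Boeing's, the airline's, or Pen Test Partners' code, and the article says nothing about how the real updates are authenticated. It assumes a hypothetical manifest of SHA-256 hashes plus an effective date obtained out of band (not from the same disk); the file name, data and dates are constructed.

```python
"""Integrity and currency check for an update delivered on removable media.
Added example with a constructed manifest format; it is not the aircraft's
real update procedure."""
import hashlib
from datetime import date, timedelta

CYCLE_DAYS = 28  # the update interval the article gives for the nav database


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_update(disk_files, manifest, today):
    """Return a list of problems; an empty list means the medium is acceptable.
    disk_files: {name: bytes} as read from the disk.
    manifest:   {"effective": "YYYY-MM-DD", "files": {name: sha256hex}},
                assumed to come from a channel separate from the disk."""
    problems = []
    expected = manifest["files"]
    for name, digest in expected.items():
        if name not in disk_files:
            problems.append(f"missing: {name}")
        elif sha256_hex(disk_files[name]) != digest:
            problems.append(f"hash mismatch: {name}")
    for name in disk_files:
        if name not in expected:
            problems.append(f"unexpected file: {name}")
    effective = date.fromisoformat(manifest["effective"])
    if effective > today:
        problems.append("not yet effective")
    elif today - effective >= timedelta(days=CYCLE_DAYS):
        problems.append("stale: cycle expired")
    return problems


# Constructed sample data: one database file and its out-of-band manifest.
GOOD_DB = b"NAVDB cycle (constructed sample data)\n"
MANIFEST = {"effective": "2020-08-13", "files": {"NAVDB.DAT": sha256_hex(GOOD_DB)}}


def demo():
    """Run the check against a clean disk, a tampered disk and a stale one."""
    today = date(2020, 8, 14)
    clean = verify_update({"NAVDB.DAT": GOOD_DB}, MANIFEST, today)
    tampered = verify_update({"NAVDB.DAT": GOOD_DB + b"x", "EXTRA.EXE": b"\x00"},
                             MANIFEST, today)
    stale = verify_update({"NAVDB.DAT": GOOD_DB}, MANIFEST, date(2020, 9, 30))
    return clean, tampered, stale


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "stale"), demo()):
        print(label, result)
```

The design point is that a hash manifest is only as good as the channel it arrives by: if the manifest rode in on the same floppy, an attacker who could alter the disk could alter both, so it has to be checked against something the engineer already holds.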

1 comment:

James said...

I saw this a couple of days ago in the Apple News feed on my iPhone, about 80% of which is IT and Space related. This looked like a great idea when I saw it for the exact reasons you mentioned.

Pukes that would hack an aircraft should be put against the wall at once or used for bayonet practice (sorry, my old Cold Warrior days bleeding through here). While I was teaching computer forensics and digital evidence at the 3-letter agency academy - inconveniently located in Brunswick GA - we were briefed at the time that several 3-letter agencies still used the good ol' time religion Sony 3.5" floppies as "system entry" devices. This was in 2015.

Man, when I got my smokin' hot Macintosh SE-20 in early 1987 I soon had 30-40 of the 800 KB floppies for everything. MacWrite docs, Hypercard stacks (miss those!) as well as those wonderful "digital" computer magazines that only came on floppy. Thought I'd never fill up that vast 20 MB hard drive! I remember Jerry Pournelle writing about his first 30 megger and writing the same thing in Byte.

Ahh, those were the days.

James