I used to do these regularly but have gotten lazy in my dotage. Ah well, maybe we can reboot the series.
Government actually does something smart about election security (yes, it finally happened!)
Ohio’s secretary of state has established guidelines for security experts to find and help fix software flaws in the state’s election-related websites, the first such move by a state as the 2020 election approaches.
This is an excellent move by the State of Ohio. There are a lot of White Hat hackers out there who can help the State find and close security bugs before the Black Hat d00dz find (and exploit) them, but up until now the risk of prosecution by grandstanding District Attorneys has scared off a lot of research. By encouraging this research, with "responsible disclosure" policies in place, we can hope that the electoral system gets a little bit of hardening. Well done, Ohio.
The vulnerability disclosure policy (VDP) covers registration websites for Ohio residents and overseas and military voters, among other sites, and provides legal liability protections for researchers. The program will bolster the efforts of Ohio Secretary of State Frank LaRose’s security team at a time when threats to election infrastructure “have never been greater,” the policy states. Under the policy, researchers are required to wait four months after reporting a vulnerability to Ohio officials before going public with it.
Just hours after Professor Matt Blaze today discussed the state of election system security in America, one of the largest US voting machine makers stepped forward to say it's trying to improve its vulnerability research program.
Election Systems and Software (ES&S), whose products include electronic ballot boxes and voter registration software, said it is working with infosec outfits and bug-finders to improve the security of its products.
Speaking at this year's online Black Hat USA conference, CISO Chris Wlaschin outlined a number of steps his biz has already or will soon take to overhaul its relationship with bug-bounty hunters.
Since January 2020, a mysterious threat actor has been adding servers to the Tor network in order to perform SSL stripping attacks on users accessing cryptocurrency-related sites through the Tor Browser.
The group has been so prodigious and persistent in their attacks, that by May 2020, they ran a quarter of all Tor exit relays — the servers through which user traffic leaves the Tor network and accesses the public internet.
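The stripping described above works because an exit relay sits between the Tor client and the plain-internet site, so it can answer the first HTTP request itself and rewrite `https://` links to `http://`. The two checks below are an added example written for this post (not code from the original article or from the Tor Project): one judges whether a site's `Strict-Transport-Security` header is strong enough that a browser that has seen it once will refuse to ever speak plain HTTP to that host again, and the other scans a page body that should have arrived over HTTPS for links that have been downgraded, which is the symptom an operator would look for when testing through a suspect exit. The header values, host names (`wallet.example`, `cdn.other.example`) and page body are constructed samples, so the script runs offline.

```python
"""Defender-side checks against SSL stripping (added example, not from the post).

evaluate_hsts()         judges a response's Strict-Transport-Security header.
find_downgraded_links() lists links in an HTTPS page that were rewritten to http://.
All sample data below is constructed; nothing is fetched from the network.
"""
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Browsers' HSTS preload list requires a max-age of at least one year.
PRELOAD_MIN_MAX_AGE = 31_536_000


@dataclass
class HstsVerdict:
    present: bool
    max_age: int = 0
    include_subdomains: bool = False
    preload: bool = False
    problems: list = field(default_factory=list)

    @property
    def strong(self) -> bool:
        """True only when the header exists and nothing was flagged."""
        return self.present and not self.problems


def parse_hsts(value: str) -> dict:
    """Split 'max-age=63072000; includeSubDomains; preload' into a lower-cased dict."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def evaluate_hsts(headers: dict) -> HstsVerdict:
    """Judge the HSTS header of one response (header names matched case-insensitively)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("strict-transport-security")
    if value is None:
        return HstsVerdict(present=False, problems=["no Strict-Transport-Security header"])
    d = parse_hsts(value)
    verdict = HstsVerdict(present=True,
                          include_subdomains="includesubdomains" in d,
                          preload="preload" in d)
    try:
        verdict.max_age = int(d.get("max-age", ""))
    except ValueError:
        verdict.problems.append("max-age missing or not an integer")
    if verdict.max_age < PRELOAD_MIN_MAX_AGE:
        verdict.problems.append("max-age shorter than one year")
    if not verdict.include_subdomains:
        verdict.problems.append("includeSubDomains absent")
    if not verdict.preload:
        verdict.problems.append("not preload-eligible: a first visit can still be stripped")
    return verdict


class _LinkCollector(HTMLParser):
    """Collects every href/src/action attribute value in a page."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, val in attrs:
            if name in ("href", "src", "action") and val:
                self.urls.append(val)


def find_downgraded_links(html: str, expected_https_hosts) -> list:
    """Return links that point at a host known to serve HTTPS but use plain http://."""
    collector = _LinkCollector()
    collector.feed(html)
    expected = {h.lower() for h in expected_https_hosts}
    return [u for u in collector.urls
            if urlsplit(u).scheme == "http" and urlsplit(u).hostname in expected]


# Constructed sample: a header that survives a single clean visit for two years.
GOOD_HEADERS = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}
# Constructed sample: a header so weak that every fresh browser is downgradable.
WEAK_HEADERS = {"Strict-Transport-Security": "max-age=300"}
# Constructed sample page body as it looks after a stripping relay rewrote one link.
STRIPPED_PAGE = """
<a href="http://wallet.example/login">Log in</a>
<a href="https://wallet.example/help">Help</a>
<img src="http://cdn.other.example/logo.png">
"""

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS), ("none", {})):
        v = evaluate_hsts(hdrs)
        print(f"{label}: strong={v.strong} problems={v.problems}")
    print("downgraded:", find_downgraded_links(STRIPPED_PAGE, ["wallet.example"]))
```

The first check matters because HSTS only protects a browser after it has seen the header over a genuine HTTPS connection once; `preload` plus a year-long `max-age` is what lets a site be shipped inside the browser so even the first visit refuses plain HTTP. The second check is what you would run on a page fetched through an exit you distrust: any `http://` link to a host you know is HTTPS-only means something in the path rewrote the response.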
Boeing’s 747-400 aircraft, first introduced in 1988, is still receiving critical software updates through 3.5-inch floppy disks. The Register reports that security researchers at Pen Test Partners recently got access to a British Airways 747, after the airline decided to retire its fleet following a plummet in travel during the coronavirus pandemic. The team was able to inspect the full avionics bay beneath the passenger deck, with its data center-like racks of modular black boxes that perform different functions for the plane.
Pen Test Partners discovered a 3.5-inch floppy disk drive in the cockpit, which is used to load important navigation databases. It’s a database that has to be updated every 28 days, and an engineer visits each month with the latest updates.