Wilford Pagac

1596844800

Black Hat 2020: In a Turnaround, Voting Machine Vendor Embraces Ethical Hackers

Voting machine technology seller Election Systems & Software (ES&S) offered an olive branch to security researchers with new safe harbor terms and vulnerability disclosure policies at Black Hat USA 2020.

Voting machine-maker Election Systems & Software (ES&S) formally announced a vulnerability disclosure policy on Wednesday during a Black Hat USA 2020 session.

The move, which comes with the U.S. presidential elections looming in November, shows that voting-machine vendors are beginning to take the role of the security research community seriously in helping to secure critical election infrastructure. On Wednesday, ES&S said that its formally released policy applies to all digital assets owned and operated by ES&S – including corporate IT networks and public-facing websites.

“We’re publishing this policy today to formalize how we’re going to work with security researchers to improve election security going forward,” said Chris Wlaschin, vice president of Systems Security and CISO, ES&S. “This is a good first step in the right direction and we look forward to improving, everywhere we can, election security.”

The policy does not give authorization to test state and local government election-related networks or assets – “researchers should follow guidance from those entities for security researcher opportunities and conditions,” according to the report.

“For ES&S products not owned or operated by ES&S, we will accept reports as a result of research under this policy,” the company said.

The vulnerability-disclosure policy also provides safe-harbor language for security researchers. This means that ES&S will not initiate legal action against researchers for “good faith” or accidental violations of the policy. In addition, researchers will be exempt from the Digital Millennium Copyright Act (DMCA), and ES&S said it will not bring a claim against them for circumvention of technology controls.

Finally, researchers would be “exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy,” according to the policy.

ES&S election security

The adoption of safe-harbor language marks a drastic turnaround from how the voting-machine vendor has interacted with the research community in previous years.

At DEFCON in 2018 for instance, ES&S and security researchers butted heads after the company criticized attempts to test voting machines. In a letter to customers, ahead of the conference, ES&S in 2018 also warned election officials that unauthorized use of its software violated the company’s licensing agreements.

Despite this contentious background, security flaws have popped up over the years in the company’s election infrastructure. In 2019, security researchers revealed that they found 35 backend election systems – made by ES&S – that connected to the internet at some point in the past year. And in 2018, the company revealed that it installed remote-access software on some voting machines over a period of six years, raising security concerns.

The announcement also comes during a year when election security is in the spotlight at Black Hat, with the U.S. elections three months away. Security researcher Matt Blaze opened Black Hat 2020 with a call-to-arms for cybersecurity researchers, asking the security space to leverage their expertise to help secure the upcoming U.S. presidential elections, which will likely be a mostly vote-by-mail affair.

Wlaschin for his part said that ES&S has actually been working now with security researchers for at least 18 months – but the program announced on Wednesday formalizes the process. As part of this, ES&S has worked with Synack, a crowdsourced penetration testing platform, to continue to develop its vulnerability disclosure process.

“If you apply [vulnerability disclosure] to our election critical infrastructure, there is a match made in heaven here between security companies and government bodies, and we’re trying to advance that collaboration,” said Mark Kuhr, CTO of Synack.

#black hat #critical infrastructure #vulnerabilities #web security #black hat security #election #election security #election systems and software #es&s


Brain Crist

1594753020

Citrix Bugs Allow Unauthenticated Code Injection, Data Theft

Multiple vulnerabilities in the Citrix Application Delivery Controller (ADC) and Gateway would allow code injection, information disclosure and denial of service, the networking vendor announced Tuesday. Four of the bugs are exploitable by an unauthenticated, remote attacker.

The Citrix products (formerly known as NetScaler ADC and Gateway) are used for application-aware traffic management and secure remote access, respectively, and are installed in at least 80,000 companies in 158 countries, according to a December assessment from Positive Technologies.

Other flaws announced Tuesday also affect Citrix SD-WAN WANOP appliances, models 4000-WO, 4100-WO, 5000-WO and 5100-WO.

Attacks on the management interface of the products could result in system compromise by an unauthenticated user on the management network; or system compromise through cross-site scripting (XSS). Attackers could also create a download link for the device which, if downloaded and then executed by an unauthenticated user on the management network, could result in the compromise of a local computer.

“Customers who have configured their systems in accordance with Citrix recommendations [i.e., to have this interface separated from the network and protected by a firewall] have significantly reduced their risk from attacks to the management interface,” according to the vendor.

Threat actors could also mount attacks on Virtual IPs (VIPs). VIPs, among other things, are used to provide users with a unique IP address for communicating with network resources for applications that do not allow multiple connections or users from the same IP address.

The VIP attacks include denial of service against either the Gateway or Authentication virtual servers by an unauthenticated user; or remote port scanning of the internal network by an authenticated Citrix Gateway user.

“Attackers can only discern whether a TLS connection is possible with the port and cannot communicate further with the end devices,” according to the critical Citrix advisory. “Customers who have not enabled either the Gateway or Authentication virtual servers are not at risk from attacks that are applicable to those servers. Other virtual servers e.g. load balancing and content switching virtual servers are not affected by these issues.”

A final vulnerability has been found in Citrix Gateway Plug-in for Linux that would allow a local logged-on user of a Linux system with that plug-in installed to elevate their privileges to an administrator account on that computer, the company said.

#vulnerabilities #adc #citrix #code injection #critical advisory #cve-2020-8187 #cve-2020-8190 #cve-2020-8191 #cve-2020-8193 #cve-2020-8194 #cve-2020-8195 #cve-2020-8196 #cve-2020-8197 #cve-2020-8198 #cve-2020-8199 #denial of service #gateway #information disclosure #patches #security advisory #security bugs

Mikel Okuneva

1597662000

Black Hat 2020: Scaling Mail-In Voting Spawns Broad Challenges

Security researcher Matt Blaze opened Black Hat 2020 with a call-to-arms for cybersecurity experts, asking them during his keynote to leverage their passion for election security to help secure the upcoming U.S. presidential elections, which will likely be a mostly vote-by-mail affair.

“This community is precisely the one whose help is going to be needed by your local election officials,” he said. “The logistical aspects of this are familiar to computing specialists,” he said, while urging virtual Black Hat attendees to “engage now.”

Scaling up mail-in voting, Blaze said, with less than 100 days left before the election, is an undertaking that, while not impossible, presents many challenges. With the “operational environment being under uncertainty and in a state of emergency…our expertise in this community is central to many of the problems that we have here.”

Blaze, who is McDevitt Chair in Computer Science and Law at Georgetown, chairman of the Tor Project and co-creator of the Voting Village at DEFCON, took the virtual “stage” at Black Hat 2020 on Wednesday for the first-day keynote. He discussed how the global coronavirus pandemic has created a national emergency on the voting front, driving a need for scaling up accessible, COVID-19-safe election mechanisms between now and November. Broader mail-in voting is an obvious choice for that – but making it or any other “fix” a reality in the short-term is easier said than done, he said.

“I’m a computer scientist who studies computer security, which is full of terribly hard problems,” Blaze said. “I don’t think I’ve ever encountered a problem that’s harder than the security and integrity of civil elections – it’s fundamentally orders-of-magnitude more difficult and more complex than almost anything else.”

One of the big reasons for this complexity is the fact that the federal government has remarkably little to do in practice with the process and the mechanisms of voting, he said, making for a patchwork of approaches that can’t be effectively changed in bulk.

“In practice, each state sets its own rules, has its own laws, and has its own requirements for the elections that are conducted in that state,” Blaze explained. “And in most states, elections are actually run by local governments, most often counties. And to give you a sense of the scale there, there are over 3,000 counties in the United States – and if you add the townships and other governments that run elections, there are over 5,000 government entities responsible for doing everything with the elections for their residents. So there’s no single place where you can change everything nationwide.”

With the pandemic and various politicians driving controversy over the efficacy of vote-by-mail, Blaze noted that absentee voting has always been with us – but just not at scale.

“This is available everywhere, and it’s a fairly predictable, well-established concept in general, and election officials can usually predict how many people are going to need to vote by this absentee method,” he said. “There are states that rely on mail-in voting very heavily, in places like Oregon. But that said, in most places, we still by and large vote in person.”

#black hat #critical infrastructure #government #vulnerabilities #black hat 2020 #challenges #election security #keynote #mail in voting #matt blaze #presidential election #scale

Wilford Pagac

1596807780

Black Hat USA 2020 Preview: Election Security, COVID Disinformation and More

Threatpost editors break down the top themes, speakers and sessions to look out for this year at Black Hat 2020 – from election security to remote work and the pandemic.

Despite COVID-19 pushing the Black Hat USA 2020 conference to go virtual for the first time, you can expect a steady stream of new security research, threat intel and an impressive lineup of high-profile speakers.

This year’s conference kicks off with Matt Blaze, McDevitt Chair in Computer Science and Law at Georgetown University, who is slated to talk about election security measures. Earlier this week, Blaze put President Donald Trump in the Twitter spotlight blasting him in a high-profile tweet for spreading “baseless” election concerns. Election security is also on the mind of Christopher Krebs, director of the Department of Homeland Security’s CISA unit, whose Black Hat session is called “Election Security: Securing America’s Elections.”

COVID-19 and remote work will also be a theme at the conference, with Renée DiResta, research manager at Stanford Internet Observatory, giving a keynote (“Hacking Public Opinion”) on online disinformation about coronavirus and nation states spinning pandemic conspiracies. Beyond that, you can look out for advancements in research around some of the typical hot topics unveiled at Black Hat USA, including Apple research by Patrick Wardle, vulnerabilities found in connected cars (this year a Mercedes-Benz), critical infrastructure weaknesses and even “satellite eavesdropping attacks.”

Threatpost editors Tom Spring, Tara Seals and Lindsey O’Donnell-Welch break down the top sessions, keynotes, speakers and themes to look out for in this week’s podcast.

Download the podcast direct here or listen below.

Below find a lightly edited transcript of the podcast.

Lindsey O’Donnell Welch: Welcome back to the Threatpost podcast, Black Hat USA 2020 preview edition. You’ve got the Threatpost team here, including myself, Lindsey O’Donnell-Welch, Tom Spring and Tara Seals. And we are planning on breaking down what to expect from the first ever virtual Black Hat Conference in the entire 23 years of the show, which kicks off this weekend. So Tom and Tara, how are you doing? Are you excited for the show?

Tom Spring: Well, yeah, I’m excited. I’m excited that I don’t have to hop on a plane and fly to Vegas. I mean, there’s pluses and minuses.

Tara Seals: I am, I’m definitely excited about not being in Vegas in August. So that’s a good thing. Yeah, it’ll be interesting to see how the virtual event is going to go. It looks like the session list has pretty impactful content, lots of interesting stuff and tendrils to pick up on in there, in terms of trends.

Lindsey: Yeah, it’ll be interesting, it being virtual, in previous years of the show, obviously, you go for the keynotes and the sessions and the breaking news. And that will still all be there. But it’s also always fun to meet, you know, face to face with security experts who you’ve mostly been interacting with on the phone for all of the year. So I’ll really miss that this year. But I do see that they have Tara, as you say, tons of sessions and really interesting – I think it was over 90 research presentations that’ll be prepared and presented this year. So, you know, in terms of topics, I mean, this probably comes to a surprise to no one but obviously election security is going to be a huge topic this year just looking at the keynotes and the sessions as well.

Tara: Yeah, for sure. And I think that, obviously it being an election year, it’s near and dear to everyone’s hearts and is at the top of everyone’s minds how this election is going to go. So it’ll be interesting to see from a cybersecurity perspective what it is that they’re going to be zeroing in on. And, you know, at past events we’ve had a lot of talk about the voting machines themselves. But I think this year, the focus might be more on online voting and mail-in ballots and more the hacking of processes rather than the actual machines. That would be interesting.

Tom: Yeah, the second day keynote in terms of election manipulation in terms of social media, there’s going to be a focus on that as well. I think one of the other dominant themes that can’t be avoided, even though it’s not explicitly stated in the sessions, is going to be remote work, with everybody working from home. I don’t know if it was deliberate or not, but there doesn’t seem to be too much discussion about the pandemic and about how workforces are working from home. But it does seem like there’s enough stuff about VPN security, cloud security, cloud exploits, container security, where we’re going to see that, is also another dominant theme.

Tara: Yeah, it’s kind of interesting that you mentioned the cloud, Tom, because there are a ton of cloud-related sessions this year. And I know the guys from Mandiant are going to be talking about an O365-targeted series of attacks that I think you’re going to be attending, right?

Tom: Yeah, yeah, I’m actually really interested to see how it’s gonna play out in terms of what the actual experience is going to be like from a – nevermind a reporter standpoint – but just as a sort of an attendee standpoint. Whether or not it’s just going to be like an empty room with somebody at a podium or, you know, somebody sitting at their desk. I don’t know, we’ll see what happens. But yes, so I’m really looking forward to covering the cloud security issues. There seems to be, at a much smaller scale, a lot of news percolating up right now, in anticipation of some of the bigger sort of sessions that are going to be taking place primarily on Wednesday and Thursday, as the first half of the conference is dedicated to training.

Lindsey: Right. Yeah. And there’s definitely a ton of sessions that we’ve seen in previous Black Hats that are, you know, we’ve seen the speakers there, like Patrick Wardle would be talking about how on MacOS certain attacks are growing in popularity, and I know he’s done a ton of presentations in previous years, so I’ll be looking forward to that one. There’ll be a really cool, connected car security research on Mercedes-Benz session that I’m interested in. I know, it’s not presented by Charlie Miller and Chris Valasek, necessarily, but there is always really cool car security research that comes out of Black Hat. So I’ll definitely be focused on that one by I think it was researchers with 360 Group. And then just beyond that, I feel like, a focus on critical infrastructure and IoT. Tara, I know, yesterday, you wrote about those VPN flaws that were affecting OT networks. And I think that really will be a big focus this year at Black Hat in terms of security issues in critical infrastructure. And I know that I think I saw that like Trend Micro will highlight some work done in terms of research, finding weaknesses in industrial protocol gateways, in industrial control system environments. So just something to look out for there. I know that OT networks and OT security was a big topic at Black Hat 2019. So I think that will just continue this year.

Tara: Yeah, I think the focus on critical infrastructure of late — we’ve seen a bit of a groundswell in that area. And you know, you’re talking about some of the cool sessions that you had spotted on the agenda, Lindsey, I know Tom, one of the ones that you have been talking about was the IoT Skimmer session from the researchers from the Georgia Institute of Technology. Talking about using a botnet to conduct power-market manipulation, which is really, really interesting. And new and different.

Tom: Yeah, no, that sounds like a really fascinating session, looking forward to actually sitting in and reporting on what comes out of that. This whole virtual Black Hat, it will be interesting to see how it plays out. You know, it’ll be interesting to see how I mean how the vendors deal with communicating their messages outside of the Black Hat in a sense that you know, so much about Black Hat wasn’t actually about the sessions, but some of the off-site stuff and some of the meet and greets and some of the private briefings. You know, as this plays out, it’ll be interesting to see how it all falls into place or if it falls into place. I am cautiously optimistic that it’s going to be a good hopefully great, Black Hat, you know?

Tara: Yeah, I would really love to see if they’re able to carry out some sort of virtual networking agenda. And I don’t know, I haven’t seen a whole lot, I’ve been getting some reach-out from different individual firms, but in terms of a virtual reception or something like that, and I don’t even know what that would necessarily look like, but I think if any virtual conference could crack the code on how to enable networking in a virtual type of setting, I think that would be a real winner.

Tom: Yeah, and Tara, help me better understand, I know this is Black Hat. But DEFCON is sort of the other conference that is such an important part of my Black Hat Las Vegas experience, and help me and remind me what the plan of action is for DEF CON, in terms of how they’re going to structure that event that usually overlaps and really is, you know, sort of for me the icing on the cake in terms of security coverage of the show.

Tara: Yeah, so DEFCON is going to kick off on August 7 and continue through August 8, so directly after Black Hat that is going to start. And they’re taking a very different approach from what I can tell, in that they don’t actually have a set agenda necessarily. They’re trying to get people to interact on forums and different messaging boards and trying to get people together in sort of clusters or pods to discuss different interesting topics of the day. And so I think that’s going to be a lot more informal and I think it’s gonna be a lot more interactive and about bouncing ideas off of each other and much closer to sort of the typical networking experience than you would see at traditional conferences. Which is honestly what DEFCON in its physical format was like anyway. But it seems as though they’re really eschewing the set session schedule in favor of more of a get-the-brain-trust together and see what comes out of it approach.

#black hat #podcasts #appsec #black hat 2020 #cloud security #coronavirus #covid-19 #election #election security #pandemic #remote work #voting security

Tyrique Littel

1597392000

Black Hat 2020: Satellite Comms Globally Open to $300 Eavesdropping Hack

Satellite internet communications are susceptible to eavesdropping and signal interception by far-flung attackers located in a different continent or country from their victims. And all they need is $300 worth of off-the-shelf equipment to pull it off.

That’s the word from James Pavur, an academic researcher and doctoral candidate at Oxford University, speaking at Black Hat 2020 on Wednesday.

Satellite ISPs provide connectivity in places where terrestrial communications aren’t possible, for instance at oil rigs in the Gulf, or to pilots in flight. Commercial shipping vessels, fishing boats, cruise passengers, terrestrial explorers camping in the wilderness, Arctic observation camps, weather stations and others all rely on satellite to connect to the outside world.


The first thing to know is that the way satellite communications work provides for a wide geographical attack area, the researcher explained. When a satellite ISP makes an internet connection for a customer, it beams that customer’s signals up to a satellite in geostationary orbit within a narrow communications channel; that signal is then sent back down to a terrestrial receiving hub and routed to the internet. However, when the response signals are sent back along the same path (just in reverse), that transmission downlink between the satellite and the user will be a broadcast transmission, containing many customers’ traffic simultaneously.

“A critical difference is that we’re going to send [downstream signals] in a really wide beam, because we want to cover as many customers as possible, and satellites are very expensive,” according to Pavur. “So radio waves carrying a response to a Google search will reach our customer in the middle of the Atlantic Ocean; but they will also hit an attacker’s dish in, say, Ghana.”

Essentially what this means is that if they were able to perform an interception, adversaries could eavesdrop on vast sections of the globe.

The $300 Listening Station

The common assumption is that for an attacker to pull off this kind of signal interception, it takes money. And indeed, there are specialized modems for intelligence-collection purposes that allow governments to listen in on satellite communications, Pavur noted; they’re installed in multimillion-dollar ground stations worldwide. However, for those without nation-state assistance, the researcher demonstrated that the same kind of attack can be accomplished with basic home-television consumer equipment.

“We purchased this simple flat panel satellite dish — although honestly any satellite dish would do, even something that’s already resting on your roof, or off of Craigslist or Gumtree for basically free,” Pavur said. “And then we used a PCIe satellite tuner card. These are widely available for people who want to watch satellite television on their computer.”

Higher-end professional PCIe tuner cards cost between $200 and $300, but there are cheaper versions in the $50 to $80 price range. The downside of the cheaper ones, Pavur explained, is that there will be a lack of reliability in listening in on certain feeds.

With the equipment in hand, eavesdroppers then need to decide where to point their dishes (the locations of comms satellites are public information), and then go about discovering internet feeds. To do that, Pavur’s team used a software tool called EPS Pro, which is designed to help people find satellite television channels.

“We’re going to point our satellite dish at a spot in the sky that we know has a satellite, and we’re going to scan the Ku band of the radio spectrum to find signals against the background noise,” Pavur explained. “The way we’ll identify channels is by looking for distinct humps in the radio spectrum; because they stick out against the background noise, we can guess that there’s something going on there. We’ll tell our card to tune to this one, and treat it as a Digital Video Broadcasting for Satellite feed. After a few seconds we get a lock on that feed, meaning we successfully found a connected satellite.”

The next step is to make a short recording of the feed; depending on the signal-to-noise ratio, the amount of data captured could range from a megabyte to a terabyte. In any event, attackers would then examine the data to discover whether they’ve found internet traffic or a TV feed.

“There’s no dark magic to this process, I’m just going to look through that raw binary file for the string HTTP, which we’d expect to see in an internet capture, but wouldn’t expect to see in a television feed,” Pavur explained.

#black hat #cloud security #critical infrastructure #cryptography #hacks #iot #web security #black hat 2020 #communications #eavesdropping #interception #isps #james pavur #listening #maritime #oil rigs #oxford #satellite #shipping