STE WILLIAMS

Ohio voting machines have ‘backdoor’, lawsuit claims

Video The software used in Ohio voting machines contains a backdoor that would allow third parties to change electronic votes, claims a lawsuit filed by local Green Party candidate Bob Fitrakis.

The lawsuit, filed on Monday afternoon against Ohio’s Republican Secretary of State John Husted, claims that on September 18 he hired Election Systems Software (ESS) to provide the electronic voting systems used by the state. ESS’ software is suspect, the complaint states, and it asks the court to allow the use of paper voting in Tuesday’s election.

“ESS has installed a ‘back door’ into such hardware and software that enables persons who are not under the supervision and control of defendant Husted, and who are not under the supervision and control of Ohio’s boards of elections, to access the recording and tabulation of votes,” the complaint states.

The software contract was awarded without public bidding or scrutiny, and without being signed off by the state technology review board as local law requires, the suit claims. There is also an “imminent risk” of outsiders hacking the election results, it states.

In his day job, complainant Fitrakis is a professor of political science at Columbus State Community College and editor of the Freepress.org left-leaning news outlet. He has lined up security experts to testify on his behalf, he says, and the Ohio court is now sitting to consider the issue in a last-minute session.

“An expert, who worked for 37 years for the National Security Agency just told that court that the uncertified and untested software has created vulnerabilities for the Ohio election system and could allow for both a backdoor to tamper the vote and allow for viruses to be inserted,” Fitrakis said.

He also claims that the voting machines in question have received untested patches on October 31 that haven’t been reviewed or certified as safe for use. A similar round of patching occurred just before the 2004 election, he said.

He has also released footage claiming to show problems with voting screens in a Pennsylvania election booth. Votes for Obama were automatically being reassigned to Romney, the video appears to show.

Legal representatives for the Secretary of State are contesting the suit, saying Fitrakis’ claims are “ridiculous,” Matt McClellan, a spokesman for Husted, told SF Gate. A “reporting tool” was installed into the code that is intended to ease the viewing of results, he said, but that would not affect their integrity.

“We did not touch, update, patch or do anything to the tabulation systems or the voting machines,” McClellan said. “There’s no vulnerability to the system whatsoever.”

In response to the lawsuit, ESS said it was “frivolous and without merit,” and that Fitrakis filed it “with the sole intent of undermining voter confidence.” It is confident that the court will find in its favor, it said.

Fitrakis does certainly have an axe to grind on the issue. Last month he claimed that Mitt Romney’s son Taggart Romney is a partial owner of Hart Intercivic, which provides election machines used in some of the Ohio districts. The investment house Solamere, set up by Tagg with $10m in seed capital from his parents, along with equity managers HIG Capital, bought control of Hart Intercivic in July last year, he claims.

According to Factcheck.org, HIG Capital does own Hart Intercivic, but there’s no proof that Tagg’s company Solamere has any stake in the voting machine manufacturer, although it does invest in some HIG projects.

“Tagg Romney does not own or control voting machines in Ohio,” Factcheck.org states. “There’s no evidence that he is even invested in them. There is a lot of money flowing from HIG executives to Romney’s political committees, but that’s not evidence of wrongdoing.”

Whatever the rights and wrongs of the Ohio case, there are serious problems with electronic voting and security. Around a third of the votes today are going to be cast electronically, especially if you were in the path of “Superstorm Sandy”, and the results of most elections will be tabulated on computer.

A case study presented at this year’s RSA conference showed how a team of students hacked the Washington DC election board software in a public trial held three weeks before it was to be used in an actual election. In a couple of hours they had spotted a vulnerability and used it to get the drunken Futurama bag o’ bolts Bender elected to the head of the Washington DC school board.

None of the voting systems used in US elections is secure, according to Dr. David Jefferson from Lawrence Livermore National Labs, and election hacking is very hard to detect, since the results are seldom examined afterwards for evidence of tampering.

“The states are in the habit of certifying voting systems, typically without testing them or seeing the source code,” he said. “In many cases the voting system uses proprietary code that government can’t legally check, and the running of the systems is outsourced to the vendors. This situation is getting worse.” ®

Bootnote

In a tradition American readers would probably consider quaint, we Britons don’t use electronic voting in national elections. There’s a very simple reason: pen and paper is more efficient.

To rig an election held in such an archaic manner is very difficult, indeed. For a start, you need a large number of people to fill in the ballot papers needed to turn an election result, and someone is bound to let slip. Secondly, you need to get access to the ballot boxes to swap out the votes, and security on them is very tight and in some cases very public.

Attempts to modernize the system have proven fraught with problems. The introduction of postal ballots has increased voting fraud, and moves to go electronic are being fiercely resisted on the grounds that it would make the situation even more unsafe. Yes, getting the results can be slow, but they can also be checked and verified.

Actually going to a polling booth once every few years isn’t a great deal of effort for people, and the resulting surety of a result gives citizens far greater confidence that the end result is fair and just.

Maybe the Americans need to take a look at how things are down in the old country, and learn a little.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/06/ohio_voting_machines_backdoor/

Epic FAIL: Anonymous didn’t hack PayPal, managed to frighten Oz hippies

The smoke has cleared from Anonymous’s Bonfire Night hacking spree with a denial from PayPal that it had been hacked. The payments-processing firm appeared to have been the highest-profile target of the hacking spree, but apparently this was an error caused by the tweeting and retweeting of an erroneous post by a cyber security blogger.

Hacktivists claimed to have uploaded 28,000 email addresses, names, and passwords of a certain firm, named in the blogpost as PayPal, after supposedly hacking into its systems. The claim was reiterated by various Anonymous-affiliated accounts, resonating in the Twitterspace. PayPal took the claims seriously and launched an investigation which concluded that the hack was not actually directed at it but rather at ZPanel, a web hosting software developer.

Hacktivists and the media latched onto a report by cyberwarnews.info that incorrectly named PayPal and not ZPanel as a victim, PayPal explained in a statement below.

It appears that the exploit was not directed at PayPal after all, it was directed at a company called ZPanel. The original story that started this and was re-tweeted by some of the Anonymous Twitter handles has now been updated.

ZPanel has yet to comment on the incident. Meanwhile Symantec and ImageShack, the two other significant targets of Monday’s shenanigans, are continuing to investigate hacks on their systems.

A hacking crew called Hack the Planet (HTP) claimed the alleged hack on ImageShack allowed it to extract system files and other information. Meanwhile, HTP also claimed the alleged Symantec breach resulted in a database dump of 3000+ user accounts. Both attacks may have featured the use of zero-day exploits, or so the hackers claim.

There is now some doubt as to whether HTP’s hacks were even related to the Anonymous OpNov5 attacks, as had been previously widely reported.

Meanwhile, supposed plans to take down Facebook and free Zynga games later on 5 November, which always seemed unlikely, never transpired. In fairness, elements of Anonymous distanced themselves from those supposed plans well before anything was supposed to take place.

What’s left of #OpNov5 (AKA #OpVendetta) in cyberspace amounts to site defacements against NBC.com sites and an Argentinian bank (cajapopular.gov.ar) as well as some distributed denial-of-service (DDoS) attacks on Turkish government sites. Oh, and a number of websites in Australia were also defaced, namely: Ascension Australia (a hippie festival in Melbourne), Semcorp (an Australian web development company) and the Quality Lifestyle Alliance, an NGO – not an Australian government outfit as elements of Anonymous falsely claimed.

A Lady Gaga fan site – Gaga Daily – was also hit by a defacement attack by “pyknic”, the same script-kiddies who sprayed digital graffiti on Saturday Night Live and other NBC websites.

The re-release of VMWare source code on Sunday by a hacker is another incident that might have nothing to do with #OpNov5 as such, even though leak torrents were promoted through social media using Anonymous and AntiSec hashtags.

Altogether it’s not much to boast about, and only the real-world demonstrations by hundreds of Anons outside the Houses of Parliament in London went off as planned.

Instead of the promised pyrotechnics, #OpNov5 only delivered damp squibs, false attribution, confusion and a few script-kiddies exploding unimpressive but loud bangers. Everybody involved, especially those who hyped up the non-event, should be thoroughly ashamed of themselves. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/06/anon_opnov5_update/

New trend: Trojan which steals your pics instead of your text

Miscreants have developed a strain of malware that steals image files from compromised systems.

The Pixsteal-A Trojan dispenses with the conventional tactic of only stealing text files, instead concentrating on uploading .jpg, .jpeg, and .dmp (memory dump) files from infected machines onto a remote FTP server.

The switch in tactics reflects the changing way that users store potentially sensitive information, an advisory by Trend Micro explains.

“Information theft routines have been mostly limited to information that is in text form, thus this malware poses a whole new different risk for users,” writes Raymart Paraiso, a threat response engineer at Trend Micro. “Users typically rely on photos for storing information, both personal and work-related, so the risk of information leakage is very high. Collected photos can be used for identity theft, blackmail, or can even be used in future targeted attacks.” ®
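Trend Micro’s advisory describes the behaviour (bulk upload of .jpg, .jpeg and .dmp files to a remote FTP server) but not how to spot it. The following is an added detection sketch, not Trend Micro’s code and not a signature for Pixsteal-A: it runs over a constructed, simplified FTP transfer log (the key=value line format, IP addresses and file names are all made up for the example) and flags any internal host that pushes an unusual number of image or memory-dump files out over FTP. The log format, field names and the threshold of five files are assumptions.

```python
"""Flag hosts that bulk-upload image and memory-dump files over FTP.

Added illustration only: the log format below is constructed for this
example and is not any vendor's real format. A practitioner would adapt
LINE_RE to their own proxy, firewall or FTP server (e.g. xferlog) layout.
"""
import re
from collections import defaultdict

# File types the article says the Trojan collects; compared case-insensitively.
SUSPECT_EXT = (".jpg", ".jpeg", ".dmp")
# Assumed: more than this many suspect uploads from one host is worth a look.
THRESHOLD = 5

# Assumed key=value transfer-log layout (constructed for the example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=ftp "
    r"cmd=(?P<cmd>\S+) file=(?P<file>\S+) bytes=(?P<bytes>\d+)$"
)

# Constructed sample log: 10.0.0.12 pushes six photos/dumps to one external
# FTP host; 10.0.0.5 uploads a single photo and downloads a zip (benign).
SAMPLE_LOG = """\
2012-11-06T10:15:02Z src=10.0.0.12 dst=203.0.113.7 proto=ftp cmd=STOR file=IMG_0431.jpg bytes=2048311
2012-11-06T10:15:03Z src=10.0.0.12 dst=203.0.113.7 proto=ftp cmd=STOR file=IMG_0432.jpg bytes=1993822
2012-11-06T10:15:04Z src=10.0.0.12 dst=203.0.113.7 proto=ftp cmd=STOR file=passport_scan.jpeg bytes=877120
2012-11-06T10:15:05Z src=10.0.0.12 dst=203.0.113.7 proto=ftp cmd=STOR file=IMG_0433.jpg bytes=2105003
2012-11-06T10:15:06Z src=10.0.0.12 dst=203.0.113.7 proto=ftp cmd=STOR file=memory.dmp bytes=52428800
2012-11-06T10:15:07Z src=10.0.0.12 dst=203.0.113.7 proto=ftp cmd=STOR file=IMG_0434.JPG bytes=1880000
2012-11-06T10:16:00Z src=10.0.0.5 dst=203.0.113.9 proto=ftp cmd=STOR file=holiday.jpg bytes=300000
2012-11-06T10:16:10Z src=10.0.0.5 dst=203.0.113.9 proto=ftp cmd=RETR file=driver.zip bytes=9000000
2012-11-06T10:17:00Z src=10.0.0.12 dst=203.0.113.7 proto=ftp cmd=STOR file=notes.txt bytes=1200
this line is not a transfer record and is skipped
"""


def is_suspect_upload(cmd: str, filename: str) -> bool:
    """True for an FTP STOR (upload) of one of the file types of interest."""
    return cmd.upper() == "STOR" and filename.lower().endswith(SUSPECT_EXT)


def find_bulk_image_uploads(lines, threshold: int = THRESHOLD) -> dict:
    """Return {src_ip: summary} for hosts with >= threshold suspect uploads.

    Each summary carries the upload count, total bytes, destination hosts
    and file names, which is what an analyst needs to triage the alert.
    """
    per_host = defaultdict(lambda: {"count": 0, "bytes": 0, "dst": set(), "files": []})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparsable or non-FTP line
        if not is_suspect_upload(m["cmd"], m["file"]):
            continue
        rec = per_host[m["src"]]
        rec["count"] += 1
        rec["bytes"] += int(m["bytes"])
        rec["dst"].add(m["dst"])
        rec["files"].append(m["file"])
    return {src: rec for src, rec in per_host.items() if rec["count"] >= threshold}


if __name__ == "__main__":
    for src, rec in find_bulk_image_uploads(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {rec['count']} image/dump uploads, {rec['bytes']} bytes "
              f"to {sorted(rec['dst'])}: {rec['files']}")
```

The heuristic deliberately keys on the transfer direction (STOR) and file type rather than on any hash or host name, so it survives the malware changing its drop server; the cost is that a user legitimately backing up a photo folder over FTP will also trip it, which is why the summary includes destination and file names for a human to judge.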

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/06/image_snaffling_malware/

Avira ‘fesses up: Our software isn’t compatible with Windows 8

Freebie anti-virus firm Avira has admitted its security software is not compatible with either Windows 8 or Windows Server 2012.

The German firm issued an advisory on Friday admitting its products would not be compatible with Windows 8 until the first quarter of 2013, after users complained that attempting to run Avira’s software on Microsoft’s latest operating system results in the infamous Blue Screen of Death, H-Security reports. Users have to manually uninstall the technology to get around the problem. Avira’s technology isn’t yet compatible with Windows Server 2012 either, as an advisory by the firm (below) explains.

Windows 8 introduces significant changes to the operating system platform. As with any new computer operating system, it is possible that some existing software is not compatible with it. Currently, the Avira products are not ready for Windows 8 and Windows Server 2012 (Built on Windows 8).

Avira is working closely with Microsoft to achieve compatibility for the products as soon as possible. Therefore, it can be said with certainty that the Avira products will be compatible with Windows 8 in the first quarter of 2013.

The delay puts Avira at a marked disadvantage to security firms which offer basic anti-virus software to consumers without cost, such as AVG and Avast, in the hope of persuading them to use more functional paid-for security products later. AVG, Avast and Avira all claim to have more than 100 million users of their desktop software.

Avira is the smallest of the three and its market share is likely to suffer unless it can sort out its Windows 8 compatibility problems sooner rather than later. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/06/avira_win8_snafu/

Mobiles susceptible to radio hacks

Podcast Deep inside your mobe is the “baseband chipset”, a slab of silicon that handles all radio communications.

Baseband systems have plenty of processing grunt and, according to renowned Jailbreaker Eric “Musclenerd” McDonald, are deeply integrated with the rest of a mobe’s hardware. That makes them a great place to run a virus, which could be uploaded through a hacked cell.

The good news is that this attack is largely theoretical for now: to pull it off you would need to follow your target around and aim a dedicated cell at their phone.

The bad news is that the baseband chipset is just the kind of thing you’d attack if you wanted to run the extensive surveillance needed to sustain a police state.

In this podcast, McDonald explains just how the baseband chipset could be exploited and how to do it for the Qualcomm chipsets used in the iPhone.

Eric Musclenerd McDonald on Risky.biz

You can also download the podcast here. ®

Patrick Gray’s Risky Business podcast brought Reg readers special coverage of the Ruxcon Breakpoint conference.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/06/baseband_chipset_mobile_attacks/

More VMware secret source splattered across internet

VMware has confirmed that the source code for old versions of its ESX technology was leaked by hackers over the weekend – but played down the significance of the spill.

The virtualisation giant said on Sunday that the exposed portions of its hypervisor date back to 2004, and the leak follows the disclosure of VMware source code in April.

“It is possible that more related files will be posted in the future,” Iain Mulholland, VMware’s director of platform security, explained. “We take customer security seriously and have engaged our VMware Security Response Center to thoroughly investigate.”

Mulholland said customers who apply the latest product updates and patches, in addition to following system hardening guidelines, ought to be protected against attacks developed in the wake of the code leak.

“By applying the combination of the most current product updates and the relevant security patches, we believe our customer environments will be best protected,” he said.

A 2MB compressed archive of the software blueprints was uploaded into file-sharing networks and promoted by various tweeters on Sunday. Some of these tweets, posted with the hashtags #Anonymous #AntiSec and #SourcySleazySundays, claimed that the leaked code was the “full VMware ESX Server Kernel”.

A person going by the name of Stun, who made the source code available, wrote: “It is the VMKernel from between 1998 and 2004, but as we all know, kernels don’t change that much in programs, they get extended or adapted but some core functionality still stays the same.”

The previous VMWare source code leak was accompanied by the publication of the company’s internal emails via Pastebin by someone called Hardcore Charlie. The Anonymous-affiliated hacker claimed the information came from China National Electronics Import and Export (CEIEC), an engineering and electronics outfit.

VMware said at the time that customers were not necessarily at greater risk as a result of the leak.

Hacktivists, to say nothing of state-sponsored cyber-espionage, have increased the threat of intellectual property theft for high-tech firms. The VMWare case is not unprecedented.

Earlier this year Symantec admitted source code for the 2006-era versions of the following products had been exposed: Norton Antivirus Corporate Edition; Norton Internet Security; Norton SystemWorks (Norton Utilities and Norton GoBack); and pcAnywhere. The security biz took the highly unusual step of advising customers of pcAnywhere to suspend use of the older versions of remote control desktop management software pending the release of a patch, which arrived within days of the warning.

An Indian hacktivist crew called the Lords of Dharmaraja claimed they lifted Symantec’s source code from systems belonging to the Indian government.

Leaked versions of source code for older versions of Kaspersky Lab’s security software appeared on file-sharing networks in January 2011. The Russian security firm blamed a rogue former employee for the leak. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/05/vmware_source_code_leak/

Facebook login-via-email-link option BLURTED user secrets

Facebook has been forced to kybosh a security-lite feature that offered an auto login shortcut to its users, after a privacy flaw was unsurprisingly uncovered.

The shortcut in question had allowed Facebookers to access the site simply by clicking on a web link sent to their email addresses.

But Hacker News uncovered late last week that the shortcut links had been made “publicly available” online. It further claimed that more than one million Facebook accounts had been affected, after the links had been posted and searched for on the web.

Facebook has since yanked the feature from its site after admitting that anyone accessing the links could then view the pages associated with the shortcut as well as the email addresses of those users whose details were exposed.

An engineer at the company responded on Friday about the shortcut. Matt Jones said:

We only send these URLs to the email address of the account owner for their ease of use and never make them publicly available. Even then we put protection in place to reduce the likelihood that anyone else could click through to the account.

For a search engine to come across these links, the content of the emails would need to have been posted online (e.g. via throwaway email sites, as someone pointed out – or people whose email addresses go to email lists with online archives).

He added:

[D]ue to some of these links being disclosed, we’ve turned the feature off until we can better ensure its security for users whose email contents are publicly visible. We are also securing the accounts of anyone who recently logged in through this flow.

As noted by security vendor Sophos, Facebook had embedded a cookie-like identifier into the links in question to help its users avoid having to re-enter their login credentials.

But it’s clear that such a function will always weaken an account holder’s security.

Sophos warned:

Hopefully this isn’t a news flash, but emails are not secure nor private if you haven’t encrypted them.

This is the same reason we don’t email people our credit card information and don’t send new passwords to people via email. It’s not secure.

Facebook has suspended the practice, albeit temporarily. Let’s hope they wise up and realise this cannot be done safely and leave it disabled permanently.

Most users stay logged into Facebook and don’t clear their cookies as it is, having a password bypass by magic link is simply unnecessary.

®
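Sophos’s point is that a login link sent by email will eventually turn up somewhere public, so the only safe design is one in which a harvested link is worthless. The code below is an added illustration, not Facebook’s implementation (the article only says the links carried a “cookie-like identifier”): it contrasts a reusable identifier embedded in a link with a login token that is random, stored only as a hash, bound to a short lifetime and consumed on first use, so that a copy found later in a public mail archive no longer opens the account. The `example.invalid` URL, the ten-minute lifetime and the class names are assumptions.

```python
"""Reusable login links versus single-use, short-lived ones (added example).

Not Facebook's code. Assumptions: tokens are 256-bit random values, the
server keeps only their SHA-256 hash, a link lives TTL_SECONDS, and the
first successful redemption invalidates it.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Optional

TTL_SECONDS = 600  # assumed lifetime of a link: ten minutes
LOGIN_BASE = "https://example.invalid/login?token="  # placeholder host


def _token_from_url(url: str) -> str:
    return url.split("token=", 1)[1]


class ReusableLinkService:
    """The weak pattern: a static identifier in the link that logs in forever.

    Anyone who later finds the link in a public archive gets the account.
    """

    def __init__(self):
        self._ids = {}

    def issue(self, user_id: str) -> str:
        ident = secrets.token_urlsafe(16)
        self._ids[ident] = user_id
        return LOGIN_BASE + ident

    def redeem(self, url: str) -> Optional[str]:
        return self._ids.get(_token_from_url(url))  # never expires, never consumed


@dataclass
class PendingLogin:
    user_id: str
    expires_at: float
    used: bool = False


class MagicLinkService:
    """The hardened pattern: hashed, expiring, single-use tokens."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # sha256(token) -> PendingLogin

    @staticmethod
    def _hash(token: str) -> bytes:
        # Store only a hash so a database read-out does not yield live links.
        return hashlib.sha256(token.encode()).digest()

    def issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of entropy
        self._pending[self._hash(token)] = PendingLogin(user_id, self._now() + TTL_SECONDS)
        return LOGIN_BASE + token

    def redeem(self, url: str) -> Optional[str]:
        """Return the user id on success, None for unknown, expired or replayed links."""
        rec = self._pending.get(self._hash(_token_from_url(url)))
        if rec is None or rec.used or self._now() > rec.expires_at:
            return None
        rec.used = True  # first use burns the link; a leaked copy is now inert
        return rec.user_id


if __name__ == "__main__":
    svc = MagicLinkService()
    link = svc.issue("alice")
    print("first click :", svc.redeem(link))   # alice
    print("replayed    :", svc.redeem(link))   # None
```

Even the hardened version only limits the damage window; it does not make email a safe channel, which is why the article's editorial line (leave the feature off) still stands. A deployment would additionally tie redemption to a fresh browser session and log each use so the “securing the accounts of anyone who recently logged in through this flow” step has something to work from.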

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/05/facebook_auto_login_feature_exposes_security_flaw/

Guy Fawkes Night hack of Lady Gaga, NBC points to Anonymous

American news channel NBC was prank-hacked last night with a Guy Fawkes image, and the traditional children’s rhyme:

“Remember, remember the fifth of November, gunpowder, treason and plot / I know of no reason why the gunpowder treason should ever be forgot” repeated four times and followed by the phrases:

GREETZ TO ODAY, BRUT4L S4VAGE

FUCK THE FEDS, 419 IS JUST A GAME~~

USER INFO – EXPOSED

PASSWORDS – DUMPED

“419 is just a game” is believed to be a reference to Nigerian spammer hacking. Screengrabs of the hacked site also show that the hacker claimed to be called “pyknic”. Apparently the site played music and displayed an image of the stars while running the above text. Because of the use of the Guy Fawkes image, it has been linked to the hacker group Anonymous.

Today is Guy Fawkes day, though it’s not celebrated in America. References to Guy Fawkes and the 1605 Gunpowder plot, which aimed to restore a Catholic monarchy to England, tend to refer to the hacker collective Anonymous.

A Lady Gaga fan site – Gaga Daily – was hit by a similar attack claiming to be from “pyknic” as well.

We’ve emailed NBC and Gaga Daily to ask for comment and to confirm whether charges about leaked password information on NBC are accurate or not. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/05/nbc_lady_gaga_guy_fawkes_hack/

Bonfire Night sets internet AFLAME: Anons claim PayPal, Symantec

Anonymous claims to have leaked 28,000 passwords from PayPal as part of a global day of protest to mark 5 November, Guy Fawkes night.

Hacktivists uploaded thousands of email addresses, names, and passwords – supposedly snaffled from the payment processing firm’s systems, TheNextWeb reports. A PayPal representative said it has yet to find any evidence of a security breach, but is nonetheless investigating the claim.

‪#OpNov5‬ also featured purported hacks against a server at ImageShack and a Symantec portal, thehackernews.com reports. The Symantec hack allegedly resulted in the leak of email addresses and other personal data from hundreds of security researchers. Hackers claimed to have exploited a zero-day bug in the ZPanel portal software used by Symantec to pull off the hack.

A Symantec spokeswoman said that the security firm was investigating: “Our first priority is to make sure that any customer information remains protected. We are investigating these claims and have no further information to provide at this time.”

The ImageShack hack, which used a different zero-day exploit, allowed hackers to extract system files and other information, they claimed.

Other claimed defacements and attacks around the world are being logged by the AnonymousPress Twitter account.

The Register reported earlier today that several NBC websites including its mobile site were defaced with the message “Remember, remember the fifth of November” (extracts from a nursery rhyme about Guy Fawkes and the Gunpowder plot to blow up the UK Parliament in 1605).

However, other elements of Anonymous have distanced themselves from the NBC “prank” attack as well as from supposed plans to take down Facebook and free Zynga games later today, which always seemed unlikely. As Sophos notes, self-identifying elements of Anonymous made threats to attack Facebook last year on 5 November without anything ultimately occurring.

The overall picture is somewhat confusing and, aside from the PayPal hack and perhaps the Symantec breach, arguably insignificant. Both PayPal (after it denied payment services to WikiLeaks) and Symantec (massive security firm, which, according to Anons, sells “ineffective bloatware”) are, of course, favourite enemies of Anonymous.

Alongside its mischief in cyberspace, the rag-tag hacktivist collective is hoping to remake scenes from V for Vendetta in a real world protest outside the White House in Washington and the UK Parliament later today. It is unclear at the time of writing whether or not this scheme is gathering momentum. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/05/anon_nov5_protests/

China fingered for Coca Cola hack

Suspected Chinese hackers launched damaging cyber raids on several big name multi-nationals over the past few years, including Coca Cola, according to new reports.

Fizzy drink giant Coca Cola, British energy company BG Group, Luxembourg-based steel maker ArcelorMittal and Chesapeake Energy were all named by Bloomberg as having been breached but deciding not to reveal the news at the time.

Coca Cola’s computer systems were infiltrated thanks to an email sent to Paul Etchells, then deputy president of Coca-Cola’s Pacific Group.

Appearing to come from the CEO, it actually contained a malicious link which, when Etchells clicked it, began downloading malware including a keylogger, the report said.

Hackers spent around a month rooting around inside Coca Cola’s systems, said Bloomberg, citing an internal company document detailing the cyber intrusion. The document is said to name state-sponsored attackers as the culprits.

The attack was launched in 2009 with the aim of exfiltrating files relating to Coca Cola’s ultimately unsuccessful $US2.4bn acquisition of China Huiyuan Juice Group. China’s Ministry of Commerce eventually rejected the deal after raising competition concerns.

Although the report claimed state-sponsored actors were involved, experts interviewed by the news wire said the attack had all the hallmarks of Comment – a prolific Chinese hacking group.

Comment was also fingered for a 2011 attack on US gas giant Chesapeake Energy, by hacking the computers of its partner Jeffries Group. Chesapeake was apparently in dialogue at the time with a Chinese energy company about joint shale gas investments.

Comment was also accused of hacking ArcelorMittal, searching for a file named “China” on a senior exec’s computer and pinching a whole load of PowerPoint slides.

BG Group was hacked in 2011 in a breach said to have been massive – including geological maps and drilling records – but like all the others, unreported at the time.

The incidents, if they took place, highlight the risks to multinational firms with business interests in China. Experts increasingly warn about such risks, with IP theft said to be prevalent.

Google took the rare step of going public after it uncovered the China-based Operation Aurora attacks on it and other firms in 2010. Since then, covert APT-style targeted attacks believed to originate in China have often hit the headlines. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/11/05/coca_cola_breach_china_hackers/