Election hacking FAQs

From Hillary’s vulnerable email server to the string of Russia-linked email dumps, digital security has been one of the major forces driving the news. So far, all the hacks have been about information — in their way, not so different from October Surprises and smear campaigns of previous elections — but they raise an even more troubling question. With allegedly state-sponsored hackers already playing an active role in the campaign, could the integrity of voting itself be at stake?

Voting machines

Voting machines are terrible in basically every way. They’re expensive, old, prone to failure, and unpleasant to look at, but they’re also not that hard to break into. Computer scientists have been demonstrating that for at least 10 years, generally by physically cracking open the machines and installing election-rigging software. Election boards have been slow to respond, and the demonstrations have just gotten better as the years go by.

Voter data

This year has already seen attacks against voter registration systems in Arizona and Illinois, with the latter attack bringing down the system for 10 days and stealing data on as many as 200,000 voters. If an attacker went farther, actively erasing certain voters from the rolls, it could easily cause havoc on election day.

The good news is that, like the voting machines, rolls are distributed. Hackers might compromise the election board’s version of the voter registration list, but there would be plenty of other evidence that each voter was registered, including previously distributed voter rolls and actual registration forms.


LinkedIn can now help you determine the salary you deserve

LinkedIn recently introduced a new tool called LinkedIn Salary that aims to help users learn more about the salaries in their industry and how making changes to their current career impacts how much they make.

When you enter a job title and a city, the tool returns the median earnings of individuals with that job title in the city you selected. Besides base salary, it also takes into account other forms of compensation, like bonuses and stock options.

LinkedIn, which is increasingly focusing on a data-driven approach to its services, will also let you dig into the salary data so you can get a better idea of how different factors impact salaries in a given field. For example, it will show how salaries for a given role vary by company, as well as how company size and education level impact earnings.

LinkedIn is not the first company to try to bring more transparency to salary information — Glassdoor has a similar product for helping people determine whether they are being paid fairly — but the company says it is more focused on helping its users maximize their potential rather than assessing fairness or whether a particular salary is competitive.

Instead, the goal of all of this, LinkedIn says, is to “help professionals around the world make better career decisions and optimize their earning potential now.” And the company says we can expect to see it integrate salary information into more parts of its network in the future (LinkedIn Premium users will also see salary details in the site’s job search results). LinkedIn Salary is available to all the site’s users, though those who don’t subscribe to a paid tier will need to first enter their own salary before they can access all of the information.


Google rebuked for disclosure of Windows Bug

Google on Monday posted to the Internet a previously unpublicized flaw that could pose a security threat to users of the Microsoft Windows operating system.

Google notified both Microsoft and Adobe of zero day vulnerabilities in their software on Oct. 21, wrote Neel Mehta and Billy Leonard, members of Google’s Threat Analysis Group, in an online post.

Google has a policy of making critical vulnerabilities public seven days after it informs a software maker about them. Adobe was able to fix its vulnerability within seven days; Microsoft was not.

“This vulnerability is particularly serious because we know it is being actively exploited,” wrote Mehta and Leonard.

However, Google’s Chrome browser prevents exploitation of the vulnerability when running in Windows 10, they added.

“We disagree with Google’s characterization of a local elevation of privilege as ‘critical’ and ‘particularly serious,’ since the attack scenario they describe is fully mitigated by the deployment of the Adobe Flash update released last week,” Microsoft said.

After cracking a system, hackers typically try to elevate their privileges in it to obtain access to increasingly sensitive data.

“Additionally, our analysis indicates that this specific attack was never effective against the Windows 10 Anniversary Update due to security enhancements previously implemented,” Microsoft noted.

The Windows vulnerability Google’s team discovered is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape triggered by a win32k.sys call, according to Mehta and Leonard.

The sandbox in Google’s Chrome browser blocks win32k.sys calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of the sandbox escape vulnerability, they explained in their post.

Google’s decision to release details of the vulnerability before Microsoft had a chance to get out a fix has surfaced a long-standing debate over responsible disclosure. Many security researchers have long held that vendors should be given a reasonable shot at fixing reported flaws in their products before details of the vulnerability are publicly disclosed.

Others, especially bug hunters, have said the only way to get some vendors to address security issues quickly is to give them a tight deadline for fixing the issues and to threaten them with public disclosure if they don’t.

The latest incident shows why some sort of regulatory requirement is needed to guide disclosure practices, said Udi Yavo, chief technology officer and co-founder at security vendor enSilo.

“The Google-Microsoft disclosure dispute is yet another example of why the 90-day window for vulnerability disclosure that has been industry practice for some time should be an actual regulatory requirement,” he said in an emailed statement.

The legislation should spell out the grace time that is available for vendors that are not able to meet the 90-day window and the consequences for violating these rules.


Yahoo Hack: Whodunnit

A week has passed since Yahoo was subjected to the worst data breach in history. Yet details about who nabbed info on 500 million email accounts remain sketchy.

At least one firm says it wasn’t a “state-sponsored actor” as Yahoo claimed, but like many things related to hacks, cybersecurity and the dark web, even that claim is impossible to verify.

“The group responsible for the Yahoo hack are cybercriminals,” said Andrew Komarov, chief intelligence officer at InfoArmor. The company posted a report on Wednesday detailing the involvement of “Group E,” a hacking syndicate that InfoArmor says it has been monitoring in dark corners of the internet for some time.

The FBI is currently investigating the data breach but hasn’t put forward a theory publicly about who is behind it.

“We take these types of breaches very seriously and will determine how this occurred and who is responsible,” the FBI said in a statement.

Komarov said InfoArmor was able to obtain “a pretty large sample of the database” of stolen email addresses, encrypted passwords and other personal information. With the permission of people whose information was caught up in the hack, the company checked the database and found it corresponded with real Yahoo accounts from 2014.

Details of the breach were confirmed within weeks of the Democratic National Committee’s emails being hacked, exposing the Democrats’ attempt to smear former presidential candidate Bernie Sanders.

Other large-scale company security breaches include Dropbox, which announced earlier this month that 68m users’ accounts were compromised in 2012, representing two thirds of its customer base. Some 167m LinkedIn users’ account details were leaked the same year.

Sony Pictures Entertainment also suffered an attack with around 47,000 social security numbers of current and former employees leaked online, including those of actors and freelancers.

This year, around 37m users of Ashley Madison, a site to facilitate extramarital affairs, were hacked. More than 400m MySpace accounts were compromised in July, the second largest breach in history.


Windows 10 now active on 400 million devices

There have been more than enough questions raised about how many device upgrades the company has actually logged in the last phase of its rollout. In July, the company declared 350 million people had upgraded to or were using Windows 10. Now, after the conclusion of its Get Windows 10 campaign, Microsoft declared it has more than 400 million customers using the OS.

Microsoft is expected to get another substantial bump to total Windows 10 usage figures once it rolls that OS out on Xbox One on November 12. Total uptake has been significantly faster than Windows 7, which took an additional seven months to hit the 400 million mark, according to data.

The free Windows 10 upgrade has been blamed for some of the continued softness in the PC market. The OS even remains available for free if you know where to look - but it’s too early to tell if ending the giveaway will spark any kind of uptick in PC sales. Given the trends of the last five years, there’s not much chance the consumer space has bottomed out yet. Increased sales of boutique gaming systems and 2-in-1s have not been sufficient to offset the general decline in shipments.

Despite Microsoft’s assurances about Windows 10, not everyone is happy with the new operating system, which Microsoft recently began updating with the rollout of the Windows 10 Anniversary Update. Ongoing complaints have emerged regarding compatibility and reliability issues, which is likely to explain why Microsoft is phasing in the anniversary update over a period of three months so it can continue testing throughout the process.

The latest build also addressed a problem that caused some Windows 10 apps, including the calculator, alarms and clock, not to work after updates to a new build, Sarkar said. She added that Microsoft is continuing to investigate some other issues that arose with a recent developer version of Windows 10 for Mobile. She said that a new build will be delayed until those problems, which affected the pin pad display and SIM card usage, are resolved.


An unknown state may be running drills for taking down the entire internet

It seems as though there is a single body out there carrying out a systematic attempt to test the defenses of the internet’s fundamental infrastructure, presumably with the intention of one day breaking those defenses.

While the sources for the article are anonymous, they hardly need naming since Schneier makes it clear that his research has collected insight from virtually all major internet companies, from large service providers like AT&T all the way to organizing bodies like Verisign or potentially even ICANN itself. Somebody is searching for weaknesses in the sorts of places that many assume you’d only attack for one reason: crashing all or a large portion of the internet.

The basic narrative is this: Schneier has been hearing sustained, widespread reports from fundamentally important internet companies that they are experiencing a marked uptick in certain kinds of attacks, in particular Distributed Denial of Service (DDoS) attacks. These have been not only getting stronger, longer lasting, and more diverse, but they’ve been moving in seemingly systematic, investigatory ways. Schneier describes a scenario in which attackers sent predictable probing attacks against successively higher levels of security until they had tested everything, apparently being exhaustive in their search for failure points.

One important aspect of these attacks is their power and frequency, implying enormous resources at the disposal of the attacker and strongly indicating a nation-state as the culprit. Schneier name-drops both China and Russia as the most likely culprits (China most of all), but he can’t say for sure. Beyond the sheer volume of the attacks, however, there is their variety, which forces defenders to roll out their full complement of defenses. This could be interpreted as an attempt to get defenders to “bare all,” and make their full defensive capabilities known. Corero director Sean Newman said the attacks his company has seen are short and “sub-saturating,” likely meant to slowly approach and find the target’s exact maximum traffic capacity.


New Ethernet standards will offer up to 5Gbps performance using cables already owned

Consumer Ethernet performance has been stuck at gigabit speeds for nearly 20 years. Apple was the first company to ship gigabit Ethernet in motherboards. Intel’s 875P chipset popularized the feature in the PC market by connecting the Ethernet controller to the northbridge, thereby offering improved performance. Thirteen years later, gigabit is still the standard for wired Ethernet – but that might be about to change, thanks to a new wired networking standard from the IEEE 802.3bz task force.

There are multiple reasons why we’ve been stuck on gigabit for as long as we have. 10GbE requires more expensive cabling – either fiber optic cable in some cases, or more expensive Cat6a or Cat7 cabling for others. It’s not as backwards-compatible with previous standards (half-duplex operation isn’t supported), and routers, switches, and network cards that can support 10GbE are all far more expensive than their gigabit counterparts.

The two new IEEE standards, known as 2.5GBASE-T and 5GBASE-T, should satisfy that need. These two standards were specifically created to use 10GbE signaling, but at a rate that would be compatible with existing runs of Cat5e and Cat6 cable out to 100 meters. The 2.5Gbps standard can run on Cat5e out to 100 meters, while the 5Gbps standard requires Cat6 cable to run 100 meters. Both should be far easier – and cheaper – to bring to market than current 10GbE technologies.


All you need to know about the iPhone 7

The iPhone can be pre-ordered on September 9 and will officially be released on September 16, 2016.

With months of speculation about the new iPhone 7, Apple has announced the release date with an event that will be held on September 7, 2016.

Apple presents two models – the iPhone 7 Plus and the 4.7-inch model. There are no reports of a radical design change, and the phone will look similar to the previous model.

The price range is likely to replicate the iPhone 6, with the Plus model being more expensive. The iPhone 7 will have a bigger camera, and the Plus model will have the dual camera, which is considered the future of smartphones. It will produce much better low light images and optical zoom, which won’t become blurred like the previous models. The dual-camera technology will be the closest thing to a DSLR (Digital single-lens reflex camera).

The headphone jack is going away, and this is considered the most radical reported change to the iPhone 7. Rather than the traditional headphones, you will likely have to use the iPhone’s Lightning charging port. Apple co-founder Steve Wozniak has urged Apple not to get rid of the iPhone’s 3.5mm headphone jack in favour of a proprietary one on the iPhone 7.

“If it’s missing the 3.5mm earphone jack, that’s going to tick off a lot of people,” Wozniak told the Australian Financial Review. Wozniak said removing the standard 3.5mm port would mean those who have spent lots of money on headphones may even be deterred from buying the iPhone 7 if it means they have to shell out again for new ones that will be supported by the iPhone 7, or add on an adaptor.

As with other iPhones, the smartphone will likely come with the new Lightning port earbuds or maybe headphones, but it is unlikely. There are also reports about Apple manufacturing wireless earbuds, which may accompany the iPhone 7.

Future iPhones could be waterproof. A report has unearthed a patent to take better pictures underwater. According to Patently Apple, Apple has been granted around 80 patents, one of which relates to underwater photography editing tools. The patent describes a system for colour-balancing images taken underwater that improves those pictures. It would remove unwanted tints without changing the colour of the water itself.


Google Duo crosses 5 million downloads

“Google Duo now over 5M Android downloads in a week,” Google CEO Sundar Pichai said. Google Duo, a video-calling app for one-on-one interactions, was made available globally on August 18. The app works on Android and iOS. Users need only their mobile number to sign into Duo.

The highlight of Google Duo is its network efficiency. Google’s Product Manager says “our app is reliable across networks, and works across platforms. So if your network is not that good, it will adjust the video definition accordingly, and Duo is smart enough to adapt to these conditions.” In our review, we said our download and upload speeds will make a difference to how well a video call goes on Duo.

Google wanted to create “as simple an experience as possible” with a “solution that is almost as simple as voice calling,” says Amit Fulay, Group Project Manager at Google.

The app can be installed in under a minute. Just type in your phone number, receive a confirmation text, and you’re done. Duo instantly syncs with your existing contact list, so there will be no need to repopulate your phone book manually. Calling is simple too, requiring only two taps, one for “call” and one for the contact’s name. Duo has virtually no fancy features or bells and whistles. The only standout feature is called Knock-Knock, a sort of visual caller ID that shows you a streaming video of the caller before you pick up. Knock-Knock seems like a great way to gauge the caller’s environment or mood before diving into the video chat.

Besides its simplicity, Duo also gets nods for working with very small bandwidths, making it a great option for rural and other low-service areas, as well as for developing nations.


WhatsApp and Facebook’s plan to share contacts under fire

WhatsApp’s new terms-of-service are causing quite a stir among privacy advocates. The company recently announced it would begin sharing user phone numbers, profile data, status message and online status with Facebook, its parent company — a change that the Electronic Privacy Information Center (EPIC) claims violates a Federal Trade Commission consent order.

Specifically, the privacy group says it’s planning to file a complaint against the companies for violating statutes of the Federal Trade Commission Act that warn against “unfair or deceptive acts or practices.” Here, EPIC is accusing WhatsApp of lying to users when it promised its 2014 sale to Facebook wouldn’t affect its privacy policy — which pledged never to share or sell “personally identifiable information” like the phone number, name and profile data shared under the new policy.

“This announcement should be very concerning to WhatsApp users, who have been promised many times by both WhatsApp and Facebook that their privacy will be respected and protected,” said Claire T. Gartland, consumer protection counsel at the Electronic Privacy Information Center.

WhatsApp says it needs to share limited data with Facebook to test out new features designed to help users “communicate with business,” such as receiving fraud notifications from a bank or flight delays from airline companies.

The warnings over privacy concerns actually go back to 2014 when Facebook first acquired WhatsApp for approximately US$19.3 billion.

“Jessica Rich, director of the FTC’s Consumer Protection Bureau, sent a letter to the companies during Facebook’s acquisition of WhatsApp warning the companies that the privacy promises made to WhatsApp users must be respected,” recalled EPIC’s Gartland.

“WhatsApp’s blog describes two different means of opting out of the proposed new sharing,” she noted, “and neither of these options appear consistent with Rich’s letter, which requires Facebook to get users’ affirmative consent before changing the way they use data collected via WhatsApp.”

Moreover, it does not appear as if WhatsApp even plans to secure what could be considered “meaningful, informed opt-in consent from its users to begin sharing this information with Facebook,” Gartland suggested.

Users also have up to 30 days to opt-out of the sharing portion of the new terms-of-service, but according to EPIC, that doesn’t protect the companies from the FTC’s consent order. The order apparently requires the company to obtain an opt-in consent before asking them to agree to the new terms. WhatsApp does technically offer an opt-in option, but it’s not clear how to access it: one must click “read” to view the terms-of-service agreement before the opt-in checkbox appears.
