Doug White and Jason Wood discuss improvements to IoT, fooling millions of Android users, Google Play bug bounties, school boards being hacked by pro-ISIS groups, and more on this episode of Hack Naked News!
Despite the benefits, new devices will lead to new security risks. And the presence of malicious code on the IoT is now very much a reality.
IoT spending is set to reach 1.7 trillion by 2021. That level of investment puts security firmly at the forefront of critical business priorities.
- Code signing
School board websites restored after hack by pro-ISIS group
- Team System DZ
- These sorts of hacks just continually point out the need for public side controls in place for resources
FERC Proposes Updates To Critical Infrastructure Protection Standards For Cybersecurity
- Federal Energy Regulatory Commission (FERC)
- North America Electric Reliability Corporation (NERC)
- Critical Infrastructure Protection (CIP)
- NERC standards
- CIP-003 — bulk electric systems assets
- CIP-002-9 are the standards of the framework
- Requires Cyber Security Policy
- Requires SEC leadership at the senior manager level
- Requires Information Protection standards (identify, classify, and protect)
- Requires Access Control
- Talk about SOX and critical infrastructure
Fake WhatsApp app fooled million Android users on Google Play: Did you fall for it?
- uses Unicode (like Punycode attacks) to fake the link
- very difficult to detect these attacks since the Unicode doesn’t display
- (bad) https://play.google.com/store/apps/developer?id=WhatsApp+Inc.%C2%A0
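The trailing `%C2%A0` in the URL above is a UTF-8 encoded no-break space (U+00A0), which renders as nothing after "WhatsApp Inc." The following is an added example, not part of the original show notes, of how a reviewer could flag such names; the `TRUSTED` allowlist and all function names are assumptions made for illustration.

```python
import unicodedata
from urllib.parse import urlsplit, parse_qs

# Assumption: a defender-maintained allowlist of publisher names to protect.
TRUSTED = {"WhatsApp Inc."}

# The developer URL quoted in the notes above.
BAD_URL = "https://play.google.com/store/apps/developer?id=WhatsApp+Inc.%C2%A0"

def developer_id(url):
    """Return the percent-decoded developer id from a developer-page URL."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)["id"][0]

def suspicious_chars(name):
    """List (index, code point, Unicode name) of characters that display as blank or nothing."""
    hits = []
    for i, ch in enumerate(name):
        cat = unicodedata.category(ch)
        # Zs: space separators other than U+0020; Cf: invisible format chars; Cc: controls
        if (cat == "Zs" and ch != " ") or cat in ("Cf", "Cc"):
            hits.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNNAMED")))
    return hits

def skeleton(name):
    """Comparison form: NFKC fold, drop invisible chars, collapse whitespace, casefold."""
    folded = unicodedata.normalize("NFKC", name)
    folded = "".join(c for c in folded if unicodedata.category(c) not in ("Cf", "Cc"))
    return " ".join(folded.split()).casefold()

def classify(name):
    """'trusted' on exact match, 'impersonation' if only the skeleton matches, else 'unrelated'."""
    if name in TRUSTED:
        return "trusted"
    if skeleton(name) in {skeleton(t) for t in TRUSTED}:
        return "impersonation"
    return "unrelated"

if __name__ == "__main__":
    name = developer_id(BAD_URL)
    print(repr(name), suspicious_chars(name), classify(name))
```

This covers invisible and compatibility characters only; look-alike letters from other scripts need a confusables table in addition to NFKC.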
Google Play bug bounty aims to restore trust after malware incidents
- Persistent threat of malware in Google Play Store apps.
- more code signing
- Team up with HackerOne
- Looking for Remote Code Execution for Android devices
Expert Commentary: Members of Congress want you to hack the US election voting system
Bug bounties are catching on at the federal government and now some US Senators want to get into the act. Senators Martin Heinrich (D-NM) and Susan Collins (R-Maine) released a draft of the Save America’s Voting Equipment Act of 2017 on October 31, 2017. This bill has three stated goals as it is currently drafted:
- Information sharing with state election officials
- Preserving the security and independence of state voting systems
- Establish a “Cooperative Hack the Election” program
In the first Title (or section), the bill lays out requirements for the Secretary for Homeland Security to sponsor state election officials for security clearances so that DHS can send them classified information. The second Title appears to be an attempt to give the federal government more influence over state elections, while attempting to maintain the independence of states on election matters. It requires that the Sec of HS will declare voting systems critical infrastructure and provides provisions for states to opt into the programs described in the bill. It also establishes a requirement for grant money to upgrade voting systems and requires that participating states implement their voting systems according to “recommended best practices” as detailed in section 202 of the bill.
Title 3 is where the bug bounty is described. If enacted, the DHS will hold an annual competition “for hacking into State voting and voter registration systems”. Competitors will receive some kind of prize or award (TBD) for the “most significant” vulnerabilities discovered and will share the vulnerability data with the impacted vendors. Under Title 2 of the bill, the federal government will provide grant money to States to upgrade their systems in response to the findings from the competition. Finally, Title 4 lays out an audit program to make sure the funds granted to States are being used appropriately.
The concept of the proposed law sounds interesting, particularly having a bug bounty program built strictly for voting equipment. DEFCON already had a village for attacking voting systems and this takes that a step further by creating an official competition with awards for participants. One of the points that interests me is that voting equipment varies quite a bit from state to state, but there is overlap in the systems used. So if two states use the same equipment and one state opts in to the program but the other doesn’t, the second state is still impacted by the results. But because they didn’t opt in to the program, they aren’t eligible for grant money (through this bill) to fix them. Non-participation appears to have a bit of a stick behind it.
If the bill comes up for debate, then I’d expect to see States argue that the law infringes on their sovereignty to conduct elections with the voting systems vendor providing their support. The bill will provide more influence over States’ voting and voter registration systems by leveraging the power of grant money and establishing a contest to discover flaws in voting systems. Still, I don’t think there are many folks in security that would argue that voting systems are secure, so I like the idea of creating a bug bounty for these systems. If the bill actually makes it to the Senate floor, watch for fireworks over State sovereignty and claims that the bug bounty will make things less secure from the states and vendors.