Dubbed “voter identity theft” by study authors Latanya Sweeney, Professor of Government and Technology in Residence, research analyst Ji Su Yoo and graduate student Jinyan Zang, the vulnerability could be exploited by attackers to attempt to disenfranchise many voters where voter registration information can be changed online. Armed with personal information obtained through legitimate or illegitimate sources, hackers could know enough to impersonate voters and change key information using online voter registration systems.

One tactic, researchers said, would be to simply change voters’ addresses, making it appear — to poll workers at least — as though they were voting at the wrong location. Those voters might be forced to cast provisional ballots, which in many circumstances are not counted. The study is described in a September 6 paper published in the Journal of Technology Science.

Though the researchers don’t report evidence of attackers exploiting the vulnerability, Sweeney, Yoo and Zang said the fear is that it might be used to either undermine confidence in elections or even to swing the result in favor of a particular candidate.

https://www.sciencedaily.com/releases/2017/09/170906103803.htm

Hey Guys,

Below is step by step instructions for installing Nessus on Kali

https://www.tenable.com/blog/getting-started-with-nessus-on-kali-linux

Peter J. Henning for the New York Times reported the Government Accountability Office had found IS deficiencies at the SEC that “limited the effectiveness of the S.E.C’s controls for protecting confidentiality, integrity and availability.”  They also found poor encryption practices on certain data.

The hack was on a SEC system used by companies who are about to go public.  The system is used as a practice system, where they enter in company information, just as they would when they become a publicly traded company.

The hack could have exposed insider information on companies who used the system to practice, and entered in real data vs. test data.  Meaning, actual results, financial statements, and other data reported to the SEC by publicly traded companies.

This could have led to insider trading, by giving the hackers knowledge of non-public information and making trades based on that information.

The questionable thing is that the hack occurred last year…  NIST and FISMA require reporting of a breach within 120 days of knowing.  Now, these documents also include guidance to determine if a breach notification is required based on the likelihood of harm and could be argued why the SEC didn’t report last year, but…  This type of incident handling now gives companies like Equifax a road map on how “Not” to report a security breach.

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

Dubai has started to test fly two-seater drones that are designed to transport people autonomously. The flights are currently unmanned however the city wants this vehicle to be the world’s first self flying taxi service and has named the drone the Autonomous Air Taxi (AAT). The AAT is powered by electricity and currently has a maximum flight time of 30 minutes and a maximum airspeed of 62mph. The inital test flight had the drone hovering 200 meters high. The drone consists of 18 rotors, optional emergency parachtes, and nine independant battery systems with each battery taking two hours to charge. Dubai plans to significantly reduce the charging time of the drone and to also offer a smartphone app that allows users to book flights and track routes. Dubai has set a target for autonomous transport to account for a quarter of total trips by 2030.

 

https://www.theverge.com/2017/9/26/16365614/dubai-testing-uncrewed-two-person-flying-taxis-volocopter

http://www.reuters.com/article/us-deloitte-cyber/deloitte-hacked-says-very-few-clients-affected-idUSKCN1C01PB

Deloitte hacked, says ‘very few’ clients affected

Deloitte was hacked as early as last year, according to sources quoted by Reuters.  The consulting company – a “big 4” – serves 80% of the Fortune 500, including consulting services for cyber security. The attack was targeted at email servers at Deloitte. It is unknown right now what kind of information they got, but based on my experience working in consulting, it is likely that these emails include high level communications between Deloitte and its clients. Very embarrassing to say the least, and has some big ramifications beyond Deloitte’s bottom line. Sensitive financial data could have been compromised, as well as strategy discussion that could be used in any number of ways – and possibly information regarding enterprise security. Deloitte hired lawyers in the spring of this year and had been very tight lipped about the breach.

 

Similar to the Viacom leaked that happened earlier this week, Kromtech Security Center discovered a misconfigured Amazon Web Server (AWS) S3 cloud storage that was left accessible to the public. The AWS contained a cached that belonged to SVR, Stolen Vehicle Records. The SVR Tracking service provided its costumers a way to “track their vehicles in real time by attaching a physical tracking device to vehicles in a discreet location.” The leaked cache contained around 540,000 SVR accounts that included email addresses, passwords, and vehicle data.

The leaked data also contained information exact information of which the physical tracking unit was located.

“Since the leaked passwords were stored using SHA-1, a 20-years-old weak cryptographic hash function that was designed by the US National Security Agency (NSA), which can be cracked with ease.”

Due to the monitoring of the SVR’s car tracking device, anyone that had access to SVR users’ login credentials would be able to track a vehicle as well as create a detailed log of locations that the vehicle has visited. With the given habits of people, the attacked could’ve stole the vehicle or intrude on someone’s home when they were away.

Since Kromtech has alerted the company, the AWS S3 cloud storage bucket has been secured.

Article: http://thehackernews.com/2017/09/hacker-track-car.html

https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/routex-malware-found-exploiting-remote-access-vulnerability-in-netgear-routers

Recently, a vulnerability was discovered in the remote command and execution function of Netgear routers. Malware known as RouteX has been found to be exploiting these devices to turn them into a socket secure or SOCKS proxy server which allows the attacker to anonymously launch attacks on intended targets.

RouteX is different from similar past examples of this kind of attack in that once it has compromised the device, it sets firewall rules and access restrictions to prevent other attacks from exploiting the same vulnerability and gaining control. This is indicative of the growing risks posed by unsecured machines such as routers and IoT devices.

https://www.darkreading.com/partner-perspectives/f5/where-do-security-vulnerabilities-come-from/a/d-id/1329951?

I thought this article was timely, considering we are reviewing a company’s footprint. The author states security vulnerabilities come from three places, code quality, complexity and overly trusting data inputs.

I found it fascinating that “the current version of the Firefox browser, which contains 16 million lines of code written by 5,094 developers over ten years” and cannot imagine the complexity.

The author suggests reducing your exposure to only what you need, limit what you expose to the internet, perform risk assessments and test often.

http://www.technewsworld.com/story/84747.html

Consumers Gain More Power to Seek Data Breach Damages

This article talks about the following: The federal apples court decision handed down earlier this month, significantly expand the circumstances under which consumers may pursue class actions against companies, CareFirst which had an cyberattack was found not liable for the damage caused to the consumers but the ruling was later overruled by the U.S court of Appeals, with the new ruling companies face massive settlements, and finally companies must up their cybersecurity game or if not they will face litigation which can be very costly.

It will be interesting to see how things unfold in the future. Will companies up their security to prevent from data beaches or take the risk of getting sued? If they decide to up their security, how is that going to affect the daily operation? Also, will we see more pressure from the government where they up the regulation?