...a new $10 million contract the Defense Department's Defense Advanced Research Projects Agency (DARPA) has launched to design and build a secure voting system that it hopes will be impervious to hacking.
The first-of-its-kind system will be designed by an Oregon-based firm called Galois, a longtime government contractor with experience in designing secure and verifiable systems. The system will use fully open source voting software, instead of the closed, proprietary software currently used in the vast majority of voting machines, which no one outside of voting machine testing labs can examine. More importantly, it will be built on secure open source hardware, made from special secure designs and techniques developed over the last year as part of a special program at DARPA. The voting system will also be designed to create fully verifiable and transparent results so that voters don't have to blindly trust that the machines and election officials delivered correct results.
But DARPA and Galois won't be asking people to blindly trust that their voting systems are secure -- as voting machine vendors currently do. Instead they'll be publishing source code for the software online and bring prototypes of the systems to the Def Con Voting Village this summer and next, so that hackers and researchers will be able to freely examine the systems themselves and conduct penetration tests to gauge their security. They'll also be working with a number of university teams over the next year to have them examine the systems in formal test environments.
The Internet is full of commercial activity and it should come at no surprise that even illegal commercial activity is widespread as well. In this article we would like to describe the current developments - from where we came, where we are now, and where it might be going - when it comes to technologies used for digital black market activity.Via #Schneier / #Cryptogram.
TSB Bank Disaster[l]
This seems like an absolute disaster: The very short version is that a UK bank, TSB, which had been merged into and then many years later was spun out of Lloyds Bank, was bought by the Spanish bank Banco Sabadell in 2015. Lloyds had continued to run the TSB systems and was to transfer them over to Sabadell over the...- - - - - -
This vulnerability is a result of an interaction between two different ways of handling e-mail addresses. Gmail ignores dots in addresses, so firstname.lastname@example.org is the same as email@example.com is the same as firstname.lastname@example.org. (Note: I do not own any of those email addresses -- if they're even valid.) Netflix doesn't ignore dots, so those are all unique e-mail addresses and can each be used to register an account. This difference can be exploited.MORE (links and coments) Schneier on Security: https://www.schneier.com/blog/archives/2018/04/obscure_e-mail_.html
I was almost fooled into perpetually paying for Eve's Netflix access, and only paused because I didn't recognize the declined card. More generally, the phishing scam here is:
- Hammer the Netflix signup form until you find a gmail.com address which is "already registered". Let's say you find the victim jameshfisher.
- Create a Netflix account with address james.hfisher.
- Sign up for free trial with a throwaway card number.
- After Netflix applies the "active card check", cancel the card.
- Wait for Netflix to bill the cancelled card. Then Netflix emails james.hfisher asking for a valid card.
- Hope Jim reads the email to james.hfisher, assumes it's for his Netflix account backed by jameshfisher, then enters his card **** 1234.
- Change the email for the Netflix account to email@example.com, kicking Jim's access to this account.
- Use Netflix free forever with Jim's card **** 1234!
Obscure, yes? A problem, yes?
James Fisher, who wrote the post, argues that it's Google's fault. Ignoring dots might give people an enormous number of different email addresses, but it's not a feature that people actually want. And as long as other sites don't follow Google's lead, these sorts of problems are possible.
I think the problem is more subtle. It's an example of two systems without a security vulnerability coming together to create a security vulnerability. As we connect more systems directly to each other, we're going to see a lot more of these. And like this Google/Netflix interaction, it's going to be hard to figure out who to blame and who -- if anyone -- has the responsibility of fixing it.