Did Russia Interefere with the US Hacking its Own Election?

True Strange Library

Reality Winner is such a great name. What she may win, for apparently not seeing the reality of the bigger game being played, however, is jail time.The bigger game is the illusion of US democracy.

In US elections, each county reports results as ballots are counted. There is no central computer to be hacked. If the evidence Reality Winner leaked is from county vote systems and is Russian IP addresses, hackers already know that those will be seen in logs and that IP addresses can be falsified.

The underlying US election problem is proprietary code (e.g. Microsoft MDAC) and backdoors in hardware used for electronic voting systems, plus a lack of paper recipts that allow a recount. The code we use for voting is not secure, many think on purpose.

The (voting) system also appears to use MDAC 2.1, or Microsoft Data Access Components, which was found in the…

View original post 851 more words

Hacker News: Over 8,600 Vulnerabilities Found in Pacemakers

pacemaker-vulnerability

If you want to keep living, Pay a ransom, or die.” This could happen, as researchers have found thousands of vulnerabilities in Pacemakers that hackers could exploit.

Millions of people that rely on pacemakers to keep their hearts beating are at risk of software glitches and hackers, which could eventually take their lives.

A pacemaker is a small electrical battery-operated device that’s surgically implanted in the chest to help control the heartbeats. This device uses low-energy electrical pulses to stimulate the heart to beat at a normal rate.

While cyber security firms are continually improving software and security systems to protect systems from hackers, medical devices such as insulin pumps or pacemakers are also vulnerable to life-threatening hacks.

In a recent study, researchers from security firm White Scope analysed seven pacemaker products from four different vendors and discovered that they use more than 300 third-party libraries, 174 of which are known to have over 8,600 vulnerabilities that hackers could exploit in pacemaker programmers.

“Despite efforts from the FDA to streamline routine cyber security updates, all programmers we examined had outdated software with known vulnerabilities,” the researchers wrote in a blog post about the study.

“We believe that this statistic shows that the pacemaker ecosystem has some serious challenges when it comes to keeping systems up-to-date. No one vendor really stood out as having a better/worse update story when compared to their competitors.”

The White Scope analysis covered implantable cardiac devices, home monitoring equipment, pacemaker programmers, and cloud-based systems to send patient’s vital data over the Internet to doctors for examining.

pacemaker-hacking.png

All of the programmers examined by the security firm had outdated software with known vulnerabilities, many of which run Windows XP.

What’s even more frightening? Researchers discovered that the Pacemaker devices do not authenticate these programmers, which means anyone who gets their hands on an external monitoring device could potentially harm heart patients with an implanted pacemaker that could harm or kill them.

Another troubling discovery by researchers is with the distribution of pacemaker programmers.

Although the distribution of pacemaker programmers is supposed to be carefully controlled by the manufacturers of pacemaker devices, the researchers bought all of the equipment they tested on eBay.

So, any working tool sold on eBay has the potential to harm patients with the implant. Yikes!

“All manufacturers have devices that are available on auction websites,” the researchers said. “Programmers can cost anywhere from $500-$3000, home monitoring equipment from $15-$300, and pacemaker devices $200-$3000.”

What’s more? In some cases, researchers discovered unencrypted patients’ data stored on the pacemaker programmers, including names, phone numbers, medical information and Social Security numbers (SSNs), leaving them wide open for hackers to steal.

Another issue discovered in the pacemaker systems is the lack of the most basic authentication process: login name and password, allowing the physicians to authenticate a programmer or cardiac implant devices without even have to enter a password.

This means anyone within range of the devices or systems can change the pacemaker’s settings of a patient using a programmer from the same manufacturer.

Matthew Green, a computer science assistant professor at Johns Hopkins, pointed out on Twitter that doctors are not willing to let security systems block patient care. In other words, the medical staff shouldn’t be forced to log in with credentials during an emergency situation.

“If you require doctors to log into a device with a password, you will end up with a post-it note on the device listing the password,” Green said.

The list of security vulnerabilities the researchers discovered in devices made by four vendors includes hardcoded credentials, unsecured external USB connections, the failure to map the firmware to protected memory, lack of encrypted pacemaker firmware updates, and using universal authentication tokens for pairing with the implanted device.

White Scope has already contacted the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), so the manufacturers of the tested devices can address the flaws.

Swati - Hacking News
Technical Writer, Security Blogger and IT Analyst. She is a Technology Enthusiast with a keen eye on the Cyberspace and other tech related developments.

Hacker News: How to Hack Someone’s Facebook Account Just by Knowing their Phone Numbers

how-to-hack-facebook-account

Update: If you think this technique is old and can not be used to hack your social media, bank or any online accounts, then you are mistaken. A real-world SS7 attack has been spotted this month when some unknown hackers exploited the design flaws in the Signaling System 7 (SS7) to drain victims’ bank accounts.

Hacking Facebook account is one of the major queries on the Internet today. It’s hard to find — how to hack Facebook account, but researchers have just proven by taking control of a Facebook account with only the target’s phone number and some hacking skills.

Yes, your Facebook account can be hacked, no matter how strong your password is or how much extra security measures you have taken. No joke!

Hackers with skills to exploit the SS7 network can hack your Facebook account. All they need is your phone number.

The weaknesses in the part of global telecom network SS7 not only let hackers and spy agencies listen to personal phone calls and intercept SMSes on a potentially massive scale but also let them hijack social media accounts to which you have provided your phone number.

SS7 or Signalling System Number 7 is a telephony signaling protocol that is being used by more than 800 telecommunication operators worldwide to exchange information with one another, cross-carrier billing, enabling roaming, and other features.

However, an issue with the SS7 network is that it trusts text messages sent over it regardless of their origin. So, malicious hackers could trick SS7 into diverting text messages as well as calls to their own devices.

All they need is the target’s phone number and some details of the target’s device to initiate the silent snooping.

The researchers from Positive Technologies, who recently showed how they could hijack WhatsApp and Telegram accounts, now gave the demonstration of the Facebook hack using similar tricks, Forbes reported.

SS7 has long been known to be vulnerable, despite the most advanced encryption used by cellular networks. The designing flaws in SS7 have been in circulation since 2014 when the team of researchers at German Security Research Labs alerted the world to it.

Here’s How to Hack Any Facebook Account:

The attacker first needs to click on the “Forgot account?” link on the Facebook.com homepage. Now, when asked for a phone number or email address linked to the target account, the hacker needs to provide the legitimate phone number.

The attacker then diverts the SMS containing a one-time passcode (OTP) to their own computer or phone, and can login to the target’s Facebook account.

The issue affects all Facebook users who have registered a phone number with Facebook and have authorized Facebook Texts.

Besides Facebook, researchers’ work shows that any service, including Gmail and Twitter, that uses SMS to verify its user accounts has left open doors for hackers to target its customers.

Although the network operators are unable to patch the hole sometime soon, there is little the smartphone users can do.

  • Do not link your phone number to social media sites, rather rely solely on emails to recover your Facebook or other social media accounts.
  • Use two-factor authentication that does not use SMS texts for receiving codes.
  • Use communication apps that offer “end-to-end encryption” to encrypt your data before it leaves your smartphone over your phone’s standard calling feature.
Update: However, the important thing to note is that the issue has actually nothing to do with Facebook security or other website’s security, instead it is the weakness in the telecom network.

“Because this technique [SSL exploitation] requires significant technical and financial investment, it is a very low risk for most people,” Facebook spokesperson told The Hacker News.

“As an added precaution, we recommend turning on two-factor authentication, called Login Approvals, in your Facebook security settings. Doing this will disable recovery via SMS on your account so even if someone has your phone number, they’ll still need your password to access your account.”

Swati - Hacking News
Technical Writer, Security Blogger and IT Analyst. She is a Technology Enthusiast with a keen eye on the Cyberspace and other tech related developments.