Comments on: Voting machine maker vows to step up security, Fortnite bribes players to do 2FA – and more

Summer rolls on, Reg vultures are making the most of their hols before the September rush hits, and in the past week, we saw Lazarus malware targeting Macs, Adobe scrambling to get an emergency patch out, and Democrats losing their minds over a simple training exercise. Here's what else went down... SOLEO mission Researchers …

  1. John Sager

    Directory traversal, still??

    You would think this is now a standard thing with websites to bar directory traversal, but obviously not:(

  2. Anonymous Coward

    Hmmm

    I tried the Fortnite free game to see what all the fuss was about. Bizarrely, within the first two weeks people had tried to log in as me on multiple occasions, triggering multiple emails from Epic asking me to set up 2FA. What exactly were these "hackers" going to do? Play the game as me? I highly doubt it; there was nothing of value to getting logged in as me. Now we see Epic bribing people to get 2FA by offering a dance move. So the big question is why? What do Epic get out of knowing who I am? (Phone number link, they already have an email.) Is there a market for email/IP/phone information on people? If anyone knows I'd be curious to know.

    1. This post has been deleted by its author

      1. Anonymous Coward

        'The big question is why? What do Epic get out of knowing who I am?'

        That's not it... Musk (Tesla) and Sweeney (Epic) are arguably the few senior people in tech who actually care about Privacy and don't want to slurp your info! Epic in general are a genius game engine company, but they're a bit light on the security side, and have been caught out badly by the success of Fortnite. In fact, a lot of their platform support is outsourced and not well managed.

        So overall Epic's biggest problem right now is Security. Below is a typical post. Most don't even get a reply. 2FA is necessary if you're giving Epic billions from storing payment / card details to buy in-game upgrades, then you need to secure your account!

        https://forums.unrealengine.com/unreal-engine/feedback-for-epic/1453715-epic-your-account-security-design-is-atrociously-bad

  3. Will Godfrey Silver badge
    Meh

    Ancient PLCs

    These chug along for far more than 20 years! I know of several that are still running 24/7 and are getting on for 30, and last year I repaired an ancient TTL forerunner that's something like 40 - the I/O modules are 2x10x8... inches!

    Fortunately none of these have any network access (that I know of)

  4. Anonymous Coward
    Facepalm

    Security devices and web interfaces

    “Researchers at Project Insecurity have detailed a vulnerability in SOLEO's IP relay technology that disclosed sensitive files on affected installations. For example, the following HTTPS request to a vulnerable service”...

    The solution being: don't put a web anything on security devices. Remove the HTTP server, remove the HTTP browser, remove the Java interpreter etc. and learn to use command-line tools and configuration scripts.

    “This vulnerability exists due to the fact that there is improper sanitization on the ‘page’ GET parameter in servlet/IPRelay. A developer should always check for dangerous characters in filenames”

    2001 is calling and wants its Directory Traversal attack back :]
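As an added example (not from the commenter above, from SOLEO, or from the advisory quoted), the following Python shows the check the quoted advisory asks for: a `page` query value resolved against a fixed document root, with the naive decode-and-concatenate pattern beside a hardened resolver. The root directory `/srv/iprelay/pages`, the function names and the sample parameter values are all constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumption for this example: the handler is only meant to serve files
# under this directory.  Any resolved path outside it is a traversal.
PAGES_ROOT = "/srv/iprelay/pages"

# Allow-list for the 'page' value: letters, digits, dot, slash, dash, underscore.
_ALLOWED = re.compile(r"[A-Za-z0-9_./-]+")


class UnsafePath(ValueError):
    """Raised when a 'page' value would reach outside PAGES_ROOT."""


def naive_resolve(page: str, root: str = PAGES_ROOT) -> str:
    """The pattern the advisory describes: decode and concatenate, no check.
    Returned paths can point anywhere on the filesystem."""
    return posixpath.normpath(posixpath.join(root, unquote(page)))


def resolve_page(page: str, root: str = PAGES_ROOT) -> str:
    """Hardened version: return the absolute file path for ``page`` or raise
    UnsafePath.  ``page`` is the raw, still-URL-encoded query value."""
    decoded = unquote(page)  # decode exactly once; never decode again later
    if "\x00" in decoded:
        raise UnsafePath("NUL byte in page name")
    if decoded.startswith("/") or "\\" in decoded:
        raise UnsafePath("absolute path or backslash")
    if not _ALLOWED.fullmatch(decoded):
        # Also rejects a leftover '%' from double encoding, whitespace, etc.
        raise UnsafePath("character outside allow-list")
    normalised = posixpath.normpath(decoded)
    if normalised == ".." or normalised.startswith("../"):
        raise UnsafePath("parent-directory reference")
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, normalised))
    # Belt and braces: the final path must still have the root as an ancestor.
    if posixpath.commonpath([root_norm, candidate]) != root_norm:
        raise UnsafePath("resolved path escapes root")
    return candidate


def is_safe(page: str) -> bool:
    """True if resolve_page accepts the value, False if it rejects it."""
    try:
        resolve_page(page)
        return True
    except UnsafePath:
        return False


def audit(pages):
    """Classify a batch of 'page' values as accepted (True) or rejected (False)."""
    return {p: is_safe(p) for p in pages}


if __name__ == "__main__":
    # Constructed sample values, including the traversal shapes that show up
    # in web-server logs and that a detection rule would typically flag.
    samples = ["index.html", "help/faq.html", "help/../index.html",
               "../../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd",
               "%252e%252e/etc/passwd", "/etc/passwd", "logo.png%00.html"]
    for p, ok in audit(samples).items():
        verdict = "accept" if ok else "REJECT"
        print(f"{verdict:6}  {p!r:34} naive -> {naive_resolve(p)}")
```

The decode-once rule matters: a second `unquote` after the checks would turn `%252e%252e` back into `..` and undo the allow-list. Checking the final path against the root with `commonpath` catches anything the earlier string checks miss, so the two layers are complementary rather than redundant.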

    1. Charles 9 Silver badge

      Re: Security devices and web interfaces

      And if you get overridden because the higher ups insist on it and tell you to Do It or Else?

      1. Mark 85 Silver badge

        Re: Security devices and web interfaces

        And if you get overridden because the higher ups insist on it and tell you to Do It or Else?

        I'd make damn sure there's emails involved and not word of mouth. Print out the emails and secure in a lock box or better yet, use the local bank's security lock boxes they have on site. Crap rolls downhill and you don't want the blame when things go pear shaped because some manager/exec said "just do it".

  5. Anonymous Coward
    Big Brother

    ES&S harden its voting machines from hackers

    Just who in their right minds connects a voting machine directly to the Internet? Election Systems and Software (ES&S), that's who, which some time back acquired Diebold's voting machine division ‘Premier Election Solutions’. What is the make of hardware and software that these voting products run on?

    ES&S .. was expanding its work with .. Homeland Security .. includes the installation of advanced threat monitoring and network security monitoring

    Is it wise giving the state security apparatus full control over the voting process, especially as there is no paper trail? If a malicious actor were to come to power, s/he could manipulate the vote in his/her favour.

    1. Anonymous Coward

      Re: ES&S harden its voting machines from hackers

      Maybe I'm blind, but going through ES&S' press release I couldn't find anything stating that the new "safeguards" are going to be in place prior to the November election. Plenty of fluff though about how "pleased" they are about this.

      1. A Dark Germ

        Re: ES&S harden its voting machines from hackers

        Do they use hardware cryptography to do public key cryptography?

        Have they linked to U2F security keys?

        Did they build it on trusted secure core like SAML11?

        All answers are nope, it's just normal IT with security in software and TCP/UDP/IP stack access.

  6. Lars Silver badge
    Happy

    So easy

    Just return to paper and pencil (ink) and try to avoid internet-connected paper and pencil. Opinion by a guy who spent 35 years as a programmer and who will never trust anything else, sad as it is. And please, Americans, no punch cards either.

    1. Claptrap314 Silver badge

      Re: So easy

      But...if we don't have punch cards, how can we ensure that voters voted for the correct candidate a hundred at a time?

    2. A Dark Germ

      Re: So easy

      Lars, read about

      FIDO and hardware security keys.

      Man, you're stuck in the past.

    3. Danny 2 Silver badge

      Re: So easy

      Exactly. What problem is a voting machine the solution to? Arguably they are quicker to return the count, maybe even cheaper, but they are no more accurate and they are a single hackable point of failure for democracy.

      https://xkcd.com/2030/

      1. Charles 9 Silver badge

        Re: So easy

        Single? Given how many machines there are in the country, I'd say they're a bit harder to bribe than manual vote counters (and if you know the size of the major political parties, you cannot rule out the possibility of them infiltrating and/or bribing most if not all of them).

  7. Waseem Alkurdi
    Trollface

    Sales terminals in some Cheddar’s Scratch Kitchen restaurants may well have been hacked in 23 US states to steal payment card information between November 3, 2017, and January 2, 2018. A technique to steal crypto-keys from electromagnetic radiation from a very nearby device has been detailed here.

    That attack finally turned out to be of use?

    Maybe somebody else's going down to the HDD activity light blink hack?

  8. A Dark Germ

    SMS 2FA gave us sweet FA security

    https://www.theregister.co.uk/2018/08/01/reddit_hacked_sms_2fa/

    Do people actually understand what they read?

    Epic failure, lol.

    I asked them to add U2F but nope.

    Asked local MP Douglas Ross to have UK government link U2F to passports ID chip..

    Then we have root of trust in hardware.

    People are so slow with education.

    1. Charles 9 Silver badge

      Re: SMS 2FA gave us sweet FA security

      I've always said. How do you make people care when it's so over their heads they're beyond caring?

      IOW, how do you make people care?
