Posts Tagged ‘hacking’

Iran to blame for cyber-attack on MPs’ emails – British intelligence

October 14, 2017

Evidence points to Iran, says unpublished report, after initial suspicion of Russia and North Korea dismissed

The houses of parliament. The emails of dozens of MPs were hacked, partly as the result of weak passwords, according to a parliamentary spokesman. Photograph: Xinhua/Barcroft Images

Iran is being blamed for a cyber-attack in June on the email accounts of dozens of MPs, according to an unpublished assessment by British intelligence. Disclosure of the report, first revealed by the Times but independently verified by the Guardian, comes at an awkward juncture. Donald Trump made it clear on Friday that he wants to abandon the Iran nuclear deal. But European leaders, including Theresa May, want to retain it.

Initial suspicion for the attack fell on Russia, but this has now been discounted. The evidence amassed is pinpointing Iran, according to the assessment. A spokesperson for the National Cyber Security Centre, the government body responsible for helping to counter attacks, said: “It would be inappropriate to comment further while inquiries are ongoing.”

The cyber-attack on parliament on June 23 hit the accounts of dozens of MPs, including Theresa May, the prime minister, and senior ministers. The network affected is used by every MP for interactions with constituents.

A security source told the Guardian at the time: “It was a brute-force attack. It appears to have been state-sponsored. The nature of cyber-attacks means it is notoriously difficult to attribute an incident to a specific actor.”

MPs contacted by the Guardian said the immediate suspicion had fallen upon foreign governments such as Russia and North Korea, both of which have been accused of orchestrating previous hacking attempts in the UK. The attackers sought to gain access to accounts protected by weak passwords. The parliamentary digital services team said they had made changes to accounts to block out the hackers. A spokesman said those whose emails were compromised had used weak passwords, despite advice to the contrary.

Conservative MP Andrew Bridgen said at the time that such an attack “absolutely” could leave some people open to blackmail. “Constituents want to know the information they send to us is completely secure,” he said.

Liam Fox, the international trade secretary, connected the news to reports that cabinet ministers’ passwords were for sale online. “We know that our public services are attacked, so it is not at all surprising that there should be an attempt to hack into parliamentary emails,” he said. “And it’s a warning to everybody, whether they are in parliament or elsewhere, that they need to do everything possible to maintain their own cybersecurity.”

https://www.theguardian.com/world/2017/oct/14/iran-to-blame-for-cyber-attack-on-mps-emails-british-intelligence

Russia Has Turned Kaspersky Software Into Tool for Spying

October 11, 2017

Searches exploited popular Russian-made antivirus software to seek classified material, officials say

WASHINGTON—The Russian government used a popular antivirus software to secretly scan computers around the world for classified U.S. government documents and top-secret information, modifying the program to turn it into an espionage tool, according to current and former U.S. officials with knowledge of the matter.

The software, made by the Moscow-based company Kaspersky Lab, routinely scans files of computers on which it is installed looking for viruses and other malicious software. But in an adjustment to its normal operations…

 https://www.wsj.com/articles/russian-hackers-scanned-networks-world-wide-for-secret-u-s-data-1507743874
Related:

Spy vs spy vs spy as Israel watches Russian hackers: NYT

October 11, 2017

AFP

© AFP/File | The Russian intrusion detected more than two years ago used anti-virus software manufactured by the Russian firm Kaspersky Lab as an ad hoc global search tool, The New York Times said

WASHINGTON (AFP) – Israeli spies observed Russian government hackers in real time as they scoured computers around the world for the codenames of US intelligence programs, The New York Times reported Tuesday night.

The Russian intrusion detected more than two years ago used anti-virus software manufactured by the Russian firm Kaspersky Lab as an ad hoc global search tool, the Times said, quoting current and former government officials.

The software is used by 400 million people around the world, including by officials at some two dozen American government agencies, the Times reported.

Israeli intelligence had hacked into the Kaspersky network and upon detecting the Russian intrusion, alerted the United States. This led to a decision last month for Kaspersky software to be removed from US government computers, the Times said.

It is known that Russian hackers stole classified documents from a National Security Agency employee who had stored them on his home computer which featured Kaspersky antivirus software, the paper said.

It said that it is not yet publicly known what other secrets the Russians may have obtained from US government agencies by using Kaspersky software as “a sort of Google search for sensitive information.”

The Times said Kaspersky Lab denied any knowledge of or involvement in the Russian hacking.

**************************************

How Israel Caught Russian Hackers Scouring the World for U.S. Secrets

*******************************************************************

Kaspersky Software Used by Russian Government to Steal NSA Hacking Tools, Say Israeli Spies: Reports

HIGHLIGHTS

  • Israeli spies have found Russian government using Kaspersky
  • The spies had previously warned their US counterparts of intrusion
  • US has already banned the use of Kaspersky in its defence domain

Israeli intelligence officials spying on Russian government hackers found they were using Kaspersky Lab antivirus software that is also used by 400 million people globally, including US government agencies, according to media reports on Tuesday.

The Israeli officials who had hacked into Kaspersky’s network over two years ago then warned their US counterparts of the Russian intrusion, said The New York Times, which first reported the story.

That led to a decision in Washington only last month to order Kaspersky software removed from government computers.

The Washington Post also reported on Tuesday that the Israeli spies had also found in Kaspersky’s network hacking tools that could only have come from the US National Security Agency.

After an investigation, the NSA found that those tools were in possession of the Russian government, the Post said.

And late last month, the US National Intelligence Council completed a classified report that it shared with NATO allies concluding that Russia’s FSB intelligence service had “probable access” to Kaspersky customer databases and source code, the Post reported.

Russian intelligence services — the Main Intelligence Directorate (GRU) and the FSB

That access, it concluded, could help enable cyber attacks against US government, commercial and industrial control networks, the Post reported.

The New York Times said the Russian operation, according to multiple people briefed on the matter, is known to have stolen classified documents from a National Security Agency employee who had improperly stored them on his home computer, which had Kaspersky antivirus software installed on it.

It is not yet publicly known what other US secrets the Russian hackers may have discovered by turning the Kaspersky software into a sort of Google search for sensitive information, the Times said.

The current and former government officials who described the episode spoke about it on condition of anonymity because of classification rules, the Times said.

The newspaper said the National Security Agency and the White House declined to comment, as did the Israeli Embassy, while the Russian Embassy did not respond to requests for comment.

The Russian embassy in Washington last month called the ban on Kaspersky Lab software “regrettable” and said it delayed the prospects of restoring bilateral ties.

Kaspersky Lab denied to the Times any knowledge of, or involvement in, the Russian hacking. “Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage efforts,” the company said in a statement on Tuesday.

Eugene Kaspersky, the company’s co-founder and chief executive, has repeatedly denied charges his company conducts espionage on behalf of the Russian government.

Kaspersky spokeswoman Sarah Kitsos told the Washington Post on Tuesday that “as a private company, Kaspersky Lab does not have inappropriate ties to any government, including Russia, and the only conclusion seems to be that Kaspersky Lab is caught in the middle of a geopolitical fight.” She said the company “does not possess any knowledge” of Israel’s hack, the Post said.

US intelligence agencies have concluded that Russian President Vladimir Putin ordered a multipronged digital influence operation last year in an attempt to help Donald Trump win the White House, a charge Moscow denies.

North Korea Hacked South Korea’s War Plans

October 10, 2017

AFP

© AFP/File | A Seoul lawmaker says North Korean hackers stole details of South Korean-US exercises

SEOUL (AFP) – North Korean computer hackers have stolen hundreds of classified military documents from South Korea including detailed wartime operational plans involving its US ally, a report said Tuesday.

Rhee Cheol-Hee, a lawmaker for the ruling Democratic party, said the hackers had broken into the South’s military network last September and gained access to 235 gigabytes of sensitive data, the Chosun Ilbo daily reported.

Among the leaked documents was Operational Plans 5015 for use in case of war with the North and including procedures for “decapitation” attacks on leader Kim Jong-Un, the paper quoted Rhee as saying.

Rhee, a member of parliament’s defence committee, could not be reached for comment but his office said he had been quoted correctly.

The report comes amid heightened fears of conflict on the Korean peninsula, fuelled by US President Donald Trump’s continued threats of military action against Pyongyang to tame its weapons ambitions.

In his latest tweet over the weekend, Trump reiterated that diplomatic efforts with North Korea have consistently failed, adding that “only one thing will work”.

Citing Seoul’s defence ministry, Rhee said that 80 percent of the leaked documents had yet to be identified.

But the contingency plan for the South’s special forces was stolen, he said, as well as details about annual joint military drills with the US and information on key military facilities and power plants.

A ministry spokesman declined to confirm the report, citing intelligence matters.

In May the ministry said North Korea had hacked into Seoul’s military intranet but did not say what had been leaked.

Pyongyang has a 6,800-strong unit of trained cyber-warfare specialists, according to the South Korean government. It has been accused of launching high-profile cyber-attacks including the 2014 hacking of Sony Pictures.

The Chosun Ilbo story was the second report Tuesday of military-related cyber-attacks in the Asia-Pacific.

Australia’s government said separately an unidentified defence contractor had been hacked and a “significant amount of data” stolen.

There were 47,000 cyber-incidents in the last 12 months, a 15 percent increase from the previous year, Minister for Cyber Security Dan Tehan said in Canberra as he launched a report by the Cyber Security Centre.

The defence contractor was exploited via an internet-facing server, with the cyber-criminals using remote administrative access to remain in its network, the report said.

The Australian newspaper reported that the hacker was based in China but Tehan told the Australian Broadcasting Corporation that “we don’t know and we cannot confirm exactly who the actor was”.

Defending UK ‘digital homeland’ from cyber attack as important as spying and counter terrorism, says new GCHQ director

October 9, 2017

GCHQ CREDIT: BARRY BATCHELOR/PA

Protecting Britain from hacking and cyber attacks is as important as spying and preventing terrorism, the new head of GCHQ has said.

Defending the “digital homeland” must become a key part of the work of Britain’s electronic spy agency, Jeremy Fleming says in his most extensive public comments since becoming head of the agency earlier this year.

The growing task of defending Britain’s online life and commerce means an increasingly prominent role for an agency that has traditionally taken a backseat to MI5 and MI6.

Writing in the Telegraph, he says the top secret, Cheltenham-based agency must step out of the shadows of nearly a century of secrecy to better keep people safe and free online.

His comments come after a series of high profile cyber attacks, including May’s WannaCry ransomware outbreak that caused chaos to the NHS.

Jeremy Fleming was appointed director of GCHQ earlier this year

Concerns over the UK’s national cyber security have also been raised by a string of allegedly Russian-backed cyber operations targeting political parties and MPs across Europe.

Mr Fleming said: “If GCHQ is to continue to help keep the country safe as we prepare for our second century, then protecting the digital homeland – keeping our citizens safe and free online – must become and remain as much part of our mission as our global intelligence reach and our round-the-clock efforts against terrorism.”

His comments come as the Government is reviewing national security policy in the wake of increased terrorism, cyber attacks and Russian activity.

Mr Fleming joined GCHQ in April after a career at the Security Service, MI5.

The Government last year launched the National Cyber Security Centre (NCSC), a high-profile offshoot from GCHQ drawing on the agency’s expertise to protect the nation’s online life.

Mr Fleming said his staff were “protecting the nation from those who want to use the internet to cause harm”.

“We all derive great benefit from the ease and speed of connecting across the planet: access to knowledge, reduced costs of communication and commerce, and from the additional security provided by default encryption.

“It’s also true to say that hostile states, terrorists and criminals use the same features to undermine our national security, attack our interests and, increasingly, to commit crime.”

In its first year, the NCSC tackled 600 significant cyber attacks on bodies ranging from key national institutions to large and small businesses.

The WannaCry outbreak affected dozens of NHS trusts, while in June email accounts were targeted in an attack on parliamentary networks.

GCHQ celebrates its centenary in 2019, but the work of its technical experts, engineers, analysts, translators and codebreakers has been kept secret throughout its history.

Mr Fleming said the agency’s new role would require a higher profile, collaborating more openly with industry.

He said: “All of this can feel deeply challenging for a GCHQ that by necessity has worked in the shadows. It remains the case that much of what we do must remain secret. But the success of the NCSC demonstrates that we are more effective, a better employer and more trusted if we are more transparent, more visible and take advantage of the internet to drive change.”

http://www.telegraph.co.uk/news/2017/10/08/defending-uk-digital-homeland-cyber-attack-important-spying/

German spy agencies want right to destroy stolen data and ‘hack back’

October 5, 2017

Reuters

By Andrea Shalal

BERLIN (Reuters) – Top German intelligence officials on Thursday urged lawmakers to give them greater legal authority to “hack back” in the event of cyber attacks from foreign powers.

Hans-Georg Maassen, head of the BfV domestic intelligence agency, told the parliamentary oversight committee it should be possible to destroy data stolen from German servers and moved to foreign servers to prevent it from being misused.

He said it would also make sense to “infect” foreign servers with software that would enable greater surveillance of any operations directed against German cyber targets, or to extract data, much as human agents are recruited for counter-espionage.

“In the real world, it would be like turning a foreign intelligence agent and getting them to work for us … Something like this should be possible in the cyber world too,” Maassen told the committee in its first public hearing.

“These are ‘hack back’ instruments, but they are below the threshold of destroying or incapacitating a foreign server,” Maassen said.

German officials have blamed APT28, a Russian hacker group said to be linked to Moscow, for the May 2015 hack of the German lower house of parliament, the Bundestag, and other cyber attacks aimed at political groups, individuals or institutions.

They issued repeated warnings about the possibility that Moscow could seek to influence or disrupt the Sept. 24 German election, although officials have since said they did not see any major push by Russia to do so.

Maassen said it was possible Russia decided the political cost was too great after the backlash that ensued in the United States after a similar effort there.

Russia denies seeking to influence any foreign elections.

LACKING LEGAL AUTHORITY

Germany’s BND foreign intelligence agency already has the expertise, but not the legal authority, to destroy foreign servers, its chief Bruno Kahl told the committee.

Once the source of attack had been carefully investigated and identified, it could make sense to “shut down the source of such an attack and not have to retreat and give the job of going back in and taking care of business,” Kahl said.

In the end, however, such decisions had to be made by politicians, Kahl said.

Christof Gramm, head of Germany’s MAD military counter-espionage agency, said there were questions of domestic and international law to address before empowering the agencies to take such actions.

“This all has to be worked out. There are international boundaries. We’re not just talking about national law,” Gramm told the committee near the end of a three-hour session.

He said if such powers were granted, it would be up to the military’s cyber command to carry out such actions, not the MAD.

Maassen said authorities needed access to streaming data from foreign servers – for instance of videos showing beheadings – to track radicalization of possible Islamist attackers.

He also called for broader powers to track communications between Germany and Raqqa, the Syrian city still under Islamic State control, noting that current law only allowed the tracking of individual communications, not broader flows.

Reporting by Andrea Shalal and Sabine Siebold; Editing by Richard Balmforth

SEC Discloses Edgar Corporate Filing System Was Hacked in 2016

September 21, 2017

The SEC disclosed that hackers penetrated its electronic system for storing public-company filings and may have traded illegally on the information.

Breach may have allowed trading that profited from nonpublic information, regulator says

WASHINGTON—The top U.S. markets regulator disclosed Wednesday that hackers penetrated its electronic system for storing public-company filings last year and may have traded on the information.

The Securities and Exchange Commission’s chairman, Jay Clayton, revealed the breach in an unusual and lengthy statement issued Wednesday evening that didn’t provide many details about the intrusion, including the extent of any illegal trading.

The SEC said it was investigating the source of the hack, which exploited a software vulnerability in a part of the agency’s Edgar system, a comprehensive database of filings made by thousands of public companies and other financial firms regulated by the SEC.

The commission said the hack was detected in 2016, but that regulators didn’t learn about the possibility of related illicit trading until August, when they started an investigation and began cooperating with what the SEC called “appropriate authorities.”

A spokesman for the Federal Bureau of Investigation declined to comment on the SEC disclosure.

The commission’s disclosure follows a major breach of Equifax Inc. that affected 143 million Americans and warnings from executives of the New York Stock Exchange and Bats Global Markets Inc. that a planned data repository of all U.S. equity and options orders could become a juicy target for hackers.

“Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic,” Mr. Clayton said in a written statement. “We also must recognize—in both the public and private sectors, including the SEC—that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”

The intrusion shows how confidential information that can yield easy trading profits has increasingly become a target of hackers.

The SEC in December sued three Chinese traders who allegedly earned more than $4 million in illegal gains after they stole information from the computer systems of Cravath, Swaine & Moore LLP and Weil, Gotshal & Manges LLP, which represent Wall Street banks and Fortune 500 companies.

The SEC’s Electronic Data Gathering, Analysis and Retrieval system, or Edgar, is used by investors who access the online system to view companies’ earnings statements and other disclosures on material developments at companies. Some companies purchase and resell electronic feeds of the filings that cater to electronic and algorithmic traders.

Mr. Clayton’s statement didn’t identify the precise date of the intrusion or what sort of nonpublic data was obtained. The agency said the hackers exploited a vulnerability in part of the Edgar system that allows companies to test the accuracy of data transmitted in new forms. Many corporate filings are made public as soon as they are received through Edgar, although other forms may have to be reviewed first by SEC staff.

The SEC’s statement also didn’t explain why the SEC waited to reveal the breach until Wednesday.

SEC officials have sometimes indicated they could take enforcement action against a public company that misled investors about a significant hack that affected share prices.

Mr. Clayton, who is due to testify before the Senate Banking Committee next week, is sure to face questions about his own agency’s cyber vulnerabilities.

“We face the risks of cyber threat actors attempting to compromise the credentials of authorized users, gain unauthorized access to filings data, place fraudulent filings on the system, and prevent the public from accessing our system through denial of service attacks,” Mr. Clayton said. “We also face the risks of actors attempting to access nonpublic data relating to our oversight, or enforcement against, market participants, which could then be used to obtain illicit trading profits,” he added.

The Edgar system, which was launched to equalize access to information among retail and sophisticated investors, has occasionally caused headaches for the commission. Academic researchers found in 2014, for instance, that hedge funds and other rapid-fire investors got earlier access to market-moving documents from Edgar than other users of the standard, web-based system, giving them a potential edge on other traders. The SEC later said it fixed the problem.

The system has also been exploited by traders who submitted fake corporate filings. In 2015, a 37-year-old man in Bulgaria filed a fake takeover offer for Avon Products Inc., which succeeded in sending the beauty-product company’s shares soaring but netted the mastermind just $5,000, regulators alleged.

Mr. Clayton’s statement acknowledged that the planned data repository, known as the Consolidated Audit Trail, could be targeted by cyber thieves looking to steal personal information of stockbrokers’ customers. The audit trail has been in the works for nearly seven years and the SEC approved its final design last year. However, exchange executives have recently cited the Equifax hack as evidence that the audit trail should be pared back, even if that takes away information that could help regulators spot manipulative traders more quickly.

Stock and options exchanges, as well as the Financial Industry Regulatory Authority, which oversees brokers, are due to begin reporting data to the repository in November.

Robert Cook, chief executive of Finra, also has questioned whether the audit trail should be scaled back in light of the Equifax data breach. Speaking Wednesday at a banking luncheon in Washington, Mr. Cook questioned whether the database designed to help regulators sort through flash crashes and spot market manipulation should include personal information about stockbrokers’ customers.

“Especially post-Equifax when we are trying to win back investor confidence in the markets, it seems to be a useful question to ask whether we’ve got the right approach here or we need to revisit it,” he said.

Write to Dave Michaels at dave.michaels@wsj.com

https://www.wsj.com/articles/sec-discloses-edgar-corporate-filing-system-was-hacked-in-2016-1505956552

U.S. Sanctions Iranians for malicious cyber activities or enabling Tehran’s nuclear program

September 14, 2017

WASHINGTON (Reuters) – The United States on Thursday slapped sanctions on seven Iranian individuals and two entities, alleging involvement in either malicious cyber activities or enabling Tehran’s nuclear program.

The action, announced on the U.S. Treasury Department’s website, freezes any assets they may hold in the United States and prohibits U.S. individuals from doing business with them.

(Reporting by Tim Ahmann; Editing by Cynthia Osterman)

Germany opens ZITiS cyber surveillance agency

September 14, 2017

The German Interior Ministry has officially opened ZITiS, a surveillance agency independent of both the police and the secret service. Critics say anyone with a smartphone is now vulnerable to state snooping.

Interior Minister Thomas de Maiziere opened a new cyber security agency in Munich on Thursday as part of a centralized attempt to tackle cyber-crime and digital espionage via mass telecommunication surveillance, data encryption, and mass data collection.

However, the German government’s own data protection commissioner has complained publicly that she was not consulted as promised about the new “central office for information technology in the security sphere” (ZITiS).

Data protection commissioner Andrea Vosshoff complained to the Neue Osnabrücker Zeitung newspaper that she was unable to offer a “serious or valid assessment or evaluation of this project” even though the government had promised “official participation” last summer.

“Of course data protection is a central element of such a huge project,” Vosshoff’s predecessor Peter Schaar told DW. “It would be extremely unfortunate if the relevant data protection commissioner wasn’t sufficiently involved.”

ZITiS is a serious investment: some 10 million euros ($12 million) will be poured into the new agency in the first year alone, with 120 positions created immediately. The government wants to expand that workforce to 400 by 2022. It is designed to be a technological resource for Germany’s other security agencies, all of which come under the authority of the Interior Ministry.

The new agency’s tasks will also include “digital forensics,” which means developing methods for piecing together evidence from the internet. ZITiS will also research and develop new telecom surveillance strategies for other agencies.

No rules for a new agency

Frank Herrmann, of Germany’s Pirate Party, called Vosshoff’s public complaint “remarkable.” “The data protection authority should definitely be an address you would want to include, and as she says, that was agreed and it didn’t happen,” he said. “There are regulations that the state has to define exactly what it wants to do, so it can be checked that it is doing its work properly.”

He also said he was particularly concerned that, because ZITiS was an independent security agency, it was not governed by any law. “We have a BKA law, we have a BND law,” he said, referring to Germany’s federal police and intelligence agencies.

“Those are all institutions that are regulated by laws that say what they can do and what they can’t. None of that exists for ZITiS.”

New crimes, new powers

In a statement issued ahead of the opening, de Maiziere emphasized how “a whole series of incidents with criminal, but especially terrorist, background in the course of 2016 placed our security agencies before technical challenges.”

“We live in a digital age and the security forces must keep up with developments,” the minister added.

The president of Germany’s federal police, Holger Münch, also welcomed the help that ZITiS would bring, pointing out at a cyber-crime conference in May that the police had registered 83,000 cases of cyber-crime in 2016 alone, and estimating that this had caused 51 million euros’ worth of damage.

But there was also resistance from opposition parties. The Left party’s Martina Renner called ZITiS “a danger for anyone who owns a smartphone or wants their privacy in the digital world to be respected.”

Herrmann also said that ZITiS’ purpose would actually create the opposite of what the state wants to do – make the internet more secure.

“The main task of ZITiS is to break into networks and to break encryptions – those are things that you can only do by exploiting security gaps,” he said. “This agency’s task is not to close these gaps, but to use them. But computer technology will only become safer if you close these gaps – it’s actually quite sick. ZITiS should be shut down before it’s opened.”

The German police is actually already developing its own network-cracking skills: that was revealed in July by the independent news outlet Netzpolitik, which leaked an Interior Ministry document showing the German police was expecting to be able to read encrypted messaging apps such as WhatsApp by the end of the year.

New surveillance malware, known as Remote Communication Interception Software 2.0 (RCIS) can be used on mobile devices with Android, iOS, and Blackberry operating systems. RCIS circumvents the encryption built into services such as WhatsApp and Telegram by hacking the phones themselves and reading the messages “at source” on users’ screens.

In June, the German government also passed a law to hand police the power to hack into devices belonging to anyone suspected of criminal activity – not just terror offenses.

http://www.dw.com/en/hacking-for-the-government-germany-opens-zitis-cyber-surveillance-agency/a-40511027

Vulnerabilities discovered in German electoral system — Fixes “do not stand up to even superficial security tests”

September 9, 2017

AFP

© John MacDougall, AFP | The Chaos Computer Club discovered flaws in software used in German elections.

Text by Sébastian SEIBT

Latest update: 2017-09-09

The Chaos Computer Club (CCC), a group of German hackers, is warning that there are major flaws in software that will be essential to the vote count in Germany’s September 24 legislative elections.

The CCC said on Tuesday that hackers could destabilise the German general election if the choice of 61.5 million Germans who will cast their ballots on September 24, to either re-elect Chancellor Angela Merkel or replace her, is not respected.

The CCC published a report online giving details as to how the election could be hijacked. While electronic voting is illegal in Germany, results are transmitted to the electoral commission electronically. It is there that the vulnerabilities lie. The software used in much of the country to send the votes to the Federal Election Commission is not secure, the CCC said. And the weakness is so obvious that it was discovered easily by a 29-year-old computer scientist.

PC-Wahl in the crosshairs

The program used to send results, PC-Wahl, doesn’t adhere to “the basic principles of computer security, and the number of vulnerabilities discovered far surpass our worst fears,” said Linus Neumann, spokesman for Berlin-based CCC. The weakness comes from the lack of an electronic signature proving that the transmitted data is genuine. Without that, hackers could intercept the results and modify them.

And the passwords for accessing the PC-Wahl interface are not hard to find. For starters, the same ID is valid for multiple municipalities. “It is like a hotel where all the doors are closed, but where the same key opens them all,” Neumann said.

The PC-Wahl software can also be easily modified. The program updates automatically on a regular basis, but the updates aren’t well-protected from hackers. A cybercriminal could fairly easily swap an official update with a version that would allow him or her to control the software.

Insufficient improvements

The defects were discovered at the beginning of the summer and the manufacturer of PC-Wahl was quickly alerted. Several modifications later, the Chaos Computer Club is still not satisfied with the results. The improvements made “do not stand up to even superficial security tests”, the report notes.

In an interview with the weekly Die Zeit, the manufacturer of PC-Wahl defended itself by stating that “even in cases of piracy, the final result of the vote will be legitimate because there is always the paper trail for verification.” The CCC and the computer scientist who made the original discovery acknowledge that if there is the slightest doubt, the electoral commission will be able to verify the results against the paper ballots.

But the CCC contends that the flaws that still exist in the software might cast suspicion on the election results, which “weakens the democratic process,” Neumann said. Some authorities have taken note. In Hesse, the head of the electoral commission asked local election officials to compare the results that will be published online on the evening of the election with those they sent in. And national authorities are now working with the makers of PC-Wahl to make sure the software is as secure as possible come election day.

http://www.france24.com/en/20170909-vulnerabilities-discovered-german-electoral-system