You are viewing 'hacker'
Hack the vote blog series: part 3
We reiterate that there have been no known malicious attacks against voting machines actively being used in an election in the United States. This doesn’t mean that such attacks aren’t possible, but simply that it hasn’t happened yet (or if it has happened nobody has noticed). Still, we should take the attacks against political parties and the voter rolls as a warning that somebody is interested in affecting U.S. elections.
As long as electronic voting machines have been around there have been security researchers finding vulnerabilities in them including one disclosed yesterday, the day before the election. The primary concern is that with the move to electronic voting systems the votes and even the ballots themselves are just bits in a database that can be easily flipped. It has become much more feasible for a malicious actor to have a large impact than in the days of paper ballots. While these technical vulnerabilities are a threat and should be... read more >
Hack the vote blog series: part 2
At first glance, the hacks targeting voter registration databases are a bit confusing: the voter rolls are considered a public record in many states, often obtainable by paying a fee of a few hundred dollars. Websites can and have legally republished this data. Records are also available to political campaigns, even in states where the records are not otherwise publicly available, and these lists can be bought online. It raises the question: why hack into a database that can be had just by politely asking for it?
So far the conversation around the voter database hacks has focused on the confidentiality of these records, as if the exposure of this data presents some sort of increased risk. Illinois, a... read more >
The news has been rife with headlines about voting hacks, with the FBI revealing that state voter registration databases have been compromised and warning of ongoing attacks. Meanwhile, one of the major parties has already suffered two known breaches and WikiLeaks continues to post Clinton campaign emails on a regular basis. So far, signs are pointing to operators inside Russia as the culprits for all of the above.
Many of us in the information security... read more >
When “catch them all” isn’t just Pokémon Go’s catch phrase
Let me start off by saying that I have not played a Pokémon game since Pokémon Snap back in ‘99. When I heard there was going to be an augmented reality Pokémon game for mobile, my inner child fanboyed. I made sure to download it as soon as it hit the app store, and had the fever to “catch them all.” I quickly found out, however, that Pokémon were not the only thing people were catching.
The best way to catch a Pokémon is to go out to a public area. The game shows you a virtual map of the area (it’s connected to Google maps, so is a real map). As you explore, Pokémon “spawn,” or show up, on the app for you to catch. The first place that popped into my mind as a good place to catch Pokémon was the park. So I packed up my stuff, got my daughter ready to go, and off we went.
I started to catch Pokémon, and even gave my daughter a few tries. With both of us using the app, we... read more >
Ways to safeguard against gift card exploitable vulnerabilities
In my previous blog, Hacking Gift Cards, I outlined how you can get free food by enumerating valid gift cards with Burp Intruder. This blog continues that narrative, but adds in other types of cards and attack vectors. In addition, I’ll illustrate some problems with gift card balance checking, and how gift cards can be easily enumerated without the card holder’s knowledge or permission. In some cases, the security surrounding a gift card is so bad you don’t even need to use Burp Intruder.Prerequisites:
Burp Suite Professional
In Hacking Gift Cards Part 1, I discussed six gift cards that had a discernible pattern. Identifying the pattern allowed us to find values on cards that were already sold and had value. In searching for more targets, I... read more >