https://www.washingtonpost.com/business/2019/08/12/def-con-hackers-lawmaker…
Hackers were told to break into U.S. voting machines. They didn’t have much trouble.
Taylor Telford
(Steve Marcus/Reuters)
LAS VEGAS — As Sen. Ron Wyden (D-Ore.) toured the Voting Village on Friday at Def Con, the world’s hacker conference extraordinaire, a roomful of hackers applied their skills to voting equipment in an enthusiastic effort to comply with the instructions they had been given: “Please break things.”
Armed with lock-pick kits to crack into locked hardware, Ethernet cables and inquiring minds, they had come for a rare chance to interrogate the machines that conduct U.S. democracy. By laying siege to electronic poll books and ballot printers, the friendly hackers aimed to expose weaknesses that could be exploited by less friendly hands looking to interfere in elections.
Wyden nodded along as Harri Hursti, the founder of Nordic Innovation Labs and one of the event’s organizers, explained that almost all of the machines in the room were still used in elections across the United States, despite having well-known vulnerabilities that have been more or less ignored by the companies that sell them. Many had Internet connections, Hursti said, a weakness savvy attackers could abuse in several ways.
Wyden shook his head in disbelief.
“We need paper ballots, guys,” Wyden said.
After Wyden walked away, a few hackers exchanged confused expressions before figuring out who he was.
“I wasn’t expecting to see any senators here,” one said with a laugh.
In the three years since its inception, Def Con’s Voting Village — and the conference at large — has become a destination not only for hackers but also for lawmakers and members of the intelligence community trying to understand the flaws in the election system that allowed Russian hackers to intervene in the 2016 election and that could be exploited again in 2020.
This year’s programming involved hacking voting equipment as well as panels with election officials and security experts, a demonstration of a $10 million experimental voting system from the Pentagon’s Defense Advanced Research Projects Agency, and a “part speed-dating, part group therapy” session where state and local election officials gathered with hackers to hash out challenges of securing elections.
Congregants spoke often of the need for thorough auditing of election results, increased funding and improved transparency from vendors. The call for paper ballots was a common refrain. At the time of the 2018 midterm elections, Delaware, Georgia, Louisiana, New Jersey and South Carolina had no auditable paper trails.
“Election officials across the country as we speak are buying election systems that will be out of date the moment they open the box,” Wyden said in the Voting Village’s keynote speech. “It’s the election security equivalent of putting our military out there to go up against superpowers with a peashooter.”
House Democrats have introduced two bills that would require paper records to back up voting machines, mandate post-election audits and set security standards for election technology vendors. But Senate Majority Leader Mitch McConnell (R-Ky.) has repeatedly blocked votes on the bills, saying election security is the province of the states.
Last month, the Senate Intelligence Committee released a report detailing how Russian hackers probably targeted all 50 states between 2014 and 2017. Although the report did not find evidence that Russian actors tampered with vote tallies on Election Day, the committee said that hackers “exploited the seams” between federal and state authorities and that states weren’t sufficiently prepared to handle such an attack.
“In 2016, cybersecurity for electoral infrastructure at the state and local level was sorely lacking,” the report reads. “Voter registration databases were not as secure as they could have been. Aging voting equipment, particularly voting machines that had no paper record of votes, were vulnerable to exploitation by a committed adversary. Despite the focus on this issue since 2016, some of these vulnerabilities remain.”
Local election officials at Def Con echoed these fears. Joel Miller, an election auditor in Linn County, Iowa, and repeat Def Con attendee, said he has had to file Freedom of Information Act requests and a Help America Vote Act complaint to try to get answers about security concerns in the state’s voter registration system from Iowa’s secretary of state. Russian hackers attempted to infiltrate the system in 2016, and while an overhaul of the 14-year-old system is impending, officials have said it will not be replaced before 2020.
“We don’t know what’s going on with the system,” Miller said. “I’m a former IT director, and I know more about what I don’t know, but that’s almost worse than if I didn’t have a tech background. I’m aware there’s more threats out there than we can handle.”
A spokesman for the Iowa secretary of state defended the security of the state’s systems and noted that Secretary of State Paul D. Pate’s chief of staff also attended Def Con this year. “Iowa’s system is secure and we work every day to ensure it remains secure,” the spokesman, Kevin Hall, said in an emailed statement. “Cybersecurity threats are constantly evolving and we are constantly evaluating what’s in place and what gains we can make. This is a race without a finish line.”
At the Voting Village, nestled in a ballroom in the sprawling Planet Hollywood convention center, hackers put the machines’ weaknesses on display with playful flourishes, overtaking one electronic poll book to play the first-person shooter game Doom on it, or leaving Nyan Cat, a Japanese meme, sailing across the screen of another made by VR Systems. Ahead of the 2016 election, Russian hackers installed malware on VR Systems’ company network, The Washington Post reported.
The Voting Village has faced extreme pushback from voting equipment companies and government officials in the past. They’ve argued that the free-for-all environment at Def Con doesn’t replicate the realities of security on Election Day. The National Association of Secretaries of State condemned the exercise as “unrealistic” last year, and Election Systems & Software, one of the major voting machine vendors, sent a letter to its customers making the same argument.
“Physical security measures make it extremely unlikely that an unauthorized person, or a person with malicious intent, could ever access a voting machine,” ES&S wrote last year.
ES&S and VR Systems did not respond to requests for comment about this year’s village.
Hursti said vendors have used legal threats to “create a chilling effect” on research of their equipment, and that they were “actively trying to shoot the messengers” rather than reckon with the weaknesses in their products. That lack of cooperation has left organizers to search for machinery to use at the Voting Village: Some equipment was rescued from a warehouse where the roof collapsed, while other equipment was snagged in government surplus auctions or on eBay, Hursti said.
“One rebuttal is to say we give a lot of access to the machines, but in reality, that’s how research works. Whether or not you can show me how to attack this machine in x or y setting is beside the point,” Hursti said. “This is about discovering vulnerability and stopping it before weaponization.”
The first primary votes of the 2020 election will be cast in the Iowa caucuses in just a few months, but it’s impossible to patch the gaping security holes in U.S. election security by then, or even by Election Day, Hursti said.
“Everyone claiming we can fix this by 2020 is giving a false sense of security,” Hursti said. “The aim should be, can we do something by 2022 or 2024?”
Hours after the Voting Village opened, it was packed with hackers sporting T-shirts with slogans such as, “If I’m not on the government watchlist, someone isn’t doing their job” and “Come to the Dork side” — all eager to test their skills as an act of civic service. By the end of the weekend, they would uncover a litany of new vulnerabilities in the voting equipment, ranging from gallingly obvious passwords to hardware issues and exposure to remote attacks.
On Friday afternoon, one conference attendee meandered through the labyrinth of tables covered in dusty voting equipment and Pabst Blue Ribbon cans, explaining the enterprise to his less-well-versed companion.
“So, this is how the Russians did it,” he said, as a hacker near him crowed about how easy it was to pick the lock on a machine. “The fate of our whole country rests on these machines.”
He shuddered.
Sent from my iPad 2018
What sloppy programmers... :(
https://www.theregister.co.uk/2019/08/13/windows_notepad_flaw/
We checked and yup, it's no longer 2001. And yet you can pwn a Windows box via Notepad.exe
Google guru shows how WinXP-era text code grants total control
By <https://www.theregister.co.uk/Author/Shaun-Nichols> Shaun Nichols in San Francisco 13 Aug 2019 at 20:40
Patch Tuesday Software buried in Windows since the days of WinXP can be abused to take complete control of a PC with the help of good ol' Notepad and some crafty code.
On Tuesday, ace bug-hunter Tavis Ormandy, of Google Project Zero, detailed how a component of the operating system's <https://docs.microsoft.com/en-us/windows/win32/tsf/text-services-framework> Text Services Framework, which manages keyboard layouts and text input, could be exploited by malware or rogue logged-in users to gain System-level privileges. Such level of access would grant software nasties and miscreants total control over, and surveillance of, the computer.
The flaw, designated <https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019…> CVE-2019-1162, is patched in this month's Patch Tuesday release of security fixes from Microsoft. The relevant update should be installed as soon as possible.
After a lengthy investigation, Ormandy <https://googleprojectzero.blogspot.com/2019/08/down-rabbit-hole.html> discovered that the component in question, CTextFramework aka CTF, which dates as far back as the Windows XP era, is riddled with security flaws, which can be exploited via applications that interact with it to handle text on screen.
"It will come as no surprise that this complex, obscure, legacy protocol is full of memory corruption vulnerabilities," Ormandy said. "Many of the Component Object Model objects simply trust you to marshal pointers across the Advanced Local Procedure Call port, and there is minimal bounds checking or integer overflow checking.
"Some commands require you to own the foreground window or have other similar restrictions, but as you can lie about your thread id, you can simply claim to be that Window's owner and no proof is required."
With this in mind, Ormandy was able to develop a proof-of-concept tool that abused CTF, via Notepad, to launch a command-line shell with System-level privileges.
"The obvious attack is an unprivileged user injecting commands into an Administrator's console session, or reading passwords as users log in. Even sandboxed AppContainer processes can perform the same attack," Ormandy explained.
"Another interesting attack is taking control of the UAC consent dialog, which runs as NT AUTHORITY\SYSTEM. An unprivileged standard user can cause consent.exe to spawn using the 'runas' verb with ShellExecute(), then simply become System."
In the grand scheme of things, the uncovered flaws, while fascinating, are not totally Earth shattering. Elevation-of-privilege holes in Windows are a dime a dozen, and Microsoft patches what feels like scores of them a year. In order to abuse CTF, a scumbag has to be running code on your machine anyway, which is not a good situation.
Threat modeling aside, the fact that the vulnerability was found in a basic component of Windows that had been exposed to applications for more than a decade is both a testament to Ormandy's skill at bug-hunting and an example of just how complex and voluminous Windows has become over its thirty-year-plus lifetime, and what a massive challenge that complexity presents Microsoft's engineers from a security standpoint.
"These are the kind of hidden attack surfaces where bugs last for years," Ormandy noted. "It turns out it was possible to reach across sessions and violate NT security boundaries for nearly twenty years, and nobody noticed." ®
Sent from my iPad 2018
-----Original Message-----
From: Dejan Ristanovic <dejan(a)ristanovic.com>
Sent: Tuesday, August 13, 2019 1:24 PM
Subject: Evolution of the internet: Celebrating 50 years since Arpanet | Network World
https://www.networkworld.com/article/3410588/evolution-of-the-internet-celebrating-50-years-since-arpanet.html
Sent from my iPad 2018
For publication
_________
Ksenija Kostić
Marketing
www.pcpress.rs
PC Press | Osmana Đikića 4 | 11000 Beograd | Srbija
Tel: +381 11 2080-220 | Mob: +381 63 125 00 26
-----Original Message-----
From: nebojsa.raskovic(a)unitedcommunications.rs [mailto:nebojsa.raskovic@unitedcommunications.rs]
Sent: 13 August 2019 12:58
To: Ksenija Kostić <ksenija(a)pcpress.rs>
Subject: Coming press release for the month of August
Hello Ksenija,
can you publish this today or tomorrow? You are in it too :).
Respectfully,
Nebojša Rašković