FERC, Fake WhatsApp, and Google Play Bug Bounty – Hack Naked News #148
November 7, 2017
Doug White and Jason Wood discuss improvements to IoT, fooling millions of Android users, Google Play bug bounties, school boards being hacked by pro-ISIS groups, and more with Jason Wood on this episode of Hack Naked News!
Despite the benefits, new devices will lead to new security risks, and the presence of malicious code on the IoT is now very much a reality.
Persistent threat of malware in Google Play Store apps.
More code signing
Team up with HackerOne
Looking for Remote Code Execution for Android devices
Expert Commentary: Members of Congress want you to hack the US election voting system
Bug bounties are catching on at the federal government and now some US Senators want to get into the act. Senators Martin Heinrich (D-NM) and Susan Collins (R-Maine) released a draft of the Save America’s Voting Equipment Act of 2017 on October 31, 2017. This bill has three stated goals as it is currently drafted:
1. Information sharing with state election officials
2. Preserving the security and independence of state voting systems
3. Establishing a “Cooperative Hack the Election” program
In the first Title (or section), the bill lays out requirements for the Secretary of Homeland Security to sponsor state election officials for security clearances so that DHS can send them classified information. The second Title appears to be an attempt to give the federal government more influence over state elections while attempting to maintain the independence of states on election matters. It requires that the Secretary of Homeland Security declare voting systems critical infrastructure and provides provisions for states to opt into the programs described in the bill. It also establishes a requirement for grant money to upgrade voting systems and requires that participating states implement their voting systems according to “recommended best practices” as detailed in section 202 of the bill.
Title 3 is where the bug bounty is described. If enacted, the DHS will hold an annual competition “for hacking into State voting and voter registration systems”. Competitors will receive some kind of prize or award (TBD) for the “most significant” vulnerabilities discovered and will share the vulnerability data with the impacted vendors. Under Title 2 of the bill, the federal government will provide grant money to States to upgrade their systems in response to the findings from the competition. Finally, Title 4 lays out an audit program to make sure the funds granted to States are being used appropriately.
The concept of the proposed law sounds interesting, particularly having a bug bounty program built strictly for voting equipment. DEFCON already had a village for attacking voting systems, and this takes that a step further by creating an official competition with awards for participants. One of the points that interests me is that voting equipment varies quite a bit from state to state, but there is overlap in the systems used. So if two states use the same equipment and one state opts in to the program but the other doesn’t, the second state is still impacted by the results. But because they didn’t opt in to the program, they aren’t eligible for grant money (through this bill) to fix them. Non-participation appears to have a bit of a stick behind it.
If the bill comes up for debate, then I’d expect to see States argue that the law infringes on their sovereignty to conduct elections with the voting systems vendor providing their support. The bill will provide more influence over States’ voting and voter registration systems by leveraging the power of grant money and establishing a contest to discover flaws in voting systems. Still, I don’t think there are many folks in security who would argue that voting systems are secure, so I like the idea of creating a bug bounty for these systems. If the bill actually makes it to the Senate floor, watch for fireworks over State sovereignty and claims from the states and vendors that the bug bounty will make things less secure.