27.10.16

Election hacking FAQ: 2016 US presidential election edition


With all the recent headlines about “hacking the vote” and “voting hacked”, quite a few people are asking if hackers could change the outcome of the 2016 US presidential election. Unfortunately, it is impossible to provide a responsible answer to that question in just a few words, so for folks interested in the many complex issues that this question raises, I’ve compiled a list of objective, non-partisan answers to 10 Frequently Asked Questions on the topic of election hacking.
I’m going to start with a fundamental question, the answer to which provides some necessary context for the rest of the questions.
Q1. It’s 2016, why aren’t we voting online?
A1. Voting for the 2016 US presidential election is not online because secure internet voting is not possible in the US given the currently deployed technology. The vast majority of voting in the US presidential election takes place on systems that are not connected to the internet (in my professional opinion, given the current state of internet security, this is a good thing). There is more about the technology requirements for internet voting in the answer to Question 10.
For a comprehensive overview of the security issues unique to voting, I recommend reading “If I Can Shop and Bank Online, Why Can’t I Vote Online?” by David Jefferson, a computer scientist at Lawrence Livermore National Laboratory. Although it was written a few years ago, this essay remains an accurate statement of the bottom line: The highly distributed and diverse voting processes used for the US presidential election give a level of security that is different from, and higher than, that required for online banking or shopping. In other words, changing the outcome of the US presidential election through digital manipulation of the voting process is a lot harder than stealing money from an ATM or making a fraudulent online purchase.
Q2. If it’s so hard to rig the election by hacking the vote, why is everyone talking about it?
A2. There are several reasons for the current conversations about vote hacking.
i. Some polling places still use badly designed electronic voting machines. For many years, security and voting experts such as myself have called for these machines to be removed from the process. Because they are unfortunately still in use in some places, they show up in the media during every election cycle under headlines about voting machine hacking. Sadly, these articles often fail to address how these admittedly deplorable machine vulnerabilities could be exploited in an actual election-rigging scenario. The reality is that it would be very difficult to produce undetectable bogus voting outcomes without a large and coordinated effort by a determined entity that has a considerable in-country presence.
ii. One of the two leading 2016 presidential candidates has repeatedly claimed that the election is rigged and, despite a lack of evidence, some people assume that this candidate’s assertions mean fraudulent voting can take place at a scale that would determine the outcome of the election. They tend to cite headlines about “vote hacking” without reading the whole article, which may go on to say “this security issue will have no effect on the election” (other than a possible psychological effect, see Q8).
iii. Historically there have always been some politicians and public figures who find it convenient to say the presidential election is rigged. For example, if you think your candidate is going to lose, then claims of a rigged election before the votes are counted offer an excuse if they lose. Claims of a rigged election can also serve to undermine the authority of the eventual winner of the election, something you might want to do if you think it gives you political advantage (although there are numerous potential downsides to this strategy including the eventual repudiation of your strategy by voters in future elections).
Prior to the introduction of computers into the election machinery, claims of vote rigging centered on fraudulent balloting by dead people or people voting more than once, and so on. Those strategies led to the complex system of checks and balances in the voting processes that are used today. This system can block fraudulent voting before it happens and also detect it after the fact so that it can be remediated.
iv. In 2016 we have seen several hacking incidents directed at parts of the voting system and some of the players in the election. However, none of these have impacted the integrity of the voting process (see Q6).
v. A popular television program called Mr. Robot uses the tag line “Our democracy has been hacked” although frankly I didn’t see much democracy hacking in the program. I did see numerous realistic depictions of hacking activity that were technically accurate, but it is important to remember that Mr. Robot is not technically accurate in its portrayal of reality (my own take is that Mr. Robot is a science fiction/fantasy taking place in an alternative reality where the world economy is dominated by a single “too-big-to-fail” corporation.)
Q3. What exactly do you mean by “hacking the vote” and “hacking the election”?
A3. By hacking the vote I mean unauthorized access to, or manipulation of, information systems used in the voting process. This includes breaking into digital devices used for voting and denial of service attacks targeting any of these systems. What is not included is “hacking the election” in the sense of manipulating public opinion, like a disinformation campaign. Such actions are more accurately described as “information warfare” and not hacking, although information warfare may well use hacking. For example, you might be able to influence the outcome of an election like this: first you hack source A which has ties to your opponent; then you make sure the public knows that source A has experienced a security breach; finally you publish documents that appear to come from source A and have been doctored to make your opponent look bad. However, this is an indirect swaying or disruption of the vote, in that the votes would still reflect the intentions of the voters who cast them.
Q4. Can the voting machines used in the 2016 US presidential election be hacked?
A4. Yes, some of the voting machines used in the 2016 US presidential election can be hacked, but that in itself does not mean the election can be hacked. Millions of cars and trucks on the road today can be hacked, but that doesn’t mean they are being hacked or that we should stay off the roads. Converting the exploitation of vulnerabilities in certain electronic voting devices into fraudulent vote totals on Election Day would require considerable “meatspace” resources (meatspace = people in the flesh, real world operatives prepared to commit crime as opposed to criminal hackers who remain relatively untouchable in cyberspace).
There are two main reasons that hacking voting machines to affect an election outcome does not scale well. First, the US has not embraced internet voting. Very few voting machines are networked and even fewer are on the internet. The lack of network connections between voting systems actually works as a safeguard and imposes a manpower burden on would-be fraudsters. Second, voting in US presidential elections is a highly fragmented process. Each state votes separately and within each state there are scores of different voting jurisdictions (some 8,000 altogether). So, for example, it is not like you can use a phishing email to infect Arizona’s voting machines and thereby steal the election.
A further level of protection against translating election machine vulnerabilities into a rigged election outcome is the numerous checks and balances in the US voting system, as discussed in Q5. So, even if you individually hacked Arizona’s unconnected voting machines to produce fraudulent vote totals on Election Day it is highly probable that this would be detected and subject to intense scrutiny, auditing, even a recount. And yes, I know that some voting systems make doing an audit and a recount very difficult (the main problem is Direct Recording Electronic or DRE machines that have no paper trail for backup). But if the goal is to get away with a fraudulent outcome by hacking voting machines, my opinion is that such a goal would be very hard to reach, even if the attempt produces a logistical problem that is very difficult to solve.
Q5. What checks and balances exist to ensure people don’t get away with hacking votes?
A5. I’m inclined to let Chris Ashby answer this. Chris is a leading member of the Republican National Lawyers Association with a lot of election experience. His recent article “The Election Is Not Rigged” provides a pretty good summation of the checks and balances so I am quoting him at length here as he explains how “election laws anticipate human error and cheating, and guard against them at multiple levels”:
· Private citizens — not government bureaucrats — serve as the “clerks,” “inspectors,” “officers” or other election officials who run our polling places and conduct the voting.
· Most state laws permit local political parties to appoint or nominate these officials, and require a roughly even partisan balance between them.
· The law also permits parties and candidates to send pollwatchers into each polling place to stand over the election officials and monitor them as they work.
· Election officials count votes and tally results.
· Candidate and party representatives also observe this process.
· Following the election, there is a public canvass at which the election night results are redetermined, to make sure that they are aligned.
I urge everyone to read Mr. Ashby’s article, which goes on to list five very difficult things you would have to do to rig the election, on top of which “you’d still have to Jedi-mind trick lawyers, political operatives and state election administrators, all of whom scrub precinct-level returns for aberrant election results, and scrutinize any polling place result that is not in line with what they would have expected, based on current political dynamics and historical election results.”
Still not convinced? How about this recent quote from Senator Marco Rubio of Florida, where voting is carried out by the state’s 67 counties, with each one operating independently of the other: “I promise you there is not a 67-county conspiracy to rig this election.” Or this, from Texas Secretary of State Carlos Cascos: “Texas has 254 counties using a variety of voting methods. The decentralized system in addition to layers of checks would make changing the outcome of a statewide election essentially impossible.”
Q6. What are voter rolls and if they’ve been hacked, how can we be sure voting is accurate?
A6. Voter rolls are the lists of people who are registered to vote. These are managed and scrutinized at the local level by the 8,000 different voting jurisdictions into which the country is divided, but are typically aggregated at the state level. Numerous voter roll hacking scenarios exist, like deleting a bunch of your opponent’s supporters from the rolls or adding a bunch of fake supporters. The problem with turning these scenarios into a fraudulent election outcome is that you still need people to execute the plan at the scale required to change the outcome. For example, the fake supporters you added to the rolls need to vote, and someone needs to deflect the legitimate voters whose names you erased. And you need to do this without detection by an election workforce made up of people from both parties.
Of course, some media headlines are not helpful, like this example from Illinois: “Voter Rolls Hacked”. Yes, unauthorized persons did access records pertaining to thousands of voters, but no, they were not able to change them, as the article notes. So, as upsetting as the above-mentioned incident in Illinois might have been to the people whose information was exposed, that hack is unlikely to materially affect voting there. (For the record, some states actually allow your voter registration information to be published on the internet, see Q9.)
Q7. Could unauthorized access to the voter rolls enable hacking of the vote?
A7. You could potentially use data gleaned from the voter roll to find people who are likely to vote for the opposition and then find people to pretend to be them and cast votes for your candidate instead. But this is a tricky strategy to execute because in most voting scenarios in most states you need actual people to vote. The classic, time-honored “pen and paper in person” voting system works by having voters show up in person at the polling place and get a ballot. At that point their name is marked on the electoral roll. This is still the essence of the system under which the majority of votes are cast in the US presidential election.
If someone tries to go to the polling place and vote as you, then they are very likely to fail. Obviously they will fail if you have already voted. But even if they turn up before you and successfully pretend to be you – perhaps by knowing personal information about you that they gained by hacking – their vote is going to be invalidated when the real you turns up. Clearly, affecting the outcome of an election using this strategy is highly labor intensive.
Q8. Could all the talk about hacking during the election campaign affect the election outcome?
A8. Yes, this is a possibility. A large amount of imprecise media coverage about vote hacking could undermine confidence in the voting process. Consider articles that start with a news item – something to do with hacking and voting and the US presidential election – then proceed to a list of things that can go wrong with voting. Experts are quoted. Fear is generated. Uncertainty is expressed. Doubt is cast. And there you have the FUD trifecta, a hat-trick with the potential to undermine the US presidential election. That could mean the biggest threat to the 2016 US presidential election ends up being fear of threats to the election.
Casting doubts on the legitimacy/accuracy/security of the voting process in advance of voting is indeed one way to disrupt an election. Consider these two strategies:
i. Get people to believe that the voting system is liable to get hacked, so it’s pointless for them to vote, which could help your candidate if they are likely to benefit from low voter turnout.
ii. Get people to believe that the voting system is liable to get hacked, so if you lose you can claim the system is rigged and deny the legitimacy of the outcome.
It is interesting to note that talk of rigged elections is nothing new in American politics. Indeed, one of the current candidates openly rejected the outcome of the 2012 election, as shown in these tweets that were later deleted. It is also interesting that many of the officials overseeing elections in key “battleground states” this year are Republicans, some of whom have come forward to reassure the public about the security and legitimacy of the voting process in their respective jurisdictions, like the Florida, Iowa, and North Carolina officials quoted in this article. Additionally, it should be pointed out that the people who process our votes come from all political parties and work side-by-side in polling stations to facilitate free and fair voting.
Q9. Is it true that voter registration information from some states is published on the internet?
A9. Yes. For example, anyone with an internet connection can legally download the voter roll for every county in Florida. This information includes names, addresses, birthdays, phone numbers, even email addresses for some people. Some Floridians have two homes, so secondary out-of-state addresses are also listed for some voters. The publication of this data on the world wide web may strike many people as a huge violation of personal privacy; however, its legality stems from the idea that the voter rolls should be a matter of public record and open to challenge. Unfortunately, some public officials have not figured out that “on the internet” is categorically – and possibly catastrophically – different from “available for personal inspection in the registrar’s office during normal business hours”.
Q10. You said secure internet voting is currently impossible in the US so does that mean secure internet voting is possible in other places?
A10. One of the main prerequisites to secure internet voting in the US is a reliable means of digitally identifying and authenticating voters, of whom there are over 200 million. But there is no official national digital identification system in the US. Furthermore, past efforts to create one have run into serious opposition. Back in the 1990s I spoke with the CEO of a smartcard manufacturing company who had received death threats after President Clinton suggested all Americans could carry chip cards that gave healthcare providers access to a national database of their medical data.
That said, some countries have embraced digital identities, notably Estonia, which has carried out some national elections over the internet. One factor on Estonia’s side is scale: it is a small country with a population less than half that of San Diego County, just one of 3,000 counties in the US. Furthermore, Estonia is where the NATO Cooperative Cyber Defence Centre of Excellence is located (the CCD COE is an international military organization that develops the cybersecurity capabilities of NATO countries).
In other words, it may be possible to vote securely over the internet in a tightly controlled environment that is heavily defended, with a small population of digitally-savvy citizens. That said, it is still possible for errors to occur. Just take a look at this slide from a talk a few years ago at a meeting of non-partisan organisation Verified Voting. It shows actual lines of code from Estonia’s internet voting software. Admittedly that was a few years ago, and I’m assuming the problem has since been addressed, but still, this is not reassuring.
The slide was in a presentation by Joe Kiniry, a researcher who has studied internet voting for many years. Joe is a former professor at the Technical University of Denmark where he was Head of the Software Engineering Section. He is now CEO and Chief Scientist at Free & Fair, an elections technology consultancy, and a Principal Investigator at Galois in Portland, Oregon. In other words, he knows a thing or two about voting systems. He is widely quoted in that article I cited in Q4 about DRE voting machines.
Bonus Question! Could a DDoS attack be used to hack the 2016 US presidential election?
A. On Friday, October 21, a large Distributed Denial of Service (DDoS) attack caused sporadic internet service disruption in the US (we wrote about the attack here). This has raised fears that such an attack could happen on Election Day, November 8. However, while such an attack could interfere with internet-enabled media reporting of election-related activity, the above-mentioned lack of internet connectivity among voting systems would shield them from a DDoS attack. Election officials would still be able to count votes and report totals.

Summary

Hopefully this FAQ has been helpful. To be clear, I agree with many of my fellow security researchers that the US needs to get rid of vulnerable voting equipment, preferably long before the 2020 presidential election. And I acknowledge the feasibility of scenarios put forward by some of my colleagues in which a relatively small amount of election hacking/rigging could change the outcome in a close race. Yet I still believe that, as things stand right now, such efforts would be detected and eventually thwarted.
What seems undeniable when you examine these issues is that we all need to do a better job of educating our fellow citizens about how voting actually works in practice so that we can have meaningful discussions about its security and legitimacy, preferably unencumbered by myths and misconceptions, not to mention unsupported and illogical allegations.

The Hive Mind: When IoT devices go rogue



The Internet of Things (IoT) has been referred to by many different names in the past year: the Internet of Terror, the Internet of Trash and a few other catchy monikers that reflect the large number of vulnerabilities in the new devices that are increasingly present in many homes.
Things like smart thermostats, internet camera devices, internet enabled refrigerators and smart washing machines fall into the IoT category. These devices, while presenting a multitude of functionality for controlling various mundane aspects of everyday life, such as locking your front door and turning off appliances in your home, also offer criminals a new attack platform: your appliances.
Now, attackers are leveraging these new, IP based devices to launch some of the most torrential network distributed denial of service (DDoS) attacks that have been recorded in history. What are the inherent risks associated with these devices? What is the best way to protect home devices from being attacked by outside users? Is there a happy medium between usability of IoT devices and security?
We will look closely at these aspects, provide some insight into the rise of the Hive Mind (infected and affected IoT devices), and discuss the best ways to make sure your devices are not affected by malicious actors.
IoT devices
The Internet of Things can best be described as “the internetworking of physical devices, vehicles (also referred to as ‘connected devices’ and ‘smart devices’), buildings and other items, embedded with electronics, software, sensors, actuators, and network connectivity that enable these objects to collect and exchange data”.
In short, it takes the devices in your home, combines them with a few controllable electronic components, adds a network interface, then calls them ‘smart’ because you can now control them with a phone, computer or tablet. The goal is to automate the home or business in a similar fashion to a computer or any other automated process.
If a process does not need to run constantly, you can have it shut down, like a light. You can schedule jobs, like washing clothes, and perform conditional tasks, like turning off the heater if the temperature exceeds a certain threshold. The theory is sound: having these items work for you – instead of you working for them – offers you more free time, and allows you to do things that you could not have imagined doing with household appliances (like getting alerts on your phone if someone approaches your front door, or locking the doors of your home from half a world away).
Looking deeper at the business and industrial sectors, items like critical city infrastructure and centrifuges are controlled by computer-based systems instead of manual controls, and every day more of them become controllable through network-based interfaces. Granted, the perimeter defenses of critical infrastructure (government, enterprise business) should be hardened; even so, on a few occasions attacks have been able to jump from digital code to affecting physical objects (remember Stuxnet?). The next portion is best summarized in the Spider-Man comic series: “With great power, comes great responsibility.”
IoT Security Problems
Mention IoT to security experts and the whole ordeal becomes the “Tower of Security Babble”. There is no unification in theory, coding or protection methods for these devices. People have different ideas on how best to protect the devices. Some go with the theory of placing a firewall-like device in your home or business to filter traffic and restrict control of the devices to authorized users.
Some companies are looking at certificate-based options, allowing only parties with the appropriate security certificate to control the devices, removing unauthorized users from the equation. In the end, there are so many options that sometimes the easiest ones are missed, like using a default password that everyone knows. Also, under no circumstance, in 2016, should a telnet server be running on a public facing device.
Why? Well, a few weeks ago, the Mirai virus source code was released on the regular internet as well as various darknet avenues. The malware was used most recently in an attack on the Brian Krebs website. The attack generated such record amounts of traffic that the company Akamai had to remove the Krebs website from its servers, as it was too damaging to keep it in place. Google eventually stepped in with its Project Shield, a service that aims to assist journalists and other public-facing people who suffer a DDoS attack.
The malware itself is very basic and, as the code reveals, seemingly not yet complete. The issue remains that it still works well. It is written in C and Go, a recent programming language created by Google in about 2007. The malware package is cross-platform and runs on both 32- and 64-bit architectures, allowing for a greater infection platform. It has three main components: a command and control module that phones home and allows for communications; a network scanner that allows for pivoting and the further infection of other IoT devices; and an attack module, allowing for the use and abuse of legitimate network traffic once a target is defined by the command module.
The scary part of this is that the malware will infect (and has infected) other IoT devices by scanning a network and abusing a protocol (Telnet) that was originally created in 1969 and offers little in the way of security. The other scary part is that the affected devices accept one of 65 well-known and widely used passwords for Telnet authentication, which, when utilized, leads to the compromise of the device, turning it into another zombie in the IoT bot army.
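The scanner behaviour described above is visible from the defender's side as one internal device contacting many different hosts on the Telnet port in a short time. The following detection sketch is an added example, not code from the original article; the log line format, the sample records and the thresholds are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

# Constructed sample of outbound-connection records from a home/office gateway.
# The line format is an assumption made for this example, not a real product's.
SAMPLE_LOG = """\
2016-10-21T11:10:01 SRC=192.168.1.20 DST=198.51.100.7 DPT=443
2016-10-21T11:10:02 SRC=192.168.1.50 DST=203.0.113.11 DPT=23
2016-10-21T11:10:03 SRC=192.168.1.50 DST=203.0.113.87 DPT=23
2016-10-21T11:10:03 SRC=192.168.1.20 DST=192.168.1.1 DPT=23
2016-10-21T11:10:04 SRC=192.168.1.50 DST=198.51.100.140 DPT=23
2016-10-21T11:10:05 SRC=192.168.1.50 DST=198.51.100.9 DPT=23
2016-10-21T11:10:06 SRC=192.168.1.20 DST=192.168.1.1 DPT=23
2016-10-21T11:10:07 SRC=192.168.1.50 DST=203.0.113.200 DPT=23
2016-10-21T11:10:09 SRC=192.168.1.50 DST=192.0.2.33 DPT=23
2016-10-21T11:10:10 SRC=192.168.1.50 DST=
2016-10-21T11:12:00 SRC=192.168.1.30 DST=203.0.113.1 DPT=23
2016-10-21T11:14:00 SRC=192.168.1.30 DST=203.0.113.2 DPT=23
2016-10-21T11:16:00 SRC=192.168.1.30 DST=203.0.113.3 DPT=23
2016-10-21T11:18:00 SRC=192.168.1.30 DST=203.0.113.4 DPT=23
2016-10-21T11:20:00 SRC=192.168.1.30 DST=203.0.113.5 DPT=23
"""

Event = namedtuple("Event", "ts src dst dport")
LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) DPT=(\d+)$")


def parse_line(line):
    """Parse one record; return None for truncated or malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    return Event(ts, m.group(2), m.group(3), int(m.group(4)))


def find_telnet_scanners(lines, ports=(23,), window=timedelta(seconds=60),
                         min_targets=5):
    """Flag sources that contact many distinct hosts on Telnet within `window`.

    Returns {source_ip: highest count of distinct destinations seen in any
    window}. Lines are assumed to arrive in chronological order.
    """
    recent = defaultdict(deque)   # source -> (timestamp, destination) pairs
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.dport not in ports:
            continue
        q = recent[ev.src]
        q.append((ev.ts, ev.dst))
        # Drop events that have fallen out of the sliding window.
        while ev.ts - q[0][0] > window:
            q.popleft()
        # Repeated sessions to one host (e.g. an admin's router) count once.
        distinct = len({dst for _, dst in q})
        if distinct >= min_targets:
            flagged[ev.src] = max(flagged.get(ev.src, 0), distinct)
    return flagged


if __name__ == "__main__":
    for src, n in find_telnet_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {n} distinct Telnet destinations in 60s; isolate and inspect")
```

In the constructed sample only 192.168.1.50 is flagged; the host that repeatedly opens Telnet to a single router and the host whose connections are spread over several minutes stay below the threshold.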
While this article was being written, another attack hit. On Friday, October 21st, Dyn DNS was hit by one of the largest cyberattacks recorded, removing access for millions of users to notable sites like Amazon, Netflix, Etsy and a whole lot more. These are the first strikes in what is due to be a very fast and expansive spread of IoT-based botnets (more insight on this from Stephen Cobb). With all of these vulnerabilities and attacks taking place, how can you protect yourself or your business from being taken advantage of online when using IoT devices?
IoT protection
When using these devices, look at them like another computer asset in your organization. If you are using them in the house, look at them as a door that needs to be locked. Using just a few of these steps can help reduce attacks or future infection of your IoT based devices:
1. Change the default password. This can be a chore; however, it is a very manageable step to remove a vulnerability from your network.
2. Use an HTTPS interface when possible. If you log in using a computer to manage your devices, default to an HTTPS gateway, preventing cleartext or man-in-the-middle attacks from affecting your password or device security.
3. If you do not need it, turn it off. If the device offers extra connection protocols (SSH, Telnet, other) that are not in use and they have the ability to be turned off, disable them immediately. Removing the port from a listening state removes the ability for it to be exploited.
Using just these three simple and basic items will greatly reduce the ability of an attacker to utilize your IoT device (and more importantly, the network traffic it generates) as a weapon of cyberwar.
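One way to check your own devices against the three steps above, as an added example that is not part of the original article: the inventory, addresses, port states and the `sample_probe` stand-in are constructed assumptions, and whether the password was changed is recorded by the owner rather than tested over the network.

```python
import socket
from collections import namedtuple

TELNET, SSH, HTTP, HTTPS = 23, 22, 80, 443

# password_changed is the owner's own record; this script never tries credentials.
Device = namedtuple("Device", "name host password_changed needs_ssh")


def tcp_open(host, port, timeout=1.0):
    """Return True if something accepts TCP connections on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(device, probe=tcp_open):
    """Return a list of (step, finding) tuples for one device you own."""
    findings = []
    # Step 1: default password.
    if not device.password_changed:
        findings.append((1, "default password has not been changed"))
    listening = {p for p in (TELNET, SSH, HTTP, HTTPS) if probe(device.host, p)}
    # Step 2: HTTPS for management. Treating leftover plain HTTP as a finding
    # is this example's choice.
    if HTTP in listening and HTTPS not in listening:
        findings.append((2, "management interface is plain HTTP only"))
    elif HTTP in listening:
        findings.append((2, "HTTPS is available but plain HTTP is still enabled"))
    # Step 3: extra protocols that are not needed.
    if TELNET in listening:
        findings.append((3, "Telnet is listening; turn it off"))
    if SSH in listening and not device.needs_ssh:
        findings.append((3, "SSH is listening but not in use; turn it off"))
    return findings


def audit_inventory(devices, probe=tcp_open):
    """Audit every device and return {device name: findings}."""
    return {d.name: audit(d, probe) for d in devices}


# Constructed inventory and port states so the example runs offline.
SAMPLE_INVENTORY = [
    Device("camera", "192.168.1.60", password_changed=False, needs_ssh=False),
    Device("nas", "192.168.1.61", password_changed=True, needs_ssh=True),
    Device("thermostat", "192.168.1.62", password_changed=True, needs_ssh=False),
]
SAMPLE_LISTENING = {
    "192.168.1.60": {TELNET, HTTP},
    "192.168.1.61": {SSH, HTTPS},
    "192.168.1.62": {SSH, HTTP, HTTPS},
}


def sample_probe(host, port):
    """Stand-in for tcp_open that answers from SAMPLE_LISTENING."""
    return port in SAMPLE_LISTENING.get(host, set())


if __name__ == "__main__":
    report = audit_inventory(SAMPLE_INVENTORY, sample_probe)
    for name, findings in report.items():
        for step, text in findings:
            print(f"{name}: step {step}: {text}")
        if not findings:
            print(f"{name}: no findings")
```

Calling `audit_inventory(devices)` without the second argument uses real TCP connections, so point it only at addresses on your own network.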

26.10.16

ESET launches its new range of Internet Security products for home users


ESET® today announces the availability of its range of premium security solutions for home users – ESET Smart Security Premium, based on its award-winning NOD32 technology, which offers the best mix of detection, speed and ease of use. In addition, the high-end product also includes ESET Password Manager, for simpler and more secure validation, and ESET Secure Data, for easier and even more powerful encryption.
“As internet threats become ever more diverse, users have a greater need for complex internet security suites with functionality based on their individual preferences. Our new product portfolio is fully in line with these trends,” says Marc Mutelet, CEO of MGK Technologies, exclusive distributor of ESET for Belgium and Luxembourg.

ESET consistently performs extremely well in independent tests and has received the prestigious VB100 award 98 times, the highest score for a single product. Recently, in the SE Labs Home Anti-Malware Protection test, it was the only solution with 100% protection among all security products, and it achieved the highest score in the AV-Comparatives Performance Test. ESET was also the undisputed number 1 for spam protection in the VBSpam Test and the AV-Comparatives Anti-Spam Test.

With this new product range, ESET emphasises the need for privacy when using a PC or laptop. ESET Webcam Protection, available with ESET Smart Security Premium and ESET Internet Security, controls access to the camera so that the user is fully protected. The user can see and block or allow processes and applications, and disable the computer's camera so that those processes have no access.
With ESET Smart Security Premium, users can for the first time also enjoy the brand-new ESET Internet Security. The legendary ESET NOD32® Antivirus 10, with improved protection against script-based attacks, remains the ideal suite for gamers.
The ESET product portfolio for home users has many features that have proven their value, such as Banking & Payment Protection, Antispyware, Anti-Phishing, Exploit Blocker, a superior Personal Firewall and the ESET LiveGrid® Reputation System.
“The new protection layers of ESET Smart Security Premium further increase users' overall security. In addition to excellent protection against malware threats, ESET users can now also protect their files, passwords, webcams and even their entire home network with one and the same integrated solution,” says Marc Mutelet.

What's new
Script-Based Attack Protection detects attacks by malicious scripts that try to abuse Windows PowerShell. It also detects malicious JavaScript code that can attack via the browser; all major browsers are supported.

Home Network Protection lets home users test their routers for vulnerabilities such as weak passwords or outdated firmware, and also offers options to remedy them. It also provides an easily accessible list of known devices, classified by type, and shows which ones are connected. This lets users see how secure their home network is.
Webcam Protection monitors the processes and applications that access the webcam connected to the computer and issues notifications when unwanted applications try to access the camera.
ESET Password Manager uses AES-256 encryption – the leading standard worldwide – to store and pre-fill all of the user's passwords. It can also generate and store new, extra-strong passwords when the user needs them.
ESET Secure Data protects against data theft in the event of a lost USB stick or laptop. It also enables secure collaboration and data sharing.

Visit www.eset.com to learn more about the ESET product range.

ESET launches its new consumer security products



ESET® announces the availability of its new premium security solution for consumers, ESET Smart Security Premium, built on its award-winning NOD32 technology and offering the best combination of detection, speed and usability. In addition, this high-end solution includes ESET Password Manager, a password manager for simpler and more secure validation, as well as ESET Secure Data for easy and robust encryption.
“As threats coming from the internet become more and more varied, users need more complex security solutions with features based on individual preferences. Our new product portfolio fits this trend perfectly,” explains Marc Mutelet, CEO of MGK Technologies, exclusive distributor of ESET products for Belgium and Luxembourg.
ESET consistently achieves excellent results in independent tests. With 98 VB100 awards, it is by far the product most often awarded by Virus Bulletin. Recently, ESET was the only security solution offering 100% protection among the products tested in SE Labs Home Anti-Malware Protection. ESET also achieved the highest score in the AV-Comparatives Performance tests among all internet security products. In addition, ESET was ranked number 1 in spam protection, and led the VBSpam Test as well as the AV-Comparatives Anti-Spam Test.
The new ESET product range emphasizes the need for privacy when using a PC or laptop. ESET Webcam Protection, available with ESET Smart Security Premium and ESET Internet Security, manages access to the camera and thereby protects the user. The user can view and block or allow processes and applications, and disconnect the camera so that they cannot access it.
With ESET Smart Security Premium, users can also benefit from the brand-new ESET Internet Security for the first time. The legendary ESET NOD32® Antivirus 10 remains the ideal suite for gamers, with improved protection against script-based attacks.
The ESET consumer product portfolio has many proven features such as banking and payment protection, Antispyware, Anti-Phishing, Exploit Blocker, an advanced personal firewall and the ESET LiveGrid® Reputation System.
“The new protection layers of ESET Smart Security Premium improve users’ overall security. In addition to superior protection against threats, ESET users can now protect their files, passwords, webcams and even their entire home network, all with a single integrated solution,” adds Marc Mutelet.
What’s new
Script-Based Attack Protection detects attacks by malicious scripts that try to exploit Windows PowerShell. It also detects malicious JavaScript code that can attack through the browser; all major browsers are supported.
Home Network Protection makes it possible to test the router for vulnerabilities such as weak passwords or outdated firmware, and offers options to remedy them. It also provides an easily accessible list of known devices, classified by type, and shows which ones are connected. This lets users check the security of their home networks.
Webcam Protection monitors the processes and applications that access webcams connected to the PC and informs the user when unwanted applications try to access the camera.
ESET Password Manager uses AES-256 encryption, the worldwide standard in this field, to store and prefill all of the user’s passwords. In addition, it generates and stores new, very strong passwords whenever the user needs them.
ESET Secure Data protects against data theft if a USB stick or laptop is lost, and enables secure collaboration and data sharing.

Visit www.eset.com to learn more about ESET’s flagship products and the new ESET Smart Security Premium.

Webcam firm recalls hackable devices after mighty Mirai botnet attack



Chinese electronics firm Hangzhou XiongMai (XM) says it will recall some of its IoT devices, including webcams, after claims that they were widely exploited by malicious hackers who launched a massive denial-of-service attack on Friday October 21st.
The distributed denial-of-service attack targeted domain name service Dyn, which confirmed this weekend in a statement that it was hit by a “sophisticated attack”, which included tens of millions of attacks from IP addresses associated with Mirai, a botnet comprised of hijacked IoT devices.
As a consequence, many web users found that they were unable to visit a wide array of popular online services, including Twitter, Pinterest, Reddit, GitHub, Etsy, Tumblr, Spotify, PayPal, Verizon, Comcast, and the PlayStation Network.

To be clear, the attack didn’t come entirely out of the blue.
At the end of September, the full force of the Mirai botnet was directed at the website of security blogger Brian Krebs, throwing him offline for a day or two until he regrouped under the protective umbrella of Google Project Shield.
What disrupted Krebs’s security blog, and impacted companies relying upon Dyn’s DNS services, was the Mirai botnet built on the shoulders of tens of thousands – if not millions – of hackable IoT devices, left poorly protected by default passwords that made it relatively trivial for attackers to hijack them for their own purposes.
As Reuters reports, Hangzhou XiongMai has said it will recall some of the products it has sold in the United States, strengthen passwords and send out a patch for some devices.
At first glance that sounds like a reasonably speedy reaction by the electronics firm, but it’s worth bearing in mind that its vulnerable components are used by third-party manufacturers in a wide range of white-labeled IoT goods.
It is all of these devices that are believed to be using the default username/password combination of root : xc3511.
There must be concerns that even if Hangzhou XiongMai issues a recall, the number of devices that will be returned for a fix could be shockingly small – meaning that the problem will not be going away anytime soon.
As an aside, Brian Krebs reports that XiongMai and the Chinese Ministry of Justice are considering taking legal action against what they describe as “false statements” that could damage the firm’s reputation.
Whether the threat of legal action is serious or not remains to be seen.
In the wake of the Mirai attack on KrebsOnSecurity, no less an authority than the Department of Homeland Security issued a warning to users and administrators about the steps that they should take to ensure that their IoT devices are not open to easy exploitation.
The DHS’s advice is just as sensible today, in the wake of the Dyn DDoS attack, as it was when Krebs was the one being targeted:
· Ensure all default passwords are changed to strong passwords. Default usernames and passwords for most devices can easily be found on the Internet, making devices with default passwords extremely vulnerable.
· Update IoT devices with security patches as soon as patches become available.
· Disable Universal Plug and Play (UPnP) on routers unless absolutely necessary.
· Purchase IoT devices from companies with a reputation for providing secure devices.
· Consumers should be aware of the capabilities of the devices and appliances installed in their homes and businesses. If a device comes with a default password or an open Wi-Fi connection, consumers should change the password and only allow it to operate on a home network with a secured Wi-Fi router.
· Understand the capabilities of any medical devices intended for at-home use. If the device transmits data or can be operated remotely, it has the potential to be infected.
· Monitor Internet Protocol (IP) port 2323/TCP and port 23/TCP for attempts to gain unauthorized control over IoT devices using the network terminal (Telnet) protocol.
· Look for suspicious traffic on port 48101. Infected devices often attempt to spread malware by using port 48101 to send results to the threat actor.
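The two monitoring recommendations at the end of the DHS list can be applied as a simple check over gateway logs. The sketch below is an added example, not part of the original article or the DHS advisory: it assumes firewall log lines in iptables LOG style and a home LAN of 192.168.1.0/24, the sample lines are constructed, and the "likely infected" rule is this example's own heuristic.

```python
import ipaddress
import re
from collections import defaultdict

TELNET_PORTS = {23, 2323}   # ports the DHS advice says to monitor for Telnet takeover attempts
REPORT_PORT = 48101         # port the DHS advice associates with infected devices
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumption: the home LAN range
FIELD = re.compile(r"(\w+)=(\S+)")                  # KEY=value pairs in a log line

# Constructed sample lines (iptables LOG style; addresses are documentation ranges).
SAMPLE_LOG = """\
Oct 21 11:10:02 gw kernel: IN=eth0 OUT=br0 SRC=198.51.100.7 DST=192.168.1.20 PROTO=TCP SPT=40122 DPT=23
Oct 21 11:10:03 gw kernel: IN=eth0 OUT=br0 SRC=198.51.100.7 DST=192.168.1.21 PROTO=TCP SPT=40123 DPT=2323
Oct 21 11:10:09 gw kernel: IN=br0 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.5 PROTO=TCP SPT=40500 DPT=23
Oct 21 11:10:11 gw kernel: IN=br0 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.9 PROTO=TCP SPT=51514 DPT=48101
Oct 21 11:10:15 gw kernel: IN=br0 OUT=eth0 SRC=192.168.1.30 DST=192.0.2.80 PROTO=TCP SPT=50000 DPT=443
Oct 21 11:10:16 gw kernel: IN=eth0 OUT=br0 SRC=198.51.100.9 DST=192.168.1.21 PROTO=UDP SPT=23 DPT=23
"""

def analyse(log_text):
    """Group findings per local device: inbound Telnet probes, outbound Telnet, port-48101 traffic."""
    findings = defaultdict(lambda: {"telnet_probed_by": set(), "outbound_telnet": 0, "port_48101": 0})
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("PROTO") != "TCP":
            continue  # the advice concerns TCP ports only
        try:
            src, dst = ipaddress.ip_address(f["SRC"]), ipaddress.ip_address(f["DST"])
            spt, dpt = int(f["SPT"]), int(f["DPT"])
        except (KeyError, ValueError):
            continue  # malformed or truncated line: skip rather than crash
        src_local, dst_local = src in LOCAL_NET, dst in LOCAL_NET
        if dpt in TELNET_PORTS and dst_local and not src_local:
            findings[str(dst)]["telnet_probed_by"].add(str(src))   # outside host knocking on Telnet
        if dpt in TELNET_PORTS and src_local and not dst_local:
            findings[str(src)]["outbound_telnet"] += 1             # local device opening Telnet outward
        if REPORT_PORT in (spt, dpt) and (src_local or dst_local):
            findings[str(src if src_local else dst)]["port_48101"] += 1
    return dict(findings)

def likely_infected(findings):
    """Heuristic (this example's assumption): 48101 traffic plus outbound Telnet from the same device."""
    return sorted(ip for ip, f in findings.items() if f["port_48101"] and f["outbound_telnet"])
```

On the sample lines, `likely_infected(analyse(SAMPLE_LOG))` singles out 192.168.1.20, while 192.168.1.21 is only recorded as having been probed from outside.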
And, of course, it’s worth remembering that it’s not just internet-enabled webcams, DVRs and baby monitors that are being exploited by online criminals.
Research published by ESET last week revealed that 15% of all home routers use weak passwords, and 20% have open telnet ports.
As long as insecure devices continue to be attached to the internet, there will be opportunities for malicious hackers to exploit them and use them for their own ends. The IoT botnet attacks we have seen in recent weeks may only be the tip of the iceberg.
For more commentary on the DDoS attack and its impact, be sure to read Stephen Cobb’s analysis of 10 things to know about the October 21 IoT DDoS attacks.