Decrypted: Hackers show off their exploits as Black Hat goes virtual
![](data:image/svg+xml;charset=utf-8,<svg height="574" width="1024" xmlns="http://www.w3.org/2000/svg" version="1.1"/>)
Image Credits: Treedeo / Getty Images
Every year hackers descend on Las Vegas in the sweltering August heat to break ground on security research and the most innovative hacks. This year was no different, even if it was virtual.
To name a few: Hackers tricked an ATM to spit out cash. A duo of security researchers figured out a way to detect the latest cell site simulators. Car researchers successfully hacked into a Mercedes-Benz. A Windows bug some two decades old can be used to plant malware. Cryptocurrency exchanges were extremely vulnerable to hackers for a time. Internet satellites are more insecure than we thought and their data streams can contain sensitive, unencrypted data. Two security researchers lived to tell the tale after they were arrested for an entirely legal physical penetration test. And, a former NSA hacker revealed how to plant malware on a Mac using a booby-trapped Word document.
But with less than three months until millions of Americans go to the polls, Black Hat sharpened its focus on election security and integrity more so than any previous year.
Here’s more from the week.
THE BIG PICTURE
A major voting machine maker is finally opening up to hackers
The relationship between hackers and election machine manufacturers has been nothing short of fraught. No company wants to see their products torn apart for weaknesses that could be exploited by foreign spies. But one company, once resistant to the security community, has started to show signs of compromise.
Election equipment maker ES&S is opening up its voting machines to hackers — willingly — under a new vulnerability disclosure program. That will see the company embrace hackers for the first time, recognizing that hackers have knowledge, insight and experience — rather than pushing them away and ignoring the problems altogether. Or, as the company’s security chief told Wired: “Hackers gonna hack, researchers gonna research.”
Senators demand to know why election vendors still sell voting machines with ‘known vulnerabilities’
![](data:image/svg+xml;charset=utf-8,<svg height="450" width="800" xmlns="http://www.w3.org/2000/svg" version="1.1"/>)
That’s a world away from its position a year ago, under which ES&S was notoriously tightlipped about its technology and used its market power to influence regulations, Wired reports.
Open doors are a start, but the program is not a panacea. There are a ton of threats that face the election, and not just the machines we use to vote. But it will make the final voting process more secure, reliable and increase the integrity of the final result.
The State Department now has a bounty for foreign election meddling
In related election news, the State Department is offering its own bounty of up to $10 million for information relating to the identification or location of those working for a foreign government “for the purpose of interfering” with U.S. elections by way of cyberattacks and spreading disinformation.
In other words, State put a huge target on the back of anyone wanting to launch cyberattacks or hacks with the express intent on meddling with the upcoming — and future — elections.
To start with, the message was unsolicited and came in the middle of the night — around 1am Iran time — according to several recipients I spoke too. The gut feeling many had when they saw the SMS was that they were being targeted by hackers. Here’s one reaction:
pic.twitter.com/T6fYqESO4l — Raphael Satter (@razhael) August 6, 2020
![](data:image/svg+xml;charset=utf-8,<svg height="72" width="72" xmlns="http://www.w3.org/2000/svg" version="1.1"/>)
How the State Department went about it, though, raised eyebrows. State admitted it was behind a confusing mass text message campaign in Iran and Russia — where state-backed election meddlers are known to operate — soliciting tips for the whereabouts of election hackers and spreaders of manipulated media. Locals likened the campaign to “propaganda leaflets dumped out of the back of an aircraft,” reports Reuters. Others simply laughed. Even the Russian foreign ministry joked the State Department’s website would be “overwhelmed with denunciations.”
Clearly, it caught attention — if not for the wrong reasons.
MOVERS AND SHAKERS
Computer science professor Matt Blaze, one of the foremost experts on election security, gave one of two of this year’s Black Hat keynote speeches. In it, he described myriad attacks and threats that modern elections face, from vote tampering through to deliberately knocking systems offline.
Blaze said election security is one of the toughest problems he’s encountered. Every district, municipality and state takes a different approach to elections. Much of the differences are at the voting booths themselves. Many voting machines are electronic, but not all have an auditable paper trail. That’s a huge problem that security experts — and policymakers — have wanted to change.
“These attacks are not merely theoretical,” Blaze said. “In fact, every current voting system that’s been examined is terrible in some way and probably exploitable.”
But Blaze offered a glimmer of hope. Foreign election meddlers may not want a particular candidate to win, he said. Much of their efforts are about sowing discord and confusion. “They may be satisfied with simply disrupting the overall process and casting doubt on the legitimacy of the outcome and making it difficult to vote or to know who won,” he said.
Even with months to go before Election Day, Blaze pressed officials to “prepare” for a wide range of scenarios that haven’t been thought of before. With the possibility of election suppression already compounded by the logistics of voting during a pandemic, Blaze said a free and fair election was possible.
“We can do this, but we need to engage now,” he said.
$ECURITY $TARTUPS
Censys, a search engine for internet devices, has raised $15.5 million in its Series A fundraise. The Ann Arbor, Michigan-based company will use the round to better its internet mapping technology, allowing it to see more of the internet’s underbelly than before. Enterprises use Censys to see how exposed their networks are to the wider internet — ergo, avenues for attackers to strike.
Meanwhile, GreyNoise, a startup that helps to analyze the internet’s background noise to filter out actionable security alerts and attack activity, has raised close to $5 million in seed funding. Security pros use GreyNoise to reduce false-positive alerts and take action when necessary.
Email security company Ironscales also raised this week — some $8 million in an extension to its Series B, led by Jump Capital. Ironscales helps enterprises detect and prevent email phishing.
And, Perimeter 81 has closed a massive $40 million funding round after the company’s revenues spiked fourfold. It’s the company’s third raise in the past eight months. Perimeter 81 lets companies allow its remote workers access to internal applications.
Send tips securely over Signal and WhatsApp to +1 646-755-8849.
![](data:image/svg+xml;charset=utf-8,<svg height="99" width="187" xmlns="http://www.w3.org/2000/svg" version="1.1"/>)
![](data:image/svg+xml;charset=utf-8,<svg height="105" width="187" xmlns="http://www.w3.org/2000/svg" version="1.1"/>)
![](data:image/svg+xml;charset=utf-8,<svg height="107" width="187" xmlns="http://www.w3.org/2000/svg" version="1.1"/>)
![](data:image/svg+xml;charset=utf-8,<svg height="125" width="187" xmlns="http://www.w3.org/2000/svg" version="1.1"/>)
