This Week in Security: Election Bug Bounty, Malaysia Breach

U.S. Election System Bug Bounty Program

Newly unveiled legislation proposes to allow researchers to legally follow Russia’s footsteps in hacking the U.S. voting system. Similar to the “Hack the Pentagon” campaign, the proposed “Cooperative Hack the Election Program” would provide legal safeguards and rewards for researchers to find vulnerabilities in voting systems outside of election seasons. If this goes anything like the Chaos Computer Club’s examination of German election software, there should be plenty of vulnerabilities exposed for fixing.

This is a great first step, but it focuses on only one facet of the problem. Other defensive measures, such as maintaining paper ballots and statistical spot-checking, are crucial for detecting successful election hacks and recovering from them.

Either way, here’s hoping this sort of program can find its way through the legislative process and out into the light of day. Last year, we demonstrated our own research on voting machine insecurities, which is worth a look (we think).

Code-Signing Certs More Valuable Than Guns

Just in case you’re looking to cash in big on the darknet black market (Cylance does not endorse this), forget drugs, guns, and forged passports. The real money is in code-signing certificates.

Research conducted by the Cyber Security Research Institute (CSRI) on behalf of Venafi found that such certificates fetched up to $1,200 and, unlike handguns and other physical objects, could be continually sold to buyers until revoked.

Used as an authentication measure to prevent execution of malware and untrusted programs, these certificates are valuable for malware authors looking to present their malware as legitimate trusted software.

Everyone in Malaysia Affected by Breach

Another week, another breach. This time, a massive collection of data from various Malaysian sources has been discovered for sale. Unfortunately, it looks like it affects just about everyone in Malaysia, as well as some non-Malaysians.

Targets included Malaysian government entities such as the Malaysian Medical Council, the Malaysian Medical Association, Academy of Medicine Malaysia, and many others. The most significant source of personal information, such as names, addresses and phone numbers, is records from a wide range of Malaysian telcos. In total, the dump contains over 50 million records combined from various sources, with breach dates ranging between 2012 and 2015.

With massive breaches becoming more of a rule than an exception, it’s unclear what can be done to clean up after them. They often involve information that’s difficult or unreasonable to change, and so many people are affected that the damage will likely last for years.

In this case, it really seems like the best option is proactive, comprehensive defense to prevent breaches in the first place, combined with visibility into infrastructure to detect a breach as soon as possible when one happens.