New WhatsApp policy will mean ads for users

How to Prepare for WhatsApp’s New Terms…and the Ads That Come With Them

I download very few apps. I have probably downloaded less than ten onto my current phone - just the weather, a pedometer app, an exercise app, Freedome of course, and a few others I consider necessary. I'm wary of the permissions they ask for and of not knowing what they are really doing with my data. I'm wary of Facebook too. I have a presence there, but I don't share much. I never, ever log in to any other service using my Facebook credentials. And after reading studies about how much your Facebook likes say about you, I'm even reluctant to like anything there. WhatsApp is one of the apps I consider necessary. It's by far my favorite and the one I use the most. So when I read the news last week that WhatsApp is going to start sharing my phone number with Facebook, although I wan't surprised, I reacted. I shared the article in all my social channels. And when I received the new Terms of Service message in WhatsApp later that day, instead of blindly clicking "Agree," I opted out of sharing information with Facebook. You can do this too, but you need to do it by September 25. This article shows you how to easily opt out, even if you've already accepted the new Terms of Service. After September 25, no one will be able to opt out. So what does the change in WhatsApp's policy really mean? WhatsApp promises no third-party banner ads will appear in the service, and they present this as a change that could, among other things, improve ad targeting in Facebook (and possibly all Facebook properties). But they also indicate they will explore marketing messages, saying, "Messages you may receive containing marketing could include an offer for something that might interest you." Our security advisor, Sean Sullivan, says the bottom line for WhatsApp users is that we can expect to begin receiving ads via WhatsApp messages. And that's whether we allow them to share our phone number with Facebook or not. "The difference is those who've allowed the phone number sharing will receive more targeted ads likely based on their Facebook Ad Preferences. And those who've opted out will receive more generic regional ads," he says. (Sean has also opted out.) To minimize ads you receive in either service, Sean recommends you manage your Facebook Ad Preferences by deleting unwanted sections. This could result in fewer Facebook ads, and possibly fewer WhatsApp ads as well. I hate to think of my WhatsApp experience bothered by ad messages. But I guess now it's clear why WhatsApp dropped their $1/year subscription fee in January. When you aren't paying for the product…you know the rest. If you’re looking for a less marketingy sort of experience, you could always try Signal or Wickr.   Image courtesy of Sam Azgor, flickr.com

August 31, 2016
Back to School devices

How to Get Your Kids and Devices Ready to Go Back to School

When it comes to technology, students are more connected than ever. But there also seems to be a serious disconnect between what kids and parents think about teens online activity. A recent survey of online teens conducted for the Cybersecurity Alliance found that 6 of 10 students had created social media accounts without their parents knowledge. But only 28 percent of parents suspected their offspring had secret accounts. This suggests a lot of parents are just plain oblivious of their kids' online sneakiness. And other findings are equally troubling. While two-thirds of parents expected their kids would report any online incident that made them uncomfortable, only one-third of students said they would report such incidents. And just under half of the teens said they'd seek their parents help for problems online compared to the 65 percent of moms and dads who expected their teens to share their online problems with them "most" or "all the time." This confusion between what teens and parents think about online conduct suggests that parents need to be more proactive in preparing their kids for the challenges of having access to the world through devices that fit in our pockets. One strategy is to establish a history of discussing technology with you by racking as many positive interactions related to online life before your kids are faced with a crisis. The better they feel about talking to you about tech, the better chances they'll reach out to you when they're facing a real crisis. What's a better excuse to talk technology than when you're send your kid back to school? Here are few topics of discussion to consider before the first class begins. Parental controls If you're worried about the content your younger kids can see as they use the family PC, you can manage that through parental controls feature. This gives you a chance to explain that you want to protect them from inappropriate sites and strangers so you can feel confident about them having fun the web. But parental control doesn't just have to be a negative. The power to control your kids' time online, means you can also set up online reward time -- such as an hour or two when homework is done. Apps Downloading an app to your mobile device could mean you're inviting strangers to access your phone. Some apps may demand access to your kid’s camera, microphone, contacts and photos. Use the Application Privacy feature to go through your apps together to see what kind of permissions are being accessed. Reviewing privacy settings of social networking sites also provides a chance for your kids to ask questions or express concerns. Privacy There are several apps your kids can use to make sure a mobile device's data stays private, even if it gets lost. You can use Android's locate, lock and wipe feature to help find a misplaced device or to delete all personal data in a worst case scenario. Make sure your kids know that connecting over "free Wi-Fi" can expose your data and possibly even your passwords to strangers. Avoid that by connecting via mobile networks or by using a VPN app. Also make sure that they lock their devices using an unguessable code. Security hygiene Some parents need basic security reminders as badly as kids do, whether they're just getting online or heading to university. So remind yourself and your kids to use strong unique passwords for all their most important accounts. Your passwords shouldn't use any words from the dictionary or anything someone could guess by looking at your social media. Remind them that "free" online is almost always a bad sign. Don't click on links and attachments in emails that you weren't expecting. And remind your kids that anything they post online, even on sites that promise to delete things after twenty-four hours, could be seen by anyone -- even your parents. An open and honest conversation reduces chances that a uncomfortable situation online will become a crisis. So before your kids go back to school, start talking about how important it is to you that they connect safely, especially when you're not watching them.  

August 30, 2016
iphone untrackable

Update your iPhone right now — especially if you’re an activist

A little iPhone history was made this month -- a iOS device was infected by just clicking on a link. This sort of attack had previously only worked on devices where the owner had purposely installed a "jailbreak" hack. So before you do anything -- even read the rest of this post -- you should update your iOS software to the latest version of iOS 9, or iOS 10 beta, which has some nice new privacy features. Here's how this historic attack happened, according to The Verge: Earlier this month, an Emirati human rights activist named Ahmed Mansoor got a suspicious text. It promised new details of torture in the country’s state prisons, along with a link to follow if he was interested. If Mansoor had followed the link, it would have jailbroken his phone on the spot and implanted it with malware, capable of logging encrypted messages, activating the microphone and secretly tracking its movements. To our cyber security advisor Erka Koivunen, this is a glaring example of a threat that is not "advanced" -- as in APT, advanced persistent threat. Think about what goes into a real APT. "They do reconnaissance properly and understand what the victim is susceptible to. They have good timing and only create visible noise when it suits their interest," he told us. "And they have a plan B ready in case someone starts snooping their activities." Here, the the most exploitable iPhone vulnerability ever known has now been exposed and patched -- for what? It's a bit baffling to Erka who compares it to throwing "expensive exploits at this guy like kids throwing rocks." You just don't see zero-day vulnerabilities like this -- especially on what had been one of the more secure platforms available -- that often. This has some security researchers thinking: Perverse incentives: Should I take up political activism so I get more interesting 0day sent my way? /me wonders — halvarflake (@halvarflake) August 26, 2016 //platform.twitter.com/widgets.js So, if you haven't already, update now. And if you're involved in politics in *any way* whatsoever, realize that someone will try to hack you -- sooner or later. So beware of those links in strange texts and email attachments in general. [Image by Sean MacEntee via Flickr]

August 26, 2016
BY 

Latest Posts

New WhatsApp policy will mean ads for users

I download very few apps. I have probably downloaded less than ten onto my current phone - just the weather, a pedometer app, an exercise app, Freedome of course, and a few others I consider necessary. I'm wary of the permissions they ask for and of not knowing what they are really doing with my data. I'm wary of Facebook too. I have a presence there, but I don't share much. I never, ever log in to any other service using my Facebook credentials. And after reading studies about how much your Facebook likes say about you, I'm even reluctant to like anything there. WhatsApp is one of the apps I consider necessary. It's by far my favorite and the one I use the most. So when I read the news last week that WhatsApp is going to start sharing my phone number with Facebook, although I wan't surprised, I reacted. I shared the article in all my social channels. And when I received the new Terms of Service message in WhatsApp later that day, instead of blindly clicking "Agree," I opted out of sharing information with Facebook. You can do this too, but you need to do it by September 25. This article shows you how to easily opt out, even if you've already accepted the new Terms of Service. After September 25, no one will be able to opt out. So what does the change in WhatsApp's policy really mean? WhatsApp promises no third-party banner ads will appear in the service, and they present this as a change that could, among other things, improve ad targeting in Facebook (and possibly all Facebook properties). But they also indicate they will explore marketing messages, saying, "Messages you may receive containing marketing could include an offer for something that might interest you." Our security advisor, Sean Sullivan, says the bottom line for WhatsApp users is that we can expect to begin receiving ads via WhatsApp messages. And that's whether we allow them to share our phone number with Facebook or not. "The difference is those who've allowed the phone number sharing will receive more targeted ads likely based on their Facebook Ad Preferences. And those who've opted out will receive more generic regional ads," he says. (Sean has also opted out.) To minimize ads you receive in either service, Sean recommends you manage your Facebook Ad Preferences by deleting unwanted sections. This could result in fewer Facebook ads, and possibly fewer WhatsApp ads as well. I hate to think of my WhatsApp experience bothered by ad messages. But I guess now it's clear why WhatsApp dropped their $1/year subscription fee in January. When you aren't paying for the product…you know the rest. If you’re looking for a less marketingy sort of experience, you could always try Signal or Wickr.   Image courtesy of Sam Azgor, flickr.com

August 31, 2016
Back to School devices

When it comes to technology, students are more connected than ever. But there also seems to be a serious disconnect between what kids and parents think about teens online activity. A recent survey of online teens conducted for the Cybersecurity Alliance found that 6 of 10 students had created social media accounts without their parents knowledge. But only 28 percent of parents suspected their offspring had secret accounts. This suggests a lot of parents are just plain oblivious of their kids' online sneakiness. And other findings are equally troubling. While two-thirds of parents expected their kids would report any online incident that made them uncomfortable, only one-third of students said they would report such incidents. And just under half of the teens said they'd seek their parents help for problems online compared to the 65 percent of moms and dads who expected their teens to share their online problems with them "most" or "all the time." This confusion between what teens and parents think about online conduct suggests that parents need to be more proactive in preparing their kids for the challenges of having access to the world through devices that fit in our pockets. One strategy is to establish a history of discussing technology with you by racking as many positive interactions related to online life before your kids are faced with a crisis. The better they feel about talking to you about tech, the better chances they'll reach out to you when they're facing a real crisis. What's a better excuse to talk technology than when you're send your kid back to school? Here are few topics of discussion to consider before the first class begins. Parental controls If you're worried about the content your younger kids can see as they use the family PC, you can manage that through parental controls feature. This gives you a chance to explain that you want to protect them from inappropriate sites and strangers so you can feel confident about them having fun the web. But parental control doesn't just have to be a negative. The power to control your kids' time online, means you can also set up online reward time -- such as an hour or two when homework is done. Apps Downloading an app to your mobile device could mean you're inviting strangers to access your phone. Some apps may demand access to your kid’s camera, microphone, contacts and photos. Use the Application Privacy feature to go through your apps together to see what kind of permissions are being accessed. Reviewing privacy settings of social networking sites also provides a chance for your kids to ask questions or express concerns. Privacy There are several apps your kids can use to make sure a mobile device's data stays private, even if it gets lost. You can use Android's locate, lock and wipe feature to help find a misplaced device or to delete all personal data in a worst case scenario. Make sure your kids know that connecting over "free Wi-Fi" can expose your data and possibly even your passwords to strangers. Avoid that by connecting via mobile networks or by using a VPN app. Also make sure that they lock their devices using an unguessable code. Security hygiene Some parents need basic security reminders as badly as kids do, whether they're just getting online or heading to university. So remind yourself and your kids to use strong unique passwords for all their most important accounts. Your passwords shouldn't use any words from the dictionary or anything someone could guess by looking at your social media. Remind them that "free" online is almost always a bad sign. Don't click on links and attachments in emails that you weren't expecting. And remind your kids that anything they post online, even on sites that promise to delete things after twenty-four hours, could be seen by anyone -- even your parents. An open and honest conversation reduces chances that a uncomfortable situation online will become a crisis. So before your kids go back to school, start talking about how important it is to you that they connect safely, especially when you're not watching them.  

August 30, 2016
iphone untrackable

A little iPhone history was made this month -- a iOS device was infected by just clicking on a link. This sort of attack had previously only worked on devices where the owner had purposely installed a "jailbreak" hack. So before you do anything -- even read the rest of this post -- you should update your iOS software to the latest version of iOS 9, or iOS 10 beta, which has some nice new privacy features. Here's how this historic attack happened, according to The Verge: Earlier this month, an Emirati human rights activist named Ahmed Mansoor got a suspicious text. It promised new details of torture in the country’s state prisons, along with a link to follow if he was interested. If Mansoor had followed the link, it would have jailbroken his phone on the spot and implanted it with malware, capable of logging encrypted messages, activating the microphone and secretly tracking its movements. To our cyber security advisor Erka Koivunen, this is a glaring example of a threat that is not "advanced" -- as in APT, advanced persistent threat. Think about what goes into a real APT. "They do reconnaissance properly and understand what the victim is susceptible to. They have good timing and only create visible noise when it suits their interest," he told us. "And they have a plan B ready in case someone starts snooping their activities." Here, the the most exploitable iPhone vulnerability ever known has now been exposed and patched -- for what? It's a bit baffling to Erka who compares it to throwing "expensive exploits at this guy like kids throwing rocks." You just don't see zero-day vulnerabilities like this -- especially on what had been one of the more secure platforms available -- that often. This has some security researchers thinking: Perverse incentives: Should I take up political activism so I get more interesting 0day sent my way? /me wonders — halvarflake (@halvarflake) August 26, 2016 //platform.twitter.com/widgets.js So, if you haven't already, update now. And if you're involved in politics in *any way* whatsoever, realize that someone will try to hack you -- sooner or later. So beware of those links in strange texts and email attachments in general. [Image by Sean MacEntee via Flickr]

August 26, 2016
ransomware gangs, cybercrime unicorn

Bitcoin has not only changed the economics of cybercrime by providing crooks with an encrypted, nearly anonymous payment system autonomous from any central bank. It's also changed researchers' ability to track how much money criminals are making. "Bitcoin is based on Blockchain, and Blockchain is a public ledger of transactions. So all Bitcoin transactions are public," explains Mikko Hyppönen, F-Secure's Chief Research Officer. "Now, you don’t know who is who. But we can see money moving around, and we can see the amounts." Every victim of Ransomware -- malware that encrypts files and demands a payment for their release -- is given a unique wallet to transfer money into. Once paid, some ransomware gangs move the bitcoins to a central wallet. "We've been monitoring some of those wallets," Mikko says. "And we see Bitcoins worth millions and millions. We see a lot of money." Watching crooks rake in so much money, tax-free, got him thinking: "I began to wonder if there are in fact cybercrime unicorns." A cybercrime unicorn? (View this as a PDF) A tech unicorn is a privately held tech company valued at more than a billion dollars. Think Uber, AirBNB or Spotify -- only without the investors, the overhead and oversight. (Though the scam is so profitable that some gangs actually have customer service operations that could rival a small startup.) "Can we use this comparison model to cybercrime gangs?" Mikko asks. "We probably can’t." It's simply too hard to cash out. Investors in Uber have people literally begging to buy their stakes in the company. Ransomware gangs, however, have to continually imagine ways to turn their Bitcoin into currency. "They buy prepaid cards and then they sell these cards on Ebay and Craigslist," he says. "A lot of those gangs also use online casinos to launder the money." But even that's not so easy, even if the goal is to sit down at a online table and attempt to lose all your money to another member of your gang. "If you lose large amounts of money you will get banned. So the gangs started using bots that played realistically and still lose – but not as obviously." Law enforcement is well aware of extremely alluring economics of this threat. In 2015, the FBI’s Internet Crime Complaint Center received "2,453 complaints identified as Ransomware with losses of over $1.6 million." In 2016, hardly has a month gone by without a high-profile case like Hollywood Presbyterian Medical Center paying 40 Bitcoin, about $17,000 USD at the time, to recover its files. And these are just the cases we're hearing about. The scam is so effective that it seemed that the FBI was recommending that victims actually pay the ransom. But it turned out their answer was actually more nuanced. "The official answer is the FBI does not advise on whether or not people should pay," Sean Sullivan, F-Secure Security Advisor, writes. "But if victims haven’t taken precautions… then paying is the only remaining alternative to recover files." What sort of precautions? For Mikko, the answer obvious. "Backups. If you get hit you restore yesterday’s backup and carry on working. It could be more cumbersome if it’s not just one workstation, if your whole network gets hit. But of course you should always have good, up to date, offline backups. And 'offline' is the key!" What's also obvious is that too few people are prepared when Ransomware hits. Barring any disruptions to the Bitcoin market, F-Secure Labs predicts this threat will likely persist, with even more targeted efforts designed to elicit even greater sums.  If you end up in an unfortunate situation when your files are held hostage, remember that you're dealing with someone who thinks of cybercrime as a business. So you can always try to negotiate. What else do you have to lose?

August 24, 2016
Father lecturing son in bedroom

This is really an old problem, but it’s in the headlines again. Pokémon Go is yet another example of a “free” game with a business model based on in-app purchases. These games are also known as F2P, standing for free-to-play. You can start playing, and get hooked, for free. But soon you run into a situation where you can’t proceed without buying virtual stuff in the game. The stuff you buy is virtual but the payment is very real money. This is no doubt a profitable model. Pokémon Go went straight to the top and for example Finland-based Supercell, maker of Clash of Clans, has constantly reported nice profits. This can naturally cause trouble for addicted adults, but the real problems arise when kids get hooked. There are numerous public stories about kids making purchases for hundreds or even thousands of Euros, often without even understanding how much they have spent. And the sinister part is that this can go on for a while until you get the credit card bill, and it’s too late. Your chances to get a refund are somewhere between slim and none. But how can this happen? Let’s take a look at the most common scenarios. Your kid has set up the new device and created the needed account with Apple or Google. Everything is fine until he or she needs an app that isn’t free. You enter your credit card on the kid’s device and make the purchase, but you don’t pay any attention to the security settings. This may give your kid carte blanche to buy anything he or she likes, and you pay the bill. You have entered your credit card but set up the kid’s store account so that a password only you know is required for every purchase. But there are some convenient settings that allow purchases without a password within a limited time window after the password has been entered. Kids learn very quickly to utilize this opportunity. Let’s assume the same setup as in the previous point, but with the correct security settings. Now the password is needed for every purchase. But the store account is still owned by the kid and the password can be reset. The password reset link will be sent to the kid’s mail or phone number. It’s carte blanche again with the new password. Ok, you create an account you own for the kids phone. It’s tied to your mail and phone number, so the password reset trick shouldn’t work anymore. You put down your phone and head for the toilet. Your kid has been waiting for the opportunity and initiates the password reset request. Your phone is there on the table wide open, with the reset link in the mail. You can figure out the rest yourself. And of course the simple alternative. You think the store password on your kid’s device is secret. But in reality it is either too easy to guess or someone has been looking over your shoulder. So there’s many things that can go wrong, but what can we do to avoid it? There are many ways to fight this problem, but this is in my opinion the best approach: Let the kid set up the store account on the device and set own passwords. Just like an adult would use a phone, except that there’s no payment method registered. Never enter your credit card number on the kid’s device. On Android, get familiar with Google Play Family. This feature enables you to purchase stuff for your kid on your own device. On iPhone, send apps or money as gifts. There may be applications that bypass the store and handle credit card transactions directly. This can typically be handled with vouchers or other prepaid payment methods instead. The application usually guides the users and list all supported methods. Let’s also take a look at the hard way. Follow these instructions if you for some reasons must have your credit card registered as a payment method on the kid’s device. Make sure the store is protected with a good password that only you know. Make sure the kid isn’t watching too closely when you enter it. Make sure the store is set up to require the password every time a purchase is made. Make sure the store account is attached to an e-mail only you have access to. Make sure the e-mail password is decent and not known to your kid. Make sure your phone’s security settings are decent. Use a PIN or password your kid doesn’t know and make sure it locks automatically quickly enough. Even better, do not have the e-mail of your kids store account on your phone. Access it through web mail when needed. So this is after all a quite complex issue. There are many variations and other ways to deal with the problem. Did I miss some simple and clever way? Write a comment if you think I did. And finally. Yes, there’s also many ways to lock the kids out of the store completely. This does no doubt solve some problems, but I don’t think it’s a good idea. They will after all live their lives in a world where digital devices and services are as natural as breathing. They deserve the opportunity to start practicing for that right now. Let them browse the store and discover all the fun stuff. And be part of the group and use all the same apps as their friends. Let them have fun with the phone and learn, even if they will learn some things the hard way. Don’t ruin it for them.     Safe surfing, Micke  

August 16, 2016
Check your router with F-Secure Router Checker

This has got to be the quickest Quick Tip of all. Literally. With just one click, it's too easy not to do. You know your computer can be infected. But did you know your router can, too? And because most people just aren't aware of it, if your router is compromised, it could stay that way a long time without you ever knowing. Unless, of course, you use our free Router Checker. No need to download anything. Just visit the page and click to start the check. Hacking your router is just one more method attackers use to display fraudulent advertising, spread malware, or steal your private account credentials. It's called DNS hijacking. When you type in a website name, say "cooldomain.com," you're directed to a DNS server that will find the website's IP address - say "44.567.54.69" for example, and display the website you need. But in a DNS hijack, hackers change your router's settings to direct you to a rogue DNS server. The rogue server will give a malicious IP address, purposely directing you to a website that may look like the one you want, but it's not. Here's an example: Let's say you want to log into your bank account. But unbeknownst to you, you're directed to a look-alike website that's not really your bank. You enter in your bank username and password. Now the attacker has your credentials, which he (or she) can use. F-Secure Router Checker makes sure the settings on your computers, phones, and routers connect to safe DNS servers. So what are you waiting for? Visit the F-Secure Router Checker page and click on "Check Your Router." It's too easy not to do.

August 12, 2016
NanHaiShu_blogpost_image

  F-Secure Labs recently released an analysis of the NanHaiShu Remote Access Trojan, which they believe was used to target "government and private-sector organizations that were directly or indirectly involved in the international territorial dispute centering on the South China Sea." So what does it look like when you're hit with a cyber attack that may involve some of the most powerful nations on earth? This: Pretty harmless, right? But click on that attachment and you've invited hackers -- possibly even attackers backed by a nation-state -- into your network. An attachment owning fools in 2016? The first piece of internet security advice you ever heard was probably, "Don't click on attachments you weren't expecting!"So who'd click on that?! Employees at prestigious international law firms, government agencies and possibly even the world's most powerful political parties. So how is this happening? Maybe it's a lesson that doesn't sink in, no matter how many times you've heard it. Or maybe cyber criminals have just gotten so good at tricking us with them that, like so many old threats, it's new again. Give that this method of infection is being used by attackers at the highest levels of cyber espionage, we have to assume the latter. Where attackers used to send mass emails out with infected attachments hoping to infect just a small percentage of the recipients, these new attacks utilize "spearphishing" techniques. "These are communications that appear legitimate — often made to look like they came from a colleague or someone trusted — but that contain links or attachments that when clicked on deploy malicious software that enables a hacker to gain access to a computer," The Washington Post explained. These emails are carefully crafted or "socially engineered" to seem relevant. Often, as in the case above, they play on our greatest desires, such as money in the form or salary or bonus information. One big reason attackers have gotten so much better at targeting us is that so many of us have decided to make details about our lives public via social media. This is why hackers love your LinkedIn profile. So should you scrub your profile and hide in a time capsule to avoid these attacks? You should definitely be mindful that strangers know more about you than ever and be wary of of strange email that seems overly eager to get you to click on a link or attachment. But these threats are so pervasive and potentially harmful, that they need to be addressed at an organizational level. Our Labs team put together a Threat Intelligence Brief with several recommendations for avoiding RATs like NanHaiShu, including disabling the opening of email file attachments sent from unverified sources as an enforced policy for all installed email programs. That way, you're unlikely to be the weak link that attackers are always looking for.  

August 11, 2016
2244532816_2f513f87c1_z

The lesson of almost every big cyber security story of the last year from Ukraine, to the Democratic National Committee to the South China Sea is that everything can be hacked. “Owning an election is gold; being able to influence it is silver; knowing the outcome in advance is bronze,” F-Secure cyber security advisor Erka Koivunen told us. It already appears that there has been some attempt to influence the 2016 election by releasing embarrassing email messages from the Democratic National Committee. So will whoever was behind that attack now go for the gold? And if they do, could they actually steal a presidential election? America's elections are managed on the local level, which means there are thousands of different electoral different systems involved with a single presidential election. That sounds daunting but in two out of the last four elections, the winner was decided by a victory in a single state, which limits the scope significantly. So if a nation-state wanted to intervene in the U.S.'s election and knew which candidate it wanted to win, it would either have to hack several different state's systems or focus on the three swing states that Republican candidate Donald Trump believes will decide the next election -- Florida, Pennsylvania and Ohio. All three key swing states use DRE voting machines for at least some of their voting -- only Ohio requires that the machines provide a paper trail that verifies the votes. Ryan Maness, a visiting fellow at Northeastern University, told Wired that the machines in these three states are in "relatively good shape." It's probably easier to hack a busy office network like the DNC, especially one that hasn't been told it's likely a target of a nation-state attack, than a voting machine because you can rely on the greatest vulnerability possible -- people. But if an attacker can get inside the network of a nuclear facility that's not connected to the internet, it's quite possible that voting machines that dozens if not hundreds of people have access to can be compromised. But the real issue with a cyber attack is that proximity isn't required. This year, Dave Levin, a security analyst was arrested for hacking the elections website of Lee County, Florida. "Yeah, you could be in Siberia and still perform the attack that I performed on the local supervisor of election website," he said in a video explaining why launched the attack. "So this is very important." But hacking a website or online database is one thing. Owning the actual machines is another. "Just based on the fact that many of these voting machines have been around for years, just based on that I could tell you old vulnerabilities that exist in the system,” Tim Monroe, an independent cybersecurity consultant, told BuzzFeed News. If there were some suspicion of a hack, there are some failsafes. Florida audits all its election votes, as does Ohio, which automatically recount provision if the election is close enough “Pennsylvania is of the most concern,” Maness said, “based on the fact they have so many paperless DREs in use.” Trump has suggested that the November election would be "rigged" but his implications have thus far mostly been connected to an attempt to sway the voting with things like debates purposely scheduled to minimize the audience. But even before Trump made the "rigged" suggestion, the U.S. Department of Homeland Security had proposed taking new steps to secure electronic voting. “We should carefully consider whether our election system, our election process is critical infrastructure, like the financial sector, like the power grid,” Jeh Johnson, Secretary of Homeland Security, told reporters. “There’s a vital national interest in our electoral process.” White House Press Secretary Josh Earnest, real name, recently responded to a question from reporters about the security of voting machines by relying on the security by variety argument. “That varied infrastructure and those different systems also pose a difficult challenge to potential hackers,” Earnest said. “It’s difficult to identify a common vulnerability.” So it's clear is that vulnerabilities exist. The question is whether or not a nation-state is willing to invest the resources necessary to go for the gold. [Image by Eric__I_E via Flickr]    

August 5, 2016