Hackers Exploit Voting Machine Vulnerabilities at DefCon

Today’s topics include a demonstration by hackers at DefCon on voting machine vulnerabilities; new U.S. cyber-security legislation that could help reassert Fourth Amendment rights; Microsoft previewing phone-friendly features in the Windows 10 Creators update; and Aqua Security revealing developer security risks with Docker containers.

Last week’s DefCon 25 hacking conference in Las Vegas showcased a Voting Village that gave attendees the opportunity to attempt to exploit weaknesses in voting machine designs.

A number of security researchers were successful in their attempts, including Carsten Schurmann, who was able to gain remote access to a WinVote machine that was actually used in a local election in 2014. The system had an open port that allowed Windows Remote Desktop sessions, according to Schurmann, adding that the port was discovered simply by running the open-source Wireshark network packet capture program.

Other hackers in the Voting Village also used Wireshark to compromise voting machines that had known vulnerabilities simply with the open-source Metasploit penetration testing framework.

Senators Mike Lee and Patrick Leahy have introduced the Senate version of a bipartisan bill to modernize the Electronic Communications Privacy Act. The new bill, which would modernize the original ECPA to require warrants for access to electronic communications such as email, also adds a requirement for a warrant for location information.

The original House bill, the Email Privacy Act, did not cover location information.

The bill, which if passed, would need to go to a conference committee for reconciliation. While the bill appears to have broad bipartisan support, it still needs to go the relevant committees before it will be considered by the full Senate. The bill also allows for suppression of evidence in cases where the information was obtained in violation of the ECPA.

At its Build developer conference in May, Microsoft teased some features in the upcoming Windows 10 Fall Creators Update that will allow users to resume on an iOS or Android device tasks they started on a PC and vice versa. Now, some users can take an early, if limited, peek at those phone-friendly features and the cross-device experiences they enable with the release of build 16251 to the Windows Insider program.

A new Phone icon now appears in the Windows Settings screen, inviting users to link their Android smartphones or Apple iPhones. For now, the option only supports Android and is restricted to handing off mobile and browsing sessions to PCs.

In a session at the Black Hat USA conference in Las Vegas last week, researchers from Aqua Security detailed vulnerabilities they found in Docker that could have put developers at risk.

The vulnerabilities discovered by Aqua Security have already been responsibly disclosed to Docker and were fixed in the Docker 17.05 update released at the end of May. The flaws specifically take aim at Docker for Mac and Docker for Windows desktop releases for developers and could have enabled an attacker to infect a system.

In an interview with eWEEK to discuss the findings, Sagie Dulce, senior security researcher at Aqua Security, explained that with Docker for Windows, the default configuration enabled anonymous access to the Docker API through an open TCP port. As it turns out, that TCP port could be abused by an attacker through a malicious webpage to attack a developer.