Symantec offers free anti-spoofing services to US political campaigns and election groups

Symantec is the latest private security company to offer its expertise to vulnerable political targets on the house. Today the company announced that it would extend its “Project Dolphin” service (dolphins eat phish, get it) to political campaigns, candidates and election officials, all “prime target[s] for malicious actors seeking to influence the outcome of the upcoming U.S. midterm elections.” The service allows for anyone to run a check on their own website to make sure no illegitimate or “spoofed” versions of it are floating around and luring unsuspecting victims.

Individuals in those qualifying groups can sign up for free for Project Dolphin, Symantec’s AI-powered system that scans for and notifies users of illegitimate websites pretending to be the real thing — just one flavor of the common hacking technique called “spoofing.” Through spoofed sites, much like spoofed email accounts, hackers can steal login credentials and other sensitive data and wreak whatever kind of havoc they want, much like they did with the DNC prior to the 2016 US presidential election.

The company will also offer some educational services on a new dedicated election security site, including best practice for poll workers and election officials, anti-tampering training, and an election security news hub.

Whether the intended audience for these materials and services will actually take note of them remains to be seen, but cobbling together election security guides now could help smooth the path to more secure elections by 2020.

“The issues that plagued the 2016 election are still prevalent today and are likely to continue to persist through the midterm elections, into 2020, and into elections globally,” Symantec CEO Greg Clark said.

“It is important for all parties, public and private, to contribute to protecting the security and integrity of our elections and democracy.”

While it’s quite late to the game — at least for 2018 midterms — Symantec joins a number of security companies that have extended free or deeply discounted services to candidates and election bodies, including Cloudflare, Valimail and Synack.

Cloudflare’s new ‘one-click’ DNSSEC setup will make it far more difficult to spoof websites

Bad news first: the internet is broken for a while. The good news is that Cloudflare thinks it can make it slightly less broken.

With “the click of one button,” the networking giant said Tuesday, its users can now switch on DNSSEC in their dashboard. In doing so, Cloudflare hopes it removes a major pain-point in adopting the web security standard, which many haven’t set up — either because it’s so complicated and arduous, or too expensive.

It’s part of a push by the San Francisco-based networking giant to try to make the pipes of the internet more secure — even from the things you can’t see.

For years, you could open up a website and take its instant availability for granted. DNS, which translates web addresses into computer-readable IP addresses, has been plagued with vulnerabilities, making it easy to hijack any step of the process to surreptitiously send users to fake or malicious sites.

Take two incidents in the past year — where traffic to and from Amazon and, separately, Google, Facebook, Apple, and Microsoft was hijacked and rerouted for between minutes and hours at a time. Terabytes of internet traffic were siphoned through Russia for reasons that are still unknown. Any non-encrypted traffic was readable, at least in theory, by the Russian government. Suspicious? It was.

That’s where a security-focused DNS evolution — DNSSEC — is meant to help. It’s like DNS, but it protects requests end-to-end, from computer or mobile device to the web server of the site you’re trying to visit, by cryptographically signing the data so that it’s far tougher — if not impossible — to spoof.

But DNSSEC adoption is woefully low. Just three percent of websites in the Fortune 1000 sign their primary domains, largely because the domain owners can’t be bothered, but also because their DNS operators either don’t support it or charge exorbitant rates for the privilege.

Cloudflare now wants to do the hard work in setting those crucial DS records, a necessary component in setting up DNSSEC, for customers on a supported registrar. Traditionally, setting a DS record has been notoriously difficult, often because the registrars themselves can be problematic.
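
What a DS record contains and how it is checked against the child zone's DNSKEY, as an added Python example (not Cloudflare's or any registrar's code). It follows the record layout in RFC 4034; the domain name and key bytes are constructed sample values.

```python
import hashlib
import struct

# DS digest type numbers: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# Constructed 64-byte stand-in for an algorithm 13 (ECDSA P-256) public key.
SAMPLE_PUBKEY = bytes(range(64))


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    name = name.rstrip(".").lower()
    if not name:
        return b"\x00"  # the root zone
    out = b""
    for label in name.split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B: a 16-bit checksum over the RDATA."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """Build the DS tuple (key tag, algorithm, digest type, hex digest).

    The digest covers the owner name plus the DNSKEY RDATA, so the parent
    zone's DS record pins one specific key for one specific child zone.
    """
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest_type, digest)


def ds_matches(owner: str, rdata: bytes, ds: tuple) -> bool:
    """True if the DS record from the parent zone authenticates this DNSKEY."""
    tag, algorithm, digest_type, digest = ds
    if digest_type not in DIGESTS:
        return False  # unknown digest type: cannot be validated
    flags = struct.unpack("!H", rdata[:2])[0]
    if not flags & 0x0100:
        return False  # the Zone Key flag must be set on the referenced key
    return make_ds(owner, rdata, digest_type) == (tag, algorithm, digest_type, digest.upper())


if __name__ == "__main__":
    key = dnskey_rdata(257, 3, 13, SAMPLE_PUBKEY)  # 257 = key-signing key
    ds = make_ds("example.org", key)
    print("DS record to publish at the registrar:", *ds)
    swapped = dnskey_rdata(257, 3, 13, b"\xff" + SAMPLE_PUBKEY[1:])
    print("original key matches:", ds_matches("example.org", key, ds))
    print("swapped key matches: ", ds_matches("example.org", swapped, ds))
```
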

As of launch, Gandi will be the first registrar to support one-click DNSSEC setup, with more expected to follow.

The more registrars that support the move, the fewer barriers to a safer internet, the company argues. Right now, the company says that users should consider switching away from providers that don’t support DNSSEC and “let them know that was the reason for the switch.”

Just as HTTPS was slow to be adopted over the years — but finally took off in 2015 — there’s hope that DNSSEC can follow the same path. The more companies that adopt the technology, the less vulnerable end users will be to DNS attacks on the internet.

And besides the hackers, who doesn’t want that?

This is what Americans think about the state of election security right now

A wide-ranging new poll yields some useful insight into how worried the average American feels about election threats as the country barrels toward midterms.

The survey, conducted by NPR and researchers with Marist College, polled 949 adult U.S. residents in early September across regions of the country, contacting participants through both landlines and mobile devices. The results are a significant glimpse into current attitudes around the likelihood of foreign election interference, election security measures and how well social media companies have rebounded in the public eye.

Attitudes toward Facebook and Twitter

As the most recent dust settles around revelations that Russia ran influence campaigns targeting Americans on social media platforms, just how much do U.S. voters trust that Facebook and Twitter have cleaned up their acts? Well, they’re not convinced yet.

In response to a question asking about how much those companies had done since 2016 “to make sure there is no interference from a foreign country” in the U.S. midterm elections, 24 percent of respondents believed that Facebook had done either “a great deal” or “a good amount,” while 62 percent believed the company had done “not very much” or “nothing at all.”

When asked the same question about Twitter, only 19 percent thought that the company had made significant efforts, while 57 percent didn’t think the company had done much. Unlike nearly every other question in the broad-ranging survey, answers to this set of questions didn’t show a divide between Republicans and Democrats, making it clear that in 2018, disdain for social media companies is a rare bipartisan position.

When it comes to believing what they read on Facebook, only 12 percent of voters had “a great deal” or “quite a lot” of confidence that content on the platform is true, while 79 percent expressed “not very much confidence” or none at all. Still, those numbers have perked up slightly from polling in 2018 that saw only 4 percent of those polled stating that they were confident in the veracity of content they encountered on Facebook.

Midterm perspectives

In response to the question “Do you think the U.S. is very prepared, prepared, not very prepared or not prepared at all to keep this fall’s midterm elections safe and secure?,” 53 percent of respondents felt that the U.S. is prepared while 39 percent believed that it is “not very prepared” or not prepared at all. Predictably, this question broke down along party lines, with 36 percent of Democrats and 74 percent of Republicans falling into the “prepared” camp (51 percent of independents felt the U.S. is prepared).

An impressive 69 percent of voters believed that it was either very likely or likely that Russia would continue to “use social media to spread false information about candidates running for office” during the midterm elections, suggesting that voters are moving into election season with a very skeptical eye turned toward the platforms they once trusted.

When it came to hacking proper, 41 percent of respondents believed that it was very likely or likely that “a foreign country will hack into voter lists to cause confusion” over who can vote during midterm elections, while 55 percent of respondents said that hacked voter lists would be not very likely or not at all likely. A smaller but still quite significant 30 percent of those polled believed that it was likely or very likely that a foreign country would “tamper with the votes cast to change the results” of midterm elections.

Election security pop-quiz

Political divides were surprisingly absent from some other questions around specific election security practices. Democrats, Republicans and independent voters all indicated that they had greater confidence in state and local officials to “protect the actual results” of the elections and trusted federal officials less, even as the Department of Homeland Security takes a more active role in providing resources to protect state and local elections.

A few of the questions had a right answer, and happily most respondents did get a big one right. Overall, 55 percent of voters polled said that electronic voting systems made U.S. elections less safe from “interference or fraud” — a position largely backed by election security experts who advocate for low-tech options and paper trails over vulnerable digital systems. Only 31 percent of Democrats wrongly believed that electronic systems were safer, though 49 percent of Republicans trusted electronic systems more.

When the question was framed a different (and clearer) way, the results were overwhelmingly in favor of paper ballots — a solution that experts widely agree would significantly secure elections. Indeed, 68 percent of voters thought that paper ballots would make elections “more safe” — an attitude that both Republican and Democratic Americans could get behind. Unfortunately, legislation urging states nationwide to adopt paper ballots has continued to face political obstacles in contrast to the wide support observed in the present poll.

On one last election security competence question, respondents again weighed in with the right answer. A whopping 89 percent of those polled correctly believed that online voting would be a death knell for U.S. election security — only 8 percent said, incorrectly, that connecting elections to the internet would make them more safe.

For a much more granular look at these attitudes and many others, you can peruse the poll’s full results here. For one, there’s more interesting stuff in there. For another, confidence — or the lack thereof — in U.S. voting systems could have a massive impact on voter turnout in one of the most consequential non-presidential elections the nation has ever faced.

Facebook pilots new political campaign security tools — just 50 days before Election Day

Facebook has rolled out a “pilot” program of new security tools for political campaigns — just weeks before millions of Americans go to the polls for the midterm elections.

The social networking giant said it’s targeting campaigns that “may be particularly vulnerable to targeting by hackers and foreign adversaries.”

Once enrolled, Facebook said it’ll help campaigns adopt stronger security protections, “like two-factor authentication and monitor for potential hacking threats,” said Nathaniel Gleicher, Facebook’s head of cybersecurity policy, in a Monday blog post.

Facebook’s chief Mark Zuckerberg has admitted that the company “didn’t do enough” in the 2016 presidential election to prevent meddling and spreading misinformation, yet took a lashing from lawmakers for failing to step up in the midterms.

A former Obama campaign official told TechCrunch that the offering was important — but late.

“Fifty days is an eternity in campaign time,” said Harper Reed, who served as President Obama’s chief technology officer during the 2012 re-election campaign. “At this point, if [a campaign] has made gross security problems, they’ve already made them.”

But he questioned if now equipping campaigns with security tools will “actually solve the problem, or if it just solves Facebook’s PR problem.”

Facebook — like other tech giants — has been under the microscope in recent years after the social networking giant failed to prevent foreign meddling in the 2016 presidential election, in which adversaries — typically Russia — used the platform to spread disinformation.

The company’s done more to crack down on foreign interference campaigns after facing rebuke from lawmakers.

But ahead of the midterms, even the company’s former chief security officer was critical of Facebook. In an interview at Disrupt SF, Alex Stamos said that critical steps to protect the midterms hadn’t been taken in time.

“If there’s no foreign interference during the midterms, it’s not because we did a great job. It’s because our adversaries decided to [show] a little forbearance, which is unfortunate,” said Stamos.

Facebook, for its part, said its latest rollout of security tools “might be expanded to future elections and other users” beyond the midterms.

“Hacking is a part of elections,” said Reed. But with just two months to go before voters go to the polls, campaigns “have to just keep doing what they’re doing,” he said.

Is AliExpress Safe and Legit? Alibaba’s Online Shop Explained

AliExpress is the international arm of the Chinese retailing giant AliBaba, aiming to challenge online giants like Amazon and eBay.

But is it safe to shop there? How long will items take to arrive, and what happens if they don’t? Is AliExpress legit? And are you more likely to be the victim of fraud if you shop there? Here are the answers you need.

What Is AliExpress?

If you’re not familiar with AliExpress, here’s a quick primer: it’s a huge online retailer owned by The Alibaba Group, a multi-billion dollar corporation that started as a business-to-business buying and selling portal. It has since expanded to business-to-consumer, consumer-to-consumer, cloud computing, and payment services, as well.

To give you an idea of just how big Alibaba is, they reported over $25 billion in sales on Singles’ Day (November 11) 2017.

What is AliExpress?

AliExpress is Alibaba’s online consumer marketplace for international buyers (while TaoBao is for China). It allows small businesses in China to sell to customers all over the world. Just like Amazon, you can find just about anything there. Unlike Amazon, all of the sellers on AliExpress are a third party: AliExpress itself does not sell anything. They just provide the marketplace.

Why Is AliExpress So Cheap?

If you browse some of the products on AliExpress, you’ll probably notice right away that many of the prices are really low. Why is this? There are two different distinct possibilities, both of which you’ll find in abundance on the site.

First, there’s the possibility that you’re buying directly from a manufacturer, which reduces the cost of selling to you. Costs for production in China are quite a bit lower than in other countries. The lax enforcement of intellectual property laws may also contribute. A lot of electronics (like this 4WD Arduino robot we built) have fantastic prices on AliExpress, because they’re made in China and you can buy them direct, avoiding the retail markup added by a middle-man.

The second possibility for an item being extremely cheap is that it’s either counterfeit or fraudulent (or semi-fraudulent, as in the case of the GooPhone I5). China is known as a hotbed of counterfeit production, and AliExpress is no exception. You can get all sorts of counterfeit items there, from electronics to clothing. Some sellers have also been known to defraud buyers by tricking them into paying before they receive an item and then disappearing with the money.

Of course, being able to tell the difference is crucial.

How Long Does AliExpress Take to Deliver?

All items on AliExpress have an estimated delivery time on the product page, and it’s usually anywhere from 20 to 60 days. Yes, two months is an awfully long time to wait for something you’ve bought online! In my experience, about two weeks is the average time it takes most items to arrive, but you certainly need patience to buy direct from China.

Be aware that this will be even slower at certain times of the year, like Chinese New Year (around the start of February), and Singles’ Day (11/11). I once made the mistake of buying some Christmas presents during the Singles’ Day sale: a few of them didn’t arrive until the middle of January.

Nearly all shipments (even those with free shipping) will have a tracking number once shipped, but it may take a week to actually dispatch before a tracking number is added. After that, you should be able to follow the package as it floats around various Chinese postal centers, and after a long wait, arrives in your local country’s customs clearance office.

If you don’t have a tracking number after 10 days, you should reach out to the seller. You won’t be able to open an official non-delivery dispute until the maximum delivery time has been exceeded though.

In six years and thousands of dollars worth of shopping on AliExpress, I’ve only had to open two cases for non-delivery. One could be tracked to my local customs office, but had been sitting there for a month. The seller offered to send it again, and sure enough, I actually received both packages about a month later. Another was never dispatched, and there was no tracking number. AliExpress issued a full refund.

The Hidden Cost of AliExpress: Import Taxes

If you’re new to having an item shipped to your country from abroad, you may not have a clear idea of the import taxes involved; or that sellers will often attempt to bypass those taxes on your behalf.

Nearly all countries have an import tax: a percentage value of the cost of the goods being imported that must be paid to your government when bringing something into the country. In the EU, this is a 20% VAT that’s levied on nearly everything. It’s your legal responsibility to pay this, and the shipping company will pay on your behalf, then issue you the bill. They’ll also charge you a handling fee for the privilege; that’s another flat rate $10-15. Of course, this means that a $10 bargain gadget may not be such a bargain once the $2 tax and $10 handling fee is added on.

Many people are shocked to find these hidden charges, and end up leaving a bad review for the seller. As a consequence, you’ll find most sellers will automatically mark any packages as a low value “gift”, bypassing import duties. To be clear: this is illegal. You should pay your taxes. But unless you’re trying to pull off a large scale fraud, it’s not the sort of illegal which will actually land you in trouble.

Note that if you were trying to deliberately import something without paying the duty, you would need to do so using the slow, free shipping method. Express couriers like DHL have stricter rules and won’t carry packages marked as a gift. If something can only be shipped by express, factor in at least another 20% of the cost to pay on arrival before your package can be released.

What About AliExpress’s Quality of Goods?

In most cases, the goods you buy will be the same as those in the high street. However, sometimes you may find yourself unhappy with the product. For instance, perhaps the thickness of material for that dress is not as you expected. In that case, you should be realistic when contacting the sellers.

Unless there’s something specific in the listing that you can point to as being incorrect, simply not liking the goods you bought is not a good reason to demand a refund. So what can you do if you’re not happy?

  • Chalk it up to experience, and don’t buy from that seller again. If the item was actually delivered, and the product description and photo are accurate, AliExpress themselves won’t assist.
  • You might be able to negotiate a partial refund. If your first instinct was to review the product as 1-star, this is almost certainly no longer an option. Ratings are important, and may be your only bargaining tool.
  • You might be tempted to return the goods, but be very careful with this. Shipping something back to China may cost more than you paid for the item in the first place, and that cost won’t be refunded. Tracking items sent back into China is unreliable at best, and sometimes they can just disappear entirely at the Chinese customs office.

Be realistic about the price you’re paying. Check out some YouTube videos for an idea of the kind of quality to expect (apparently, “AliExpress haul videos” is a thing now).

The Real Danger of AliExpress: Fraudsters

AliExpress and Alipay are solid systems when it comes to security. They’re not invincible, but nothing is—and their track record is a good one, so you can be confident that you’re no more likely to have any of your information stolen via one of these services than you are using a more familiar service like Amazon or eBay (remember, even eBay has had a massive data leak).

However, there is one gaping hole in AliExpress: the merchant approval process. I can’t say what sort of process there is, as only merchants from mainland China are allowed to sell on the site, but there have been a lot of reports of scams on the site. So many, in fact, that the AliExpress Security Center has a section of fraud case studies and tips on how to avoid fraud when buying from their site.

So how do you stay safe from fraudsters and scammers when shopping on AliExpress? The same way you do everywhere else. Here are four tips—if you follow them, you should have no problems.

1. If the Price Sounds Too Good to Be True, It Probably Is

Scammers reel you in with the promise of a once-in-a-lifetime deal (this is one of the strategies used in the recent spate of eBay fraud). Check other sites to see what the going rate is for whatever you want to buy, to make sure that the price on AliExpress isn’t far too low. If it is extremely low, you’re probably buying a counterfeit product or being set up for a scam. For non-branded goods, savings of up to 75% compared to a high street retail store are not unusual.

2. Use AliPay’s Escrow Service

Escrow protects you in a number of ways. First, your credit card details aren’t given to the seller, so you don’t have to worry about them stealing your identity, or going on a shopping spree with your card. Second, the payment isn’t released to the seller until you’ve confirmed that you’ve received your purchase. So if you get scammed, you can just get an easy refund from AliExpress, and not have to go through the long, painful, and probably hopeless refund process with the seller.

3. Check the Seller’s Feedback Before Buying

If a seller has a bad reputation for defrauding buyers, there will likely be evidence in their feedback and reviews. Be wary of sellers with any mentions of not delivering or sending sub-par goods. In the time I’ve spent on AliExpress, I’ve seen mostly positive reviews, and I’ve never had a problem getting what I’ve ordered. But it’s still important to be on the lookout.

4. Check Your Order Carefully When You Receive It

Because the escrow system allows you to withhold payment until you’ve received your order, you can confirm that you got what you paid for. Make sure everything is included, that it looks like what you ordered, and that, if you bought a brand-name item, it doesn’t look like a fake. Once you’ve marked an item as received, you have 15 days in which you can still open a dispute about the goods.

5. Never Buy Branded Goods on AliExpress

Branded goods are offered special protection in most countries. If you purchase fake goods, and your package is inspected, they will be seized. If you bought a lot of those goods and it looks like you might be trying to sell them on, expect a knock at the door from customs officials.

6. Be Careful With Storage and Memory Components

It’s a common scam even if you’re buying from a Shenzhen market stall, but even easier to pull off online. You buy a memory stick that reports itself to be 64Gb when put into Windows Explorer, but it’s actually a lot less. The firmware has been hacked, but you won’t know until you actually try to use the whole drive. The scammer is long gone with your money.

If you’re willing to risk it anyway, be sure to test the drive with a tool like H2testw as soon as you receive it.
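
Why a fake-capacity drive only fails once the whole advertised size has been written, shown as an added Python simulation (not H2testw's code). `FakeCapacityDrive` is a hypothetical stand-in, and its wrap-around behaviour is an assumed failure mode; counterfeit firmware may instead silently discard writes.

```python
import hashlib

BLOCK = 4096  # bytes per test block


def pattern(index: int) -> bytes:
    """Deterministic content that is unique per block, so aliasing shows up."""
    seed = hashlib.sha256(index.to_bytes(8, "big")).digest()
    return seed * (BLOCK // len(seed))


class FakeCapacityDrive:
    """Constructed model of a drive that advertises more space than it has.

    Assumption: writes past the real capacity wrap around and overwrite
    earlier blocks. With advertised == real it behaves like an honest drive.
    """

    def __init__(self, advertised: int, real: int):
        self.advertised = advertised
        self.real = real
        self._store = bytearray(real)

    def write_block(self, index: int, data: bytes) -> None:
        off = (index * BLOCK) % self.real
        self._store[off:off + BLOCK] = data

    def read_block(self, index: int) -> bytes:
        off = (index * BLOCK) % self.real
        return bytes(self._store[off:off + BLOCK])


def naive_check(drive) -> int:
    """Write one block and read it straight back. Misses the fraud, because
    each block is still intact at the moment it is read."""
    good = 0
    for i in range(drive.advertised // BLOCK):
        drive.write_block(i, pattern(i))
        if drive.read_block(i) == pattern(i):
            good += 1
    return good * BLOCK


def verify_capacity(drive) -> int:
    """Fill the entire advertised size first, then verify every block.
    Returns the number of bytes that survived, i.e. the usable capacity."""
    total = drive.advertised // BLOCK
    for i in range(total):
        drive.write_block(i, pattern(i))
    good = sum(1 for i in range(total) if drive.read_block(i) == pattern(i))
    return good * BLOCK


if __name__ == "__main__":
    fake = FakeCapacityDrive(advertised=64 * BLOCK, real=16 * BLOCK)
    print("advertised bytes:      ", fake.advertised)
    print("naive check reports:   ", naive_check(fake))
    print("full two-pass verifies:", verify_capacity(fake))
```
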

So, Is AliExpress Safe to Shop On?

The evidence suggests that shopping on AliExpress is indeed safe. However, be careful and be realistic. This is the same for any other online marketplace. Some, like Amazon, offer you more protections than others, but if you’re willing to pay attention to what you’re doing to save a lot of money, AliExpress is a fantastic option.

Surveillance camera vulnerability could allow hackers to spy on and alter recordings

In newly published research, security firm Tenable reveals how popular video surveillance camera software could be manipulated, allowing would-be attackers the ability to view, disable or otherwise manipulate video footage. The vulnerability, which researchers fittingly dubbed “Peekaboo,” affects software created by NUUO, a surveillance system software maker with clients including hospitals, banks, and schools around […]

In newly published research, security firm Tenable reveals how popular video surveillance camera software could be manipulated, allowing would-be attackers the ability to view, disable or otherwise manipulate video footage.

The vulnerability, which researchers fittingly dubbed “Peekaboo,” affects software created by NUUO, a surveillance system software maker with clients including hospitals, banks, and schools around the globe.

The vulnerability works via a stack buffer overflow, overwhelming the targeted software and opening the door fo