USN-6429-3: curl vulnerabilities


USN-6429-1 fixed vulnerabilities in curl. This update provides the
corresponding updates for Ubuntu 23.10.

Original advisory details:

Jay Satiro discovered that curl incorrectly handled hostnames when using a
SOCKS5 proxy. In environments where curl is configured to use a SOCKS5
proxy, a remote attacker could possibly use this issue to execute arbitrary
code. This issue only affected Ubuntu 22.04 LTS, and Ubuntu 23.04.
(CVE-2023-38545)

It was discovered that curl incorrectly handled cookies when an application
duplicated certain handles. A local attacker could possibly create a cookie
file and inject arbitrary cookies into subsequent connections.
(CVE-2023-38546)
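A practitioner's first question on reading this advisory is "am I running an affected libcurl, and is a SOCKS5 proxy actually configured so that CVE-2023-38545 is reachable?" The triage script below answers both. It is an added example, not part of the Ubuntu advisory and not curl's own code. The affected-version ranges it uses are taken from the curl project's advisories at https://curl.se/docs/CVE-2023-38545.html (libcurl 7.69.0 through 8.3.0) and https://curl.se/docs/CVE-2023-38546.html (libcurl 7.9.1 through 8.3.0), both fixed in 8.4.0; the sample `curl --version` output, environment and `.curlrc` are constructed for the demonstration. The `.curlrc` patterns and the list of proxy environment variables it scans are the ones curl documents, but the regular expression is this example's own approximation of that syntax.

```python
"""Triage helper for the two curl issues above (CVE-2023-38545 and
CVE-2023-38546). Added example: not part of the Ubuntu advisory and not
curl's own code. Affected-version ranges come from the curl project's
advisories (curl.se/docs/CVE-2023-38545.html, curl.se/docs/CVE-2023-38546.html):
38545 affects libcurl 7.69.0 through 8.3.0, 38546 affects 7.9.1 through 8.3.0,
both fixed in 8.4.0. Caveat: distributions backport fixes without bumping the
version, so a range hit means "check the package changelog (e.g. the USN)",
not "confirmed vulnerable".
"""
import os
import re
import subprocess
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges per the curl advisories cited above.
AFFECTED: Dict[str, Tuple[Version, Version]] = {
    "CVE-2023-38545": ((7, 69, 0), (8, 3, 0)),
    "CVE-2023-38546": ((7, 9, 1), (8, 3, 0)),
}

# Environment variables curl honours for proxies; SOCKS5 is selected by URL scheme.
PROXY_VARS = ("ALL_PROXY", "all_proxy", "HTTPS_PROXY", "https_proxy",
              "HTTP_PROXY", "http_proxy")
SOCKS5_SCHEMES = ("socks5://", "socks5h://")

# .curlrc lines that select a SOCKS5 proxy: 'proxy = "socks5h://..."',
# "socks5 = host:port" or "socks5-hostname = host:port" (approximate syntax).
CURLRC_SOCKS5 = re.compile(
    r'^\s*-{0,2}(?:proxy\s*[=:\s]\s*"?socks5h?://|socks5(?:-hostname)?\b)',
    re.IGNORECASE)


def parse_version(version_output: str) -> Optional[Version]:
    """Pull the libcurl version out of `curl --version` output.

    The first line looks like "curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 ...".
    libcurl is what carries the bugs, so it is preferred over the tool version.
    """
    m = re.search(r"libcurl/(\d+)\.(\d+)\.(\d+)", version_output)
    if m is None:
        m = re.match(r"curl (\d+)\.(\d+)\.(\d+)", version_output)
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def affected_cves(version: Version) -> List[str]:
    """CVEs whose inclusive affected range contains `version`."""
    return [cve for cve, (lo, hi) in AFFECTED.items() if lo <= version <= hi]


def socks5_proxies(env: Dict[str, str]) -> Dict[str, str]:
    """Proxy variables in `env` that point curl at a SOCKS5 proxy."""
    return {k: v for k, v in env.items()
            if k in PROXY_VARS and v.lower().startswith(SOCKS5_SCHEMES)}


def curlrc_socks5_lines(curlrc: str) -> List[str]:
    """Lines of a .curlrc that configure a SOCKS5 proxy."""
    return [ln.strip() for ln in curlrc.splitlines() if CURLRC_SOCKS5.match(ln)]


def triage(version_output: str, env: Dict[str, str], curlrc: str) -> Dict[str, object]:
    """Combine version and proxy findings. CVE-2023-38545 is only reachable when
    curl actually talks to a SOCKS5 proxy, so that exposure is reported separately."""
    version = parse_version(version_output)
    cves = affected_cves(version) if version else []
    env_hits = socks5_proxies(env)
    rc_hits = curlrc_socks5_lines(curlrc)
    return {
        "libcurl": version,
        "affected": cves,
        "socks5_env": env_hits,
        "socks5_curlrc": rc_hits,
        # Version in range AND a SOCKS5 proxy configured: the SOCKS5 bug is reachable.
        "socks5_exposed": "CVE-2023-38545" in cves and bool(env_hits or rc_hits),
    }


# Constructed sample input (not captured from a real host).
SAMPLE_VERSION = ("curl 8.3.0 (x86_64-pc-linux-gnu) libcurl/8.3.0 OpenSSL/3.0.10 "
                  "zlib/1.2.13\nRelease-Date: 2023-09-13\n")
SAMPLE_ENV = {"ALL_PROXY": "socks5h://127.0.0.1:1080", "HTTP_PROXY": "http://proxy:3128"}
SAMPLE_CURLRC = '# constructed\nproxy = "socks5h://127.0.0.1:1080"\n'


def live_triage() -> Dict[str, object]:
    """Run the same check against the local host (curl binary, env, ~/.curlrc)."""
    try:
        out = subprocess.run(["curl", "--version"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        out = ""
    rc_path = os.path.expanduser("~/.curlrc")
    rc = open(rc_path).read() if os.path.exists(rc_path) else ""
    return triage(out, dict(os.environ), rc)


if __name__ == "__main__":
    print(triage(SAMPLE_VERSION, SAMPLE_ENV, SAMPLE_CURLRC))
    print(live_triage())
```

On an Ubuntu host the version string alone is not conclusive, because the USN fix is backported into the distribution's 8.x or 7.x package without changing the upstream version number; treat `affected` as "confirm against `apt changelog curl`" rather than as a verdict. The `socks5_exposed` flag is the one that matters for CVE-2023-38545: no SOCKS5 proxy, no reachable bug.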


Security Vulnerability of Switzerland’s E-Voting System


Online voting is insecure, period. This doesn’t stop organizations and governments from using it. (And for low-stakes elections, it’s probably fine.) Switzerland—not low stakes—uses online voting for national elections. Andrew Appel explains why it’s a bad idea:

Last year, I published a 5-part series about Switzerland’s e-voting system. Like any internet voting system, it has inherent security vulnerabilities: if there are malicious insiders, they can corrupt the vote count; and if thousands of voters’ computers are hacked by malware, the malware can change votes as they are transmitted. Switzerland “solves” the problem of malicious insiders in their printing office by officially declaring that they won’t consider that threat model in their cybersecurity assessment.

But it also has an interesting new vulnerability:

The Swiss Post e-voting system aims to protect your vote against vote manipulation and interference. The goal is to achieve this even if your own computer is infected by undetected malware that manipulates a user vote. This protection is implemented by special return codes (Prüfcode), printed on the sheet of paper you receive by physical mail. Your computer doesn’t know these codes, so even if it’s infected by malware, it can’t successfully cheat you as long as you follow the protocol.

Unfortunately, the protocol isn’t explained to you on the piece of paper you get by mail. It’s only explained to you online, when you visit the e-voting website. And of course, that’s part of the problem! If your computer is infected by malware, then it can already present to you a bogus website that instructs you to follow a different protocol, one that is cheatable. To demonstrate this, I built a proof-of-concept demonstration.

Appel again:

Kuster’s fake protocol is not exactly what I imagined; it’s better. He explains it all in his blog post. Basically, in his malware-manipulated website, instead of displaying the verification codes for the voter to compare with what’s on the paper, the website asks the voter to enter the verification codes into a web form. Since the website doesn’t know what’s on the paper, that web-form entry is just for show. Of course, Kuster did not employ a botnet virus to distribute his malware to real voters! He keeps it contained on his own system and demonstrates it in a video.

Again, the solution is paper. (Here I am saying that in 2004.) And, no, blockchain does not help—it makes security worse.


USN-6432-1: Quagga vulnerabilities


It was discovered that the Quagga BGP daemon did not properly check the
attribute length in NLRI. A remote attacker could possibly use this issue
to cause a denial of service. (CVE-2023-41358)

It was discovered that the Quagga BGP daemon did not properly manage memory
when reading the initial bytes of the ORF header. A remote attacker could
possibly use this issue to cause a denial of service. (CVE-2023-41360)
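Both issues are of the same shape: a length field supplied by the peer is trusted before it is checked against the bytes actually received, and the daemon reads past the end of the message. The parser below, an added example that is not Quagga's code, shows the checks a BGP UPDATE receiver needs for the Withdrawn Routes Length, the Total Path Attribute Length and each NLRI prefix length (RFC 4271 section 4.3). It handles IPv4 unicast only and carries path attributes as opaque bytes rather than decoding them (an assumption made to keep the example focused on the length checks); the sample messages are constructed, including one with a forged attribute length.

```python
"""Defensive parser for the body of a BGP UPDATE message (RFC 4271 section 4.3).
Added example; this is not Quagga's code. Every length field taken from the
peer is validated against len(body) before the slice it governs is read, which
is the check whose absence turns a malformed UPDATE into an out-of-bounds read.
IPv4 unicast only; path attributes are length-checked but not decoded.
"""
import ipaddress
import struct
from typing import List, Tuple

Prefix = Tuple[str, int]  # e.g. ("192.0.2.0", 24)


class MalformedUpdate(ValueError):
    """A length field claims more bytes than the message actually contains."""


def parse_prefixes(buf: bytes) -> List[Prefix]:
    """Decode a run of <length, prefix> pairs (Withdrawn Routes and NLRI format).

    Each pair is one length byte (in bits) followed by ceil(length/8) bytes.
    The length value and the byte count are both checked before anything is read.
    """
    prefixes: List[Prefix] = []
    pos = 0
    while pos < len(buf):
        plen = buf[pos]
        pos += 1
        if plen > 32:
            raise MalformedUpdate(f"prefix length {plen} exceeds 32 bits at offset {pos - 1}")
        nbytes = (plen + 7) // 8
        if pos + nbytes > len(buf):
            raise MalformedUpdate(f"prefix needs {nbytes} bytes but only {len(buf) - pos} remain")
        # Pad the truncated prefix to 4 bytes to build an IPv4 address.
        raw = buf[pos:pos + nbytes].ljust(4, b"\x00")
        pos += nbytes
        prefixes.append((str(ipaddress.IPv4Address(raw)), plen))
    return prefixes


def parse_update(body: bytes) -> Tuple[List[Prefix], bytes, List[Prefix]]:
    """Split an UPDATE body into (withdrawn, path_attributes, nlri).

    Layout: Withdrawn Routes Length (2) | Withdrawn Routes | Total Path Attribute
    Length (2) | Path Attributes | NLRI (whatever remains).
    """
    if len(body) < 4:
        raise MalformedUpdate("UPDATE body shorter than its two length fields")
    withdrawn_len = struct.unpack_from("!H", body, 0)[0]
    if 2 + withdrawn_len + 2 > len(body):
        raise MalformedUpdate(f"withdrawn routes length {withdrawn_len} overruns message")
    attr_len = struct.unpack_from("!H", body, 2 + withdrawn_len)[0]
    attrs_start = 4 + withdrawn_len
    if attrs_start + attr_len > len(body):
        raise MalformedUpdate(f"total path attribute length {attr_len} overruns message")
    withdrawn = parse_prefixes(body[2:2 + withdrawn_len])
    attrs = body[attrs_start:attrs_start + attr_len]
    nlri = parse_prefixes(body[attrs_start + attr_len:])
    return withdrawn, attrs, nlri


def is_malformed(body: bytes) -> bool:
    """True if parse_update rejects the body (used to exercise the checks)."""
    try:
        parse_update(body)
    except MalformedUpdate:
        return True
    return False


def encode_prefix(addr: str, plen: int) -> bytes:
    """Inverse of parse_prefixes for one prefix; used to build sample messages."""
    packed = ipaddress.IPv4Address(addr).packed[:(plen + 7) // 8]
    return bytes([plen]) + packed


def build_update(withdrawn: List[Prefix], attrs: bytes, nlri: List[Prefix]) -> bytes:
    """Assemble a well-formed UPDATE body from its three parts."""
    w = b"".join(encode_prefix(a, p) for a, p in withdrawn)
    n = b"".join(encode_prefix(a, p) for a, p in nlri)
    return struct.pack("!H", len(w)) + w + struct.pack("!H", len(attrs)) + attrs + n


# Constructed samples. The attribute bytes are a minimal ORIGIN attribute
# (flags 0x40, type 1, length 1, value 0 = IGP); they are carried, not decoded.
GOOD_UPDATE = build_update([("203.0.113.0", 24)], b"\x40\x01\x01\x00",
                           [("10.0.0.0", 8), ("192.0.2.0", 24)])
# Same message with Total Path Attribute Length forged to 0xFFFF. The field sits
# at offset 6: 2 bytes of Withdrawn Routes Length plus the 4-byte /24 withdrawal.
FORGED_ATTR_LEN = GOOD_UPDATE[:6] + b"\xff\xff" + GOOD_UPDATE[8:]
# Last byte dropped: the final NLRI prefix claims 24 bits but only 2 bytes remain.
TRUNCATED_NLRI = GOOD_UPDATE[:-1]

if __name__ == "__main__":
    print(parse_update(GOOD_UPDATE))
    for name, sample in (("forged attribute length", FORGED_ATTR_LEN),
                         ("truncated NLRI", TRUNCATED_NLRI)):
        print(name, "rejected" if is_malformed(sample) else "ACCEPTED (bug)")
```

The important property is that each check happens before the corresponding read, using the receiver's own count of bytes on hand rather than the peer's length fields; in C the same discipline means comparing against the remaining buffer length, not against the length byte that just arrived.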


Re-evaluating risk in the artificial intelligence age


Introduction

It is common knowledge that when it comes to cybersecurity, there is no one-size-fits-all definition of risk, nor is there a place for static plans. New technologies are created, new vulnerabilities discovered, and more attackers appear on the horizon. Most recently, the appearance of large language models such as ChatGPT has turned the dial up to eleven: these tools can be prompted to produce targeted malware and phishing content by someone with no technical training, and will even walk that person through using it.

While official tools have safeguards in place (with more being added as users find new ways to circumvent them) that reduce or prevent abuse, several dark web offerings are happy to fill the void. Enterprising individuals have created tools specifically trained on malware data that are capable of supporting other attacks such as phishing or business email compromise.

Re-evaluating risk

While risk should always be regularly evaluated it is important to identify when significant technological shifts materially impact the risk landscape. Whether it is the proliferation of mobile devices in the workplace or easy access to internet-connected devices with minimal security (to name a few of the more recent developments) there are times when organizations need to completely reassess their risk profile. Vulnerabilities unlikely to be exploited yesterday may suddenly be the new best-in-breed attack vector today.

There are numerous ways to evaluate, prioritize, and address risks as they are discovered which vary between organizations, industries, and personal preferences. At the most basic level, risks are evaluated by multiplying the likelihood and impact of any given event. These factors may be determined through numerous methods, and may be affected by countless elements including:

Geography
Industry
Motivation of attackers
Skill of attackers
Cost of equipment
Maturity of the target’s security program

In this case, the advent of tools like ChatGPT greatly reduces the barrier to entry, the “skill” a malicious actor needs to execute an attack. Sophisticated, targeted attacks can be created in minutes with minimal effort from the attacker. Organizations that were previously safe because of their size, profile, or industry may now be targeted simply because it is easy to do so. This means previously established risk profiles are out of date and no longer reflect the environment businesses operate in. Even businesses with a robust risk management process and a mature program may struggle to adapt to this new reality.

Recommendations

While there is no one-size-fits-all solution, there are some actions businesses can take that will likely be effective. First, the business should conduct an immediate assessment and analysis of its currently identified risks. Next, the business should assess whether any of these risks could reasonably be combined (aggregated) in a way that materially changes their likelihood or impact. Finally, the business must ensure its executive team is aware of the changes to the business’s risk profile and consider amending the organization’s existing risk appetite and tolerances.

Risk assessment & analysis

It is important to begin by reassessing the current state of risk within the organization. As noted earlier, risks or attacks that were previously considered unlikely may now be only a few clicks from being deployed en masse. The organization should walk through its risk register, if one exists, and re-evaluate every identified risk. This may be time consuming, and critical and high risks should of course be prioritized first, but the business needs this information to address risks effectively.

Risk aggregation

Once the risks have been reassessed and prioritized accordingly, they should also be reviewed to see if any could be combined. With the assistance of AI attackers may be able to discover new ways to chain different vulnerabilities to support their attacks. This may be completed in parallel to the risk assessment & analysis, but the organization should ensure this review is included as soon as they reasonably can.

Executive awareness & input

Throughout this process the organization’s executive team should be kept aware of changes to the business’s risk profile. This may include lunch & learn sessions discussing what AI is and how it is used, formal presentation of the reassessed risk register, or any other method that is effective. At a minimum the executive team should be aware of:

Any changes to the organization’s identified risks
Any recommendations related to risk treatment options or the organization’s risk appetite
How effective existing controls are against AI-supported attacks
Near-term risks that require immediate attention

In light of the SEC’s recent cybersecurity disclosure rules (please see this blog for additional information), this step is doubly important for any publicly traded organization. Ensuring the executive team is properly informed is vital to support the effective and appropriate treatment of risk.

These recommendations are not all encompassing, however. Businesses must ensure they are adhering to industry best practices and have a sufficient foundation in place to support their program in addition to what was outlined above.

Conclusion

In today’s rapidly evolving digital landscape, the advent of powerful language models raises new questions and challenges that organizations cannot afford to ignore. These models, and the malicious tools built from them, are reshaping the cybersecurity frontier, offering both advancements and vulnerabilities. Therefore, it is imperative for organizations to actively integrate the understanding of these new technologies into their ongoing risk assessments and governance frameworks. By doing so, they can not only protect themselves from emergent threats but also harness these technologies for competitive advantage. As the saying goes, ‘the only constant is change.’ In cybersecurity, the ability to adapt to change is not just an advantage—it’s a necessity.


Defense in depth — the Microsoft way (part 86): shipping rotten software to billions of unsuspecting customers


Posted by Stefan Kanthak on Oct 16

Hi @ll,

the 7 cURL versions after 8.0.1, released March 20, 2023,
<https://curl.se/docs/releases.html>, fix the following 3
vulnerabilities <https://curl.se/docs/vulnerabilities.html>:
CVE-2023-38039 <https://curl.se/docs/CVE-2023-38039.html>
CVE-2023-38545 <https://curl.se/docs/CVE-2023-38545.html>
CVE-2023-38546 <https://curl.se/docs/CVE-2023-38546.html>

Once again (really: for several months), in their VERY…


APPLE-SA-10-10-2023-1 iOS 16.7.1 and iPadOS 16.7.1


Posted by Apple Product Security via Fulldisclosure on Oct 16

APPLE-SA-10-10-2023-1 iOS 16.7.1 and iPadOS 16.7.1

iOS 16.7.1 and iPadOS 16.7.1 addresses the following issues.
Information about the security content is also available at
https://support.apple.com/kb/HT213972.

Apple maintains a Security Updates page at
https://support.apple.com/HT201222 which lists recent
software updates with security advisories.

Kernel
Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd
generation and…


XNSoft Nconvert 7.136 – Multiple Vulnerabilities


Posted by michele on Oct 16

XNSoft Nconvert 7.136 – Multiple Vulnerabilities

===============================================================================

Identifiers

————————————————-

1. CVE-2023-43250

2. CVE-2023-43251

3. CVE-2023-43252

CVSSv3.1 score

————————————————-

1. CVE-2023-43250: 7.8 –
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:N/U
