Hackers find vulnerabilities in voting machines — but officials say there's no time to fix them by Election Day

[rebelmouse-proxy-image https://www.theblaze.com/media-library/hackers-find-vulnerabilities-in-voting-machines-but-officials-say-there-s-no-time-to-fix-them-by-election-day.jpg?id=53175575&width=1245&height=700&coordinates=0,96,0,96 crop_info="%7B%22image%22%3A%20%22https%3A//www.theblaze.com/media-library/hackers-find-vulnerabilities-in-voting-machines-but-officials-say-there-s-no-time-to-fix-them-by-election-day.jpg%3Fid%3D53175575%26width%3D1245%26height%3D700%26coordinates%3D0%2C96%2C0%2C96%22%7D" expand=1]

Participants at the Voting Village event at the 2024 DEF CON Hacking Conference in Las Vegas were able to uncover vulnerabilities in various voting machines, e-poll books, and other equipment used in elections across America — but officials say they do not have enough time to address these issues before Election Day in November.

As it has for nearly a decade, the DEF CON conference featured a Voting Village event that permitted some of the world's most skilled hackers to take their best shot at finding vulnerabilities in election-related equipment, including different sorts of voting machines, most of which are used in at least one jurisdiction in America, Politico reported.

'Even if you find a vulnerability next week in a piece of modern equipment that’s deployed in the field, there’s a challenge in getting the patch and getting the fix out to the state and local elections officials and onto the equipment before the November election.'

The event drew significant interest, and hackers stood in long lines to attempt to circumvent firewalls and other security tools meant to deter cybercriminals.

They also had to go out of their way to participate since Village Vote was held in an isolated area away from the main floor this year after some online users leveled threats and accused the event of undermining democracy.

According to Voting Village co-founder Harri Hursti, the list of security vulnerabilities discovered this year spanned "multiple pages," though he added that the total number of vulnerabilities was about average for Village Vote events.

The good news is that security vulnerabilities can often be fixed. The bad news is that the repair process takes time, and the 2024 election is only about 12 weeks away.

"Even if you find a vulnerability next week in a piece of modern equipment that’s deployed in the field, there’s a challenge in getting the patch and getting the fix out to the state and local elections officials and onto the equipment before the November election," explained Scott Algeier, executive director of the Information Technology-Information Sharing and Analysis Center.

"It’s not a 90-day fix," he continued.

Catherine Terranova, executive director of Voting Village, likewise doubted that anything could be done before November.

"As far as time goes, it is hard to make any real, major, systemic changes, but especially 90 days out from the election," she said. "It's particularly troubling during an election year like this."

The truncated timeframe is not the only problem. Hursti also expressed concerns about foreign adversaries.

"We are here only for two and a half days, and we find stuff," he said. "It would be stupid to assume that the adversaries don’t have absolute access to everything."

"If you don’t think this kind of place is running 24/7 in China, Russia, you’re kidding yourselves."

Politico reported that secretaries of state and other election officials attended the event, a sign that they are aware of potential problems with voting machines. However, these officials spent much of their time at the conference giving "talks on misinformation and disinformation threats facing the upcoming election," the outlet claimed.

"There’s so much basic stuff that should be happening and is not happening," Hursti claimed. "So yes, I’m worried about things not being fixed, but they haven’t been fixed for a long time, and I’m also angry about it."

Village Vote may be doing important work, drawing attention to vulnerabilities in American voting machines, but there are indications it may have a left-leaning political ideology.

For one thing, the main page of its website features the tagline "It takes a village to preserve democracy," seemingly adopting a phrase from Hillary Clinton, who penned a book entitled "It Takes a Village."

The social media accounts of some of its leaders likewise indicate that they harbor liberal opinions.

Chair of the board Matt Blaze proudly lists his preferred pronouns in his X bio.

An account believed to be run by secretary of the board David Jefferson retweeted a number of liberal messages and memes. One particularly disturbing meme retweeted by the account regurgitates the most extreme talking points of abortion supporters, including that pro-life advocates are "monitoring ... period apps."

Blaze News reached out to Village Vote to inquire about its apparent political biases but did not receive a response.

Like Blaze News? Bypass the censors, sign up for our newsletters, and get stories like this direct to your inbox. Sign up here!

Blaze News original: Introduction to cybersecurity by a layperson for laypeople

[rebelmouse-proxy-image https://www.theblaze.com/media-library/blaze-news-original-introduction-to-cybersecurity-by-a-layperson-for-laypeople.jpg?id=53093033&width=1200&height=600&coordinates=0,177,0,177 crop_info="%7B%22image%22%3A%20%22https%3A//www.theblaze.com/media-library/blaze-news-original-introduction-to-cybersecurity-by-a-layperson-for-laypeople.jpg%3Fid%3D53093033%26width%3D1200%26height%3D600%26coordinates%3D0%2C177%2C0%2C177%22%7D" expand=1]

Between a CrowdStrike software glitch that recently brought many global industries to a temporary standstill and security breaches at major enterprises such as UnitedHealth and Ticketmaster, the digitized systems of our world and the mechanisms designed to protect them have been brought unavoidably to the fore.

But if you are a small business owner or an ordinary individual without a sophisticated IT background, the topic itself — cybersecurity — not only causes your eyes to glaze over, but it even incites a bit of an internal panic every time it comes up in conversation.

With these recent breaches affecting companies and industries that we use every day, those of us who are cybersecurity-hesitant can no longer simply ignore it or hope that others will handle the problem for us.

For this reason, Blaze News spoke with two experts who have both spent decades in the cybersecurity field and who have dedicated their lives to making cybersecurity as easy as possible for laypeople.

The first, Rob Coté, owns a small cybersecurity company in southeastern Michigan called Security Vitals. The second, Mike Lipinski, is in charge of cybersecurity at the major accounting firm Plante Moran. In the past, he has also worked as a vendor and in consulting for IT- and cybersecurity-related companies.

What IS cybersecurity?

Since the 1990s, Hollywood has done a masterful job making cybercriminal behavior such as hacking seem mysterious and esoteric while making efforts to outdo and outsmart cybercriminals look heroic and sexy. Blockbuster hits such as "The Net" and "Hackers," both released in 1995, wove together a narrative filled with romance and digital arcana, making cybersecurity seem accessible even as the cyberworld in the movies still feels hopelessly foreign.

43% of all cybersecurity attacks happen to businesses with 500 or fewer employees. Of those affected businesses, fully 60% will go belly-up within six months of the attack.

The reality is much more mundane, and also more serious, particularly for small business owners.

43% of all cybersecurity attacks happen to businesses with 500 or fewer employees. Of those affected businesses, fully 60% will go belly-up within six months of the attack.

And while incidents involving big-name companies like Ticketmaster and UnitedHealth remind us of the importance of cybersecurity, they can also sometimes deceive us into thinking that cybersecurity is a problem only for industry giants and not for the little guy.

Both Coté and Lipinski vehemently pushed back against that assumption.

"Size doesn't necessarily dictate sophistication and security," Lipinski added.

Small businesses as 'easy opportunities'

One of the most common responses Coté says he receives when pitching cybersecurity services to owners of small and medium-sized businesses is that their businesses have too little information and too small a digital footprint to be attractive to cybercriminals. "Nobody cares about our data," they say, according to Coté.

Unfortunately, such modesty can lead to all kinds of trouble. Coté told Blaze News that bad actors are looking for "easy opportunities" and "the path of least resistance." Since large enterprises already have heavily fortified cyber environments, many cybercriminals don't even bother with them.

'You may be humming along thinking, "We're fine. We're just a small business." The reality is this ... they have direct connections with the larger company.'

Instead, cybercriminals will often target vulnerable environments that are easy to infiltrate, and they do so for two main reasons.

First: Almost every business, regardless of size, harbors sensitive data. Everything from credit card transactions to digitized personnel files carries critical information, all of which must be stored somewhere, often in the nebulous cyber zone known as "the cloud."

Such stored data makes small companies especially vulnerable to ransomware, which Coté defined as "a technology that will lock up your data, and without the key, you can't access it."

Once ransomware villains get hold of a company's data, they then demand money, often via cryptocurrency, before they will return it. However, even paying the ransom does not even ensure that the data will be restored. After all, "you're dealing with criminals here," Coté noted.

And with new privacy laws, businesses render themselves vulnerable to lawsuits for failing to protect this data against ransomware and other cyberattacks. "There's a lot of things now that are being expected of all of us to protect the information that I may have on you or you may have on me," Lipinski explained.

The other key reason that cybercriminals pester seemingly small businesses is because of their associations with larger companies. Coté cited Ford Motor Company and Target as two recognizable names that contract with much smaller firms to outsource some of their business practices.

"You may be humming along thinking, 'We're fine. We're just a small business,'" Coté said. "The reality is this ... they have direct connections with the larger company."

OK, so what can be done?

While Ford and Target have plenty of revenue with which to invest in cybersecurity, most small businesses do not.

But according to Coté and Lipinski, that should not mean small businesses do nothing. Both said there are plenty of affordable options that can help owners protect themselves.

'How do you quantify the value of reputational damage?' Coté asked rhetorically. 'You just can't.'

Such options include network scanning and monitoring, both of which are services that cybersecurity firms provide to their clients. In other words, businesses do not necessarily have to spend sometimes hundreds of thousands of dollars onboarding cybersecurity staff. They can outsource these responsibilities to experts at much lower cost.

Coté told Blaze News that some cybersecurity platforms covering 10 total devices can cost as little as a few hundred dollars a month.

Lipinski hesitated to estimate what cybersecurity might cost since different companies have so many different needs. "I've got small businesses that spend well over six figures a year just on cybersecurity protection," he told Blaze News, "and I've got other very large businesses that have thousands of employees that may spend less than that."

But regardless how much one spends, the real cost of cybersecurity, to borrow an apt phrase from Hamlet, lies "in the breach rather than the observance," both Coté and Lipinski indicated. While business owners must balance security with functionality, a breach in security brings almost all business operations to a grinding halt — and forces owners to give a public account for the error.

"How do you quantify the value of reputational damage?" Coté asked rhetorically. "You just can't."

Lipinski agreed, advising owners to conduct a "business impact analysis" when assessing their companies' risk. Those who can't afford to have operations suspended for two or three weeks should strongly consider more involved cyberattack prevention, he said.

Secondary consequences to breaches

Business owners quickly understand the hit that their bottom line and their professional reputation can take with just one security breach. What they may not consider are some of the indirect consequences that are likely to occur as well.

Lipinski noted two such indirect consequences. One is that other financial institutions may impose safeguards on business clients in order to protect themselves.

'Do you have a backup solution in place? Do you have funding in your bank? Can you cut manual checks? Do you know what people should get paid?'

"If you have a breach, and those credit cards are stolen, your payment processor, your bank, is probably not going to allow you to take credit cards any more," Lipinski said.

Another potential consequence he gave actually relates not to the business itself but one of its contractors. Using payroll as an example, Lipinski claimed that businesses must have protections in place to guard against breaches from one of their service providers.

"It's not unforeseen that they go down and have an outage for two or three weeks. So what does that do to your business?" he asked.

"Do you have a backup solution in place? Do you have funding in your bank? Can you cut manual checks? Do you know what people should get paid?" are all questions managers and bosses must consider when outsourcing vital company operations, Lipinski said.

'Probably one of the weakest vectors': The value of employee training

Another vital aspect of cybersecurity is staff training. "People are probably one of the weakest vectors," Coté said without judgment.

In an ideal world, all employees would immediately recognize when they've been approached by bad actors. Such criminals often attempt to convince employees to reveal critical information, a scam referred to as phishing, or to respond to fake emails, known as spoofing.

However, cybercriminals have come a long way from posing as Nigerian princes who just need a small up-front payment in exchange for a much larger reward down the road. Now, they often employ sophisticated disguises to conceal their antics.

For instance, criminals will sometimes send along an email using the name of a company boss and changing just one character of his or her email address to avoid detection. Coté gave the hypothetical email address robcote@companyabc.com as an example.

"Let's say I change the O in company to a zero," he said, turning that email address to robcote@c0mpanyabc.com.

"You may not even notice that when the email comes in."

Even the savviest employees can fall victim to such schemes.

Though hardly savvy, I — a former contract employee of a cybersecurity firm who has a strong connection to a cybersecurity professional — fell for a phishing scheme several months ago when a cyberattacker sent an alert to my phone, posing as Amazon, just as I was expecting an Amazon package with expedited shipping. Thankfully, I realized my error before I divulged sensitive information.

Coté said he has heard similar stories. He referenced a case in which an intelligent, hardworking employee who was used to making company purchases on behalf of her higher-ups bought several gift cards after receiving a spoofed email from a person pretending to be her boss.

Gift cards are a particularly clever idea for cybercriminals, Coté said. Once the seal protecting the card's information has been shared, the buyer has "no recourse."

Another burgeoning threat related to such scams is AI voice-modeling. Such AI models have advanced so much that they now practically have become "voice verification," Lipinski claimed.

And capturing enough of someone's pitch and cadence to generate a model is easy, Coté said. All it takes is a quick phone call for a criminal to establish a voice profile that can then be used to fool employees into sharing data or unwittingly handing over money or other valuables.

Other staff-related vulnerabilities

In addition to employees falling prey to bad actors, employees can also occasionally be bad actors themselves. Those who have been disciplined or who have received a lucrative job offer from a rival company may have a motive for sabotaging business operations at their current company.

One way to track potentially malicious behavior is to scan for unusual logins, Coté said.

"If [so-and-so] is always online between 8 a.m. and 9 p.m., and suddenly she logs in at 3 a.m. to your corporate environment and downloads two terabytes of data," he said, she may be up to no good.

In some cases, unusual behaviors are not actually malicious, Coté noted. It's easy to imagine benign circumstances under which an employee might conduct some business tasks at strange hours.

"It may have been that [so-and-so] was getting ready to leave town and needed two terabytes of data for a presentation for your company," he suggested, "but you don't know if you're not looking."

As with anything, cybersecurity tools and services come with drawbacks, many of which are borne by employees. Lengthy passwords are difficult to remember, and multiple sign-in requirements become annoying.

Lipinski advised owners to balance security concerns with the weight of cumbersome protection measures. "As a security professional, what pains me to say is there is a such thing as too much security, because if you put too many things in place and I prevent you from doing your job, then it's not effective at that point," he explained.

"You've got to find that medium."

IT vs. cybersecurity

Another point both Coté and Lipinski made was that IT and cybersecurity personnel perform two entirely separate functions, and small business owners would be wise not to entrust one person with handling both responsibilities.

"IT's job is to make things work, give you the tools that you need to do your job, to keep the applications and the network and the internet up and running," Lipinski argued, "where cybersecurity is an overlay above that that's looking at how we're doing certain things and trying to determine if there's a better or more secure way to be able to protect those assets or that data or those people."

"IT people don't understand cybersecurity," he continued. "They think differently. They act differently. Their roles are different in the organization."

Coté compared the two divisions to two company financial officers who perform completely different tasks, even though they both work with money. "Why do you have a CPA and why do you have a CFO?" he asked.

"The CFO manages your financials internally. The CPA checks up on the CFO to make sure that he or she is doing it right and they're not funneling money out."

Silence does not mean security

Both Coté and Lipinski cautioned that just because a business has never suffered a major cybersecurity breach does not mean that it is secure. Coté went so far as to say that a breach is almost "inevitable."

Perhaps even more worrisome is the fact that most cybersecurity attacks are not detected in real time. "A data breach, on average, takes nine months to discover," Coté asserted. "So ... you could have been breached six months ago. You just haven't figured it out yet."

Coté went on to liken preventive cybersecurity measures to insurance. "It is really a form of insurance because there's no way to say if I invest $10 on cybersecurity, I'll save $100," he said.

"Until you get attacked, you don't have a good baseline for knowing what it's really going to cost you."

Lipinski also reiterated something that all business owners, whether they understand cybersecurity or not, already know: The buck stops with them.

"I can't give you all of my risks," he said, speaking of business owners. "I have to understand what I still own and what I'm going to do about it."

"I gave you a part of my problem. I still own the other part."

Disclosure: The author of this piece has done contract work for Coté in the past, and a member of her family currently works for him.

Like Blaze News? Bypass the censors, sign up for our newsletters, and get stories like this direct to your inbox. Sign up here!

Why Communist China-Connected Temu Is Worse Than TikTok

Once downloaded, Temu can access almost anything on your phone — the camera, internet, audio recordings, and more — according to one study.

Russian Cyberterror Attacks Should Be A Wakeup Call To DHS: Less Censorship, More Security

The harm that could befall us if Russia, Iran, and China ratchet up the frequency of cyberattacks on our water systems is astounding.

Can we trust Signal to keep out government spying?

[rebelmouse-proxy-image https://www.theblaze.com/media-library/can-we-trust-signal-to-keep-out-government-spying.jpg?id=52268534&width=1200&height=800&coordinates=300,0,300,0 crop_info="%7B%22image%22%3A%20%22https%3A//www.theblaze.com/media-library/can-we-trust-signal-to-keep-out-government-spying.jpg%3Fid%3D52268534%26width%3D1200%26height%3D800%26coordinates%3D300%2C0%2C300%2C0%22%7D" expand=1]

In City Journal, conservative activist and author Chris Rufo takes aim at the leadership of secure messaging app Signal, asking: “Is the integrity of the encrypted-messaging application compromised by its chairman of the board?” This article follows in a line of recent criticism of embattled NPR CEO Katherine Maher, who chairs the Signal Foundation board, and Signal Foundation President Meredith Whittaker. The article also raises concerns — echoed by Elon Musk and Jack Dorsey — about the app's trustworthiness, given its links to left-wing activists and U.S. government seed funding.

While we share Rufo’s concerns about Signal's leadership's outspoken leftist views and activism, we disagree with his alarmism over the app's core security and broad mischaracterization of internet freedom programs as vectors for domestic surveillance and censorship.

In contrast with Signal’s aloof anarchist founder, Moxie Marlinspike, Meredith Whittaker and Katherine Maher are both unapologetic progressive activists with radical views on the information ecosystem, online speech, and what values the tech industry should support. Before Signal, Whittaker was notable as a lead instigator of employee walkouts and activism at Google, attempting to stop the company from working with the Pentagon and leading an effort to purge then-Heritage Foundation President Kay Coles James from its AI advisory board.

Maher, who previously worked at Wikimedia Foundation, Web Summit, and progressive advocacy group Access Now, has a similar ideological record. As Reason magazine puts it:

Maher's past tweets would be hard to distinguish from satire if one randomly stumbled across them. Her earnest, uncompromising wokeness — land acknowledgments, condemnations of Western holidays, and so on — sounds like they were written by parody accounts such as The Babylon Bee or Titania McGrath.

Here, Rufo’s criticism is entirely fair, and Signal’s board would likely benefit from picking less controversial leaders while fostering intellectual diversity to reflect its global user base better.

Enemies of your enemies

But the fact that Signal is run by an outspoken anti-government, anti-corporate, privacy maximalist like Whittaker, who built her career opposing collaboration between tech and government, also makes it an unlikely tool of the surveillance state (not to mention that an avowed anarchist founded it). Rather than being evidence of any particular conspiracy, the involvement of leftists like Maher and Whittaker is best explained as a reflection of tech’s coastal elite cultural bubble.

Let’s look closer at Signal’s alleged ties to the government. Open Whisper Systems, the initial developer of its protocol, received a series of seed grants from a State Department-funded initiative called the Open Technology Fund, a nonprofit that gives grants to support open-source internet freedom projects. OWS was later dissolved and incorporated under the Signal Foundation. However, its open-source encryption protocol was widely adopted, vetted by security researchers, and integrated into apps including Facebook Messenger, Skype, and WhatsApp.

The OTF’s programs have supported numerous internet freedom tools, including virtual private networks, the Signal protocol, and Tor. What’s more, other government funding programs have supported the creation of the internet, GPS, and the core technologies in our smartphones, as do Silicon Valley giants like Intel, Tesla, Qualcomm, Apple, and Google.

The federal government has many legitimate policy interests in funding technology tools unrelated to surveillance, including foreign policy, geopolitical security, and economic competitiveness. In particular, the U.S. government’s internet freedom programs are directly from Cold War-era anti-communist radio and television.

Ronald Reagan 1950s Crusade for Freedom commercial soliciting funds for radio Free Europewww.youtube.com

Today, these tools lend support to journalists, opposition parties, and dissident movements operating under authoritarian regimes like China, Russia, North Korea, and Iran. For instance, during the pro-democracy protests in Hong Kong, Signal rocketed to become the number-one downloaded app. Similarly, Signal usage has surged during the ongoing Russia-Ukraine war. Used in concert with VPNs, secure messaging access is a powerful freedom tool. Citing an anonymous source, Rufo’s article asserts the State Department and OTF “wield open source internet projects made by hacker communities as tools for American foreign policy goals.” Indeed. This is a feature, not a bug.

The OTF has its origins in a project of Radio Free Asia, the sister organization to Radio Free Europe, set up in response to the Tiananmen Square massacre and the growing threat of communism in Asia. Later, the OTF was spun off under the Trump administration as an independent nonprofit funded by the U.S. Agency for Global Media and chartered by Congress under 22 U.S.C. § 6208a. With a mission to “advance internet freedom in repressive environments by supporting … technologies that counter censorship and combat repressive surveillance to enable all citizens to exercise their fundamental human rights online,” the OTF is at the tip of the spear, helping support pro-freedom movements worldwide.

In the 20th century, America used radio and television broadcasts to spread freedom behind the Iron Curtain. In the 21st century, the OTF is breaking the Great Firewall and allowing people living in authoritarian states to access free and open information from around the world. The OTF’s funding of internet freedom projects such as VPNs, Tor, and yes, Signal, is intended to ensure that journalists and dissidents have “unrestricted access to uncensored sources of information via the internet.” To guarantee communications security over the technologies it supports, the OTF is legally required only to support fully open-source and auditable technologies. The OTF’s authorizing statute requires “comprehensive security audits to ensure that such technologies are secure and have not been compromised.”

If this isn’t enough, any attempt by the government to embed a secret back door would also have to get past its robust technical community and global security researchers, who can review and verify its source code on Github. Maher, a non-technical executive who joined the board in 2023, is unlikely to have had any involvement in its codebase.

For federal agencies like the State Department, knowledge of a back door would trigger the Vulnerability Equities Process, which requires federal entities, including law enforcement and intelligence agencies, to undergo independent review and disclose known exploits under certain circumstances where there is a significant risk of abuse by foreign governments, criminals, and other bad actors. On the black market, Russia-backed hackers are offering as much as $1.5 million for a Signal zero-day vulnerability.

Extraordinary claims require extraordinary evidence

To argue that Signal is insecure or untrustworthy because of indirect funding from the State Department is to fundamentally misunderstand the origins, mission, and practices of both Signal and the U.S.’ internet freedom programs. Critically, such thinking risks pushing people to far less secure alternatives like Telegram, SMS, and iMessage. While Telegram’s CEO has been an avid Signal critic, messages on its platform are still not encrypted by default. In addition to being open source and end-to-end encrypted, Signal has the added benefits of encrypting metadata, obscuring phone numbers, and employing quantum-resistant cryptography.

Internet freedom programs and their analog predecessors have historically enjoyed strong bipartisan support, including Republican champions like Newt Gingrich and Ronald Reagan. Here, Rufo’s criticism should be a warning to internet freedom advocates against placing lightning-rod activists in leadership or cultivating a partisan ideological monoculture.

Considering the federal government’s long history of abusing surveillance tools — from J. Edgar Hoover to the Patriot Act — a base level of skepticism or even paranoia is understandable. Civil liberties proponents on both sides of the aisle are right to question and challenge the security of their communication platforms, including Signal. However, as an indirect instrument of U.S. policy, Signal's role extends beyond just an app for secure messaging; it bolsters American values and safeguards the freedoms that define open societies.

Because it was created as open-source software designed to minimize what it collects and operate on hostile servers, who’s on its board or where its funding came from actually don’t matter that much. What matters is how it gets used in the world. On this count, Signal — and related programs like Tor, VPNs, and the OTF — have been a massive policy success and a worthy digital successor of programs efforts that helped bring down the Berlin Wall and end the Soviet Union.

US Sanctions Iranian Cyber Army and Militant Groups That Have Kidnapped Americans

The Biden administration on Tuesday issued a bevy of new sanctions on Iran's army of cyberterrorists, as well as several militant groups that are attempting to kidnap Americans abroad.

The post US Sanctions Iranian Cyber Army and Militant Groups That Have Kidnapped Americans appeared first on Washington Free Beacon.

FBI director warns of Chinese hacking efforts to 'wreak havoc' on US critical infrastructure

[rebelmouse-proxy-image https://www.theblaze.com/media-library/image.webp?id=51275372&width=1245&height=700&coordinates=0,0,0,0 crop_info="%7B%22image%22%3A%20%22https%3A//www.theblaze.com/media-library/image.webp%3Fid%3D51275372%26width%3D1245%26height%3D700%26coordinates%3D0%2C0%2C0%2C0%22%7D" expand=1]

FBI Director Christopher Wray told a congressional committee this week that hackers backed by the Chinese communist regime are preparing to "cripple" American infrastructure should Beijing decide "the time has come to strike."

Wray indicated in his statement to the Select Committee on the Chinese Communist Party Wednesday that the intelligence community has assessed that "China is attempting to pre-position on U.S. critical infrastructure—setting up back doors to cripple vital assets and systems in the event China invades Taiwan and therefore, limiting our ability to assist Taiwan."

"China's hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike," Wray told lawmakers in his oral testimony.

In one example, the FBI director noted that hackers affiliated with the Chinese military gained access to the computer networks of a major American transportation hub. Gas pipelines, the electric grid, and water treatment plants have similarly been targeted.

FBI Director Wray opening statement before @committeeonccp : "The PRC has a bigger hacking program than that of every major nation combined."
— (@)

Chairman Mike Gallagher (R-Wisc.) said that "this is the cyberspace equivalent of placing bombs on American bridges, water treatment facilities and power plants," reported CNN.

"There is no economic benefit for these actions. There's no pure intelligence-gathering rationale," continued Gallagher. "The sole purpose is to be ready to destroy American infrastructure, which would inevitably result in chaos, confusion and potentially mass casualties."

The U.S. has long known of efforts by state-backed Chinese hackers to compromise American systems and exploit vulnerabilities.

These efforts in cyberspace to compromise American security come amidst similarly brazen aerial and ground operations. The regime has, for instance, sent spy craft over the mainland U.S.; operated illegal police stations on American soil; threatened diplomats; and dispatched agents to execute espionage and political destabilization missions.

China does not appear to be merely posturing. The communist regime, which has been building up its military and preparing for war at a time when the U.S. military has been assessed as "weak," has made expressly clear in recent months that it intends to take the island nation of Taiwan. In the face of significant demographic, economic, and social troubles at home, the communist regime may increasingly see such a military adventure as an opportunity to change its fate and fortune.

"[Communist China] represents the defining threat of this era," said Wray. "There is no country that presents a broader, more comprehensive threat to our ideas, our innovation, our economic security, and, ultimately, our national security."

Wray also expressed concerns about the use of Tiktok by the Chinese regime to "control data collection on millions of users, which can be used for all sorts of intelligence operations or influence operations."

Extra to collecting data on Americans and pushing influence operations, the FBI director indicated TikTok gives Beijing the ability "to control the software on millions of devices, which means the opportunity to technically compromise millions of devices."

— (@)

Gen. Paul Nakasone, the head of the National Security Agency, told lawmakers, "We need to have a vigilance that continues onward."

"This is not an episodic threat that we're going to face. This is persistent," added Nakasone.

Like Blaze News? Bypass the censors, sign up for our newsletters, and get stories like this direct to your inbox. Sign up here!

Holiday cybercrime season is here: 12 tips for secure online shopping

[rebelmouse-proxy-image https://www.theblaze.com/media-library/holiday-cybercrime-season-is-here-12-tips-for-secure-online-shopping.jpg?id=50529852&width=1245&height=700&coordinates=0,110,0,111 crop_info="%7B%22image%22%3A%20%22https%3A//www.theblaze.com/media-library/holiday-cybercrime-season-is-here-12-tips-for-secure-online-shopping.jpg%3Fid%3D50529852%26width%3D1245%26height%3D700%26coordinates%3D0%2C110%2C0%2C111%22%7D" expand=1]

The holiday season is finally upon us, signaling the return of Black Friday and Cyber Monday sales. Shoppers across the nation are poised to take advantage of incredible deals. But be advised: Cybercriminals are also marking these dates, using the increase in online shopping to unleash phishing attacks, ransomware, and adware upon unsuspecting consumers.

This time of year, the Cybersecurity and Infrastructure Security Agency and the National Security Agency step up their game to guard against major attacks. But the real onus of vigilance falls on consumers themselves to protect their digital sleighs from these modern-day Grinches.

The top threats this holiday season

Phishing scams: These scams take on a festive guise during the holiday season, with emails and messages crafted to mimic genuine holiday specials or charity drives, aiming to trick shoppers into giving away sensitive data or downloading malicious software.

Ransomware: Perhaps the best known version of malware, ransomware demands payment to unlock access to the victim’s data and often comes cloaked in holiday-themed downloads, exploiting the season's goodwill and the lure of holiday bargains.

Adware and browser hijacking: Malicious adware and browser hijacking software programs can redirect you to counterfeit websites boasting irresistible deals, only to rob you of your credit card details and personal information.

Fraudulent password requests: A common ruse involves emails falsely claiming to be from service providers, prompting users to change their passwords with a link to a bogus website designed to steal information. Should you find yourself victimized, immediately changing your login credentials is the best move.

Social media dangers: Particularly at risk are social media enthusiasts, with new malvertising campaigns like NodeStealer, which recently launched approximately 140 ad campaigns with images of attractive individuals, pushing malicious downloads onto devices.

As the CISA and the NSA continue to monitor these threats and offer guidance, they become an invaluable resource during the holiday season. Their efforts, combined with consumer awareness, are key to a safe digital shopping experience.

12 ways to boost your online security as you shop

Be alert with emails and deals: Carefully inspect promotional emails and online offers. Be on the lookout for phishing red flags, such as poor grammar, suspicious links, and unusual requests for personal information.

Choose secure payment options: Select payment methods that offer strong consumer protections, such as virtual credit cards or established online payment services.

Update your devices: Make sure your devices have the latest security updates installed to fend off threats.

Craft strong passwords: Generate unique, complex passwords for all online accounts and update them periodically. A password manager can be a valuable tool in managing your passwords effectively.

Use two-factor authentication: Add an extra layer of protection to your accounts by enabling two-factor authentication, which might require an additional step or two, but an extra minute of inconvenience is a fine trade-off for the hours or days you’ll spend cleaning up the mess if your accounts are hacked.

Watch your transactions: Keep a close eye on your bank and credit card statements, watching for any unauthorized activity.

Use caution on public Wi-Fi: Avoid performing transactions over public Wi-Fi. If you must, use a virtual private network to secure your connection.

Keep informed on cybersecurity: Stay updated on the latest cybersecurity threats by following trusted organizations and experts.

Steer clear of suspicious links: Do not click on links from unknown sources, as they could lead to harmful sites or malware downloads.

Verify website authenticity: Only shop on known, legitimate websites, and verify that their URLs start with HTTPS to ensure a secure connection.

Question too-good-to-be-true offers: Be wary of offers that seem too incredible, as they often are and may be phishing attempts or scams. This is especially true on social media.

Back up your data: Regularly back up your important data to recover quickly in the event of a cyberattack.

Integrating these 12 tips into your holiday shopping habits can help you enjoy the season's cheer without compromising your online safety. Cybersecurity is a year-round commitment, so consider it the gift that keeps on giving.