Homecoming Queen (and her mother) arrested for alleged vote hacking
This week saw new election-meddling revelations big and small: on one end of the spectrum, an alleged mother-daughter plot to digitally rig a Florida high school vote for Homecoming Queen; on the other, Russia’s influence operations designed to bolster Trump and sabotage Biden in the 2020 presidential election. News of this insidious scheme has raised questions about the fundamental resilience of American democracy – and the Kremlin business is bad enough too.
On Tuesday, a newly declassified report from the Office of the Director of National Intelligence shed light on how Russian intelligence agencies sought to influence the 2020 presidential election and tip it to Trump, but without the same kind of disruptive hacking that plagued the 2016 election. In other Russia news, Apple bowed to Moscow's demands that it encourage users to preload Russian-made apps on the iPhone there, opening the door to similar requests from other countries.
In the UK, police and internet service providers are testing a new monitoring system to record users' online histories, following the country's adoption in 2016 of a law known as the “Snooper's Charter”. And in better news for internet security, Facebook has built a so-called “Red Team X” of hackers who check for vulnerabilities not only in Facebook’s own software, but also in all software used by Facebook – and in doing so make that software safer for everyone.
Towards the end of the week, a SpaceX engineer pleaded guilty to conspiracy to commit securities fraud. The SEC also filed a lawsuit, marking the first time the agency has sued over dark web activity.
And there’s more! Each week we round up all the news that we haven’t covered in depth. Click on the titles to read the full stories. And stay safe out there.
Last fall, election software maker Election Runner reached out to administrators at JM Tate High School to alert them to something fishy about their recent vote for Homecoming Queen. As the Florida Department of Law Enforcement would later write in charging documents, 117 votes were cast from a single IP address, all for a single 17-year-old girl, the daughter of the deputy director of the school, Laura Rose Carroll. But each of those votes required entering the voting student’s identification number and date of birth – a mystery that was quickly resolved when police learned from the school’s student council coordinator that the Homecoming Queen had reportedly talked about using her mother’s network account to vote. Investigators say witnesses later told them the girl bragged about casually abusing her mother’s credentials to gain access to other students’ grades. Police also said they found the mother to be aware of her daughter’s behavior, likely sharing her new password when she updated it every 45 days. The mother and daughter were arrested and charged with fraudulent access to confidential information about the students. In addition to grades and student cards, the network also contained more sensitive data such as medical history and disciplinary records.
A single zero-day vulnerability in the hands of hackers usually distinguishes them from the unskilled masses. Today, Google’s Threat Analysis Group and Project Zero vulnerability research team revealed that they had discovered a single group of hackers using as many as 11 over nine months of last year, an arsenal perhaps unprecedented in the history of cybersecurity. Stranger still, Google had no details to offer on who the hackers might be, their history, or their victims. The vulnerabilities they exploited were found in commonly used web browsers and operating systems, such as Chrome on Windows 10 and Safari on iOS, allowing them to carry out highly sophisticated “watering hole” attacks that infect every visitor to an infected website who runs the vulnerable software. While Google has now helped expose and fix these flaws, the mystery of an unknown, hyper-sophisticated, and uniquely resourced hacker group remains baffling.
Last week, anarchist hacker Tillie Kottman made headlines with a massive security breach, hacking 150,000 security cameras sold by the company Verkada that are installed in businesses, prisons, schools and other organizations worldwide. This week, Kottman, who uses the pronouns they/them, was indicted by the US Department of Justice for wire fraud, conspiracy and identity theft. Kottman is accused not only of last week’s security camera breach, but also of obtaining and publicly sharing code repositories from over 100 companies – including Microsoft, Intel, Qualcomm, Adobe, AMD, Nintendo and many more – through a website they called git.rip. In an interview with Bloomberg ahead of the security camera hack revealed last week, Kottman described their motives: “a lot of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism – and that’s too fun not to do it.”
It’s always ironic when the exploiters of leaked personal data eat their own. But this particular case may have had an expected result given the name: the hacked-password collection service WeLeakInfo leaked the information of 24,000 customers of the service, according to freelance journalist Brian Krebs. Until it was seized just over a year ago by the FBI, WeLeakInfo was one of many services that collected caches of hacked or leaked passwords and packaged them for sale. But now, after the FBI allowed one of WeLeakInfo’s domains to lapse, a hacker took over that domain and used it to reset the service’s account login with the Stripe payment service. This revealed the personal details of all of the service’s customers whose payments were processed with Stripe, including full names, addresses, phone numbers, IP addresses, and partial credit card numbers.
Motherboard reporter Joseph Cox has discovered a gaping vulnerability in text messaging security. A hacker named Lucky225 demonstrated to him that Sakari, a service that lets companies use its software to send text messages from their own numbers, allows anyone to take over someone’s number with only a monthly subscription of $16 and a “letter of authority” in which the hacker claims he is authorized to send and receive messages from this number, all thanks to the incredibly lax security systems of the telecommunications companies. Cox actually granted this permission to Lucky225, and Lucky225 showed within seconds that he could not only receive Cox’s text messages, but also send them from his number and reset and take over Cox's accounts that use SMS as the authentication method. A less friendly hacker without permission could of course do the same.
Military contractor Ulysses has offered in marketing materials to track tens of millions of cars for customers, according to a document obtained by Joseph Cox of Motherboard, who likely deserves several investigative journalism awards by now. The company has bragged about aggregating data from car telematics systems, although it’s unclear exactly which sensors or cars share this data or how Ulysses got it. In one image, it claims to have the ability to “geotag a vehicle or 25,000,000 as shown here,” alongside a dotted map covering much of Eastern Europe, Turkey and Russia. A Ulysses executive responded to Motherboard’s questions saying the document was “ambitious” – although the document tells a different story – and that it has no government contracts related to telematics.