This week saw new electoral meddling revelations big and small: On one end of the spectrum, an alleged mother-daughter plot to digitally rig a Florida high school vote for Homecoming Queen. On the other, Russia’s influence operations to bolster Trump and sabotage Biden in the 2020 presidential election. News of this insidious scheme has raised questions about the fundamental resilience of American democracy – and the problem with the Kremlin is bad enough, too.
On Tuesday, a newly declassified report from the Office of the Director of National Intelligence shed light on how Russian intelligence agencies sought to influence the 2020 presidential election and tip it to Trump, but without the same kind of disruptive hacking that plagued the 2016 election. In other news about Russia, Apple bowed to Moscow’s demands to urge users to preload Russian-made apps on its iPhones there, opening the door to similar requests from other countries.
In the UK, police and internet service providers are testing a new monitoring system to record users’ online histories, following the country’s adoption in 2016 of a law known as the “Snooper’s Charter”. And in better news for internet security, Facebook has built a so-called “Red Team X” of hackers who check for vulnerabilities not only in Facebook’s own software, but also in any software that Facebook uses – and in doing so make that software safer for everyone.
Towards the end of the week, a SpaceX engineer pleaded guilty to conspiracy to commit securities fraud. The SEC also filed a lawsuit, marking the first time the agency has sued over dark web activity.
And there’s more! Each week we collect all the news that we haven’t covered in depth. Click on the titles to read the full stories. And stay safe out there.
Last fall, election software maker Election Runner reached out to administrators at JM Tate High School to alert them to something fishy about their recent vote for Homecoming Queen. As the Florida Department of Law Enforcement would later write in charging documents, 117 votes were cast from a single IP address, all for a single 17-year-old girl, the daughter of the deputy director of the school, Laura Rose Carroll. But each of those votes required entering the student’s identification number and date of birth – a mystery that was quickly resolved when police learned from the school’s student council coordinator that the Homecoming Queen had reportedly talked about using her mother’s network account to vote. Investigators say witnesses later told them the girl bragged about casually abusing her mother’s credentials to gain access to other students’ grades. Police also said they discovered the mother was aware of her daughter’s behavior, likely sharing her new password when she updated it every 45 days. The mother and daughter were arrested and charged with fraudulent access to confidential information about the students. In addition to grades and student cards, the network also contained more sensitive data such as medical history and disciplinary records.
A single zero-day vulnerability in the hands of hackers usually distinguishes them from the unskilled masses. Now, Google’s Threat Analysis Group and Project Zero vulnerability research team have discovered a single group of hackers using no fewer than 11 over nine months of last year, an arsenal perhaps unprecedented in the history of cybersecurity. Stranger still, Google had no details to offer about the hackers, their history, or their victims. The vulnerabilities they exploited were found in commonly used web browsers and operating systems, such as Chrome on Windows 10 and Safari on iOS, allowing them to carry out very sophisticated “watering hole” attacks that infect every visitor to an infected website who runs the vulnerable software. While Google has now helped expose and fix these flaws, the mystery of an unknown, hyper-sophisticated, and uniquely resourced hacker group remains baffling.
Last week, anarchist hacker Tillie Kottman made headlines with a huge security breach, hacking 150,000 security cameras sold by the company Verkada that are installed in businesses, prisons, schools and other organizations worldwide. This week, Kottman, who uses they/them pronouns, was indicted by the US Department of Justice for wire fraud, conspiracy and identity theft. Kottman is accused not only of last week’s security camera breach, but also of obtaining and publicly sharing code repositories from over 100 companies – including Microsoft, Intel, Qualcomm, Adobe, AMD, Nintendo and many more – through a website they called git.rip. In an interview with Bloomberg ahead of the security camera hack revealed last week, Kottman described their motives: “a lot of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism – and it’s also too fun not to do it.”
It’s always ironic when the exploiters of leaked personal data eat their own. But this particular case may have been an expected outcome, given the name: The hacked password collection service WeLeakInfo leaked information on 24,000 of the service’s customers, according to freelance security reporter Brian Krebs. Until it was seized a little over a year ago by the FBI, WeLeakInfo was one of many services collecting caches of hacked or leaked passwords and putting them up for sale. But now, after the FBI allowed one of WeLeakInfo’s domains to lapse, a hacker took over that domain and used it to reset the service’s account login with the Stripe payment service. This revealed the personal details of all of the service’s customers whose payments were processed with Stripe, including full names, addresses, phone numbers, IP addresses, and partial credit card numbers.
Motherboard reporter Joseph Cox has discovered a gaping vulnerability in text messaging security. A hacker named Lucky225 demonstrated to him that Sakari, a service that gives companies access to its software to send text messages from their own numbers, allows anyone to take over someone’s number with only a $16 monthly subscription and a “letter of authority” in which the hacker claims he is authorized to send and receive messages from this number, all thanks to the incredibly lax security systems of the telecommunications companies. Cox actually granted this permission to Lucky225, and Lucky225 showed within seconds that he could not only receive Cox’s text messages but also send them from his number, and reset and take over Cox’s accounts that use SMS as the authentication method. A less friendly hacker acting without permission could of course do the same.
Military contractor Ulysses has offered, in marketing materials, to track tens of millions of cars for customers, according to a document obtained by Joseph Cox of Motherboard, who likely deserves several investigative journalism awards by now. The company has bragged about aggregating data from car telematics systems, although it’s unclear exactly which sensors or cars share this data or how Ulysses got it. In one image, it claims it has the ability to “geotag a vehicle or 25,000,000 as shown here,” alongside a dotted map covering much of Eastern Europe, Turkey and Russia. A Ulysses executive responded to Motherboard’s questions saying the document was “ambitious” – although the document tells a different story – and that it has no government contracts related to telematics.