hacking the election

Published: 2008-11-05
Last Updated: 2008-11-06 16:36:18 UTC
by donald smith (Version: 3)

You probably have heard of voting machines that have various security issues.
This article isn't about that. In attempting to hack the election, the "politically motivated"
have tried methods other than breaking into the voting machine infrastructure.

I have heard reports of automated phone calls and SMS messages, and have seen email, intended to convince
the recipient that they should vote the day after the election.
Why would you want to convince people to vote late? Because that means they didn't
get to vote. People are great procrastinators: given the option of doing something today or
doing something tomorrow, many of us choose tomorrow ;)

This is an email, with headers, that was sent to a George Mason University distribution list.

Received: from caduceus1.gmu.edu ([129.174.0.40]) by mercury1.gmu.edu (Sun Java System Messaging Server 6.2-2.05 (built Apr 28 2005)) with ESMTP id <0K9S00CFRQAJRMF0@mercury1.gmu.edu>; Tue, 04 Nov 2008 01:35:07 -0500 (EST)
Received: from cronus.gmu.edu ([129.174.0.112]) by caduceus1.gmu.edu (Sun Java System Messaging Server 6.2-2.05 (built Apr 28 2005)) with ESMTP id <0K9S00AZLQ20TAA0@caduceus1.gmu.edu>; Tue, 04 Nov 2008 01:35:07 -0500 (EST)
Received: from ironport2.gmu.edu (ironport2.gmu.edu [129.174.0.125]) by cronus.gmu.edu (8.13.4/8.13.4) with ESMTP id mA46SYhN028499; Tue, 04 Nov 2008 01:28:43 -0500 (EST)
Received: from mail04.gmu.edu ([129.174.0.116]) by ironport2.gmu.edu with ESMTP; Tue, 04 Nov 2008 01:28:42 -0500
Received: from LISTSERV.GMU.EDU (mail04.gmu.edu [129.174.0.116]) by mail04.gmu.edu (8.11.7p3+Sun/8.11.7) with ESMTP id mA46Sg429402; Tue, 04 Nov 2008 01:28:42 -0500 (EST)
Received: by LISTSERV.GMU.EDU (LISTSERV-TCP/IP release 14.4) with spool id 2611076 for ANNOUNCE04-L@LISTSERV.GMU.EDU; Tue, 04 Nov 2008 01:26:42 -0500
Received: from ironport2.gmu.edu (ironport2.gmu.edu [129.174.0.125]) by mail04.gmu.edu (8.11.7p3+Sun/8.11.7) with ESMTP id mA46Gg427221 for <ANNOUNCE04-L@mail04.gmu.edu>; Tue, 04 Nov 2008 01:16:42 -0500 (EST)
Received: from m154.prod.democracyinaction.org ([8.15.20.154]) by ironport2.gmu.edu with ESMTP; Tue, 04 Nov 2008 01:16:42 -0500
Received: from [10.15.20.114] ([10.15.20.114:39637] helo=web4.mcl.wiredforchange.com) by mailer.mcl.wiredforchange.com (envelope-from <noreply@gmu.edu>) (ecelerity 2.2.2.35 r(26825/26826)) with ESMTP id BC/ED-21096-AC8EF094; Tue, 04 Nov 2008 01:16:42 -0500
Date: Tue, 04 Nov 2008 01:16:42 -0500
From: Office of the Provost <noreply@gmu.edu>
Subject: Election Day Update
Sender: ANNOUNCE04-L <ANNOUNCE04-L@mail04.gmu.edu>
To: ANNOUNCE04-L@mail04.gmu.edu
Reply-to: noreply@gmu.edu
Message-id: <23911171.1225779402109.JavaMail.root@web4.mcl.wiredforchange.com>
MIME-version: 1.0
Content-type: multipart/alternative; boundary="----=_Part_3017_30982749.1225779402108"
Precedence: list
X-Sender-IP: 129.174.0.116
X-Sender-IP: 8.15.20.154
X_DIA_Originating_IP: 85.195.123.24
X_DIA_Source: Host:web4.mcl.wiredforchange.com DB org
X_DIA_Referer:
X-SENDER-REPUTATION: 4.5
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AooAAD96D0mBrgB0kWdsb2JhbACCRzKRHgEBAQEJCwoHEQStA4YRhEuDU4Mv
X-IronPort-AV: E=Sophos;i="4.33,541,1220241600"; d="scan'208";a="55510806"
X-SENDER-REPUTATION: 3.7
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AogAAP12D0kIDxSaiWdsb2JhbACCRzKRHgEBAQoLCAkQBax6hhCES4NTgy8
X-IronPort-AV: E=Sophos;i="4.33,541,1220241600"; d="scan'208";a="55510203"
Comments: To: ANNOUNCE04-L@mail04.gmu.edu
List-Owner: <mailto:ANNOUNCE04-L-request@LISTSERV.GMU.EDU>
List-Subscribe: <mailto:ANNOUNCE04-L-subscribe-request@LISTSERV.GMU.EDU>
List-Unsubscribe: <mailto:ANNOUNCE04-L-unsubscribe-request@LISTSERV.GMU.EDU>
List-Help: <mailto:LISTSERV@LISTSERV.GMU.EDU?body=INFO+ANNOUNCE04-L>

To the Mason Community:

Please note that election day has been moved to November 5th. We apologize for any inconvenience this may cause you.

Peter N. Stearns
Provost
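Tracing the forged sender through its Received chain, as an added example that is not part of the original diary: the headers above are transcribed into standard "Name: value" form, the chain is walked oldest-first to find where the message entered the gmu.edu mail servers, and the From: domain is compared with that entry host. The organisation domain (gmu.edu) and its address range (129.174.0.0/16) are assumptions read off the header addresses, not stated on the page.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Transcribed from the hoax message above (hosts and IPs as printed), in standard "Name: value" form.
RAW_HEADERS = """\
Received: from caduceus1.gmu.edu ([129.174.0.40]) by mercury1.gmu.edu with ESMTP
Received: from cronus.gmu.edu ([129.174.0.112]) by caduceus1.gmu.edu with ESMTP
Received: from ironport2.gmu.edu (ironport2.gmu.edu [129.174.0.125]) by cronus.gmu.edu with ESMTP
Received: from mail04.gmu.edu ([129.174.0.116]) by ironport2.gmu.edu with ESMTP
Received: from LISTSERV.GMU.EDU (mail04.gmu.edu [129.174.0.116]) by mail04.gmu.edu with ESMTP
Received: by LISTSERV.GMU.EDU (LISTSERV-TCP/IP release 14.4) with spool id 2611076
Received: from ironport2.gmu.edu (ironport2.gmu.edu [129.174.0.125]) by mail04.gmu.edu with ESMTP
Received: from m154.prod.democracyinaction.org ([8.15.20.154]) by ironport2.gmu.edu with ESMTP
Received: from [10.15.20.114] ([10.15.20.114:39637] helo=web4.mcl.wiredforchange.com)
 by mailer.mcl.wiredforchange.com (envelope-from <noreply@gmu.edu>) with ESMTP
From: Office of the Provost <noreply@gmu.edu>
"""
HOP_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})")

def hops_oldest_first(raw):
    """Each relay prepends its Received line, so reverse the list to follow the message's path."""
    return [" ".join(h.split()) for h in reversed(message_from_string(raw).get_all("Received", []))]

def injection_point(raw, org_domain, org_net):
    """(host, ip) of the first relay outside org_net that handed the message to an org relay."""
    net = ipaddress.ip_network(org_net)
    for hop in hops_oldest_first(raw):
        m = HOP_RE.search(hop)
        if not m:
            continue  # the LISTSERV spool line has no "from" clause
        host, comment, by_host = m.groups()
        ip = IP_RE.search(comment)
        if ip and ipaddress.ip_address(ip.group(1)) not in net and by_host.lower().endswith("." + org_domain):
            return host, ip.group(1)
    return None

def envelope_from(raw):
    """Envelope sender recorded by the first relay; it is only as trustworthy as that relay."""
    m = re.search(r"envelope-from\s+<([^>]+)>", " ".join(raw.split()))
    return m.group(1) if m else None

def spoofed_internal_sender(raw, org_domain, org_net):
    """True when From: claims org_domain but the message entered from an outside host not under it."""
    from_addr = parseaddr(message_from_string(raw)["From"])[1].lower()
    entry = injection_point(raw, org_domain, org_net)
    return (from_addr.endswith("@" + org_domain) and entry is not None
            and not entry[0].lower().endswith("." + org_domain))
```

For this message the entry point is m154.prod.democracyinaction.org (8.15.20.154) handing off to ironport2.gmu.edu, while both From: and the envelope sender claim noreply@gmu.edu, which is exactly the mismatch a list server or gateway could reject before the message ever reached the list.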


Brian Krebs does a good job of covering this here:
http://voices.washingtonpost.com/securityfix/2008/11/election_hoax_e-mail_sent_via.html

These tricks aren't new; they have just been upgraded for the Internet and the mass-messaging
capabilities it has created.

This is a list of "dirty tricks" from the 2004 election.
http://www.flcv.com/dirtytrf.html

Putting flyers on doors is a bit risky, and calling from your home phone is a bit risky, but
sending SMS spam, email spam, etc. is fairly safe. Do it from a compromised system
in another nation, via an open mail relay, and chances are you'll never get caught (sigh).

 


UPDATE:
Thanks to our friend and frequent contributor Juha-Matti, we have the text of the SMS messages being sent:
"Due to long lines if you are voting for Barack Obama you can vote tomorrow"
or
"Due to long lines, all Obama voters are asked to vote tomorrow".

The originating phone number is reportedly 505-507-6041.
Link: http://blog.wired.com/27bstroke6/2008/11/bogus-robo-text.html

UPDATE2:

It appears both of the campaigns were hacked.

http://www.newsweek.com/id/167581

"The computer systems of both the Obama and McCain campaigns were victims
of a sophisticated cyberattack by an unknown "foreign entity," prompting
a federal investigation, NEWSWEEK reports today."
 

Keywords: voter fraud

If you missed President-Elect Obama's speech, have some malware instead

Published: 2008-11-05
Last Updated: 2008-11-05 20:00:14 UTC
by donald smith (Version: 1)

Thanks go out to Gary Warner for alerting us to this bogus presidential
speech malware being spammed out right now:
"A very prevalent spam campaign promising a chance to view Obama's
acceptance speech is leading instead to keylogger malware that sends
the stolen keystrokes to the Ukraine."

http://garwarner.blogspot.com/2008/11/computer-virus-masquerades-as-obama.html

UPDATE:
Jack pointed out this link from Websense, which describes another lure leading people to malware, this time using a fake video.
http://securitylabs.websense.com/content/Alerts/3229.aspx


ms08-067 exploitation by 61.218.147.66

Published: 2008-11-05
Last Updated: 2008-11-05 15:31:35 UTC
by donald smith (Version: 1)

Tillmann at mwcollect.org wrote in with a sample ms08-067 analysis.

"we've caught an MS08-067 exploitation attempt and provide the
trace and a brief analysis here: http://honeytrap.mwcollect.org/msexploit"

The analysis is good. They have sample packets of the exploit and the callback shell, and they show an example of libemu's sctest. They identify the exploiting IP as 61.218.147.66. That IP is definitely scanning IP addresses sequentially for TCP 445 looking for vulnerable systems, so blocking it at your enterprise gateway is recommended.

UPDATE:
Emerging Threats has released signatures to catch the Trojan check-in and outbound worm traffic.

2008737 - ET CURRENT_EVENTS KernelBot/MS08-67 related Trojan Checkin (emerging.rules)
2008739 - ET CURRENT_EVENTS MS08067 Worm Traffic Outbound (emerging.rules)
http://doc.emergingthreats.net/bin/view/Main/2008737
http://doc.emergingthreats.net/bin/view/Main/2008739
Joel covered Sourcefire's signatures and other details related to this activity in his diary here:
http://isc.sans.org/diary.html?storyid=5275


Botnet hunters get an improved tool from SRI's BotHunter

Published: 2008-11-05
Last Updated: 2008-11-05 02:25:00 UTC
by donald smith (Version: 1)

A new version of the BotHunter botnet detection tool was recently released.
They have added dynamic updating, an upgraded ruleset,
a basic GUI, bug fixes, malware-oriented scan detection, and a set of
malware DNS-query detectors. It supports Linux, FreeBSD, Mac OS X and
Windows XP, and there is a Live CD so you can run it without installing it.
This tool uses some unusual correlation techniques to watch the
multi-directional flow of traffic between potentially infected internal systems
and external systems, including C&C controllers, malware distribution sites, etc.

From www.bothunter.net:
"BotHunter flips the paradigm of classic network-based intrusion detection,"
says Phillip Porras, lead developer of the BotHunter project.
"Rather than monitoring who is trying to break into your network,
BotHunter detects those machines inside your network that are trying to
propagate infections or are being remotely controlled by external hackers."
BotHunter also includes a regular update service that allows fielded systems
to be updated with the latest information regarding remote botnet control sites,
malware related-DNS lookups, and Russian Business Network (RBN) address space,
which are used to control infected computers. "Modern malware defenses need to
be adaptive and aware of the latest strategies used by Internet malware, and
BotHunter is ready to meet this challenge."

BotHunter is available for download at www.bothunter.net.
BotHunter was funded through the Cyber-Threat Analytics (http://www.cyber-ta.org)
research grant from the U.S. Army Research Office.




 

Keywords: Bothunter