Russia's hackers target Sen. McCaskill’s 2018 campaign. Use Microsoft Exchange? You'd better read this

Originally published at: https://boingboing.net/2018/07/26/russias-hackers-targeted-sen.html

6 Likes

giphy

14 Likes

Yet another reason why you should never use Microsoft Exchange.

6 Likes

Trump is fond of saying how “tough” he is on Russia, and even said recently Putin “didn’t want him to win”,. but c’mon. . . .really? Do any Republicans really think Russia wants Democrats to win and Republicans to lose?

5 Likes

So wait, this isn’t really a Microsoft Exchange vulnerability, it’s just spearphishing targeting Congresspeople to get their passwords to their Microsoft Exchange accounts.

/not a MS apologist, just a stickler for the actual fact

32 Likes

What’s the chance that people will be able to vote on a paper ballot? Anything else and I’d suspect tampering.

6 Likes

This is the meat of about any phishing attack. Tell someone they need to access an account of change a password. Is there something specific to exchange that makes this easier?

If the target clicked on the link, he or she was taken to a convincing replica of the U.S. Senate’s Active Directory Federation Services (ADFS) login page, a single sign-on point for e-mail and other services.

As with the Podesta phishing, each Senate phishing email had a different link coded with the recipient’s email address. That allowed the fake password-change webpage to display the user’s email address when they arrived, making the site more convincing.

Okay, an easily spoof-able identity site and a culture of forcing password changes.

10 Likes

To be honest, This would also work with most any other system. Just generic phishing logon page.

This is just classic social engineering.

9 Likes

Just this last week, however, Trump said, on Twitter, that he feared Russians would intervene in the 2018 midterm elections on behalf of Democrats.

Every day is opposite day in Trump’s brain…

He’s perpetually wandering around “I know you are, but what am I?” land. Like a big, orange-faced Alice.

If he said it, at least some of them think it.

8 Likes

I would be more worried about local areas counting paper ballots. It doesn’t take too much know how in a small district to hack a paper ballot election. Be careful what you wish for.

1 Like

I’d hope that any Democrat’s IT staff would implement 2-factor authentication on their Exchange stack so that even if the Russians did get a password or three, they still would need to hack the authentication process to get in (hope you’re using token and not SMS-based authentication)!

3 Likes

So you’re worried about the possibility of fraud in a small district over systemic problems? Seems rather myopic. Deibold et al need to be out of the election business.

8 Likes

Consider these two facts/probabilities:

  1. It is Russia’s goal to create political chaos in the USA. As long as the country is riven by division and arguing over bullshit like Pizzagate, we’re not interfering with Russia’s geopolitical goals.
  2. Russia has something on Cheeto Mussolini, so having him in power is convenient for them.

Having Trump in power and fighting a Democratic majority in Congress would be consistent with both of these. I’m not saying Russia is intervening on behalf of Democrats—in fact, they seem to have gone all-in with the GOP—but if that were their plan, it wouldn’t surprise me.

The chilling bit isn’t so much the phishing attack; but the fact that such a high value target might well still not be using the hardware auth tokens that substantially mitigate phishing as a strategy.

Fraud in a lot of small districts. There has never been a verified hack into an electronic voting system in America that I know of,but ballot box stuffing has a very long history. The famous hanging chad in Florida showed that someone handling paper ballots could invalidate properly filled out ballots.easily. (Not saying the hanging chad ballot was deliberately altered, but it shows that it could easily be done by people handling the ballots).

I was involved in a union election where there was one more vote counted on the machines than they had signed paper log book entries. There were around 3000 total votes cast, and it generated weeks of rechecks and hand wringing. If Seattle had voted 55 to 45 for Trump I would be worried

Russia’s election meddling was mostly trying to influence voters with false and misleading information before they voted. It worked well, as they convinced many voters who would most assuredly be hurt by Trump’s policies and presidency to vote for Trump. I don’t doubt that many Midwest farmers actually voted for Trump, though I can not fathom why. I think they are realizing they were fed a lot of lies about who loses in a trade war. But when the sheriff, mayor and justice of the peace of a small town are all related I fear paper ballots

1 Like

Fraud with paper ballots can be easily audited.

There has never been a verified hack into an electronic voting system in America that I know of

That is a big problem, in that it is infinitely easier to conceal with electronic systems.
Did you miss the recent congressional testimony on this?

Russia’s election meddling was mostly trying to influence voters with false and misleading information before they voted.

That is one instance, and does not speak to the problem with auditing machines.

2 Likes

Paper ballots aren’t going to help much when all the effort is going into swaying opinions before people get to the polling booth.

1 Like

Both vectors need to be addressed. One does not preclude the other.

3 Likes

Our politicians are no better end users then the people they represent. Convenience always comes before security, even when the IT professionals you pay to tell you what’s best tell you otherwise.