35. Hanging with the Chads
Coming up this week on Breaking Badness. Today we discuss: Election Security on Georgia’s Back Server, Fear of the Un Phone: Jeff Bezos Hacked Creating a Mobile Crisis, and our fun new game, two truths and a lie.
Here are a few highlights from each article we discussed:
- So what the expert—an election security researcher named Logan Lamb—is saying is that the server was vulnerable to Shellshock which is a little bit of an older vulnerability that allowed an attacker to very easily execute arbitrary commands. The forensic images make it look like the server was breached prior to the 2016 and 2018 elections and since it was unpatched for Shellshock that means full control of the election data by whoever hacked it. There are actual logs of a user shellshock being created after the vulnerability is exploited, then that user patched the server and removed themselves. This could have been a good samaritan hacker—but who else found it before then?
- Lamb actually found the server vulnerable to the Drupalgeddon vulnerability—a big Drupal flaw—almost 2 years ago. After publishing that report, election integrity activists sued to get a mirror image of the voting machine at Kennewick University which is where the exploitation of this other Shellshock flaw was discovered. They also discovered in that mirror image that they were running outdated voting software that contained vulnerabilities and that the Drupal logs had disappeared from 2016 on. All pretty suspicious.
- Alongside this alleged tampering, there has been news this week that hits close to home. In King County, which is where DomainTools is located, it is set to become the first in which every voter can cast a ballot using a smartphone. This is just for some municipal water election or something like that and it’s not even going to make it into fruition from what things look like. I think the reason why this has received so much news coverage is because it’s such a known terrible idea. Absolutely abysmal. Every security expert that isn’t getting paid to say otherwise will tell you that electronic voting by app is the worst idea.
- In terms of how organizations such as our government should maintain the integrity of our democracy, I think we need to be looking at maintaining the voter registration systems in key districts. If I were going to try and undermine elections that would be my easiest target. Lots of pressure on voting machines so a lot of counties using paper ballots which is perfect so the real way to swing change would be to eliminate or tamper with voter registration. If I was running a campaign I’d be looking into the vendors of the companies that do make these voting systems, pivot into the primary target’s network and would go for the supply chain attack at this point. So many people pay attention to the integrity of the servers after they’re delivered—get yourself in there upstream before the code ships. Those are the two places I’m guessing there is less emphasis on oversight and the easier places to exploit.
- The headlines around the alleged hack are definitive, the data in the forensic report is less so.
- Is it possible that Saudi Arabia leveraged a 0day in both WhatsApp and iOS to pwn Jeff Bezos’ phone? Absolutely. There aren’t many higher value targets in the world today than the CEO of Amazon. Do we have enough hard evidence to say conclusively that this is what happened here? No.
- Allegedly they are said to have had full access to the device: messages, storage, voice calls, etc.
- In terms of potential motivations behind the attack, Jeff owns the Washington Post, which has published articles critical of Saudi Arabia and also employed Jamal Kashoggi, who was murdered by the Saudi Arabia government in part for his reporting on their human rights abuses.
- Also, Jeff owns Amazon, one of the largest companies in the world. Having access to his device could be a goldmine for insider trading and corporate espionage.
Two Truths and a Lie
Introducing our newest segment on Breaking Badness. We are going to play a game you are all likely familiar with called two truths and a lie, with a fun twist. Each week, one us with come prepared with three article titles, two of which are real, and one is, you guessed it, A LIE.
You’ll have to tune in to find out!
This Week’s Hoodie/Goodie Scale
Election Security on Georgia’s Back Server
[Chad]: 5/10 Hoodies
[Taylor]: 0.5/10 Hoodies
Fear of the Un Phone: Jeff Bezos Hacked Creating a Mobile Crisis
[Chad]: 10/10 Hoodies
[Taylor]: 3.5/10 Hoodies
That’s about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible podcast music!