Election hacking has become a key topic during this year's presidential elections, more so now that candidates and voters are being actively targeted by actors that are assumed to be acting with Russian support.
In this modified edition of CSO Online's Hacked Opinions series, we explore the myths and realities of hacking an election, by speaking with a number of security experts.
Q: Can the national election really be hacked? If so, how?
"It’s unlikely that the national election could really be hacked to alter the outcome. Voter registration databases have recently proven vulnerable, but adding, modifying, or deleting records doesn’t produce the intended effect (changed outcome); it just raises questions about the integrity of the database on election day," said Levi Gundert, CP of Intelligence and Strategy, Recorded Future.
Every time there's an election, the topic of hacking one comes to the surface. During a presidential election, that conversation gets louder. Yet, even the elections held every two years see some sort of vote hacking coverage. But can you really hack an election? Maybe, but that depends on your goals.
The topic of election hacking is different this year, and that's because someone is actually hacking political targets. Adding fuel to the fire, on Aug. 12, 2016, during an event in Pennsylvania, Donald Trump warned the crowd that if he loses the battleground state, it's because the vote was rigged.
Five people have been arrested in Miami who are said to be responsible for scamming 1,500 people out of more than $2 million by impersonating IRS agents. Their scams centered on contacting individual taxpayers out of the blue and demanding payments under the threat of jail time.
News of the arrests circulated Tuesday after the Associated Press reported on them. Sources in the Treasury Department said that the five individuals - all Cuban nationals - demanded money from their victims, threatening arrest if the payments were not wired immediately.
In recent months, the scammers demanded payment via iTunes gift cards.
Scams such as this, Deputy Inspector General Tim Camus told the Washington Post, have become the "largest and most pervasive" the IRS has faced over the last three decades. Some 6,400 victims have reported more than $36 million in losses, some paying up to $5,700 on average.
On Tuesday, Microsoft updated their Certificate Trust List (CTL) after the private key for xboxlive.com was leaked to the Web. The company didn't explain how the leak happened, but the exposed certificates were immediately revoked and replaced.
"Microsoft is aware of an SSL/TLS digital certificate for *.xboxlive.com for which the private keys were inadvertently disclosed. The certificate could be used in attempts to perform man-in-the-middle attacks," the software giant explained in their advisory.
"To help protect customers from potentially fraudulent use of the SSL/TLS digital certificate, the certificate has been deemed no longer valid and Microsoft is updating the Certificate Trust list (CTL) for all supported releases of Microsoft Windows to remove the trust of the certificate."
In court documents shared with CSO Online, the prosecutors say that between 2012 and 2015, the three pulled off "the largest theft of customer data from a U.S. financial institution in history" by stealing the personal information of more than 100 million people.
Over the weekend, a reader (@flanvel) directed Salted Hash to a post on a Dark Web marketplace selling a number of questionable, if not outright illegal goods. The post in question offered a list of 590,000 Comcast email addresses and corresponding passwords.
As proof, the seller offered a brief list of 112 accounts with a going rate of $300 USD for 100,000 accounts. However, one wished to purchase the entire list of 590,000 accounts, the final price was $1,000 USD.
Saturday evening, Salted Hash contacted Comcast about the account list being sold online. By the time our message reached them, Comcast had already obtained a copy of the list and their security team was checking each record against the ISP's current customer base.
Last week, during the 2015 Cyber Security Summit in Boston, Special Agent Joseph Bonavolonta said that the FBI's advice for some Ransomware attacks is to pay the ransom. Immediately, some security professionals took offense at his remarks, but the bigger picture is that payment might be the only option.
Bonavolonta, who is the Assistant Special Agent in Charge of the FBI’s CYBER and Counterintelligence Program at the Boston field office, made his comments while discussing Ransomware, particularly CryptoWall.
On Friday, in a letter to customers, the CEO of Dow Jones & Co. disclosed a data breach affecting 3,500 people. Based on public details, the incident seems similar to a breach reported by Scottrade last week that impacted 4.6 million investors.
In his letter, Dow Jones Chief Executive William Lewis said that law enforcement officials informed the company about the potential breach in late July.
After bringing in outside help, an investigation turned up a confirmation that the systems housing the customer data was accessed – but there is no proof that data was exfiltrated. The investigators also determined that the attackers had access to the system between August 2012 and July 2015.
LAS VEGAS - There have been several notable security incidents in the news this year, from healthcare and retail breaches, to financial; even security firms themselves have been targeted.
In each instance, attribution seems to take the lead during incident response, something organizations should resist. The key is collecting the right information and passing it on to the right people. When it comes to figuring out who did it and where they are, authorities are the ones who should take the lead – organizations that focus on this area first are wasting resources and time.
US Attorney Ed McAndrew (DE), who has years of experience working cases dealing with Internet-based crimes under his belt, recently spoke to CSO Online and offered some unique insight into the federal side of incident response and what organizations can to do better prepare for law enforcement involvement.
Since then, the RIG's author has released version 3.0, which was recently discovered by researchers from Trustwave. The latest version uses malvertising in order to deliver a majority of its traffic, infecting some 1.25 million systems to date.
There have been a few notable changes made to RIG between versions, including a cleaner control panel that's easier to navigate, changes to the URL structure used by the kit that helps it avoid detection, and a security structure that prevents unauthenticated users from accessing internal files – clearly implemented to avoid leaks such as the one that exposed the source code for the previous version.