A Homecoming Queen Was Arrested for Alleged Vote Hacking
This week saw new revelations of election interference, both big and small: On one end of the spectrum, an alleged mother-daughter conspiracy to digitally rig a Florida high school’s vote for homecoming queen. On the other, Russia’s influence operations designed to bolster Trump and sabotage Biden in the 2020 presidential election. News of this insidious scheme has raised questions about the fundamental resilience of American democracy—and the thing with the Kremlin is pretty bad too.
On Tuesday, a newly declassified report from the Office of the Director of National Intelligence shed light on how Russian intelligence agencies sought to influence the 2020 presidential election and swing it towards Trump—though without the same kind of disruptive hacking that plagued the 2016 election. In other Russia news, Apple caved to Moscow’s demands that it prompt users to preload Russian-made apps on its iPhone there, opening the door to similar demands from other countries.
In the UK, police and internet service providers are testing a new surveillance system to log users’ online histories, following the country’s passage in 2016 of a law that’s come to be known as the “Snooper’s Charter.” And in better news for the security of the internet, Facebook has built a so-called “Red Team X” of hackers who seek out vulnerabilities in not only Facebook’s own software, but all the software Facebook uses—and in the process making that software more secure for everyone.
Toward the end of the week, a SpaceX engineer pleaded guilty to conspiracy to commit securities fraud. The SEC filed a complaint as well, marking the first time the agency has pursued charges related to dark web activity.
And there’s more! Each week we round up all the news we didn’t cover in depth. Click on the headlines to read the full stories. And stay safe out there.
Last fall, election software maker Election Runner contacted school administrators at J. M. Tate High School to alert them to something fishy about their recent vote for homecoming queen. As the Florida Department of Law Enforcement would later write in charging documents, 117 votes had been cast from a single IP address, all for a single 17-year-old girl, the daughter of the school’s vice principal, Laura Rose Carroll. But each of those votes had required entering the voter’s unique student ID number and birth date—a mystery that was soon solved when police learned from the school’s student council coordinator that the homecoming queen allegedly had been talking about using her mother’s network account to cast votes. Investigators say witnesses later told them that the girl had bragged about casually abusing her mother’s credentials to access other students’ grades. And police also say they found that the mother was aware of her daughter’s behavior, likely sharing her new password when she updated it every 45 days. Both mother and daughter were arrested and charged with fraudulently accessing confidential student information—aside from grades and student IDs, the network also contained more sensitive data like medical history and disciplinary records.
A single zero-day vulnerability in the hands of hackers usually sets them apart from the unskilled masses. Now Google’s Threat Analysis Group and Project Zero vulnerability research team have discovered a single hacker group using no fewer than 11 over the course of just nine months last year—an arsenal that is perhaps unprecedented in cybersecurity history. Stranger still, Google had no details to offer about who the hackers might be, their history, or their victims. The vulnerabilities they exploited were found in commonly used web browsers and operating systems—such as Chrome on Windows 10 and Safari on iOS–allowing them to carry out highly sophisticated “watering hole” attacks that infect every visitor to an infected website that runs the vulnerable software. Though Google has now helped to expose those flaws and get them patched, the mystery of an unknown, hyper-sophisticated and uniquely well-resourced hacker group remains disconcerting.
Last week the anarchist hacker Tillie Kottman made headlines with an enormous security breach, hacking 150,000 security cameras sold by the firm Verkada that sit inside companies, prisons, schools, and other organizations around the world. This week Kottman, who uses the pronouns they/them, was indicted by the US Department of Justice for wire fraud, conspiracy, and identity theft. Kottman is accused of not only last week’s security camera breach, but also obtaining and publicly sharing code repositories from more than 100 firms—including Microsoft, Intel, Qualcomm, Adobe, AMD, Nintendo, and many more—through a website they called git.rip. In an interview with Bloomberg ahead of the security camera hack revealed last week, Tillman described their motivations: “lots of curiosity, fighting for freedom of information and against intellectual property, a huge dose of anti-capitalism, a hint of anarchism—and it’s also just too much fun not to do it.”
It’s always ironic when exploiters of leaked personal data eat their own. But this particular case had perhaps an expected outcome given the name: Defunct hacked-password collection service WeLeakInfo has leaked the information of 24,000 customers of the service, according to independent security journalist Brian Krebs. Until it was seized a little over a year ago by the FBI, WeLeakInfo was one of several services that collected caches of hacked or leaked passwords and packaged them for sale. But now, after the FBI allowed one of WeLeakInfo’s domains to lapse, a hacker took over that domain and used it to reset the service’s account login with payment service Stripe. That revealed the personal data of all of the service’s customers whose payments were processed with Stripe, including full names, addresses, phone numbers, IP addresses, and partial credit card numbers.
Motherboard reporter Joseph Cox has discovered a gaping vulnerability in the security of text messaging. A hacker named Lucky225 demonstrated to him that Sakari, a service that allows businesses to grant access to its software to send SMS text messages from own numbers, lets anyone to take over someone’s number with only a $16 monthly subscription and a “letter of authority” in which the hacker claims they’re authorized to send and receive messages from that number—all thanks to the incredibly lax security systems of the telecommunications companies. Cox did in fact grant Lucky225 that permission, and Lucky225 showed in seconds that he could not only receive Cox’s text messages but send them from his number and reset and take over Cox’s accounts that use SMS as an authentication method. A less friendly hacker without permission could, of course, do the same.
Military contractor Ulysses has offered in marketing materials to track tens of millions of cars for customers, according to a document obtained by Motherboard’s Joseph Cox, who probably deserves several investigative journalism awards by now. The company bragged that it aggregates data from cars’ telematics systems, though it’s not clear exactly which sensors or which cars are sharing that data or how Ulysses obtained it. In one image, it claims it has the ability to “geo-locate one vehicle or 25,000,000, as shown here,” next to a map covered with dots covering much of Eastern Europe, Turkey, and Russia. An executive for Ulysses responded to Motherboard’s questions by claiming the document was “aspirational”—though the document tells a different story–and that it has no government contracts related to telematics.
More Great WIRED Stories