
SANS ISC: hacking the election - SANS Internet Storm Center SANS ISC InfoSec Forums


hacking the election

You have probably heard of voting machines that have various security issues.
This article isn't about that. In attempting to hack the election, the "politically motivated"
have tried methods other than breaking into the voting machine infrastructure.

I have heard reports of automated phone calls and SMS, and have seen email, intended to convince
the receiver that they should vote the day after the election.
Why would you want to convince people to vote late? Because that means they don't
get to vote. People are great procrastinators: given the option of doing something today or
doing something tomorrow, many of us choose tomorrow ;)



This is an email, with headers, that was sent to a George Mason distribution list.

Return-path: <owner-announce04-l@mail04.gmu.edu>
Received: from caduceus1.gmu.edu ([129.174.0.40])
    by mercury1.gmu.edu (Sun Java System Messaging Server 6.2-2.05 (built Apr 28 2005))
    with ESMTP id <0K9S00CFRQAJRMF0@mercury1.gmu.edu>;
    Tue, 04 Nov 2008 01:35:07 -0500 (EST)
Received: from cronus.gmu.edu ([129.174.0.112])
    by caduceus1.gmu.edu (Sun Java System Messaging Server 6.2-2.05 (built Apr 28 2005))
    with ESMTP id <0K9S00AZLQ20TAA0@caduceus1.gmu.edu>;
    Tue, 04 Nov 2008 01:35:07 -0500 (EST)
Received: from ironport2.gmu.edu (ironport2.gmu.edu [129.174.0.125])
    by cronus.gmu.edu (8.13.4/8.13.4) with ESMTP id mA46SYhN028499;
    Tue, 04 Nov 2008 01:28:43 -0500 (EST)
Received: from mail04.gmu.edu ([129.174.0.116])
    by ironport2.gmu.edu with ESMTP;
    Tue, 04 Nov 2008 01:28:42 -0500
Received: from LISTSERV.GMU.EDU (mail04.gmu.edu [129.174.0.116])
    by mail04.gmu.edu (8.11.7p3+Sun/8.11.7) with ESMTP id mA46Sg429402;
    Tue, 04 Nov 2008 01:28:42 -0500 (EST)
Received: by LISTSERV.GMU.EDU (LISTSERV-TCP/IP release 14.4)
    with spool id 2611076 for ANNOUNCE04-L@LISTSERV.GMU.EDU;
    Tue, 04 Nov 2008 01:26:42 -0500
Received: from ironport2.gmu.edu (ironport2.gmu.edu [129.174.0.125])
    by mail04.gmu.edu (8.11.7p3+Sun/8.11.7) with ESMTP id mA46Gg427221
    for <ANNOUNCE04-L@mail04.gmu.edu>;
    Tue, 04 Nov 2008 01:16:42 -0500 (EST)
Received: from m154.prod.democracyinaction.org ([8.15.20.154])
    by ironport2.gmu.edu with ESMTP;
    Tue, 04 Nov 2008 01:16:42 -0500
Received: from [10.15.20.114] ([10.15.20.114:39637] helo=web4.mcl.wiredforchange.com)
    by mailer.mcl.wiredforchange.com (envelope-from <noreply@gmu.edu>)
    (ecelerity 2.2.2.35 r(26825/26826)) with ESMTP id BC/ED-21096-AC8EF094;
    Tue, 04 Nov 2008 01:16:42 -0500
Date: Tue, 04 Nov 2008 01:16:42 -0500
From: Office of the Provost <noreply@gmu.edu>
Subject: Election Day Update
Sender: ANNOUNCE04-L <ANNOUNCE04-L@mail04.gmu.edu>
To: ANNOUNCE04-L@mail04.gmu.edu
Reply-to: noreply@gmu.edu
Message-id: <23911171.1225779402109.JavaMail.root@web4.mcl.wiredforchange.com>
MIME-version: 1.0
Content-type: multipart/alternative;
    boundary="----=_Part_3017_30982749.1225779402108"
Precedence: list
X-Sender-IP: 129.174.0.116
X-Sender-IP: 8.15.20.154
X_DIA_Originating_IP: 85.195.123.24
X_DIA_Source: Host:web4.mcl.wiredforchange.com DB org
X_DIA_Referer:
X-SENDER-REPUTATION: 4.5
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AooAAD96D0mBrgB0kWdsb2JhbACCRzKRHgEBAQEJCwoHEQStA4YRhEuDU4Mv
X-IronPort-AV: E=Sophos;i="4.33,541,1220241600";
    d="scan'208";a="55510806"
X-SENDER-REPUTATION: 3.7
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AogAAP12D0kIDxSaiWdsb2JhbACCRzKRHgEBAQoLCAkQBax6hhCES4NTgy8
X-IronPort-AV: E=Sophos;i="4.33,541,1220241600";
    d="scan'208";a="55510203"
Comments: To: ANNOUNCE04-L@mail04.gmu.edu
List-Owner: <mailto:ANNOUNCE04-L-request@LISTSERV.GMU.EDU>
List-Subscribe: <mailto:ANNOUNCE04-L-subscribe-request@LISTSERV.GMU.EDU>
List-Unsubscribe: <mailto:ANNOUNCE04-L-unsubscribe-request@LISTSERV.GMU.EDU>
List-Help: <mailto:LISTSERV@LISTSERV.GMU.EDU?body=INFO+ANNOUNCE04-L>

To the Mason Community:

Please note that election day has been moved to November 5th.
We apologize for any inconvenience this may cause you.

Peter N. Stearns
Provost
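
How a mail administrator could read the header chain above, as an added example that is not part of the original diary: walk the Received lines newest-first, trusting only those stamped by your own servers, and flag a From: in your own domain that entered from an outside relay. The function names and the "gmu.edu" trust-domain argument are assumptions of this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: normalized subset of the headers above (upper internal hops omitted).
RAW = """\
Received: from ironport2.gmu.edu (ironport2.gmu.edu [129.174.0.125])
 by mail04.gmu.edu (8.11.7p3+Sun/8.11.7) with ESMTP id mA46Gg427221
 for <ANNOUNCE04-L@mail04.gmu.edu>; Tue, 04 Nov 2008 01:16:42 -0500 (EST)
Received: from m154.prod.democracyinaction.org ([8.15.20.154])
 by ironport2.gmu.edu with ESMTP; Tue, 04 Nov 2008 01:16:42 -0500
Received: from [10.15.20.114] ([10.15.20.114:39637] helo=web4.mcl.wiredforchange.com)
 by mailer.mcl.wiredforchange.com (envelope-from <noreply@gmu.edu>)
 (ecelerity 2.2.2.35 r(26825/26826)) with ESMTP id BC/ED-21096-AC8EF094;
 Tue, 04 Nov 2008 01:16:42 -0500
From: Office of the Provost <noreply@gmu.edu>
X_DIA_Originating_IP: 85.195.123.24
"""
HOP = re.compile(r"\s*from\s+(\S+).*?\sby\s+(\S+)", re.S)

def in_domain(host, domain):
    host = host.lower().strip("[]<>;.")
    return host == domain or host.endswith("." + domain)

def boundary_hop(msg, domain):
    """Return the (from, by) pair where one of our own MTAs accepted the message
    from a host outside `domain`; lines below that hop are sender-written."""
    for value in msg.get_all("Received", []):  # newest hop first
        m = HOP.match(value)
        if not m:
            continue  # e.g. "Received: by LISTSERV..." carries no from-clause
        sender, receiver = m.groups()
        if not in_domain(receiver, domain):
            return None  # stamped by someone else's server: stop trusting
        if not in_domain(sender, domain):
            return sender, receiver
    return None

def check_internal_from(msg, domain):
    """Flag mail whose From: claims `domain` but which entered from outside it."""
    addr = parseaddr(msg.get("From", ""))[1]
    hop = boundary_hop(msg, domain)
    claims_internal = in_domain(addr.rpartition("@")[2], domain)
    return {"from": addr, "boundary": hop,
            "claimed_origin": msg.get("X_DIA_Originating_IP"),  # sender-side, a lead only
            "suspicious": claims_internal and hop is not None}

MSG = message_from_string(RAW)
```

The same rule, applied at the gateway, is the basis for rejecting or quarantining inbound mail that claims an internal From: address but arrives from an external host.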


Brian Krebs does a good job of covering this here:
http://voices.washingtonpost.com/securityfix/2008/11/election_hoax_e-mail_sent_via.html


These tricks aren't new; they have just been upgraded for the Internet and the mass-messaging
capabilities it has created.

This is a list of "dirty tricks" from the 2004 election.
http://www.flcv.com/dirtytrf.html

Putting flyers on the door is a bit risky, and calling from your home phone is a bit risky;
sending SMS spam, email spam, etc. is fairly safe. Just do it from a compromised system
in another nation, via an open mail relay, and chances are you'll never get caught (sigh).

donald

ISC Handler
