December 21, 2020
Cybersecurity serial entrepreneur, election security specialist, and jack-of-all-trades startup developer. World-recognized expert and speaker on the topic of election cybersecurity with a focus in piloting revolutionary auditing methods. Featured in HBO's election security documentary "Kill Chain" and speaker at DEF CON, Shmoocon, Diana Initiative, Pac Sec, Verizon, and in presentations to Capitol Hill.
Born in Israel in 1975, Malicious Life podcast host Ran Levi studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, he created the popular Israeli podcast Making History. He is the author of three books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.
Malicious Life by Cybereason exposes the human and financial powers operating under the surface that make cybercrime what it is today. Malicious Life explores the people and the stories behind the cybersecurity industry and its evolution. Host Ran Levi interviews hackers and industry experts, discussing the hacking culture of the 1970s and 80s, the subsequent rise of viruses in the 1990s and today’s advanced cyber threats.
Malicious Life theme music: ‘Circuits’ by TKMusic, licensed under Creative Commons License. Malicious Life podcast is sponsored and produced by Cybereason.
Act 1. Shadow Inc.
In our double episode on Election Hacking, we focused on Georgia, and in particular on Brian Kemp, the Republican Secretary of State. But mismanagement of elections is not something unique to the Republican party, as the following story will demonstrate.
America isn’t the world’s biggest democracy, or its best-functioning democracy. But when we think of democracy in the world, we all look to the USA. Which is strange, because sometimes America’s elections system makes absolutely no sense. Like how, every four years, candidates battling for their party’s nomination flock to the state of Iowa to make speeches, eat corndogs and schmooze with voters.
For over half a century, America’s primary elections–the races that determine who gets to run for president on behalf of the party–have begun in this most unremarkable of states. There’s nothing wrong with Iowa, of course, but it’s a small state, which means it doesn’t hold much sway in the electoral college. And its population is overwhelmingly white, so you can’t really tell whether a candidate’s popularity in Iowa will reflect their popularity in more diverse states, like North Carolina or Arizona.
And yet, every four years, Iowa becomes the single most important story in politics. Simply by virtue of being first, it holds immense sway. Whoever wins Iowa is considered the frontrunner for their party’s nomination, earning positive media coverage, more fundraising, and momentum they can ride into the next few states. And it’s not just speculation–from Bill Clinton in 1996, through Hillary Clinton in 2016, every single Democrat to win the state of Iowa ended up as their party’s presidential nominee.
So there were a lot of high expectations for the 2020 Iowa caucuses. Millions upon millions of dollars poured into the state, as candidates campaigned to sway voters one by one. With a crowded field of candidates in the running, every point mattered.
“[Maggie] So the issue with the Iowa caucus is they were introducing new technology into the mix.”
That’s Maggie MacAlpine, whom you may remember from our episode on Georgia’s 2018 gubernatorial race.
“[Maggie] and by they, I mean the Democratic Party.”
The Democrats’ problem in Iowa began in 2016. After Hillary Clinton narrowly defeated Bernie Sanders in the state, Sanders supporters cried foul, pointing to instances of possible mismanagement and fraud, like when a delegate for Sanders in the Grinnell Ward 1 precinct was quietly, inexplicably transferred to Clinton. Whether justified or not–we don’t have time to analyze the claims here–the confusion and lack of transparency meant that, by 2020, the system needed a change. The party needed a better, more transparent system for tracking and counting votes in Iowa.
One small company stepped in to help. They called themselves “Shadow Inc.”
Let’s address the obvious here. Shadow Inc.?! Are you freaking kidding me? Whoever hired Shadow Inc. to build a more transparent voting process in Iowa is the same kind of person who’d hire the Zodiac Killer to install their home security.
Perhaps what sold the Democratic Party on Shadow was their unbelievably cheap price. The company designed an app for precincts to report vote tallies, taking only two months to build the entire thing, at a cost of only $60,000. Two months, $60,000. Even for a little iPhone game that’d be pretty good value for the dollar, but for a system that a state’s results depend on, that’s remarkably little.
Shadow’s app was introduced to precincts just a few weeks before Iowans were set to vote, meaning volunteers didn’t have much time to learn the system. More importantly, there was no time to test it. Election day would be the first time anybody used the Shadow app. They could only hope that it, you know, worked.
Of course, it did not.
“[Maggie] it was basically a disaster. They were still updating the app up to the day before the caucus in TestFlight. They had no real app to download. They had – they only had the beta version.”
Just about everything that could have gone wrong, did. Many poll workers couldn’t sign into the app, and many others were unable to communicate with party headquarters–to, for example, report vote counts.
“[Maggie] They had not considered the fact that there were caucus locations in Iowa that didn’t have internet access or cell phone reception.”
A few poll workers were able to send some incomplete data to party headquarters. But the database where the votes were collated required two-factor authentication, and employees at party headquarters weren’t allowed to have their phones with them.
After it became clear that the system was broken, precincts were asked to call in their vote counts to a centralized phone line. But…
“[Maggie] they released a phone number to – for people to call in the results instead of transferring them with the app and that phone number got leaked and then DDoSed, basically.”
For the first time in the history of Iowa’s caucuses, nobody knew who the heck had won. The two frontrunners–Pete Buttigieg, and Bernie Sanders himself–were in a tight battle, and nobody in the state had the data to figure out what the actual vote count was.
“[Maggie] now luckily, because election security experts and other people who have experienced administering elections raised flags about this app very early on, the catastrophe wasn’t as bad as it could have been and there were plentiful paper backups. [. . .] Basically if not for those paper copies, those paper backups, it would have been an even bigger disaster than it was.”
For days, the nation waited to find out the winner in Iowa. But the damage was already done.
The whole purpose of Iowa is momentum. Iowa is a story we tell ourselves, and repeat in the media every four years: that somehow whoever wins this little state will end up winning the nomination. It’s an excuse for the winning candidate to generate positive media coverage, earn more fundraising and convince voters in other states that they’re in the lead. But if no winner is announced? All of that goes away.
After nearly a month, the final results were confirmed. It didn’t even matter at that point, as the story had long since passed. Neither Pete nor Bernie were in as strong a position as they could have been, and for the first time since 1992, the winner of Iowa did not receive the party’s presidential nomination.
In the aftermath of election night, the public learned who was behind Shadow Inc. Its employees, it turned out, were mostly former staffers of Hillary Clinton–Bernie’s primary opponent in 2016. Its founder, a woman named Tara McGowan, was the wife of a senior strategist for Pete Buttigieg–Bernie’s primary opponent in 2020.
There’s a lesson here. In our episodes on election hacking last month, we were pretty hard on Brian Kemp–the Republican Secretary of State who oversaw his own, potentially compromised election in Georgia. Some of you may have interpreted our story as being politically motivated. Others may have felt vindicated, that a guy like Kemp belonged to the other party, not yours.
But make no mistake, listeners: corruption, and bad technology, cross party lines. In this age of political strife, maybe we can all come together in knowing that both teams are rigging the game, and doing it poorly.
Act 2. J and K.
On November 22nd, 1987, a hacker took over the signals of two Chicago-area TV stations and broadcast two rather bizarre and somewhat vulgar messages. This is the story of a man who thought he knew who this hacker was.
When the Max Headroom hacker hijacked two Chicago television stations on a single night in 1987, he aired a video message in which he wore a mask, and the background of the shot was covered by a sheet of corrugated metal. So when the FCC opened an investigation to try and uncover the hacker’s identity, there was precious little evidence to go on. The only personally-identifying trait they could point to was the man’s lily-white butt, which he’d aired on television while being spanked with a fly swatter.
The best lead the FCC had to go on was a tip about a warehouse in north Chicago where the hacker might have shot his video. But without a suspect, or a warrant to search the site, it was useless. The investigation fizzled out, and the Max Headroom hijacker was off the hook.
Two decades later, a programmer from Chicago named Bowie J. Poag went on Reddit to do an AMA. He began his post writing, quote:
“I believe I know who was behind the “Max Headroom Incident”.”
Bowie knew he would be met with skepticism, so he told his story from the beginning. The following passages are taken from his much longer post. Quote:
“When I was in my early teens, a number of my friends were into the local phreaking/hacking scene. (This was suburban Chicago, from about 1985 until 1993 or so.) [. . .] I spent countless hours/nights over the ensuing years hanging out with them on local BBS’es and dial-up chat systems, and the occasional in-person get together. Most of them were just casual acquaintances. In most cases, I only knew them by their handle, but a few I knew by name. Two of the people I knew were brothers. [. . .]
one of the two brothers, who we’ll call “J”, the one who I believe was behind it. Secondly, the person who I believe did it, J, has moderate to severe autism, and, at least at the time, was being cared for by his brother, who we’ll call “K”. [. . .]
K was a quiet guy. Even though he lived in this apartment with his girlfriend, he often took care of his older brother J who still lived at home. The degree of J’s autism was such that I doubt he could ever hold down a job, even a part time job. J, despite having fairly severe autism, and coming off as basically…crazy, was actually kind of funny. His sense of humor was sort of disturbing, sort of sexually deviant in nature. He wasn’t very personable, but he was funny. The sort of person that you would feel kind of uncomfortable sitting next to as a kid, but he would grow on you after a while, and you would accept him as one of the group after realizing that his mannerisms were odd but basically harmless. No eye contact, ever, but the dirty jokes were funny, at least to me as a 13 year old at the time.”
For Bowie, J’s personality matched up perfectly with the Max Headroom hacker. They had the same graphic, off-putting sense of humor, like how J kept a can of nerve gas in his car–it just seemed like very few people would do that, but the same kind of person who would do that might also hack a T.V. station. They had the same manner of speaking: jumping, inexplicably, from one sentence to something entirely unrelated, then a third thing, without any throughline–a schizophrenic clutter of clashing topics and ideas. It was even in little mannerisms.
“the way he spoke was in line with the type of verbal mannerisms of the guy in the mask. Where most people would say “um” in conversation, J said “Oh” in various lengths. “Oooooh” if he struggled to find something to say. […] We [once] talked about what he did for a hobby. He was very proud of a radio he recently acquired, a police radio that he had hacked to cover practically everything “from whale farts to gamma rays.”, he said [. . .] J knew a great deal about not just the broadcast spectrum, but the electronics that underpinned that sort of stuff. By definition, J was a broadcast hacker. “
Bowie used many more instances of circumstantial evidence to connect J to the hacker, most of which we don’t have time for here. But all the circumstantial evidence in the world wasn’t enough to make a strong case. Rather, it was one particular memory which seemed like the key to everything. Bowie remembered a party he attended at K’s house, on the very night of the Max Headroom hack.
“J was at the party in the apartment that afternoon. I didn’t talk with him directly [. . .] but I did overhear what the others were talking about. They were referring to J planning to do something “big” over the weekend. I remember that word, “big”, because it piqued my curiosity as to what might be considered “big” by their standards. I later asked them collectively during the dinner we all had at Pizza Hut later that night what they were talking about earlier, what “big” was, and someone (probably K) told me to “Just watch Channel 11 later tonight.” …As sort of an offhanded suggestion. I did happen to be watching Channel 11 later that night, having forgotten about the whole “big” conversation earlier that day.”
If Bowie were telling the truth, this would be strong evidence that J was, in fact, the hacker. But if Bowie basically knew who the Max Headroom hacker was, all the way back in 1987, why didn’t he do or say anything until 2011? In an interview with Vice Motherboard, he recalled, quote:
“The fact that one of them told me to watch Channel 11 later that night was about as weighty a remark as a dozen other things I heard that day from them. [. . .] I know it sounds strange, but, I honestly didn’t put two and two together at the time.”
Should we believe Bowie? Some of you have probably already made up your minds.
One person who didn’t believe Bowie was Rick Klein. As the Curator of the Museum of Classic Chicago Television, Klein was well-educated on the matter. He didn’t buy the J story, quote, “for a variety of reasons.” End quote. But the renewed interest in the case–the simple fact that people were talking about it again–seemed worth building on. As Bowie recalled in a follow-up Reddit post, quote:
“After the publication of the Motherboard/Vice Magazine article which talked about the incident, Rick Klein [. . .] and I agreed to stay in touch with each other; We’ve become friends in the process, too, which is kinda cool. But anyway, in the meantime, I occasionally revisited the idea of examining the video/audio end of things in more detail, while Rick continued to interview folks connected with the local radio/television broadcast industry in Chicago at that time. My own efforts were met with some limited success, but Rick’s efforts have turned out to be vital.
Several weeks ago, Rick and I had the luxury of meeting and speaking with several engineers and technicians who were actively working for WBBM, WTTW, WGN, and other companies in the Chicago broadcasting community at the time. They yielded a wealth of very detailed information, including specifics about what kind of locations, gear, physical access, and more importantly, what sort of station-specific knowledge would have been necessary in order to pull off the intrusions themselves. This was the kind of heavy engineering-perspective knowledge that we had only bits and pieces to work with before, and had been trying to obtain for some time, with great difficulty.”
Bowie and Rick were no closer to any specific identity for the hacker, but they now had enough information to determine the exact profile of who the hacker could’ve been. Quote:
“After the last round of interviews [. . .] and having looked at the resulting evidence pile in total, Rick and I have concluded that the possibility of this having been an “outside job” is basically zero; To make a long story short, all the things which needed to have been possessed by an outside amateur or amateurs, no matter how talented, simply did not exist in the wild in 1987. This, and other information we were never able to corroborate, is what allows us to free J and K as suspects with full confidence. [. . .] J and K have been excluded as suspects in the Max Headroom incident. My original theory was incorrect.”
If J and K are off the hook, who, then, is the new suspect? Bowie says he has someone in mind, but he’s unwilling to disclose that person’s name, or to provide any details on the findings of his and Rick’s investigation and what exactly makes them think it couldn’t have been an outside job. Bowie says that, quote:
“Fame and notoriety isn’t always positive, for one. Second to that, going public would potentially jeopardize any number of things. Suppose “Max” is now retired with pension benefits, or is still actively employed. Going public would risk both. Even though the statute of limitations has expired, the FCC would almost certainly strip such an individual of any right to participate in broadcasting.”
It kind of makes you think about the nature of the legacy these sorts of hacks leave behind them. If we knew who was behind the Max Headroom hack, how would this knowledge affect our perception of their act? After all, most of us have some sort of ‘mental image’ of the hacker, whether we see him as a Hero or as a Villain, and that image is largely based on our own ideals and values. How would this mental image change if we learned who Max really is? For example, what if J was indeed the hacker? Would knowing that he was probably autistic change your attitude towards his act?
Indeed, this legacy is one of the reasons Bowie gave for not disclosing more information from his investigation. Quote:
“There are a number of reasons for this, but the biggest one would probably be the hacker community itself..a large chunk of which views Max sympathetically, as something like a patron saint of old-school skill and anonymity. I know more than a few people who were actually inspired by the incident, and would be fairly pissed off if someone tried to tarnish that achievement. Just on balls alone, it’s a pretty strong contender for the greatest hack of all time. Messing with that legacy would be playing with fire.”
Food for thought, no doubt. In any case, decades after the original hijack, the Max Headroom hacker had slipped through our fingers yet again. But now we know one thing for certain, something that brings us a step closer to, maybe, one day, solving the mystery: it was an inside job. Quote:
“Rick is continuing to work the theory he has maintained all along, the angle that “Max” had ties to the local Chicago broadcast community. For my part, this pretty much marks the end of my direct involvement in the case.. I’m actually kind of happy about it, in a way, because at least it frees up the focus of the investigation to move where it appears it should. For what it’s worth, we recently obtained a photo of J. He seems like a happy, normal, well-rounded adult with a family…a far cry from the off-the-wall character I recall him being 27 years ago, when I was a newly-minted, nervous 13 year old at a party.”
Act 3. T-Shirt-Gate.
In our double episode titled ‘Yahoo’s Ugly Death’, we told the story of the two major data breaches that hit the company. We also discussed the mismanagement of everything related to cybersecurity at Yahoo. The following story will illustrate once again just how bad this mismanagement was.
In only her first year as CEO of Yahoo, Marissa Mayer had to deal with two major cyber incidents. The first didn’t even happen under her watch: four days before she took the job, credentials for around 450,000 Yahoo accounts had been posted publicly online. Then, in January 2013, a phishing campaign began exploiting publicly-known vulnerabilities in Yahoo’s infrastructure in order to hijack user accounts.
Having that kind of year leaves a mark on a company. It forces you to respond: to rethink how you do security, and what you need to completely change in your approach.
Yahoo’s response to those incidents would be tested in the Fall. That’s when High-Tech Bridge, a small security firm, decided to do some experimenting. They went looking for security holes in popular websites, to see how quickly they could find them and how the companies in question would respond.
On September 18th, 2013 they tested Yahoo. They began to pore over Yahoo’s systems, scouring their defenses for any little crack. It was long, tireless work but, after much toil, they found something: an XSS vulnerability in Yahoo’s marketing solutions domain.
Also, I was just kidding. It wasn’t long, nor tireless work. The researchers found their zero-day in only 45 minutes.
High-Tech Bridge notified Yahoo of their discovery. Yahoo replied the following day. Quote: “Unfortunately this submission does not qualify for a reward because it has already been reported by another individual. Please continue to send in any other vulnerabilities that you may discover in the future.” End quote.
It was odd–Yahoo didn’t present any actual evidence that somebody had already found the bug. And if it really had been reported already, why hadn’t it been fixed yet?
The researchers didn’t spend too much time dwelling on the issue, maybe because it only cost them 45 minutes’ work. At that rate, maybe, they could try again and find something else.
And they weren’t disappointed. Within just a few days, they found three more XSS zero-days in two other Yahoo domains. It’s worth noting, too: these were not minor security failures. Saying there were three of them makes them seem pretty ordinary, but these were three critical vulnerabilities. If weaponized in a phishing attack, any one of them could let an attacker take over the account of any Yahoo user who clicked the malicious link.
So this was a major problem. On the 23rd, the research team rushed their findings to Yahoo. 48 hours later, Yahoo responded. They recognized two of the three vulnerabilities as original, “warmly thanking” the researchers and, as a reward, paying them in bounties.
For those of you unfamiliar: software companies put out “bounties” on zero-day vulnerabilities like these, to incentivize researchers and hackers around the world to do extra security testing for them. It’s a win-win situation: good hackers can earn handsome rewards, and the companies patch up holes which could potentially have cost them much, much more down the road, if the wrong kind of person found them first. Because of the sheer stakes in this game, bounty payments can range from a few hundred to tens of thousands of dollars. For critical vulnerabilities like the ones in Yahoo’s sites, we’re talking about healthy payouts.
So, as a reward for finding these system-breaking bugs, Yahoo gave the researchers their reward: $25.
Actually, let me amend that. It wasn’t $25. It was $25 in Yahoo store credit. Plus a Yahoo t-shirt.
In a blog post, the CEO at High-Tech Bridge highlighted how it was more than just a personal embarrassment to have been compensated so little. Quote:
“Paying several dollars per vulnerability is a bad joke and won’t motivate people to report security vulnerabilities to them, especially when such vulnerabilities can be easily sold on the black market for a much higher price.”
That, ultimately, is the lesson here. When you don’t invest in cybersecurity, you become an easy mark. Hacking Yahoo, in the mid-2010s, became very profitable at a time when defending Yahoo was not.
Amid public pressure, the company agreed to change its policy, paying out industry-standard rates for bounties moving forward. High-Tech Bridge was, retroactively, given appropriate compensation. But a culture of cutting corners and failing to invest in security remained. That culture is a big part of why Yahoo fell victim to two of the biggest data breaches in history. Not because they were unlucky, or because their adversaries were too powerful, but because they just didn’t do much to stop it.