Bugtraq readers, This may be a little off-topic, but hopefully still of interest to this audience, Last Friday I had the opportunity to moderate a panel - Political Phishing - A Threat to the 2008 Campaign? - held as part of the Anti-Phishing Working Group eCrime Researchers Summit hosted by Carnegie Mellon CyLab in Pittsburgh, PA. Our panelists were Rachna Dhamija from Harvard University, Chris Soghoian from Indiana University , and Pat Clarke of Jackson/Clark Partners. We had some great discussion on the potential impact of Internet-borne threats to the upcoming US Presidential Election. I wanted to draw your attention to some new research that I conducted, focusing on the impact of cyber threats on the electoral system, with particular emphasis on the upcoming 2008 election. You can find an introduction and link to the paper on my blog, here: http://www.symantec.com/enterprise/security_response/weblog/2007/10/cybe rcrime_politics.html And the paper itself hosted here: http://www.symantec.com/content/en/us/enterprise/media/security_response /whitepapers/cybercrime-electoral-system.pdf Some the areas that we examined include, Abuse of Candidates' Internet Domain Names and Typo Squatting - In order to determine the current level of domain name speculation and typo squatting in the 2008 federal U.S. election, we performed an analysis of 17 well known candidate domain names in order to seek out domain speculators and typo squatters. Our results were interesting to say the least. Candidates have not done a good job at protecting themselves. Some of the examples of infringement are quite interesting and humorous. Phishing - When considering the 2004 election as a whole, phishing presented only a marginal risk. At the time, phishing itself was still in its infancy, and had yet to grow into the epidemic that can be observed today. When we revisit the potential risk of phishing to the 2008 federal election, we find ourselves in a much different position. Candidates have flocked to the Internet in order to communicate with constituents, as well as to raise campaign contributions online. We performed an analysis of campaign web sites in order to determine to what degree they allow contributions to be made online. The most concerning attack may involve the diversion of online campaign donations intended for one candidate, to another, entirely different candidate, entirely undermining voter confidence in online donations. Adware - There are a variety of ways in which adware may be used in order to influence or manipulate users during the course of an election. We discuss those in this chapter as well. Spyware - Spyware poses a new risk to the mass accumulation of election-related statistics used to track election trends. Spyware has the ability to capture and record user behavior (including Web browsing, party affiliation, online campaign contributions and email traffic) without voters' knowledge or consent. This changes the landscape dramatically when it comes to election-related data collection. Keyloggers and Crimeware - Crimeware can collect personal, potentially sensitive, or legally questionable information about individuals that malicious actors can use either to intimidate voters or hold for ransom to sway votes. A carefully placed, targeted key logger has the potential to cause material damage to a candidate in the process of an election. Such code may also be targeted towards campaign staff, family members, or others who may be deemed material to the candidate's efforts. Campaign Web Site Security - The breach of a legitimate candidate's Web site would allow an attacker to have direct control over all content viewed by visitors to that site. This may allow for the posting of misinformation, or worse, the deployment of malicious code to unsecured visitors. Public Voter Information Sources - The Federal Election Commission (FEC) maintains a publicly available record of all campaign contributions. The database contains contributors' personal information. Intercepting Voice Communications - With the evolution of smart-phone spyware, the infection of a candidate, campaign staff, or candidate's family's cell phone with such a freely available application could have dire consequences. Now, all back-room and hallway conversations partaken by the candidate can be monitored at all times and intercepted by the attacker. Worse, opinions that were perhaps not shared with the public or outsiders are recorded and available for later playback, introducing the potential for widespread exposure and damage. Oliver
