Researching the Security of (US) Presidential Candidate Websites
Jonathan Lampe, CISSP – InfoSec Institute – THOTCON 2016 (www.thotcon.com)
Original deck: cybertical.com/assets/docs/Hack_All_The_Candidates_Thotcon_2016...

Posted 13-Oct-2020

TRANSCRIPT

Page 1

Hack All the Candidates
Researching the Security of (US) Presidential Candidate Websites
Jonathan Lampe, CISSP
InfoSec Institute – [email protected]
@infosecedu – securityiq.infosecinstitute.com
THOTCON 2016 – www.thotcon.com

Page 2

What You’ll Hear Today

» Backstory – Origin of “No Hacking Recon”
» Why Candidates?
» Round One – “Top Five at the Time”
» Round Two – “WordPress Candidates”
» Round Three – “Last Five Standing”

Page 3

Backstory

» Origin of “No Hacking” Recon

Page 4

Um…who said you could do this?

» “No good deed goes unpunished.”
  • Oscar Wilde

Page 5

The “Customer Summit” App

» Working as an application pen tester
» Found a “Customer Summit” mobile app
  • Contained a “birds of feathers” feature
» Cracked it and found entire attendee list
  • Names, titles, emails, phone numbers of 95% of the company’s key customers

Page 6

The “Customer Summit” App

» Posted on Apple’s and Google’s app stores
» Therefore:
  • Contact info of major customers
  • Available for free to the public
» App removed immediately
  • Good, right?

Page 7

Every Good Deed…

» “OK, smarty-pants. Now find us a secure replacement for the app YOU took from us.”
  • The Company
» “Did we mention the next conference is next month?”

Page 8

The Challenge, Re-Expressed

» “Here’s a cloud service we’d like to use”
» “It has a web site and mobile apps”
» “We want to use it with [type of information]”
» “Mr. Security, are you OK with that?”
» “Let us know by END OF WEEK, mkay?”

Page 9

This Kind of Request is COMMON

» “Hey, security guy/gal. We’d like to use X for Y.”
» “Don’t spend much time on it, but…”
» “…we’ll be buying soon so speak up now.”

Page 10

Like to Do vs. Can Do

What we’d like to do                                                     | What we have time to do
-------------------------------------------------------------------------|--------------------------------------------------------
Interview someone from their security team.                              | See if it looks like they have a security team.
Review their security response procedures.                               | Review their security response promises.
Pentest a test instance of their application.                            | Poke around the edges of their production application.
Crack their mobile apps.                                                 | Poke around their mobile apps.
Schedule a concall, get their permission and discuss our tests in advance. | Do something. Now. (In fact, why are you still here?)

Page 11

“Listening Very Carefully”

» Every IT security person should know how to use attack proxies, spanning ports and other legal man-in-the-middle techniques
» Long Version: “Evaluating the Security of Potential Partners ...Without Permission!” – Lampe – (ISC)2 Congress 2015

Page 12

Examples of “Listening” Recon

Page 13

“Poke Around Edges” = Light Recon

1. Use of HTTPS to protect traffic
2. Quality of SSL certificate
3. Avoids client-side secrets or authentication
4. Up-to-date software
5. Secure site headers
6. Proper location and protection of vital assets
7. Avoids information leakage through “extra” fields
8. Access controls on web APIs (sometimes)
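The items of that checklist that are visible in response headers alone (1, 5, 7 and the cookie side of 3) can be scored offline from a response already captured in an attack proxy. The Python below is an added example written for this transcript, not code from the talk: the two responses are constructed samples (a plain http:// request answered by a weak site and by a hardened one), and the check names and scoring are my own.

```python
"""Score a captured HTTP response against the header-visible 'light recon'
checklist items. Offline: it reads a response you already captured (e.g. from
an attack proxy) and makes no requests. Added example, not the talk's code."""
import re
from email.parser import Parser

# Constructed sample: what a plain http:// request to a weak site might return.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.15 (CentOS)\r\n"
    "X-Powered-By: PHP/5.3.3\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed sample: the same request to a hardened site (redirects to HTTPS).
HARDENED_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://www.example.org/\r\n"
    "Server: cloudflare\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
)

VERSION_RE = re.compile(r"/\d+(\.\d+)+")  # matches "Apache/2.2.15", "PHP/5.3.3"


def parse_response(raw):
    """Split a raw HTTP response into (status_code, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, _, header_text = head.partition("\r\n")
    status = int(status_line.split()[1])
    # email.parser gives a case-insensitive header map that keeps repeated headers
    headers = Parser().parsestr(header_text)
    return status, headers


def light_recon_checks(raw):
    """Return {check_name: passed} for the checklist items visible in headers.

    Assumes the capture is the answer to a plain http:// request, so item 1
    (HTTPS used) is judged by whether the site redirects to https://."""
    status, h = parse_response(raw)
    location = h.get("Location", "")
    cookies = h.get_all("Set-Cookie") or []
    return {
        # 1. HTTPS used: plain-HTTP request is redirected to an https:// URL ...
        "https_redirect": status in (301, 302, 307, 308) and location.startswith("https://"),
        # ... and HSTS keeps later visits on HTTPS
        "hsts": "max-age=" in h.get("Strict-Transport-Security", "").lower(),
        # 5. Secure site headers
        "x_frame_options": h.get("X-Frame-Options", "").upper() in ("DENY", "SAMEORIGIN"),
        "nosniff": h.get("X-Content-Type-Options", "").lower() == "nosniff",
        "csp": h.get("Content-Security-Policy") is not None,
        # 7. No information leakage: no version numbers in Server / X-Powered-By
        "no_version_leak": not any(
            VERSION_RE.search(h.get(name, "")) for name in ("Server", "X-Powered-By")
        ),
        # 3. Cookies unreadable by client-side script and never sent over plain HTTP
        #    (vacuously true when the response sets no cookies)
        "cookie_flags": all("secure" in c.lower() and "httponly" in c.lower() for c in cookies),
    }


def score(raw):
    """Fraction of checks passed, 0.0..1.0, as a quick 'how does it look' number."""
    results = light_recon_checks(raw)
    return sum(results.values()) / len(results)


if __name__ == "__main__":
    for name, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, round(score(raw), 2), light_recon_checks(raw))
```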

Page 14

Why Candidates?

» Why did you decide to look at presidential candidates’ web sites?

Backstory – Why Candidates?

Page 15

Candidates Have Online Stores

» Article in “The Isthmus” (Madison weekly)
» All the unbelievable crap you could buy from candidates’ stores
» “Wait, political candidates are running online stores?”

Image of mind blown!

http://isthmus.com/news/cover-story/Campaign-Swag-Merchandise/

Page 16

Presidential Swag

http://isthmus.com/news/cover-story/Campaign-Swag-Merchandise/

Pages 17–23

Idea: Perform Light Recon of Candidate’s Web Sites, Including Stores and Donations

» The “top five candidates” (with some staying power)
  • Clinton (#1 D) – Mathematically impossible to beat
  • Sanders (#2 D) – Nothing to lose
  • Trump (#1 R) – Self-funded publicity hound
  • Carson (#2 R) – Demonstrated party’s diversity
  • Bush (+1 R) – Had $100M to blow

Page 24

Round One

» Top five candidates (at the time)
» Light recon
  • HTTPS config
  • DOS protection
  • Store/donations
  • Main site
» One day max

Backstory – Why Candidates? – Round One

Page 25

Depth of Recon (Round One)

» Goal: Steal or tamper input (including passwords)
» HTTP/S and quality of SSL (really TLS)
  • Everyone was pretty good!
    - 2048-bit key, no SSL
  • Mostly turned on by default
  • Mostly used decent configurations
  • Few anomalies in certificates
    - Bush: extra sites in X.509 “Subject Alt Name”

Page 26

Example of Boring X.509 Anomaly

Page 27

Depth of Recon (Round One)

» Goal: DOS (Denial of Service)
» CDN (Content Delivery Network)
  • Everyone was pretty good!
  • All top candidates already used these
  • Resulting in…good HTTPS configs and certs

Page 28

Who Used What CDN

Candidate | CDN
----------|-----------
Clinton   | Fastly
Bush      | CloudFlare
Trump     | CloudFlare
Sanders   | CloudFlare
Carson    | Akamai

* As of October 2015 – I haven’t checked since

Page 29

Depth of Recon (Round One)

» Goal: Theft and Defacement
» What runs the site, web store, donations and volunteer registration?

Page 30

Who’s Running What?

Candidate | Main Site | Store | Donations | Volunteers
----------|-----------|-------|-----------|-----------
Clinton   |           |       |           |
Sanders   |           |       |           |
Trump     |           |       |           |
Carson    |           |       |           |
Bush      |           |       |           |

Page 31

Clinton’s Site

» Roll-your-own
» Developed like a typical “brogrammer” startup

Page 32

Clinton’s Site

» What “brogrammer” tech exactly?

Page 33

Clinton’s Site

» eComm helper: Shopify

Page 34

Clinton’s Site

» Motto: “…ship early and often. Done is always better than perfect.”

Page 35

Clinton’s Site

» “The Claw” Web Service

Page 36

Clinton’s Site

» Are you lying to us again?
  • Yes, but this time it’s OK.
» Varnish obfuscates actual server

Page 37

Clinton’s Grade (October 2015)

Candidate | Main Site     | Store                             | Donations     | Volunteers
----------|---------------|-----------------------------------|---------------|--------------
Clinton   | Roll-Your-Own | Roll-Your-Own (On top of Shopify) | Roll-Your-Own | Roll-Your-Own

Candidate           | Cybersecurity Grade | Pro                                                  | Con
--------------------|---------------------|------------------------------------------------------|-------------------------------------------------------------------------
Hillary Clinton (D) | B                   | Building a security team. Runs up-to-date software.  | Large attack surface that relies on a quickly-built custom application.

Page 38

Sanders' Site

» WordPress
» Yes, THAT WordPress.

Wikipedia: “WordPress was used by more than 23.3% of the top 10 million websites as of January 2015. WordPress is the most popular blogging system in use on the Web, at more than 60 million websites.”

Page 39

Sanders' Site

» OK, it’s WordPress.
  • Cue: Take a deep breath.
» But it’s locked down, right?
  • Current version
  • Current/secure plug-ins
  • No self registration
  • No user enumeration
  • No directory listing
  • Inaccessible sign ons

Page 40

Sanders' Site

» WordPress security checklist:
  • Current version - YES
  • Current/secure plug-ins - YES
  • No self registration - YES
  • No user enumeration
  • No directory listing - YES
  • Inaccessible sign ons

Page 41

Sanders' Site

» WordPress security checklist:
  • No user enumeration - FAIL

Page 42

Sanders' Site

» Who dat?
  • Lookup via p2016.org, revolutionmessaging.com or LinkedIn

Pinky Weitzman (Digital Director*), Claire Sandberg (Digital Organizing Director), Hector Sigala (Digital Media Director), Scott Goodstein (CEO of Revolution Messaging), Dana McDonough (Revolution Messaging), Michael Whitney (Revolution Messaging), Zack Exley (Senior Advisor), and Richard Eskow (Writer/Editor). Usernames of Jeff Weaver (Campaign Manager), Kenneth Pennington (Digital Director), Arianna Jones (Deputy Communications Manager) and Jonathan Dauz (Revolution Messaging)

Page 43

Sanders' Site

» WordPress security checklist:
  • Inaccessible sign ons - FAIL

Page 44

Sanders' Site

» Other:
  • You’ve been using WordPress for a LONG time, haven’t you?

Page 45

Sanders' Site

» WordPress security checklist:
  • Current version - YES
  • Current/secure plug-ins - YES
  • No self registration - YES
  • No user enumeration - FAIL
  • No directory listing - YES
  • Inaccessible sign ons - FAIL
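The two FAIL items (exposed usernames, reachable sign-on page) are exactly what gets sweeped and hammered, so the server side should at least notice when it happens. The Python below is an added example, not code from the talk or from WPScan: it reads combined-format access log lines (constructed sample traffic) and flags ?author=N sweeps and repeated failed POSTs to wp-login.php. The 200-on-failure / 302-on-success rule for wp-login.php is WordPress’s default behaviour; the thresholds are assumptions.

```python
"""Flag WordPress user-enumeration sweeps and sign-on brute force in web
server access logs. Added example for this transcript (not from the talk or
from WPScan). Reads already-collected log lines and makes no requests."""
import re
from collections import defaultdict

# Constructed sample traffic in Apache/nginx "combined" log format (not real).
SAMPLE_LOG = """\
203.0.113.7 - - [13/Oct/2015:08:01:54 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "scanner/1.0"
203.0.113.7 - - [13/Oct/2015:08:01:54 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "scanner/1.0"
203.0.113.7 - - [13/Oct/2015:08:01:55 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "scanner/1.0"
198.51.100.9 - - [13/Oct/2015:08:02:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
198.51.100.9 - - [13/Oct/2015:08:02:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
198.51.100.9 - - [13/Oct/2015:08:02:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
198.51.100.9 - - [13/Oct/2015:08:02:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
198.51.100.9 - - [13/Oct/2015:08:02:13 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
198.51.100.9 - - [13/Oct/2015:08:02:14 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.30 - - [13/Oct/2015:08:03:00 +0000] "GET /2015/10/some-post/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.30 - - [13/Oct/2015:08:03:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# /?author=N answers with a 301 to /author/<login>/ when N exists: that is the
# user-enumeration leak from the checklist, so a run of N values is the signal.
AUTHOR_RE = re.compile(r"[?&]author=(\d+)")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def detect(log_text, enum_threshold=3, login_fail_threshold=5):
    """Return a list of (ip, alert_kind, detail) tuples. Thresholds are assumptions."""
    author_ids = defaultdict(set)   # ip -> distinct ?author= values probed
    login_fails = defaultdict(int)  # ip -> failed sign-on attempts seen so far
    success_after_fails = set()     # ips whose login succeeded after many failures
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in combined format
        ip, path, status = rec["ip"], rec["path"], rec["status"]
        m = AUTHOR_RE.search(path)
        if m:
            author_ids[ip].add(int(m.group(1)))
        if rec["method"] == "POST" and path.split("?")[0] == "/wp-login.php":
            # Default WordPress behaviour: a failed login re-renders the form (200),
            # a successful one redirects to wp-admin (302).
            if status == 200:
                login_fails[ip] += 1
            elif status == 302 and login_fails[ip] >= login_fail_threshold:
                success_after_fails.add(ip)
    alerts = []
    for ip, ids in sorted(author_ids.items()):
        if len(ids) >= enum_threshold:
            alerts.append((ip, "author-enumeration", f"{len(ids)} author ids probed"))
    for ip, n in sorted(login_fails.items()):
        if n >= login_fail_threshold:
            alerts.append((ip, "login-bruteforce", f"{n} failed POSTs to wp-login.php"))
    for ip in sorted(success_after_fails):
        alerts.append((ip, "login-success-after-failures",
                       "302 from wp-login.php after repeated failures: review that account"))
    return alerts


if __name__ == "__main__":
    for ip, kind, detail in detect(SAMPLE_LOG):
        print(f"{ip:15} {kind:30} {detail}")
```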

Page 46

Sanders' Site

» Store is WooCommerce / Shopify

Page 47

Sanders' Site

» Donations are ActBlue

Page 48

Who’s Running What?

Candidate | Main Site | Store                          | Donations | Volunteers
----------|-----------|--------------------------------|-----------|-----------
Sanders   | WordPress | WooCommerce (built on Shopify) | ActBlue   | WordPress

Candidate          | Cybersecurity Grade | Pro                           | Con
-------------------|---------------------|-------------------------------|------------------------------------------------------------------------
Bernie Sanders (D) | C                   | Outsources donation services. | Uses unsecured WordPress site that exposes usernames and sign on page.

Page 49

Trump’s Site

» Main site: Custom Build
  • Trump’s usual web dev outfit in San Antonio: Parscale

Page 50

Trump’s Site

» Volunteers: Also Parscale

(pretend I have an interesting screenshot here)

  • uses a custom script
  • sets a custom “djt__last_activity” cookie to record whether or not you have volunteered yet

DJT = “Donald J Trump”
The Best Cookie Evar

Page 51

Trump’s Site

» Store: Written in ASP.NET, uses Volusion

Pages 52–54

Trump’s Site

» Donations: Victory Passport
  …which is a WordPress plug-in?

DENIED: PROJECT WAS MISSING

Page 55

Trump’s Site

» Who is Victory Passport?
  • ActBlue’s Nate Thames raised a stink in 2013 about “direct submission of CC data to WordPress server”
  • Victory Passport denied it…but changed something anyway

https://www.washingtonpost.com/news/the-switch/wp/2013/12/19/liberals-said-the-gops-new-one-click-donation-tool-was-insecure-they-were-wrong/
http://victorypassportisnotsecure.tumblr.com/

Page 56

Trump’s Site

» Should we be worried?
  • Maybe – could be an OLD plug-in

Current WordPress version is: 4.5.1

On the other hand, it’s just a “readme” and the company may have stopped updating the doc once they yanked the plug-in from github.

Page 57

Trump’s Site

» WordPress security checklist:
  • Current version - YES
  • Current/secure plug-ins - YES
  • No self registration - YES
  • No user enumeration - YES
  • No directory listing - YES
  • Inaccessible sign ons - FAIL

Page 58

Trump’s Site

» WordPress security checklist:
  • Inaccessible sign ons - FAIL

Page 59

Who’s Running What?

Candidate | Main Site               | Store                              | Donations                                                  | Volunteers
----------|-------------------------|------------------------------------|------------------------------------------------------------|------------------------
Trump     | Custom (Giles-Parscale) | Roll-Your-Own (ASP.NET / Volusion) | Targeted Victory (WordPress with Victory Passport plug-in) | Custom (Giles-Parscale)

Candidate        | Cybersecurity Grade | Pro                           | Con
-----------------|---------------------|-------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------
Donald Trump (R) | B                   | Outsources donation services. | May be using old software. Uses partially secured WordPress site that exposes sign on page and leaks other information. May be running old donation WordPress plug-in.

Pages 60–61

Carson’s Site

» Main site: Hubspot
  • Also volunteers

“Hubspot itself has a short history of vulnerabilities but it has also demonstrated the ability to identify and close them quickly.”

Page 62

Carson’s Site

» No store (at the time)
» Donations: Spark eCommerce

Page 63

Who’s Running What?

Candidate | Main Site | Store                | Donations       | Volunteers
----------|-----------|----------------------|-----------------|-----------
Carson    | Hubspot   | (none) (Added later) | Spark eCommerce | Hubspot

Candidate      | Cybersecurity Grade | Pro                                                                        | Con
---------------|---------------------|----------------------------------------------------------------------------|-------
Ben Carson (R) | A                   | Outsources donation and volunteer services. No store. Small attack surface. | (none)

Page 64

Bush’s Site

» Main site: WordPress
  • Here we go again?

InfoSecs-MacBook-Pro:wpscan jgl$ ruby wpscan.rb --url www.jeb2016.com -e u[1-30]
_______________________________________________________________
(WPScan ASCII-art banner)
WordPress Security Scanner by the WPScan Team
Version 2.8
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[i] The remote host tried to redirect to: https://jeb2016.com/
[?] Do you want follow the redirection ? [Y]es [N]o [A]bort, default: [N]
Y
[+] URL: https://jeb2016.com/
[+] Started: Tue Oct 13 08:01:54 2015

[+] WordPress version 4.3.1 identified from advanced fingerprinting


Bush’s Site

» Main site: Wordpress

• “Handrolled” indeed

[+] WordPress theme in use: jeb - v1.0

[+] Name: jeb - v1.0
 |  Location: https://jeb2016.com/wp-content/themes/jeb/
 |  Style URL: https://jeb2016.com/wp-content/themes/jeb/style.css
 |  Referenced style.css: wp-content/themes/jeb/library/css/style.css
 |  Theme Name: Jeb
 |  Theme URI: https://jeb2016.com/
 |  Description: This site was handrolled by hardworking Americans in support of Jeb Bush for President.
 |  Author: Jeb Bush for President
 |  Author URI: https://jeb2016.com/


Bush’s Site

» WordPress security checklist:

• Current version - YES

• Current/secure plug-ins - YES

• No self registration - YES

• No user enumeration - FAIL

• No directory listing - YES

• Inaccessible sign ons - FAIL


Bush’s Site

» WordPress security checklist:

• No user enumeration - FAIL


Bush’s Site

» Who dat?

• Lookup via p2016.org, fec.gov, ucsc-extension.edu or LinkedIn

Ambert Rodriguez (Lead Designer*), Joel Graves (Social Media Manager), Catherine Brady and Sarah Delahunty (Regional Finance Coordinator), Liz Horning (Regional Coordinator), Dane Bahnsen (member of National Veterans Coalition), Josh Venable (untitled member of Bush 2016), Ron Thompson (Digital Analytics Director), Danielle Mendheim (digital media analyst), Daria Grastara (digital media intern), Kevin Zambrano and Chris Georgia ("digital" members of Bush 2016), Andrew Finnan (unknown relationship but previously listed on payroll), and Allison Del Castillo, Cami Morrow, Jack Miles and Andrew Johnson (unknown relationship). Usernames of Mittera (Iowa-based design firm), Flywheel Communications (Vermont-based PR firm), Nova Retail (booth display firm), Jesse Hunt (untitled member of Bush 2016) and Fernando Azevedo (Mittera employee).


Bush’s Site

» WordPress security checklist:

• Inaccessible sign ons - FAIL


Bush’s Site

» Other interesting WordPress notes:

• Different menu systems for public / non-public


Who’s Running What?

Candidate | Main Site | Store       | Donations                        | Volunteers
Bush      | Wordpress | WooCommerce | Revv (based on Stripe eCommerce) | Wordpress

Candidate Cybersecurity

Candidate    | Grade | Pro                           | Con
Jeb Bush (R) | C     | Outsources donation services. | Uses unsecured WordPress site that exposes usernames, sign on page and leaks other information.


Final Grades from Round One

Candidate Cybersecurity

Candidate           | Grade | Pro                                                                                     | Con
Hillary Clinton (D) | B     | Building a security team. Runs up-to-date software.                                    | Large attack surface that relies on a quickly-built custom application.
Bernie Sanders (D)  | C     | Outsources donation services.                                                           | Uses unsecured WordPress site that exposes usernames and sign on page.
Donald Trump (R)    | B     | Outsources donation services.                                                           | May be using old software. Uses partially secured WordPress site that exposes sign on page and leaks other information. May be running old donation WordPress plug-in.
Ben Carson (R)      | A     | Outsources donation and volunteer services. No store. Small attack surface.             | (none)
Jeb Bush (R)        | C     | Outsources donation services.                                                           | Uses unsecured WordPress site that exposes usernames, sign on page and leaks other information.
ALL CANDIDATES      | n/a   | Require use of well-configured HTTPS. Use CDN to avoid single-site availability issues. | No response to inquiry about reporting security vulnerabilities.


Published Article: October 2015

“Which Top Five Presidential Candidate is Most Likely To Be Hacked”


Meanwhile, on the Internet…


MOST of the candidates run Wordpress? Really?


MOST PRESIDENTIAL CANDIDATES RUN FREE “WORDPRESS” SOFTWARE

CAT FANCIERS AND POTENTIAL POTUSI (POTUSES?) UNITE ON WORLD’S MOST POPULAR AND VULNERABLE PLATFORM


Round Two

» Everyone Running WordPress

» WP-specific recon

• Current version

• Current/secure plug-ins

• No self registration

• No user enumeration

• No directory listing

• Inaccessible sign ons

» One day max


WPScan is your friend

» Ran from a command prompt on a Mac

» Uses Ruby

» Script-kiddie accessible

» Only tool I used in Round 2 (and 3)


Basic WPScan Commands

InfoSecs-MacBook-Pro:~ jgl$ cd /Applications/wpscan

InfoSecs-MacBook-Pro:wpscan jgl$ ruby wpscan.rb --url www.berniesanders.com --enumerate u[1-30]

“enumerate” = look for stuff

“u[1-30]” = try to look for users #1 through #30


What if the site “flips you off”?

IMP:wpscan jgl$ ruby wpscan.rb -r --url https://www.webb2016.com/ -e u[1-30]
[!] The WordPress URL supplied 'https://www.webb2016.com/' seems to be down.

IMP:wpscan jgl$ ruby wpscan.rb -r --url https://www.webb2016.com/ -e u[1-30]
[i] The remote host tried to redirect to: https://www.webb2016.com/
[?] Do you want follow the redirection ? [Y]es [N]o [A]bort, default: [N]
Y
[!] The remote website is up, but does not seem to be running WordPress.

IMP:wpscan jgl$ ruby wpscan.rb -r --force --url http://www.webb2016.com/ -e u[1-30]
[!] The wp_content_dir has not been found, please supply it with --wp-content-dir

IMP:wpscan jgl$ ruby wpscan.rb -r --force --wp-content-dir "wp-content" --url http://www.webb2016.com/ --connect-timeout 30 --request-timeout 30 -e u[1-30]
[+] This site seems to be a multisite (http://codex.wordpress.org/Glossary#Multisite)
[i] WordPress version can not be detected
[+] Enumerating plugins from passive detection ...

Add: --force --wp-content-dir "wp-content"


More “anti flip off” commands

IMP:wpscan jgl$ ruby wpscan.rb --url https://www.tedcruz.org -f --user-agent "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36" --enumerate --wp-plugins-dir /wp-content/plugins

Add: --user-agent "(full user agent)", --wp-plugins-dir /wp-content/plugins, -f (same as --force)

Lie about who you are. (This works great for attack proxies too.)


What a bad WordPress site looks like

InfoSecs-MacBook-Pro:wpscan jgl$ ruby wpscan.rb -r --url https://www.marcorubio.com/ -e u[1-30]
_______________________________________________________________
[WPScan ASCII-art banner]
WordPress Security Scanner by the WPScan Team
Version 2.8
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[i] The remote host tried to redirect to: https://marcorubio.com
[?] Do you want follow the redirection ? [Y]es [N]o [A]bort, default: [N]
y
[+] URL: https://marcorubio.com/
[+] Started: Wed Oct 14 10:31:50 2015


What a bad WordPress site looks like

[+] robots.txt available under: 'https://marcorubio.com/robots.txt'
[!] The WordPress 'https://marcorubio.com/readme.html' file exists exposing a version number
[+] Interesting header: AGE: 0
[+] Interesting header: CF-RAY: 23545575ed980418-ORD
[+] Interesting header: SERVER: cloudflare-nginx
[+] Interesting header: VIA: 1.1 varnish-v4
[+] Interesting header: X-CACHE: MISS
[+] Interesting header: X-POWERED-BY: PHP/5.5.9-1ubuntu4.13
[+] Interesting header: X-VARNISH: 19143588
[+] XML-RPC Interface available under: https://marcorubio.com/xmlrpc.php
[!] Upload directory has directory listing enabled: https://marcorubio.com/wp-content/uploads/

[+] WordPress version 4.3.1 identified from meta generator

[+] WordPress theme in use: theme

[+] Name: theme
 |  Location: https://marcorubio.com/wp-content/themes/theme/
[!] Directory listing is enabled: https://marcorubio.com/wp-content/themes/theme/
 |  Style URL: https://marcorubio.com/wp-content/themes/theme/style.css
 |  Description:


“Directory Listing Enabled”


What a bad WordPress site looks like

[+] Enumerating plugins from passive detection ...
 | 3 plugins found:

[+] Name: advanced-responsive-video-embedder
 |  Latest version: 6.3.4
 |  Location: https://marcorubio.com/wp-content/plugins/advanced-responsive-video-embedder/
 |  Readme: https://marcorubio.com/wp-content/plugins/advanced-responsive-video-embedder/README.txt

[+] Name: minimalist-twitter-widget - v1.5
 |  Latest version: 1.5 (up to date)
 |  Location: https://marcorubio.com/wp-content/plugins/minimalist-twitter-widget/
 |  Readme: https://marcorubio.com/wp-content/plugins/minimalist-twitter-widget/readme.txt

[+] Name: roost-for-bloggers - v2.3.6
 |  Latest version: 2.3.6 (up to date)
 |  Location: https://marcorubio.com/wp-content/plugins/roost-for-bloggers/
 |  Readme: https://marcorubio.com/wp-content/plugins/roost-for-bloggers/readme.txt
[!] Directory listing is enabled: https://marcorubio.com/wp-content/plugins/roost-for-bloggers/


What a bad WordPress site looks like

[+] Enumerating usernames ...
[+] Identified the following 8 user/s:
+----+---------------------------+--------------------+
| Id | Login                     | Name               |
+----+---------------------------+--------------------+
| 1  | ********                  | PDAdmin            |
| 2  | ********                  | preview            |
| 3  | ********                  | optimus            |
| 4  | ********                  | Eric Wilson        |
| 5  | ********                  | Arpit Patel        |
| 6  | ********                  | Olivia Perez-Cubas |
| 7  | ********                  | Cabot Phillips     |
| 9  | ********                  | Patrick Brennan    |
+----+---------------------------+--------------------+

[+] Finished: Wed Oct 14 10:32:07 2015
[+] Requests Done: 137
[+] Memory used: 103.457 MB
[+] Elapsed time: 00:00:16


How does WordPress user enumeration work again?


Rinse and repeat for users #1….???


More bad WordPress site stuff

[+] Enumerating plugins from passive detection ...
 | 1 plugin found:

[+] Name: wordpress-seo - v2.1.1
 |  Location: https://martinomalley.com/wp-content/plugins/wordpress-seo/
 |  Readme: https://martinomalley.com/wp-content/plugins/wordpress-seo/readme.txt
 |  Changelog: https://martinomalley.com/wp-content/plugins/wordpress-seo/changelog.txt
[!] The version is out of date, the latest version is 2.3.5

[!] Title: WordPress SEO by Yoast <= 2.1.1 - Authenticated Stored DOM XSS
    Reference: https://wpvulndb.com/vulnerabilities/8045
    Reference: https://inventropy.us/blog/yoast-seo-plugin-cross-site-scripting-vulnerability/
    Reference: http://packetstormsecurity.com/files/132294/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6692
[i] Fixed in: 2.2


What does a better site look like?

(Upon start)
[!] The target is responding with a 403, this might be due to a WAF or a plugin.

[+] Enumerating installed plugins (only ones with known vulnerabilities) ...
[+] No plugins found

[+] Enumerating usernames ...
[!] Stop User Enumeration plugin detected, results might be empty. However a bypass exists for v1.2.8 and below, see stop_user_enumeration_bypass.rb in /Applications/wpscan
[+] We did not enumerate any usernames


What are good WordPress defenses?

• Current version – Do it (duh)

• Current/secure plug-ins – Do it (duh)

• No self registration – Turn off option

• No user enumeration – INSTALL PLUG-IN

• No directory listing – TWEAK WEB CONFIG

• Inaccessible sign ons – Meh, maybe tweak web config to do basic authentication, etc.
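As an added example (not the talk's code and not part of WPScan), here is a small Python grader that reads WPScan 2.x output of the kind shown on the "bad" and "better" slides above and scores it against this checklist, so a site owner can grade their own scan the way the slides grade each candidate. The sample scans, hostnames and plugin names are constructed, and the letter-grade scale is an assumption of this example; self registration and sign-on accessibility are not reported by these scan lines, so the grader leaves them out.

```python
"""Grade WPScan 2.x text output against the WordPress checklist from the talk."""
import re
from dataclasses import dataclass, field

# Markers WPScan 2.x prints (as seen on the slides), one regex per checklist item.
USER_ENUM = re.compile(r"Identified the following (\d+) user/s")
DIR_LISTING = re.compile(r"[Dd]irectory listing (?:is )?enabled: (\S+)")
OUTDATED_PLUGIN = re.compile(r"The version is out of date, the latest version is (\S+)")
VULN_TITLE = re.compile(r"\[!\] Title: (.+)")
ENUM_BYPASS = re.compile(r"However a bypass exists for (v[\d.]+ and below)")
# Disclosures that do not fail a checklist item but still widen the attack surface.
LEAK_MARKERS = (
    re.compile(r"readme\.html' file exists exposing a version number"),
    re.compile(r"Interesting header: X-POWERED-BY: \S+"),
    re.compile(r"XML-RPC Interface available under: \S+"),
)
# Checklist items this parser can judge from scan output alone.
ITEMS = ("current_secure_plugins", "no_user_enumeration", "no_directory_listing")


@dataclass
class Report:
    results: dict = field(default_factory=lambda: {k: "PASS" for k in ITEMS})
    findings: list = field(default_factory=list)  # evidence behind each FAIL
    leaks: list = field(default_factory=list)     # version / platform disclosures
    notes: list = field(default_factory=list)     # follow-ups that are not failures

    @property
    def fails(self) -> int:
        return sum(1 for v in self.results.values() if v == "FAIL")

    @property
    def grade(self) -> str:
        # Constructed scale for this example: one letter down per failed item.
        return {0: "A", 1: "B", 2: "C"}.get(self.fails, "D")


def grade_scan(text: str) -> Report:
    """Walk WPScan output line by line and fill in the checklist."""
    rep = Report()
    for line in text.splitlines():
        m = USER_ENUM.search(line)
        if m and int(m.group(1)) > 0:
            rep.results["no_user_enumeration"] = "FAIL"
            rep.findings.append(f"{m.group(1)} usernames enumerated")
        m = DIR_LISTING.search(line)
        if m:
            rep.results["no_directory_listing"] = "FAIL"
            rep.findings.append(f"directory listing at {m.group(1)}")
        m = OUTDATED_PLUGIN.search(line)
        if m:
            rep.results["current_secure_plugins"] = "FAIL"
            rep.findings.append(f"plugin out of date (latest {m.group(1)})")
        m = VULN_TITLE.search(line)
        if m:
            rep.results["current_secure_plugins"] = "FAIL"
            rep.findings.append(f"known vulnerability: {m.group(1).strip()}")
        m = ENUM_BYPASS.search(line)
        if m:
            rep.notes.append(f"anti-enumeration plugin present; WPScan reports a bypass for {m.group(1)}")
        if any(p.search(line) for p in LEAK_MARKERS):
            rep.leaks.append(line.strip())
    return rep


# Constructed sample output modelled on the "bad" and "better" slides; hostnames are placeholders.
BAD_SCAN = """\
[+] URL: https://bad-campaign.example/
[!] The WordPress 'https://bad-campaign.example/readme.html' file exists exposing a version number
[+] Interesting header: X-POWERED-BY: PHP/5.5.9-1ubuntu4.13
[+] XML-RPC Interface available under: https://bad-campaign.example/xmlrpc.php
[!] Upload directory has directory listing enabled: https://bad-campaign.example/wp-content/uploads/
[+] WordPress version 4.3.1 identified from meta generator
[!] Directory listing is enabled: https://bad-campaign.example/wp-content/themes/theme/
[+] Name: example-seo - v2.1.1
[!] The version is out of date, the latest version is 2.3.5
[!] Title: Example SEO <= 2.1.1 - Authenticated Stored DOM XSS
[i] Fixed in: 2.2
[+] Enumerating usernames ...
[+] Identified the following 8 user/s:
"""
BETTER_SCAN = """\
[!] The target is responding with a 403, this might be due to a WAF or a plugin.
[+] Enumerating installed plugins (only ones with known vulnerabilities) ...
[+] No plugins found
[+] Enumerating usernames ...
[!] Stop User Enumeration plugin detected, results might be empty. However a bypass exists for v1.2.8 and below
[+] We did not enumerate any usernames
"""

if __name__ == "__main__":
    for label, scan in (("bad", BAD_SCAN), ("better", BETTER_SCAN)):
        rep = grade_scan(scan)
        print(f"{label}: grade {rep.grade} {rep.results}")
        for item in rep.findings + rep.leaks + rep.notes:
            print("  -", item)
```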


What “no user enumeration” plug-in?

» No user enumeration – INSTALL PLUG-IN

• “Stop User Enumeration” (free)

• “WordFence” (not free, multiple protections)

• Others

[+] Enumerating usernames ...
[!] Stop User Enumeration plugin detected, results might be empty. However a bypass exists for v1.2.8 and below, see stop_user_enumeration_bypass.rb in /Applications/wpscan
[+] We did not enumerate any usernames


What “web tweaks”?

» No directory listing – TWEAK WEB CONFIG

• Disable directory listings on specific folders (should already be disabled for the site by default)

» Inaccessible sign ons – Meh, maybe tweak web config to do basic authentication, etc.

• E.g., require basic authentication on sign-on URLs (admin and sign on, etc.)


I stopped directory listing?


Candidates get cute with 404’s.


The Results


Published Article: October 2015

“Doesn’t Any Presidential Candidate Know How to Secure WordPress?”


The Reaction

“Thanks for doing a free security review of my web site. We’ll get our security issues fixed as soon as we can and keep you posted!” *

“I told you I was the best. I beat everyone but Jim Gilmore, and he’s a nobody.” *

* = said none of them.


The Actual Reaction

(crickets)

(the best crickets)


But wait…what’s this?


Round Three

» Remaining five candidates

» WP-specific recon on most

» Revisit Clinton’s site

» Half day max


WordPress Recon, 5 Months Later

“Well, someone must have read the report because…NUTS! Everyone gets an A- now!”


And Some Sites Are Now Actively Flipping Me Off

TedCruz.com – October 2015:

IMP:wpscan jgl$ ruby wpscan.rb -r --url www.tedcruz.org --enumerate
[+] WordPress version 4.3.1 identified from rss generator
[+] Enumerating plugins from passive detection ...
 | 1 plugin found:

[+] Enumerating usernames ...
[+] Identified the following 16 user/s:
+----+------------------------------+--------------------+

[+] Finished: Wed Oct 14 10:17:32 2015
[+] Requests Done: 106
[+] Memory used: 88.645 MB
[+] Elapsed time: 00:00:33

TedCruz.com – March 2016:

IMP:wpscan jgl$ ruby wpscan.rb --url www.tedcruz.com --enumerate
WordPress Security Scanner by the WPScan Team
Version 2.8
________________________________________________________
[!] The remote website is up, but does not seem to be running WordPress.

(This is before using WPScan options, of course.)


So…what’s Clinton been up to lately?


Young People Don’t Like Clinton


“Hey daddios and hep cats: if you like your social media, you can keep your social media.” *

* Summarizing, a bit.

Since I last checked (in October), Clinton’s team built a “social” grassroots function into her main web site:

• Anyone can register

• Anyone can set up a campaign event

• Anyone can invite other people to that event

• …with the message of their choice

Hmmm…now could that be abused? (5 minutes pass) Yep. Guess so.


Abusing Clinton’s Insecure Site

Step 1: REGISTER

Any email will do.

Security Mistake #1: The site doesn’t send a verification link to the email addresses people enter. Instead, all accounts are active immediately.


Abusing Clinton’s Insecure Site

Step 2: LOGIN

Wait. I’m already logged in after registration?

Security Mistake #2: The site signs you on immediately after registration. This allows people to use junk emails to get on!


Abusing Clinton’s Insecure Site

Step 3: CREATE NEW EVENT

Click the button and create a new event.


Abusing Clinton’s Insecure Site

Step 4: POST NEW EVENT

Fill out the form and submit it.

Security Mistakes #3/4: All events are instantly available to other users. There is no verification or validation.


Abusing Clinton’s Insecure Site

Step 5: INVITE SOME “FRIENDS” TO YOUR EVENT, AND INCLUDE A LINK TO A MALWARE SITE

Enter the email addresses of some potential victims and a message that contains a link to a malware site.

Security Mistake #5: Letting unverified users send links to other people.
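The five mistakes above describe one registration-to-invite flow with every control left out. As an added example (not the campaign site's code and not from the talk), here is a Python model of the same flow with each control put back: unverified accounts get no session, events are validated and held for approval, and invites are limited to verified owners of approved events, may only link to the campaign's own host, and carry a fixed footer. The hostnames, quota and moderation step are assumptions made for this example.

```python
"""Registration -> event -> invite flow with the five missing controls added."""
import re
import secrets
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption for this example: invite text may only link back to the campaign's own site.
ALLOWED_LINK_HOSTS = {"campaign.example"}
MAX_INVITES_PER_ACCOUNT = 25  # assumed per-account quota on outbound mail
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


@dataclass
class Account:
    email: str
    verified: bool = False
    invites_sent: int = 0


def links_allowed(message: str) -> bool:
    """Mistake #5: reject any URL whose host is not on the allowlist."""
    for url in URL_RE.findall(message):
        host = (urlparse(url).hostname or "").lower()
        if host not in ALLOWED_LINK_HOSTS:
            return False
    return True


class CampaignSite:
    def __init__(self):
        self.accounts = {}   # email -> Account
        self.pending = {}    # verification token -> email
        self.sessions = {}   # session id -> email
        self.events = {}     # event id -> {"owner", "title", "approved"}
        self.outbox = []     # (recipient, body) mail the site would send

    # Mistake #1: create the account unverified and mail a confirmation link.
    def register(self, email: str) -> str:
        if not EMAIL_RE.match(email) or email in self.accounts:
            raise ValueError("invalid or duplicate email")
        token = secrets.token_urlsafe(24)
        self.accounts[email] = Account(email)
        self.pending[token] = email
        self.outbox.append((email, f"Confirm: https://campaign.example/verify?token={token}"))
        return token  # returned only so a caller can simulate clicking the link

    def verify(self, token: str) -> bool:
        email = self.pending.pop(token, None)  # single use
        if email is None:
            return False
        self.accounts[email].verified = True
        return True

    # Mistake #2: no session until the address has been confirmed.
    def login(self, email: str) -> str:
        acct = self.accounts.get(email)
        if acct is None or not acct.verified:
            raise PermissionError("email address not verified")
        sid = secrets.token_hex(16)
        self.sessions[sid] = email
        return sid

    def _owner(self, sid: str) -> str:
        if sid not in self.sessions:
            raise PermissionError("not signed in")
        return self.sessions[sid]

    # Mistakes #3/#4: events are validated and held until a moderator approves them.
    def create_event(self, sid: str, title: str, description: str) -> int:
        owner = self._owner(sid)
        if not title.strip() or not links_allowed(description):
            raise ValueError("empty title or disallowed link in description")
        eid = len(self.events) + 1
        self.events[eid] = {"owner": owner, "title": title, "approved": False}
        return eid

    def approve_event(self, eid: int) -> None:
        self.events[eid]["approved"] = True

    # Mistake #5: only the verified owner of an approved event may invite, links are
    # allowlisted, a quota applies, and the text rides inside a fixed template.
    def invite(self, sid: str, eid: int, recipients: list, message: str) -> int:
        owner = self._owner(sid)
        ev = self.events.get(eid)
        if ev is None or ev["owner"] != owner or not ev["approved"]:
            raise PermissionError("event missing, not yours, or not yet approved")
        if not links_allowed(message):
            raise ValueError("message links to a host outside the campaign")
        if any(not EMAIL_RE.match(r) for r in recipients):
            raise ValueError("malformed recipient address")
        acct = self.accounts[owner]
        if acct.invites_sent + len(recipients) > MAX_INVITES_PER_ACCOUNT:
            raise PermissionError("invite quota exceeded")
        for rcpt in recipients:
            body = (f"{owner} invited you to '{ev['title']}'.\n{message}\n"
                    "-- Sent via campaign.example on behalf of a volunteer, not by campaign staff.")
            self.outbox.append((rcpt, body))
        acct.invites_sent += len(recipients)
        return len(recipients)
```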


Definition of Phishing


What did we just do on Clinton’s site?

» Sent a malware link in an email that appeared to come from Hillary Clinton’s campaign.

» That’s PHISHING, right?


Politico’s Darren Samuelsohn Asked the Clinton Campaign About This

Let’s test this. Maybe with an email client built by Google?

http://www.politico.com/story/2016/03/hackers-declare-war-on-trump-221442

Clinton Campaign CTO Stephanie Hannon


Abusing Clinton’s Insecure Site

Step 6: EMAIL CLIENT (GMAIL) AUTOMATICALLY MAKES URL TO MALWARE “HOT”

User sees message from “Hillary for America” ([email protected]) in their inbox (not spam). User clicks on the link. Malware installs.


New Cybersecurity Grade for Clinton’s Site

Candidate Cybersecurity

Candidate           | Grade | Pro                                                                                   | Con
Hillary Clinton (D) | D     | Employs security experts (maybe to watch the IT infrastructure). Runs up-to-date software. | Large attack surface that relies on a quickly-built custom application. Allows phishing and it’s “by design” as per CTO.

Page 114

So…How Effective Would a “Hillary for America” Phishing Campaign Be?

» Good thing I designed a “phishing simulator” for the InfoSec Institute!

» Created a similar template in our “SecurityIQ” phishing simulator

» Sent to 38 employees and reporters


Page 115

So…How Effective Would a “Hillary for America” Phishing Campaign Be?

» Smart users could detect simulated phishing message by:

• looking at URL on link

• reading footer

Page 116

So…How Effective Would a “Hillary for America” Phishing Campaign Be?

» Phished an InfoSec Institute employee within 5 minutes

• 1 for 1 on employees with “social justice” in their social profiles

» 20% opened the message within the first hour

• 35% in two days

Page 117

So…How Effective Would a “Hillary for America” Phishing Campaign Be?

» 4 People Phished (4 different people)

• 11% click rate (12% is normal*)

» 20 People Opened (20 different people)

• 53% open rate (30% is normal*)

HFA Phishing Email:

• God-like open rate

• Great click rate

* Survey of 8 million phishing messages from Verizon 2016 Breach Investigations Report

Page 118

What Never Happened

Hey! Why are you phishing people from my web site?

Um…because WE CAN?

Page 119

Conclusion

» What did we learn over the past six months?

Page 120

Takeaways

» Most candidates started the campaign season with their pants down

• Not Trump, and probably not Clinton

» Most candidates realized the error of their ways and made corrections

• Kasich, Sanders, Trump and Cruz all get an “A-” on web site security now

• However, they are still running Wordpress – thus the “minus”

» Clinton’s team appears to be tone deaf to cybersecurity

• “With the email server in the bathroom thing, don’tcha think you ought’a tread lightly?”

• Intentionally developed and released a site that allows anyone to phish anyone else using Clinton campaign resources

- Phishing remains one of the most effective ways for hackers to get a foothold in any organization; large organizations incur about $4M/year EACH in phishing losses and it remains one of IT security’s top concerns

- CTO unmoved, seemed unaware that Gmail automatically converts URLs to links
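The weakness these takeaways describe (a campaign site relaying sender-supplied text from its own mail domain, which the recipient's Gmail then turns into live links) is closed on the server side by refusing to relay anything link-like before the mail is sent. The Python check below is an added example written for this transcript, not code from the campaign or from the talk; it goes a step beyond the slides' http:// case by also catching bare domains and www. hosts, which mail clients auto-link as well, and its patterns, 280-character limit and sample notes are all constructed.

```python
import re

# Defensive check for a share-by-email / "tell a friend" feature that relays a
# sender-supplied note from the organisation's own mail domain. Because the
# receiving mail client (Gmail in the talk) turns any URL-shaped text into a live
# link, the fix is to refuse to relay anything link-like, not just http:// URLs.
# Patterns, the 280-character limit and the sample notes are constructed for
# this example.
LINKABLE = re.compile(
    r"[a-z][a-z0-9+.-]*://\S+"                    # scheme URLs (http://, https://, ftp://)
    r"|\bwww\.[^\s/]+(?:/\S*)?"                   # www. hosts without a scheme
    r"|\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b(?:/\S*)?",  # bare domains such as evil.example/path
    re.IGNORECASE,
)
MAX_NOTE_LEN = 280  # a personal note, not an email body


def find_linkable_tokens(note: str) -> list[str]:
    """Return, in order and without duplicates, every substring of a note that a
    mail client would auto-link. Errs toward over-matching: a missing space
    ("minutes.Malware") is flagged too, which is the safe direction here."""
    hits = [m.group(0) for m in LINKABLE.finditer(note)]
    return list(dict.fromkeys(hits))


def validate_share_note(note: str) -> tuple[bool, str]:
    """Decide whether a note may be sent under the organisation's From: address.
    Returns (accepted, reason); the reason names the rejected tokens so the
    form can show the sender exactly what was refused."""
    if len(note) > MAX_NOTE_LEN:
        return False, "note too long"
    tokens = find_linkable_tokens(note)
    if tokens:
        return False, "links are not allowed in personal notes: " + ", ".join(tokens)
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample notes such a form might receive.
    for note in ("Join me at the rally on Saturday!",
                 "Important update: http://evil.example/hfa-update",
                 "Donate today at hfa-donate.example/now"):
        print(validate_share_note(note))
```

A note that passes this check can still be sent from the campaign address, but nothing in it becomes a clickable destination in the recipient's inbox.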