Hack All the Candidates
Researching the Security of (US) Presidential Candidate Websites
Jonathan Lampe, CISSP – InfoSec Institute
[email protected] – @infosecedu – securityiq.infosecinstitute.com
THOTCON 2016 – www.thotcon.com (slide transcript)
What You’ll Hear Today
» Backstory – Origin of “No Hacking Recon”
» Why Candidates?
» Round One – “Top Five at the Time”
» Round Two – “Wordpress Candidates”
» Round Three – “Last Five Standing”
Backstory
» Origin of “No Hacking” Recon
Um…who said you could do this?
» “No good deed goes unpunished.”
• Oscar Wilde
The “Customer Summit” App
» Working as an application pen tester
» Found a “Customer Summit” mobile app
• Contained a “birds of feathers” feature
» Cracked it and found entire attendee list
• Names, titles, emails, phone numbers of 95% of the company’s key customers
The “Customer Summit” App
» Posted on Apple’s and Google’s app stores
» Therefore:
• Contact info of major customers
• Available for free to the public
» App removed immediately
• Good, right?
Every Good Deed…
» “OK, smarty-pants. Now find us a secure replacement for the app YOU took from us.”
• The Company
» “Did we mention the next conference is next month?”
The Challenge, Re-Expressed
» “Here’s a cloud service we’d like to use”
» “It has a web site and mobile apps”
» “We want to use it with [type of information]”
» “Mr. Security, are you OK with that?”
» “Let us know by END OF WEEK, mkay?”
This Kind of Request is COMMON
» “Hey, security guy/gal. We’d like to use X for Y.”
» “Don’t spend much time on it, but…”
» “…we’ll be buying soon so speak up now.”
Like to Do vs. Can Do
» What we’d like to do → What we have time to do:
• Interview someone from their security team → See if it looks like they have a security team.
• Review their security response procedures → Review their security response promises.
• Pentest a test instance of their application → Poke around the edges of their production application.
• Crack their mobile apps → Poke around their mobile apps.
• Schedule a concall, get their permission and discuss our tests in advance → Do something. Now. (In fact, why are you still here?)
“Listening Very Carefully”
» Every IT security person should know how to use attack proxies, spanning ports and other legal man-in-the-middle techniques
» Long Version: “Evaluating the Security of Potential Partners ...Without Permission!” – Lampe – (ISC)2 Congress 2015
Examples of “Listening” Recon
“Poke Around Edges” = Light Recon
1. Use of HTTPS to protect traffic
2. Quality of SSL certificate
3. Avoids client-side secrets or authentication
4. Up-to-date software
5. Secure site headers
6. Proper location and protection of vital assets
7. Avoids information leakage through “extra” fields
8. Access controls on web APIs (sometimes)
Why Candidates?
» Why did you decide to look at presidential candidates’ web sites?
Candidates Have Online Stores
» Article in “The Isthmus” (Madison weekly)
» All the unbelievable crap you could buy from candidates’ stores
» “Wait, political candidates are running online stores?”
[Image: mind blown!]
http://isthmus.com/news/cover-story/Campaign-Swag-Merchandise/
Presidential Swag
http://isthmus.com/news/cover-story/Campaign-Swag-Merchandise/
Idea: Perform Light Recon of Candidates’ Web Sites, Including Stores and Donations
» The “top five candidates” (with some staying power)
• Clinton (#1 D) – Mathematically impossible to beat
• Sanders (#2 D) – Nothing to lose
• Trump (#1 R) – Self-funded publicity hound
• Carson (#2 R) – Demonstrated party’s diversity
• Bush (+1 R) – Had $100M to blow
Round One
» Top five candidates (at the time)
» Light recon
• HTTPS config
• DOS protection
• Store/donations
• Main site
» One day max
Depth of Recon (Round One)
» Goal: Steal or tamper with input (including passwords)
» HTTP/S and quality of SSL (really TLS)
• Everyone was pretty good!
- 2048-bit key, no SSL
• Mostly turned on by default
• Mostly used decent configurations
• Few anomalies in certificates
- Bush: extra sites in X.509 “Subject Alt Name”
Example of Boring X.509 Anomaly
Depth of Recon (Round One)
» Goal: DOS (Denial of Service)
» CDN (Content Delivery Network)
• Everyone was pretty good!
• All top candidates already used these
• Resulting in…good HTTPS configs and certs
Who Used What CDN
Candidate – CDN
Clinton – Fastly
Bush – CloudFlare
Trump – CloudFlare
Sanders – CloudFlare
Carson – Akamai
* As of October 2015 – I haven’t checked since
Depth of Recon (Round One)
» Goal: Theft and Defacement
» What runs the site, web store, donations and volunteer registration?
Clinton’s Site
» Roll-your-own
» Developed like a typical “brogrammer” startup
Clinton’s Site
» What “brogrammer” tech exactly?
Clinton’s Site
» eComm helper: Shopify
Clinton’s Site
» Motto: “…ship early and often. Done is always better than perfect.”
Clinton’s Site
» “The Claw” Web Service
Clinton’s Site
» Are you lying to us again?
• Yes, but this time it’s OK.
» Varnish obfuscates actual server
Clinton’s Grade (October 2015)
Who’s Running What? – Clinton: Main Site: Roll-Your-Own; Store: Roll-Your-Own (on top of Shopify); Donations: Roll-Your-Own; Volunteers: Roll-Your-Own
Hillary Clinton (D) – Cybersecurity Grade: B
» Pro: Building a security team. Runs up-to-date software.
» Con: Large attack surface that relies on a quickly-built custom application.
Sanders' Site
» WordPress
» Yes, THAT WordPress.
Wikipedia: “WordPress was used by more than 23.3% of the top 10 million websites as of January 2015. WordPress is the most popular blogging system in use on the Web, at more than 60 million websites.”
Sanders' Site
» OK, it’s WordPress.
• Cue: Take a deep breath.
» But it’s locked down, right?
• Current version
• Current/secure plug-ins
• No self registration
• No user enumeration
• No directory listing
• Inaccessible sign ons
Sanders' Site
» WordPress security checklist:
• No user enumeration - FAIL
Sanders' Site
» Who dat?
• Lookup via p2016.org, revolutionmessaging.com or LinkedIn
Pinky Weitzman (Digital Director*), Claire Sandberg (Digital Organizing Director), Hector Sigala (Digital Media Director), Scott Goodstein (CEO of Revolution Messaging), Dana McDonough (Revolution Messaging), Michael Whitney (Revolution Messaging), Zack Exley (Senior Advisor), and Richard Eskow (Writer/Editor). Usernames of Jeff Weaver (Campaign Manager), Kenneth Pennington (Digital Director), Arianna Jones (Deputy Communications Manager) and Jonathan Dauz (Revolution Messaging)
Sanders' Site
» WordPress security checklist:
• Inaccessible sign ons - FAIL
Sanders' Site
» Other:
• You’ve been using WordPress for a LONG time, haven’t you?
Sanders' Site
» WordPress security checklist:
• Current version - YES
• Current/secure plug-ins - YES
• No self registration - YES
• No user enumeration - FAIL
• No directory listing - YES
• Inaccessible sign ons - FAIL
Sanders' Site
» Store is WooCommerce / Shopify
Sanders' Site
» Donations are ActBlue
Who’s Running What?
Sanders: Main Site: WordPress; Store: WooCommerce (built on Shopify); Donations: ActBlue; Volunteers: WordPress
Bernie Sanders (D) – Cybersecurity Grade: C
» Pro: Outsources donation services.
» Con: Uses unsecured WordPress site that exposes usernames and sign on page.
Trump’s Site
» Main site: Custom Build
• Trump’s usual web dev outfit in San Antonio: Parscale
Trump’s Site
» Volunteers: Also Parscale
(pretend I have an interesting screenshot here)
• Uses a custom script
• Sets a custom “djt__last_activity” cookie to record whether or not you have volunteered yet
• DJT = “Donald J Trump” – The Best Cookie Evar
Trump’s Site
» Store: Written in ASP.NET, uses Volusion
Trump’s Site
» Donations: Victory Passport
…which is a WordPress plug-in?
DENIED: PROJECT WAS MISSING
Trump’s Site
» Who is Victory Passport?
• ActBlue’s Nate Thames raised a stink in 2013 about “direct submission of CC data to WordPress server”
• Victory Passport denied it…but changed something anyway
https://www.washingtonpost.com/news/the-switch/wp/2013/12/19/liberals-said-the-gops-new-one-click-donation-tool-was-insecure-they-were-wrong/
http://victorypassportisnotsecure.tumblr.com/
Trump’s Site
» Should we be worried?
• Maybe – could be an OLD plug-in
Current WordPress version is: 4.5.1
On the other hand, it’s just a “readme” and the company may have stopped updating the doc once they yanked the plug-in from github.
Trump’s Site
» WordPress security checklist:
• Current version - YES
• Current/secure plug-ins - YES
• No self registration - YES
• No user enumeration - YES
• No directory listing - YES
• Inaccessible sign ons - FAIL
Trump’s Site
» WordPress security checklist:
• Inaccessible sign ons - FAIL
Who’s Running What?
Trump: Main Site: Custom (Giles-Parscale); Store: Roll-Your-Own (ASP.NET / Volusion); Donations: Targeted Victory (WordPress with Victory Passport plug-in); Volunteers: Custom (Giles-Parscale)
Donald Trump (R) – Cybersecurity Grade: B
» Pro: Outsources donation services.
» Con: May be using old software. Uses partially secured WordPress site that exposes sign on page and leaks other information. May be running old donation WordPress plug-in.
Carson’s Site
» Main site: Hubspot
• Also volunteers
“Hubspot itself has a short history of vulnerabilities but it has also demonstrated the ability to identify and close them quickly.”
Carson’s Site
» No store (at the time)
» Donations: Spark eCommerce
Who’s Running What?
Carson: Main Site: Hubspot; Store: (none) (added later); Donations: Spark eCommerce; Volunteers: Hubspot
Ben Carson (R) – Cybersecurity Grade: A
» Pro: Outsources donation and volunteer services. No store. Small attack surface.
» Con: (none)
Bush’s Site
» Main site: Wordpress
• Here we go again?
InfoSecs-MacBook-Pro:wpscan jgl$ ruby wpscan.rb --url www.jeb2016.com -e u[1-30]
WordPress Security Scanner by the WPScan Team Version 2.8
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
[i] The remote host tried to redirect to: https://jeb2016.com/
[?] Do you want follow the redirection ? [Y]es [N]o [A]bort, default: [N]Y
[+] URL: https://jeb2016.com/
[+] Started: Tue Oct 13 08:01:54 2015
…
[+] WordPress version 4.3.1 identified from advanced fingerprinting
Bush’s Site
» Main site: Wordpress
• “Handrolled” indeed
[+] WordPress theme in use: jeb - v1.0
[+] Name: jeb - v1.0
| Location: https://jeb2016.com/wp-content/themes/jeb/
| Style URL: https://jeb2016.com/wp-content/themes/jeb/style.css
| Referenced style.css: wp-content/themes/jeb/library/css/style.css
| Theme Name: Jeb
| Theme URI: https://jeb2016.com/
| Description: This site was handrolled by hardworking Americans in support of Jeb Bush for President.
| Author: Jeb Bush for President
| Author URI: https://jeb2016.com/
Bush’s Site
» WordPress security checklist:
• Current version - YES
• Current/secure plug-ins - YES
• No self registration - YES
• No user enumeration - FAIL
• No directory listing - YES
• Inaccessible sign ons - FAIL
Bush’s Site
» WordPress security checklist:
• No user enumeration - FAIL
Bush’s Site
» Who dat?
• Lookup via p2016.org, fec.gov, ucsc-extension.edu or LinkedIn
Ambert Rodriguez (Lead Designer*), Joel Graves (Social Media Manager), Catherine Brady and Sarah Delahunty (Regional Finance Coordinator), Liz Horning (Regional Coordinator), Dane Bahnsen (member of National Veterans Coalition), Josh Venable (untitled member of Bush 2016), Ron Thompson (Digital Analytics Director), Danielle Mendheim (digital media analyst), Daria Grastara (digital media intern), Kevin Zambrano and Chris Georgia ("digital" members of Bush 2016), Andrew Finnan (unknown relationship but previously listed on payroll), and Allison Del Castillo, Cami Morrow, Jack Miles and Andrew Johnson (unknown relationship). Usernames of Mittera (Iowa-based design firm), Flywheel Communications (Vermont-based PR firm), Nova Retail (booth display firm), Jesse Hunt (untitled member of Bush 2016) and Fernando Azevedo (Mittera employee)
Bush’s Site
» WordPress security checklist:
• Inaccessible sign ons - FAIL
Bush’s Site
» Other WordPress interesting notes:
• Different menu systems for public / non-public
Who’s Running What?
Bush: Main Site: Wordpress; Store: WooCommerce; Donations: Revv (based on Stripe eCommerce); Volunteers: Wordpress
Jeb Bush (R) – Cybersecurity Grade: C
» Pro: Outsources donation services.
» Con: Uses unsecured WordPress site that exposes usernames, sign on page and leaks other information.
Final Grades from Round One
» Hillary Clinton (D) – Grade B
• Pro: Building a security team. Runs up-to-date software.
• Con: Large attack surface that relies on a quickly-built custom application.
» Bernie Sanders (D) – Grade C
• Pro: Outsources donation services.
• Con: Uses unsecured WordPress site that exposes usernames and sign on page.
» Donald Trump (R) – Grade B
• Pro: Outsources donation services.
• Con: May be using old software. Uses partially secured WordPress site that exposes sign on page and leaks other information. May be running old donation WordPress plug-in.
» Ben Carson (R) – Grade A
• Pro: Outsources donation and volunteer services. No store. Small attack surface.
• Con: (none)
» Jeb Bush (R) – Grade C
• Pro: Outsources donation services.
• Con: Uses unsecured WordPress site that exposes usernames, sign on page and leaks other information.
» ALL CANDIDATES – Grade n/a
• Pro: Require use of well-configured HTTPS. Use CDN to avoid single-site availability issues.
• Con: No response to inquiry about reporting security vulnerabilities.
Published Article: October 2015
“Which Top Five Presidential Candidate is Most Likely To Be Hacked”
Meanwhile, on the Internet…
MOST of the candidates run Wordpress? Really?
MOST PRESIDENTIAL CANDIDATES RUN FREE “WORDPRESS” SOFTWARE
CAT FANCIERS AND POTENTIAL POTUSI (POTUSES?) UNITE ON WORLD’S MOST POPULAR AND VULNERABLE PLATFORM
Round Two
» Everyone Running WordPress
» WP-specific recon
• Current version
• Current/secure plug-ins
• No self registration
• No user enumeration
• No directory listing
• Inaccessible sign ons
» One day max
WPScan is your friend
» Ran from a command prompt on a Mac
» Uses Ruby
» Script-kiddie accessible
» Only tool I used in Round 2 (and 3)
Basic WPScan Commands
InfoSecs-MacBook-Pro:~ jgl$ cd /Applications/wpscan
InfoSecs-MacBook-Pro:wpscan jgl$ ruby wpscan.rb --url www.berniesanders.com --enumerate u[1-30]
“--enumerate” = look for stuff
“u[1-30]” = try to look for users #1 through #30
What if the site “flips you off”?
IMP:wpscan jgl$ ruby wpscan.rb -r --url https://www.webb2016.com/ -e u[1-30]
[!] The WordPress URL supplied 'https://www.webb2016.com/' seems to be down.
IMP:wpscan jgl$ ruby wpscan.rb -r --url https://www.webb2016.com/ -e u[1-30]
[i] The remote host tried to redirect to: https://www.webb2016.com/
[?] Do you want follow the redirection ? [Y]es [N]o [A]bort, default: [N]Y
[!] The remote website is up, but does not seem to be running WordPress.
IMP:wpscan jgl$ ruby wpscan.rb -r --force --url http://www.webb2016.com/ -e u[1-30]
[!] The wp_content_dir has not been found, please supply it with --wp-content-dir
IMP:wpscan jgl$ ruby wpscan.rb -r --force --wp-content-dir "wp-content" --url http://www.webb2016.com/ --connect-timeout 30 --request-timeout 30 -e u[1-30]
[+] This site seems to be a multisite (http://codex.wordpress.org/Glossary#Multisite)
[i] WordPress version can not be detected
[+] Enumerating plugins from passive detection ...
Add: --force --wp-content-dir "wp-content"
More “anti flip off” commands
IMP:wpscan jgl$ ruby wpscan.rb --url https://www.tedcruz.org -f --user-agent "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36" --enumerate --wp-plugins-dir /wp-content/plugins
Add: --user-agent “(full user agent)” --wp-plugins-dir /wp-content/plugins (-f = --force)
Lie about who you are. (This works great for attack proxies too.)
What a bad WordPress site looks like
InfoSecs-MacBook-Pro:wpscan jgl$ ruby wpscan.rb -r --url https://www.marcorubio.com/ -e u[1-30]
WordPress Security Scanner by the WPScan Team Version 2.8
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
[i] The remote host tried to redirect to: https://marcorubio.com
[?] Do you want follow the redirection ? [Y]es [N]o [A]bort, default: [N]y
[+] URL: https://marcorubio.com/
[+] Started: Wed Oct 14 10:31:50 2015
What a bad WordPress site looks like
[+] robots.txt available under: 'https://marcorubio.com/robots.txt'
[!] The WordPress 'https://marcorubio.com/readme.html' file exists exposing a version number
[+] Interesting header: AGE: 0
[+] Interesting header: CF-RAY: 23545575ed980418-ORD
[+] Interesting header: SERVER: cloudflare-nginx
[+] Interesting header: VIA: 1.1 varnish-v4
[+] Interesting header: X-CACHE: MISS
[+] Interesting header: X-POWERED-BY: PHP/5.5.9-1ubuntu4.13
[+] Interesting header: X-VARNISH: 19143588
[+] XML-RPC Interface available under: https://marcorubio.com/xmlrpc.php
[!] Upload directory has directory listing enabled: https://marcorubio.com/wp-content/uploads/
[+] WordPress version 4.3.1 identified from meta generator
[+] WordPress theme in use: theme
[+] Name: theme
| Location: https://marcorubio.com/wp-content/themes/theme/
[!] Directory listing is enabled: https://marcorubio.com/wp-content/themes/theme/
| Style URL: https://marcorubio.com/wp-content/themes/theme/style.css
| Description:
“Directory Listing Enabled”
What a bad WordPress site looks like
[+] Enumerating plugins from passive detection ...
| 3 plugins found:
[+] Name: advanced-responsive-video-embedder
| Latest version: 6.3.4
| Location: https://marcorubio.com/wp-content/plugins/advanced-responsive-video-embedder/
| Readme: https://marcorubio.com/wp-content/plugins/advanced-responsive-video-embedder/README.txt
[+] Name: minimalist-twitter-widget - v1.5
| Latest version: 1.5 (up to date)
| Location: https://marcorubio.com/wp-content/plugins/minimalist-twitter-widget/
| Readme: https://marcorubio.com/wp-content/plugins/minimalist-twitter-widget/readme.txt
[+] Name: roost-for-bloggers - v2.3.6
| Latest version: 2.3.6 (up to date)
| Location: https://marcorubio.com/wp-content/plugins/roost-for-bloggers/
| Readme: https://marcorubio.com/wp-content/plugins/roost-for-bloggers/readme.txt
[!] Directory listing is enabled: https://marcorubio.com/wp-content/plugins/roost-for-bloggers/
What a bad WordPress site looks like
[+] Enumerating usernames ...
[+] Identified the following 8 user/s:
+----+----------+--------------------+
| Id | Login    | Name               |
+----+----------+--------------------+
| 1  | ******** | PDAdmin            |
| 2  | ******** | preview            |
| 3  | ******** | optimus            |
| 4  | ******** | Eric Wilson        |
| 5  | ******** | Arpit Patel        |
| 6  | ******** | Olivia Perez-Cubas |
| 7  | ******** | Cabot Phillips     |
| 9  | ******** | Patrick Brennan    |
+----+----------+--------------------+
[+] Finished: Wed Oct 14 10:32:07 2015
[+] Requests Done: 137
[+] Memory used: 103.457 MB
[+] Elapsed time: 00:00:16
How does WordPress user enumeration work again?
Rinse and repeat for users #1….???
More bad WordPress site stuff

[+] Enumerating plugins from passive detection ...
| 1 plugin found:
[+] Name: wordpress-seo - v2.1.1
| Location: https://martinomalley.com/wp-content/plugins/wordpress-seo/
| Readme: https://martinomalley.com/wp-content/plugins/wordpress-seo/readme.txt
| Changelog: https://martinomalley.com/wp-content/plugins/wordpress-seo/changelog.txt
[!] The version is out of date, the latest version is 2.3.5
[!] Title: WordPress SEO by Yoast <= 2.1.1 - Authenticated Stored DOM XSS
Reference: https://wpvulndb.com/vulnerabilities/8045
Reference: https://inventropy.us/blog/yoast-seo-plugin-cross-site-scripting-vulnerability/
Reference: http://packetstormsecurity.com/files/132294/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6692
[i] Fixed in: 2.2
What does a better site look like?

(Upon start)
[!] The target is responding with a 403, this might be due to a WAF or a plugin.
[+] Enumerating installed plugins (only ones with known vulnerabilities) ...
[+] No plugins found
[+] Enumerating usernames ...
[!] Stop User Enumeration plugin detected, results might be empty. However a bypass exists for v1.2.8 and below, see stop_user_enumeration_bypass.rb in /Applications/wpscan
[+] We did not enumerate any usernames
What are good WordPress defenses?
• Current version – Do it (duh)
• Current/secure plug-ins – Do it (duh)
• No self registration – Turn off option
• No user enumeration – INSTALL PLUG-IN
• No directory listing – TWEAK WEB CONFIG
• Inaccessible sign ons – Meh, maybe tweak web config to do basic authentication, etc.
What “no user enumeration” plug-in?
» No user enumeration – INSTALL PLUG-IN
• “Stop User Enumeration” (free)
• “WordFence” (not free, multiple protections)
• Others

[+] Enumerating usernames ...
[!] Stop User Enumeration plugin detected, results might be empty. However a bypass exists for v1.2.8 and below, see stop_user_enumeration_bypass.rb in /Applications/wpscan
[+] We did not enumerate any usernames
What “web tweaks”?
» No directory listing – TWEAK WEB CONFIG
• Disable directory listings on specific folders (should already be disabled for the site by default)
» Inaccessible sign ons – Meh, maybe tweak web config to do basic authentication, etc.
• E.g., require basic authentication on sign-on URLs (admin and sign on, etc.)
I stopped directory listing?
Candidates get cute with 404’s.
The Results
Published Article: October 2015
“Doesn’t Any Presidential Candidate Know How to Secure WordPress?”
The Reaction
Thanks for doing a free security review of my web site. We’ll get our security issues fixed as soon as we can and keep you posted! *
I told you I was the best. I beat everyone but Jim Gilmore, and he’s a nobody. *
* = said none of them.
The Actual Reaction
(crickets)
(the best crickets)
But wait…what’s this?
Round Three
» Remaining five candidates
» WP-specific recon on most
» Revisit Clinton’s site
» Half day max
WordPress Recon, 5 Months Later
“Well, someone must have read the report because…NUTS! Everyone gets an A- now!”
And Some Sites Are Now Actively Flipping Me Off

TedCruz.com – October 2015:
IMP:wpscan jgl$ ruby wpscan.rb -r --url www.tedcruz.org -enumerate
[+] WordPress version 4.3.1 identified from rss generator
[+] Enumerating plugins from passive detection ...
| 1 plugin found:
[+] Enumerating usernames ...
[+] Identified the following 16 user/s:
+----+------------------------------+--------------------+
[+] Finished: Wed Oct 14 10:17:32 2015
[+] Requests Done: 106
[+] Memory used: 88.645 MB
[+] Elapsed time: 00:00:33

TedCruz.com – March 2016:
IMP:wpscan jgl$ ruby wpscan.rb --url www.tedcruz.com --enumerate
WordPress Security Scanner by the WPScan Team
Version 2.8
________________________________________________________
[!] The remote website is up, but does not seem to be running WordPress.

(This is before using WPScan options, of course.)
So…what’s Clinton been up to lately?
Young People Don’t Like Clinton
“Hey daddios and hep cats: if you like your social media, you can keep your social media.” *
* Summarizing, a bit.
Since I last checked (in October), Clinton’s team built a “social” grassroots function into her main web site
• Anyone can register
• Anyone can set up a campaign event
• Anyone can invite other people to that event
• …with the message of their choice
Hmmm…now could that be abused? (5 minutes pass)
Yep. Guess so.
Abusing Clinton’s Insecure Site – Step 1: REGISTER
Any email will do.
Security Mistake #1: The site doesn’t send a verification link to the email addresses people enter. Instead, all accounts are active immediately.
Abusing Clinton’s Insecure Site – Step 2: LOGIN
Wait. I’m already logged in after registration?
Security Mistake #2: The site signs you on immediately after registration. This allows people to use junk emails to get on!
Abusing Clinton’s Insecure Site – Step 3: CREATE NEW EVENT
Click the button and create a new event.
Abusing Clinton’s Insecure Site – Step 4: POST NEW EVENT
Fill out the form and submit it.
Security Mistakes #3/4: All events are instantly available to other users. There is no verification or validation.
Abusing Clinton’s Insecure Site – Step 5: INVITE SOME “FRIENDS” TO YOUR EVENT, AND INCLUDE A LINK TO A MALWARE SITE
Enter the email addresses of some potential victims and a message that contains a link to a malware site.
Security Mistake #5: Letting unverified users send links to other people.
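The talk shows the five mistakes only as screenshots; as an added example that is not the campaign's code, here is a minimal Python model of the same register → event → invite flow with each mistake closed: an account stays inactive until the emailed token is used, registration issues no session, events wait for approval before anyone can be invited, and invitation text may not carry a URL, so the only link in the outgoing mail is the site's own event page. The domain campaign.example, the class and method names, and the URL rule are assumptions made for the example.

```python
import re
import secrets

SITE_HOST = "campaign.example"   # hypothetical campaign domain (assumption)
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)
class Site:
    def __init__(self):
        self.accounts = {}   # email -> {"verified": bool, "token": str}
        self.events = []     # {"owner", "title", "approved"}
        self.outbox = []     # (recipient, body) mail the site would send

    def register(self, email):
        # Mistakes #1/#2: the account starts unverified and no session is issued;
        # the only mail sent is a verification link to the address itself.
        token = secrets.token_urlsafe(32)
        self.accounts[email] = {"verified": False, "token": token}
        self.outbox.append((email, f"https://{SITE_HOST}/verify?token={token}"))

    def verify(self, email, token):
        acct = self.accounts.get(email)
        if acct and secrets.compare_digest(acct["token"], token):
            acct["verified"] = True
            return True
        return False

    def _require_verified(self, email):
        if not self.accounts.get(email, {}).get("verified"):
            raise PermissionError("unverified account")

    def create_event(self, email, title):
        # Mistakes #3/#4: only verified accounts may post, and the event waits
        # for moderator approval instead of being visible to everyone at once.
        self._require_verified(email)
        self.events.append({"owner": email, "title": title, "approved": False})
        return len(self.events) - 1

    def invite(self, email, event_id, recipients, note):
        # Mistake #5: only approved events are announced, user text may not
        # carry URLs, and the one link in the mail points back to this site.
        self._require_verified(email)
        ev = self.events[event_id]
        if not ev["approved"]:
            raise PermissionError("event awaiting approval")
        if URL_RE.search(note):
            raise ValueError("links are not allowed in invitation text")
        body = (f"{email} invites you to '{ev['title']}': {note}\n"
                f"https://{SITE_HOST}/events/{event_id}")
        self.outbox.extend((r, body) for r in recipients)
        return len(recipients)
```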
Definition of Phishing
What did we just do on Clinton’s site?
» Sent a malware link in an email that appeared to come from Hillary Clinton’s campaign.
» That’s PHISHING, right?
Politico’s Darren Samuelsohn Asked the Clinton Campaign About This
Let’s test this. Maybe with an email client built by Google?
http://www.politico.com/story/2016/03/hackers-declare-war-on-trump-221442
Clinton Campaign CTO Stephanie Hannon
Abusing Clinton’s Insecure Site – Step 6: EMAIL CLIENT (GMAIL) AUTOMATICALLY MAKES URL TO MALWARE “HOT”
User sees message from “Hillary for America” ([email protected]) in their inbox (not spam). User clicks on the link. Malware installs.
New Cybersecurity Grade for Clinton’s Site

Candidate: Hillary Clinton (D)
Cybersecurity Grade: D
Pro: Employs security experts (maybe to watch the IT infrastructure). Runs up-to-date software.
Con: Large attack surface that relies on a quickly-built custom application. Allows phishing and it’s “by design” as per CTO.
So…How Effective Would a “Hillary for America” Phishing Campaign Be?
» Good thing I designed a “phishing simulator” for the InfoSec Institute!
» Created a similar template in our “SecurityIQ” phishing simulator
» Sent to 38 employees and reporters
» Smart users could detect simulated phishing message by:
• looking at URL on link
• reading footer
» Phished an InfoSec Institute employee within 5 minutes
• 1 for 1 on employees with “social justice” in their social profiles
» 20% opened the message within the first hour
• 35% in two days
» 4 People Phished
• 11% click rate (12% is normal*)
» 20 People Opened
• 53% open rate (30% is normal*)
HFA Phishing Email:
• God-like open rate
• Great click rate
* Survey of 8 million phishing messages from Verizon 2016 Breach Investigations Report
What Never Happened
Hey! Why are you phishing people from my web site?
Um…because WE CAN?
Conclusion
» What did we learn over the past six months?
Takeaways
» Most candidates started the campaign season with their pants down
• Not Trump, and probably not Clinton
» Most candidates realized the error of their ways and made corrections
• Kasich, Sanders, Trump and Cruz all get an “A-” on web site security now
• However, they are still running WordPress – thus the “minus”
» Clinton’s team appears to be tone deaf to cybersecurity
• “With the email server in the bathroom thing, don’tcha think you ought’a tread lightly?”
• Intentionally developed and released a site that allows anyone to phish anyone else using Clinton campaign resources
- Phishing remains one of the most effective ways for hackers to get a foothold in any organization; large organizations incur about $4M/year EACH in phishing losses and it remains one of IT security’s top concerns
- CTO unmoved, seemed unaware that Gmail automatically converts URLs to links