I’ve spent 30 years hacking computers. I’ve done just about every trick in the book.
Many people I’ve known over the years have spent time in jail or in some other capacity that is specifically unclear after their hacking was uncovered.
And many people I know have never been discovered.
A) THE ABCs OF HACKING
I want to stick to the basics so people can understand what they are seeing in the news and think intelligently about it.
I also want to underline what the real problems are and not just the isolated problems we saw in this past election (although they are serious and I use them to demonstrate why the real issues could be much more serious).
First: what is hacking? How do people hack? What’s the difference between the movies/TV and real hacking? What is legal in this particular situation and what is illegal?
First, the WHAT: How does someone hack in today’s world (and the rules and techniques change constantly since 30 years ago).
TECHNIQUES:
1) HOLES IN THE NETWORK
One time a friend of mine was playing a joke on a well known media company.
For the sake of explanation, let’s say that media company had the initials “M” “T” “V” and just for the purposes of why it would have such strange initials, let’s say that stands for “Music TeleVision”.
MTV had a hole in their network. Every network has thousands of “ports”, like a massive cruise liner.
An “open port” sends messages back and forth. Like someone waving from a cruise ship as it pulls away.
Most ports are simply closed. But some are open in order to receive various special messages.
For instance, there is a port that listens for requests for web pages.
Like when you type into your URL box: “http://mtv.com” a message is sent (usually) to port number 80 at a computer at MTV (or wherever MTV stores their web pages).
Then a special language is spoken between your browser and the server at MTV that is listening to port 80.
An example conversation in the special “HTTP language” might be:
(from the browser) GET /pages/index.html
(from the server after sending the html): HTTP 1.1 200 OK
(this is very rough and abbreviated).
There are other ports open to listen to other computers on the local network: requests for files to be transferred in non-HTTP protocols (like FTP), and most importantly, requests for email.
Some software will OPEN unassigned ports for their own nefarious purposes.
Malicious software that keeps track of every letter typed on the keyboard might open and use such a port. VERY common.
Back to: One time in 1995 I was having fun with a friend of mine. He was pulling a prank on MTV.
MTV had an open port that they weren’t protecting properly. It was the SMTP (EMAIL!) port.
I logged directly into it (rather than send an email) and pretended to be “legal@mtv.com” and then I sent an email to my friend from that address saying he was in “BIG TROUBLE” unless he called immediately and confessed.
Fun things happened.
Most companies (maybe 99.99%) have now covered up basic holes like that and it’s much more difficult.
That said, for every type of software that does any network communication, there are always holes in the ports that are forgotten until someone hacks them and then they are patched.
If there’s a new computer or phone, then there are new security breaches. 100% of the time!
2) PASSWORD LAZINESS
Again, 15 or so years ago, I was in charge of a particular website.
Someone was causing a lot of problems on the site. He was a massive troll and was harassing people.
I tried to reason with him, but he ignored me.
So this is basic hack #2.
Most people use the SAME password for everything, or for most things. Hackers know this.
I looked up the password he was using for my site. I then tried it out on his email site.
BING!
I logged into his email (yes…illegally) and learned everything about him. Then I “messed his email up”. I won’t describe what that means but he wasn’t a problem on the website anymore.
This is what happens to trolls: trolls graduate to worse things. 15 years later this person is now in jail for 30 years to life for first degree murder.
This is a longish post because I’m explaining the basics of something that others have put their 10,000 hours into in order to get really good.
But #1 and #2 are the basics of almost all hacking right now.
There’s a #3 and #4 but they are infinitely more complicated and don’t really work except in the movies.
#3: For instance, “packet sniffing” is when someone hacks into the actual network pipes (or wireless) that sends information from outside of a company into a company.
If you can gather all the packets, and then like a giant puzzle, put them in order, you can see every password and piece of information going into a network. Which is a big assumption.
And then you have to assume that packets aren’t encrypted at the “firewall” level of a company, which they almost always are.
So this method is mostly useless.
#4: BOT ARMIES
This is related to other techniques and probably occurred (and is still occurring) with the Russian hacks.
A “bot” is a small piece of software that sits on your computer and sits on most of the other computers in your company’s network.
A Bot is malicious.
It has some code that is ready to do something bad to your network. It got into your computer through some other technique similar to the Russian hack which we will describe below.
Millions of bots exist on computers around the US. Maybe 70 or 80% of companies are infected with “bot armies”.
They are like sleeper cells waiting for a message to act.
Millions of hours of effort are spent identifying bots and eliminating them from networks.
I once visited a company manned by about 100 PHDs that were trying to figure out how to fight bot armies.
They told me something that stuck with me: “No matter how smart we are, the people creating these bots are smarter”.
The answer then is…who knows. Bad things are happening and there’s nothing we can do about it.
But since networks and security are constantly being updated in various unknown ways each year, it’s often hard for the bots to stay updated. This is probably the best defense. So a “sleeper bot” that infected a computer a year ago might be useless today.
What is the best defense against a bot army? There is really only one if you think you are infected.
THROW OUT your computers, throw out your routers and pipes and everything that created your network and buy totally new computers straight out of the warehouse and then you MIGHT be safe.
If your computer is logged onto the Internet for about ten minutes without any security then there’s a decent chance a bot has infected it.
There’s a #5, #6, #7 but they are more advanced versions of what I described above.
The one exception is not so much a hack INTO the network but a hack that destroys your network called a “denial of service attack”.
Since this is not related to the Russian election hack (yet) I’m not going to deal with it now.
The only thing I will mention is that often the reason a bot army is so dangerous is because they are very effective at initiating denial of service attacks to bring down a network.
When you hear something like, “Netflix was down from a hacker attack today” it usually means a massive bot army sent billions or even trillions of requests for “House of Cards” at the same second to Netflix and the Netflix servers went down.
And since the bot requests are coming from unsuspecting computers all over the world and hitting every open port at Netflix, it is very hard to block.
Congratulations! Those are the ABCs. Now for the more advanced stuff so you, too, can hack election systems on the world’s most powerful country.
B) PHISHING AND SPEAR PHISHING
As opposed to all the movies where hackers are trying to figure out passwords and do packet sniffing, etc. almost all hacking today begins with a Phishing email.
A Phishing email might look like this:
“Dear James,
Someone just tried three times in a row to unsuccessfully log into your Gmail account. At Google, we take security very seriously.
We will be shutting down your Gmail account effective immediately unless you log into our secure site and confirm that the Gmail log-ins were legitimate or not.
We also strongly suggest you change your password when you log into our security site.
Please click HERE to validate your account. Thank you.
– The Google Security Team
”
“HERE” is a link to a page that looks like Google and the URL might be a bit.ly link, which looks somewhat obscure but we are used to seeing obscure shortened links so we might not care.
Once you click on HERE, you did two things:
– you notified the hackers that you are the type of person who can potentially respond to a Phishing attack. So even if you don’t proceed further, you might on the next one (coming, say, from your bank).
– you might type in your password. In which case, not only do the hackers instantly download all of your emails and storage, etc but they have access to your password, which means they probably know your password for Facebook, twitter, your company accounts, etc. (see above).
Millions of these phishing attacks are sent out every day and you can find them usually in your Spam folder. Often the ISP that provides you Internet access will recognize these attacks and block them before you see them.
SPEAR IT:
Which is why SPEAR PHISHING is often more effective and is the technique used in the “Russia hacks”.
SPEAR PHISHING is when the mail is directed very specifically TO YOU. You are “speared”.
This happened when Russian hackers attacked Norman Podesta at the DNC and revealed his various unusual tastes that embarrassed the Democratic campaign of Hillary Clinton.
It’s a spear because very specifically emails were sent to officials at the DNC and although I don’t know what they said, they probably had enough information about the recipient to make it even more likely that they would pass through the network security servers and make it more possible for Podesta to click the link.
In fact, the email was so specific, he apparently sent it to his IT department and said, “Is this real?” and they wrote back right away, “RESPOND TO THAT IMMEDIATELY!” So he did.
He logged into a fake server. Typed in his password, and the rest is history.
Another example of a spear phishing attach worth mentioning:
MALWARE
instead of clicking on a link and typing in a password the Phishing email might say,
“Hey John, here’s the latest info on the delegates in Indiana you should know about”.
Then there’s an attachment. John clicks on it. It’s a simple Microsoft Word document and John is working on a Microsoft Windows machine.
Microsoft Word, every now and then, has a security breach.
MS Word can talk to other pieces of software on the computer. For instance, the software that controls the printer. Or the software that controls the web browser. Or the software that controls the calendar.
And some MS Word documents are much more sophisticated and can download applications right into the operating system.
These applications can never be detected.
For instance, a hack that I “have never done” is where you get someone to accidentally download a “keystroke logger”.
The keystroke logger is installed inside the operating system and can never be detected.
It opens up a new port (see above) and starts sending every key ever typed. So you can get every password for every service the person uses and then do whatever you want.
The port sends all the passwords to a server that is offshore and untraceable. The hacker logs into it and sees all the information about who ever has the malware.
The ONLY solution if you suspect you have been hacked this way: change every password and throw away EVERY computer and phone you own.
I can say for sure: this type of attack works and is more common than people think.
People who are good at this form of attack should never even be allowed to touch a computer or phone because it might only take seconds to execute in one form or other.
C) WHAT WAS THE RUSSIAN SPEAR PHISHING ATTACK
The true answer, despite the NSA leak, is that we don’t know and will never know.
All we know are these facts:
– Some election company was targeted by someone in sophisticated Spear attack.
– This was a “double spear” attack: once the first company was infiltrated, they used fake accounts at the first election company to then launch spear attacks at other election officials.
They speared and then went viral.
For instance, it’s one thing if you get a random email from someone. It’s another if you are an election official in Ohio and you get an email from someone who appears to be working at one of your election software vendors (the first company attacked and infiltrated) and they say, “Hey, we’re just testing the software to make sure Ohio is safe. Click HERE.”
The first successful Spear Phishing led to an even more successful Spear Phishing. Hence the “DOUBLE SPEAR”.
– According to the NSA leak, the initial Spear attack seems to have come from a Russian military team that is set up just to do Spear Phishing attacks against the US.
Similar to teams we probably have set up at the NSA, the CIA, the DIA, the FBI, and probably places with initials we don’t know.
What we DON’T KNOW:
– what information they received from us.
– how they infected the software of the election vendors or the election offices
– if they left any bots or malware behind (e.g. 2020 might be their target and not 2016).
– who told them to do this. This was probably their normal jobs. It’s probably not the case that Putin made a specific call and said, “hack this software election provider”.
It’s more likely they have a general mandate to disrupt our elections all of the time in every possible way. Just like we have teams that do the same. This is not excusing them. This is reality.
What we SUSPECT but DON’T KNOW
– Did Trump, or someone from Trump’s camp, talk to Putin, or someone from Putin’s camp and said “don’t just disrupt the election but do something specific that hurts Hillary and helps Trump.”
We simply don’t know that although the inference is often made because the attack on Podesta seems like this attack was very focused on Democrats.
That said, Podesta and his IT team were particularly foolish and even Obama, afterwards, said, no election services were effected. But….he would really have no idea. Nobody would.
– WHAT SPECIFIC VENDORS WERE ATTACKED AND WHAT DAMAGE COULD THEY CAUSE?
According to the NSA leak, it’s still very unclear. Some possibilities.
A) VR SYSTEMS (and probably similar companies)
VR Systems makes an electronic poll book. This has nothing to do with counting votes.
This has entirely to do with how people register to vote.
For instance, when people come into vote they are either registered to vote or not. A database needs to be checked (it used to be all on paper until fairly recently).
The electronic poll book allows for quick checking, and even registering of new voters.
Two very bad things can happen if pollbook companies like VR are effected:
A) REGISTRATION SCREWUPS
Any damage or interference on an electronic poll book could cause voter turmoil among a targeted class of voters (e.g. Democrats, or people from a specific county, etc).
It doesn’t stop people from voting (there are backup ways to find out who is registered) but can make it so inconvenient that people give up.
If the Russians wanted the Republicans to win, for instance, they can disrupt or slowdown the registration checking process in mostly Democratic counties.
B) DEEPER PHISHING
Companies like VR Systems are in email contact with election officials in every state. It could be that pollbooks / registration systems were not the final target but a leaping off point for a deeper Spear Phishing attack.
An election official in Indiana can get an email from VR (as described above) that says, “Doing a last minute check. Click HERE”. And now the entire Indiana election system is in question FOREVER.
Not only registrations but these election officials are presumably also in contact with the software companies that COUNT votes. These companies can now be targeted for future elections.
My guess is this is what happened and the attacks are far from over.
– WHO IS GUILTY?
Possible guilty parties that have been mentioned include Russia, rogue groups within Russa, the Russian military that operated independently from Putin.
On the American side, guilty parties mentioned include: Trump, Jared Kushner, other people working for Trump, the Republican party, rogue participants that wanted influence, etc.
It’s also possible that Putin wanted Trump elected, he got his people to hack, and he never notified Trump’s team of this at all. There is no law broken here. But if evidence is found that this is true, some punishment (sanctions, tariffs, cyber warfare) would have to be put in place.
What do we know?
Nothing.
What is legal?
Unclear.
It’s grossly illegal to effect a US election.
But it’s also VERY UNLIKELY Trump (or anyone hired by Trump) simply called Putin (or anyone working for Putin) and said, “use your hackers to make sure I win the election.”
That would be incredibly stupid and so obviously illegal as to defy belief.
Here’s the worst case scenario: someone maybe working for Russia (maybe!) called someone maybe working for Trump (maybe!) and said, “we can do something” and the Trump person most likely said, inappropriately, “I don’t want to hear about it but…I DON’T want to hear about it”. In other words, a wink.
But this is not illegal. If this happened (which is just my worst-case scenario guess), the American side could have said, “Don’t do anything” but that might be just as illegal also (to have any communication whatsoever with a bad participant).
This is where guys like Comey and Flynn get involved and we still don’t know the extent of what they knew and who they spoke to.
The law is very unclear on ALL of this and even Democrat-leaning lawyer Alan Dershowitz has stated no crime was committed by a US citizen in terms of this attack or any influence on the elections. And Barak Obama, probably prematurely, said there was no direct attack on the US election system.
But….we don’t know and never will.
WHY IS THIS IMPORTANT?
So many US elections have been improperly influenced (Nixon 1972 is most prominent as an attempt to influence, Reagan 1980 and his pre-election discussions with Iran were an influence, Kennedy in 1960 in Chicago was an influence, and probably every pre-Kennedy election) that it is not a trivial issue.
Every year there are improvements to the systems to prevent any influence. A lack of faith in the election system would be a lack of faith in the entire republic that the system creates.
As much as I dislike the way the system is built and think there are opportunities to rebuild from the ground up, this is the reality and the law.
CAN HACKERS EFFECT THE SYSTEM?
Yes, and they probably have, and their ability to do so again is probably stronger than ever.
ARE AMERICANS INVOLVED?
No, probably not. When you let the thief in door, nobody is safe, not even people who think they are colluding. Everyone knows this.
BUT…Americans certainly hack the elections of others just like many attempt to hack our elections. This is my guess but why wouldn’t it be true?
CONCLUSION:
A) The US election system is hacked beyond belief.
– Passwords of top officials are known
– Computers are sending every keystroke to bad agents
– Bot armies are ready to shut down election centers at the press of a button
– registration software is probably hopelessly infected
– vote counting software is probably effected but this is much more difficult since there are many backup systems for storage and replication of counting.
B) Hacking is not difficult.
When a team of fairly intelligent people are spending 24 hours a day trying to infiltrate 100s of companies, bad things are unavoidable. There is no stopping this.
C) WHAT CAN WE DO?
1) Awareness is the key.
– party officials can be hacked and embarrassed (Podesta, Hillary, etc), grossly effecting elections.
– registration software can be hacked. Awareness includes backup systems that are disconnected from each other and used to check each other’s work.
– vote counting software can be hacked.
– electors, congressman, election officials can be blackmailed when their emails are read.
2) Punishment of bad parties
At the hint of any other government involvement (or even country involvement without the government being aware) we should threaten immediate sanctions that can’t be stopped without some sort of super majority in Congress.
This would incentivize other governments to work to prevent any hacking of our elections.
3) Mutual Assured Destruction
While cyber warfare is different than nuclear warfare, we should certainly scale up our own efforts to be “bad agents” towards every other government.
Knowledge is power and, unfortunately, hacking gets the knowledge.
4) What about fixing the problem on our side?
Answer: it CANNOT be fixed with better software. Again, however smart the “good agents” are, the “bad agents” are simply smarter and it’s easier to break in than to block.
HAVE I LEFT ANYTHING OUT?
Yes.
I’ve left many many things out. These are the basics.
But the basics provide enough knowledge to understand what is happening in the news, how to learn more about basic hacking, what actually probably happened in the US election, and what the probable involvement of everyone was.
I’m sure we’ll be learning more. But we’re not going to be learning that much more .
The reality is: we were hacked more than will ever be revealed. And the hacking will cause damage.
And like the 44 elections prior, most of which have been manipulated, the US will survive, flourish, and move forward like it always has done.