Wednesday, April 27, 2016

Twist: Clinton Even Bit-Flips Controversy Away?

Earlier today I made an interesting find. There is a website, wontvotehillary.com, where people sign a pledge not to vote for her, under any circumstances. While showing this to a friend, he accidentally typed in wontvotehilary.com, forgetting the second l. The domain resolved to what appeared to be some type of malicious website, and he quickly exited the page. This is an attack called key-squatting (typosquatting), which takes advantage of mistyped or misspelled domain names to direct the client's query to an unintended destination server with a similar domain. Typically this is done for nefarious reasons, sometimes for IP-address harvesting, but usually to serve malicious JavaScript code.

Further investigating the issue, I discovered another one, but this time it looked like a site possibly being prepped for a bitsquat attack. Initially I anonymously notified the author. Next I enumerated all of the possible bit or key squats and checked to see which are currently registered. Out of 396 potential similar domains, two were active. (Links don't go to the sites themselves, rather to Shodan):


Original*   wontvotehillary.com    208.113.222.56 (real site)
-----------------------------------------------------------------------------------------------------------------
Omission    wontvotehilary.com     174.137.132.28 (keyflip or 'typo' attack site)
Subdomain   wontvoteh.illary.com   198.64.249.65  (keyflip with bitsquat potential?)



Turns out that the same thing is happening for superdelegatelist.com, which is a website where constituents can get in touch with their superdelegates and try to tell them to vote the way that the people vote in their states:

Original*      superdelegatelist.com    208.113.223.13
----------------------------------------------------------------------------------------------------------------------
Bitsquatting   superdelagatelist.com    141.8.224.93
Subdomain      super.delegatelist.com   178.79.174.192
Subdomain      superdele.gatelist.com   104.130.124.96 (Cloudflare, go figure)
Subdomain      superdelega.telist.com   72.52.4.119
Subdomain      superdelegate.list.com   141.8.224.183
Subdomain      superdelegatel.ist.com   109.235.170.97

And what do you know, looks like berniesanders.com could also be targeted...

Original*       berniesanders.com      104.16.42.58
------------------------------------------------------------------------------------
Bitsquatting    ferniesanders.com      192.64.119.18
Bitsquatting    barniesanders.com      141.8.224.169
Bitsquatting    burniesanders.com      168.235.79.101
Bitsquatting    berniesandars.com      50.63.202.39
Homoglyph       berniesamders.com      185.53.177.7
Homoglyph       bermiesanders.com      141.8.224.183
Homoglyph       berniesandlers.com     141.8.224.93
Hyphenation     bernie-sanders.com     104.131.97.43
Insertion       berniewsanders.com     174.137.132.28
Insertion       brerniesanders.com     174.137.132.28
Insertion       bereniesanders.com     103.224.182.226
Insertion       berniersanders.com     158.69.143.80
Insertion       berniesandeers.com     141.8.224.93
Insertion       beerniesanders.com     184.168.221.60
Insertion       berniesansders.com     141.8.224.93
Insertion       berniesanderes.com     174.137.132.28
Insertion       berniessanders.com     141.8.224.93
Omission        berniesandrs.com       141.8.224.93
Omission        berniesandes.com       185.53.177.7
Omission        beniesanders.com       51.254.28.161
Omission        beriesanders.com       174.137.132.28
Omission        bernesanders.com       192.64.147.196
Omission        erniesanders.com       141.8.224.93
Omission        bernisanders.com       199.59.243.120
Omission        berniesander.com       50.63.202.17
Omission        berniesaders.com       185.53.177.7
Omission        brniesanders.com       141.8.224.93
Omission        bernieanders.com       199.59.243.120
Omission        berniesaners.com       74.208.178.101
Omission        berniesnders.com       141.8.224.93
Repetition      bberniesanders.com     141.8.224.93
Repetition      bernniesanders.com     141.8.224.169
Replacement     berniessnders.com      141.8.224.93
Replacement     beeniesanders.com      141.8.224.93
Replacement     berniesandrrs.com      141.8.224.93
Replacement     berniesabders.com      141.8.224.93
Replacement     betniesanders.com      141.8.224.93
Replacement     bernirsanders.com      185.53.177.7
Replacement     berniesandera.com      141.8.224.169
Replacement     berbiesanders.com      141.8.224.93
Replacement     verniesanders.com      184.168.221.39
Replacement     bernuesanders.com      141.8.224.93
Replacement     berniesandwrs.com      54.72.9.51
Replacement     bernoesanders.com      141.8.224.93
Replacement     berniwsanders.com      185.53.177.8
Replacement     berniedanders.com      141.8.224.169
Replacement     nerniesanders.com      54.72.9.51
Replacement     bernissanders.com      141.8.224.169
Subdomain       b.erniesanders.com     141.8.224.93
Subdomain       be.rniesanders.com     141.8.224.169
Subdomain       berni.esanders.com     208.73.210.217
Subdomain       berniesa.nders.com     98.124.245.24
Subdomain       berniesan.ders.com     98.124.199.24
Transposition   benriesanders.com      174.137.132.28
Transposition   berinesanders.com      174.137.132.28
Transposition   berneisanders.com      185.53.177.7
Transposition   berniesnaders.com      141.8.224.93
Transposition   berniesandres.com      185.53.179.9
Various         wwwberniesanders.com   185.53.178.6


And just for a static record, here are dig queries of the domains as of last night:

$ dig wontvoteh.illary.com
; <<>> DiG  <<>> wontvoteh.illary.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22876
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;wontvoteh.illary.com.        IN    A
;; ANSWER SECTION:
wontvoteh.illary.com.    86400    IN    A    198.64.249.65
;; AUTHORITY SECTION:
illary.com.        172799    IN    NS    ns14.databasemart.net.
illary.com.        172799    IN    NS    ns13.databasemart.net.
illary.com.        172799    IN    NS    ns5.databasemart.net.
illary.com.        172799    IN    NS    ns6.databasemart.net.
;; ADDITIONAL SECTION:
ns13.databasemart.net.    172799    IN    A    45.35.0.97
ns14.databasemart.net.    172799    IN    A    67.211.45.3
;; Query time: 866 msec
;; SERVER: 10.69.69.69#53(10.69.69.69)
;; WHEN: Wed Apr 27 06:49:38 EDT 2016
;; MSG SIZE  rcvd: 187


$ dig wontvotehilary.com
; <<>> DiG  <<>> wontvotehilary.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13424
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;wontvotehilary.com.        IN    A
;; ANSWER SECTION:
wontvotehilary.com.    1800    IN    A    174.137.132.28
;; AUTHORITY SECTION:
wontvotehilary.com.    172800    IN    NS    is2.domainingdepot.com.
wontvotehilary.com.    172800    IN    NS    is1.domainingdepot.com.
;; ADDITIONAL SECTION:
is1.domainingdepot.com.    167262    IN    A    174.137.132.44
is2.domainingdepot.com.    167262    IN    A    174.137.132.44
;; Query time: 327 msec
;; SERVER: 10.69.69.69#53(10.69.69.69)
;; WHEN: Wed Apr 27 06:50:28 EDT 2016
;; MSG SIZE  rcvd: 146

This attack is possible due to uncontrollable circumstances such as cosmic rays, excessive heat, poor quality RAM or capacitors, and other unpredictable environmental phenomena affecting computer memory. DEF CON had a presentation on DNS bit-flipping (which you should watch if you want to understand the attack), which is what it would appear that her campaign may be doing. Basically, an anomaly occurs in memory, and characters whose ASCII codes differ by only one bit can become different characters, provided the computer, for whatever reason, reads the data incorrectly. Related, from the Wikipedia page, this is how a bit-flip attack works:

A bit-flipping attack is an attack on a cryptographic cipher in which the attacker can change the ciphertext in such a way as to result in a predictable change of the plaintext, although the attacker is not able to learn the plaintext itself. Note that this type of attack is not—directly—against the cipher itself (as cryptanalysis of it would be), but against a particular message or series of messages. In the extreme, this could become a Denial of service attack against all messages on a particular channel using that cipher.[1]
The attack is especially dangerous when the attacker knows the format of the message. In such a situation, the attacker can turn it into a similar message but one in which some important information is altered. For example, a change in the destination address might alter the message route in a way that will force re-encryption with a weaker cipher, thus possibly making it easier for an attacker to decipher the message.

When applied to digital signatures, the attacker might be able to change a promissory note stating "I owe you $10.00" into one stating "I owe you $10000".

Or from "wontvotehillary.com" to "wontvoteh.illary.com"..? In this case it's plain-text DNS that's affected rather than cryptographic errors. This type of error can occur on either the client machine, or somewhere along the route, probably at the DNS server. For more information, see this. I am not sure if character additions happen in bit errors, but I wouldn't doubt that's possible. Even if not, then it certainly has key squat potential, but with a lower probability of a hit than from the missing "l" domain.
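As an added example (my own script, not the author's tooling) for the enumeration described earlier and the bit-flip mechanism above: this Python generates every single-bit-flip variant of a domain's second-level label that is still a valid hostname, and checks whether a given lookalike is one bit away from the original. The domain names it uses are the ones from this post.

```python
"""Added example: enumerate single-bit-flip ("bitsquat") variants of a domain
and check whether a suspicious lookalike is actually one bit away from it.
Domain names used below are the ones discussed in this post."""
import string

# Letters, digits and hyphen: the only characters a resolvable label can hold.
LDH = set(string.ascii_lowercase + string.digits + "-")


def bitsquats(domain):
    """Return every domain reachable from `domain` by flipping exactly one bit
    in one character of the second-level label; the TLD is left untouched."""
    label, tld = domain.lower().rsplit(".", 1)
    found = set()
    for i, ch in enumerate(label):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            # Skip non-ASCII, uppercase (DNS is case-insensitive, so it would
            # still resolve to the real name) and anything outside LDH.
            if flipped not in LDH:
                continue
            cand = label[:i] + flipped + label[i + 1:]
            if cand[0] == "-" or cand[-1] == "-":
                continue  # labels may not start or end with a hyphen
            found.add(cand + "." + tld)
    return found


def classify(original, lookalike):
    """'bitflip' if `lookalike` is one bit away from `original`, else 'typo'.
    A lookalike of a different length (a dropped letter, an inserted dot)
    cannot be produced by a single bit error in memory."""
    if len(lookalike) != len(original):
        return "typo"
    return "bitflip" if lookalike.lower() in bitsquats(original) else "typo"


if __name__ == "__main__":
    for d in sorted(bitsquats("berniesanders.com")):
        print(d)
    checks = [("berniesanders.com", "ferniesanders.com"),
              ("wontvotehillary.com", "wontvotehilary.com"),
              ("wontvotehillary.com", "wontvoteh.illary.com")]
    for orig, look in checks:
        print(look, "->", classify(orig, look))
```

Feeding the candidate list to a resolver (as the author did with dig) is what turns this into a registration check; the classifier separates the "Bitsquatting" rows in the tables above from the keyboard-typo categories.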

For obvious reasons, I did not want to look much more into it beyond that. The point is, first it was million dollar trolls going after Bernie supporters. Now this suggests there is more under the surface, and perhaps that the Secretary is less "for us" than she claims. If she indeed has a cyber mercenary force working with her campaign, then that is disturbing. Imagine what she would do as president, armed with the NSA? Ask yourself, who else stands to gain from trying to pull off this kind of sophisticated attack? To be fair, it is possible, although unlikely, that these domains were registered by someone else, who has no affiliation with her campaign, perhaps a security researcher.

Couple this with the Sanders Facebook groups vanishing due to hilltrolls plastering porn all over them or something, and the fact that she (and Trump, disappointingly) also mocked the concept of free speech on the internet, and you've got a recipe for disaster. I guess that we know #WhichHillary won this week. Now you should have little doubt that she will censor and manipulate our internet. Since you're at this blog, I assume that internet freedom is somewhat important to you. Bernie is for the internet. Alas, at least Trump said "We need to talk to Bill Gates and some of these people that really know what's happening ..." before claiming we may have to "shut down the internet in some of the places." That shows Trump is quite old-school and rather ill-informed on technology. The only silver lining is that he is admitting that he needs to talk to someone that knows something, even if he's confused about whom that may be. Besides, I would like to think that Gates would tell Trump that he's wrong. Hillary appears to have already started attacking the internet. She can't earn our respect, she can't magically erase public record, and she can't get away with flip-flopping policies as easily these days. Instead of trying to earn our votes, she hired an army of trolls to make it look like she has inspired the people. I'm sorry Madam Secretary, but you simply cannot buy passion. These people are incredibly easy to spot on the net. Their aura of inauthenticity is blatantly obvious, even after radiating through thousands of miles of fiber-optic cable.

So that's just one more reason why you should probably sign the pledge on the real site, http://wontvotehillary.com . I was going to write a boring blog about how Hillary Clinton made me dislike Hillary Clinton, but then she pretty much made the case for me.
