Discussion: Prosecutors: Russian Hackers Exploited US Cyber Vulnerability

I am a patient man, at my age. And I know that if I wait, patiently, long enough, I am going to eventually find out how the Alpha Bank server located inside Trump Tower during the Presidential Campaign, fits in with all of this.

5 Likes

One of their carefully crafted fraudulent emails had hit pay dirt, enticing an employee to click a link and enter her password.

And the amount of free software out there available to prevent stuff like this over the last ten years might’ve prevented this in the first place.

I had an IT manager once upon a time (in the 90’s, to be honest) who decided that NO one would get access to the internet because he didn’t want to be responsible for a hack. That was then. Apparently the DNC was no better just five years ago.

2 Likes

From the above, “Despite the use of U.S.-based servers, such vendors typically aren’t legally liable for criminal activities unless it can be proved in federal court that the operator was party to the criminal activity.”

I know this is a bit wonky, and perhaps a bit off topic, but the above comment illustrates exactly why the Internet and its infrastructure should be considered a “Public Utility”. Every law which governs the criminal and civil penalties is supported on the foundation of “Public Utility” jurisprudence. This is another clear difference between the Parties. The GOP has supported treating it like an open marketplace, not a utility that all societies should be guaranteed and required, such as roads, power, and water. The Democrats believe that the internet should be treated the same.

5 Likes

Dana Milbank has a “smart” headline and a decent article on all this:

2 Likes

Weeeeeelll … sure, they obviously could have done better than they did. But, for a bit of perspective, cybersecurity is my Day Job, and it is a maxim that 100% prevention is basically impossible, and anyone promising such a thing is (a) either confused or dishonest, and (b) definitely selling something. The goal is to keep as much stuff as possible out, but also to understand that a sufficiently advanced, determined, persistent, and/or lucky adversary will eventually get in. At that point, the game becomes one of limiting the damage through a combination of segmenting your network and having decent monitoring and detection systems.

This is why a physical bank location has both a stout lock on the door and motion detectors on the inside.

Not excusing any lapses. Just want to point out that the mere fact that a breach occurred is not automatically evidence of incompetence.

3 Likes

The sad part is that all of this is part of standard anti-phishing practices and subsequent security architecture.

  1. Obviously a lot of the people at the DNC weren’t very computer literate. In Outlook, if you get an embedded link that you even slightly doubt (and if you don’t know the sender, you doubt strongly), at a minimum hover over the link and see where it goes. And make sure that anything that tries to install and/or alter anything goes through the annoying but useful Windows elevation popups, and require passwords even if the user is otherwise privileged enough.

  2. As pointed out by @becca656, there is quite a bit of free software out there. The good stuff comes with the paid upgrades or is commercial. And something like Symantec is still the first line of defense: Adguard is second (the paid version, which can check stuff like email), and the various free adware scanners, which tend to be more aggressive in terms of who goes on their blacklist. Oh yes, Norton can be set up to maintain a white list of anything that tries to talk to the outside world and in any event there are a million other software firewalls (many free) out there for Windows. A lot of them know about evil network activity. It’s not just where they’re connecting (I’m sure the malware knows how to use reasonable targets, e.g. probably not http:/ /docdump.fsb.gov.ru – don’t click on that link, I made it up and who knows where it goes.) It’s who’s requesting the connection. Note that Win 10 and standard corporate security software are fairly nasty about jumping on anything that causes the signatures of executables to change.

  3. Run backups (with incrementals) and/or have users use a shared network drive for their documents. Then make it easy to reimage the machine at the slightest hint of problems. Reimaging is still the most effective anti-malware tool out there.

  4. Quit hiring pseudo-Dems like Debbie Wasserman Schultz and have professional managers run the place. The DNC proper is basically a board of trustees; someone who knows what they’re doing should be actually doing the CIO functions. And for God’s sake, don’t hire politically connected IT contractors, who tend not to be top-notch talent.

1 Like
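The “hover over the link and see where it goes” check in point 1 above can be automated at the mail gateway. The following is an added example, not code from the thread or from any DNC or vendor tooling: it parses an HTML body, pairs each link’s visible text with its real destination, and flags the cases a hover would reveal (displayed domain differs from the actual host, raw IP address as host, punycode host). The sample email, its domains (example.com, the reserved .test TLD) and the 192.0.2.10 address are all constructed for the demonstration.

```python
"""Added example: flag links whose visible text points somewhere other than their
real destination, the check the post above says a user should do by hovering.
Not code from the original thread. Domains and addresses are constructed
(example.com, the reserved .test TLD, RFC 5737 192.0.2.0/24)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample phishing-style HTML body (not a real DNC email).
SAMPLE_EMAIL = """\
<p>We detected unusual sign-in activity on your account. Review it here:</p>
<p><a href="http://accounts-example-com.login-check.test/reset?u=jdoe">https://accounts.example.com/security</a></p>
<p>Or open <a href="https://docs.example.com/share/42">the shared document</a>.</p>
<p>Questions? Contact the <a href="http://192.0.2.10/help">help desk</a>.</p>
"""

# Matches something that looks like a hostname inside the visible link text.
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)
IPV4_LITERAL = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Normalise whitespace in the visible text.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registered_domain(host):
    """Naive eTLD+1: the last two labels. Good enough for this demo; a real tool
    would consult a public-suffix list so that e.g. 'example.co.uk' is right."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def audit_links(html):
    """Return a list of (finding, visible_text, actual_host) for suspicious links."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https"):
            continue  # mailto:, tel:, etc. carry no web destination to compare
        actual = (parsed.hostname or "").lower()
        shown = HOST_IN_TEXT.search(text)
        if shown and registered_domain(shown.group(1)) != registered_domain(actual):
            # The text shows one site, the link goes to another: the classic lure.
            findings.append(("DISPLAY_MISMATCH", text, actual))
        elif IPV4_LITERAL.fullmatch(actual):
            findings.append(("IP_LITERAL_HOST", text, actual))
        elif actual.startswith("xn--") or ".xn--" in actual:
            # Punycode label: possible homograph of a familiar brand name.
            findings.append(("PUNYCODE_HOST", text, actual))
    return findings


if __name__ == "__main__":
    for finding in audit_links(SAMPLE_EMAIL):
        print(*finding, sep="\t")
```

Run against the constructed body, the first link is reported as a display mismatch (text says accounts.example.com, destination is login-check.test) and the help-desk link as an IP-literal host; the document link, whose text names no host, produces nothing. Links with no hostname in their text cannot be checked this way, which is exactly why a gateway check complements, rather than replaces, the hover habit.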

Sorry but this is pathetic. The vulnerability is that computers exist? I won’t be surprised if hackers did indeed exploit a vulnerability (or several) but I don’t see anything in this article describing what that vulnerability (or several) might be.

However, you would think an organization with the high visibility of the DNC would be a little more careful. It may not be incompetence, but it certainly doesn’t instill any kind of confidence.

ETA: and for the record, I’m a software applications consultant - have been for 23 years. There isn’t an organization I’ve worked for that hasn’t had some kind of firewall. Did the DNC think they were a special case that would never be broken?

Once hackers gained access to the DCCC network, it searched one computer for terms that included “hillary,” ”cruz,” and “trump” and copied select folders, including “Benghazi Investigations.”

Of course they did. Because they knew that when it came time to shop their ill-gotten wares to the GOP, nothing would capture their avaricious little hearts more than being able to offer info on Benghazi! Benghazi! Benghazi!

(Credit to Charlie Pierce for this excellent way of depicting the GOP’s unhealthy obsession with Benghazi)

1 Like

Your mileage may vary, and I have no specific knowledge of the defenses that the DNC had in place (and if I did, I couldn’t comment here), but from the public information I’ve seen, I would presume that they did have the usual defenses in place – network firewall, endpoint antivirus software, email filters, and so on.

Modern advanced attackers know how to function, and even thrive, in environments with the “usual” defenses.

So you use customized malware that doesn’t get detected by the usual signatures. So you use targeted email links to trick users (and it only takes one person with one moment of inattention) into clicking on something. And once you’ve conned an authorized user into doing something on their own system, most of the traditional tools are blind to that. Once you’ve obtained actual credentials that you can use to log in as that person, many defenses can no longer tell the difference between the real user and the imposter.

When you’re up against a skilled and well resourced adversary, it’s a different ball game.

Again, I’m not saying that there weren’t lapses. Obviously there were. But I think they happened at a more advanced level than “you didn’t lock the front door, you idiots”.

3 Likes
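The post above makes the point that once an attacker holds real credentials, the login itself looks legitimate. What still differs is behaviour: where the user normally signs in from, and whether two sign-ins a few minutes apart could plausibly be the same person. The following is an added example, not the poster’s code or anything from the DNC case. It runs two such checks over a constructed authentication log (addresses from the RFC 5737 documentation ranges, fictitious user names): a successful login from a source /24 never seen for that user during a learning period, and two successes for one user from different /24s inside a short window.

```python
"""Added example, not from the thread: spotting a stolen-credential login that
passes authentication but does not look like the real user. Log lines are
constructed; addresses come from the RFC 5737 documentation ranges."""
import ipaddress
from datetime import datetime, timedelta

# Constructed authentication log. One line per login attempt:
# <ISO-8601 UTC timestamp> user=<name> src=<IPv4> result=success|failure
SAMPLE_LOG = """\
2016-04-11T09:02:10Z user=jdoe src=198.51.100.23 result=success
2016-04-12T08:57:41Z user=jdoe src=198.51.100.23 result=success
2016-04-12T10:00:00Z user=asmith src=198.51.100.50 result=success
2016-04-13T09:10:05Z user=jdoe src=198.51.100.24 result=success
2016-04-18T09:01:33Z user=jdoe src=198.51.100.23 result=success
2016-04-18T09:06:12Z user=jdoe src=203.0.113.77 result=success
2016-04-18T09:07:40Z user=jdoe src=203.0.113.77 result=failure
2016-04-18T10:15:00Z user=asmith src=198.51.100.50 result=success
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_log(text):
    """Parse the key=value log format above into a time-ordered list of events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        f = dict(p.split("=", 1) for p in pairs)
        events.append({
            "ts": datetime.strptime(ts, TS_FORMAT),
            "user": f["user"],
            # Collapse the source address to its /24 so DHCP churn inside one
            # office network does not look like a new location.
            "net": ipaddress.ip_interface(f"{f['src']}/24").network,
            "ok": f["result"] == "success",
        })
    return sorted(events, key=lambda e: e["ts"])


def learn_baseline(events, learning_until):
    """Per-user set of source /24s seen in successful logins before the cutoff."""
    cutoff = datetime.strptime(learning_until, TS_FORMAT)
    base = {}
    for e in events:
        if e["ok"] and e["ts"] < cutoff:
            base.setdefault(e["user"], set()).add(e["net"])
    return base


def detect(events, learning_until, window=timedelta(minutes=15)):
    """Two cheap behavioural checks that a password-only defence cannot make.
    NEW_SOURCE_NETWORK: success from a /24 never seen for this user in the baseline.
    CONCURRENT_SOURCES: two successes for one user from different /24s within `window`.
    Returns alert tuples in log order."""
    cutoff = datetime.strptime(learning_until, TS_FORMAT)
    base = learn_baseline(events, learning_until)
    alerts, last_ok = [], {}
    for e in events:
        if not e["ok"]:
            continue  # failed attempts are a separate (brute-force) signal
        if e["ts"] >= cutoff and e["net"] not in base.get(e["user"], set()):
            alerts.append(("NEW_SOURCE_NETWORK", e["user"], str(e["net"]),
                           e["ts"].strftime(TS_FORMAT)))
        prev = last_ok.get(e["user"])
        if prev and prev[1] != e["net"] and e["ts"] - prev[0] <= window:
            alerts.append(("CONCURRENT_SOURCES", e["user"], str(prev[1]), str(e["net"])))
        last_ok[e["user"]] = (e["ts"], e["net"])
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG), learning_until="2016-04-18T00:00:00Z"):
        print(*alert, sep="\t")
```

On the constructed log, jdoe’s 09:06 login from 203.0.113.77 is a valid password accepted by the server, and it still produces both alerts: the /24 was never seen for that user, and the same account was active from the office network five minutes earlier. The /24 grouping and the 15-minute window are tuning knobs; a production system would add device identity and geolocation, but the shape of the check is the same.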

Thanks for sharing.

I doubt many organizations have been expecting to need military grade security (and who could afford it, how would they judge efficacy???). As we now see, that expectation is incorrect. In an ideal world, our government would be taking a lead in detecting & defending against cyber-attacks. But again, who imagined our government itself was riddled with Russian agents??!!

Security is difficult. That’s why I was skeptical months ago when various state elections officials assured us “our data was never breached.” How would they really know that?

1 Like

Two years ago, I’ll bet that John Podesta did not know what a “phishing” email was. He does now.

1 Like