DNC Comms Guy Mocked Story Saying DNC Is Bad At Cybersecurity; Revealed Because DNC Is Bad At Cybersecurity

from the karma dept

Mon, Jul 25th 2016 6:26am — Mike Masnick

Protip: maybe don't laugh off accusations that you're bad at cybersecurity in emails on a network that has already been infiltrated by hackers. That message did not make it through to one Eric Walker, deputy communications director for the Democratic National Committee. As you've heard by now, the DNC got hacked and all the emails were posted on Wikileaks. An anonymous user in our comments pointed us to a now revealed email from Walker brushing off a story in BuzzFeed, quoting cybersecurity professionals arguing that both the RNC and the DNC are bad at cybersecurity, mainly because they're handing out USB keys at their conventions.

Reporters who registered for the Republican and Democratic National Conventions were given tote bags by convention organizers filled with instructions and logistical information. Buried inside the totes were thumb drives, also known as USB flash drives, with information on the upcoming events.

“Who does that anymore? It’s just asking to get infected with any variety of malware,” said Ajay Arora, CEO of VERA, a cybersecurity firm. “Those thumb drives are the number one way to infect a computer… It is borderline stupidity to give them out to people, or for people to even think of using them.”

Thumb drives are known within the cybersecurity world for their fundamental security weaknesses, because when someone plugs a thumb drive into their computers they are opening up their system to anything on that drive — from the best hotels to stay in during the Republican National Convention to a virus that silently uploads itself onto the hard drive. Neither the Republican or Democratic National Committees replied to a BuzzFeed News inquiry about the thumb drives.

That's a reasonable assessment. It's dumb to hand out USB keys these days and anyone should be aware of that by now. But Walker's email sarcastically mocked this:

The thesis: we hand out thumb drives at events, which could infect the reporters/attendees' computers. So that means that we're bad at cybersecurity. Okay.

Well, truth be told, there are many reasons why you may be bad at cybersecurity, including the fact that you apparently let a group of hackers sit on your network for a year or more. But also, handing out USB keys is a super bad idea too.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: cybersecurity, dnc, dnc leak, eric walker, usb keys

45 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

That Anonymous Coward (profile), 25 Jul 2016 @ 6:44am

Not only are they bad at cyber security, they missed a golden opportunity to infect the systems of those covering them so they could see what stories were coming and get ahead of them.

Just curious... whats the over/under on finding out the DNC hack was caused by a flash drive?
[ link to this | view in chronology ]
- Anonymous Coward, 25 Jul 2016 @ 7:20am
  
  Re:
  Does it really matter? It's like having a drunk orgy and wondering which one got you off. It really does not matter how because the payload WAS delivered...
  
  There is likely more shit that happened that WILL be kept under wraps.
  
  What IS entertaining about all of this is the faux surprise. Like the Emperors New Clothes, they were very open about their corruption, just DARED anyone to prove it, and now someone did.
  
  Please raise your hand if you were the moron that thought the DNC were honest and upstanding folk. Congratulations, you make a terrible citizen.
  [ link to this | view in chronology ]
- Anonymous Coward, 25 Jul 2016 @ 7:52am
  
  Re:
  they missed a golden opportunity to infect the systems of those covering them so they could see what stories were coming and get ahead of them
  
  Seeing as how they were dictating the stories, I don't really see where this would have gotten them.
  [ link to this | view in chronology ]
  - Anonymous Coward, 25 Jul 2016 @ 8:24am
    
    Re: Re: Infecting reporters
    Seeing as how they were dictating the stories, I don't really see where this would have gotten them.
    It could have gotten them a "security review" that ultimately concluded they were extremely thoughtless, but that the hacking showed no evidence of criminal intent and did not warrant prosecution. ;)
    [ link to this | view in chronology ]
Anonymous Coward, 25 Jul 2016 @ 7:05am

With Autoplay turned off completely, is Bad USB that common already?
[ link to this | view in chronology ]
- That Anonymous Coward (profile), 25 Jul 2016 @ 7:40am
  
  Re:
  It can be.
  BadUSB works on screwing with the firmware so just plugging it in can own the machine. There is no way to see whats happening when you plug the drive in, and if you don't watch closely you might miss "extra" drivers being added.
  [ link to this | view in chronology ]
  - Anonymous Coward, 25 Jul 2016 @ 9:15am
    
    Re: Re:
    I would say this is the only reason why USB is really an issue now. Since the code is public, anyone can really create their own virus and upload new firmware: https://github.com/brandonlw/Psychson
    
    The fact that you can backdoor every O/S with it, makes it a pretty big deal that really should have been fixed with USB 3.1 or C. Anything from cheap thumb drives, to charges could create a huge botnet now.
    [ link to this | view in chronology ]
    - JoeCool (profile), 25 Jul 2016 @ 9:38am
      
      Re: Re: Re:
      That updates the firmware of the USB stick, not the computer. It's used to do things like forbid the stick from booting, even on a computer capable of booting from a USB stick. It is NOT capable of backdooring "every" OS... in fact, it probably can't backdoor any of them without a little help from the user (trojan horse, not a virus).
      
      It's fairly clear that most people have no idea how USB works in general, much less USB sticks. The danger is in people running apps that contain exploits, not viruses on the stick itself.
      [ link to this | view in chronology ]
      - Anonymous Coward, 25 Jul 2016 @ 10:16am
        
        Re: Re: Re: Re:
        What? You upload custom firmware to the USB stick which gets run on driver loading. So depending on what you want to hack Linux, Windows, or OSX, you create a program to do whatever you want. My personal opinion would be to install a Rubber Ducky payload on a hidden partition. http://usbrubberducky.com/#!index.md
        This is basically a keyboard emulator and scripting language, so you can pretty much do a lot. Some samples can even be generated quickly for windows: http://ducktoolkit-411.rhcloud.com/Home.jsp
        [ link to this | view in chronology ]
    - Anonymous Coward, 25 Jul 2016 @ 9:38am
      
      Re: Re: Re:
      The problem with bad USB is not the basic USN specs themselves, but rather the automatic loading and connection of the device to a driver for they type of device it identifies itself as. It is a case of convenience providing the loophole for security violations. The mitigation of this would be for the OS to query before connecting whenever it sees HID device being plugged in, except for reserved ports for mouse and keyboard. (It would be a bit difficult to authorize a keyboard when it is the keyboard you intend to use being plugged in).
      [ link to this | view in chronology ]
      - Anonymous Coward, 25 Jul 2016 @ 2:25pm
        
        Re: Re: Re: Re:
        The problem with only allowing ports for keyboard and mouse devices is, right now, the BEST way to use BadUSB is to install a fake keyboard to run whatever you want.
        
        Macs and Windows non-server OSs are, by default, very permissive with installing any device.
        [ link to this | view in chronology ]
        
        Anonymous Coward, 25 Jul 2016 @ 4:43pm
        
        Re: Re: Re: Re: Re:
        Actually, I would say Rubber Ducky is just most popular because you can easily create a backdoor for use later. The original program for badUSB was of course Stuxnet, which didn't use a keyboard, but just inserted it's own backdoor.
        [ link to this | view in chronology ]
- Anonymous Coward, 25 Jul 2016 @ 2:21pm
  
  Re:
  You slightly misunderstand what Bad USB actually is. Autoplay does not factor in the attack. Bad USB's problem is the firmware can do whatever it wants when a USB is plugged in waaaay before Autoplay is given a chance.
  
  There is nothing stopping USB firmware from being flashed so the usb stick automatically installs a fake keyboard device that will run whatever the attacker wants you to run; go to a web page, dump data to a specific ftp server, or just open a remote shell to the victim's system
  [ link to this | view in chronology ]
Jason Kraftcheck, 25 Jul 2016 @ 7:11am

Are thumb drives really a security issue?
Thumb drives were a huge issue for *Windows users* for a long time not because thumb drives (or any other media) are an inherent security issue but rather because of Microsoft's unfathomably stupid feature that auto-ran executables on media when the media was inserted. This issue existed for all media (e.g. CDs), not just usb devices. There was never an issue for Android, Linux, MacOS, etc. But I thought MS had fixed this back in Windows 7 or something such that Windows would at least ask first before running anything.
[ link to this | view in chronology ]
- John Fenderson (profile), 25 Jul 2016 @ 7:21am
  
  Re: Are thumb drives really a security issue?
  They are a security issue. Not as bad of one as when Windows had autoplay turned on by default, but it's still a pretty big deal.
  
  The main security problem with handing out thumb drives in a bulk way is that people will trust them, and are likely to go ahead and open risky documents or run programs they find on them.
  
  If the drive they have is the one given out, that's probably OK. But there's no way to be sure that's the case. If I'm handing out hundreds of drives to people attending an event, there are plenty of opportunities for hackers to leave identical-looking drives sitting around, to surreptitiously swap out good drives for bad, etc.
  [ link to this | view in chronology ]
  - Anonymous Coward, 25 Jul 2016 @ 8:22am
    
    Re: Re: Are thumb drives really a security issue?
    The main security problem with handing out thumb drives in a bulk way is that people will trust them, and are likely to go ahead and open risky documents or run programs they find on them.
    
    A secondary problem is that some people will collect them, modify what's on them, and re-hand them out (or just leave them sitting around where they're likely to be picked up).
    [ link to this | view in chronology ]
- David, 25 Jul 2016 @ 7:27am
  
  Re: Are thumb drives really a security issue?
  I seem to remember that another problem was that Windows wasn't proof against intentionally crafted inconsistent file system data, so thumb drives could be made to maliciously execute code at privileged level when they were merely inserted even when auto-run was turned off.
  
  Additional fun exploits requiring hard- and/or firmware modifications of the drive let the drive announce itself as a USB keyboard and/or talk with the actual USB keyboard in order to monitor it. Or a number of other devices that you don't want to see in a security-relevant context.
  [ link to this | view in chronology ]
- DigDuggery, 25 Jul 2016 @ 7:49am
  
  There's a physical danger now as well...
  There are now thumb drives that contain modified electronics that, once plugged in, start building up a charge inside of a capacitor, and once it's reached full charge, discharges it through the data links, and it keeps doing it until either removed or the USB port, and probably more of the motherboard, are fried.
  
  Sources:
  http://www.pcworld.com/article/2896732/dont-trust-other-peoples-usb-flash-drives-they- could-fry-your-laptop.html
  
  https://techcrunch.com/2015/03/12/this-usb-drive-can-nuke-a-computer/
  
  http: //arstechnica.com/security/2015/10/usb-killer-flash-drive-can-fry-your-computers-innards-in-seconds/
  [ link to this | view in chronology ]
- Whoever, 25 Jul 2016 @ 9:42am
  
  Re: Are thumb drives really a security issue?
  While malicious files on the thumb drives are the most obvious and common threat, thumb drives present a threat that is much harder to defend against, on any OS.
  
  The thumb drive can have modified firmware such that it tells the OS that it is a keyboard. Now, anything that can be done from the real keyboard can be done by the thumb drive. On a Linux system, it won't immediately have root privileges, but it could install a keylogger or other malicious tools to obtain root privileges.
  [ link to this | view in chronology ]
- Anonymous Coward, 25 Jul 2016 @ 10:11am
  
  Re: Are thumb drives really a security issue?
  Oh you poor sweet summer child.....
  
  See: Auto-install USB drivers.
  
  See Bonus: USB Rubber Ducky
  [ link to this | view in chronology ]
- Anonymous Coward, 25 Jul 2016 @ 10:19am
  
  Re: Are thumb drives really a security issue?
  A nickname for USB is universal security breach. Between hidden partitions, autoplay, and the fact you can attack the system before the drive is even enumerated, yes USBs from an unknown source are very bad.
  
  At least when you buy a drive you can put some (albeit little) faith into the drive being clean because the manufacturer wants to protect their reputation. However if it is plugged in and a virus gets on it you may not even know you just created a trojan horse for the next system you plug it into.
  [ link to this | view in chronology ]
  - Anonymous Coward, 25 Jul 2016 @ 2:27pm
    
    Re: Re: Are thumb drives really a security issue?
    BadUSB is not Autoplay. It's more dangerous and compromises all OS's equally including precious Macs
    [ link to this | view in chronology ]
- Anonymous Coward, 25 Jul 2016 @ 1:41pm
  
  Re: Are thumb drives really a security issue?
  Does your computer prompt you anytime you plug in a USB keyboard/mouse? Any flash drive can pretend to be a keyboard and then type commands into your computer. I would consider a USB drive from an unknown source to be a security threat on any system.
  [ link to this | view in chronology ]
- Anonymous Coward, 25 Jul 2016 @ 2:26pm
  
  Re: Are thumb drives really a security issue?
  BadUSB is not Autoplay.
  [ link to this | view in chronology ]
- Anonymous Coward, 25 Jul 2016 @ 5:25pm
  
  Re: Are thumb drives really a security issue?
  With things like "badUSB", USB drives can emulate a keyboard and mouse, and with some built in windows commands(winkey+R), they can quickly bypass any security measures you have in place to install malware.
  [ link to this | view in chronology ]
Anonymous Coward, 25 Jul 2016 @ 7:24am

I think you misinterpret what the guy is saying.
He is being flippant, not sarcastic. It is more like a Pompeiien saying: "Oh look, Mount Etna is errupting. Perhaps we should get a broom?"

Bitching about the I.T. guy when it comes to DNC infosec, is like bitching at the barkeep about a dirty whisky glass in a whore house.
[ link to this | view in chronology ]
- cpt kangarooski, 25 Jul 2016 @ 8:32am
  
  Re: I think you misinterpret what the guy is saying.
  It is more like a Pompeiien saying: "Oh look, Mount Etna is errupting. Perhaps we should get a broom?"
  
  That isn't a bad response, if that's the way the ash plume is going. Mount Etna is located on the island of Sicily. Pompeii is on the Italian mainland, about 200 miles away as the crow flies. The volcano that the Pompeians needed to worry about was Mount Vesuvius, about 5 miles away.
  [ link to this | view in chronology ]
  - David, 25 Jul 2016 @ 9:01am
    
    Re: Re: I think you misinterpret what the guy is saying.
    Man, we could be all the rage at parties together. Good job.
    [ link to this | view in chronology ]
  - Ninja (profile), 25 Jul 2016 @ 9:02am
    
    Re: Re: I think you misinterpret what the guy is saying.
    Maybe he was talking about earlier Pompeii, you know, when super volcanoes were a thing and Etna could actually do some damage 200 miles away? /derp
    [ link to this | view in chronology ]
  - Anonymous Coward, 25 Jul 2016 @ 5:38pm
    
    Re: Re: I think you misinterpret what the guy is saying.
    My bad,
    
    After watching the current Presidential race, one flaming pit starts to look pretty much like another.
    [ link to this | view in chronology ]
Norahc, 25 Jul 2016 @ 7:40am

If only
If only the smart people in Silicon Valley would try, they could come up with a solution for this huge security risk.

Oh wait, they already did. Best solutions in the world don't mean shit if you're not going to implement them.

And these are the people that want to backdoor and weaken encryption?
[ link to this | view in chronology ]
Anonymous Coward, 25 Jul 2016 @ 7:45am

I have a 100% effective defense against USB stick malware
Epoxy.
[ link to this | view in chronology ]
- Anonymous Coward, 25 Jul 2016 @ 8:34am
  
  Re: I have a 100% effective defense against USB stick malware
  And I have a Dremel. There goes your 100%.
  [ link to this | view in chronology ]
  - Anonymous Coward, 25 Jul 2016 @ 10:46am
    
    Re: Re: I have a 100% effective defense against USB stick malware
    You misunderstand.
    
    The epoxy is to keep your eyelids open so you have to look when he shows you what happened to the last user to disobey his security policy.
    [ link to this | view in chronology ]
  - nasch (profile), 27 Jul 2016 @ 7:33am
    
    Re: Re: I have a 100% effective defense against USB stick malware
    And I have a Dremel. There goes your 100%.
    
    OK, how about... blowtorch?
    [ link to this | view in chronology ]
Anonymous Coward, 25 Jul 2016 @ 8:42am

The problem isn't...
that a virus will "silently upload itself". The problem is that an operating system, running on the computer into which the USB is inserted will silently execute code on the USB. Nothing on a USB stick can force a computer to do anything until something on the computer causes the code on the USB stick to be executed.

I know that some will see this as pointless pedantry, but if we continue to misunderstand problems, we will keep coming up with bad non-solutions (like laws prohibiting USB sticks rather than fixing the (massive) security flaws in some operating systems and, even worse, accepting the poor trade-offs between security and convenience that some software companies make and then trying to fix the problems thus caused by policing that ignores basic civil liberties.
[ link to this | view in chronology ]
- David, 25 Jul 2016 @ 9:44am
  
  Re: The problem isn't...
  Your analysis is lacking in one point: you basically consider an USB stick a similar danger to a removable medium like a CDROM or a floppy disk (which may contain files for automatic execution). But a USB stick connects to a universal peripheral bus. It can present itself as a hub leading to a keyboard, a (possibly bootable) network device, a bluetooth stick and several other peripherals. That provides a whole lot more of attack vectors than just a medium would. Particularly since it can take over a bluetooth keyboard and announce itself as a USB keyboard, then log all the traffic.
  
  There is a lot more of malice a USB-connected peripheral can do than a mere medium in a drive.
  [ link to this | view in chronology ]
  - Eldakka (profile), 25 Jul 2016 @ 5:49pm
    
    Re: Re: The problem isn't...
    I think ACs point is that SOMETHING (whether it be the OS or the firmware of the host computer itself) on the host system has to initiate the running of whatever is on the USB stick, whether that be loading the USB sticks firmware or executing code on a filesystem on the stick (Autoplay), SOMETHING on the host computer has to initiate that. The USB stick's firmware isn't magical and can't just make the host computer start loading the USB stick firmware. The host computer has to in some way allow that to happen.
    
    So, the problem ISN'T the USB stick, it's the host system that allows a USB stick to run arbitrary code, whether in USB firmware or on a USB filesystem, without any sort of security checks.
    [ link to this | view in chronology ]
    - Anonymous Coward, 25 Jul 2016 @ 6:27pm
      
      Re: Re: Re: The problem isn't...
      There's multiple issues at play, first the OS has to support the USB standard, which allows for this sort of crap to happen, unsigned firmware. Second, USB vendor devices don't implement Certificate chains and signed firmware, yes a type of DRM to prevent hackers from manipulating the firmware on the USB device.
      Here's a link to the full specs: http://www.usb.org/developers/docs/usb_31_052016.zip
      
      So I would say it's a failure at the specification part, specifically:
      "All Enhanced SuperSpeed devices share their base architecture with USB 2.0. They are required to carry information for self-identification and generic configuration. They are also required to demonstrate behavior consistent with the defined Enhanced SuperSpeed Device States."
      
      Thus the firmware decides what to run, what device it is, and how it works. So anyone can create an unsigned firmware and make it run by default. There are of course limitation you can place on any OS, like root/admin permissions in Linux, OSX, and Windows to allow for network access, or access to specific files, but you might remember how well the Vista pop-ups went on desktop Windows, given Linux users usually are more forgiving on security prompts, and probably more likely to read it.
      [ link to this | view in chronology ]
      - Anonymous Coward, 25 Jul 2016 @ 6:40pm
        
        Re: Re: Re: Re: The problem isn't...
        I guess I should clarify, even with signed certs, I could still purchase applehardwarecompany.com, and probably fool 99% of the general public on a third party USB C charger that could ask for sudo rights when plugged in. Sadly, this is just the knowledge of the public, but at least I would probably get locked down quicker by Apple, Inc.
        [ link to this | view in chronology ]
Stosh, 25 Jul 2016 @ 10:41am

The DNC used the email security firm that Hillary recommended, what could possibly go wrong?
[ link to this | view in chronology ]
Anonymous Coward, 25 Jul 2016 @ 10:42am

USB flash disk with malware microcode
can present itself as USB HID (read *keyboard* and/or *mouse*) to *any* OS: Microsoft, Linux, Mac OS.

If you can come up with a string of characters to type that can hack all of these OS's, then you can take them all over.

So far, there is *no* fix for this, since there's no way for an OS to tell the difference between an actual keyboard/mouse or a hacked flash drive masquerading as a keyboard/mouse.
[ link to this | view in chronology ]
Anonymous Coward, 25 Jul 2016 @ 5:41pm

Mike,

Serious question, since Credit card details, SSNs, et al were included in emails, did the DNC violate any State laws for PCI? While I know there isn't any federal laws, I do know many state's have enacted further restrictions, and this is definitely pretty bad.

The USB deal is imho rather trivial, hell, IBM was noted to distributed malware to a security conference in 2010, and it's happened many times since then.
[ link to this | view in chronology ]
Anonymous Coward, 25 Jul 2016 @ 5:59pm

and we want to turn the operation of our vehicles over to a network. yee, boy.
[ link to this | view in chronology ]
TheirJustFollowingFBIAdvice, 25 Jul 2016 @ 8:17pm

They weren't hacked, the FBI recommends no encruption and backdoors
Perhaps it's time to redefine what being hacked means.
The FBI over the recent years says Encryption is bad, they recommend backdoor passwords for those in the intelligence business.

So by their own logic, the DNC wasn't hacked, it followed their own security recommendations.

I know, sassy response but it's the new reality that the DOJ-FBI suggest right? Right? AmIRight?
[ link to this | view in chronology ]