DNC Comms Guy Mocked Story Saying DNC Is Bad At Cybersecurity; Revealed Because DNC Is Bad At Cybersecurity
from the karma dept
Protip: maybe don't laugh off accusations that you're bad at cybersecurity in emails on a network that has already been infiltrated by hackers. That message did not make it through to one Eric Walker, deputy communications director for the Democratic National Committee. As you've heard by now, the DNC got hacked and all the emails were posted on Wikileaks. An anonymous user in our comments pointed us to a now revealed email from Walker brushing off a story in BuzzFeed, quoting cybersecurity professionals arguing that both the RNC and the DNC are bad at cybersecurity, mainly because they're handing out USB keys at their conventions.Reporters who registered for the Republican and Democratic National Conventions were given tote bags by convention organizers filled with instructions and logistical information. Buried inside the totes were thumb drives, also known as USB flash drives, with information on the upcoming events.That's a reasonable assessment. It's dumb to hand out USB keys these days and anyone should be aware of that by now. But Walker's email sarcastically mocked this:
“Who does that anymore? It’s just asking to get infected with any variety of malware,” said Ajay Arora, CEO of VERA, a cybersecurity firm. “Those thumb drives are the number one way to infect a computer… It is borderline stupidity to give them out to people, or for people to even think of using them.”
Thumb drives are known within the cybersecurity world for their fundamental security weaknesses, because when someone plugs a thumb drive into their computers they are opening up their system to anything on that drive — from the best hotels to stay in during the Republican National Convention to a virus that silently uploads itself onto the hard drive. Neither the Republican or Democratic National Committees replied to a BuzzFeed News inquiry about the thumb drives.
The thesis: we hand out thumb drives at events, which could infect the reporters/attendees' computers. So that means that we're bad at cybersecurity. Okay.Well, truth be told, there are many reasons why you may be bad at cybersecurity, including the fact that you apparently let a group of hackers sit on your network for a year or more. But also, handing out USB keys is a super bad idea too.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: cybersecurity, dnc, dnc leak, eric walker, usb keys
Reader Comments
Subscribe: RSS
View by: Time | Thread
Just curious... whats the over/under on finding out the DNC hack was caused by a flash drive?
[ link to this | view in thread ]
[ link to this | view in thread ]
Are thumb drives really a security issue?
[ link to this | view in thread ]
Re:
There is likely more shit that happened that WILL be kept under wraps.
What IS entertaining about all of this is the faux surprise. Like the Emperors New Clothes, they were very open about their corruption, just DARED anyone to prove it, and now someone did.
Please raise your hand if you were the moron that thought the DNC were honest and upstanding folk. Congratulations, you make a terrible citizen.
[ link to this | view in thread ]
Re: Are thumb drives really a security issue?
The main security problem with handing out thumb drives in a bulk way is that people will trust them, and are likely to go ahead and open risky documents or run programs they find on them.
If the drive they have is the one given out, that's probably OK. But there's no way to be sure that's the case. If I'm handing out hundreds of drives to people attending an event, there are plenty of opportunities for hackers to leave identical-looking drives sitting around, to surreptitiously swap out good drives for bad, etc.
[ link to this | view in thread ]
I think you misinterpret what the guy is saying.
Bitching about the I.T. guy when it comes to DNC infosec, is like bitching at the barkeep about a dirty whisky glass in a whore house.
[ link to this | view in thread ]
Re: Are thumb drives really a security issue?
Additional fun exploits requiring hard- and/or firmware modifications of the drive let the drive announce itself as a USB keyboard and/or talk with the actual USB keyboard in order to monitor it. Or a number of other devices that you don't want to see in a security-relevant context.
[ link to this | view in thread ]
Re:
BadUSB works on screwing with the firmware so just plugging it in can own the machine. There is no way to see whats happening when you plug the drive in, and if you don't watch closely you might miss "extra" drivers being added.
[ link to this | view in thread ]
If only
Oh wait, they already did. Best solutions in the world don't mean shit if you're not going to implement them.
And these are the people that want to backdoor and weaken encryption?
[ link to this | view in thread ]
I have a 100% effective defense against USB stick malware
[ link to this | view in thread ]
There's a physical danger now as well...
Sources:
http://www.pcworld.com/article/2896732/dont-trust-other-peoples-usb-flash-drives-they- could-fry-your-laptop.html
https://techcrunch.com/2015/03/12/this-usb-drive-can-nuke-a-computer/
http: //arstechnica.com/security/2015/10/usb-killer-flash-drive-can-fry-your-computers-innards-in-seconds/
[ link to this | view in thread ]
Re:
Seeing as how they were dictating the stories, I don't really see where this would have gotten them.
[ link to this | view in thread ]
Re: Re: Are thumb drives really a security issue?
A secondary problem is that some people will collect them, modify what's on them, and re-hand them out (or just leave them sitting around where they're likely to be picked up).
[ link to this | view in thread ]
Re: Re: Infecting reporters
[ link to this | view in thread ]
Re: I think you misinterpret what the guy is saying.
That isn't a bad response, if that's the way the ash plume is going. Mount Etna is located on the island of Sicily. Pompeii is on the Italian mainland, about 200 miles away as the crow flies. The volcano that the Pompeians needed to worry about was Mount Vesuvius, about 5 miles away.
[ link to this | view in thread ]
Re: I have a 100% effective defense against USB stick malware
[ link to this | view in thread ]
The problem isn't...
I know that some will see this as pointless pedantry, but if we continue to misunderstand problems, we will keep coming up with bad non-solutions (like laws prohibiting USB sticks rather than fixing the (massive) security flaws in some operating systems and, even worse, accepting the poor trade-offs between security and convenience that some software companies make and then trying to fix the problems thus caused by policing that ignores basic civil liberties.
[ link to this | view in thread ]
Re: Re: I think you misinterpret what the guy is saying.
[ link to this | view in thread ]
Re: Re: I think you misinterpret what the guy is saying.
[ link to this | view in thread ]
Re: Re:
The fact that you can backdoor every O/S with it, makes it a pretty big deal that really should have been fixed with USB 3.1 or C. Anything from cheap thumb drives, to charges could create a huge botnet now.
[ link to this | view in thread ]
Re: Re: Re:
It's fairly clear that most people have no idea how USB works in general, much less USB sticks. The danger is in people running apps that contain exploits, not viruses on the stick itself.
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Re: Are thumb drives really a security issue?
The thumb drive can have modified firmware such that it tells the OS that it is a keyboard. Now, anything that can be done from the real keyboard can be done by the thumb drive. On a Linux system, it won't immediately have root privileges, but it could install a keylogger or other malicious tools to obtain root privileges.
[ link to this | view in thread ]
Re: The problem isn't...
There is a lot more of malice a USB-connected peripheral can do than a mere medium in a drive.
[ link to this | view in thread ]
Re: Are thumb drives really a security issue?
See: Auto-install USB drivers.
See Bonus: USB Rubber Ducky
[ link to this | view in thread ]
Re: Re: Re: Re:
This is basically a keyboard emulator and scripting language, so you can pretty much do a lot. Some samples can even be generated quickly for windows: http://ducktoolkit-411.rhcloud.com/Home.jsp
[ link to this | view in thread ]
Re: Are thumb drives really a security issue?
At least when you buy a drive you can put some (albeit little) faith into the drive being clean because the manufacturer wants to protect their reputation. However if it is plugged in and a virus gets on it you may not even know you just created a trojan horse for the next system you plug it into.
[ link to this | view in thread ]
[ link to this | view in thread ]
USB flash disk with malware microcode
If you can come up with a string of characters to type that can hack all of these OS's, then you can take them all over.
So far, there is *no* fix for this, since there's no way for an OS to tell the difference between an actual keyboard/mouse or a hacked flash drive masquerading as a keyboard/mouse.
[ link to this | view in thread ]
Re: Re: I have a 100% effective defense against USB stick malware
The epoxy is to keep your eyelids open so you have to look when he shows you what happened to the last user to disobey his security policy.
[ link to this | view in thread ]
Re: Are thumb drives really a security issue?
[ link to this | view in thread ]
Re:
There is nothing stopping USB firmware from being flashed so the usb stick automatically installs a fake keyboard device that will run whatever the attacker wants you to run; go to a web page, dump data to a specific ftp server, or just open a remote shell to the victim's system
[ link to this | view in thread ]
Re: Re: Re: Re:
Macs and Windows non-server OSs are, by default, very permissive with installing any device.
[ link to this | view in thread ]
Re: Are thumb drives really a security issue?
[ link to this | view in thread ]
Re: Re: Are thumb drives really a security issue?
[ link to this | view in thread ]
Re: Re: Re: Re: Re:
[ link to this | view in thread ]
Re: Are thumb drives really a security issue?
[ link to this | view in thread ]
Re: Re: I think you misinterpret what the guy is saying.
After watching the current Presidential race, one flaming pit starts to look pretty much like another.
[ link to this | view in thread ]
Serious question, since Credit card details, SSNs, et al were included in emails, did the DNC violate any State laws for PCI? While I know there isn't any federal laws, I do know many state's have enacted further restrictions, and this is definitely pretty bad.
The USB deal is imho rather trivial, hell, IBM was noted to distributed malware to a security conference in 2010, and it's happened many times since then.
[ link to this | view in thread ]
Re: Re: The problem isn't...
So, the problem ISN'T the USB stick, it's the host system that allows a USB stick to run arbitrary code, whether in USB firmware or on a USB filesystem, without any sort of security checks.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re: Re: The problem isn't...
Here's a link to the full specs: http://www.usb.org/developers/docs/usb_31_052016.zip
So I would say it's a failure at the specification part, specifically:
"All Enhanced SuperSpeed devices share their base architecture with USB 2.0. They are required to carry information for self-identification and generic configuration. They are also required to demonstrate behavior consistent with the defined Enhanced SuperSpeed Device States."
Thus the firmware decides what to run, what device it is, and how it works. So anyone can create an unsigned firmware and make it run by default. There are of course limitation you can place on any OS, like root/admin permissions in Linux, OSX, and Windows to allow for network access, or access to specific files, but you might remember how well the Vista pop-ups went on desktop Windows, given Linux users usually are more forgiving on security prompts, and probably more likely to read it.
[ link to this | view in thread ]
Re: Re: Re: Re: The problem isn't...
[ link to this | view in thread ]
They weren't hacked, the FBI recommends no encruption and backdoors
The FBI over the recent years says Encryption is bad, they recommend backdoor passwords for those in the intelligence business.
So by their own logic, the DNC wasn't hacked, it followed their own security recommendations.
I know, sassy response but it's the new reality that the DOJ-FBI suggest right? Right? AmIRight?
[ link to this | view in thread ]
Re: Re: I have a 100% effective defense against USB stick malware
OK, how about... blowtorch?
[ link to this | view in thread ]