DNC Comms Guy Mocked Story Saying DNC Is Bad At Cybersecurity; Revealed Because DNC Is Bad At Cybersecurity

from the karma dept

Protip: maybe don’t laugh off accusations that you’re bad at cybersecurity in emails on a network that has already been infiltrated by hackers. That message did not make it through to one Eric Walker, deputy communications director for the Democratic National Committee. As you’ve heard by now, the DNC got hacked and all the emails were posted on Wikileaks. An anonymous user in our comments pointed us to a now revealed email from Walker brushing off a story in BuzzFeed, quoting cybersecurity professionals arguing that both the RNC and the DNC are bad at cybersecurity, mainly because they’re handing out USB keys at their conventions.

Reporters who registered for the Republican and Democratic National Conventions were given tote bags by convention organizers filled with instructions and logistical information. Buried inside the totes were thumb drives, also known as USB flash drives, with information on the upcoming events.

“Who does that anymore? It’s just asking to get infected with any variety of malware,” said Ajay Arora, CEO of VERA, a cybersecurity firm. “Those thumb drives are the number one way to infect a computer… It is borderline stupidity to give them out to people, or for people to even think of using them.”

Thumb drives are known within the cybersecurity world for their fundamental security weaknesses, because when someone plugs a thumb drive into their computers they are opening up their system to anything on that drive – from the best hotels to stay in during the Republican National Convention to a virus that silently uploads itself onto the hard drive. Neither the Republican or Democratic National Committees replied to a BuzzFeed News inquiry about the thumb drives.

That’s a reasonable assessment. It’s dumb to hand out USB keys these days and anyone should be aware of that by now. But Walker’s email sarcastically mocked this:

The thesis: we hand out thumb drives at events, which could infect the reporters/attendees’ computers. So that means that we’re bad at cybersecurity. Okay.

Well, truth be told, there are many reasons why you may be bad at cybersecurity, including the fact that you apparently let a group of hackers sit on your network for a year or more. But also, handing out USB keys is a super bad idea too.


Comments on “DNC Comms Guy Mocked Story Saying DNC Is Bad At Cybersecurity; Revealed Because DNC Is Bad At Cybersecurity”

45 Comments
Anonymous Coward says:

Re: Re:

Does it really matter? It’s like having a drunk orgy and wondering which one got you off. It really does not matter how because the payload WAS delivered…

There is likely more shit that happened that WILL be kept under wraps.

What IS entertaining about all of this is the faux surprise. Like the Emperor’s New Clothes, they were very open about their corruption, just DARED anyone to prove it, and now someone did.

Please raise your hand if you were the moron that thought the DNC were honest and upstanding folk. Congratulations, you make a terrible citizen.

Anonymous Coward says:

Re: Re: Infecting reporters

Seeing as how they were dictating the stories, I don’t really see where this would have gotten them.

It could have gotten them a “security review” that ultimately concluded they were extremely thoughtless, but that the hacking showed no evidence of criminal intent and did not warrant prosecution. 😉

Anonymous Coward says:

Re: Re: Re:

I would say this is the only reason why USB is really an issue now. Since the code is public, anyone can really create their own virus and upload new firmware: https://github.com/brandonlw/Psychson

The fact that you can backdoor every O/S with it makes it a pretty big deal that really should have been fixed with USB 3.1 or C. Anything from cheap thumb drives to chargers could create a huge botnet now.

JoeCool (profile) says:

Re: Re: Re: Re:

That updates the firmware of the USB stick, not the computer. It’s used to do things like forbid the stick from booting, even on a computer capable of booting from a USB stick. It is NOT capable of backdooring “every” OS… in fact, it probably can’t backdoor any of them without a little help from the user (trojan horse, not a virus).

It’s fairly clear that most people have no idea how USB works in general, much less USB sticks. The danger is in people running apps that contain exploits, not viruses on the stick itself.

Anonymous Coward says:

Re: Re: Re:2 Re:

What? You upload custom firmware to the USB stick which gets run on driver loading. So depending on what you want to hack Linux, Windows, or OSX, you create a program to do whatever you want. My personal opinion would be to install a Rubber Ducky payload on a hidden partition. http://usbrubberducky.com/#!index.md
This is basically a keyboard emulator and scripting language, so you can pretty much do a lot. Some samples can even be generated quickly for Windows: http://ducktoolkit-411.rhcloud.com/Home.jsp

Anonymous Coward says:

Re: Re: Re: Re:

The problem with bad USB is not the basic USB specs themselves, but rather the automatic loading and connection of the device to a driver for the type of device it identifies itself as. It is a case of convenience providing the loophole for security violations. The mitigation of this would be for the OS to query before connecting whenever it sees a HID device being plugged in, except for reserved ports for mouse and keyboard. (It would be a bit difficult to authorize a keyboard when it is the keyboard you intend to use being plugged in).
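The mitigation described in the comment above (ask before binding a driver to a newly attached HID device, except on ports reserved for the real keyboard and mouse) can be sketched as a policy function. This is an added example, not part of the original comment or of any operating system's code; the port names, sample devices and the `decide` function are constructed for illustration, while the class and protocol codes are the standard USB ones.

```python
from dataclasses import dataclass

# bInterfaceClass codes defined by the USB specification
HID, MASS_STORAGE = 0x03, 0x08
# HID bInterfaceProtocol values for boot-protocol devices
BOOT_KEYBOARD, BOOT_MOUSE = 1, 2

# Assumption: ports the administrator reserves for the real keyboard and mouse
RESERVED_INPUT_PORTS = {"1-1", "1-2"}

@dataclass(frozen=True)
class Interface:
    cls: int           # bInterfaceClass reported by the device
    protocol: int = 0  # bInterfaceProtocol reported by the device

@dataclass(frozen=True)
class Device:
    port: str          # physical port path (constructed naming)
    product: str       # product string: device-supplied, so never trusted
    interfaces: tuple  # every interface the device announces

def decide(dev: Device) -> str:
    """Return 'allow', 'prompt' or 'block' before any driver is bound."""
    classes = {i.cls for i in dev.interfaces}
    if not classes:
        return "prompt"                      # nothing announced: ask
    if HID in classes and MASS_STORAGE in classes:
        return "block"                       # a "thumb drive" that also types
    if HID in classes:
        plain_input = all(
            i.cls == HID and i.protocol in (BOOT_KEYBOARD, BOOT_MOUSE)
            for i in dev.interfaces
        )
        if plain_input and dev.port in RESERVED_INPUT_PORTS:
            return "allow"                   # the keyboard you intend to use
        # The prompt must be answered from an already trusted input device,
        # otherwise the new "keyboard" could approve itself.
        return "prompt"
    if classes == {MASS_STORAGE}:
        return "allow"                       # storage only; file risk remains
    return "prompt"                          # network, hub, anything else

# Constructed sample devices, not captured from real hardware
SAMPLES = {
    "desk_keyboard": Device("1-1", "USB Keyboard", (Interface(HID, BOOT_KEYBOARD),)),
    "handout_stick": Device("1-4", "Flash Disk", (Interface(MASS_STORAGE),)),
    "reflashed_stick": Device("1-4", "Flash Disk",
                              (Interface(MASS_STORAGE), Interface(HID, BOOT_KEYBOARD))),
    "stick_as_keyboard": Device("1-4", "Flash Disk", (Interface(HID, BOOT_KEYBOARD),)),
}

if __name__ == "__main__":
    for name, dev in SAMPLES.items():
        print(f"{name:18} port {dev.port}: {decide(dev)}")
```

The decision uses only the announced interface classes and the physical port, never the product string, and the reserved-port exception is only as strong as physical control of those ports.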

Anonymous Coward says:

Re: Re:

You slightly misunderstand what Bad USB actually is. Autoplay does not factor in the attack. Bad USB’s problem is the firmware can do whatever it wants when a USB is plugged in waaaay before Autoplay is given a chance.

There is nothing stopping USB firmware from being flashed so the USB stick automatically installs a fake keyboard device that will run whatever the attacker wants you to run; go to a web page, dump data to a specific ftp server, or just open a remote shell to the victim’s system.

Jason Kraftcheck says:

Are thumb drives really a security issue?

Thumb drives were a huge issue for *Windows users* for a long time not because thumb drives (or any other media) are an inherent security issue but rather because of Microsoft’s unfathomably stupid feature that auto-ran executables on media when the media was inserted. This issue existed for all media (e.g. CDs), not just usb devices. There was never an issue for Android, Linux, MacOS, etc. But I thought MS had fixed this back in Windows 7 or something such that Windows would at least ask first before running anything.

John Fenderson (profile) says:

Re: Are thumb drives really a security issue?

They are a security issue. Not as bad of one as when Windows had autoplay turned on by default, but it’s still a pretty big deal.

The main security problem with handing out thumb drives in a bulk way is that people will trust them, and are likely to go ahead and open risky documents or run programs they find on them.

If the drive they have is the one given out, that’s probably OK. But there’s no way to be sure that’s the case. If I’m handing out hundreds of drives to people attending an event, there are plenty of opportunities for hackers to leave identical-looking drives sitting around, to surreptitiously swap out good drives for bad, etc.

Anonymous Coward says:

Re: Re: Are thumb drives really a security issue?

The main security problem with handing out thumb drives in a bulk way is that people will trust them, and are likely to go ahead and open risky documents or run programs they find on them.

A secondary problem is that some people will collect them, modify what’s on them, and re-hand them out (or just leave them sitting around where they’re likely to be picked up).

David says:

Re: Are thumb drives really a security issue?

I seem to remember that another problem was that Windows wasn’t proof against intentionally crafted inconsistent file system data, so thumb drives could be made to maliciously execute code at privileged level when they were merely inserted even when auto-run was turned off.

Additional fun exploits requiring hard- and/or firmware modifications of the drive let the drive announce itself as a USB keyboard and/or talk with the actual USB keyboard in order to monitor it. Or a number of other devices that you don’t want to see in a security-relevant context.

DigDuggery says:

Re: There's a physical danger now as well...

There are now thumb drives that contain modified electronics that, once plugged in, start building up a charge inside of a capacitor, and once it’s reached full charge, discharges it through the data links, and it keeps doing it until either removed or the USB port, and probably more of the motherboard, are fried.

Sources:
http://www.pcworld.com/article/2896732/dont-trust-other-peoples-usb-flash-drives-they-could-fry-your-laptop.html

https://techcrunch.com/2015/03/12/this-usb-drive-can-nuke-a-computer/

http://arstechnica.com/security/2015/10/usb-killer-flash-drive-can-fry-your-computers-innards-in-seconds/

Whoever says:

Re: Are thumb drives really a security issue?

While malicious files on the thumb drives are the most obvious and common threat, thumb drives present a threat that is much harder to defend against, on any OS.

The thumb drive can have modified firmware such that it tells the OS that it is a keyboard. Now, anything that can be done from the real keyboard can be done by the thumb drive. On a Linux system, it won’t immediately have root privileges, but it could install a keylogger or other malicious tools to obtain root privileges.

Anonymous Coward says:

Re: Are thumb drives really a security issue?

A nickname for USB is universal security breach. Between hidden partitions, autoplay, and the fact you can attack the system before the drive is even enumerated, yes USBs from an unknown source are very bad.

At least when you buy a drive you can put some (albeit little) faith into the drive being clean because the manufacturer wants to protect their reputation. However if it is plugged in and a virus gets on it you may not even know you just created a trojan horse for the next system you plug it into.

Anonymous Coward says:

I think you misinterpret what the guy is saying.

He is being flippant, not sarcastic. It is more like a Pompeiian saying: “Oh look, Mount Etna is erupting. Perhaps we should get a broom?”

Bitching about the I.T. guy when it comes to DNC infosec, is like bitching at the barkeep about a dirty whisky glass in a whore house.

cpt kangarooski says:

Re: I think you misinterpret what the guy is saying.

It is more like a Pompeiian saying: “Oh look, Mount Etna is erupting. Perhaps we should get a broom?”

That isn’t a bad response, if that’s the way the ash plume is going. Mount Etna is located on the island of Sicily. Pompeii is on the Italian mainland, about 200 miles away as the crow flies. The volcano that the Pompeians needed to worry about was Mount Vesuvius, about 5 miles away.

Anonymous Coward says:

The problem isn't...

that a virus will “silently upload itself”. The problem is that an operating system, running on the computer into which the USB is inserted will silently execute code on the USB. Nothing on a USB stick can force a computer to do anything until something on the computer causes the code on the USB stick to be executed.

I know that some will see this as pointless pedantry, but if we continue to misunderstand problems, we will keep coming up with bad non-solutions (like laws prohibiting USB sticks rather than fixing the (massive) security flaws in some operating systems and, even worse, accepting the poor trade-offs between security and convenience that some software companies make and then trying to fix the problems thus caused by policing that ignores basic civil liberties).

David says:

Re: The problem isn't...

Your analysis is lacking in one point: you basically consider a USB stick a similar danger to a removable medium like a CDROM or a floppy disk (which may contain files for automatic execution). But a USB stick connects to a universal peripheral bus. It can present itself as a hub leading to a keyboard, a (possibly bootable) network device, a bluetooth stick and several other peripherals. That provides a whole lot more of attack vectors than just a medium would. Particularly since it can take over a bluetooth keyboard and announce itself as a USB keyboard, then log all the traffic.

There is a lot more of malice a USB-connected peripheral can do than a mere medium in a drive.

Eldakka (profile) says:

Re: Re: The problem isn't...

I think AC’s point is that SOMETHING (whether it be the OS or the firmware of the host computer itself) on the host system has to initiate the running of whatever is on the USB stick, whether that be loading the USB stick’s firmware or executing code on a filesystem on the stick (Autoplay), SOMETHING on the host computer has to initiate that. The USB stick’s firmware isn’t magical and can’t just make the host computer start loading the USB stick firmware. The host computer has to in some way allow that to happen.

So, the problem ISN’T the USB stick, it’s the host system that allows a USB stick to run arbitrary code, whether in USB firmware or on a USB filesystem, without any sort of security checks.

Anonymous Coward says:

Re: Re: Re: The problem isn't...

There are multiple issues at play, first the OS has to support the USB standard, which allows for this sort of crap to happen, unsigned firmware. Second, USB vendor devices don’t implement Certificate chains and signed firmware, yes a type of DRM to prevent hackers from manipulating the firmware on the USB device.
Here’s a link to the full specs: http://www.usb.org/developers/docs/usb_31_052016.zip

So I would say it’s a failure at the specification part, specifically:
“All Enhanced SuperSpeed devices share their base architecture with USB 2.0. They are required to carry information for self-identification and generic configuration. They are also required to demonstrate behavior consistent with the defined Enhanced SuperSpeed Device States.”

Thus the firmware decides what to run, what device it is, and how it works. So anyone can create an unsigned firmware and make it run by default. There are of course limitations you can place on any OS, like root/admin permissions in Linux, OSX, and Windows to allow for network access, or access to specific files, but you might remember how well the Vista pop-ups went on desktop Windows, given Linux users usually are more forgiving on security prompts, and probably more likely to read it.

Anonymous Coward says:

Re: Re: Re:2 The problem isn't...

I guess I should clarify, even with signed certs, I could still purchase applehardwarecompany.com, and probably fool 99% of the general public on a third party USB C charger that could ask for sudo rights when plugged in. Sadly, this is just the knowledge of the public, but at least I would probably get locked down quicker by Apple, Inc.

Anonymous Coward says:

USB flash disk with malware microcode

can present itself as USB HID (read *keyboard* and/or *mouse*) to *any* OS: Microsoft, Linux, Mac OS.

If you can come up with a string of characters to type that can hack all of these OS’s, then you can take them all over.

So far, there is *no* fix for this, since there’s no way for an OS to tell the difference between an actual keyboard/mouse or a hacked flash drive masquerading as a keyboard/mouse.

Anonymous Coward says:

Mike,

Serious question, since Credit card details, SSNs, et al were included in emails, did the DNC violate any State laws for PCI? While I know there aren’t any federal laws, I do know many states have enacted further restrictions, and this is definitely pretty bad.

The USB deal is imho rather trivial, hell, IBM was noted to have distributed malware to a security conference in 2010, and it’s happened many times since then.

TheirJustFollowingFBIAdvice says:

They weren't hacked, the FBI recommends no encryption and backdoors

Perhaps it’s time to redefine what being hacked means.
The FBI over the recent years says Encryption is bad, they recommend backdoor passwords for those in the intelligence business.

So by their own logic, the DNC wasn’t hacked, it followed their own security recommendations.

I know, sassy response but it’s the new reality that the DOJ-FBI suggest right? Right? AmIRight?
