The Dept. of Homeland Security and the FBI released a joint analysis on their investigations into Russian hacking of the Democratic National Committee and other political campaign targets on December 29. Having been involved in such investigations, I thought I’d give it a read and see what evidence they have.
In the summary of the report, two Russian hacking groups, APT28 and APT29, are called out by name as having conducted an attack labeled as “spearphishing.” A phishing attack is when a hacker sends out spam containing attachments infected with malware or links to websites that download and install malware. A spearphishing attack is a targeted phishing attack – such as the one aimed at John Podesta, who was probably targeted for the inside information to which he was sure to have access.
Having the attack called out as a spearphishing attack points to a serious and general information security problem, and should be rather embarrassing for any of the victims in and of itself. Just because you have anti-virus installed on your laptop doesn’t mean you can or should click with impunity. I can’t count how many times we have had to tell people, “If it looks out of the ordinary – don’t click it, don’t open it. And for God’s sake, don’t install stuff from unknown sources no matter what it says it is.” No little widget you can download for free is important enough to risk information security. Obviously, somebody, or multiple people, did take that risk at least once.
Of course, this only addresses a problem with the users. There are many other architectural problems here. The political parties and campaigns should think about how secure they want to be, because if they store data they wouldn’t want published in a newspaper, information security with passwords alone won’t help them. Sensitive information should be behind at least one firewall and accessible only by authorized individuals via VPN, with multi-factor or certificate-based authentication required, so that if a hacker gains access to a user’s password, they won’t get to the juicy stuff. They apparently didn’t even use data encryption to limit the information exposure that follows from password theft.
The long and short of it is that if you don’t take precautions commensurate with the negative consequences of information exposure – at the very least, firewall the information away from known threats – you might as well just print it all out and throw it in the middle of Times Square. If it had not been Russians, it would have been somebody else, and given the lax data security practices employed here, there were probably other security incidents involving other hackers that either haven’t been detected or are not mentioned anywhere. Who else has been sifting through all the skeletons in the closet is anyone’s guess.
So politically, with this report, the Obama Administration called out all of their party leaders for being idiot pea brains who certainly don’t know how to wisely spend the hundreds of millions of dollars donated to them annually. They probably deserved to lose, because it says a great deal about how they would spend public money or their desire to protect government information. It isn’t about Russia. It’s about the stupidity and negligence revolving around DNC IT.