I don’t have any students who work for the State
this quarter. I hope someone who works with election computers reads
my blog. Lots of detail.
How they did it (and will likely try again): GRU hackers vs. US elections
In a press briefing just two weeks ago, Deputy
Attorney General Rod Rosenstein announced that the grand jury
assembled by Special Counsel Robert Mueller had returned an
indictment
… The filing
[PDF] spells out the Justice Department's first official, public
accounting
… The allegations are backed up by data
collected from service provider logs, Bitcoin transaction tracing,
and additional forensics. The DOJ also relied on information
collected by US (and likely foreign) intelligence and law enforcement
agencies.
… After digging into this latest indictment,
the evidence suggests Trump may not have made a very good call on
this matter. But his blaming of the victims of the attacks for
failing to have good enough security, while misguided, does strike on
a certain truth: the Clinton campaign, the DNC, and DCCC were poorly
prepared for this sort of attack, failed to learn lessons from
history, and ignored advice from some very knowledgeable third
parties they enlisted for help.
… The GRU operation had conducted wide-ranging
spear-phishing attacks against both Democrats and Republicans as far
back as October 2015 with limited success. Members of John McCain's
and Lindsey Graham's campaign staffs, as well as members of several
other Republican congressional campaign staffs, had
their emails stolen and later posted on the DCLeaks site. But as
the presidential field narrowed, the GRU began to focus on the
Democrats and Hillary Clinton's campaign.
… Unfortunately, few if any members of the
Clinton campaign staff, DNC, or DCCC used two-factor
authentication—despite advice from outside advisors
(Related) The government hasn’t realized how
important Computer Security is. They still consider IT as
unimportant to the strategic success of the organization (like
janitorial services). The results are similar to the failures of
ignorant politicians.
NSA Hasn’t Implemented Post-Snowden Security Fixes, Audit Finds
The nation’s cyber spy agency is suffering from
substantial cyber vulnerabilities, according to a first-of-its-kind
unclassified audit overview from the agency’s inspector general
released Wednesday.
Those vulnerabilities include computer system
security plans that are inaccurate or incomplete, removable media
that aren’t properly scanned for viruses, and an inadequate process
for tracking the job duties of National Security Agency cyber
defenders to ensure they’re qualified for the highest-level work
they do, according to the
overview.
Perhaps most striking, the agency has not properly
implemented “two-person access controls” on its data centers and
equipment rooms.
This should be an obvious red flag.
State Govts. Warned of Malware-Laden CD Sent Via Snail Mail from China
Here’s a timely reminder that email isn’t the
only vector for phishing attacks: Several U.S. state and local
government agencies have reported receiving strange letters via snail
mail that include malware-laden compact discs (CDs) apparently sent
from China, KrebsOnSecurity has learned.
This particular ruse, while crude and simplistic,
preys on the curiosity of recipients who may be enticed into popping
the CD into a computer. According to a non-public alert shared with
state and local government agencies by the Multi-State
Information Sharing and Analysis Center (MS-ISAC), the scam
arrives in a Chinese postmarked envelope and includes a “confusingly
worded typed letter with occasional Chinese characters.”
More to come.
Britain's Fake News Inquiry Says Facebook And Google's Algorithms Should Be Audited By UK Regulators
British regulators should be given more control
over Facebook and Google to stop the spread of “fake news” —
including the power to audit their jealously-guarded algorithms —
an influential parliamentary committee will recommend.
The interim report from the House of Commons
Digital, Culture, Media and Sport Committee is due to be published on
Sunday, but on Friday afternoon a leaked copy was published in full
online by former Vote Leave campaign strategist Dominic Cummings.
Tools for summer reading.