How to make elections secure in the age of digital operatives

Former Facebook CSO Alex Stamos tells us what he learned in 2016 and what comes next.

Video by Chris Schodt, production by Justin Wolfson

In our latest episode of Ars Technica Live, we talk about election security. My guest was Alex Stamos, a researcher at Stanford who just happened to be the CSO at Facebook when the company discovered Russian operatives meddling in the US presidential election. He told us about that experience, and what's worrying him about the future of US democracy.

It was odd for technical experts like Stamos and his team at Facebook to find themselves at ground zero of a political propaganda war. Stamos explained that infosec researchers are not typically trained to deal with things like weaponized memes. "We had ignored that the vast majority of human harm caused online has no interesting technical component," he said wryly. "It's a technically correct use of the products we build."

No, there’s no evidence (yet) the feds tried to hack Georgia’s voter database

Georgia politician Brian Kemp reads at a Holocaust remembrance ceremony in the state. (credit: Georgia.gov)

Accusations that the US Department of Homeland Security tried to hack Georgia's voter registration database are running rampant. But until officials from that state's Secretary of State office provide basic details, people should remain highly skeptical.

The controversy erupted after Georgia Secretary of State Brian Kemp sent and publicly released a letter addressed to DHS Secretary Jeh Johnson. In it, Kemp made a series of statements so vague in their technical detail that it's impossible to conclude any kind of hacking or breach—at least as those terms are used by security professionals—took place.

"On November 15, 2016, an IP address associated with the Department of Homeland Security made an unsuccessful attempt to penetrate the Georgia Secretary of State's firewall," Kemp wrote. "I am writing you to ask whether DHS was aware of this attempt and, if so, why DHS was attempting to breach our firewall."

McAfee Labs – McAfee 2016-10-03 03:08:11

Over the last several days, we’ve seen headlines on potential cyber-attacks on state voter registries, cybersecurity front and center in the Clinton-Trump presidential debate, and new revelations into the Yahoo! cyber-breach that appears to have compromised more than 500 million user accounts.

Intel Security CTO Steve Grobman fielded a number of questions on these events and revelations:

What do you make of the FBI and DHS announcements that the agencies have detected cyber-attacks on voter registration websites in more than a dozen states?

“These announcements certainly raise concerns. Elections are meant to be anonymous and not traceable back to the individual voter. Thirty-one states and DC offer the kind of online voter registration that the FBI says was targeted. The perpetrators are hacktivists. They probably seek to shake voter confidence in the American electoral system, and they only have to have one high profile attack to achieve this goal.”

What do you make of reports that cybercriminals are behind the theft of 500 million Yahoo! users’ accounts, not government-backed hackers, and these actors sold the data to a state actor?

“Some nation-states have the same cyber gap in their offensive operations as the rest of the world has in defensive operations. Moreover, they face the threat of kinetic repercussions resulting from the digital attribution of a cyber-attack. Therefore, it’s conceivable that these state actors could use a wide range of tactics to mitigate these issues. This could indeed include partnering with criminal or private organizations to achieve their strategic objectives.

Because of this, we need to be careful not to interpret what little we see as definitive proof of a conclusion.

For example, the fact that stolen data can be leaked through criminal underground networks could simply indicate that a nation-state is attempting to mask a cyber espionage operation as a standard cybercriminal breach. It may also be a side effect of a criminal actor acting on a nation state’s behalf. A similar deception can occur in reverse where a criminal or terrorist group can use tactics to falsely implicate a nation-state.”

What should we make of the possibility of a nation-state potentially hacking a U.S. corporation for user emails as an act of espionage?

“For state actors, the political or strategic incentives of orchestrating such a large breach are as real as the obvious financial ones for cybercriminals. A rival state’s intelligence services could find and access the messages of individuals with political, government, military, and even corporate public profiles.

Consider the recent compromise and disclosure of Former Secretary of State Colin Powell’s personal email messages. While probably more tame than the average citizen’s messages, the public disclosure of his communications revealed statements that proved controversial in political and other government circles.

The emails of the less tame or even reckless candidate, three-letter agency chair, general, or CEO could contain material sensitive enough to destroy careers, enable blackmail, endanger a mission, or influence high-level negotiations and decisions.”

Regarding Verizon’s planned acquisition of Yahoo!, is an analysis of a company’s computer security expected as part of the due diligence in a purchase?

“It is common practice for technology companies conducting due diligence of a potential acquisition to evaluate the cybersecurity posture of that target. This due diligence often includes requesting a list of IT breaches, reviewing the results of any security audits or certifications, evaluating the company’s policies and procedures for IT security, reviewing the company’s privacy policies, and assessing the nature of personal information held by the business, among others.”

Who generally performs such an analysis? Are they paid by the buyer or the seller?

“Security-related diligence is often conducted through a combination of internal teams employed by the acquirer, and, if needed, third-party specialists. The cost of any third-party evaluation is typically borne by the acquirer.”

Would such an analysis have picked up this breach?

“The due diligence process generally requires disclosure of known IT breaches. Security audits or other evaluations conducted during the course of diligence would attempt to assess the likelihood of future breaches or potentially undiscovered IT breaches.”

What was your reaction to the prominent mention of cybersecurity in the presidential debate between Hillary Clinton and Donald Trump?

“It’s refreshing to see cybersecurity at the forefront of the national security conversation during tonight’s debate. In just a few years, we’ve seen cybersecurity go from a function of the IT back office, to the nation’s Oval Office.

While events have tended to drive government into action, more and more of our nation’s top leaders understand the cyber battlefield is as critical as land, sea, air, and space. The prominence of cybersecurity in this week’s debate is tremendous progress, with the promise of further progress to come in the coming months and years.”

The post CTO Q&A: Campaign Hacks, Yahoo! and Clinton-Trump appeared first on McAfee.

New evidence suggests DNC hackers penetrated deeper than previously thought

Consultant’s Yahoo Mail suspected of being targeted by state-sponsored hackers.

The suspected hacking of a Democratic National Committee consultant's personal Yahoo Mail account provides new evidence that state-sponsored attackers penetrated deeper than previously thought into the private communications of the political machine attempting to defeat Republican nominee Donald Trump.

According to an article published Monday by Yahoo News, the suspicion was raised shortly after DNC consultant Alexandra Chalupa started preparing opposition research on Trump Campaign Chairman Paul Manafort. Upon logging in to her Yahoo Mail account, she received a pop-up notification warning that members of Yahoo's security team "strongly suspect that your account has been the target of state-sponsored actors." After Chalupa started digging into Manafort's political and business dealings in Ukraine and Russia, the warnings had become a "daily occurrence," Yahoo News reported, citing a May 3 e-mail sent to a DNC communications director.

It was one of more than 19,000 private DNC messages posted to WikiLeaks on Friday. The massive e-mail dump came five weeks after DNC officials said hackers with backing from the Russian government had breached its network and made off with opposition research into Trump and almost a year's worth of private e-mail. The airing on WikiLeaks, which included messages in which DNC officials derided Democratic candidate Bernie Sanders, has already led to the resignation of Chair Debra Wasserman Schultz. Now, the revelations about Chalupa's Yahoo account suggest the hack may have gone deeper than previously reported.
