Leaked DNC Emails Show Lax Cybersecurity
Emails Suggest Officials Needed Basic Information Security Training
The WikiLeaks release of 19,252 emails stolen by hackers from the Democratic National Committee's computer systems has lurched the party into crisis, showing just how deep an impact data breaches can have on an organization. A look at the emails gives insight into the organization's cybersecurity practices, as well as its view of the threat landscape.
A hacker going by the nickname Guccifer 2.0 claimed to have stolen the emails and other material from the DNC's network (see Lone Hacker Claims to Have Breached DNC). But prior to his claim, the DNC's appointed cyber forensics firm, CrowdStrike, said two Russian hacking groups had access to the DNC's network for more than a year, through early June (see Report: Russia's 'Best' Hackers Access DNC's Trump Research).
Guccifer 2.0 published some of the stolen material on a WordPress site, and he said he'd passed it to WikiLeaks.
Hillary Clinton's campaign has charged that the information was released by Russia to cause discord in the Democratic Party, boosting Republican Donald Trump's electoral position, according to the Washington Post. It's unclear if Guccifer 2.0 was working with one of the Russian groups or represents a third intruder in the DNC's network.
The emails, some of which are alleged to show bias against candidate Bernie Sanders by committee officials, have already caused the resignation of Debbie Wasserman Schultz, the DNC's chairwoman, and more turmoil may be coming ahead of the party's convention, set to start July 25 in Philadelphia (see Analyzing Clinton's Positions on Cybersecurity, Privacy).
'We've Been Hacked! But It's OK'
WikiLeaks has made the correspondence of seven top DNC officials searchable by keywords. A search by Information Security Media Group finds many examples of personally identifiable information leaked, plus other emails that indicate a lack of basic knowledge about information security practices.
An attachment to one email contained a PDF of a letter from the IRS to a top DNC official notifying him of an overdue tax penalty. The notice includes the official's full Social Security number.
In another example, the DNC reminded participants scheduled to attend a June fundraising dinner with President Barack Obama that the Secret Service needed personal information ahead of the event. Participants were asked to send their full names, birth dates, occupations and current employers, addresses and Social Security numbers.
Many people replied by email. Ironically, recipients were advised by the DNC that they could supply their details over the phone if they "do not feel comfortable putting all of this information in an email."
Another email shows a general disregard for password security. It involves Factivists.democrats.org, a blog funded by the DNC that's designed to refute false campaign claims. Rachel Palermo, a press assistant with the DNC, sent an email on April 29 warning that Factivists had been hacked.
"We have been compromised!" she writes. "But it's all ok. Here is our new password: 'HHQTevgHQ@z&8b6'. It will now change every few weeks to prevent future issues. So as it is re-set, I will forward it along."
The DNC would get points for creating a strong, complex password. But a strong password is useless when it's sent to email accounts that have been compromised. Palermo sent the email to "regionalpress@dnc.org," a group email address.
What's Wrong with USB Drives?
Other emails provide clues to how the DNC viewed cybersecurity. The organization's deputy communications director, Eric Walker, sent an email on May 5 to another group email address for the organization's press unit.
The email - subject line: "The dumbest thing I've ever read" - included the headline of a Buzzfeed story, "These Experts Think The DNC And RNC Are Both Horrible At Cybersecurity." Cybersecurity experts criticized the Democratic and Republican National Committees for giving out USB drives at events.
Walker disparaged the story. "The thesis: we hand out thumb drives at events, which could infect the reporters/attendees' computers," he writes. "So that means that we're bad at cybersecurity. Okay."
In fact, handing out USB drives is a terrible idea, especially in retrospect for the DNC. One Russian group, nicknamed Cozy Bear, was apparently inside the DNC's network since mid-2015, according to CrowdStrike, which believes that Cozy Bear may be linked to the FSB, Russia's state security service.
CrowdStrike says the other group in the DNC's network, called Fancy Bear, gained access in April and focused on collecting the DNC's research on its opposition, including Donald Trump. By rooting around in the DNC's network, either group would have likely been able to learn if the DNC was loading USB drives for events and possibly try to corrupt the process by implanting malware.
If successful, that kind of attack could have allowed the hackers to diversify their range of compromised targets with minimal effort.
A variation of such an attack has been publicly described before. Kaspersky Lab discovered that CDs mailed to attendees of a scientific conference in Houston, containing conference material, also carried two zero-day exploits and a rare type of malware backdoor. The plot came from the so-called Equation Group, a suspected NSA project.