DNC Comms Guy Mocked Story Saying DNC Is Bad At Cybersecurity; Revealed Because DNC Is Bad At Cybersecurity

from the karma dept

Protip: maybe don’t laugh off accusations that you’re bad at cybersecurity in emails on a network that has already been infiltrated by hackers. That message did not make it through to one Eric Walker, deputy communications director for the Democratic National Committee. As you’ve heard by now, the DNC got hacked and all the emails were posted on Wikileaks. An anonymous user in our comments pointed us to a now revealed email from Walker brushing off a story in BuzzFeed, quoting cybersecurity professionals arguing that both the RNC and the DNC are bad at cybersecurity, mainly because they’re handing out USB keys at their conventions.

Reporters who registered for the Republican and Democratic National Conventions were given tote bags by convention organizers filled with instructions and logistical information. Buried inside the totes were thumb drives, also known as USB flash drives, with information on the upcoming events.

?Who does that anymore? It?s just asking to get infected with any variety of malware,? said Ajay Arora, CEO of VERA, a cybersecurity firm. ?Those thumb drives are the number one way to infect a computer? It is borderline stupidity to give them out to people, or for people to even think of using them.?

Thumb drives are known within the cybersecurity world for their fundamental security weaknesses, because when someone plugs a thumb drive into their computers they are opening up their system to anything on that drive ? from the best hotels to stay in during the Republican National Convention to a virus that silently uploads itself onto the hard drive. Neither the Republican or Democratic National Committees replied to a BuzzFeed News inquiry about the thumb drives.

That’s a reasonable assessment. It’s dumb to hand out USB keys these days and anyone should be aware of that by now. But Walker’s email sarcastically mocked this:

The thesis: we hand out thumb drives at events, which could infect the reporters/attendees’ computers. So that means that we’re bad at cybersecurity. Okay.

Well, truth be told, there are many reasons why you may be bad at cybersecurity, including the fact that you apparently let a group of hackers sit on your network for a year or more. But also, handing out USB keys is a super bad idea too.

Filed Under: , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “DNC Comms Guy Mocked Story Saying DNC Is Bad At Cybersecurity; Revealed Because DNC Is Bad At Cybersecurity”

Subscribe: RSS Leave a comment
Anonymous Coward says:

Re: Re:

Does it really matter? It’s like having a drunk orgy and wondering which one got you off. It really does not matter how because the payload WAS delivered…

There is likely more shit that happened that WILL be kept under wraps.

What IS entertaining about all of this is the faux surprise. Like the Emperors New Clothes, they were very open about their corruption, just DARED anyone to prove it, and now someone did.

Please raise your hand if you were the moron that thought the DNC were honest and upstanding folk. Congratulations, you make a terrible citizen.

Anonymous Coward says:

Re: Re: Infecting reporters

Seeing as how they were dictating the stories, I don’t really see where this would have gotten them.

It could have gotten them a “security review” that ultimately concluded they were extremely thoughtless, but that the hacking showed no evidence of criminal intent and did not warrant prosecution. 😉

Anonymous Coward says:

Re: Re: Re:

I would say this is the only reason why USB is really an issue now. Since the code is public, anyone can really create their own virus and upload new firmware: https://github.com/brandonlw/Psychson

The fact that you can backdoor every O/S with it, makes it a pretty big deal that really should have been fixed with USB 3.1 or C. Anything from cheap thumb drives, to charges could create a huge botnet now.

JoeCool (profile) says:

Re: Re: Re: Re:

That updates the firmware of the USB stick, not the computer. It’s used to do things like forbid the stick from booting, even on a computer capable of booting from a USB stick. It is NOT capable of backdooring “every” OS… in fact, it probably can’t backdoor any of them without a little help from the user (trojan horse, not a virus).

It’s fairly clear that most people have no idea how USB works in general, much less USB sticks. The danger is in people running apps that contain exploits, not viruses on the stick itself.

Anonymous Coward says:

Re: Re: Re:2 Re:

What? You upload custom firmware to the USB stick which gets run on driver loading. So depending on what you want to hack Linux, Windows, or OSX, you create a program to do whatever you want. My personal opinion would be to install a Rubber Ducky payload on a hidden partition. http://usbrubberducky.com/#!index.md
This is basically a keyboard emulator and scripting language, so you can pretty much do a lot. Some samples can even be generated quickly for windows: http://ducktoolkit-411.rhcloud.com/Home.jsp

Anonymous Coward says:

Re: Re: Re: Re:

The problem with bad USB is not the basic USN specs themselves, but rather the automatic loading and connection of the device to a driver for they type of device it identifies itself as. It is a case of convenience providing the loophole for security violations. The mitigation of this would be for the OS to query before connecting whenever it sees HID device being plugged in, except for reserved ports for mouse and keyboard. (It would be a bit difficult to authorize a keyboard when it is the keyboard you intend to use being plugged in).

Anonymous Coward says:

Re: Re:

You slightly misunderstand what Bad USB actually is. Autoplay does not factor in the attack. Bad USB’s problem is the firmware can do whatever it wants when a USB is plugged in waaaay before Autoplay is given a chance.

There is nothing stopping USB firmware from being flashed so the usb stick automatically installs a fake keyboard device that will run whatever the attacker wants you to run; go to a web page, dump data to a specific ftp server, or just open a remote shell to the victim’s system

Jason Kraftcheck says:

Are thumb drives really a security issue?

Thumb drives were a huge issue for *Windows users* for a long time not because thumb drives (or any other media) are an inherent security issue but rather because of Microsoft’s unfathomably stupid feature that auto-ran executables on media when the media was inserted. This issue existed for all media (e.g. CDs), not just usb devices. There was never an issue for Android, Linux, MacOS, etc. But I thought MS had fixed this back in Windows 7 or something such that Windows would at least ask first before running anything.

John Fenderson (profile) says:

Re: Are thumb drives really a security issue?

They are a security issue. Not as bad of one as when Windows had autoplay turned on by default, but it’s still a pretty big deal.

The main security problem with handing out thumb drives in a bulk way is that people will trust them, and are likely to go ahead and open risky documents or run programs they find on them.

If the drive they have is the one given out, that’s probably OK. But there’s no way to be sure that’s the case. If I’m handing out hundreds of drives to people attending an event, there are plenty of opportunities for hackers to leave identical-looking drives sitting around, to surreptitiously swap out good drives for bad, etc.

Anonymous Coward says:

Re: Re: Are thumb drives really a security issue?

The main security problem with handing out thumb drives in a bulk way is that people will trust them, and are likely to go ahead and open risky documents or run programs they find on them.

A secondary problem is that some people will collect them, modify what’s on them, and re-hand them out (or just leave them sitting around where they’re likely to be picked up).

David says:

Re: Are thumb drives really a security issue?

I seem to remember that another problem was that Windows wasn’t proof against intentionally crafted inconsistent file system data, so thumb drives could be made to maliciously execute code at privileged level when they were merely inserted even when auto-run was turned off.

Additional fun exploits requiring hard- and/or firmware modifications of the drive let the drive announce itself as a USB keyboard and/or talk with the actual USB keyboard in order to monitor it. Or a number of other devices that you don’t want to see in a security-relevant context.

DigDuggery says:

Re: There's a physical danger now as well...

There are now thumb drives that contain modified electronics that, once plugged in, start building up a charge inside of a capacitor, and once it’s reached full charge, discharges it through the data links, and it keeps doing it until either removed or the USB port, and probably more of the motherboard, are fried.




Whoever says:

Re: Are thumb drives really a security issue?

While malicious files on the thumb drives are the most obvious and common threat, thumb drives present a threat that is much harder to defend against, on any OS.

The thumb drive can have modified firmware such that it tells the OS that it is a keyboard. Now, anything that can be done from the real keyboard can be done by the thumb drive. On a Linux system, it won’t immediately have root privileges, but it could install a keylogger or other malicious tools to obtain root privileges.

Anonymous Coward says:

Re: Are thumb drives really a security issue?

A nickname for USB is universal security breach. Between hidden partitions, autoplay, and the fact you can attack the system before the drive is even enumerated, yes USBs from an unknown source are very bad.

At least when you buy a drive you can put some (albeit little) faith into the drive being clean because the manufacturer wants to protect their reputation. However if it is plugged in and a virus gets on it you may not even know you just created a trojan horse for the next system you plug it into.

Anonymous Coward says:

I think you misinterpret what the guy is saying.

He is being flippant, not sarcastic. It is more like a Pompeiien saying: “Oh look, Mount Etna is errupting. Perhaps we should get a broom?”

Bitching about the I.T. guy when it comes to DNC infosec, is like bitching at the barkeep about a dirty whisky glass in a whore house.

cpt kangarooski says:

Re: I think you misinterpret what the guy is saying.

It is more like a Pompeiien saying: “Oh look, Mount Etna is errupting. Perhaps we should get a broom?”

That isn’t a bad response, if that’s the way the ash plume is going. Mount Etna is located on the island of Sicily. Pompeii is on the Italian mainland, about 200 miles away as the crow flies. The volcano that the Pompeians needed to worry about was Mount Vesuvius, about 5 miles away.

Anonymous Coward says:

The problem isn't...

that a virus will “silently upload itself”. The problem is that an operating system, running on the computer into which the USB is inserted will silently execute code on the USB. Nothing on a USB stick can force a computer to do anything until something on the computer causes the code on the USB stick to be executed.

I know that some will see this as pointless pedantry, but if we continue to misunderstand problems, we will keep coming up with bad non-solutions (like laws prohibiting USB sticks rather than fixing the (massive) security flaws in some operating systems and, even worse, accepting the poor trade-offs between security and convenience that some software companies make and then trying to fix the problems thus caused by policing that ignores basic civil liberties.

David says:

Re: The problem isn't...

Your analysis is lacking in one point: you basically consider an USB stick a similar danger to a removable medium like a CDROM or a floppy disk (which may contain files for automatic execution). But a USB stick connects to a universal peripheral bus. It can present itself as a hub leading to a keyboard, a (possibly bootable) network device, a bluetooth stick and several other peripherals. That provides a whole lot more of attack vectors than just a medium would. Particularly since it can take over a bluetooth keyboard and announce itself as a USB keyboard, then log all the traffic.

There is a lot more of malice a USB-connected peripheral can do than a mere medium in a drive.

Eldakka (profile) says:

Re: Re: The problem isn't...

I think ACs point is that SOMETHING (whether it be the OS or the firmware of the host computer itself) on the host system has to initiate the running of whatever is on the USB stick, whether that be loading the USB sticks firmware or executing code on a filesystem on the stick (Autoplay), SOMETHING on the host computer has to initiate that. The USB stick’s firmware isn’t magical and can’t just make the host computer start loading the USB stick firmware. The host computer has to in some way allow that to happen.

So, the problem ISN’T the USB stick, it’s the host system that allows a USB stick to run arbitrary code, whether in USB firmware or on a USB filesystem, without any sort of security checks.

Anonymous Coward says:

Re: Re: Re: The problem isn't...

There’s multiple issues at play, first the OS has to support the USB standard, which allows for this sort of crap to happen, unsigned firmware. Second, USB vendor devices don’t implement Certificate chains and signed firmware, yes a type of DRM to prevent hackers from manipulating the firmware on the USB device.
Here’s a link to the full specs: http://www.usb.org/developers/docs/usb_31_052016.zip

So I would say it’s a failure at the specification part, specifically:
“All Enhanced SuperSpeed devices share their base architecture with USB 2.0. They are required to carry information for self-identification and generic configuration. They are also required to demonstrate behavior consistent with the defined Enhanced SuperSpeed Device States.”

Thus the firmware decides what to run, what device it is, and how it works. So anyone can create an unsigned firmware and make it run by default. There are of course limitation you can place on any OS, like root/admin permissions in Linux, OSX, and Windows to allow for network access, or access to specific files, but you might remember how well the Vista pop-ups went on desktop Windows, given Linux users usually are more forgiving on security prompts, and probably more likely to read it.

Anonymous Coward says:

Re: Re: Re:2 The problem isn't...

I guess I should clarify, even with signed certs, I could still purchase applehardwarecompany.com, and probably fool 99% of the general public on a third party USB C charger that could ask for sudo rights when plugged in. Sadly, this is just the knowledge of the public, but at least I would probably get locked down quicker by Apple, Inc.

Anonymous Coward says:

USB flash disk with malware microcode

can present itself as USB HID (read *keyboard* and/or *mouse*) to *any* OS: Microsoft, Linux, Mac OS.

If you can come up with a string of characters to type that can hack all of these OS’s, then you can take them all over.

So far, there is *no* fix for this, since there’s no way for an OS to tell the difference between an actual keyboard/mouse or a hacked flash drive masquerading as a keyboard/mouse.

Anonymous Coward says:


Serious question, since Credit card details, SSNs, et al were included in emails, did the DNC violate any State laws for PCI? While I know there isn’t any federal laws, I do know many state’s have enacted further restrictions, and this is definitely pretty bad.

The USB deal is imho rather trivial, hell, IBM was noted to distributed malware to a security conference in 2010, and it’s happened many times since then.

TheirJustFollowingFBIAdvice says:

They weren't hacked, the FBI recommends no encruption and backdoors

Perhaps it’s time to redefine what being hacked means.
The FBI over the recent years says Encryption is bad, they recommend backdoor passwords for those in the intelligence business.

So by their own logic, the DNC wasn’t hacked, it followed their own security recommendations.

I know, sassy response but it’s the new reality that the DOJ-FBI suggest right? Right? AmIRight?

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...