Lessons Learned Trying to Secure Congressional Campaigns

Really interesting first-hand experience from Maciej Cegłowski.

Posted on June 5, 2019 at 6:40 AM • 10 Comments

Comments

Clive Robinson • June 5, 2019 9:07 AM

I think that,

    I want to now hand over to you, the next person willing to take a swing at this piñata of futility.

Might just rate as the political quote of this closing decade, and might be good enough for the opening of the next decade of lunacy in the executives of the West.

rJ • June 5, 2019 10:44 AM

If one eliminates the specifically political stuff, this could almost be any security education situation. People at the top must buy into the security efforts or the rest of the team will just ignore the whole thing and go about their business the way they always did. The class should be a tutoring session for that top person. It is not so much to educate him as to how to do it, but why to do it. Scare him to death with the potential consequences of a security failure.

mark • June 5, 2019 11:40 AM

On the one hand, the way he describes getting into a campaign works absolutely just as well for a mole.

He also seems to be an Apple junkie. Yep, let's spend a hell of a lot more for very overpriced commodity hardware. And there are a lot of people attached to their Android... so, how about a whole thing on how to secure it? Nahh, just force Apple on them.

There's also his slowly developed approach, without some obvious suggestions to get people's attention. For example, one of my manager's lines - and I'm a sr. Linux sysadmin - is "we do not EVER want to be on the front pages of the Washington Post." If you're working on a non-GOP campaign, I'd think in terms of "we do NOT want to be a story on Faux News."

Oh, and stand up, and force everyone to go through setting up, an automated "forgot my password/locked myself out" system.

Personally, I'd also add the DO NOT EVER USE HTML EMAIL!!!!! You're sending information, you can type it in plain text.

Evan • June 5, 2019 3:00 PM

@rJ:

In my experience buy-in from the top is a necessary but insufficient condition. People at all levels but especially line management need to adopt a security-first posture, because a) that's how you minimize security-usability tradeoff friction, and b) otherwise the people towards the bottom are going to cut corners.

JG4 • June 5, 2019 7:20 PM

File under "further evidence of the author's thorough understanding, willingness and ability to communicate same."

JG4 • April 3, 2018 8:22 PM
https://www.schneier.com/blog/archives/2018/03/friday_squid_bl_618.html#c6773372

@albert - I think that you'll get some entertainment from this excerpt. The whole article is insightful and well written.

Class Warfare
“Notes from an Emergency” [Maciej Cegłowski, Idle Words].
http://idlewords.com/talks/notes_from_an_emergency.htm

Yves Smith from NakedCapitalism comments:

This is really a must-read; it’s an angle on the tech world (and Haygood’s Five Horsemen) that we rarely see. Here’s a sample, and save us from squillionaires with bright ideas:

Given this scary state of the world, with ecological collapse just over the horizon, and a population sharpening its pitchforks, an important question is how this globalized, unaccountable tech industry sees its goals. What does it want? What will all the profits be invested in?

What is the plan?

The honest answer is: rocket ships and immortality.

I wish I was kidding.
...

Drone • June 5, 2019 7:48 PM

"You have to accept the fact that computers are broken, software is terrible, campaign finance is evil, the political parties are inept, the DCCC exists, politics is full of parasites, tech companies are run by arrogant man-children, and so on."

Man, it must be horrible to be Maciej Cegłowski (the Author of the piece). His article left me with a very dark world view that took around fifteen minutes to wear off.

I've worked in and around political campaigns before and the impression I came away with was overall quite positive. I encountered good honest people who believed they were doing something beneficial for their society and country. For the most part they followed instructions and acted responsibly. The IT systems were reasonably secure and well maintained. There were no servers stashed in someone's basement - no thousands of lost Emails - no Russians in your monitor staring back at you.

I dunno, maybe I just got lucky. Or maybe it's the company I choose to keep.

Petre Peter • June 6, 2019 7:50 AM

I agree that security training and dentistry have a lot in common. It's also true that getting punched in the face ruins your plans. However, you never get hit if you see it coming. Therefore, anticipation is one of the most important aspects of security.

A90210 • June 6, 2019 3:16 PM

From the OP: "Things that went badly ...

Attempts to work with the DNC and DCCC. The national party was so unhelpful that in the end I had to treat them as part of the threat model. Particularly vexing was their addiction to sending email attachments.

To cite one small example: on August 22, the DNC had a phishing scare, where they mistook a vulnerability assessment for an actual attack. The next day, DCCC Executive Director Dan Sena sent an email to all campaigns with the subject line "Reminder About Cybersecurity". That email included three attachments, including a file evocatively titled "2—20170712—Falcon.docx".

I can't think of a more efficient way to compromise every campaign in the country than blasting security alerts with dodgy attachments from the DCCC email account.

The DCCC sent out attachments constantly. It drove me nuts. And I was never able to get a meeting with anyone there to slug it out."

A90210 • June 6, 2019 3:30 PM

https://www.nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html

"WASHINGTON — When Special Agent Adrian Hawkins of the Federal Bureau of Investigation called the Democratic National Committee in September 2015 [ 2015 ] to pass along some troubling news about its computer network, he was transferred, naturally, to the help desk.

His message was brief, if alarming. At least one computer system belonging to the D.N.C. had been compromised by hackers federal investigators had named “the Dukes,” a cyberespionage team linked to the Russian government. [IIRC SVR here (Cozy Bear) [1,2]]

The F.B.I. knew it well: The bureau had spent the last few years trying to kick the Dukes out of the unclassified email systems of the White House, the State Department and even the Joint Chiefs of Staff, one of the government’s best-protected networks.

Yared Tamene, the tech-support contractor at the D.N.C. who fielded the call, was no expert in cyberattacks. His first moves were to check Google for “the Dukes” and conduct a cursory search of the D.N.C. computer system logs to look for hints of such a cyberintrusion. By his own account, he did not look too hard even after Special Agent Hawkins called back repeatedly over the next several weeks — in part because he wasn’t certain the caller was a real F.B.I. agent and not an impostor.

“I had no way of differentiating the call I just received from a prank call,” Mr. Tamene wrote in an internal memo, obtained by The New York Times, that detailed his contact with the F.B.I. ..."

[1] https://www.cbsnews.com/news/dutch-intelligence-us-fbi-russian-hacking-cozy-bear-democratic-national-committee/

[2] https://en.wikipedia.org/wiki/Cozy_Bear

[3] https://www.forbes.com/sites/thomasbrewster/2017/02/16/dnc-fancy-bear-russia-hackers-mac-malware-hacking-team-fbi-fsb/ - IIRC later, 2016, GRU, Fancy Bear
