First, I would like to thank you for reading this blog post. It is the first of two, maybe more, parts. Before we get started, read the three disclaimers below.
Disclaimer 1: The opinions and ideas expressed in this blog post are mine and mine alone. They do not represent those of my employers: past, present, or future.
Disclaimer 2: The purpose of this blog post series is to shed light on the issues of Cybersecurity & the US 2016 Presidential Election. This is not a venue to bash or endorse one candidate or another. Any statement of a candidate being in support of or in opposition to a measure or topic will be associated with cited evidence.
Disclaimer 3: I am writing this blog to explore the interrelation of Cybersecurity and the Election and vice versa; nothing more.
Cybersecurity & the US 2016 Presidential Election Relevant Events
This is bound to be a historic election, no matter what. While I make it a point to avoid politically biased discussions on this forum, I wanted to take a minute and reflect on how Cybersecurity will impact this election. By that I mean how online activities, breaches, hacks, (D)DoS attacks, social engineering, etc. will play into the election itself.
We are already starting to see part of this via the dumps of the DNC emails (CAUTION: Browse at your own risk) and Clinton emails (CAUTION: Browse at your own risk) on WikiLeaks (CAUTION: Browse at your own risk). At the time of this writing, there are about 12,000 emails from the DNC (Democratic National Committee) and 30,000 emails from Hillary Rodham Clinton’s (HRC) clintonemail.com mail server. Those from HRC’s server allegedly contain emails of various US Government data classifications up to (and presumably) “Above Top Secret.” I will come back to this.
Trump Hotel Breach
While Hillary is at the forefront of the Cybersecurity issues with her server, Donald Trump’s team is not immune. In October 2015, Trump’s hotel chain was breached. Here is Trump Hotel Collection’s statement. This was also listed in a July 2015 report by Brian Krebs that stated that luxury hotels were being breached.
Is that as damning as the 30,000 emails? No. But, it does illustrate that both candidates of the traditional two parties have had their share of cyber blunders.
Attempts to find any cyber attacks or other relevant information about the businesses or interests of Gary Johnson and Jill Stein were unsuccessful. In other words, I am not saying that they weren’t attacked in some way, shape, or form; but rather, if they were, I could not find it.
Clinton Email Scandal
The FBI found in their investigation that she did not have “malicious intent” but was extremely negligent in her handling of classified material. In Director Comey’s statement, he is quoted on the record as saying the following:
- “…when one of Secretary Clinton’s original personal servers was decommissioned in 2013, the e-mail software was removed. Doing that didn’t remove the e-mail content…”
- From the group of 30,000 e-mails returned to the State Department, 110 e-mails in 52 e-mail chains have been determined by the owning agency to contain classified information at the time they were sent or received. Eight of those chains contained information that was Top Secret at the time they were sent; 36 chains contained Secret information at the time; and eight contained Confidential information, which is the lowest level of classification. Separate from those, about 2,000 additional e-mails were “up-classified” to make them Confidential; the information in those had not been classified at the time the e-mails were sent.
- Because she was not using a government account—or even a commercial account like Gmail—there was no archiving at all of her e-mails, so it is not surprising that we discovered e-mails that were not on Secretary Clinton’s system in 2014, when she produced the 30,000 e-mails to the State Department.
- Although we did not find clear evidence that Secretary Clinton or her colleagues intended to violate laws governing the handling of classified information, there is evidence that they were extremely careless in their handling of very sensitive, highly classified information.
- There is evidence to support a conclusion that any reasonable person in Secretary Clinton’s position, or in the position of those government employees with whom she was corresponding about these matters, should have known that an unclassified system was no place for that conversation.
- With respect to potential computer intrusion by hostile actors, we did not find direct evidence that Secretary Clinton’s personal e-mail domain, in its various configurations since 2009, was successfully hacked. But, given the nature of the system and of the actors potentially involved, we assess that we would be unlikely to see such direct evidence.
DNC Email Scandal
The Democratic National Committee has certainly [unintentionally] embarrassed itself. The trove of 12,000 emails comes from various players in the DNC, from Debbie Wasserman-Schultz, Luis Miranda, and Erik Stow to Kanye West’s agent. Many of the emails are innocuous banter about various day-to-day functions. However, many include evidence of “stacking the deck” to ensure that Hillary won the primary. Examples include omission of Sanders nominations for various committees and sub-committees, a campaign to question Sanders’ religion in southern states, and previewing and requesting modification to stories on various sites. There is evidence that the DNC communicated with Politico, Washington Post, Sky Advisory Group, and Debbie Wasserman-Schultz via her gmail account (which is not hard to spot if you look).
Apple versus the FBI
I am sure you remember the debacle of Apple versus the FBI. After an act of terrorism, the FBI took Apple to court to demand that they help them gain access to the phone, and Apple obliged. When the FBI demanded that the method to gain access be a modification to the actual operating system, thus creating a back door to ALL iOS devices (iPhones and iPads), Apple denied the request. The case was at the forefront of national attention, with Microsoft, Google, and Facebook supporting Apple. This was further compounded by Comey’s testimony to Congress saying that the FBI needed access to all cryptosystems used in the United States.
My Analysis of Cybersecurity & the US 2016 Presidential Election
Clinton Email Scandal
Back to HRC: I am not necessarily buying the “ignorance card.” She signed the same SF-312 that everyone being read into a security clearance level must sign. While it is written in “Legal-ese,” she is a lawyer and should be able to comprehend the verbiage better than most of us. There are numerous briefings required for each clearance level that are written at about the 4th or 7th grade level, so these issues [theoretically] do not happen [often], and so the “ignorance card” is Trumped (while not a Trump supporter, pun intended).
So, from a FISMA perspective, the CIO, SISO (CISO), and almost any GS-14 to SES employee in the Acquisition, IT, or Cybersecurity chain of command should also be on the chopping block. There were plenty of people with the opportunity to blow the whistle or propose an alternative, but (seemingly) none did. Government employees (and even contractors) go through rigorous training to let them know all the things they can and cannot do. Personnel in positions that could either perform the actions to set up clintonemail.com or authorize their subordinates to do so are not immune to that training. In fact, they have additional training requirements.
In looking through the dump, it appears as if the server has been up and running (through various iterations and physical servers) since 2009. This circumvents any record retention requirements of the National Archives and Records Administration (NARA), except for those emails sent to/from state.gov and other government email domains. This is also illegal.
Director Comey stated that there was no evidence of any cyber attack. While that seems like the silver lining, it is not. That means that anyone who gained access to the system was that good. Rookies leave evidence all the time. That’s why people (like me) are certified as Incident Handlers and Incident Responders. If the FBI’s forensic team didn’t find anything, that (to me) indicates a nation state level of sophistication and complexity in the attacks. It is highly improbable that a server running WITHOUT security monitoring for 7 years over a commercial Internet Service Provider (ISP) was never breached. I would venture to say you have a better chance of being hit in the head with space debris.
DNC Email Scandal
I will use the previous statement about the improbability of no cyber attack over 7 years as a segue to the DNC emails. A hacker by the name of Guccifer 2.0 (Twitter: GUCCIFER_2) is taking credit for the DNC email breach. Crowdstrike believes that two separate Russian intelligence teams were in the DNC servers as well, but that does not necessarily negate that Guccifer 2.0 was first or was the one that leaked the emails. The Crowdstrike theory is logical when paired with Director Comey’s statement about no traces of attack, when assessed as a possible pivot from Clinton’s email server.
The attack itself is not surprising, but the content of the emails certainly worries many people. The supporters of Sen. Sanders are able to openly see their own party’s betrayal of them: the very thing that Bernie and his supporters campaigned against is the very thing happening. Frankly, it’s sickening. Seeing the openly racist conversations mocking Trump using the term “Cinco de Mayo Taco Bowl” further shows the party alienating its constituents.
When compounded with HRC not facing charges for the classified material on the email server, faith in the democratic system is diminishing. If someone or a group of people are willing to go to those lengths to ensure nomination, how far will they go to ensure they win? I would rather not know/find out the answer.
Apple versus the FBI
We have our theory about how Apple “helped” the FBI. It appears as if Apple quietly released an unsigned update, not pushed to users, that allowed the FBI and other agencies to exploit a lock screen vulnerability on the targeted systems. This, in my opinion, was an attempt to set a precedent for strong-arming businesses into coding back doors into software at the request of governments. As we’ve seen with the IRS, OPM, DNC, HRC, and so on (check out our archive), the federal government is not the best at security; giving them access to a backdoor will likely allow malicious foreign attackers access nearly immediately. If the good guys have the back door, the bad guys probably do too.
The long term effect of this is that people were able to comprehend the issue at hand and understand the overreach. Comparatively, this was not complicated (in principle) like other controversial topics of early 2016 (e.g., the SCOTUS ruling on Gay Marriage – 1st and 15th amendments). People saw this as government overreach, and it caused a rift of distrust in the government and its spying efforts (as uncovered by Snowden and others). While it could be a separate sub-topic, this was compounded by the FBI’s use of warrants issued by judges outside their jurisdictions, especially in child pornography cases.
NOTE: I WILL NEVER SPEAK ILL OF THOSE CYBERSECURITY AND LAW ENFORCEMENT PROFESSIONALS THAT APPREHEND AND INVESTIGATE CHILD PORNOGRAPHY. I could never do that.