Many campaigns still have a naivety about cybersecurity despite a rash of high-profile hacking incidents, experts tell C&E.
From the federal government to Sony to Ashley Madison to the UCLA Health System, 2015 has seen security breaches that resulted in financial blows and damaged reputations. With free software and training widely available, black hat hackers are growing in number, and campaigns, with their troves of sensitive information, are prime targets.
“On a daily basis on our network we see evidence of attack attempts,” said Gabe Hammersmith, a systems administrator with Revolution Messaging, a Democratic digital firm consulting for Bernie Sanders. “Information security is no longer the realm of nerds with neckbeards; it’s a problem that everyone has to be invested in.”
Hammersmith said having a strong email or network password is a good start, but campaigns need to think beyond just individuals. “I can have the strongest password in the world protecting, say, my campaign finance platform, but that doesn’t matter if I share that password with a colleague over email and he has a weak password on his email or no password on his cellphone that could be left in the back of a cab.”
Campaigns, parties and candidates have been grappling with information security since before the Watergate break-in. But in the email age, the theft of sensitive information doesn’t require a team of burglars.
For instance, in 2008, Sarah Palin’s Yahoo email account was hacked by David Kernell, then a 20-year-old University of Tennessee student who was able to reset her password using publicly available biographical information. In 2012, President Obama’s and Mitt Romney’s campaigns both said they were victims of cyber attacks from domestic and international hackers.
Despite these incidents, many campaigns still retain their default or insecure configurations on technology ranging from desktops to servers to smartphones, according to JB Lee, whose firm, Sphinx Solutions, is a cybersecurity contractor for the federal government.
“The biggest trigger for any type of cyber attack is a lack of situational awareness of basic information security: Users who have weak passwords, giving adversaries a pass into brute force password cracking,” Lee said. “Network devices, such as routers, switches, and firewalls come with default settings and some folks don’t change the manufacturer-provided admin username and password. Make sure you have strong passwords or have difficult security questions, same goes for personal accounts such as Facebook or Google Plus.”
In addition to practicing “cyber hygiene,” downloading patches and software updates, and tracking changes made to the server, Lee recommends training staff to be aware of spear-phishing attacks. In Verizon’s 2015 Data Breach Investigations Report, the telecommunications giant found that 80 percent of security incidents in the public sector were attributable to human error or intentional abuse of access.
“Typical spear-phishing attacks are delivered with a malicious attachment or a hyperlink directing to a duplicitous website intended to capture user data. In most cases, attachments are embedded with an executable payload, allowing attackers an easy method to gain remote access when a user downloads and opens such a file,” Lee said.
Hackers, he added, “will weaponize the email with an attachment. Someone may be talking about a candidate and say, ‘can you review this article about this person’s social history?’ [The recipient] opens up the email, it’s a Word doc or PDF, it looks benign, but guess what? The payload has executed and your system is now compromised, [allowing] arbitrary commands to run on the user’s machine.”
That gives a hacker lateral movement in an organization’s network. “And lateral movement is really the idea. The attacker wants to acquire certain target machines. They want to get to the mail server or the main directory server that houses everyone’s credentials or they could use credentials to log into the email server as a legitimate privileged user and then they can extract every email on that server,” said Lee. “That information can now be used to blackmail that individual or employee.”
Lee said there’s been an uptick in cybercrime — data thefts, email hacking or Denial of Service (DoS) attacks — and that it’s coming from inside and outside the United States. He recommends campaigns, or their IT departments, look for secure configuration guidance from the Center for Internet Security, a non-profit focused on global Internet security, or consider hiring an outside expert to assess their vulnerabilities.
Some candidates are aware of the risk, said Vincent Harris, a digital consultant working with Rand Paul’s presidential effort.
“Security is a very real worry,” Harris said in an email. “[Campaigns] need to ensure they've created multi-device authentication on databases and emails, that passwords are unique and protected, and that information isn't easily accessible. On the Paul campaign we've hired a chief technology officer in part to help us beef up the security apparatus of our systems infrastructure.”
Scott Goodstein, CEO of Revolution Messaging, said he’s glad the issue is getting more attention in the industry.
“We are one of the few creative agencies out there that has our own security protections in-house,” he said in an email. “Sure our clients pay a little more, but they sleep better at night knowing that their online efforts are being monitored.”
While the worst fear of many candidates is a career-ending cascade of emails getting into the public domain, even a small breach can be embarrassing. For instance, Hammersmith noted that a national client recently came to the firm after the client's WordPress website was hacked and the page was used to advertise Cialis and Viagra sales.
“That website wasn’t being monitored or maintained so that allowed the hackers to use an off-the-shelf exploit to get in and change the content,” Hammersmith said. “That’s easily preventable if you have the right protections.”