Thursday, November 6, 2008

Obama's and McCain's campaigns hacked

You've probably seen this elsewhere, so I won't go very much into what happened.
The computer systems of both the Obama and McCain campaigns were victims of a sophisticated cyberattack by an unknown "foreign entity," prompting a federal investigation, NEWSWEEK reports today.
What I do want to spend some time on is how this happened, who might have done it, and why this isn't something that is likely to happen to you.

Most malware is untargeted. It goes out in spam, or is planted on compromised web servers. While there's tons of old worms still sloshing across the Internet, it's all from compromised computers where nobody's paying attention. If you have your firewall turned on, and if you follow some basic security hygene, you'll be moderately well off.

But not if you're a high visibility target.

This really shouldn't be surprising. An average person can have very good real world security by being careful where he or she goes (no bad neighborhoods or dark parking garages), and maybe getting a concealed carry license. The President needs Secret Service bodyguards.

More folks are interested in the POTUS than are interested in little old me, and more folks would be willing to invest resources into an attack on POTUS than on me (hopefully that number is zero for me; I don't expect it is for POTUS). As a result, my security precautions are way, way less rococo. The same thing applies in Cyberspace.

Suppose you were able to break into the high security cyber compound that is Chez Borepatch. Other than #1 Son's stash of MP3s, and the stash of Dr. Who fan fiction, there's not a whole lot you'd get for your trouble. Now imagine that you could break into the Obama or McCain campaign networks. Think that there's something more interesting there?

As the value of the target goes up, so does the amount of resources that a Determined Adversary (DA) is willing to invest. This is why NSA is air-gapped: the NSA network isn't actually attached to the Internet (well, it's not supposed to be). is a marketing portal; hacking it won't make you Hacker Jesus, although it likely will get you some up close and personal attention from the Men In Black. Remember, kids, they know how to shoot.

To defend a high visibility site (like the Obama or McCain campaigns), you need a serious security budget. You get hardware and software (corporate firewalls, Virtual Private Networks, Intrusion Detection Systems, etc), but you also get smart people to set it up and run it. Or you should, anyway. Just like safeties on firearms, the best computer security tool sits between your ears.

But even with all of this, it's very possible for your Determined Adversary (DA) to penetrate your defenses, and that's what occurred here. Note that I have no idea whether either campaign had an adequate computer security plan; there's a good chance that they didn't, but it may not have mattered much.

Consider the different classes of DAs. There are several, of differing levels of danger.
  1. Non-determined Adversaries. These are people who stumbled across some exploits but really don't understand how to attack anything (script kiddies), or people who know how to attack you but have better things to do*.
  2. DAs who are afraid to do so. These are people who know how to attack you but are deterred from doing so (no FBI work, thank you very much). There are an awful lot of prople involved in cyber crime who won't touch this sort of work, because those that do find themselves in a world of hurt.
  3. DAs that are Foreign Governments. Which is basically all of them (Governments are DAs, not the other way around). These have several advantages: they are geographically remote, politically beyond our jurrisdiction (that's the definition of "foreign", Scooter), and (relatively) well funded. Even "friendly" governments ([cough] France [cough]**) have a long history of this. As the Intelligence Service folks like to say, "There are friendly governments, but there are no friendly Intelligence Agencies."
My opinion is that, excluding grotesque incompetence, #1 is out. The fact that both campaigns were hacked means that this wasn't accidental. I also believe that scenario #2 is out. There's a ton of organized crime behind hacking activity, but there's so much money to be made that the big fish don't want anyone peeing in the punchbowl. As the current VP might say, somone took a leak, Big Time.

This means that what we're looking at is international espionage, folks. And it could be anyone from the Usual Suspects (Russia, China, Iran) to the Unusual Suspects (UK, France, Israel).

So the story is juicy, but you're not very likely to be a target of this sort of thing. Me, I think that's a Very Good Thing Indeed.

So why did I say that it didn't make much difference whether the campaigns did a lot of electronic security? Because if the KGB FSB wants to break in to your stuff, they are likely to succeed. This doesn't excuse negligence, but at this point you're playing in a league that only governments can win in. The best that the Obama and McCain campaigns could have done is a better job of detecting that they got hacked.

* While I have some knowledge of attack techniques, I'm a lousy hacker. Besides, I Only Use My Powers For Good.

**Lest you think that I'm France-bashing, the French Secret Service famously bugged the first class seats in Air France.

No comments: