Former Facebook security chief says creating election chaos is still easy

As someone who’s had a years-long front row seat to Russia’s efforts to influence US politics, former Facebook Chief Security Officer Alex Stamos has a pretty solid read on what we can expect from the 2018 midterms. Stamos left the company last month to work on cybersecurity education at Stanford.

“If there’s no foreign interference during the midterms, it’s not because we did a great job,” Stamos said in an interview with TechCrunch at Disrupt SF on Thursday. “It’s because our adversaries decided to [show] a little forbearance, which is unfortunate.”

As Stamos sees it, there is an alternate reality in which the US electorate would be better off heading into its next major nationwide voting day, but critical steps haven’t been taken.

“As a society, we have not responded to the 2016 election in the way that would’ve been necessary to have a more trustworthy midterms,” he said. “There have been positive changes, but overall security of campaigns [is] not that much better, and the actual election infrastructure isn’t much better.”

Stamos believes that it’s important to remember that foreign adversaries can’t dictate the outcome of an election with any kind of guarantee. What they can still do — and what he calls his “big fear” — is mess everything up in a way that calls the entire system into question.

“In most cases, throwing an election one way or another is going to be very difficult for a foreign adversary but throwing any election into chaos is totally doable right now,” he said. “That’s where we haven’t moved forwards.”

Stamos gave examples of attacks on voter registration sites that lose voter data or denial-of-service attacks on the day of elections.

“With a disinformation campaign at the same time, you can make it so that you have half the country that thinks the election was thrown,” he said.

To a foreign adversary seeking to undermine US democracy, creating that kind of doubt isn’t very technically difficult. Even with no votes changed and no voting systems breached, a little doubt goes a very long way toward accomplishing the same goals as a more sophisticated hacking campaign.

Stamos cites new ad funding disclosures as one substantive change that will help make US democracy healthier, but more efforts need to be taken.

“Russian interference or not, we do not want a future where campaigns and candidates are cutting up the electorate into smaller and smaller pieces — so I think ad transparency is the first step there,” he said.

In some cases, those efforts will require a major shift in the way both the US government and private social media companies have conducted themselves. For one, as he wrote in Lawfare, the US needs “an independent, defense-only cybersecurity agency with no intelligence, military or law enforcement responsibility” rather than a patchwork of agencies each partially responsible for cybersecurity defense.

The news may not be great for 2018, but a strong dose of realism now will amplify the clarion call to do better before 2020.

Attempted DNC voter database hack was a false alarm, security chief says

An apparent hacking attempt on the Democratic National Committee’s voter database was a false alarm, the organization has said.

CNN and the Associated Press reported on Wednesday, citing an unnamed party official, that the political organization was warned of an attempt on its systems. DNC officials contacted the FBI after Lookout, a security firm, detected and reported a phishing page that replicated a login page for NGP VAN, a technology provider for Democratic campaigns.

But the party’s security chief quickly reversed its position Thursday, confirming that the phishing page was “simulated.”

“The test, which mimicked several attributes of actual attacks on the Democratic party’s voter file, was not authorized by the DNC… or any of our vendors,” said Bob Lord, DNC’s chief security officer, in a statement.

Just a day earlier, he briefed Democratic officials on the apparent incident in Chicago on Wednesday.

It’s believed that the Michigan Democratic Party asked a third party to conduct the test without clearance or authorization from the DNC, according to one reporter.

In the case of phishing attacks, hackers attempt to obtain the username and password for sensitive internal systems by tricking staff into entering their credentials on spoofed sites. Hackers can then reuse those credentials to log in themselves.

Mike Murray, Lookout’s vice president of security intelligence who originally informed the DNC of the phishing page, said in a tweet that, “you don’t know that they’re false until you’ve showed up to investigate.”

It’s not uncommon for political parties to store vast amounts of information on voters. Political parties and national committees often use the data to target voters with political messaging.

In recent years, several voter databases have leaked or were exposed on unprotected servers for anyone to find.

Earlier this week, Microsoft said it thwarted an attempt by a Russian-backed advanced persistent threat group known as Fancy Bear (or APT28) to steal data from political organizations.

Updated on August 23: with new information from the DNC. This story and its headline have been updated.

Russian hackers already targeted a Missouri senator up for reelection in 2018

A Democratic senator seeking reelection this fall appears to be the first identifiable target of Russian hacking in the 2018 midterm race. In a new story on the Daily Beast, Andrew Desiderio and Kevin Poulsen reported that Democratic Missouri Senator Claire McCaskill was targeted in a campaign-related phishing attack. That clears up one unspecified target from last week’s statement by Microsoft’s Tom Burt that three midterm election candidates had been targeted by Russian phishing campaigns.

The report cites its own forensic research in determining the attacker is likely Fancy Bear, a hacking group believed to be affiliated with Russian military intelligence.

“We did discover that a fake Microsoft domain had been established as the landing page for phishing attacks, and we saw metadata that suggested those phishing attacks were being directed at three candidates who are all standing for elections in the midterm elections,” Burt said during the Aspen Security Forum. Microsoft removed the domain and noted that the attack was unsuccessful.

Sen. McCaskill confirmed that she was targeted by the attack, which appears to have taken place in August 2017, in a press release:

“Russia continues to engage in cyber warfare against our democracy. I will continue to speak out and press to hold them accountable. While this attack was not successful, it is outrageous that they think they can get away with this. I will not be intimidated. I’ve said it before and I will say it again, Putin is a thug and a bully.”

TechCrunch has reached out to Sen. McCaskill’s office for additional details on the incident. McCaskill, a vocal Russia critic, will likely face Republican frontrunner and Trump pick Josh Hawley this fall.