[LACryptoparty] Security Trainers + Campaigns

[Tim Schwartz]

All,

There is a nice op-ed by a security trainer on the road with a few campaigns. It's worth a read and highlights why digital security evangelism is important. Also has a few baselines to making your life more secure.
https://www.washingtonpost.com/outlook/2018/09/04/im-teaching-email-security-democratic-campaigns-its-bad/?utm_term=.2c4f243836cf

For those of you that don't have a washington post account, I've included the full text below. 

Cheers,
Tim

--------------------------------------------

I’m teaching email security to Democratic campaigns. It’s as bad as 2016.
Someone — the government or Silicon Valley — needs to step in to help.

By Maciej Ceglowski
Maciej Ceglowski is a security trainer and the founder of Tech Solidarity, a San Francisco nonprofit.
September 4 at 6:00 AM

For the past eight months, I’ve been traveling the country in a sometimes quixotic attempt to train congressional campaigns about email security. On one recent trip, I asked a Democratic campaign manager how he was keeping track of his personal passwords. When he hung his head, I knew what was coming.

“I use the same password for every site,” he confessed. He told me about a moment of panic when a college friend who shared his password on a sports site logged in to his Gmail account as a joke. Google noticed the out-of-state login and sent him a security alert. In the minutes before the friend admitted to the prank, he saw his career flash before his eyes.

A manager on a different campaign told me he was still using Yahoo for his personal email, even though the company was famously breached in 2014 by hackers linked to Russian intelligence. When I pressed him on this, he said he was aware of the breach but figured Google would now be the bigger target. He fancied himself to be hiding in plain sight.

Anyone who works in IT can tell stories about inventive ways people use and misuse computers. Political campaigns are no different. What truly shocked me after talking to over two dozen campaigns was that no one else was coming to talk to them about security.

I never expected to find myself playing the role of security trainer. My involvement with politics started shortly after the election, when I began visiting rural congressional campaigns to help progressive candidates with fundraising. As a self-employed programmer, I was able to travel and serve as a kind of political truffle pig for tech workers who wanted to donate to candidates but didn’t know where to begin.

Being a nerd, I couldn’t resist asking how the campaigns I visited were defending against the kind of online threats we had seen in 2016. That’s when I discovered just how little information was getting through to the people who needed it most.

Why are campaigns still struggling with basic security after two years of constant news reports about the dangers of political hacking?

[Here's how to keep Russian hackers from attacking the 2018 elections]

One problem is that campaign security isn’t anyone’s job. The Department of Homeland Security offers training through its National Cybersecurity and Communications Information Center (NCCIC) in theory, but it has shown little appetite for the topic in practice. The NCCIC’s audit and assessment services are targeted at large federal agencies, not small groups of people driving around Iowa. Campaigns that reach out to NCCIC get an email outlining options like a “six-week phishing vulnerability assessment” or an “audit of internal network security,” neither of which is much help to a campaign working off personal devices, seven weeks before an election.

The Democratic Congressional Campaign Committee, deeply anxious about campaign security, distributes a nonpartisan tech playbookdeveloped in conjunction with the Harvard Belfer Center. The playbook is meant to be a basic guide that any campaign can follow, and from a technical point of view, it is unimpeachable.

But it focuses almost entirely on protecting campaign data, such as financial reports or opposition research. When it comes to safeguarding staffers’ personal accounts, the handbook only suggests that they “enlist professional input from credentialed IT and cybersecurity professionals as needed.” This is as useful as telling a potential cholera victim to hire a microbiologist.

With no IT staff and with no budget for hiring consultants, most campaigns need specific and positive advice about locking down personal accounts, the digital security equivalent of “wash your hands, boil your water.”

We know from 2016 that personal accounts, not campaign accounts, present the most inviting target. The 50,000 emails Russian intelligence harvested from Hillary Clinton adviser John Podesta’s personal Gmail account were a mix of work-related correspondence, strictly personal notes to friends and family, administrivia, communications with reporters and the occasional funny forward. Russian hackers put those emails to devastating political use, releasing them in dribs and drabs over a period of weeks to stay in the news.

Having seen how successful these attacks were, our adversaries have every incentive to try them again.

[Why the FBI wants you to reboot your router, and why that won't be enough]

This knowledge gives us an advantage, though: We know who could be at risk, where those attacks are likely to come from, even the techniques our adversaries will deploy against us. The grand jury indictment of 12 Russian intelligence officers this summer on charges related to the 2016 election hacking as a result of special counsel Robert S. Mueller III’s investigation shows that the government already understands the threat in detail.

The threat we face is not some exotic cyberweapon, but the bane of IT departments everywhere: phishing and malicious email attachments. Effective countermeasures against both these types of attacks exist. But too few people know about them, and no one is showing working campaigns how to use them.

The best protection against phishing is a device called a security key, a small plastic tab that resembles a thumb drive. The key can’t be tricked by impostor websites the way the human eye can, and there’s no way an attacker can log in to a protected website without it, even if they learn your password. Google embraced the technology after its own engineers became the target of state-sponsored attacks, and it’s extremely effective. The keys cost less than $20.

But I have yet to meet a campaign that uses security keys. I carry a sack of them, like Johnny Appleseed, and ask staffers to put one on their keychain in hopes that others will ask about them.

The best countermeasure against malicious attachments is to avoid using attachments at all, and share links to cloud-hosted documents instead. Like all abstinence advice, though, this is easier to give than to follow. Two weeks ago, after a hacking scare, the DCCC sent an urgent email to all campaigns titled “Reminder About Cybersecurity.” That email included three attachments, one of them advising not to send or open email attachments. This is the digital equivalent of getting a ticking package from the FBI to warn you about the danger of letter bombs.

The DCCC is not alone in its attachment addiction. All the campaign security training I’ve seen, from any source, has been delivered via email attachment.

Since attachments are unavoidable, campaigns have to learn to open them safely by uploading them to a cloud service like Microsoft OneDrive or Google Drive. Viewing files on those services is like performing a dangerous experiment behind bulletproof glass — the user still has a chance to see the results, but if something blows up, it can no longer hurt them.

Setting campaigns up with security keys and training them on safe attachment handling are the most effective steps we can take to prevent a repeat of the Podesta attacks. Those in the best position to help in the weeks before the elections may be the big tech companies, which have the necessary resources and are used to acting quickly.

Someone — the government, the political establishment, Silicon Valley — needs to send trainers to campaigns in person. Firms like Google and Microsoft should also set up a dedicated phone support line that can resolve issues quickly. Knowing that such help is available will make it easier for campaigns to adopt new habits.

Google, which runs much of the nation’s email infrastructure, can take unilateral measures to protect candidates and their staff. In particular, it should set up a list of accounts that need heightened scrutiny and converts all incoming email attachments to Google docs, and let campaigns submit names of staffers for the extra protection.

Microsoft could help by expeditiously adding support for security keys in Outlook and its cloud document service. This feature is already scheduled to roll out next year, but making it available to campaigns today would make any political organizations that rely on Microsoft services significantly safer.

Taken together, these efforts could shore up every House, Senate and gubernatorial campaign in the country in a matter of weeks. The total cost of such a program would be in the hundreds of thousands of dollars — negligible compared to the sums already pouring in to political campaigns. The situation is an emergency, but it need not become another disaster.

The 2018 midterms will decide many things — the political direction of the country, who oversees the 2020 Census, perhaps even the fate of the presidency. Protecting the integrity of those elections protects our democracy. It needs to be our top priority.