Friday, August 24, 2018

Michigan Democrats Screw Up Hacking Test

We're at DEFCON 1 people!!! This is not a drill!!!! This is not a drill!!! Abandon Ship! Damn the torpedoes! Full Speed Ahead!!! I'm in charge here!!! Oh everything's ok? Never mind...

I work in the information technology profession. I am attached to financial and legal systems. When you are testing such systems or processes, ideally you should ensure that your test is coordinated or completed in an environment separate from production. Additionally, you should let the relevant people know that you are testing, what you are testing and how long you will be testing. Your test should be imperceptible to your business partners and stakeholders. But in case it's not, you should communicate that any anomalies users may experience are part of a test.

If you skip these steps, then your customers and business partners may experience or see changes and lose their religion. They may call your boss in a panic, escalate the "problem" to department heads or on-call production support, or worst of all, contact serious people like CIOs, partners, executive vice-presidents, the IRS or other law enforcement. It's probably better that the last group of people doesn't know your name if it's being mentioned along with some sort of production meltdown, legal lapse, or apparent criminal activity.

So again, to avoid all of that unpleasantness, you should let people know what and when you're testing and what the expected results are. Unfortunately the Michigan Democratic Party forgot this basic concept in its zeal to do battle against hacking.

Lansing — The Michigan Democratic Party on Thursday acknowledged it enlisted friendly hackers for a simulated phishing test that prompted the Democratic National Committee to alert the FBI to a suspected attempt to infiltrate the party’s voter file. "We have taken heightened steps to fortify our cybersecurity — especially as the Trump administration refuses to crack down on foreign interference in our elections," state Chairman Brandon Dillon said in a statement. "In an abundance of caution, our digital partners ran tests that followed extensive training. Despite our misstep and the alarms that were set off, it’s most important that all of the security systems in place worked."

The DNC said Tuesday it had thwarted what it believed to be a hacking attempt two years after Russian operatives sent the party into disarray by hacking into its computers and facilitating the release of tens of thousands of emails amid the presidential election.

But Chief Security Officer Bob Lord said Thursday the suspected cyber attack that sparked fears now appears to be part of a test created by a third party that "mimicked several attributes of actual attacks on the Democratic Party's voter file" without party authorization.

The Michigan Democratic Party's involvement was first reported by The Washington Post. A source confirmed to The Detroit News the state party gave the "green light" for a group called DigiDems to conduct the test without authorization from the DNC or its vendors. A web security firm using artificial intelligence uncovered the unusual activity. The DNC was notified Tuesday, it said.

The party's voter file contains information on tens of millions of voters. The attempt was quickly thwarted by suspending the attacker’s account, and no information was compromised, a party official said earlier this week.
Full Story

I have had some bosses who micromanage more than I like. On the other hand, you can't just go do whatever you want in systems that are shared and monitored by people outside your little group. Always touch base to let your team know what you're doing. You can avoid minor (and major) embarrassments.