The report, to be released Tuesday, was written by SecurityScorecard, a New York-based risk analysis firm that monitors the IT infrastructure of more than one million entities worldwide. For this report, researchers explored networks operated by 29 political parties in 11 countries in the first quarter of this year. In general, they found that the smaller parties, both within the EU and in the United States, pose the greatest risks.
In the United States, their analysis included the Democratic National Committee, the Republican National Committee, the Green Party and the Libertarian Party. They found that although the DNC and the RNC have strengthened their defenses since 2016, the two main parties have cybersecurity hygiene issues that could still make them targets for dedicated opponents. Another US party, which refused to report, remained a searchable tool, revealing voters' names, date of birth and address, information that is not publicly available in most states. This flaw has since been corrected after the researchers contacted the party.
In Europe, researchers have detected active malware on a network registered in the EU.
According to Jasson Casey, SecurityScorecard's chief technology officer, the results underscore the magnitude of the challenge for political parties, which often lack resources, but nonetheless collect data sets that organized criminals and foreign opponents would find useful. "The obvious question is: is it possible for these political parties to defend themselves effectively?" Said Casey. "If big business is having trouble with that, how can small political organizations do it?"
SecurityScorecard used a standard checklist to evaluate the security rules of the parties on a scale of 1 to 100 anchor points, depending on the severity of the problems discovered. Typically, a score of 80 or more is considered good, with an organization less likely to experience a violation.
In the United States, the DNC and the RNC have been working to strengthen their technical infrastructure since 2016 and, according to the 2016 SecurityScorecard findings, it shows, says Casey. That year, the firm's authors gave Republicans a score of 84, after discovering a large number of expired security certificates on NCR-affiliated websites. The Democrats, meanwhile, received an 80 in 2016, thanks to malware operating on the DNC system. These problems now seem resolved, bringing the scores of the parties to 87 and 84 respectively. And yet, there are still loopholes in the armor of every organization.
The DNC, for example, started using a two-factor authentication tool called Okta, which is usually a good thing. But the researchers discovered that a calendar tool using two-factor authentication was used over an HTTP connection, instead of the more secure one. HTTPS, which encrypts data as it moves between a browser and a web server. In an unencrypted connection, a dedicated hacker could organize what is called a "man-in-the-middle" type attack, redirecting the traffic from there to the next. Initial URL to a fake Okta site. There, an attacker could recover the login credentials of the DNC staff member without the latter noticing it.
Bob Lord, DNC Cybersecurity Manager, said this address is not used by any DNC staff and his team is looking into its origins. After being contacted by WIRED, the DNC closed the URL for security reasons. "It's a good thing to clean up." "It's good to make sure things are done, whatever the purpose, that they are obsolete and suppressed," Lord said. "I love the fact that we could get people to warn us when they detected something that was wrong or could be improved."
The RNC scored slightly higher than the DNC on the SecurityScorecard test, but it was not perfect either. The researchers were able to detect subdomains for an internal mapping tool that appeared to be related to RNC operations in Arizona. Although this is hardly overwhelming, it could give an attacker an indication of the types of tools used by the RNC and where, according to Paul Gagliardi, a threat researcher at SecurityScorecard. "Not disclosing information about products and services is the best current practice because it only increases the cost of a person who targets that part of the business," he said. said Gagliardi.
The researchers also discovered an unencrypted login page for an RNC-related API, which would also leave RNC staff open to theft of credentials. It is not known if this API is still used. A spokesman for RNC declined to comment on the results, but said in a statement: "Our team is constantly working to stay ahead of emerging threats, data security remains a priority for the RNC, and we continue to work proactively with leading IT vendors to stay open and monitor potential risks. "
None of these problems have been compared to what researchers have discovered by looking for vulnerabilities among smaller US and European parties. It was found that some domain names affiliated with the Libertarian Party lacked so-called SPF records, which validate that an email from a given domain is actually affiliated with that domain. This helps protect organizations from spoofing, in which attackers make sure that emails seem to come from people and that their targets are recognized. "One of the easiest ways to attract malware to a target system is to simply send that email and make it look like it's coming from someone in your company," says Casey. .
Dan Fishman, the new executive director of the National Libertarian Committee, told WIRED that its goal is to strengthen the party's technical infrastructure. This includes the resolution of this vulnerability. According to Fishman, since he came to power last month, his staff have already captured and reported fraudulent emails allegedly emanating from him asking for sensitive information.
Entering the Libertarian Party may not seem as lucrative as entering one of the two main political parties in the United States, but Fishman says that libertarians collect large amounts of data that still need to be protected . "We are, like all the other political parties, accumulating as much as possible about our members but about our potential voters," he said.
A major breach even of a smaller political party could still degrade American confidence in the security of the election. "It's really a question of trust in the system, and as such, it's starting to erode, it's causing other problems," Casey said. "Even the smallest parties […] deserve an adequate level of protection that they certainly have not yet."
That said, in the United States, the Green Party outperformed other political organizations in the SecurityScorecard test with a score of 93 out of 100. But party media co-chair Holly Hart refused to give more details about the cybersecurity operations of the party. . "The Green Party is always concerned about cybersecurity, privacy and accessibility," Hart said. "Beyond that, we do not think it's appropriate to publicize the plans we've put in place."
SecurityScorecard researchers will not say which political party disclosed voters' names, dates of birth and addresses via a searchable API, except that they were neither Democrats nor Republicans. However, in the 10 minutes following the discovery of the flaw, Gagliardi said he called the party and left a message to the receptionist, using the main phone number I found on Google. Mr. Gagliardi never had any news, but he stated that the problem had been resolved within 12 hours of the call.
"Obviously, the message has been received," he says.
Of the 11 countries surveyed, the United States ranked fifth overall. Sweden scored best with a score of 94 out of 100. The least advanced country is France, whose political parties "systematically display lower security ratings" than all the others. In particular, the Democratic Movement, a centrist party launched after the 2007 French elections, has a login system that sends unencrypted user names and passwords to a server in the end. of life, which means that he no longer receives security updates. . The Democratic Movement did not respond to WIRED's request for comment.
"If you were connected to the Wi-Fi network at Starbucks, other users, even just technical, could observe these passwords," says Gagliardi. "It's blatant."
Perhaps the most worrying thing for Gagliardi and Casey is that their team was able to detect these flaws in such a short time. All the researchers spent about two days looking for bonuses. If the 2016 presidential election has taught us anything, it is that countries like Russia have set up much more sophisticated and well-funded operations. "Someone with more intent, who does not care about breaking the laws, would probably come back with a bigger treasure chest," Casey says.
At a news briefing on Friday, Facebook officials said that to protect "the integrity of elections", they would crack down on online advertising against foreign interference. All EU political advertisers now need to get permission in the country where the ads are shown.
To obtain this authorization, political groups in Europe will have to submit identity verification documents, said Richard Allan, vice president of global political solutions for Facebook. "We ask them to submit documents and we use technical controls to confirm their identity and location," Allan said.
"We recognize that some people may still try to work around any system, but we are confident that this will be a real barrier for anyone thinking of using our ads to interfere in a foreign election," he said. -he adds.
Allan said that one of the risks presented by the election would be "someone would create an organization in an EU country to direct advertising to influence an election. in another EU country ".
Facebook has also confirmed that banned groups and people without a platform will remain banned even if they run for office. This means that the rightmost figure Tommy Robinson, who stands as an MEP in elections, will remain banned from Facebook and Instagram.
The United Kingdom to hold elections to the European Parliament at the end of May after British Prime Minister Theresa May set at Brexit until 31 October 2019. During European elections, voters from EU Member States can elect members of the European Parliament (MEP).
Facebook also acknowledged being aware that the upcoming elections will be held in 28 countries and in 24 official languages, according to what Nick Clegg – the former British vice-premier and current vice-president of Global business and Facebook communication – described as an "increased atmosphere".
Also noted that political ads will now have to be clearly labeled on Facebook and Instagram. "To increase transparency, all advertising related to the policy and problems on Facebook and Instagram in the EU must now be clearly labeled, including a" paid by "advisor's top ad disclosure," said Allan. You will be able to see who is paying for the ad as well as any relevant contact information.
Hopefully, these measures will prevent the recurrence of the disaster caused by the elections in the United States in 2016. election
Of course, we have already explored some of those with a ranking of each 404 error page on each candidate's site, but there are a few fun things to discover when you dig a little more.
Developers sometimes hide small fun surprises in the source code of the websites they create, and the 2020 candidates are no exception. After diving into mountains of html, we found three fun examples of ASCII art on the sites of John Delaney, Eric Swalwell and Amy Klobuchar.
Swole The Springsteen fan, Delaney, has a very simple source code for his site: "GO JOHN GO!" We will not blame them for the lack of commas because, hey, they did everything they could to get started.
An example similar to Delaney's is Swalwell's, which also has a fairly simple but neat example on his site.
But perhaps the best example we discovered belonged to Sen. Klobuchar whose site does not just spell his name. It's a bit more complex, it has emojis, and it has pizazz!
It is to highlight that both Swalwell and Klobuchar used the services of a web design company. Scotch Digital.
Even though there is still time for other applicants to add Easter eggs to their sites, we think that Cory Booker should invest in Hot pocket ASCII art, Beto O 'Rourke in something punk rock or Whataburger, and Pete Buttigieg in – what else? – the Vermont Phish.
As you may remember, Biden served as Vice President of Barack Obama for eight years and the two men were exceptionally close. Their "bromance"We talked constantly, they friendship bracelets exchangedand even Obama awarded by Biden the medal of freedom. But because they were real friends, Obama is in a rather strange place right now.
On Thursday, a reporter asked Biden why Obama had not yet approved his candidacy for the presidency, which the former vice president said: "I asked President Obama not to not support and he does not want to … should win on their own merits ". It is there that things have become clumsy.
As a former president, it makes sense that Obama does not want to meddle in the race – all the more so as there is currently 20 Democratic candidates. But because of his past relationship with Biden, many people were expecting some kind of comment.
While Obama continues to remain neutral, Twitter users have taken the initiative to troll "I request him not to approve, "comparing it to other classic and false excuses.
Biden: "I asked President Obama not to approve"
– Shane Goldmacher (@ShaneGoldmacher) April 25, 2019
BIDEN: Vote for me! I'm friends with Barack Obama!
ELECTORS: Does it approve you?
BIDEN: here's a picture of us on a ferris wheel!
– Jesse McLaren (@McJesse) April 25, 2019
When announcing his candidacy on Instagram Thursday morning, Biden included a photo of himself and Obama. Photos with the former president are already included in the tweet ads promoted for Mr. Biden's campaign.
Even a former White House photographer turned pilgrim / Instagram author, Pete Souza, shares photos of the two men.
So, even if Obama does not publicly approve Biden during his campaign, it seems like he'll have a very difficult to escape its association with the 2020 candidate.
While Sanders was good to host a group of children (mostly children from the White House press corps), she did not hold a press conference for journalists serving for 45 days, which is new record.
Perhaps unsurprisingly, this year's event was mainly "out of the record. "
Some of the children present were clearly children of the staff members; Check out the kids in the MAGA net hats below.
Sanders was prepared for what should have been some softball issues, but things did not go as planned.
This though, of course, not quite true. L & # 39; administration achieved the policy of separation of families for a moment before moving back. Even now, despite refusal of the administration, he is reported talking about by reporting it in a revised form.
Of course, the journalists were not happy that Sanders is avoiding them again, especially because of the wide range of information about members of the Trump administration in recent weeks, such as the publication of the Mueller report. At least one journalist is assured that Sanders is aware of his dissatisfaction.
Vice President Mike Pence is rubbed off to greet the press.
.@VPPence joined@PressSecSarah Sanders for a surprise visit during a briefing with children brings your children to work. Sanders did not hold a regular briefing with White House journalists in the briefing room for more than 40 days. pic.twitter.com/Jgq5Qk8SPF
– Jeff Mason (@ jeffmason1) April 25, 2019
President Trump himself will have a chance to speak to a group of children later on Thursday when he will make an appearance at the White House to mark the same event. Should be interesting, considering how Trump has technical interactions with children in the past.
Ok, I'm sorry for this nursery rhyme. But sometimes you have to deploy the welcome mat of your shady and friendly government agency with a problematic legacy, right?
Thursday, the CIA officially joined Instagram with the handle – wait – @CIA. It's good for CIA Director Gina Haspel announces a little improvised earlier in April that the agency had an account in preparation.
Haspel said at the time that the presence of an agency on social media was aimed at increasing transparency – a difficult task for an agency dedicated to collecting secrets.
"Joining Instagram is another way to share CIA stories and recruit talented Americans to serve here," CIA spokeswoman Nicole de Haay said in a statement to Mashable.
How did the CIA debut? With a cheeky image of "eye spy".
Until now, Mashable's journalists / intelligence agents have noticed:
Here is closer.
Hey, the CIA can be responsible interference in foreign wars install pro-American governments, but at least he knows how to have fun on social networks!
"Thanks to the report, we will give a glimpse into the life of the agency, but we can not promise selfies from secret locations," said de Haay. LOL!
"We seek to spark the curiosity of Instagram users about the many ways in which the CIA's global mission takes us where others can not go and do what others can not do."
It looks cool! Follow to follow, CIA?