first_img In what may come as one of the most (and yet least) surprising revelations on the US’ presidential election last year, it seems that an arm of the Russian military intelligence used spear-phishing campaigns and malware to attempt to manipulate parts of the American electoral system. There’s no evidence that the attack directly influenced the outcome.The Intercept broke the story alongside the supporting, albeit classified, NSA documents, but it was quickly overshadowed by an announcement from the Department of Justice, which had brought up 25-year-old Reality Winner with “removing classified material from a government facility and mailing it to a news outlet.” While that might not sound like a sure connection at first, the DoJ’s full statement is telling.“Winner is a contractor with Pluribus International Corporation assigned to a U.S. government agency facility in Georgia,” the release reads. “She has been employed at the facility since on or about February 13 and has held a Top Secret clearance during that time. On or about May 9, Winner printed and improperly removed classified intelligence reporting, which contained classified national defense information from an intelligence community agency and unlawfully retained it. Approximately a few days later, Winner unlawfully transmitted by mail the intelligence reporting to an online news outlet.”While it’s weird that the statement says “approximately” and then “a few,” it’s pretty clear. Winner appeared in federal court yesterday as well, where she admitted that she had taken the classified documents off-site. The outlet is widely presumed, although not yet confirmed, to be the Intercept.That situation — who Winner was and who, if anyone she sent classified documents to — is still developing, and we may know more as time goes, but for now this is yet another bit of evidence in US campaign interference. The report states “unequivocally” that the Russian General Staff Main Intelligence Directorate (GRU) conducted the attack. Specifically, GRU targeted election software and hardware and gather bulk data to conduct a “voter registration-themed spear-phishing campaign targeting US Local government organizations.”We don’t get too far into politics here at Geek, and I won’t change that now. Instead, I’ll largely use this to reinforce the point that humanity has broadly ignored the importance of cyber security. These kinds of things will keep happening.The NSA documents suggest that while not vote tallying machines were breached, GRU targeted more than 100 people responsible for voter registration. Spear-phishing, a phishing attack that attempts to maximize success by posing as someone the target knows personally, is fantastically effective at this scale. By focusing on a large, but manageable, number of individuals, hackers were able to leverage information about each person and attempt to trick them into installing malware. Spear-phishing, while relatively new, is good ol’ social engineering in all but name. Many of Russia’s now globally infamous cyber-attacks use a variant of phishing, and that’s because they’re actually very simple. Phishing isn’t nearly as complicated as actually attempt to crack systems. It’s far easier to trick someone into giving you their password (or clicking a link, as the case may be) than it is to find and exploit software vulnerabilities.That doesn’t mean those aren’t still problems. These issues compound. With an incredible number of Internet of Things devices with default security settings are flooding the market, loads of insecure software, a massive grey market for data and knowledge on vulnerabilities, AND ALSO loads of people who don’t understand the most basic best practices for information security, you have a recipe for disaster.The era of relatively low-risk cybersecurity has ended. We are entering a new one dominated by chaos. We well-organized state hackers standing shoulder-to-shoulder with lone wolves who can dramatically magnify their power and influence with botnet-based attacks.We can now no longer rely on major internet backbones to always be functional. We will soon no longer be able to rely on many vital services. Unless there’s a cultural shift in how we approach security, it’s not unreasonable to expect the rise of dystopic cyberpunk-esque societies. We will soon enter an age when we can’t rely on banking software or social media or email any more than we can the weather. There are activists out there, digital vigilantes who have tried to force larger shifts towards technical literacy, but so far, it hasn’t helped.For now, people are still the weakest link in this chain. People are easy to manipulate, and it’s tough for us to come up with, much less remember decent passwords. Take this as a giant wake-up call. Secure. Your. Shit. Right. Now. Don’t give out information to people who don’t’ absolutely need it — even if you know them. Be careful. Get a password manager. Turn on two-factor authentication. Change the factory settings on all of your devices. Yes, it’s a lot of work. But this really matters.We’re going to need more than that, unfortunately. Even if everyone followed that advice, computer systems would still be breached. We’d still have at least some of these problems. But we could severely dent modern botnet attacks and prevent anyone breach from affecting too much of your life. In any case: secure your shit. For the love of god. Trump Expected to Sign Bill Renewing Internet Surveillance ProgramEdward Snowden’s Back, With an App Stay on targetlast_img read more