Archive for July 2016
The Clinton campaign has been thrown a lot of curve balls in its attempts to win the 2016 United States presidential race; now, just one week after almost 20,000 embarrassing Democratic National Committee emails and voice mails were leaked to an outraged public, the campaign has been hacked again.
The United States Federal Bureau of Investigation has recently confirmed that it is investigating a hack and related breach of servers belonging to the Democratic Congressional Campaign Committee, an organization that acts as the official campaign arm of Democratic candidates for the House of Representatives. Among other factors, the FBI will be attempting to discover whether the DCCC breach is related to the DNC breach.
“The DCCC can confirm that we have been the target of a cybersecurity incident,” stated Meredith Kelly, DCCC national press secretary. “Upon discovering the issue, we immediately took action and engaged with CrowdStrike, a leading forensic investigator, to assist us in addressing this incident.”
According to Kelly, the information available so far seems to indicate that the breach is fairly similar to the prior hacking incidents with the DNC.
“With the assistance of leading experts, we have taken and are continuing to take steps to enhance the security of our network in the face of these events,” she added. “We are cooperating with the federal law enforcement with respect to their ongoing investigation.”
CrowdStrike has been working with the DNC, turning up a fair amount of evidence that implies Russian state-sponsored hackers may be the culprits.
“We can confirm that the DCCC has hired CrowdStrike following the DNC breach and we are investigating the matter,” reported spokesperson Ilina Dimitrova. “This is an ongoing investigation and we’re not able to provide further comments.”
The FBI has also issued a number of statements revealing that it was working to determine the accuracy of allegations that “multiple political entities” are involved in the cyberintrusions. The bureau noted that it takes these allegations very seriously and plans to hold anyone who poses a threat to cyberspace accountable for their actions.
It’s also worth noting that Republican presidential nominee Donald Trump started up a veritable firestorm after calling for those same hackers that hacked the DNC to look for Hillary Clinton’s missing emails.
According to Mark Rotenberg, president of the Electronic Privacy Information Center, the breaches raise a number of troubling questions regarding the security systems of public agencies:
“EPIC said at the outset of this election year that data protection is the most important, least well understood issue in the country today,” he explained. “All across the U.S., consumers confront issues of identity theft, data breach and financial fraud. Yet Washington has been unwilling to update U.S. privacy law or back strong security techniques.”
“The consequences are growing more severe,” Rotenberg concluded.
Andrea Castillo, technology expert and program manager for the Technology Policy Program at George Mason University’s Mercatus Center, added that the United States can’t rely on its adversaries playing by the rules.
“There’s been a lot of speculation, but I think the takeaway is more about our generally poor cybersecurity. A hack like this was more a matter of when, not if.”
A US appeals court recently ruled that it is illegal for people to share passwords for accounts.
The case in question involved a man who had been convicted of using another person’s login information to access the database of a workplace where he was no longer employed.
A dissenting judge wrote that the legal implications of such a decision could be far wider than those intended for the specific case; people sharing the passwords for their Netflix or Amazon Prime accounts, for example, may now be liable.
The American press has speculated that such a ruling could certainly throw common practices revolving around paid account sharing into question, though another judge who was for the decision stated that the precedent being set in the case in question was more limited than the dissenting judge feared it would be.
The case in question dealt with defendant David Nosal’s decision to use an ex-colleague’s password to gain access to his former recruitment firm Korn/Ferry in 2004. Nosal was hoping to use the information from the Korn/Ferry database to aid him in his work at his new firm. In 2008, Nosal was charged with hacking under the Computer Fraud and Abuse Act (CFAA) and ultimately convicted in 2013.
The case found that the company that issued the password must be the authorizing entity for there to be legal access; even if an individual chooses to share his or her password with someone of their own volition, the outside entity who then enters the account is still hacking.
What remains to be determined is whether the password sharing that was deemed to violate federal law in this specific case will then create a precedent for future cases brought to American courts.
According to Judge Reinhardt, who dissented from the majority ruling, the case was “about password sharing” rather than hacking and “the CFAA does not make the millions of people who engage in this ubiquitous, useful, and generally harmless conduct into unwitting federal criminals.”
“The majority does not provide, nor do I see, a workable line which separates the consensual password sharing in this case from the consensual password sharing of millions of legitimate account holders,” Reinhardt added, “which may also be contrary to the policies of system owners… There is simply no limiting principle in the majority’s world of lawful and unlawful password sharing.”
Judge M. Margaret McKeown wrote the majority opinion and disagreed with Judge Reinhardt’s take on the situation, positing that the case bore “little resemblance to asking a spouse to log in to an email account to print a boarding pass.”
According to Kuan Hon, a consultant lawyer at Pinsent Masons, UK law does not define password sharing as a criminal offence unless the individual is aware that they are not authorized to access the company’s program or data:
“You have to know that the access is unauthorized. If you give your password to your child, they might not necessarily realize that the ultimate service doesn’t warrant it,” she explained. “The question of what is unauthorized or authorized is different under the UK’s Computer Misuse Act.”