In a week that's seen Microsoft, Facebook, and Twitter shut down influence operations from Russia and Iran, it seemed late yesterday that there'd been another election hack, this one a phishing campaign directed against the US Democratic National Committee (DNC). The DNC's CSO briefed party leaders, informed the FBI, and took a whack at the Administration for not doing enough to protect voting infrastructure.
It emerged over night, however, that there was, in fact, no hack. It was a poorly coordinated phishing awareness exercise. Lookout reported a fake login page for VoteBuilder that appeared to be after credentials for the DNC's voter database. The DNC ran with the false alarm. As Lookout has since tweeted (correctly) you don't know an alarm is false until you investigate. But the cock-up ("SNAFU," as CNN calls it) is embarrassing. It's good to be aware of security, but it's also good to be aware of it in ways that don't turn a fire drill into a Federal case.
No one's quite sure yet who ordered up the phishing test, but several people are pointing, on background, at Michigan's state branch of the Democratic Party.
Apache Struts has been found vulnerable to remote code execution. Semmle described the issue, which the Apache Foundation is addressing.
Surveillance tool maker Spyfone left "terabytes" of data exposed in a misconfigured AWS S3 bucket.
Cisco's Talos unit reports that Breaking Security's Remcos remote admin tool is exploitable by hackers.
Kaspersky Lab finds North Korea's Lazarus Group pushing Mac malware.