Research Saturday 5.9.20
Ep 134 | 5.9.20

The U.S. campaign trail is actually quite secure.

Transcript

Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by Juniper Networks. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:25] And now a word from our sponsor, Juniper Networks. It goes without saying that we are in an ever-changing world and the change keeps going faster and faster. This ever-accelerating pace is not new, but we find ourselves in an environment where we must respond to this change at the same speed as it comes at us. But we, as we all know, have a hard time keeping up. For security professionals, the need to keep up is essential. Juniper Connected Security is responding to what is happening in the market, the convergence of infrastructure, and traditional security, and this puts Juniper in a unique position to solve customers' needs. Connect with Juniper during a virtual summit on May 14th, 2020. To learn more, visit summit.juniper.net. That's summit.juniper.net. And we thank Juniper Networks for sponsoring our show.

Dave Bittner: [00:01:19] Thanks to our sponsor Enveil, whose revolutionary ZeroReveal solution protects data while it's being used or processed – the 'holy grail' of data encryption. Enveil delivers privacy-preserving capabilities to enable critical business functions. Organizations can securely derive insights, cross-match, and search third-party data assets without ever revealing the contents of the interaction or compromising the ownership of the underlying data. What was once only theoretical is now possible with Enveil. Learn more at enveil.com.

Paul Gagliardi: [00:01:57] We did a report about six months prior, where we looked at the cybersecurity of all the political parties, both small and large, domestic and abroad.

Dave Bittner: [00:02:06] That's Paul Gagliardi. He's the Head of Threat Intelligence and CISO at SecurityScorecard. The research we're discussing today is titled, "2020 Democratic Presidential Candidates Get Smart to Cybersecurity: A Detailed Investigation by the SecurityScorecard Threat Intelligence Team."

Paul Gagliardi: [00:02:25] We got really good coverage with that, especially following the well-reported interference attempts at the election in 2016, we wanted to make sure that we're seeing some changes both in the political parties and the candidates themselves as it relates to their cybersecurity posture.

Dave Bittner: [00:02:41] So, give me an idea of what you were setting out to examine here.

Paul Gagliardi: [00:02:46] So, with the political party report, we really just wanted to assess their maturity level on how seriously they seem to be taking cybersecurity from an external-only perspective, and without being intrusive or needing permission to necessarily pentest. In that report, we were somewhat disappointed in the parties themselves. There were some glaring holes in some minor parties and especially those abroad. The two main parties in the US seem to have their act together to a degree, but there was certainly room for improvement.

Paul Gagliardi: [00:03:16] So, when we took a glance at the specific candidates, I was anticipating sort of the same results – that we'd have varying quality of defense systems or maturity in place. To our surprise, they seemed to be well positioned. We used our tool to sort of start off the interrogation, and we really dug into the entire external footprints of these candidates. And after looking at the parties, I was anticipating some large holes or flaws in their software or their defense mechanisms, and that really wasn't the case. So, you know, as an American voter, I was proud to say that it does seem that the candidates themselves are taking cybersecurity and the hygiene of that quite seriously.

Dave Bittner: [00:03:59] Can you give us some insights – I mean, what is the setup of a typical political campaign that's being run at this level, in terms of the types of things that would require their attention when it comes to cybersecurity?

Paul Gagliardi: [00:04:11] I mean, at this point, a campaign is almost completely digital. And to reach their constituents from email, to marketing, to now virtual campaigns, to accepting donations, to, you know, just organizations – it requires a litany of different technical resources and types of offerings. So, to properly – seemingly, to properly stand up a campaign, you have to leverage quite a few different technical disciplines, in terms of being able to accept donations securely, being able to maintain a list of all those voters or potential voters that you're trying to market to. It's probably matured quite a bit since thirty years ago where it was, you know, paper and pencil and door knocking. It's now primarily, I would guess, a digital exercise.

Dave Bittner: [00:05:03] And I suppose it's fair to say these are basically high-velocity small businesses.

Paul Gagliardi: [00:05:10] Yeah, exactly. It's akin to, like, almost a startup. Like, they have very specific goals and they are focused primarily on that. And we've seen in other startups, that to get that product out to market, they'll sometimes be lackadaisical about other things. And that's not necessarily their fault – it's just that their business requirements are to get the product or get their offering out there. Just as with these political campaigns, their objective is to get their message and to reach voters. And we were initially anticipating that perhaps that, blinded by that objective only, they might be lax about cybersecurity. And, you know, I'm happy to say it doesn't seem like that was the case, that they balanced their objectives with also promoting cybersecurity defenses and proper hygiene in balance with those objectives. Which is the job of any CISO – my job is to implement defense or policy, but also balance that with how that's going to impact my business or my primary objective.

Dave Bittner: [00:06:10] Well, let's walk through the research here together. What were some of the areas that you examined?

Paul Gagliardi: [00:06:17] So, our product – you can think of it sort of like a credit rating. Here at SecurityScorecard, we offer a credit rating, except it's representative of your cybersecurity posture. So, it's an A through F letter rating, and it's often used in third-party risk or vendor risk management. So, the grade's updated every single day, and if I'm a Fortune 500, I might want to know, of all the ten thousand vendors that I use, which ones of those are risky or having some signs that are indicators of compromise that might be reflective of a future breach.

Paul Gagliardi: [00:06:48] So, we put that tool and we pointed it towards all of the – I think at the time there were fifteen or so candidates, and sort of let it do its thing and create a risk rating. On top of that, the research team really dug into the specific findings to contextualize them, to maybe expand on the types of things that our product doesn't do at scale. And part of that is sort of defining a digital footprint. So, you know, if I look at Bernie Sanders, what are all of his digital assets that are public-facing on the Internet? And that's sort of the foundation of what we call a "scorecard." So, if we can define all those assets and then start to look for hygiene issues as it relates to how they're configured or how they were purchased or how they were deployed – that's sort of what starts the process.

Paul Gagliardi: [00:07:36] On top of that, we then – we're really digging into maybe more in-depth types of findings, without being intrusive or requiring permission – we obviously never stepped over any legal boundaries. But, you know, we had X pentesters that were making sure everything within those offerings – say, the website that accepts donations, et cetera – all the I's were dotted and T's were crossed.

Dave Bittner: [00:07:59] Well, let's go through some of the specifics together. Can you share some of the specific things that you took a closer look at?

Paul Gagliardi: [00:08:07] I think one thing that was really interesting where we found some egregious findings were applications that are not necessarily sanctioned by the campaign manager or by the candidates, but they do represent potentially the user base of that voter. So, for Andrew Yang, there was a – sort of a website where you can organize with other constituents and plan events or just communicate. It's not an officially sanctioned Andrew Yang website, but to your common voter, it might not be clear that it's not. And we went through that same rigorous testing, and with that application, it was just completely void of any security controls. We were able to quickly show a cross-site scripting error where if we were, you know, malicious in nature, we could have exploited quite a number of users. We did disclose that to the creators of the website. We never heard back. I actually tried to reach out to Andrew Yang's campaign as well, just to let them know that, you know, even though you're not officially developing this application, it is impacting, potentially, your voters. I didn't hear back from him either.

Paul Gagliardi: [00:09:10] But that's one example of sort of the egregious findings that we did see. I was hoping from a research perspective we'd find more of examples like that. Luckily, as an American voter...

Dave Bittner: [00:09:22] (Laughs)

Paul Gagliardi: [00:09:22] ...We didn't find many of those on their official campaign applications or product offerings.

Dave Bittner: [00:09:30] There's some interesting things you dig in here. One of them is you looked at the top hosting platforms that they were using, and it seemed like one organization stood out from the crowd. Can you take us through what your research found here?

Paul Gagliardi: [00:09:43] Yeah, so, we quickly deemed that it seems like when you set up a digital campaign, you're not writing any of this software or your applications yourself. You're leaning on third parties that provide an offering that does that specifically. And I think, with my CISO hat on, I think that's the right approach. I don't want to necessarily write my own donation acceptance software or my mass emailing campaign. Like, those are well, tried-and-true products that have been vetted by security professionals, are used across industries, and that's the approach, seemingly, that these candidates took. I wouldn't be surprised, even though I haven't verified it, but I would guess that the DNC or some other organization like that likely offered a, hey, if you're going to set up a campaign, here are some vendors that we at least recommend. I'm sure it wasn't mandated, but if I had to guess, it was sort of like the DNC offered a candidate-in-the-box, and here is the vendors that you can go to.

Paul Gagliardi: [00:10:43] And there's a litany of them. They offer different types of services, from ActBlue to MobilizeAmerica, ActionKit. They offer different types of either platforms or services to those candidates. And we applied the same rigorous testing to those vendors. So, our product is designed to assess the risk of using a vendor, so we just pretended I was the CISO of the DNC, and it's like, OK, let's assess all these third parties that people seem to be recommending to our candidates. And again, luckily, there wasn't any glaring holes. We were – I was anticipating to find some large security vulnerabilities or just really poor hygiene in these vendors, and they also have their act together. You know, I look at a lot of other companies in different sectors or different parts of this world, and that's just not true. Like, just a basic pentest or basic security assessment will find glaring holes. With the candidates and their third parties that they chose, they are taking cybersecurity seriously, from what we can see externally. I obviously have no insight into necessarily their policies or their training of employees, but from what they expose externally, I would say that it does seem like they learned their lessons from 2016.

Dave Bittner: [00:12:01] Yeah, and looking at your results here, I mean, pretty much across the board, I think it's fair to say, overall, they got high marks.

Paul Gagliardi: [00:12:10] Yeah. You know, there were some lower or higher ones. I always caveat our grading with a B or an A is actually quite good. We've proven that if you have a C, D, or F, you're five times more likely to be breached. We've validated that internally and had an insurance underwriter validate that as well. So, the difference between a ninety-seven and ninety-four, I generally don't pinpoint on that much. All the candidates were within the high B to A range. The same can be said about their third parties. If there was like a C, D or F, that's where I would really raise the alarm. But I don't necessarily consider that much of a difference between a ninety-seven and ninety-four. But we did define that in the report.

Dave Bittner: [00:12:51] Were there any particular areas where they needed some attention?

Paul Gagliardi: [00:12:56] It's a lot of, like, general web security application development hygiene, like how you redirect from an HTTP to an HTTPS site. There's a really secure way to implement that. For some of these candidates, they might have been missing old tags, especially if you view it in an outdated browser. Again, like, the exploitability of that at scale, or the importance of that is maybe not as impactful as, say, having a database open on the Internet or something like that. Again, the findings were rather hygienic. If you really wanted to get in the weeds, there were some, basically, Web application development processes that they could improve on slightly. And we're also happy to share this for any candidate that wants to join this platform. I guess they're sort of ceasing their campaigns at this point, but we're happy to share that and let them access the platform and have the full details of one of those hygiene findings that we're showing them.

Dave Bittner: [00:13:54] You know, obviously, one of the things that takes place in any political campaign is fundraising. You got a lot of money exchanging hands there, and that could put a target on your back. What sort of stuff did you see when you looked at the various platforms that these candidates use for fundraising?

Paul Gagliardi: [00:14:12] So, we didn't necessarily know how they're storing that money or accounting for it. It does seem like they're leaning on third parties such as ActBlue or ActionKit or Blue State. These are sort of platforms that are able to take in money via either PayPal or some other sort of point-of-sale system to securely transact that. I'm happy to say that no campaign attempted to implement that themselves. That's not an easy task to properly, you know, securely parse credit card information, enact the transaction, and follow through with that. So they leaned on third parties, which is exactly what, if you or I were developing a website to try to accept donations, you wouldn't write it yourself. And the candidates heeded that recommendation.

Dave Bittner: [00:15:00] So, I mean, is it one of the take-homes here that in this era, after some of the things we went through in 2016, I guess the campaigns have taken notice and they've adopted so many of these best practices. It seems like, overall, they're up to speed.

Paul Gagliardi: [00:15:17] Yeah. I would say that, you know, a year ago the parties were getting there, but they weren't there yet. Especially the minor ones – they were not taking cybersecurity as seriously as I'd hoped. In this 2020 election, late 2019 candidates, I would say, overall, the message was sent quite clearly to them. And I would think that the DNC, who we've worked with in the past, had a lot to do with that. I'm guessing there's legal reasons that they can't mandate exactly how you implement it, but they probably had strong recommendations of how to set up a campaign in a modern digital era.

Paul Gagliardi: [00:15:52] With that said, we certainly don't conclude or assert that these campaigns are invulnerable to attacks, especially sophisticated attacks. You know, it's my opinion that a Fortune 5 bank that invests billions of dollars into cybersecurity defense cannot necessarily declare their defenses are risk-free of a very sophisticated actor. It's impossible, as a CISO, to ever think that you've defended that level of attack and sophistication that varies from physical access to zero days to, you know, in-person human intelligence. And that is potentially an attack vector for these campaigns. So, they do need to be aware that that's an attack vector. I don't think anyone can ever conclude that they're safe from that. But all signs point to – I can't necessarily test that level of attack – all signs point to that they are taking it seriously. And they – you know, they're as well-defended potentially as someone could be to that level of sophistication. But by no means am I saying that there's not going to be a successful attack in the following primary or general election.

Dave Bittner: [00:17:02] But I suppose, in general, as you mentioned, for American voters, this is good news – that at least the things you were able to look at, the proper attention is being paid.

Paul Gagliardi: [00:17:16] Yeah, I would say from my research side and my offensive side, I wanted to find stuff just to, you know, appease our curiosity and fun. But, yeah, when I think about being an American and a voter, I am relieved that it seems that the heat has been called by the candidates to take this seriously. And, you know, the scrutiny – we, as voters, and those of us in the cybersecurity realm, need to continue applying that pressure for these parties and candidates to continue to take that seriously. I think a lot of that came from the individual voter and those of us in the industry applying that historically, and asking questions about cybersecurity in debates and making that a first order citizen in a modern campaign.

Dave Bittner: [00:18:08] Our thanks to Paul Gagliardi from SecurityScorecard. The research we discussed was titled, "2020 Democratic Presidential Candidates Get Smart to Cybersecurity." We'll have a link in the show notes.

Dave Bittner: [00:18:19] Thanks to Juniper Networks for sponsoring our show. You can learn more at juniper.net/security, or connect with them on Twitter or Facebook.

Dave Bittner: [00:18:28] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at enveil.com. 

Dave Bittner: [00:18:35] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team working from home is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.