US Democrats call in Feds: There's something phishy going on with our voter database

The Democratic National Committee (DNC) has called in the FBI after uncovering an apparent attack against its internal voter database system. CNN reported that the DNC learned of the attempted phishing attack from cloud service provider DigitalOcean via Lookout, a mobile security firm that detected the malfeasance. Miscreants …

  1. Anonymous Coward

    Did somebody tape over the door handle ?

    And they say lightning doesn't strike twice ....

    1. Anonymous Coward

      Re: Did somebody tape over the door handle ?

      Truth is lightning is more likely to strike the same place twice or close by. Path of least resistance. But nope, no one is trying to interfere with US elections. Collusion is not a crime. This is all just an illusion.

      /Snark

  2. ivan5

    They would say that wouldn't they if only to draw attention away from what happened to the republicans.

  3. stiine Silver badge
    Stop

    an ex Yahoo! exec?

    Surely that's why they've got security problems.

  4. Pascal Monett Silver badge

    "This fake website was spam-vertised using bogus emails"

    What is it about the human mind that pushes people to a) blindly accept what a completely unknown person sends them, and b) click on a link that they haven't the faintest idea where it will end up.

    Especially at work.

    Okay, this time it was a test. Fine. There will be a next time. And a next.

    Until we all, collectively, understand that if someone you don't know sends you a mail, the only proper thing that can be in that mail is either a request for information or an introduction from a work colleague that has just taken his post, so you know you'll be working with him.

    And you should check to be sure.

    Anything else is spam and should just be binned.

    The only person who can legitimately send you a URL is someone you already know. And that person had better have a good reason.

    1. Yet Another Anonymous coward Silver badge

      Re: "This fake website was spam-vertised using bogus emails"

      Ever worked in a large organisation - or a government one with layers of local, provincial and federal management? One with outsourced IT?

      Where you get emails to update your "team foundation customer management experience portal gateway" password every month because of "security". Of course the link to where to change it changes every month depending on which cloud provider is cheapest.

      Where because of a bunch of mergers, depts not talking to each other and ancient outsourcing deals you have umpteen different accounts and passwords on different bits to do your job.

      And you naively assume that if an email gets through all that corporate security and appears to come from your own IT dept it is their job to look through the headers and detect the real origin - not the job of Cathy on reception.

      Saying it's the "user's job to be careful" is like saying it's the passenger's job to check the maintenance logs and type approval on their holiday flight's aircraft - not the airline's.

      1. J.G.Harston Silver badge

        Re: "This fake website was spam-vertised using bogus emails"

        Sorry, but I *would* expect users to notice that the URL was not votebuilder.michigan.democrat.org (or whatever) and at corporate level users should be expected to notice that the URL was not wotsit.mycompanyurl and governmental users should be expected to notice that the URL was not foobar.subsection.gov.uk exactly as I have the responsibility to check that the URL for my party's database is not thingy.myparty.org.uk.

        1. Yet Another Anonymous coward Silver badge

          Re: "This fake website was spam-vertised using bogus emails"

          But what if instead of companyname.sharepoint.com it is companyname.sharepoint-microsoft.com as in some of the Russian sites MSFT shut down ?

          If it is an email with a from line of admin@company.com but a sender header of evil-russian-hacker.ru goes to everyone in the company I expect the corporate security to notice.

          Ironically Microsoft are the worst at doing this themselves. Authorisation on Office365 can be to x.sharepoint.com, x.outloook.com, x.live.com or outlook.live.com. The site for developers downloading official test ISOs of Microsoft OSes was the spammiest url you could imagine

          1. Scott 53

            Re: "This fake website was spam-vertised using bogus emails"

            You nearly had me with "outloook.com" but I'm savvy enough not to click on links like that.

            1. Anonymous Coward

              Re: "This fake website was spam-vertised using bogus emails"

              To think that as recently as ten years ago we used to take great pains to wrap dodgy looking, and outright impossibly long, urls for 3rd party services into more human friendly and company owned ones using reverse web proxies. That's all done for now, Microsoft and others have made it impossible to pull it off -- even where a vestige of in-house IT with the requisite talents survive. The single most frequent complaint I hear from nontechnical corporate bureaucrats about using O365 resources is about how unwieldy links to those resources are. To which I have to resist replying, "Well, I'm not the one who couldn't stand the fact that skilled techs were making as much as unskilled executives: you should have thought about that before you jealously gutted the knowledge base." Or something like that.

        2. Miss Config
          Boffin

          Re: "This fake website was spam-vertised using bogus emails"

          votebuilder.michigan.democrat.org ?

          As opposed to votebullder.michigan.democrat.org ?

          (Depending on the reader's font, that 'l' could look very much like 'i'.)
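The by-eye URL checks argued over in the thread above can be done mechanically. The following is an added example, not part of the comments or of any product named in them: it compares a link's hostname with an allowlist of expected hosts and flags confusable-character and brand-embedding lookalikes. The allowlist, the function names and the "last two labels" shortcut for finding the brand label are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist using the hostnames quoted as examples in the thread
# (assumption: an organisation knows the exact hosts its staff should log in to).
EXPECTED_HOSTS = {
    "votebuilder.michigan.democrat.org",
    "companyname.sharepoint.com",
}

# Characters that look alike in common fonts, folded to a single form.
CONFUSABLE = str.maketrans({"l": "i", "1": "i", "0": "o", "5": "s"})


def skeleton(host: str) -> str:
    """Fold confusable characters so 'votebullder' and 'votebuilder' compare equal."""
    return host.replace("rn", "m").translate(CONFUSABLE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return 'expected', 'lookalike' or 'unknown' for the host in url."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if host in EXPECTED_HOSTS:
        return "expected"
    tokens = {t for label in host.split(".") for t in label.split("-")}
    for good in EXPECTED_HOSTS:
        # Same look after folding, or one stray character: likely a typo-squat.
        if edit_distance(skeleton(host), skeleton(good)) <= 1:
            return "lookalike"
        # Brand name reused inside someone else's domain, e.g. 'sharepoint-microsoft'.
        # Naive assumption: the brand is the second-to-last label of the expected host.
        brand, tld = good.split(".")[-2:]
        if brand in tokens and not host.endswith(f".{brand}.{tld}"):
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for host in ("votebullder.michigan.democrat.org", "companyname.sharepoint-microsoft.com"):
        print(host, "->", classify("https://" + host + "/login"))
```

A mail gateway or proxy would apply the same comparison to every link in inbound mail, so the decision does not rest on the reader's font.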

  5. doublelayer Silver badge

    A security test?

    Well, that seems very weird to me. I trust that it happened, but what has to go through one's mind to come up with the plan of action: "Let's run up a fake website for a security test for someone we don't work for, who hasn't asked us for one, and by the way we won't tell anyone about it." I have a feeling that, if I did that to someone, I'd be sued and/or arrested almost immediately.

    1. Mark 85 Silver badge

      Re: A security test?

      My guess would be some PHB came up with this brilliant idea, waved it in front of some higher level and then did it. All he/she was looking for was brownie points. He probably had some poor web person on staff (or even a contractor) that got pushed into doing this.

      So instead of being a hero, the PHB is a self centered clown. Hopefully it's the PHB that gets fired for not communicating this upward and not the poor schmuck at the bottom of the food chain who actually did the work.

      1. Anonymous Coward

        Re: A security test?

        Wasn't it Napoleon who wrote: "Never ascribe to knowing subordinate ass-kissing that which can be explained by the sociopathic arrogance of an executive?"

    2. John Brown (no body) Silver badge

      Re: A security test?

      From the article:

      an anti-phishing security test run by officials in Michigan,

      This implies to me that a local or state part of the DNC did this without the DNC proper's knowledge. It was an "inside job".

  6. Zwuramunga

    Corruption.

    When you reach a certain level of corruption you can't tell lie from real anymore.

    1. fm+theregister

      Re: Corruption.

      just burn after reading

  7. Wellyboot Silver badge

    Left hand .. Right hand

    >>an anti-phishing security test run by officials in Michigan, unbeknown to the national organisation<<

    Neatly demonstrating the ability of most political party organisations to find their a**e with both hands.

    1. HellDeskJockey

      Re: Left hand .. Right hand

      Will Rogers said it best: "I'm not a member of any organized political party. I'm a Democrat."

  8. lglethal Silver badge
    Paris Hilton

    Officials of what?

    Are we talking Democratic Party Officials from Michigan that did this test? That would seem to be countered by the last comment that it wasn't someone from the DNC (or at least not authorised by them). Was it Michigan Electoral Office officials (or whatever it's called over there)? Can someone clarify exactly who these officials were?

  9. Claptrap314 Silver badge

    Federalism--it's not just for government.

    The fact that the US has a federal system of government (with sovereignty vested both in the States and in the Federal government) means that all of the major lobbying groups (especially the political parties) are likewise organized. In this case, the state party spent state money to run a test of state systems. But those systems are heavily linked to the national (DNC) systems, so there was spillover.

    The news happened because no one in the IT department at the state level expected this.

  10. Anonymous Coward

    Don't be Russian to conclusions.

    Syria's fake news Israeli illusions.

  11. Anonymous Coward

    If I was a haxor

    working for either (R or D) I would most certainly VPN into RU to do my hax, keep that trail to me on the down low. Now ain't that a fancy bear....

  12. Herby

    Emily Litella test...

    ..."Never Mind".

  13. Anonymous Coward

    Turns out...

    .. it's fake news.

    Who could have guessed that politicians don't know anything about the cyber

  14. David Roberts
    Black Helicopters

    How do you effectively test security?

    (1) Send a memo to all departments nationally well in advance so that they can brief all their staff that there is a test scheduled, when and what the test will be, and how to identify and pass it. Noting that a secret is safe if only two people know it and one of them is dead.

    (2) Run the test like a real attacker with no prior warning.

    Perhaps a bit like the difference between a scheduled and unscheduled quality audit. Noting of course that in quality audits the aim of both auditors and auditees is to pass the test so the company can pay for the fancy accreditation.

    I would be interested to know how many people they caught before they were shut down. It did test their national security team who managed to identify the phishing attempts. So one positive benefit.

    Noting also that a variant of option (1) could be to notify everyone that there was going to be a major phishing attempt in the next 3 months and instant dismissal including line management if anyone was caught. Then close the office and go fishing secure in the knowledge of a job well done.

  15. A Dark Germ

    We don't need to talk more crap about this subject, it's been solved years back.

    Quote

    "

    In 2017, the company began giving out physical security keys to all 85,000 employees. And since then, no employees have reported any confirmed takeovers of work-related accounts, Google said

    "

    https://uk.pcmag.com/pcmag-uk/116538/news/to-stop-phishing-google-gave-security-keys-to-all-employees

    Stop talking crap people wake up!
