Technical security experts: DNC vulnerable to cyber attacks
The Democratic National Convention in Denver this month could be the site of a series of attacks — cyber attacks, that is. According to security experts, the event is a perfect occasion for computer hackers to attempt a wide range of break-ins, from accessing delegates’ credit card information to cutting off cell phone service at the convention sites, sending out fake news releases and planting porn on an unsuspecting politician’s laptop.
"[Law enforcement tends] to think about physical security," says Chris Nickerson, CEO of Lares Consulting, a Boulder-based security consulting firm. "In this particular climate, there is more information and technology than at any other time. The electronic threat is way more important." Nickerson and others predict that the convention — with its host of powerful and wealthy attendees — will be a prime event for malefactors to wreak havoc. And though they say that computer hacking likely won’t precipitate a bombing or terrorist attack, a cyber security breach could mean financial devastation or the loss of reputation for delegates, not to mention a number of other possibilities.
"From a criminal point of view, there are going to be a lot of people there," says Gene Spafford, executive director of Purdue University’s Center for Education and Research in Information Assurance and Security. "These people will be partying; they are going to be enthusiastic. They are not going to be as careful as they should be. Many of them will be on laptops that are not well-protected. In terms of planting information, this could be a real opportunity."
With 50,000 journalists, protesters and delegates hitting Denver in less than three weeks for the Aug. 25-28 event, the city has pledged to keep everyone safe and secure. Denver has spent $50 million in federal grant money to beef up its police presence against violent protesters, terrorists and others. But not a cent of that grant has been allocated to technical security. Meanwhile, the DNC promises to be an incredibly sophisticated media event with Level 3 Communications providing video streaming, Qwest providing telecommunications and AT&T providing wireless service to the convention sites. The aforementioned companies refuse to comment on their plans for technical security at the event, referring questions to the Secret Service and the Democratic National Convention Committee. Both organizations say they are prepared to prevent cyber attacks at the DNC.
Ron Perea, the special agent in charge of the Secret Service’s Denver field office, says his agency has addressed cyber crime. The Pepsi Center’s security perimeter, a zone where entrants will be subject to screening, he says, was conceived in part to protect against technical security breaches. (One common hacking method is for cyber criminals to get close enough to a business to access its wireless system from the outside.) "Cyber crime mitigation is certainly part of everything we do now," he says.
Perea would not provide specific details as to how the Secret Service plans to block cyber criminals.
The DNC Committee, for its part, announced last week that Symantec Corp. has been named the official information security software provider for the convention. Symantec will provide more than $1 million worth of donated anti-virus security during the convention, making sure that the volunteers’ and employees’ laptops — most of which will be hooked to the Internet through wires, rather than wireless (wi-fi) systems — are well-protected. DNC Committee spokesman Damon Jones says that delegates likely won’t bring their own computers into the event, thus minimizing their risk.
"We don’t anticipate delegates’ bringing laptops to the convention," he says. "They may bring them, but they will use them in the hotels to surf the Internet. They aren’t trying to connect to the convention hall."
But security experts suspect that DNC organizers have not done enough to safeguard convention-goers, especially since electronic breaches can occur all over the city, basically wherever there is Internet access. Spafford and others have identified a number of risky scenarios, many of which involve hackers creating "rogue" access points. In such a scenario, a hacker might set up a powerful wireless network outside the convention or in a hotel, or even bribe someone inside the convention to plug in a wired network. These "rogue" networks seek to mimic the official DNC network, featuring an identical log-in screen. A convention-goer might be tricked into thinking that he or she is logging into an official site. In reality that person is falling right into the hands of a hacker, who can then plant viruses, porn or whatever onto that person’s laptop.
"[Hackers] could seek to plant incriminating information on selected machines and use that to frame individuals," says Spafford. "For instance — and this is well within the range of dirty tricks that have been played in the past — one could find ways to gain access to a prominent person’s laptop and plant stolen software or kiddie porn and arrange with authorities to have that seized or investigated at the convention or later. It could be very embarrassing. It would create the wrong kind of public image."
Or, Spafford says, a simpler approach is for a hacker to send out a spam e-mail carrying a virus that would plant itself on the recipients’ computers.
"[Hackers] could get an attendant’s information and send out things that look like they are officially from the DNC, like ‘Here is a map to the reception.’ The recipient clicks to open and all sorts of things could happen."
Hacking could also take place at restaurants in Denver, should delegates and other convention-goers venture out with their BlackBerrys or Bluetooth devices. "You can hack a BlackBerry or a Windows wireless phone quickly," says Nickerson. "You can find a coffee shop or go to a nice hotel restaurant or hang out at Ellington’s restaurant at the Brown Palace. The high-profile guys will want to eat there because it looks pretty. You can figure out where they are going to be; most of their schedules are well-known. To hack someone’s Bluetooth while they are at Ellington’s, I could sit in my room at the Brown Palace or do it at my truck. I could be well outside of anyone’s view. You have to think that those delegates are not confined to the security perimeter. Once they get outside, they do not have the technical wherewithal or the knowledge of how to secure themselves."
Even so, a hacking victim might not be aware that he or she has been had until months after the fact. A target of identity theft, for instance, might not realize that he or she is losing money for a long period of time, and it would be difficult to trace the original breach to the convention.
Nickerson is also skeptical of technical security inside the convention, saying that Symantec’s products have a variety of vulnerabilities and that a sophisticated and determined hacker could easily figure out these weak spots or buy the information from another hacker in order to access the DNC network.
Even Chris Paden, Symantec spokesman, admits that there are unresolved risks. "I don’t think anyone would be foolish enough to say that anyone has come up with the most perfect and foolproof security measures," he says.
Nickerson says that the only way for convention-goers to protect themselves is to play it safe wherever they are in Denver.
"They should make sure they don’t have wireless devices turned on, make sure they don’t have their Bluetooths turned on and that they are very aware of their surroundings," he says. "We are one of the worst countries in the world in terms of information theft. While [politicians] can claim that no one has set foot on U.S. soil to attack us, they can’t claim the same for electronics. Two-thirds of our population has been attacked. That is huge. If two-thirds of our population was punched by someone else from another country, we’d be the laughingstock of the world."