SAN FRANCISCO — Keeping America safe from the armies of hackers at the shores, has come up a lot in the 2016 election cycle but if the Republican and Democratic National Conventions are anything to go by, whichever party wins the race for president has not studied up on their cybersecurity basics.
Reporters who registered for the Republican and Democratic National Conventions were given tote bags by convention organizers filled with instructions and logistical information. Buried inside the totes were thumb drives, also known as USB flash drives, with information on the upcoming events.
“Who does that anymore? It’s just asking to get infected with any variety of malware,” said Ajay Arora, CEO of VERA, a cybersecurity firm. “Those thumb drives are the number one way to infect a computer… It is borderline stupidity to give them out to people, or for people to even think of using them.”
Thumb drives are known within the cybersecurity world for their fundamental security weaknesses, because when someone plugs a thumb drive into their computers they are opening up their system to anything on that drive — from the best hotels to stay in during the Republican National Convention to a virus that silently uploads itself onto the hard drive. Neither the Republican or Democratic National Committees replied to a BuzzFeed News inquiry about the thumb drives.
Jason Haddix, director of technical operations at Bugcrowd, a security-testing startup, said that in the past he would help private companies test their internal security by dropping random USB sticks around their building and parking lot.
“We would drop them off or even hand them out as freebies to see who would fall for it and use the thumb drives. We had them install a program where we could show the company exactly which employee was using it and how we easily we could track their computers,” Haddix said. It’s the kind of trick hackers might use if they were trying to infect a company’s internal system, and it shows how easy it is to move malware from a thumb drive onto a computer.
Arora said it’s been at least five years since he’s seen a thumb drive handed out at a conference in the U.S., though he admits he normally attends cybersecurity events where “no one is dumb enough to do this anymore.”
“These politicians are saying they want to decide what to encrypt, and what to regulate and give back doors to, are these same people who are turning around and saying here, take this piece of hardware which is proven to be the worst thing security wise, and put it into your computer,” said Arora. “They turn around and do a 1.0 mistake, which shows just how unqualified they are being able to talk about security and cybersecurity, let alone legislate on it.”
Sheera Frenkel is a cybersecurity correspondent for BuzzFeed News based in San Francisco. She has reported from Israel, Egypt, Jordan and across the Middle East. Her secure PGP fingerprint is 4A53 A35C 06BE 5339 E9B6 D54E 73A6 0F6A E252 A50F
Got a confidential tip? Submit it here.