It sounds as though the National Republican Senatorial Committee has a problem with its email servers, too. Let me shorten this somewhat: if you’re putting Microsoft Exchange on an internet-facing server, and you’re not managing it fairly carefully, you’re snack food for hackers.
TL;DR form: it’s hardly newsworthy. Just another example of poor system administration resulting in a security breach. The “Russia” angle is irrelevant; the attack appears to be basic credit card fraud, which knows no politics. As far as a target goes, the NRSC was – sorry NRSC people if you’re reading this – a blip. There are groups of hackers that make a very good living going after “mom and pop” websites that don’t invest the time and administrative resources necessary to keep a site secure. The NRSC appears to be a “mom and pop” bunch of amateurs.
In system administration there’s an observation that “there is no such thing as a ‘temporary’ server” – once things go into production, it gets difficult to take them out, or to move them. The corollary to that is “if it’s not broken, don’t fix it.” Those two things, taken together, are behind a great deal of the computer security problem – someone sets something up, it works, and then they don’t want to touch it. Meanwhile, new exploits and vulnerabilities are discovered and published and the software/system, which hasn’t changed at all, is now easy for someone to walk right into. Software rots over time! It’s extremely counter-intuitive but it’s true: the exact same code’s security properties change over time because of nothing in the code itself except the discovery of latent bugs. I’m not sure how to describe this phenomenon in terms of entropy, but: the system remains unchanged; what changes is the hackers’ collective knowledge about it.
The compromised system was one of thousands that had been compromised using the same technique, and had the same type of skimming software installed. Given the number of sites, the attack was almost certainly automated; the attackers probably didn’t know or care who they had broken into. The Ars Technica article offers a fairly typical estimate that that site may have netted the hackers on the order of $600,000. Multiply that by thousands and you’re dealing with real money.
Many of us security types used to be highly critical of cloud computing or software as a service (SaaS) – the reason being that it presupposes that an organization is going to push its critical information assets into someone else’s hands. For example, I still run my own email server rather than using Google Mail or Yahoo! Mail, for reasons that ought to be obvious: pushing your email into the cloud means that you’re automatically sharing it with the NSA/FBI. If the reason you’re keeping data is because it’s sensitive, pushing that data to the cloud appears to be irresponsible.
Unless you’re incompetent.
If your security sucks, pushing your data to the cloud is a great idea because it’s a tremendous improvement over poorly managed local servers. In one of my other postings, on Hillary Clinton’s email server, I responded to the question:
What do you think of the notion, given the incompetence of the government in keeping hackers out of their computer systems, that The Secretary’s private email system might actually have been no worse than the State Department’s system, which, apparently, is known to have been hacked into?
In the case of the NRSC server, putting it in the cloud would have been a huge improvement. It appears that someone set that server up, saw that it worked, and went off and did something else. Hillary Clinton, who claims to be technologically inept, retained some reasonably good system administration. The question there is whether Clinton’s personal server was better or worse than the US State Department’s email security system.
Today, if you want an email server in the cloud, Amazon Web Services offers a cloud-hosted Exchange-compatible system for about $4/user/month. If your systems administration capability is nil, then that’s a great deal, because the alternative is freighted with unseen costs in the form of security downside. The reason so many people get this wrong is that the cost/benefit analysis is skewed by our inability to project the costs of the unknown downside that occurs unpredictably.
Hat-tip to lorn for encouraging me to comment on this bit of news.
Ars Technica on the hack
Gwillem on online skimming