Tuesday, April 9, 2013

Mitch McConnell's leaked strategy recording has staff crying "bugged"

Today, Mother Jones magazine features a leaked recording of Senate Minority Leader Mitch McConnell's private strategy session, in which his insiders discuss ways to beat Ashley Judd should she run for his seat. Aside from the Nixonian element to the story, and the frankness with which they discussed using Ashley's mental health issues against her in a campaign, there is an interesting security-related angle here.

The meeting consisted only of a small group of loyal insiders, and all deny having recorded the session. Sen. McConnell's office is asking the FBI to investigate: "Obviously a recording device of some kind was placed in Senator McConnell’s campaign office without consent."

Joan Goodchild writes in her blog for CSO Magazine "McConnell’s campaign all adamantly deny any involvement in the recording of the sessions (and its consequential leaking). They are working with the FBI on an investigation into how it happened. But my gut tells me they need to look inward again and evaluate the people they consider allies and consider who may be a potential insider threat."

Eric Wemple from the Washington Post blogs "Let’s just roll with the bug scenario. For the sake of some legal entertainment, suppose that someone, in the wee hours of Feb. 2, broke into this secure location via ductwork, expertly fiddled with ceiling tiles and planted a pea-size device in one of the room’s grommets."

I wonder whether anyone is considering a simpler scenario. Did the room contain a Polycom conference phone system? Back in 2012, my colleague HD Moore published his research into conference phone vulnerabilities, which was covered widely by the mainstream press. There were several scenarios which allowed anyone with a telephone or web browser to silently call into the Polycom and use it to listen to the room and to watch video (for camera-enabled systems) without anyone knowing. It's not too much of a stretch to think that -- it's certainly more plausible than a Watergate-style bugging of a secure room in the capitol.