What follows should serve as a cautionary tale for politicians and private citizens alike. Investigations determined John Podesta — chairman of Hilary Clinton’s 2016 presidential campaign — was the conduit through which Russian hackers gained access to the campaign’s Gmail account.
Many people agree this was a significant factor in her loss to Donald Trump.Let’s take a look at what happened, as well as what it may bode foremail, the 2020 presidential campaigns and you.
The Oldest Trick in Hackers’Arsenals
The existence of phishing scams is fairly common knowledge to anyone even remotely aware of how hacking works. However, for the uninitiated, here’s how they function.
A seemingly helpful email message arrives in your queue, appearing to have originated from a trusted source. In Podesta’s case, the message looked like it was coming from Google’s Gmail account services. Podesta was advised his account password had been compromised and he was encouraged to change it before interlopers exploited his account.
Being duly cautious, Podesta forwarded the message to the campaign’s computer security people, who also recommended Podesta change his password. They advised him to be certain his account was protected by two-factor authentication as well.
They sent Podesta a message containing a genuine Gmail password reset link to accomplish this task. Unfortunately, he inexplicably clicked the original link instead — and the rest is history.
Could It Happen Again?
As sophisticated as we’d all like to believe we are, human nature remains a key factor when it comes to breaches of cybersecurity. The most secure email gateway in existence is only as resistant to unauthorized entry as the protocols its users follow.
In other words, the security apparatus functioned properly in the instance above. However, human error was the ultimate failure, which is a difficult opening to defend.
According to Business Insider, there were two rather obvious red flags in the message Podesta received. The first was a googlemail.com URL. While the company does indeed own the GoogleMail domain, it isn’t used for correspondence.
The second one was a Bit.Ly URL in the password change link. Bit.Ly compresses URLs, so it can be used to disguise them as well. Podesta was taken to a site controlled by the hackers when he clicked that link. Inputting his “old” password in order to “change it,” he inadvertently gave them everything they needed to wreak havoc upon Secretary Clinton’s campaign.
And yes, it absolutely could happen again.
What Are They Doing About It?
As you might well imagine, precise campaign email security details are kept close to the chest, lest the information provide an exploitable opening. However, as Ian Sams — press secretary for the Kamala Harris campaign — told The Atlantic, the campaign insisted all staffers use encrypted messaging services and two-factor authentication.
A spokesperson for the Beto O’Rourke campaign said they ensured staffers were trained extensively in cyber fraud detection as part of the hiring procedure. They also insisted upon the usage of complex passwords and secure messaging channels to safeguard against unwanted attention.
The Biden campaign added a chief technology officer position to its staffing requirements, while the Pete Buttigieg organization similarly announced the hiring of a chief information security officer.
The Trump campaign, when approached for information, declined to comment, as it did not want to risk exposing its defenses. However, Tim Murtaugh, the communications director for the president’s reelection campaign, told The Atlantic, “We take cybersecurity very seriously.”
Three years after Mr. Podesta was duped into handing over the keys to the kingdom, security has indeed become more robust in terms of email and the 2020 presidential campaigns. However — and here’s the takeaway for everyone, politicians and private citizens alike — security is only as strong as its weakest link.
If this story proves anything at all, it is that link is almost always a human being.
Don’t let it be you.