On Dec. 13, the New York Times published a now widely shared 8,000-word account of the email hacks that targeted people around Hillary Clinton’s presidential campaign.
Similar to the Washington Post story from four days prior, it gives little to no evidence on who hacked these accounts or for what purpose, but at least it does not rely on anonymous sources making outrageous claims.
(Photo credit: Shutterstock)
It does, however, add a great number of details to the question of how hackers were able to obtain their sensitive information, opening a window on the fascinating world of how the world’s political heavyweights, including police and cybersecurity companies, use and misuse technology.
In fact, it is such a fascinating opportunity for people in Hong Kong and elsewhere that I would like to take the opportunity to reflect on a few key passages and pass on a bit of information security advice applicable to political figures, journalists, and everyone else.
In Asia, spearphishing is also the dominant tool for targeting politicians, activists and journalists for their personal information. Ahead of the Taiwanese presidential election, Bloomberg reported that Chinese state hackers had targeted politicians and journalists with phishing mail.
Malware used in an attack on the website of the president of Myanmar also arrived via phishing mail.
Other emails, too, can be damaging. In 2013, Surtr surfaced, targeting the Tibetan community in particular.
These incidents highlight how important it is to be able to assess risks in your inbox accurately and independently. Often such emails mimic legitimate security alerts, such as the one sent to Hong Kong political activist Joshua Wong.
Powerful politicians use technology just the way you and I do
Despite a $1.2 billion campaign, senior campaign staff and party leadership did not have access to, or bother with, specialized equipment for securing their communications. No dedicated, hardened smartphones or computers, no hardware keys or end-to-end encrypted satellite phones. In fact, no sign of encryption, whatsoever.
Specialized hardware tokens like the YubiKey are used for advanced authentication solutions. They are far more difficult to circumvent than regular SMS-based authentication codes. Photo: Yubico
Such equipment is not uniquely effective, but it can limit users to pre-approved actions that are unlikely to leave data and communications vulnerable.
It is understandable why someone would want to use regular consumer hardware for work, no matter how sensitive. You can use the applications you are already familiar with, and being in full control of your communications usually makes you more productive.
However, if you use general off-the-shelf consumer products for anything sensitive, it is very important to know exactly what you are doing.
Campaign staff generally had no idea what they were doing
Billy Rinehart, previously regional field director for the Democratic National Committee and working on Clinton’s campaign, received the following email:
A phishing email sent to DNC staffer Billy Rinehart. Screenshot: The New York Times
“Mr. Rinehart was in Hawaii at the time. He remembers checking his email at 4 a.m. for messages from East Coast associates. Without thinking much about the notification, he clicked on the ‘change password’ button and half asleep, as best he can remember, he typed in a new password,” said the New York Times article.
It’s not completely out of the question that whoever sent this phishing email knew Rinehart would likely be tired when opening it. But it doesn’t matter—the email is a relatively standard phishing attempt that stands out for its subtlety, yet still plays into the same fears the NYT article does: The Russians are trying to hack you.
However, this email should pose no threat to somebody who casually checks what URLs they visit, and who uses basic two-factor authentication by SMS. Additionally, in the Gmail web interface, you can reset your password by clicking on your profile picture in the top right, then my account > sign in & security > password. In any application it is preferable to reset the password from within the application itself rather than from a link in an email.
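As an added illustration (not code from the article), here is the kind of check a cautious reader or a mail filter applies to such an alert: extract every link from the HTML body and flag those whose host does not belong to the service the message claims to come from. The sample message and the allowlist of Google domains are constructed for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, not the article's email: reads like a Google alert, but the
# "change password" button points at a look-alike host on another domain.
SAMPLE_EMAIL = """<p>Someone has your password. Google stopped this sign-in attempt.</p>
<p>You should change your password immediately.</p>
<a href="http://accounts-google.com.example.net/reset">CHANGE PASSWORD</a>
<p><a href="https://support.google.com/accounts">Learn more</a></p>"""

# Hosts a genuine alert from this service would link to (assumption for the demo).
LEGIT_DOMAINS = {"google.com", "accounts.google.com", "support.google.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(hostname):
    """Last two labels only; a real filter would use the public-suffix list."""
    return ".".join(hostname.lower().split(".")[-2:])


def suspicious_links(html, legit_domains=LEGIT_DOMAINS):
    """Return (href, text) pairs whose host lies outside the claimed service."""
    parser = LinkExtractor()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if host not in legit_domains and registrable_domain(host) not in legit_domains:
            flagged.append((href, text))
    return flagged
```

The "Learn more" link passes because it really is on google.com; the button is flagged because its host only starts with a Google-looking label.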
In another instance, the FBI warned the DNC by phone, telling an uninformed and low-level staffer about a system compromise. The agent also informed them the hack came from a Russian group called “the Dukes.”
A likely result of what somebody would have encountered after searching for “the Dukes” on Google.
“His first moves were to check Google for “the Dukes” and conduct a cursory search of the D.N.C. computer system logs to look for hints of such a cyberintrusion,” the NYT article said.