What The DNC Email Hack Can Teach Asia's Activists And Politicians About Cybersecurity

This article is more than 7 years old.

On Dec. 13, the New York Times published a now widely shared 8,000-word full statement of the email hacks that targeted people around Hillary Clinton’s presidential campaign.

Similar to the Washington Post story from four days prior, it gives little to no evidence on who hacked these accounts or for what purpose, but at least it does not rely on anonymous sources making outrageous claims.

It does, however, add a great number of details to the question of how hackers were able to obtain their sensitive information, opening a window on the fascinating world of how the world’s political heavyweights, including police and cybersecurity companies, use and misuse technology.

In fact, it is such a fascinating opportunity for people in Hong Kong and elsewhere that I would like to take the opportunity to reflect on a few key passages and pass on a bit of information security advice applicable to political figures, journalists, and everyone else.

In Asia, spear phishing is also the dominant tool used to target politicians, activists and journalists for their personal information. Ahead of the Taiwanese presidential election, Bloomberg reported that Chinese state hackers had targeted politicians and journalists with phishing mail.

Malware used in an attack on the website of the president of Myanmar also arrived via phishing mail.

Other emails, too, can be damaging. In 2013, Surtr surfaced, targeting the Tibetan community in particular.

These incidents highlight how important it is to be able to assess risks in your inbox accurately and independently. Often such emails mimic legitimate security alerts, such as the one sent to Hong Kong political activist Joshua Wong.

Powerful politicians use technology just the way you and I do

Despite a $1.2 billion campaign, senior campaign staff and party leadership did not have access to, or bother with, specialized equipment for securing their communications. No dedicated, hardened smartphones or computers, no hardware keys or end-to-end encrypted satellite phones. In fact, no sign of encryption, whatsoever.

Such equipment is not uniquely effective, but it can limit users to pre-approved actions that are unlikely to leave data and communications vulnerable.

It is understandable why someone would want to use regular consumer hardware for work, no matter how sensitive. You can use the applications you are already familiar with, and being in full control of your communications usually makes you more productive.

However, if you use general off-the-shelf consumer products for anything sensitive, it is very important to know exactly what you are doing.

Campaign staff generally had no idea what they were doing

Billy Rinehart, previously regional field director for the Democratic National Committee and working on Clinton’s campaign, received the following email:

“Mr. Rinehart was in Hawaii at the time. He remembers checking his email at 4 a.m. for messages from East Coast associates. Without thinking much about the notification, he clicked on the “change password” button and half asleep, as best he can remember, he typed in a new password,” said the New York Times article.

It’s not completely out of the question that whoever sent this phishing email knew Rinehart would likely be tired when opening it. But it doesn’t matter—the email is a relatively standard phishing attempt that stands out for its subtleness, yet still plays into the same fears the NYT article does: The Russians are trying to hack you.

However, this email should pose no threat to somebody who casually checks what URLs they visit, and who uses basic two-factor authentication by SMS. Additionally, in the Gmail web interface, you can reset your password by clicking on your profile picture in the top right, then my account > sign in & security > password. In any application, this is preferable to resetting the password from a link in an email.

In another instance, the FBI warned the DNC by phone, telling an uninformed and low-level staffer about a system compromise. The agent also informed them the hack came from a Russian group called “the Dukes.”

A likely result of what somebody would have encountered after searching for "the Dukes" on Google.

“His first moves were to check Google for “the Dukes” and conduct a cursory search of the D.N.C. computer system logs to look for hints of such a cyberintrusion,” the NYT article said.

This FBI involvement raises so many questions that it is hard to condense the issue into a single article.

• How did the FBI find out that the email account was compromised in the first place? Were they monitoring the account themselves or did they have somebody inside of the organization they eventually blamed for it?

• Yet, why are they unable to reach out to someone competent, or walk over to the office to authenticate themselves?

• The Secret Service is typically involved with the security of all presidential candidates and their campaigns. Does such an arrangement cover information security? If not, does an arrangement exist that does?

• Why would the FBI call the D.N.C.’s office on an unsecure landline, knowing that their systems have been compromised? Why do they namedrop the organization they suspect of currently actively listening?

Nothing makes sense, unless:

Outside experts are just as clueless

The thinking at the DNC and the Clinton campaign demonstrates two common lines of thought:

  1. The state will protect us
  2. We are not cybersecurity experts and will outsource this

“This is not a mom-and-pop delicatessen or a local library. This is a critical piece of the U.S. infrastructure because it relates to our electoral process, our elected officials, our legislative process, our executive process.”

The sad reality is that, likely, no outside party is able to mitigate those risks without hugely crippling the efficiency of the organization. If you want to open up any website you like, click on links or use email at all, you will need to bear responsibility for your own actions, and learn about threats like phishing, hacking or social engineering.

All an outside consultant is good for is excuses, such as wrongly identifying a phishing mail as “legitimate.”

“This is a legitimate email,” Charles Delavan, a Clinton campaign aide, replied to another of Mr. Podesta’s aides, who had noticed the alert. “John needs to change his password immediately.”

“Mr. Delavan, in an interview, said that his bad advice was a result of a typo: He knew this was a phishing attack, as the campaign was getting dozens of them. He said he had meant to type that it was an “illegitimate” email, an error that he said has plagued him ever since.”

unverified information

“Within a day, CrowdStrike confirmed that the intrusion had originated in Russia”

as well as additional costs:

“During this second wave, the hackers also gained access to the Democratic Congressional Campaign Committee, and then, through a virtual private network connection, to the main computer network of the D.N.C.”

This virtual private network (not to be confused with a VPN Service) is a complicated setup that allows devices in multiple locations to appear as if they were in the same location, and in this case, make them all vulnerable at once.

Secure yourself now

Luckily, not all is lost. Individuals especially (as opposed to organizations) have access to a wide range of tools that allow them to secure their data and communications against even sophisticated hackers.

1. Activate two-factor authentication on all your relevant accounts, such as your webmail, social media and cloud storage. Make sure that all your accounts are using a unique password (a password manager will be essential), and that the email address used to sign up for them is one you have secured well. The more addresses you have to maintain, the harder this becomes.

If you consider yourself a high-value target, SMS-based two-factor authentication is not enough, as text messages can be rerouted with enough skill and effort. Use an authenticator app or a hardware security token.

2. Use end-to-end encryption whenever possible. Chat on WhatsApp instead of Facebook, and try out GPG to encrypt email attachments or entire documents. Don’t speak on the phone, but use apps like Signal instead.

3. Educate yourself about information security, for example here, here or here. Show a healthy amount of suspicion towards websites, programs and emails. When in doubt about risky file formats such as .docx or .exe, ask for a pdf or an explanation from the sender.

Never compromise security for convenience, such as sharing passwords with co-workers. Instead, try to figure out how to responsibly share accounts or co-edit emails, for example by reaching out to tech support.