Politics

The DNC Could Have Prevented The Email Hack For $18

(Photo by Ethan Miller/Getty Images)

Daily Caller News Foundation logo
Eric Lieberman Managing Editor
Font Size:

The massive breaches that occurred in the DNC and then-Clinton campaign chairman John Podesta’s email system could have been prevented with the purchase of a piece of tech that costs as little as $18 in some places.

The price is significant because while the DNC spent $369 million this election cycle, they later wailed about their nonprofit status when Scott Shane of The New York Times asked about an information security budget. While very little is considered technically unhackable, a cyber security expert pointed out Wednesday that a simple piece of gear would have made it much, much harder to cull Podesta’s emails.

Two-factor authentication (2FA), the cybersecurity mechanism of having required log-in credentials secured on a separate electronic device, seems to be the best means of protecting users from such breaches. The security keys for 2FA are relatively affordable and usually priced around $20.

“There was never enough money to do everything we needed to do,” Andrew Brown, the technology director at the DNC, told The NYT.

Having strong cybersecurity, though, probably wasn’t due to insufficient funds like Brown professes, since the DNC raised a total of $369,374,155 during the 2016 election cycle, according to OpenSecrets.

The DNC and Podesta would have benefitted from such a security key if they wanted to severely limit the chances of their emails becoming public. Several security experts have since come out to say that political campaigns are regular targets for state and non-state actors looking to gather information on incoming administrations. (RELATED: The Cascading Blunders Of The DNC, FBI, And White House Invited Hacking)

In emails obtained by WikiLeaks, Podesta was asked to change his password by a user who was simulating an authentic Google account.

The email, which said “Someone has your password,” was an apparent attempt to feign caution and urge Podesta to click the “CHANGE PASSWORD” button. The link then goes to a highly deceiving page where Podesta typed in his password upon request.

It was fairly apparent, though, that the link was infected or fraudulent. After hovering over the button requesting Podesta to change passwords, a link management platform called “Bitly” appeared, not an authentic Google web address.

“Generally speaking, if you receive an account reset email from Google or another service provider, you should be able to hover over the link and it should indicate that the URL address it directs you to is the service provider’s own domain (google.com for Google, etc.),” Ryan Hagemann, the technology and civil liberties policy analyst at the Niskanen Center, told The Daily Caller News Foundation (TheDCNF).

“This is a legitimate email,” Charles Delavan, a Clinton campaign aide, wrote in an email to Podesta, specifically referencing the original message asking him to change his password. “John needs to change his password immediately.”

Delavan, though, says he meant to write “illegitimate” and not “legitimate” to warn Podesta that the original email asking him to change his password was likely a scam, according to The New York Times.

“This just goes to show that cybersecurity failures are usually the result of human error,” Hagemann said.

It was also probably highly confusing that Delavan advised Podesta to change his password, which is what the original counterfeit email was suggesting. Aside from the typo, Delavan should have been more thorough with his own electronic communications to elaborate on how (or on which online page) Podesta should change his security credentials. (RELATED: Reminder: John Podesta Wasn’t Hacked, He Was Duped Just Like The DNC)

So not only should Podesta have become suspicious himself, but the IT team for Clinton’s presidential campaign should have done better to expand on instructions and in general further stress the importance of strong cybersecurity.

The breach wasn’t the only example of the Clinton campaign and the DNC having poor cybersecurity. One of the passwords used for the party’s press email (dncpress#dnc.org) was “obamain08,” a password that could easily be cracked in less than an hour with easily available software tools, according to Business Insider. (RELATED: Advanced Cybersecurity: The Simple Password May Soon Be Obsolete)

Not all “two factor” authentication is created equal though, Hagemann emphasized. The kind that simply asks for more personal information is easy to spoof.

“Two-factor authentication is mostly valuable as a means of preventing unauthorized access of devices after they’re stolen or misplaced. Given that Mr. Podesta was in full possession of his devices, it likely wouldn’t have protected him against the phishing scam,” Hagemann said. “The link Mr. Podesta clicked on, for example, could have required him to input the secondary information in order to ‘confirm’ his identity, giving that information directly to the hackers.”

 

Follow Eric on Twitter

Send tips to eric@dailycallernewsfoundation.org.

All content created by the Daily Caller News Foundation, an independent and nonpartisan newswire service, is available without charge to any legitimate news publisher that can provide a large audience. All republished articles must include our logo, our reporter’s byline and their DCNF affiliation. For any questions about our guidelines or partnering with us, please contact licensing@dailycallernewsfoundation.org.