The Clinton Campaign’s Chief, John Podesta, is having a really bad month. Last week, Wikileaks began to publish a series of email dumps from Podesta’s accounts. If you want to read a comprehensive breakdown of what occurred, I suggest this article from Ars Technica.
For my purposes, I want to attempt to explain Podesta’s apparent mistakes clearly and then show how to properly secure your communications. The big takeaway should be that this is the result of incompetence and what can happen when you don’t take security best-practices seriously.
1) In May of 2015 John Podesta had his Apple ID login credentials sent to him via email from a 3rd party. From the time of that email until October 2016 that password had not been changed.
What's the point of Podesta having a ridiculously weak password if he can't even remember it? pic.twitter.com/OiphAQuuFC
— Dan Goodin (@dangoodin001) October 12, 2016
2) Wikileaks publishes the hacked emails, which includes the email containing his Apple ID credentials.
3) Shortly after these emails become public on Wikileaks, screenshots of the email including Podesta’s Apple ID credentials appeared on 4chan.
4) Then Podesta’s Twitter account posted saying “I’ve switched teams. Vote Trump 2016. Hi pol.” (the last bit is a reference to 4chan). The Clinton campaign has acknowledged that his account was hijacked.
How Does This Happen?
Researchers are speculating that Podesta’s Twitter account may have been protected by the same weak password that was disclosed in the WikiLeaks dump. Another possibility is that the password reset feature for Podesta’s Twitter account was linked to his iCloud account and was activated once the iCloud account was hijacked.
It appears that either he was using the same password for Twitter that he had been using for iCloud, without Two Factor Authentication (2FA), or that there was a cascading effect where a single compromised account led to other accounts being compromised.
What Should He Have Done?
- Never send login credentials over SMS or Email if you can help it. If you have no choice, at least change those credentials soon after. If someone ever gets access to those messages, they should not be able to log into any of your accounts.
- Change Passwords Regularly: It appears that his password was the same for roughly a year and a half between the date of the email and the time of the hack. That is unacceptable for someone in such a high-risk field who is not using Two Factor Authentication.
- In response to his emails being dumped online, he apparently did not go and change his passwords. Anyone reading through the Wikileaks dump could have come across that information. If you ever have reason to believe one of your accounts has been compromised, change the passwords for anything connected to that account. This is especially important if, as seems likely here, the same password was used for multiple accounts.
- As an organization, the Clinton Campaign needed to have proper policies put in place by security professionals to secure the devices of people who would be sending and receiving sensitive information.
- Use complex passwords. “Runner4567” is very simplistic. Find out what length and characters (numbers or symbols) a service supports for passwords. Simply put: use the strongest password a service will allow.
- Use a different password for every account. Don’t let convenience get in the way of security. If you can’t remember your new, complex passwords because you are a human being, that’s ok. You can use a password manager such as LastPass to secure and carry your passwords with you wherever you go.
- Use Two Factor Authentication. A cracked password still shouldn’t be enough to let an attacker hijack your accounts.
- As an organization, make training and support available to your employees so that you can ensure that your policies are put into practice.
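As an added illustration of the password and 2FA points above (use the strongest password a service allows, never reuse one across accounts, and require a second factor), here is a Python example written for this post. It is not the author's code and uses only the standard library. The account names, the word list standing in for a breached-password dictionary, and the TOTP key (the RFC 6238 test-vector key) are constructed sample data; the plaintext comparison in `login()` is a stand-in for a real service's password hash check.

```python
import hashlib
import hmac
import math
import secrets
import string
import struct

# Character classes a service may permit; the caller says which ones it allows.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.<>?",
}

# Constructed stand-in for a real dictionary / breached-password list.
COMMON_WORDS = {"password", "runner", "welcome", "summer", "letmein"}


def generate_password(max_len, allowed=("lower", "upper", "digit", "symbol")):
    """Use the full length and every character class the service permits."""
    alphabet = "".join(CLASSES[c] for c in allowed)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(max_len))
        # Reject draws that miss a permitted class so none of the allowed space is wasted.
        if all(any(ch in CLASSES[c] for ch in pw) for c in allowed):
            return pw


def entropy_bits(password):
    """Upper bound: log2(alphabet size) per character for the classes present.
    A dictionary word plus digits is far weaker than this bound suggests, which is
    why password_problems() checks for that pattern separately."""
    size = sum(len(chars) for chars in CLASSES.values() if any(ch in chars for ch in password))
    return len(password) * math.log2(size) if size else 0.0


def password_problems(password, min_len=12):
    """Return the reasons a password is weak (an empty list means none found)."""
    reasons = []
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    core = password.rstrip(string.digits + string.punctuation).lower()
    if core in COMMON_WORDS:
        reasons.append(f"dictionary word '{core}' followed by digits/symbols")
    present = sum(1 for chars in CLASSES.values() if any(ch in chars for ch in password))
    if present < 3:
        reasons.append("fewer than three character classes")
    return reasons


def reused_passwords(vault):
    """Map every password shared by more than one account to those accounts."""
    by_pw = {}
    for account, pw in vault.items():
        by_pw.setdefault(pw, []).append(account)
    return {pw: accts for pw, accts in by_pw.items() if len(accts) > 1}


def totp(secret, for_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing for_time."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def login(accounts, totp_secrets, account, password, code, now):
    """Both factors must check out; the correct password on its own is rejected.
    (A real service compares against a stored password hash, not plaintext.)"""
    if not hmac.compare_digest(accounts.get(account, ""), password):
        return False
    secret = totp_secrets.get(account)
    if secret is None:
        return False  # no second factor enrolled: fail closed in this example
    return hmac.compare_digest(totp(secret, now), code)


# Constructed sample data: two accounts sharing one weak password, one account with 2FA.
SAMPLE_ACCOUNTS = {"icloud": "Runner4567", "twitter": "Runner4567", "bank": generate_password(20)}
SAMPLE_TOTP_SECRETS = {"bank": b"12345678901234567890"}  # RFC 6238 test-vector key

if __name__ == "__main__":
    bank_pw = SAMPLE_ACCOUNTS["bank"]
    print("Runner4567 problems:", password_problems("Runner4567"))
    print("reused:", reused_passwords(SAMPLE_ACCOUNTS))
    print("bank password entropy bits:", round(entropy_bits(bank_pw), 1))
    print("password only:", login(SAMPLE_ACCOUNTS, SAMPLE_TOTP_SECRETS, "bank", bank_pw, "000000", 59))
    print("password + code:", login(SAMPLE_ACCOUNTS, SAMPLE_TOTP_SECRETS, "bank", bank_pw,
                                    totp(SAMPLE_TOTP_SECRETS["bank"], 59), 59))
```

Running it flags "Runner4567" as short and dictionary-based, reports that the two sample accounts share it, and shows that the correct password for the 2FA-protected account is rejected until a valid code accompanies it. A production verifier would additionally accept the adjacent time steps for clock drift, rate-limit attempts, and refuse to let a single compromised mailbox reset every other account's password.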
You don’t have to become a security expert to stay safe online. Just follow simple best-practices and don’t choose convenience over strength when it comes to passwords.