Wednesday, December 14, 2016

The Hacking of John Podesta's Email and Security Lessons Learned

I happened to fly back with John Podesta in May of this year after attending Dr. Dave Patterson's retirement weekend. The photo is a little blurry because the plane was moving around a bit. The point of the photo, before talking about the security around John Podesta's email, is that this is a very smart and nice man, and this could happen to most people. He was in the middle seat because he had to make a last-second flight. I did not recognize him immediately, but when I did I said, "you know, I thought you were somebody." To which he just laughed. Also, we did not talk about email :-)

It came out yesterday, as reported at The Hill:

"The hack and eventual release of a decade’s worth of Hillary Clinton campaign chairman John Podesta’s emails may have been caused by a typo, The New York Times reported Tuesday in an in-depth piece on Russian cyberattacks.

Last March, Podesta received an email purportedly from Google saying hackers had tried to infiltrate his Gmail account. When an aide emailed the campaign's IT staff to ask if the notice was real, Clinton campaign aide Charles Delavan replied that it was "a legitimate email" and that Podesta should "change his password immediately."

Instead of telling the aide that the email was a threat and that a good response would be to change his password directly through Google’s website, he had inadvertently told the aide to click on the fraudulent email and give the attackers access to the account.

Delavan told the Times he had intended to type "illegitimate," a typo he still has not forgiven himself for making."

While this brief article makes one feel very bad for Charles Delavan, John Podesta, and most likely the world as we know it (but I digress :-), it does bring out one very solid piece of advice, but leaves out an even more important security suggestion from my perspective.

The solid piece of advice is what I highlighted in bold above:

  •  "A good response would be to change his password directly through Google's website."

I would argue that the first thing the security people on Clinton's team should have insisted upon is two-factor authentication for EVERYONE's email and communication systems.

Just as a reminder, two-factor authentication, or 2FA, means that logging in requires two different methods of proving who someone really is. In other words, just knowing the login and password is NOT enough.

The most popular form of 2FA uses your phone to receive a token. For example, you are traveling, you sit down at a computer in your hotel to print out your boarding pass, and you decide to check your email.

With single-factor authentication, only your login and password are asked for to let you into your email. With 2FA, the email service would essentially state, "you have not logged in here before, please enter the 6-digit token I just sent to your smartphone."

If you have your phone, you see the 6-digit token come up and you enter it. At that point you are asked, "do you want to trust this computer going forward?" In other words, you will NOT have to put in a new token each time you log in. If this is a hotel computer, you would NOT want to trust it, whereas if it is the new MacBook Pro you just purchased, then you would say "yes." By saying yes, you will not have to enter the 6-digit token on that machine again.

Certainly the advice to go directly to your email provider, or directly to your bank's login page (if you received an email from your bank asking you to change your password), is the correct advice. BUT, I would argue that you should take advantage of 2FA on ANY online service that offers it!

So far we have not seen too much in the area of triple-factor authentication, which combines:

  1. Something you know - your password.
  2. Something you have - your smartphone, where a one-time token can be sent.
  3. Something you are - a biometric such as a fingerprint or retina scan.

Triple-factor authentication is used in intelligence agencies and areas where information protection is at a premium.

An area where many companies could do a much better job is account recovery.  Too often, 2FA might be used for login but NOT for account recovery - which is obviously brain-dead.
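As an added illustration (not from the original post), here is a small Python model of the flow just described: a password plus a 6-digit one-time code on the first login from an unfamiliar device, a "trust this computer" choice that skips the code afterwards, and a password reset that is gated by the same second factor. The account, device names and codes are constructed; a real provider delivers the code by SMS or an authenticator app rather than keeping it in a list in memory.

```python
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # a one-time code is only good for a few minutes


class Account:
    """Constructed model of one mail account protected by password + 2FA."""

    def __init__(self, password):
        self.password = password        # plaintext only to keep the model short
        self.pending = {}               # code -> (device, expiry); single use
        self.trusted_devices = set()    # devices the user answered "yes" for
        self.sent_codes = []            # stands in for the SMS to the phone

    def _send_code(self, device):
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[code] = (device, time.time() + CODE_TTL_SECONDS)
        self.sent_codes.append(code)

    def _verify_code(self, device, code):
        entry = self.pending.pop(code, None)  # pop: a code works exactly once
        return entry is not None and entry[0] == device and time.time() <= entry[1]

    def login(self, password, device, code=None, trust_device=False):
        if not hmac.compare_digest(password, self.password):
            return "denied"                 # factor 1 failed; say nothing more
        if device in self.trusted_devices:
            return "ok"                     # the "new MacBook Pro" case
        if code is None:
            self._send_code(device)
            return "code_required"          # "you have not logged in here before"
        if not self._verify_code(device, code):
            return "denied"
        if trust_device:
            self.trusted_devices.add(device)
        return "ok"

    def reset_password(self, device, new_password, code=None):
        # Account recovery is gated by the same second factor as login,
        # so a stolen password alone cannot be turned into a new one.
        if code is None:
            self._send_code(device)
            return "code_required"
        if not self._verify_code(device, code):
            return "denied"
        self.password = new_password
        self.trusted_devices.clear()        # re-prove every device after a reset
        return "ok"
```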
