
DNC chief Podesta led to phishing link ‘thanks to a typo’

Typing 'legitimate' instead of 'illegitimate' led DNC chief to phishing link and the hack that compromised his emails, report finds

Who hacked Clinton campaign chairman John Podesta?

…and the Democratic National Committee (DNC)?

…and the US election?

Back in July, security firm SecureWorks pointed the finger at Russia: over the course of the past year, it’s been tracking the Russian hacking group Fancy Bear and its spearphishing attacks, launched with shortened Bit.ly URLs to trick victims into giving over their Gmail credentials to fake login pages.

Over the past few months, the Feds have come to agree. In October, officials formally identified the Russian government as the source of intrusions into DNC systems. Those intrusions set off a political firestorm after a trove containing 10 years’ worth of Hillary Clinton’s emails was leaked and published on WikiLeaks.

How could John Podesta and others have fallen for the phish?

Earlier this week, in an in-depth report on Russian cyberattacks, the New York Times revealed that Podesta’s credentials were given up because of the simplest of errors: a typo, just two missing letters.

Not his typo, mind you. Rather, an aide forwarded a phishing email sent to Podesta, sending it to the campaign’s IT staff to ask if the notice was for real. The email, purportedly from Google, said that hackers had tried to infiltrate Podesta’s Gmail account.

Clinton campaign aide Charles Delavan replied that yes, the message was “a legitimate e-mail” and that Podesta should “change his password immediately”.

There were two missing letters – “i” and “l” – that should have preceded the word “legitimate”.

As Delavan told the NYT, he knew the email was a phishing attack, given that the Clinton campaign was getting a steady stream of them. He meant to reply that the email was “illegitimate”.

What he should have told the aide was that the password should be changed immediately, directly through Google’s site and not by clicking on the link in the phishing email.

But instead, he inadvertently told the aide to click on the phishing link, and that’s how the attackers got Podesta’s Gmail login, enabling them to get into Podesta’s account and to about 60,000 emails stored therein.

The simple error has tormented him ever since, Delavan told the newspaper.

In October, SecureWorks identified a Bit.ly account and the WikiLeaks-released email that appeared to have been used to attack Podesta’s account.

Using a short URL to target individuals and their logins is a surprisingly effective tactic, and neither Bit.ly nor any other shortening service is to blame. The service itself remains secure, but a short URL hides its real destination behind an innocent-looking string, so the target can’t tell from the link alone where a click will lead.

Here’s how it can go: a target gets a “security alert” from what looks like Google. “Someone has your password,” it says at the top, in a do-not-ignore-this red banner warning that someone has just tried to sign into your Google account.

The message provides realistic-looking details: the date the password was used, the IP address of the supposed culprit and a source location from which your account was accessed.

“Google stopped this sign-in attempt,” it informs you, “but you should change your password.” Of course, there’s a button to do just that. “Change password,” the text reads, over a reassuring safety-blue background.

How can you protect yourself from falling for such carefully crafted, well-disguised attacks? As it is, screenshots of the Bit.ly link used against Podesta show that even the destination hiding behind the Bit.ly link can be made to look, to an untrained eye, like it’s legitimate.
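An added example, not from the article or from Sophos: a small Python link check that does mechanically what the paragraph above asks a reader to do by eye. It treats a shortener host as opaque until expanded, flags the user@host trick and brand-name lookalikes, and reports when a link’s visible text names a trusted Google host but its href goes elsewhere. The trusted-host and shortener lists are constructed assumptions, not a complete list.

```python
from urllib.parse import urlsplit

# Constructed assumption: hosts a genuine Google password-change link may land on.
TRUSTED_SUFFIXES = ("google.com",)
# Constructed assumption: shortener hosts whose links say nothing until expanded.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co"}


def classify_link(url: str) -> str:
    """Return 'trusted', 'shortened', 'lookalike' or 'untrusted' for a link destination."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "untrusted"
    if host in SHORTENER_HOSTS:
        return "shortened"
    if parts.username or parts.password:
        # "https://accounts.google.com@evil.example" actually goes to evil.example;
        # the trusted-looking part is only a username.
        return "lookalike"
    for suffix in TRUSTED_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return "trusted"
    # The brand name anywhere else in the host (google.com.evil.example,
    # myaccount-google.example) is the classic lookalike pattern.
    if "google" in host:
        return "lookalike"
    return "untrusted"


def check_anchor(display_text: str, href: str) -> str:
    """Flag an anchor whose visible text names a trusted host while the href points elsewhere."""
    shown = classify_link(display_text) if "." in display_text else None
    actual = classify_link(href)
    if shown == "trusted" and actual != "trusted":
        return "mismatch"
    return actual


# Constructed sample: a "Change password" button and a pasted-looking link such as
# a phishing mail might carry. The short URL path is a made-up placeholder.
SAMPLE_LINKS = [
    ("Change password", "https://bit.ly/CONSTRUCTED-EXAMPLE"),
    ("https://myaccount.google.com", "https://myaccount.google.com.security-check.example/"),
    ("Change password", "https://accounts.google.com/signin/v2"),
]

if __name__ == "__main__":
    for text, href in SAMPLE_LINKS:
        print(f"{check_anchor(text, href):9s} {href}")
```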

You can pick proper passwords, for one thing. Even though strong passwords don’t help if you’re phished (the crooks get the strong password anyway), they make it much harder for crooks to guess their way in.

Use two-factor authentication whenever you can. That way, even if the crooks phish your password once, they can’t keep logging back into your email account.

Consider using Sophos Home. The free security software for Mac and Windows blocks malware and keeps you away from risky web links and phishing sites.

OK, all well and good.

But how do you stop yourself from making typos? Particularly typos that can lead to the crippling of security at a major political party? Unfortunately, there’s no such thing as anti-typo-ware, at least not that we’ve heard of. Spellcheck will probably pick up actual spelling errors, but it can’t save you from typing the wrong word.

The only tool we’ve got to avoid an error like this – not to rub it in, Mr Delavan – is plain old proofreading.

24 Comments

This is bunk.
Q: Is this notice for real?
A: Yes, it’s not real. Change your password.

Why would a security professional instruct someone to change their password because they received a common phishing email?

BTW – still searching in vain for even one Clinton supporter who was escorted to the polls by a commie in a red-starred hat and forced to vote for the other side.

Reply

The typo theory has been debunked, e.g. on slate.com.

The journalist investigated further, and Charles Delavan’s excuse that he made a simple typo does not stand up to scrutiny.

Put yourself in his shoes: if your boss forwards a suspicious email and asks if it is OK, and you thought it was a dangerous phishing attempt, would you just reply back and say that it was not legit, risking that your reply would not be seen in time? I know that if I were in that situation, I would first pick up the phone to my boss and make it absolutely clear that the email was fake, and then I would follow up with a blanket email to all staff warning of an active phishing attack.

The conclusion has to be that Delavan was fooled by the phishing email, and is now trying to cover up his mistake as a typo.

Reply

So Charles Delavan lied .. tried to cover up??? /s Say it isn’t so !!! Guess congress will have to initiate another Watergate style investigation. /s

Podesta and DNC compounded all this by refusing to pay for (or install) software to protect against hacking or phishing schemes.

Rookie mistake layered on top of rookie mistake.

Reply

Just goes to show, never blame a conspiracy when user stupidity is more likely the cause. Especially not a “Russian Hacker” Conspiracy.

Check your links and always navigate to the website directly.

Reply

Um, did you read the article or just the headline? It was user error insofar as they were fooled by a spearphishing email, but the emails themselves came from the Russian hacking group Fancy Bear that were targeting the DNC directly. Having your password compromised by phishing is still hacking when they used the login credentials to get into the computers unauthorized and access the data.

Reply

Am I the only one asking what the hell they are doing using Gmail accounts? We as a country really need to step it up in the cyber security field. The fact that a phishing email using gmail could cause this just shows how lacking we are in this field. Time to step it up USA

Reply

Sounds like Podesta did exactly as he should have: ask his IT people whether it’s OK or phishy.

It’s the tech support that was at fault. Interestingly, the tech culture is at least partially to blame as well:

Tech support people who are really good are also really smart. That means they use big words a lot. If he had used “bad” instead of “illegitimate”, no typo or brain burp could screw it up. It takes a long time to learn to use a vocabulary that isn’t nerd-speak. If he misspelled “bad” as ba or bd or ad or bba or whatever, Podesta would have replied with “What?”.

Reply

When I get requests like this from our staff, I use the Shakespeare technique of writing the message high and low, as in Macbeth: “this my hand will rather the multitudinous seas incarnadine, making the green one red.” So if you don’t understand “the multitudinous seas incarnadine,” I’ll rephrase it to “making the green one red.” In this case “the link is illegitimate. Don’t click on it. You can preview the link by moving the mouse over it to see where it will take you. [redacted] is bad.”

Reply

It would have helped too if the tech would have given specific instructions in plain English, and said to NOT click on the link, but to go to the site directly to change the password. It never hurts to insure that the correct steps are listed, rather than assuming that the reader knows them.

Reply

Still seems to me (by the way I am not a R or a D) that had the people behind the emails not done the things they didn’t want exposed that this would not be an issue. Seems like a blame the whistle-blower. For example do we blame the FBI when they surreptitiously trick pedophiles online then arrest them? If someone got my emails there is nothing in them that could be used to negatively affect me. Anyway that’s how it seems to me.

Reply

who cares how? the real issue is the what, ie the fact that the DNC, Podesta, and Clinton have been lying through their teeth for years, taking dodgy money, lining their own pockets, starting wars, killing people, etc etc. And now they have lost, largely due to the fact of serial lies and distortions, it’s divert the blame to “it’s all Putin’s fault”. Grow up yanks, no one believes a word you or your media (or its foreign poodles) says anymore.

Reply

Read the actual e-mail exchange, and it becomes clear that the aide thought the phishing e-mail was real, and is now covering his butt with the typo excuse. Had he thought the e-mail was fake, his reply should have been:

“It’s an illegitimate e-mail. John needs to delete it. Also, this is a good time to make sure he has two-factor authentication turned on, if he doesn’t already. If you or he has any questions, please reach out to me at xxx.xxx.xxxx.”

Instead it said:

“This is a legitimate email. John needs to change his password immediately, and ensure that two-factor authentication is turned on his account. He can go to [actual Google link] to do both. It is absolutely imperative that this is done ASAP. If you or he has any questions, please reach out to me at xxx.xxx.xxxx.”

Reply

To me, the first email sounds weird (I have never heard or seen the word “illegitimate” used in that context). The second email reads much like what I would expect, contains the real Google link, doesn’t beat around the bush, except that the word “not” is missing.

The word “illegitimate” is an anachronism and anyway used pretty much exclusively to mean “born of unmarried parents.”

Reply

Obviously it’s not a typo. The a/an distinction is the key. If he meant to write “illegitimate” he would have written that it was “AN illegitimate email,” not “A illegitimate email.”

Reply

The Russians also hacked the RNC; they are waiting to make the president elect their poodle. They will release those e-mails if he does not follow their wishes. This is not a game. The US is about to fall to the Russians. The Russians see the opportunity. Here’s the thing, our dear leader elect has zero skill in dealing with world politics; Putin is pure KGB. You don’t get to where Putin is without being a master at manipulating people. Right now, 37% of Republicans think Putin is a good leader. Putin can trick easily the other 63% soon. The Republicans will fold like the proverbial cheap suit when Russia releases the first batch of hacked RNC/Trump e-mails to WikiLeaks.

Reply

It’s surprising how this ‘hack’ story has progressed and is accepted so quickly, taking the attention off the real issues. The content of the emails is what we should be concerned with. There has been no argument or any evidence that these emails were tampered with. We are not under any law that tells us we cannot research these things to find out if they are real. I have looked into it myself. I didn’t follow what a CNN reporter stated on camera, that we can only get this information from them. He said that looking at them is illegal for us to do, but it is legal for them (CNN) to read them and that they would tell us what they say.

I’m sorry, I don’t buy that.

Researchers have checked many of the emails and found them to be from who they say they were and sent to whom they say they were without tampering. There are simple tools to do this with.

Let’s get back to the main issue: the emails were turned over to Wikileaks by a DNC insider and they are legitimate. Certain statements made in the emails were verified by the people who wrote the email to be true on recorded video that was on national TV. Now, even if the leak came from some other person, that doesn’t make the emails any less important. They show us things that no one has or can deny about the DNC, Podesta, the Clintons and the Clinton Foundation that are illegal and disturbing. So, what do we, the American people, do about these things?

I have a suggestion: let’s investigate these people named in these emails and prosecute the ones who have done wrong in the eyes of the constitution and the law. Let’s agree to do this together and put aside all this obvious garbage that keeps trying to take our attention away from the real issues.

Donald isn’t the problem. The lies and deception is. Go research it yourself by looking deeply into both sides of this. Not just listening to what people say from MSM or individuals you happen to like. Go find the truth with an open mind and heart. See where these things lead. Then let’s work together to stop this junk from trying to change this country into a wasteland of deception.

Reply

The actual phishing email thread, sent to Podesta from two Hillary aides (from Hillary’s personal email server by the way), can be viewed on Wikileaks .. it shows one aide sending a warning to another aide who then sent it to Podesta .. both aides clearly thought the phishing email was real.

Read it and make up your own mind .. but it was clear to me all thought it was a real warning from Google that Podesta’s credentials had already been hacked and used … rookie mistakes all around.

Reply

So, the emails that tell about the leaks were included in the thousands of emails Wikileaks released. Why would a Russian operative (if it was a Russian operative) have those emails enclosed with the rest implicating Russia and himself?
Again, the issue isn’t who gave them to Wikileaks. It is: What is our response to the legitimate and damning statements made by the DNC, Hillary and even Obama?
I have no doubt both Russia and the US are involved in cyber espionage. I am sure most all of the countries in the world have this capability and use it to their own advantage. That isn’t the issue, though we should be concerned and watchful. Dealing with the elephant in the room that keeps getting swept under the rug but cannot be hidden is.

Reply

RE: ‘Clinton campaign aide Charles Delavan replied that yes, the message was “a legitimate e-mail”’ Actually, it takes 3 letters to go from “a legitimate e-mail” to “an illegitimate email”.

Reply
