Our political leaders set a sorry security example

I am constantly amazed by how much cyber-security effects our 21st century lives every day, and by how clueless our leaders on both sides of the political isle are about all of it.

Let’s start with Hillary and the Democrats.  I’ll dump on Trump and the Republicans in a minute.

First up is Hillary’s email server.  I’ve said over the years that I have no problem with Hillary running her own email server.  And, given what we’ve since learned about US Government security with stories like the OPM breach, I might have run my own email server if I were in her position.  One difference – I know more about running an email server than Hillary.

Whether or not what she did is criminal is still being argued, but we all learned she was, at minimum, wildly careless handling sensitive information.  A United States Secretary of State should know better.  Her reaction?  Double-down on ignorance.  Check out this piece from The Daily Beast here.  Another link to the embedded Youtube video here.  At around the 1:05 mark, the reporter asks Hillary about wiping her email server.  Her reply – “You mean, like with a cloth or something?”  Arrogant, ignorant, and proud of it.  A dangerous combination.  The FBI report came out this summer (2016).  I posted thoughts about FBI Director Comey’s announcement here.

Check out FBI Director Comey’s announcement, where he describes how an army of FBI professionals needed a year to painstakingly comb through that server hard drive to recover thousands of deleted messages.  Why were they deleted?  Only one explanation holds up: Hillary must have ordered her email administrator to uninstall Microsoft Exchange and delete the datastore, but nobody wiped the deallocated space.  A rookie mistake?  Or a bungled coverup?  How much would an enemy of the United States pay for a copy of the discarded hard drive from the Secretary of State’s email server?  So, yeah, wildly reckless is a charitable characterization.

Although there is no evidence Hillary’s email server was ever penetrated, apparently the Russians did penetrate the Democrats’ email server. And now the whole world sees a daily barrage of  embarrassing, private messages, courtesy Wikileaks.  And in the process, we’ve now legitimized Wikileaks, even though its leader is currently holed up in the Ecuadorian Embassy to block extradition for sexual assault.  Full disclosure here – I have personal experience with Wikileaks.  Here are details.

And that leads to Donald Trump, chief Wikileaks legitimizer.  The Donald, maybe our next President, who fires apprentices for making weenie excuses for failure.  So how did Trump Industries handle its data breach last year, when it exposed thousands of its own customers to credit card fraud?

Like virtually every other company these days, we have been alerted to potential suspicious credit card activity and are in the midst of a thorough investigation to determine whether it involves any of our properties,” the statement reads. “We are committed to safeguarding all guests’ personal information and will continue to do so vigilantly.”

I added the italics for emphasis because it was a weenie excuse.  Read the July, 2015 krebsonsecurity.com story here, and the Krebs followup October, 2015 story here.

It gets worse.  Krebs reported a second data breach in April 2016.  Article here.

That’s right.  Anyone who stayed in a Trump hotel through most of 2014, 2015, and early 2016 should consider calling their bank and requesting a new credit card.

And now, the ultimate in irony.  “We’re so obsolete in cyber,” Trump told The New York Times. “We’re the ones that sort of were very much involved with the creation, but we’re so obsolete.”

Donald said that in March, 2016.  Now it’s October, 2016 and we all recently learned how right Donald was.  Although not in the way he intended.

The news broke on Monday, Oct. 17 when security researcher, Kevin Beaumont, did some simple probes of publicly available data and found that the Trump organization uses Windows 2003 with Exchange 2003 as its email server.  Here is a ZDNet article with details.  Here is a Vice News article with more.

IT professionals’ jaws should be dropping right now.  For the uninitiated, as of October, 2016, Windows 2003 really is 13, count ’em, 13 years old.  Which means today’s 7th graders weren’t born yet when Windows 2003 first became available.  Microsoft no longer supports Windows 2003 and no longer issues security updates.  Which means the Trump public facing email server is the Internet equivalent of a large rob me sign taped to the front doors of all Trump properties.  Which may explain why criminals were able to so easily steal thousands of customer credit card numbers from Trump Industries, not once, but twice.

And it gets worse.  Trump’s response is nonsense.

“The Trump Organization deploys best in class firewall and anti-vulnerability technology with constant 24/7 monitoring. Our infrastructure is vast and leverages multiple platforms which are consistently monitored and upgraded using current cyber security best practices.”

Defending the choice to continue operating a hopelessly obsolete email server because it’s behind a firewall is like changing the car oil to compensate for bad tires.  The Trump response demonstrates an amazing lack of basic understanding about what firewalls do – and don’t do.

I wonder if Trump will still be a Wikileaks supporter when his private emails start showing up in newspaper headlines?

And finally, we learn that Republicans and Democrats do share some common ground in this divisive election year.  They’ve both been breached.  The Democrats lost emails and the Republicans lost credit card numbers.  Anyone who purchased anything from the Republicans between March 2016 and the first week of October should contact their bank and ask for a new credit card.  Details here.

If you’re a political candidate or an organization decision maker, listen up.  Based on what I’ve seen, you probably don’t know nearly as much as you think you know about cyber-security.  So accept my shameless book plug and consider buying a copy of “Bullseye Breach,” right here.  You’ll be entertained and you’ll learn how this stuff really works and what you can do to stop it.

I’m also looking for an agent and publishing partner for book #2, where a nation-state really does attack the United States.  More news on that as it gets closer to publication.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.