SE Labs

Special Edition
Computer security testing comment and analysis from SE Labs

How The Clinton Campaign Was Really Hacked

hillary-clinton-3961580The 2016 US Presidential Election may not be the first held in the shadow of Wikileaks, but it is the most entertaining.

When John Podesta received an email apparently from Google in March this year warning that someone had used his password to sign into his account, events began to resemble an episode of Veep, with Chinese whispers quickly replacing information.

Not knowing any better, Podesta forwarded the email to a member of staff to deal with. After a hop or two, the email was passed to the Clinton campaign’s IT Helpdesk Manager. He in turn made the rookie mistake of not inspecting the message’s header or checking the Bit.ly  link it contained. Both would have shown this to be a phishing attack. 

phish-5291731

Instead, the Helpdesk Manager concluded that the email was real, and Mr Podesta should change his password right away. However, the reply also contained the advice that Podesta should ignore the email and log in directly to Google. He even supplied the correct URL to do this and explicitly said that Podesta should turn on 2-factor authentication at the same time.

The Helpdesk Manager has since been somewhat unfairly vilified in the press. The fact is that his explicit advice was lost in favour of a simpler message as his reply began to filter back up the chain of command.

podesta-it-email-1-8250640

According Wikileaks, Sara Latham seems to have been the person who actually contacted the helpdesk on Podesta’s behalf. She also received the Manager’s reply, and added her own endorsement of the phishing link.

Having been told it was real, it seems that either Special Assistant Milia Fisher or Podesta himself then clicked on the original phishing link and attempted to change the password. The rest has been pundit fodder ever since.

reply-2589288

You can bet that the Clinton campaign  spent money on insurance, health and safety training, and other measures to ensure a safe working environment, so why not basic cybersecurity training? Maybe it did, and the people concerned simply didn’t attend. It seems sensible that in future campaigns, no one should get access to devices without first demonstrating that they can spot a simple phishing email, IT helpdesk Managers included.

About

SE Labs Ltd is a private, independently-owned and run testing company that assesses security products and services. The main laboratory is located in Wimbledon, South London. It has excellent local and international travel connections. The lab is open for prearranged client visits.

Contact

SE Labs Ltd
Hill Place House
55A High Street
Wimbledon
SW19 5BA

020 3875 5000

info@selabs.uk

Press