The hacking of Clinton Campaign Chairman John Podesta’s email provided a lesson for us all. It was an amazingly simple phishing email that caused his password to be revealed. An email was sent to Podesta’s gmail account saying someone had used his password to login to his account from the Ukraine and he should change his password. It included a link to change the password.
The link to change the password used a url shortening service bit.ly. This by itself is not a complete giveaway. The url shortening takes a long url and reduces it to a much shorter url — in this case it was https://bit.ly/1PibSU0. When the shortened url is clicked on it redirects to the longer url.
IT Technician Charles Delavan told The New York Times that the hack was partially his fault. He used the word “legitimate” instead of “illegitimate” in referring to the the emails by mistake and mentioned that it was probably a good idea in any case to change the password. He included a link to change the email since he did not trust the link in the email.
The staff member clicked the link in the phishing email — not the one added by Delavan — when they went to change the password thus providing the phisherman with the the password to Podesta’s emails. He also instructed that they should enable two-factor authentication. If this had been done, the password would not let the phisherman in.
The phisherman then downloaded Podesta’s emails and uploaded them to Wikileaks. These emails provided an unvarnished look into the Clinton campaign and proved to be very damaging during the election.
What we need to understand from all this is that it is simply not enough to have an IT specialist. Everyone needs to be involved in security. Sometimes the IT specialist will mistype an instruction. If the staffer is well trained, they will know better than click a link in an email to change a password. If staff had enabled two-factor authentication or gone directly to gmail to change the password, hacking would have been prevented.
It is important that everyone should be trained on security procedures as part of their duties and responsibilities at work.