Cyber security · Email

What's with all these hacked emails?

Richard Pridham Investor, President & CEO at Retina Labs

October 11th, 2016

My question has nothing to do with politics so much as technology and data security. We're hearing about all these "hacked" emails during this US election cycle. How is this possible? Are email systems so easily compromised? You'd figure that, with the latest in security, encryption, firewall, messaging platform technology, it would be a lot harder to penetrate these networks and servers. I'm guessing that they're not using Google or Yahoo accounts but perhaps MS Exchange which is robust and secure. How are these hackers getting in? Are they using phishing techniques or are they actually hacking into the messaging server and gaining access to the message stores? Is no one in politics using 2-factor authentication? I would think that it should not be this easy. How do they know the hackers are Russians? My suspicion is that these might not actually be hacking incidents but internal leaks. In past elections I don't recall any hacked emails. You'd think that security would be far better in 2016.

Just curious...

Gabor Nagy Founder / Chief architect at Skyline Robotics

October 11th, 2016

"Are email systems so easily compromised?"
Yes. (And thank goodness for tech-incompetent politicians)
Sending unencrypted emails is like mailing post cards.
No company with a half-competent IT staff allows sensitive information to be sent through unencrypted email.
Even my former employer had strict requirements for using PGP for such emails.
And it was "just" a video game console manufacturer.
And, putting Microsoft (Exchange) and "robust" and "secure" in the same sentence...
You are not serious, are you?

JP Harvey Helping Secure Businesses via Virtual Information Security Teams

October 11th, 2016

It's possible that the emails were internally leaked and that the DNC was not hacked, however based on the evidence it's unlikely. Any system can be hacked, and if the information given by the FBI and Crowdstrike, who discovered and stopped the hack, is to be believed, the DNC was targeted by two of the most advanced hackers on the planet.

Using a particular technology is not a silver bullet against getting hacked, and to use the provided examples Google accounts (set up the right way) can be more secure than MS Exchange accounts. It's not necessary to compromise the server itself to obtain the emails, and yes most of these kinds of hacks start with a highly targeted phishing attack - "spear phishing".

The exact details about how they got in have not been released, however it does not happen overnight. Hacks like these can, and usually do, take weeks or months as the attacker starts with a tiny foothold and over time escalates privileges, moves sideways between systems, and exfiltrates data. Think of it like a stranded special forces soldier crawling through enemy territory by themselves for weeks to get to the border. One of the hackers had been in the DNC for nearly a year according to reports.

To get an idea about how these kinds of hacks happen, there's a good killchain analysis of the Target breach from 2013 here:

Since anything is hackable, it's not so much how "easy" it is, just that someone had the time and resources to beat the security controls that were in place.

JP Harvey Helping Secure Businesses via Virtual Information Security Teams

October 12th, 2016

Richard: "right" was a poor choice of words, there is no intrinsically "right" way to set up a Gmail account, it depends on the value of the data being protected and what aspect of security is most important for that use case (confidentiality, integrity, or availability). That aside, the point was that the technology used is not necessarily relevant, everything has vulnerabilities. With 2FA turned on for GMail, for example (and apart from a multitude of other ways to bypass or hack 2FA), 2FA would be irrelevant if malware allowing remote control of a computer logged in to the GMail account by a malicious user had been installed. Note this is not referring to John Podesta's case specifically, it's just a hypothetical example.

Believing one is safe by choice of technology is a security vulnerability in itself. Believing "if only they had done X like we do, they would have been fine" is also dangerous since it creates the same blind-spot. What we see when a hack is successful (if we're lucky) is the sequential dots joined into a nice neat kill chain. What is not usually seen is the much larger scatterplot of failures by the hacker to get around other security controls surrounding those sequential dots. Security is ultimately management of risk, not the specific bits and bobs that get put in place to mitigate threats. It's just as important to have a response plan as it is to have preventative controls.

The link above works ok for me; if it's not working, google "target killchain analysis" and it should be the first result.

Richard Pridham Investor, President & CEO at Retina Labs

October 12th, 2016

Gabor: "And, putting Microsoft (Exchange) and "robust" and "secure" in the same sentence... You are not serious, are you?" I'm curious to know what more robust and secure messaging platforms you think are better? Not trying to be sarcastic here, but Microsoft often gets bashed for these things when the alternatives are no better.

JP: In the latest incident, John Podesta's Gmails were evidently hacked. They say 10 years of his emails were exposed. So when you say "Google accounts (set up the right way) can be more secure than MS Exchange accounts", what are you referring to? What is the "right way" to set up a Google email account? I use 2-factor authentication but are there more settings? BTW: Your Target breach link does not work.

Duane Blanchard Impassioned Senior Information Security Engineer

October 13th, 2016

The link works for me as well, but note that it is to a PDF, so you may simply not be seeing a confirmation message at the bottom of your browser's window, or it may be in your downloads directory.

While there is no single "right" way to configure your gmail, or any other technology, there are "best practices" which are really just best available, or best currently known practices. One of these is two-factor authentication for webmail, or for computer session logon, or both. Even on my social engineering accounts (accounts for fictional personas) I still use 2FA. The cost in time is extremely small, and the gain is enormous.

The response plan is critical, and for email, it should include changing your password(s) immediately, as well as your "security questions" e.g. what is your favorite sports team.

Spearphishing is a genuine and sizable risk, but if that doesn't work quickly enough, and the motivation is great enough, attackers will work up other vectors. Almost always, we see coordinated efforts against single target organizations that include one or more social engineering attack vectors (phishing, vishing [voice calls to elicit info], even in-person social engineering [usually away from the office, but sometimes on-site]) as well as some technical attack activities (targeted scans against specific hosts and/or applications [exposed through social engineering attacks or through Open Source Intelligence [OSINT] gathering], wateringhole attacks). These are sometimes combined by a social engineer physically delivering payloads via USB drives and/or "Rubber Duckies" (

The point is that many paths lead to any given set of valuable data, and one can't rely on "best practices" alone. Identifying the value of the assets, modelling the threats, estimating the risks, and finally managing the risks (either through additional security controls, insuring against compromise, or accepting given risks). If you don't know the value of what you hold, or you don't know the threats against it, you will not successfully defend it. Simply elevating your security practice above those of your competitors, or those of similarly sized companies, is not enough. Even though your group may not be the lowest-hanging fruit, if you have something that other enterprises don't, you won't face the same threats they do.

Gabor Nagy Founder / Chief architect at Skyline Robotics

October 13th, 2016

Great points!
When I assess security, I start from my adage:
The only secure computer is one that is physically disconnected from any network, is a mile under ground, buried in 10 feet of concrete, with an embedded Faraday cage.

Then, I work my way up from there, evaluating every compromise I make, whether it's absolutely necessary.
Security measures will greatly depend on the organization, but here are some of the things I do (besides the obvious: not clicking on email links, not responding to "Nigerian princes", encrypting sensitive emails, etc.):

1) I turn off my cable modem when I go to sleep, or leave the house for more than 15 minutes. I have a convenient foot-switch attached to it, that I call the "ECH switch". I'll let you guess what it stands for. :)
My firewall logs show a break-in attempt every few minutes (port scans etc., mostly from Chinese and Russian IP addresses).
My computers are behind several layers of firewalls, but physically disconnecting my LAN from the internet for hours greatly reduces the window of vulnerability.

If everyone did this one simple thing, we could greatly increase the down-time and cost for the bad guys installing / running their botnets! Even if someone's computer is already compromised and the person is completely incompetent, at the very least, it would cause an 8-16 hour downtime per bot ("zombie"). Millions and millions of botnet agents would be down for 8-16 hours, every day! This would be a huge blow for botnet operators.

2) Disabled WiFi in my modem.

3) The most sensitive computers (the ones controlling our robot prototypes, CNC machines, etc.) are physically disconnected from all networks, with their RJ45 jacks (Ethernet) disabled / desoldered and with no wireless hardware.

4) I don't allow any computer with any Microsoft software, on the local network. Period.

5) I obsessively back up my data and keep those off-site (encrypted), even in other countries when I travel. When I leave the house, or after working for more than an hour, I back up all my recent work.
This helps with regression testing, it protects me from my own potential stupidity (accidentally deleting important files) and from any kind of break-in + ransom demand to release my data: I don't care. In the worst case, I can just pull the plug, reinstall the OS and get my data back from the backups.

For always-online servers, you should have one or more non-internet connected fail-over systems ready to go, in case of an attack on the primary system, and a "honey pot" for luring away / catching break-ins.

Do some of these measures sound draconian to many people? Sure. It all depends on how much security you need.
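The port-scan noise Gabor says he sees in his firewall logs every few minutes is easy to surface from the logs themselves. The script below is an added example, not code from anyone in this thread; the iptables-style log format is constructed, and the 60-second window and 5-distinct-port threshold are my own assumptions.

```python
# Added example, not from the thread: a small detector for the port-scan noise
# Gabor describes in his firewall logs. The iptables-style log format below is
# constructed, and the 60-second window and 5-port threshold are my assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source probes five ports in seconds; another makes one connection.
SAMPLE_LOG = """\
Oct 11 02:14:01 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP DPT=22
Oct 11 02:14:02 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP DPT=23
Oct 11 02:14:02 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP DPT=80
Oct 11 02:14:03 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP DPT=443
Oct 11 02:14:05 gw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP DPT=3389
Oct 11 02:20:44 gw kernel: DROP IN=eth0 SRC=192.0.2.55 DST=198.51.100.2 PROTO=TCP DPT=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)"
)

def parse_events(text, year=2016):
    """Yield (timestamp, source_ip, dest_port) for each line matching the format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a firewall drop line in this format; ignore it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["src"], int(m["dpt"])

def detect_port_scans(text, window=timedelta(seconds=60), min_ports=5):
    """Return {source_ip: sorted distinct ports} for every source that hit at
    least min_ports distinct destination ports within one sliding window."""
    by_src = defaultdict(list)
    for ts, src, dpt in parse_events(text):
        by_src[src].append((ts, dpt))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {dpt for _, dpt in events[start:end + 1]}
            if len(ports) >= min_ports:
                scanners[src] = sorted(ports)
                break  # one hit is enough to report this source
    return scanners
```

Running `detect_port_scans(SAMPLE_LOG)` flags only 203.0.113.7; the single connection from 192.0.2.55 stays below the threshold, which is the distinction a defender wants between scanning noise and ordinary traffic.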