{"id":10431,"date":"2017-11-12T04:45:38","date_gmt":"2017-11-12T12:45:38","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/11\/12\/news-4204\/"},"modified":"2017-11-12T04:45:38","modified_gmt":"2017-11-12T12:45:38","slug":"news-4204","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/11\/12\/news-4204\/","title":{"rendered":"Donald Trump\u2019s Taxes Have Probably Already Been Hacked"},"content":{"rendered":"<p><strong>Credit to Author: John Powers| Date: Sun, 12 Nov 2017 12:00:00 +0000<\/strong><\/p>\n<p><span class=\"lede\">A private investigator <\/span>named Jordan Hamlett <a href=\"https:\/\/www.politico.com\/story\/2017\/05\/22\/man-charged-look-up-trumps-tax-records-238671\" target=\"_blank\">is heading to trial<\/a> next month in Louisiana for allegedly attempting to illegally obtain President Trump\u2019s income tax returns. Hamlett&#x27;s defense attorney says he\u2019s a well-intentioned white hat hacker engaged in ethical acts, who was trying to notify the IRS that its system was vulnerable. He now faces up to five years in prison.<\/p>\n<p name=\"inset-left\" class=\"inset-left-component__el\">John Powers (<a href=\"https:\/\/www.twitter.com\/johnpowerspi\" target=\"_blank\">@johnpowerspi<\/a>) is president of <a href=\"https:\/\/www.asset.expert\/\" target=\"_blank\">Hudson Intelligence<\/a>, an investigative firm in New York specializing in complex fraud and financial investigations.<\/p>\n<p>Whether his motivation was good or bad, Hamlett&#x27;s hacking skills apparently weren\u2019t great. Court records suggest he disregarded basic lessons of Hacking 101: First, don\u2019t use your personal cell phone when penetration-testing the federal government; and second, don\u2019t immediately confess when FBI and IRS agents engage you in a conversation in the lobby of an Embassy Suites hotel in Baton Rouge. 
Despite his rookie mistakes, Hamlett reportedly came close to getting the president\u2019s personal tax information. And that says a lot.<\/p>\n<p>Considering Trump\u2019s <a href=\"http:\/\/www.bbc.com\/news\/business-35828747\" target=\"_blank\">risk profile<\/a>, the determination of his detractors, and the current state of cybersecurity, it\u2019s almost inconceivable his tax returns haven\u2019t been hacked\u2014successfully\u2014by someone with more experience and expertise.<\/p>\n<p>After all, American taxpayers should assume their personally identifying information is already\u00a0in the hands of criminals and then act accordingly, as former IRS commissioner John Koskinen <a href=\"https:\/\/nakedsecurity.sophos.com\/2017\/10\/19\/irs-chief-assume-your-identity-has-been-stolen\/\" target=\"_blank\">recently told<\/a> reporters.<\/p>\n<p>For Trump, this is a no-brainer. After he declined to disclose his tax filings during the presidential campaign, the hacker collective <a href=\"https:\/\/www.aol.com\/article\/2016\/03\/17\/trumps-social-security-phone-numbers-released-by-anonymous-h\/21329514\/\" target=\"_blank\">Anonymous<\/a> released his (unconfirmed) Social Security Number, birth date, and cell phone number and vowed to expose his financial entanglements. Would-be whistleblowers were rallied by WikiLeaks, while one high-profile Democrat offered a <a href=\"http:\/\/www.washingtonexaminer.com\/clinton-ally-david-brock-offers-5m-for-trumps-tax-returns\/article\/2617395\" target=\"_blank\">$5 million reward<\/a> for anyone who legally leaked Trump\u2019s financials.<\/p>\n<p>The IRS isn\u2019t an impenetrable fortress. Hamlett, the private investigator in Louisiana, allegedly targeted a vulnerability in an online IRS tool for students applying for financial aid. 
Fraudsters used the same system to <a href=\"https:\/\/www.cnet.com\/news\/hackers-used-college-student-loans-tool-to-steal-30-million\/\" target=\"_blank\">steal the data<\/a> of up to 100,000 taxpayers. Previously, vulnerabilities in the IRS&#x27;s Get Transcript service led to unauthorized access to 724,000 taxpayer accounts. After these security lapses the IRS awarded a no-bid contract (now suspended) to <a href=\"https:\/\/www.wired.com\/tag\/equifax\">Equifax<\/a> for fraud protection services, soon after the credit bureau <a href=\"https:\/\/www.wired.com\/story\/how-to-protect-yourself-from-that-massive-equifax-breach\/\">breached data<\/a> of 145 million people.<\/p>\n<p>Any sophisticated hacking operation would also focus on affiliated companies, associates, and third parties. Trump\u2019s tax filings have passed through many, many hands\u2014and every contact represents an attack vector. Consider the number of accountants, lawyers, ex-wives, banks, lenders, and business partners Trump has had in the past 20 years. How many have requested and inspected a portion of his personal finances? 
Those records may now be stored unencrypted in the cloud; they may be sitting on an insecure email server, or locked in a drawer and available for review by an after-hours cleaning crew.<\/p>\n<p>As that fellow from <a href=\"https:\/\/www.wired.com\/2012\/07\/ff_anonymous\/\">Anonymous<\/a> in the Guy Fawkes mask put it: \u201cInformation doesn&#x27;t\u00a0vanish, it is all out there.\u201d So why hasn\u2019t it been leaked?<\/p>\n<p>Conspiracy theorists have suggested Putin\u2019s cyberbullies hacked the returns, and are using them as <em>kompromat<\/em>\u2014compromising material\u2014for\u00a0<a href=\"https:\/\/www.quora.com\/Can-Russian-Hackers-get-Trumps-tax-returns\" target=\"_blank\">blackmail<\/a>. But if you\u2019ve already given the information to the IRS, in writing, what\u2019s left to expose? It\u2019s not as if Trump prepared his returns by turning on TurboTax and rummaging through a shoebox of crumpled receipts. His filings have been professionally prepared and vetted by teams of accountants and attorneys. His tax counsel <a href=\"https:\/\/www.nytimes.com\/2017\/05\/12\/us\/politics\/trump-russia-tax-returns.html\" target=\"_blank\">issued a memorandum<\/a> earlier this year stating a review of Trump\u2019s tax returns for the past decade did not show income from Russian sources, save for a few exceptions.<\/p>\n<p>Of course, the same boilerplate assurance probably could have been made for commerce secretary Wilbur L. 
Ross Jr., until his financial ties to Putin\u2019s family and associates were leaked in the\u00a0<a href=\"https:\/\/www.icij.org\/investigations\/paradise-papers\/donald-trumps-commerce-secretary-wilbur-ross-and-his-russian-business-ties\/\" target=\"_blank\">Paradise Papers<\/a>, revealing connections previously obscured by a chain of offshore companies in the Cayman Islands.<\/p>\n<p>If foreign intelligence services have obtained Trump\u2019s financial records, we might never learn what they found. Cyberattacks of the <a href=\"https:\/\/www.wired.com\/2016\/10\/inside-cyberattack-shocked-us-government\/\">US Office of Personnel Management<\/a> lasted a full year before being detected in 2015. By then, hackers had obtained confidential records on 19.7 million applicants for security clearances, required for the most sensitive jobs in the federal government. US officials have privately blamed China, but the stolen information was never publicly leaked. The perpetrators didn\u2019t design and deploy an advanced persistent threat because they wanted to publish their findings.<\/p>\n<p>In the end, how damaging could Trump&#x27;s taxes be? Among the few scoops on the subject,\u00a0The <em>New York Times<\/em>\u00a0last year <a href=\"https:\/\/www.nytimes.com\/2016\/10\/02\/us\/politics\/donald-trump-taxes.html\" target=\"_blank\">published pages<\/a> from his state tax returns from 1995, which showed a $916 million loss. Hardly a stellar year\u2014but not a secret, either. Trump\u2019s wealth spiral was well documented in the 1990s, when four of his businesses filed for <a href=\"http:\/\/www.politifact.com\/truth-o-meter\/statements\/2016\/jun\/21\/hillary-clinton\/yep-donald-trumps-companies-have-declared-bankrupt\/\" target=\"_blank\">bankruptcy<\/a>. 
His supporters aren\u2019t bothered by the revelation that he\u2019d lost nearly a billion dollars, because they admire his huge appetite for risk.<\/p>\n<p>And when Rachel Maddow released a summary of Trump\u2019s federal tax filing from 2005\u2014showing he paid $38 million in taxes on income of more than $150 million\u2014the MSNBC journalist was <a href=\"http:\/\/www.slate.com\/blogs\/browbeat\/2017\/03\/15\/rachel_maddow_s_trump_taxes_scoop_was_a_cynical_self_defeating_spectacle.html\" target=\"_blank\">lambasted<\/a> by liberals and conservatives for overhyping an inconsequential story. There was no sign of anything improper or illegal. No company names in Cyrillic, no income recorded in rubles. Maybe the tax returns just aren\u2019t that juicy.<\/p>\n<p>WIRED Opinion <em>publishes pieces written by outside contributors and represents a wide range of viewpoints. Read more opinions <a href=\"https:\/\/www.wired.com\/opinion\">here<\/a>.<\/em><\/p>\n<p><a href=\"https:\/\/www.wired.com\/story\/trumps-taxes-have-probably-already-been-hacked\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: John Powers| Date: Sun, 12 Nov 2017 12:00:00 +0000<\/strong><\/p>\n<p>Opinion: The IRS isn\u2019t an impenetrable fortress. 
Someone has Trump&#8217;s taxes; the question is, who?<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[234,714],"class_list":["post-10431","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-opinion","tag-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10431","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=10431"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10431\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=10431"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=10431"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=10431"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}