{"id":6857,"date":"2017-03-03T17:45:10","date_gmt":"2017-03-04T01:45:10","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/03\/03\/news-648\/"},"modified":"2017-03-03T17:45:10","modified_gmt":"2017-03-04T01:45:10","slug":"news-648","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/03\/03\/news-648\/","title":{"rendered":"The Golden Age of Email Hacks Is Only Getting Started"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/assets.wired.com\/photos\/w_200,h_200\/wp-content\/uploads\/2017\/03\/Mike-PenceHP-642537432-200x200-e1488565179984.jpg\"\/><\/p>\n<p><strong>Credit to Author: Brian Barrett| Date: Sat, 04 Mar 2017 00:59:53 +0000<\/strong><\/p>\n<article class='content link-underline relative body-copy' data-js='content' itemprop=\"articleBody\">\n<p>As governor of Indiana, Mike Pence conducted state business using\u00a0his personal email account. An AOL account. So\u00a0of course someone hacked it. With\u00a0a phishing scam.<\/p>\n<p>This story offers no end of rolling punchlines, the kicker being the\u00a0vitriol the vice president showed during the campaign\u00a0toward Hillary Clinton&#8217;s use of a private email server. More importantly, as the <em>Indianapolis Star<\/em> first <a href=\"http:\/\/www.indystar.com\/story\/news\/politics\/2017\/03\/02\/pence-used-personal-email-state-business----and-hacked\/98604904\/\" target=\"_blank\">reported<\/a>, it represents a troubling\u00a0security lapse by a high-ranking public official. 
The batch of emails released by the state of Indiana reveals that Pence\u2019s AOL inbox hosted plenty of sensitive material, up to and including the arrests of terror suspects.<\/p>\n<p>You can pull any number of threads here, split all kinds of hairs about the relative vulnerabilities of private servers and personal accounts, and crack endless &#8220;you&#8217;ve got mail&#8221; jokes.\u00a0But the biggest thing to remember has little to do with Pence: From a security standpoint, email is fundamentally broken. Until that changes, expect email hacks and scandals aplenty.<\/p>\n<h3>Hack Attacks<\/h3>\n<p>You&#8217;ve heard about so many email hacks that recapping them feels redundant. The <a href=\"https:\/\/www.wired.com\/2016\/07\/heres-know-russia-dnc-hack\/\">Democratic National Committee got hacked<\/a>, of course, and so did the Democratic Congressional Campaign Committee. And try finding someone who hasn&#8217;t read at least one of the 20,000 pages of private emails from Clinton campaign chairman John Podesta&#8217;s inbox dumped online just before the election.<\/p>\n<p>Security experts largely agree Russia perpetrated those\u00a0hacks in a bid to derail\u00a0Clinton&#8217;s campaign. But beyond Russia&#8217;s involvement, the hacks aren&#8217;t unusual. Sarah Palin\u2019s Yahoo account leaked in 2008. Someone hacked the Bush family\u2019s AOL accounts in 2013. Sony Pictures saw all manner of internal communications stolen in 2014. You don&#8217;t have to be a politician or multinational company to get hit, either. Countless people find themselves targeted by\u00a0hackers and phishers every day.<\/p>\n<p>If anything, Pence got off easy. The attackers, who ultimately used their access to try scamming money out of Pence\u2019s contacts, may not have realized the trove they&#8217;d accessed&#8212;or, more likely, saw more value in the cash than the political gamesmanship. Their\u00a0motives are beside the point. 
What matters is hacks like these aren&#8217;t the exception to the rule, but the rule: If you use email, you will get hacked eventually.<\/p>\n<h3>Human Nature<\/h3>\n<p>Let&#8217;s start with the obvious: Personal email has no place in government business. Legally speaking, all state and federal employees must maintain a record of their communications. Transparency demands it. A government email account provides a digital paper trail, and something the public, or journalists, can demand access to. Personal accounts do not, because you may not even know they exist.<\/p>\n<p>Equally important, they don&#8217;t offer the security of a .gov account. From a basic security perspective, no one earning a government paycheck should use Yahoo, or Gmail, or AOL, or anything else because, honestly. Despite this, public officials continue using personal email. So do you. So do I, switching back and forth between work Outlook and personal Gmail. We all do it, for the same fundamental inalienable reason: We find it so much easier.\u00a0That\u2019s doubly true for people toiling away in tightly controlled environments, where draconian restrictions on access and attachments can make logging onto work emails literally more trouble than it\u2019s worth.<\/p>\n<p>\u201cIf I make it very difficult to access work email, or I make it difficult to send large files or sensitive files, there\u2019s a pretty good chance that as a savvy user I\u2019ll just use my Gmail account, or I\u2019ll forward it to myself,\u201d says Forrester Research security analyst Joseph Blankenship. \u201cNow you\u2019re outside the security policies\u2014and you\u2019re also outside protections that are there.\u201d<\/p>\n<p>VPN? No thanks. New password every three months? Nah. Mandatory two-factor? You\u2019re kidding. Are you kidding? It feels like you\u2019re kidding. The\u00a0motivation for ditching a work-sanctioned email system rises in direct proportion\u00a0to the security measures in place. 
And so human nature takes its course, for CEOs, politicians, and regular Joes alike.<\/p>\n<p>So, sure, you can see why politicians hop onto Gmail and Yahoo and, yes, even AOL. And once that happens, the risk rises exponentially.<\/p>\n<h3>You\u2019ve Got Hacks<\/h3>\n<p>Gmail and Outlook and all the rest employ the latest tools and sharpest minds to protect you from hackers. They do a good job, too, even as\u00a0Yahoo&#8217;s breaches highlight their limits. But the excellent record of, say, Gmail, can also provide a false sense of security.\u00a0Individual users can face immense risk, especially high-profile users. Like, say, a\u00a0governor.<\/p>\n<p>\u201cTake any of the free email platforms out there. They all have a web interface. For the most part, they don\u2019t require any sort of authentication beyond user name and password,\u201d says Blankenship.<\/p>\n<p>For a dedicated hacker or social engineer, a user name and password presents only the slightest hassle. And they have no trouble finding plenty of password fodder for\u00a0public figures&#8212;names of family members, favorite sports team, birthdays, and so on. And however secure a platform like Gmail is on the back end, its ready accessibility from any web browser means anyone can take a crack at invading anyone else\u2019s account.<\/p>\n<p>Yes, many services offer optional two-factor authentication. Remember, though, that the\u00a0main appeal of a personal email account lies in the looser\u00a0restrictions they offer over official channels. And politicians too often know woefully little about infosec.\u00a0Trump&#8217;s press secretary Sean Spicer even <a href=\"https:\/\/arstechnica.com\/tech-policy\/2017\/01\/tweet-this-trump-white-house-has-potential-info-security-woes-abound\/\">inadvertently\u00a0tweeted<\/a> what appeared to be his password. Twice.<\/p>\n<p>And all before you even get to the even easier ways hackers can compromise an email account. 
In a sophisticated phishing attack, you can mistake a malicious email for something from a trusted friend. Your entire security posture might\u00a0depend on whether you click that link. In a rush, you might click it.<\/p>\n<p>Oops.<\/p>\n<p>For all these reasons, don&#8217;t expect to see the flood of hacked email accounts slow to a drip anytime soon. Public figures will always use email. And email will always be a rich target. So yes, call Pence out for his hypocrisy. Giggle at his using an email provider best remembered for its CD-ROMs. But remember that the age of the email hack is only getting started, and won&#8217;t end until we fix email. Or fix ourselves.<\/p>\n<p><a href=\"https:\/\/www.wired.com\/2017\/03\/mike-pence-aol-email-hack\/\" target=\"bwo\" >https:\/\/www.wired.com\/category\/security\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Brian Barrett| Date: Sat, 04 Mar 2017 00:59:53 +0000<\/strong><\/p>\n<div class=\"rss_thumbnail\"><img decoding=\"async\" src=\"https:\/\/www.wired.com\/wp-content\/uploads\/2017\/03\/Email-Hack-477538536-660x495.gif\" alt=\"The Golden Age of Email Hacks Is Only Getting Started\" \/><\/div>\n<p>Mike Pence joins an ever-growing list of public figures whose email account fell to hackers. It only gets worse from here. 
The post <a href=\"https:\/\/www.wired.com\/2017\/03\/mike-pence-aol-email-hack\/\">The Golden Age of Email Hacks Is Only Getting Started<\/a> appeared first on <a href=\"https:\/\/www.wired.com\">WIRED<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10607],"tags":[11222,7093,2782,11051,714],"class_list":["post-6857","post","type-post","status-publish","format-standard","hentry","category-security","category-wired","tag-email","tag-hacks","tag-mike-pence","tag-national-affairs","tag-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6857","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6857"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6857\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6857"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6857"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=6857"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}