Three Kinds of Governmental Hacking
In this briefing, we will look at three separate news items and the trends connected to them: further email leaks targeting the DNC, the official US government response to the initial DNC hacks, and the fallout from the Yahoo hack.
The Second Wave of DNC Leaks
After a brief announcement last week, Wikileaks has started to release additional files allegedly stolen from the DNC. The emails appear to come from the private email account of Clinton’s campaign chairman John Podesta. We shall focus solely on the impact and implications of the hack and shall purposefully ignore the contents of the leaked materials for this briefing.
While the security of private email accounts has increased in recent years, it is still nowhere near that of professional corporate or governmental systems. The Yahoo hack (detailed below) is a good example to prove the point.
First and foremost, free private email systems are not designed to hold classified or critical information. For example, depending on the provider, emails may be cached locally, images and scripts may be loaded from remote servers, and emails may be scanned for keywords.
Secondly, private email accounts provided globally by large companies lack a means of easy user identification. Passwords to services are commonly reset by sending an email to the account owner. In the case of email accounts themselves, however, this approach is not practical. Email accounts are therefore usually secured by some form of security question (e.g. “What was the name of your first pet?”).
Alas, in the case of public figures, the answers to security questions are often trivial to look up online. Furthermore, even without knowing the right answer to a security question, attackers skilled in social engineering can often trick support staff into unlocking an account anyway.
The Official US Government Response to DNC Hacks
The Obama administration has released a statement publicly blaming Russia for the DNC hack earlier this year and vowed a “proportional response”. No new evidence was released together with this announcement. While it is possible that the US government possesses conclusive evidence pointing towards Russia and simply chooses not to disclose it, for an outside observer the case remains hard to judge.
Publicly naming Russia as the attacker makes sense for the current US administration, as several media reports have, rightly or not, linked current presidential nominee Donald Trump to the Russian administration.
This follows the strategy we discussed earlier this year: When targeted by a hack, the victim can choose a convenient attacker to mitigate damage.
What a proportional response would consist of is unclear at this point, as no precedent exists. While sanctions or counter-hacking are both potential options, we don’t have enough information to make an educated guess.
The Fallout from the Yahoo Hack
The confirmation of the hack of 500 million Yahoo user accounts earlier this year would be newsworthy enough by itself. However, it also helps to illustrate several broader trends.
First of all, as we mentioned above, the security of public email services is not high enough to handle classified or governmental information. While attacks against specific accounts are most common, this incident illustrates that even broad hacks affecting millions of customers can happen.
Secondly, it was revealed in the aftermath of the hack that Yahoo had been scanning customers’ emails and providing related information to US authorities. While there is a lot of outrage about this particular case, we are forced to believe that this behavior is somewhat common among email providers globally.
If the email provider used is not merely public but also under the jurisdiction of a different government, the use of private email accounts for classified or sensitive information moves from being merely careless to being grossly negligent, as stored information could easily be subpoenaed.