We’ve learned a lot about Hillary Clinton and her team this year. Thanks to leaked emails, we now have evidence of DNC bias against the Bernie Sanders campaign, possible media collaboration with the Clinton campaign, and transcripts of Hillary Clinton’s private speeches to powerful groups (among other salacious tidbits). Some critics say these leaks are simply more evidence that the Clinton dynasty is a well-connected and unstoppable force.
In terms of information security, however, the opposite is true. For all their supposed power and clairvoyance, Clinton and her aides were little better at securing their data than most technologically illiterate grandparents. Indeed, these leaks are perhaps most illuminating in showing just how incompetent the Clinton team is when it comes to basic operational security practices.
Here are a few of their biggest security blunders—and some tips on avoiding those same mistakes.
1. Password Security Really Does Matter.
One of the simplest ways to protect your information is to practice good password security. The basic rules: Have a strong password. Use a different password for every service you sign up for. Keep these passwords private, and never share them over online communications.
Clinton and her advisors did not do this—in fact, they pretty much broke every rule in the book.
Take Clinton campaign chairman John Podesta. While it is still unclear exactly how Podesta’s email archives were obtained by Wikileaks, if his revealed password practices are any indication, it very well may have been his own lax security. Podesta’s Apple ID password was “Runner4567.” This is a composite of one of his well-known hobbies—running—and a common string of numbers used in passwords. A dedicated hacker could very well have guessed this on their own by trying out popular password combinations.
But Mr. Robot didn’t extract this password—4chan did. How? They found it within the text of Podesta’s leaked emails. Apparently, Podesta asked someone to email his own (super easy) password to him… because he forgot it. Anons were then able to use his password to log into Podesta’s own Apple account.
To make matters worse, it looks like Podesta used that same weak password for multiple services. His Twitter account was shortly thereafter compromised to send out the message “I’ve switched teams. Vote Trump 2016. Hi pol.” Other emails suggest that this password is connected with yet more accounts.
Unfortunately, bad password management appears to be a structural problem within the Clinton camp. Many of Clinton’s aides, such as Huma Abedin, apparently had access to Clinton’s account logins, multiplying the number of ways those accounts could be compromised. As the number of people who know your login information—and the number of times they share that information over insecure channels—grows, the risk that it falls into the hands of unwanted parties grows with it.
There’s a reason that people, even really smart people, make poor decisions when it comes to their passwords. It seems too hard to keep track of dozens of unique, difficult passwords for all of our online activities.
But there are tools to help. LastPass, for example, is a browser extension that automatically generates tough passwords and keeps track of login information for your many online services. And if you don’t trust LastPass to protect your encrypted password cache, you could try an open source version like KeePass. Improving your password techniques will keep you safer than Clinton’s most trusted advisors.
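As an added illustration that is not part of the original post, the short Python audit below checks a set of account credentials against the three rules above (strength, uniqueness, never shared in plain text). The account list and the email snippet are constructed samples; only the password “Runner4567” comes from the article.

```python
import re
from collections import defaultdict

# Constructed sample vault: service -> password. "Runner4567" is the password
# quoted in the article; the other two entries are made up for illustration.
SAMPLE_ACCOUNTS = {
    "apple_id": "Runner4567",
    "twitter": "Runner4567",
    "bank": "c7!Vq2#pLx9&Tz4m",
}

# Constructed sample of the kind of message the article describes:
# someone emailing a password in clear text.
SAMPLE_EMAIL = "Hi, you asked me to resend it. Your Apple password is Runner4567. Thanks!"


def has_sequential_digit_tail(pw, min_run=4):
    """True if the password ends in digits containing an ascending run
    such as 1234 or 4567 (the pattern the article calls out)."""
    m = re.search(r"\d+$", pw)
    if not m or len(m.group()) < min_run:
        return False
    digits = m.group()
    best = run = 1
    for a, b in zip(digits, digits[1:]):
        run = run + 1 if int(b) - int(a) == 1 else 1
        best = max(best, run)
    return best >= min_run


def weak_password_reasons(pw):
    """List the rules a password violates; an empty list means it passes."""
    reasons = []
    if len(pw) < 12:
        reasons.append("shorter than 12 characters")
    if has_sequential_digit_tail(pw):
        reasons.append("ends in a sequential digit run")
    if re.fullmatch(r"[A-Za-z]+\d+", pw):  # hobby word + numbers, e.g. Runner4567
        reasons.append("single word followed by digits")
    return reasons


def reused_passwords(accounts):
    """Map each password used by more than one service to those services."""
    by_pw = defaultdict(list)
    for service, pw in accounts.items():
        by_pw[pw].append(service)
    return {pw: sorted(s) for pw, s in by_pw.items() if len(s) > 1}


def passwords_in_message(text):
    """Find passwords shared in clear text ("password is X" / "password: X")."""
    return [m.rstrip(".,;") for m in
            re.findall(r"password\s*(?:is|:)\s*(\S+)", text, flags=re.IGNORECASE)]
```

Running `weak_password_reasons`, `reused_passwords` and `passwords_in_message` over the samples flags the article’s password on every one of the three rules.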
2. Don’t Pass Sensitive Information Through Insecure Channels.
Encryption and discretion should be important elements of every person’s online security—particularly people serving in the United States State Department. Alas, this was not the case with Hillary Clinton’s private email server.
Many have criticized Clinton for appearing to hide official email correspondences from the public using a private, unknown server. There are certainly transparency questions there. But perhaps more important are the security vulnerabilities this arrangement created.
Clinton did not just get caught using a secret Gmail account. She hired a lone State Department IT employee to operate her own email server for certain communications from her home. And that server was apparently unencrypted for months at a time.
Encryption prevents communications from being read by anyone but the sender and the intended recipients. Without such protection, it is possible that foreign enemies of the United States could have accessed Clinton’s communication. If her critics’ charges are correct, and Clinton stored sensitive information among her yoga emails, then that lax security could have created serious national security risks.
Very few people run their own email servers, of course. But there are lessons here for average people, all the same. As the recent hack of Yahoo demonstrates, even big corporations with major IT budgets can be hacked. We should always be mindful of what we write in our emails. Never send sensitive or private information like Social Security numbers or financial information over unencrypted emails or chats. To the greatest extent possible, try not to put any information online that you would not be comfortable having made public. Discretion is always a good policy.
3. Don’t Blame the Bad Guys For Your Security Negligence.
One of the weakest deflections of the Clinton campaign has been to blame “the Russians” for their many damaging leaks. Hillary Clinton herself directly accused Russian intelligence services of hacking into the DNC earlier this year, and Podesta quickly blamed the Russians for his recent email woes as well.
Attribution is a notoriously difficult process. It’s hard to say exactly who is responsible for each of the Clinton camp’s several security failures. Russian-backed hackers may very well have been involved in some or all of these incidents, as some U.S. officials have suggested—particularly those that required sophisticated techniques.
That said, sometimes people get slapped down by their own mistakes. For example, a “400 lb. hacker sitting on his bed” very well could have been behind Podesta’s Twitter “hack.” And it is possible to extract valuable data using relatively unsophisticated techniques. Any one of Clinton’s army of assistants could have clicked on a script kiddie phishing link and inadvertently turned over information that could have led to a substantial leak. A hack doesn’t have to be as fancy as Stuxnet to have a major impact.
But for the rest of us, the point remains: none of us can expect the bad guys not to try to hack us, least of all the former Secretary of State and her handlers. From the FBI investigation of Clinton’s sketchy private email server, it is clear that her staff consistently prioritized convenience over good security.
“The Russians” didn’t force Clinton to ignore basic email security. She did that all on her own, and may have played into the hands of foreign powers in the process.
Don’t Be Like Hillary. Keep Your Information Safe.
At the very least, this episode in Clinton’s history provides us with a cautionary tale about the perils of bad information security practices.
Don’t behave like Clinton’s team. Don’t rely on the good graces of bad people to keep you safe online. Take ownership of your own security, and take proactive measures to make yourself safer online. Think carefully about your Internet activity. Practice good password hygiene. Try your best not to share any information that you wouldn’t want to be exposed to the public. And when you do need to share sensitive information online, be sure that you are using the appropriate encryption techniques to keep private data private.