BY DUNCAN OSBORNE | When John Podesta, Hillary Clinton’s campaign manager, clicked on a link in a phishing email and entered his user name and password on the spoof Google page the link took him to, he gave up thousands of emails he had sent and received to what US intelligence agencies have said were Russian hackers.
Those hackers gave those emails and thousands more that were hacked from the Democratic National Committee, US intelligence agencies said, to the WikiLeaks website, which published them prior to the November 2016 election.
The extent to which those emails may have altered the results of the 2016 races for the White House and Congress is unknown. They were certainly embarrassing and troublesome for Clinton and the Democrats. And that could have been avoided if Podesta had been just a little more suspicious.
“The weakest link in the chain is the person who doesn’t understand these issues,” said Alan Klein, a consultant who offers public relations and technology consulting services.
Klein, who is a colleague and friend of this reporter, has teamed up with Macktez, a technology consulting firm, to launch a joint venture called Digital Safe Space to educate activists, LGBTQ non-profits, and other organizations on how to protect themselves from hackers, government spies, and others who may want to steal or ransom their data or launch attacks that are intended to monitor or squelch their advocacy.
While software, hardware, and the use of tools such as multi-factor authentication can reduce the threat hackers pose to the systems used by individuals and organizations, it is ultimately the operators of those systems who are most likely to let hackers in and are most in need of training. Users have to be taught to recognize suspicious emails and websites, to use complex passwords, and to understand that there are crooks and worse trolling the Internet.
“In large part, education is really the key,” said Michael Horst, vice president at Macktez, during an interview at the company’s Grand Street offices. “Being armed with that knowledge is very effective.”
These concerns are not theoretical. On the day that Gay City News sat down with Horst and Klein, the New York Times reported that the Mexican government had been using software from an Israeli company to illegally monitor the activity of anti-corruption activists and journalists in that country. It is not clear that activists in this country are subject to this kind of surveillance, though many assume they are.
“Even if that’s not the norm, people need to understand how to protect themselves,” Horst said.
Separately, the FBI’s Internet Crime Complaint Center reported in December that just one type of scam, which relies on email accounts compromised by hacking or phishing to arrange fraudulent wire transfers, cost businesses around the world $5.3 billion between October 2013 and December 2016.
Keeping data secure has grown more complex as larger numbers of people are accessing the Internet with different devices and that access has gone from being intermittent to an “always on Internet” status, as Klein said.
Organizations that have secured their records may discover that employees are viewing those records with phones, laptops, or tablets that are not secure or they may be transferring those records to a device that is not secure. These practices demand a policy and training that implements that policy.
“Suddenly, we have access to data with devices that are not owned by the organization,” Horst said. “It’s not fair or responsible to leave that up to individual employees.”
Even organizations, such as health clinics, law firms, and financial and educational institutions, which are required by federal laws or industry regulations and ethics to guard the confidentiality of certain records in their possession, may find that their protections are incomplete.
“There’s often a misconception that if I’m using a system that is secure, I’ve protected everything,” Horst said. In discussions with clients, Horst said that vulnerabilities became apparent only after conversations about how the clients use their systems and data.
“In almost every case, there was an aspect of security that was not considered until we started talking about it,” he said.
The roughly two-hour Digital Safe Space seminar, which this reporter has taken, is designed to supply the basic tools for protection on the Internet and to make participants aware that they have to actively guard their privacy and their data on every device that they own. The risks that some participants were taking only became apparent during questions.
“By spreading the gospel of digital security, we eliminate as many of those risks as possible,” Klein said.