The media has been making reference to alleged Russian hacking efforts as if advanced cyber weapons were used that only a State actor could possibly possess, thereby elevating this whole affair into something akin to an act of war. The truth, as far as I can tell, is something quite different.
Instead of cracking the encryption algorithm or deploying specialized malware bots, the hackers used a much more low-tech approach: they tricked the holders of the email accounts that were hacked into giving up their passwords. It really was that simple.
The technique, called phishing, involves sending out spoof emails that look, for all intents and purposes, like they are coming from a legitimate source. Typically, they warn you that your personal information is in danger and that you should log in immediately and change your password. However, the link that they provide is actually to a webpage that is owned by the hacker, not the host you think you are accessing. As soon as you provide a new password the hacker then logs in to the actual account with your old password, updates your password to the new string you selected, and begins to download your email archives in bulk. You, on the other hand, walk away feeling smug, thinking you have defeated a nefarious attempt to gain access to your email account.
We know that this is the way that John Podesta's email was hacked because the Clinton campaign has admitted as much, and I suspect that the other accounts were compromised in a similar fashion.
I know what you are thinking. "Wait, I get those fake emails all the time! I know better than to click on those!" And, yes, these sorts of exploits are all too common. Fortunately, they are very easy to detect and block using common security software and two-step verification procedures.
So, is this really a matter that deserves a court of inquiry and a global cyberwar? If this needs a court of inquiry it should be an inquiry into how Hillary Clinton, the State Department, and the Clinton Campaign could have all been so stupid as to let this happen.
No comments:
Post a Comment