Hacking Politicians — So Hot Right Now. Here’s How Not To Get Burned.
French presidential election candidate for the far-right Front National party, Marine Le Pen, left, and French presidential election candidate for the En Marche ! movement, Emmanuel Macron (Eric Feferberg/Pool Photo via AP)
Another contested election, another hacking scandal. It’s a pattern that’s become disturbingly common nowadays, and in France, it was taken to a whole new level last night. By French election law, all candidates have to maintain a 44 hour media blackout before the polls open. No more ads, last minute interviews, or campaign activity of any kind. And just as soon is this blackout began ahead of a tumultuous run-off election center-left candidate Emmanuel Macron is expected to win with over 60% of the vote against the Russian-backed, populist-right Marine Le Pen, WikiLeaks linked to over 9 GB of his hacked e-mails in what is technically known as a dick move.
How badly will this hurt Macron? It’s hard to say. Despite a massive trolling campaign against him, he managed to beat Le Pen in their last debate, and widen his lead in the polls. Unless there’s something horrific contained in a trove of e-mails and attachments that will take time to comb through, there might not be much impact at the ballot box. So far, the French polls pretty accurately predicted the outcome of the first round of the elections, just like the polls in America accurately predicted the popular vote, so Macron has to lose an awful lot of ground within the span of only a day for Le Pen to have a real chance at beating him.
Of course, ultimately, we have to wait and see what happens since there’s no such thing as psychics, so let’s set the prognostication aside to focus on the core issue at hand here. If you’re a pro-trade, moderate politician, there’s an internet troll army coming after you. Notice how populists never seem to get hacked despite the odds of their security being impenetrable being roughly as good as your chances of being invited to study wizardry at Hogwarts. And consider Assange’s rush to publish Clinton’s emails, but ignore Medvedev’s, even though they contained bombshells that led to an expose about how he was able to embezzle over ₽70 billion through a web of fake charities.
Unless you declare Russia to be a friend and ally, say that you’re willing to shatter decades-long international alliances and agreements, and ridicule the West for crimes real and imagined, you’re going to have a big target on your back. So that’s the bad news. The good news is that you don’t have to be a victim and there are steps you can take to really tighten your security, and while no digital defense is perfect and could ever guarantee you won’t get hit, there are basic “opsec” practices that will make you a much tougher target for hackers. Some of them will be inconvenient and complicated, but consider the downside of your private information scrutinized for anything they can use to reveal or manufacture something damaging to you.
Assume every e-mail will eventually become public
One of my first bosses used to say “before you send that e-mail, imagine it on the front page of a newspaper and think how it will sound.” This advice really needs to be repeated daily because the best defense against giving an opponent something to use against you is to have nothing to be used in the first place. E-mails are not the place for snarky jokes, jabs, personal issues, or your malevolent manifesto for world conquest. Just like the James Bond villains who were killed as they crowed about their complicated plans, you might hoist yourself on your own petard by not watching what you put in your e-mail. Or more likely, give something to be misconstrued into nasty, juicy scandals the media won’t let go and you can’t put behind you.
E-mail encryption is hard, but it works
One of the biggest reasons very few people encrypt e-mail is because it’s an inconvenient, complicated thing to do. Even simple guides could make your head spin if you’re not a techie. But encryption really, really works, so you have no excuse not to use it for confidential data and protect it with a long password that’s exceptionally strong, then guard it as if your bank account depended on it. Which it will if you end up out of a job after a major hack. The good news here is that many major e-mail providers are really trying to make e-mail encryption easier to use, so you’ll have fewer excuses not to use it from day one. However, you don’t have much of an excuse not to protect a treasure trove of proprietary data from hackers now, so the sooner you start encrypting your e-mail and devices, the better.
Always enable 2FA for all your accounts
Hey, you’re only human and chances are, you might forget your passwords once in a while. This is why programmers add that handy option to reset it should you fail to remember it. But anyone posing as you can try it, which presents a big problem. People often reuse passwords, and if your e-mail is ever compromised because you may have been logged in or someone did a little social engineering (that is pretended to be you on the phone and got someone to reset your passwords for you), they can lock you out and gain access to your confidential data. So make sure you always enable two factor identification to add an extra step for would-be hackers. It’s not always the perfect defense, but it adds that extra level of difficulty that makes hacking you twice as involved right off the bat.
Institute a LYOD (Leave Your Own Device) policy
Remember when you really wanted to use your iPhone for work but the evil IT guy handed you a lame BlackBerry with a stony expression? Not only did you not get the phone you wanted, but you couldn’t download the apps you felt like downloading without their say-so. Were they trying to annoy you for their own amusement? In my experience on the other side of this exchange, probably yes. But we also wanted to protect the employer’s data and assets by making sure it wasn’t on devices we could be reasonably sure are secure and encrypted. It’s so easy to download a compromised app or file, then get infected when it makes it into the network everyone uses, and can proceed with its infestation and exfiltration. Spend the money, issue encrypted and locked down devices, and insist on using them every single time.
Treat external storage media like dirty needles
In an experiment that made security experts bury their heads in their hands and weep uncontrollably, researchers at University of Illinois found that half of all people will plug a random USB they found laying around on the street into their computers. In computer security terms, that like using a needle in the nearest gutter for a blood draw at the doctor’s office. If you didn’t buy a USB or external hard drive at the store, unpack it yourself, then encrypted it on a secured computer, treat it like a radioactive biohazard. Encryption has been a common theme so far, and it’s even more important when it comes to data you can take with you and lose, or have stolen from you. Making sure it would be useless to anyone who happens to acquire it is a must.
Just say no to email attachments and random links
By far the most successful hacks are done by phishing, i.e. tricking key users into installing viruses by opening a legitimate-looking attachment or link to something seemingly important. Instead of sending files, start putting them on a secure shared network drive. Rather than click a link, go to the site you want to access directly and do what you need to do. Assume the worst with every attachment, link, and share you’re not completely sure about, or which starts asking for any sort of username or password when you click on it. You mindlessly clicking through on a busy morning is exactly what hackers rely on, and they only have to catch you off guard once. When they do, you will have your e-mails dumped before election night, links to them distributed by an awful lot of Twitter bots with weird names and/or Pepe avatars.
When in doubt but in need, reach for a VM
Virtual machines today take minutes to set up and isolate your main system from whatever is running on it. In the security world, they’re used to study viruses in a fairly safe sandbox, so much so, advanced virus writers began to write code to detect if their nefarious payload is running in a VM so it won’t unpack itself and start doing its damage. If you need to examine a file, open it in a VM that doesn’t have access to any other devices on your network, or the web, so it can’t dial home if it contains a virus. Think of it like studying potentially dangerous creatures in a plexiglass case. You want to be sure the case is properly sealed and you don’t take anything out of it. So make sure to disable copying or pasting in and out of the VM , as well as block any access to the outside world just in case it tries to extract itself.
Antivirus won’t help you outside very obvious threats
Hold on a second, you might say, I have encryption enabled and antivirus. I should be fine. No, you won’t. Commercial antivirus is only effective half the time and protects you only from the obvious threats, like downloading well known malware that’s been around for years from obvious scam sites. Even built-in operating system security does a slightly better job by asking you to verify your downloads and flag code without security certificates. You won’t be protected from new threats and custom tailored viruses that know how to conceal their behavior from your antivirus package, and hide their chatting with command and control servers.
Sometimes, the biggest threat is from the inside
Finally, and perhaps most importantly, the most dangerous hackers already have all the access keys, all the passwords, all the tokens, and all the data in the first place. How? Because they’re insiders who have reason to hurt you, or give others the tools to impersonate you to hijack your accounts and any juicy, damaging data inside for leaks. As convenient as it may seem to give out access to everyone for everything instead of setting up tiered access that seems as if it was on loan from a spy agency, you can’t afford to do it. You need to make sure your users have only the access they need to do the job and nothing else, and keep detailed access logs that are constantly synced to secure backup locations where they can be studied for anomalies. And keep an ear out for angry critics who know your phone number or private details useful for someone to pretend to be you with a customer service rep.
Keep all this in mind and you can frustrate even the most professional and experienced hackers by giving them little to work with and demand a whole lot of effort. Unfortunately, when it comes to political campaigns, you’ll find your opponents very determined, much more than ones motivated solely by commercial gain. But if you put up enough hurdles, you might minimize the size of the leaks and the damage they might do, and in turn, give you tools to help identify who may have been complicit, why they did it, and expose them right back so they can’t keep doing their work in the shadows. And if key elections are any indication of what’s going to happen in the future, we will be seeing a lot more hacks, so we need to learn how to fight back.
