There is probably no one more acutely aware of the importance of good cybersecurity right now than Hillary Clinton’s campaign chairman John Podesta, whose emails have been laid bare by WikiLeaks, are being mined for news by journalists (including at The Intercept), and are available for anyone with internet access to read.
So as a public service to Podesta and everyone else on Clinton’s staff, here are some email security tips that could have saved you from getting hacked, and might help you in the future.
There’s a method for coming up with passwords that are mathematically unfeasible for anyone to ever guess by brute force, but that are still possible for you to memorize. I’ve written about it before, in detail, including an explanation of the math behind it.
But in short: You start with a long list of words and then randomly select one (by rolling dice), then another, and so on, until you end up with something like: “slinging gusty bunny chill gift.” Using this method, called Diceware, there is a one in 28 quintillion (that is, 28 with 18 zeros at the end) chance of guessing this exact password.
For online services that prevent attackers from making very many guesses — including Gmail — a five-word Diceware password is much stronger than you’ll ever need. To make it super easy, use this wordlist from the Electronic Frontier Foundation.
So if that’s a strong password, what does a weak password look like? “Runner4567.”
— Phil Kerpen (@kerpen) October 12, 2016
The same day that WikiLeaks published Podesta’s email, his Twitter account got hacked as well. How do you think that happened? I have a guess: He reused a password that was exposed in his email, and someone tried it on his Twitter account.
Even if you use a strong password, it quickly becomes worthless if you use it everywhere. The average person has accounts on dozens of websites. For those who reuse passwords, all it takes is for any one of those sites to get hacked and your password to get compromised, and the hacker can gain access to your accounts on all of them.
You can avoid this by using different strong passwords for every account. The only way this is possible is by using a password manager, a program that remembers all your passwords for you (in an encrypted database) so you don’t have to. You should secure your password manager with an especially strong password. I recommend a seven-word Diceware passphrase.
There are many password managers to choose from: KeePassX, LastPass, 1Password, and more. Shop around for whichever one fits your organization the best. It doesn’t so much matter which you use, so long as you use strong, unique passwords for each account. Password managers also help you generate secure random passwords.
Last year, when I asked National Security Agency whistleblower Edward Snowden what ordinary people could do to improve their computer security, one of the first pieces of advice he gave was to use two-factor authentication. If Podesta had enabled it on his Gmail account, you probably wouldn’t be reading his email today.
Google calls it “2-Step Verification” and has an excellent website explaining why you need it, how it works, and how it protects you. In short: When you log in to your account, after you type in your password you’ll need one more piece of information before Google will allow you to proceed. Depending on how you set it up you might receive this uniquely generated information in a text message, a voice call, or a mobile app, or you could plug in a special security key into your USB port.
Once you start using it, hackers who manage to trick you into giving up your password still won’t be able to log in to your account — at least not without successfully executing a separate attack against your phone or physically stealing your security key.
Google handles all of the email for hillaryclinton.com. If you’re a Clinton staffer, you should immediately stop what you’re doing and make sure you’ve enabled 2-Step Verification for your email. You should also enable two-factor authentication for all of the many other services that support it, including Twitter, Facebook, Slack, and Dropbox, to name just a few. (If Podesta had enabled it on his Twitter account, that probably wouldn’t have gotten hacked either.)
How did these prominent political figures get their emails hacked in the first place? It appears that Russian hackers used “spear-phishing” attacks against many high-profile political targets, and some of them bit.
Spear-phishing works like this: The attacker sends a target a carefully crafted email, something that looks legitimate but is actually a fake. The target clicks a link in the email and ends up at what looks like a login page for their bank, or an online store, or, in this case, the Google login page. But it’s not. If they carefully examined the URL of the website, they would see that it doesn’t begin with https://accounts.google.com/ and therefore isn’t a real Google login page.
But they don’t notice, so they go ahead and enter their username and password. Without realizing it, they just gave their Google password to the attacker. Now the attacker can use this password to log in to the target’s Gmail account and download all of their email (assuming they are not using two-factor authentication, that is).
Well-crafted spear-phishing emails can be incredibly hard to spot, but if you ever end up on a website asking you for a password, you should be skeptical. Check the URL and make sure you’re at a legitimate login page before typing in your password, or navigate to the login page directly.
All of the previous tips are aimed at keeping your email account secure. But even if you follow all of the security best practices, it’s still possible that your email could get compromised. For example:
Or maybe you just don’t trust Google, or anyone who can compel the company with legal requests for data, with the contents of your email.
For any or all of those reasons, it’s probably worth using encrypted email.
Using encrypted email is more complicated than using a strong password and using two-factor authentication — which are really easy — but it’s simple enough that everyone at The Intercept, including all of the non-nerds, uses it. An important caveat is that everyone needs to be ready to use encrypted email before you can start using; you can’t send an encrypted email to someone who doesn’t have an encryption key yet. (You can find our encryption keys on our staff profiles if you want to send us encrypted emails.)
To get started, check out the Electronic Frontier Foundation’s Surveillance Self-Defense guide for using email encryption for Windows, Mac OS X, and Linux. If enough people in your organization use encrypted email, consider using our newly released tool GPG Sync to make it somewhat simpler.
Had Podesta, or anyone in the Democratic National Committee — or really anyone who’s had their email leaked in recent years — used encrypted email, a lot more of the emails would look something like this:
If a hacker steals all of your encrypted email and then wants to decrypt it, they’ll need to hack into your computer and steal your secret encryption key. That is a whole level of difficulty higher than just getting your password. If you choose to keep your secret encryption key on a physical USB device, such as a Yubikey, the hacker has even more hoops to jump through before they have any hope of decrypting your emails.
If encrypting your email sounds too hard, it might make sense to just use email less, in favor of easy-to-use encrypted message apps such as Signal. The Clinton campaign is reportedly already using Signal for its mobile communications about Donald Trump. Now the iPhone version of the app has desktop support, too. So if you need to send a quick, but sensitive, message to a colleague, why not type it into the Signal app instead of sending an email?
Hillary Clinton’s policy on encryption is dubious, even to the point of calling for the government to commission a “Manhattan-like project” to figure out how to create strong, unbreakable encryption that nevertheless has a back door for law enforcement to access. This idea is firmly in the realm of fantasy, because a back door is definitionally a weakness.
And no matter what U.S. policy is in the future, the email encryption I described above will not contain a backdoor and will be available to everyone in the world, because it’s open source software developed largely outside of the United States.
The obvious conclusion is that Clinton simply doesn’t understand cybersecurity, in theory or in practice.
On the practical level, she needs better in-house technical expertise.
On the theoretical level, she should listen to the unanimous consensus of cryptography experts and take a firm stance in support of strong encryption without back doors. This will improve the cybersecurity of both government and private businesses, protect the constitutionally protected privacy rights of Americans — and maybe even save herself from similar embarrassments in the future.