
How Not to Get Hacked by Russians (or Anyone Else): Lessons From the DNC’s Disastrous Cyber Strategy

When the FBI calls, call them back.

The FBI told the Democratic National Committee in September of 2015 that its computer network had been breached by hackers linked to the Russian government. But nothing concrete happened about the cyber break-in for seven months, according to an exhaustive report on Dec. 13 in the New York Times (paywall).

Instead, DNC workers committed a sequence of jaw-dropping blunders. Combined with tech practices that ignored even the most basic rules of cyber safety, this allowed hackers to rummage through the DNC’s server, downloading tens of thousands of private emails which were ultimately published on Wikileaks. (The FBI agent tasked with warning the DNC was also strangely lackadaisical about it, doing little more than leaving a series of voicemails after speaking to an IT temp, though the DNC’s headquarters are just a half mile from the FBI’s own.)

It is impossible to tell whether the hack, and a related one that breached the email account of Hillary Clinton campaign chairman John Podesta, played a significant part in Clinton’s election defeat. But the situation certainly hobbled Democrats, sidelining some “at the height of the campaign,” as the Times notes, while also potentially affecting “congressional races in a dozen states.”

Russian hackers are suspected of having targeted everyone from NGOs to consumer tech companies like LinkedIn and Dropbox in recent months. But even if you or your company think you aren’t important enough to be in their sights, many of the techniques they use are common to hackers everywhere. Here’s how to protect against them.

How to not get phished

The hackers first gained access to the DNC computer network using the commonest weapon in a hacker’s arsenal: a phishing attack.

A Clinton campaign official received an email that looked like it was from Google with the subject line “Someone has your password.” It claimed someone had tried to log into his account from an IP address in Ukraine. The official clicked on a link in the email that said CHANGE PASSWORD, and did so. In fact, the link led to a server controlled by the hackers, letting the Russians into his email.

Many other DNC and Clinton campaign staff were similarly targeted. Podesta fell victim when a staffer sent an email warning that the phishing email was illegitimate, but accidentally typed “legitimate” instead, causing Podesta to click on the password link. The mistake, the aide told the Times, had “plagued him ever since.”

Google tends towards less dramatic language than “Someone has your password,” such as “New sign-in from iPhone” or “Review blocked sign-in attempt.” The links or buttons in its emails will usually tell you to review information, rather than shouting CHANGE PASSWORD.

The original article showed two screenshots side by side: one of the fake "Someone has your password" emails, and a real Google sign-in notification for comparison. The images are not reproduced here.

There are many potential clues that an email may be a phishing email, but the simplest and safest way to spot one is to check any link in it before you click—hover your mouse over it, or on a phone, press and hold your finger on it—and make sure it’s actually to a URL from the company that supposedly sent it.

And when you look, look closely. Often hackers will substitute one or two characters so a URL looks similar, such as goog1e.com or app1e.com (a digit 1 in place of the letter l), or tack the real name onto a domain they control, such as accounts.google.com.something-else.example, where the part that matters is the last two labels before the path. Sometimes an email will display one URL as the link text while the underlying link goes somewhere else entirely; the original article illustrated this with a link whose visible text read apple.com but which pointed to a different site. What the link text says is irrelevant; only the destination your browser shows when you hover or long-press counts.
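The hover-and-inspect check above can be automated for a whole message. The script below is an added example, not code from the original article: it pulls every link out of a constructed HTML email, and for each one reports whether the destination host actually belongs to the sender's domain (google.com is assumed here as the `expected_domain`; set it per sender), whether it is a digit-for-letter lookalike of that domain, and whether the visible link text names a different host than the one the link really goes to. The sample email and the `.example` hostnames are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Digit-for-letter swaps commonly used in lookalike domains (goog1e.com, app1e.com).
LOOKALIKE = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})

# Constructed sample modelled on the "Someone has your password" lure; not a real message.
SAMPLE_EMAIL = """<p>Someone has your password.</p>
<a href="http://myaccount.google.com-security.example/reset">CHANGE PASSWORD</a>
<a href="http://goog1e.com/signin">https://accounts.google.com</a>
<a href="https://accounts.google.com/signin">Review your recent activity</a>"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Hostname of a URL, tolerating bare 'accounts.google.com' style link text."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def belongs_to(host: str, domain: str) -> bool:
    """True only if host is the domain itself or a subdomain of it (suffix match on labels)."""
    return host == domain or host.endswith("." + domain)


def check_link(href: str, text: str, expected_domain: str) -> list:
    """Return a list of human-readable problems with one link; empty means it looks legitimate."""
    issues = []
    host = host_of(href)
    if not belongs_to(host, expected_domain):
        issues.append(f"link host {host!r} is not under {expected_domain}")
        # goog1e.com becomes google.com after the swap: flag it explicitly as a lookalike.
        if belongs_to(host.translate(LOOKALIKE), expected_domain):
            issues.append(f"host is a lookalike of {expected_domain}")
    # If the visible text itself looks like a URL or hostname, it must match the real target.
    shown = host_of(text) if "." in text and " " not in text else None
    if shown and shown != host:
        issues.append(f"displayed {shown!r} but points to {host!r}")
    return issues


def audit_email(html: str, expected_domain: str) -> list:
    """Audit every link in an HTML email body; returns [(href, text, issues), ...]."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, text, check_link(href, text, expected_domain))
            for href, text in parser.links]


if __name__ == "__main__":
    for href, text, issues in audit_email(SAMPLE_EMAIL, "google.com"):
        verdict = "OK" if not issues else "SUSPICIOUS"
        print(f"[{verdict}] {text!r} -> {href}")
        for issue in issues:
            print("    -", issue)
```

Only the third link passes: the first is a domain the sender does not control with the real name bolted onto the front, and the second is both a lookalike host and a link whose text lies about its destination. The suffix check in `belongs_to` is the important part; a naive "contains google.com" test would wave the first link through.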

If you run a big company

Make sure your IT department is empowered, and capable of monitoring for hacks. The DNC was relying on a part-time contractor for much of its tech support. When the FBI first called to tell him it suspected there was malware on the DNC systems, he thought it might be a prank. Left mostly on his own to figure out how to respond, he checked the DNC’s systems for the malware, but couldn’t find it. The DNC also lacked tools that let tech staff watch for suspicious activity on the network, which is often the only telltale sign that hackers have paid a visit.

Any company with more than a few employees that uses the internet should have people on staff with experience and resources for dealing with cyber threats. These staff also tend to be pretty good at the more basic IT tasks like making your printers work.

When the FBI calls, call back. The DNC’s part-time contractor didn’t return subsequent follow-up calls from the FBI agent, because he wasn’t sure he was real. But the FBI has a main switchboard you can call, and a field office in every major city. Look the number up yourself rather than dialing one left in a voicemail, which is the same discipline as checking a link before you click it. It can’t be that hard to check.

If you run any size company, or work alone

Use two-factor authentication. Even if you fall for a phishing scam, there’s a safeguard. Many of the most popular apps on the web, from Gmail to Slack to Facebook, have an optional second layer of security. When you log in from a new device (or often a new place), they ask you to enter an extra code, which is sent by text message or generated by an app on your phone. That way, even if hackers have your password, they can’t get in unless they also have that code. A code generated by an app is better than one sent by text message, since text messages can be redirected by anyone who talks your carrier into moving your number; a hardware security key is better still, because it checks the site’s real domain and will not answer a lookalike at all. Here’s how to turn on two-factor authentication.

Use a password manager. You probably use dozens of websites and services that require a password. Most people use the same password on many (or all) of them. This is a terrible idea: one breached site hands the attacker every other account. Apps like 1Password or LastPass create and store long, complicated passwords for each service you use that are far harder to crack than any password you’re likely to come up with. You then have to remember just one (also long, but you can make it easy to remember) password to log into the app. Their browser extensions also only fill a saved password on the site it was saved for, so a lookalike domain gets nothing, which makes them a quiet phishing defense as well. This also allows teams to securely share logins between teammates.

Use more secure messaging systems than email. If you’re very paranoid, SpiderOak, recommended by whistleblower Edward Snowden, has multiple encrypted tools to help businesses or political candidates run their operations. SpiderOak’s eponymous tool is a cloud-based document-sharing service, similar to Dropbox, and it also makes Semaphor, an encrypted group chat service similar to Slack. Signal, the end-to-end encrypted WhatsApp-like messaging app that Snowden also recommends, is made by Open Whisper Systems, not SpiderOak.

Have important conversations in person or over the phone. One of the most telling revelations from the DNC emails was just how much behind-the-back sniping was going on, embarrassing staffers and causing rifts between party members. If nasty things really need to be said about your colleagues or your boss, don’t say them in communications channels that come with permanent records. Say them over coffee in the break room, or a beer after work. And if you can’t, many chat apps, such as WhatsApp and Signal, also let you hold secure, fully encrypted voice or video calls. 
