Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Hackers Broke Into John Podesta and Colin Powell's Gmail Accounts (vice.com)

Posted by BeauHD on from the how-it's-made dept.

An anonymous reader quotes a report from Motherboard: On March 19 of this year, Hillary Clinton's campaign chairman John Podesta received an alarming email that appeared to come from Google. The email, however, didn't come from the internet giant. It was actually an attempt to hack into his personal account. In fact, the message came from a group of hackers that security researchers, as well as the U.S. government, believe are spies working for the Russian government. At the time, however, Podesta didn't know any of this, and he clicked on the malicious link contained in the email, giving hackers access to his account. The data linking a group of Russian hackers -- known as Fancy Bear, APT28, or Sofacy -- to the hack on Podesta is also yet another piece in a growing heap of evidence pointing toward the Kremlin. And it also shows a clear thread between apparently separate and independent leaks that have appeared on a website called DC Leaks, such as that of Colin Powell's emails; and the Podesta leak, which was publicized on WikiLeaks. All these hacks were done using the same tool: malicious short URLs hidden in fake Gmail messages. And those URLs, according to a security firm that's tracked them for a year, were created with Bitly account linked to a domain under the control of Fancy Bear. The phishing email that Podesta received on March 19 contained a URL, created with the popular Bitly shortening service, pointing to a longer URL that, to an untrained eye, looked like a Google link. Inside that long URL, there's a 30-character string that looks like gibberish but is actually the encoded Gmail address of John Podesta. According to Bitly's own statistics, that link, which has never been published, was clicked two times in March. That's the link that opened Podesta's account to the hackers, a source close to the investigation into the hack confirmed to Motherboard. That link is only one of almost 9,000 links Fancy Bear used to target almost 4,000 individuals from October 2015 to May 2016. Each one of these URLs contained the email and name of the actual target. The hackers created them with with two Bitly accounts in their control, but forgot to set those accounts to private, according to SecureWorks, a security firm that's been tracking Fancy Bear for the last year. Bitly allowed "third parties to see their entire campaign including all their targets -- something you'd want to keep secret," Tom Finney, a researcher at SecureWorks, told Motherboard. Thomas Rid, a professor at King's College who studied the case extensively, wrote a new piece about it in Esquire.

116 comments

  1. Phishing, not hacking. by Anonymous Coward · · Score: 2, Informative

    Truly, only Vladimir Putin himself could have phished some cluser's Google password.

    1. Re:Phishing, not hacking. by Archangel+Michael · · Score: 5, Informative

      This is SpearPhishing, a highly targeted personalized attack.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    2. Re:Phishing, not hacking. by Xenographic · · Score: 1

      > On March 19 of this year, Hillary Clinton's campaign chairman John Podesta received an alarming email that appeared to come from Google.

      This part is funny, because Google puts a giant flag on messages that claim to be from Google saying "THIS IS NOT FROM GOOGLE DO NOT GIVE OUT PERSONAL INFO" or something like that. I probably have a dozen phishing scams in the trash at any given time.

    3. Re:Phishing, not hacking. by whoever57 · · Score: 1

      Sometimes I click on the links, and put fake, abusive usernames and passwords into the fields on the resulting web page.

      --
      The real "Libtards" are the Libertarians!
    4. Re:Phishing, not hacking. by Xenographic · · Score: 3, Funny

      Yeah, I love doing that kind of thing.

      I also convince the telemarketers that I'm putting them on hold and never come back. For example, the computer repair scam? Try -

      "Oh, I'm so glad you called! I have a HUGE virus problem and my computer is REALLY slow. Yeah, I'll turn my computer on for you. Just wait a few minutes, it can take 15 minutes to boot up with all those viruses. Do you mind if I put you on hold while we wait for it to finish? I'll be right back...."

      Now put them on hold or mute and wait for them to hang up.

    5. Re:Phishing, not hacking. by whoever57 · · Score: 2

      Oh, yes, my favourite: "Yes, I'll get ", or "Hold on, there's someone at the door". Then I see how long before they realize and hang up.

      Some idiots even call back, at which time I usually explain that I was purposefully wasting their time.

      --
      The real "Libtards" are the Libertarians!
    6. Re:Phishing, not hacking. by rholtzjr · · Score: 1

      Been there, done that. :P

    7. Re:Phishing, not hacking. by guruevi · · Score: 1

      I get those all the time. Phishers do include your e-mail address in e-mails, encoded or not. Spearphishing is actually targeted at a specific private app within a company, not an open, public e-mail system.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    8. Re:Phishing, not hacking. by BoogieChile · · Score: 2

      I like to put on my foggy old codger act to coddle them along;

      "Start...run....event....viewer.....Oh, it's not good, I'll never remember all this. Do you want me to go to the computer and you can talk me through it? Oh, that's so good of you. It takes so long to start up, my grandson built it for me, but I don't know how to use it, really.....Oh, I think it's stuck, I'll have to turn it off and turn it on again, that what he always tells me to do, hee-hee-hee...etc, etc..." ...While I fire up my here's-one-I-prepared-earlier VM that they can (usually) finally figure out a way to get me to let them connect to before they eat their own headsets out of sheer frustration.

      Then WireShark tells me their IP address and I tell /b/ chan what that IP address is. It's usually around then that some civic-minded soul out there fires up the low-orbit ion cannon and then they usually have to find another ISP. It's always entertaining to watch what happens to their website until that happens

    9. Re:Phishing, not hacking. by terjeber · · Score: 2

      Got a call from "Microsoft" a little while back. The original caller informed me my PC was in trouble and then transferred me to my Scandinavian representative, Mr Gundersen (I kid you not). Mr Gunderson spoke English with a heavy Indian accent (why he didn't speak any of the Scandinavian languages was never explained). Anyway, me, being a really dumb user, took a long time to accomplish what Mr. Gundersen wanted me to do: download and install TeamViewer.

      After a good hour I finally "managed to install TV" so Mr. Gundersen asked me for the ID and password. I gave him a random number and the password was f-u-c-k-y-o-u. He tried it several times, but our connection was going bad, so I kept saying "hello", "hello", "hello" and hung up. After a few minutes a rather angry Mr Gundersen called me back and explained in some detail how I could have a sexual encounter with my mother. I didn't really take him up on that. It was a fun hour or so, and I needed an hours break at the time :-) Two colleagues monitoring our conversation also had a good time. I was a really stupid computer user. Just finding the TeamViewer website (which turned out was not on my local computer and therefore not accessible from my Explorer) took a good 15-20 minutes.

    10. Re:Phishing, not hacking. by Anonymous Coward · · Score: 0

      I wouldn't call it "highly targeted" I would call it "specific" since Pedestal was just one of 4,000 to receive an emailed URL - there is no telling how many others did what he did but who may have far less interesting email accounts.

    11. Re:Phishing, not hacking. by eric_harris_76 · · Score: 1

      One had the gall to cuss me out for wasting his time. He's trying to scam me, and *I'm* the bad guy?

      --
      There's no time like the present. Well, the past used to be.
  2. I'm here too early! by Bigjeff5 · · Score: 2

    I was looking for the big argument about how Phishing isn't Hacking, and these guys shouldn't be called hackers!

    Guess I'll have to wait...

    --
    Security is mostly a superstition... Avoiding danger is no safer in the long run than outright exposure. - Helen Keller
    1. Re:I'm here too early! by Tablizer · · Score: 1

      Compromise: "phacking"

      --
      Table-ized A.I.
    2. Re:I'm here too early! by MDMurphy · · Score: 1

      Then how about the summary being incorrect? Clicking on the link did not give the attackers access, going to a fake site and giving them the current password did. If this was Gmail, how did the users not get all sorts of alerts about a new machine being logged into their account?

      If the attackers did it one time, they'd only have access to past email messages. If was a recurring thing, then they'd have to access it all the time, leaving more clues that someone else was in the victim's ( chump's?) email.

      If nothing else this points out the risk of having email accounts that are not professionally managed when the users are technologically clueless. Otherwise things like 2 factor authentication and enforced password security could have helped protect them from themselves.

    3. Re: I'm here too early! by Anonymous Coward · · Score: 0

      Spear phappers

  3. Basement theory by Tablizer · · Score: 3

    The hackers created them with with two Bitly accounts in their control, but forgot to set those accounts to private

    A state-sponsered hack group wouldn't make that mistake, would they? Maybe Trump is right and it's just a 400-pound dude in his mom's basement.

    --
    Table-ized A.I.
    1. Re:Basement theory by kangsterizer · · Score: 1

      states hide as other states all the time.
      china and russia are the top ones.

      happens all the time. Basically you have no way to know for sure who did it in many, many cases.

    2. Re:Basement theory by Anonymous Coward · · Score: 1

      I can see them making this mistake... hell just look at all the cluster f*cks the US governments does on a regular basis. But I'm not convinced by the evidence that everyone is throwing out that this is a state sponsored agency.

      They targeted government and military targets! Obviously independent hackers would never go after these types of targets.

      Guccifer 2.0 said he's in the Ukraine but there are documents in Russian! Russian is the native language for ~30% of Ukrainians. And, anyone over a certain age in a former Soviet state will speak Russian... most often fluently.

      A Word document had the author set as Dzerzhinsky (founder of the Cheka, the precursor to the KGB). This seems like a reason to believe it's NOT the KGB. Are you telling me everyone at the CIA has Word set to use Donovan (founder of the OSS, the precursor to the CIA) as the author? Bullsh*t.

      I'm not saying it's not the KGB but a lot of the "evidence" is very, very circumstantial.

    3. Re:Basement theory by Archangel+Michael · · Score: 1

      but the whole "bear" thing is a give away! Only Russia knows about the "bear" thing.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    4. Re:Basement theory by rholtzjr · · Score: 1

      I would start looking at who the Dems have ticked off the most. Oh wait, never mind, that list would be endless.

    5. Re:Basement theory by MightyMartian · · Score: 5, Insightful

      Circumstantial may mean there's a question mark, but it doesn't mean "no evidence at all". Certainly Russia would gain greatly from a President who was less willing to stand behind the US's European allies, and who, all in all, would likely represent a more inward-gazing US. Russia has no hope in hell of ever militarily dominating the West, but if it can divide, then it gains a great deal of strategic space.

      Clinton's victory means the general policy towards Russia that has, by and large, been the US's strategy since the Truman Administration, remains intact, so it is clearly in Russia's interest to try to help the person that at least might represent a break with that strategy.

      Yes, it is circumstantial, and there is a possible counterargument that not even Putin actually would want someone as potentially unpredictable as Donald Trump in the White House, but I still lean towards Russia wanting a more isolationist Administration in the White House, much as it wants the European Union and NATO to be weakened. These three entities; the US, the EU and NATO represent significant checks on Russia's ability to project its power, and if any or all of them can be weakened or eliminated, it is of enormous strategic advantage to Russia.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    6. Re: Basement theory by Anonymous Coward · · Score: 0

      I believe that what the russians want is to create uncerteinty and doubt. I.e they don't care if either Hillary or Trump gets elected. Pushing the US close to civil war however...

    7. Re: Basement theory by MightyMartian · · Score: 2

      There's no more likelihood of civil war come November 9th than there was eight years ago when Obama became President. Yes, there will be some miserable losers, and this time they'll have a miserable loser in Donald Trump, but they'll do what they did eight years ago, be assholes on the Internet and get on with their lives.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    8. Re: Basement theory by Cro+Magnon · · Score: 1

      My crazy, "deplorable" side almost hopes there is a conflict just so I can say "Trump's people are revolting!".

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    9. Re:Basement theory by Anonymous Coward · · Score: 0

      Hell, if I was to do something like this, I'd use the name 'Biden'.

  4. fucking russians man im telling you by Anonymous Coward · · Score: 0

    imagine this, you are there in the internets and you go to your freaking gmail and WHAAAAAAAAAM!!!!! you get run over by a freaking lada (virus) and then the dashcam video surfaces on the wikileaks and that asshole assange laughs at you from a piece of exotic ecuador that SOMEHOW is in the middle of london

  5. tl;dr by Anonymous Coward · · Score: 1

    Phishing.

    Looks like it's probably FancyBear hacking group that is responsible.

    Therefore "it can only be Russians". There's no other possibility, not even aliens. /s

    You can't handle the truth and you can't see the possibly classified evidence that may or may not exist. Trust us.

    1. Re:tl;dr by HornWumpus · · Score: 2

      1000 shortened URLs/month is a single 'targeted' phishing group?

      Nonsense. 1000 shortened URLs/month is an open account being used by many interested parties.

      lets see the other 9000 targets. Bet they are clearly from all over the map. I'll further bet CNN will tell us it's illegal to look for ourselves.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    2. Re:tl;dr by AHuxley · · Score: 1

      It gets better AC, only FSB or GRU.
      "How Russia Pulled Off the Biggest Election Hack in U.S. History" (OCT 20, 2016 )
      http://www.esquire.com/news-po...
      '... the firm said, worked in a way that suggested affiliation with the GRU. Cozy Bear was linked to the FSB."
      All that 'immediately discovered", 'several sloppy mistakes" and emoji litter got left.
      Such an easy trail of litter for "unprecedented open-source counterintelligence".

      --
      Domestic spying is now "Benign Information Gathering"
  6. This is proof by reboot246 · · Score: 1

    Idiots shouldn't use email. They'll click on any link in front of them. I see people like that every day and it makes me wonder how they even tie their shoes in the morning.

    1. Re:This is proof by Tablizer · · Score: 2

      Idiots shouldn't use email. They'll click on any link

      An "education" link from Goatse U will fix 'em.

      --
      Table-ized A.I.
    2. Re:This is proof by Anonymous Coward · · Score: 0

      Are you kidding? Send a goatse link to highly-placed officials in Washington, and they'll reply asking where it came from, and can they please have some more.

  7. How does clicking one link compromise gmail? by Anonymous Coward · · Score: 0

    Is it a flaw in gmail?

    Is it a flaw in the user's browser?

    For IT geeks, that's the real question!

    1. Re:How does clicking one link compromise gmail? by Anonymous Coward · · Score: 0

      $20 says the email said something like "your account is of being the attacked! To be pro-tected, make click on link and input the pass word to save account!" and the link went to mail.gooogle.com or something like that.

    2. Re:How does clicking one link compromise gmail? by Anonymous Coward · · Score: 0

      I can confirm.
      I get about 1 of those emails per week.
      Usually it's something like
      "Your inbox is full, please click this link to verify or your account will be deleted."
      It's a fucking work account you idiots. It's not going to be deleted, and if it was it wouldn't be my fucking problem.
      Another nice one:
      "There has been suspicious activity with your credit card. Click this link to verify or you could be charged for these purchases."

    3. Re:How does clicking one link compromise gmail? by Anonymous Coward · · Score: 0

      Also, what kind of 'security' features were installed on their machines?

  8. Ignores the issue by s.petry · · Score: 2, Insightful

    If the DNC, Podesta, and Media, State Department, DOJ, FBI, and Hillary camp did nothing wrong there would be nothing to expose.

    It really truly matters little "who" did the hacking. DNC colluded with media to install a candidate of their choosing. Super-PACs are colluding with the DNC. Clinton Foundation is mostly a front for pay-for-play and benefiting Hillary. Hillary is not the mild tempered person the media has been trying to portray her as, lies to the public, and is in it for personal power. Nothing we didn't already believe but now we have validation.

    It does not matter if it was Russia, a 400lb guy in the basement, or a disgruntled staff member (still my most likely suspect) the actions described in the emails are illegal.

    Russia, guilty or not, is being used as a way to white wash the conversation.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    1. Re:Ignores the issue by Archangel+Michael · · Score: 5, Insightful

      Well, there are two issues here, and people love to conflate them together.

      1) Spear Phishers got to Podesta, and gained access to his account. The media calls it "hacking" but it wasn't, it was social engineering. One requires expert skills in computers, the other requires basic knowledge of psychology. THIS is all on Podesta for not using 2 Factor authentication.

      2) The other bit about collusion with Media, DNC, Hillary Campaign and it even ties into Project Veritas "Bird Dogging" tapes.

      These are TWO separate issues, and should be addressed as such. Trump could have flipped the whole "Trump and Putin are buddies" bit by Clinton by saying "I condemn the hack. But that doesn't eliminate the horrible dirty politics of the DNC, Media and Hillary Clinton that was exposed. Hillary, how do you justify Bird Dogging my campaign?"

      But Trump is an idiot. He'll never get how to flip attacks back onto the attackers. It requires a kind of mental judo he can't perform.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    2. Re:Ignores the issue by Xenographic · · Score: 3, Insightful

      BTW, the first batch of Obama emails are out: https://wikileaks.org/podesta-...

      They're boring, though. Wait for later dumps.

      Also, please remember that it may be illegal to view the emails unless you have CNN authorization. You can learn a lot from CNN, like the fact that we already have congressional term limits. Someone might want to let Wikipedia know about that.

    3. Re:Ignores the issue by MightyMartian · · Score: 1

      Phishing is a tool that can be used by scammers or hackers. In this case, yes, it was hacking.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    4. Re:Ignores the issue by rmdingler · · Score: 2

      These are TWO separate issues, and should be addressed as such. Trump could have flipped the whole "Trump and Putin are buddies" bit by Clinton by saying "I condemn the hack. But that doesn't eliminate the horrible dirty politics of the DNC, Media and Hillary Clinton that was exposed. Hillary, how do you justify Bird Dogging my campaign?" But Trump is an idiot. He'll never get how to flip attacks back onto the attackers. It requires a kind of mental judo he can't perform.

      Pretty much this, with a side of, How do two candidates with such glaring deficiencies get this close to the Oval Office?

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    5. Re:Ignores the issue by Xenographic · · Score: 1

      It might be "used by hackers" but that doesn't make it hacking per se. Otherwise you muddy the terms. Phishing is exploiting human weakness. Hacking is exposing computer weakness.

      It's probably a totally lost cause to get people to use the words in a meaningful way, but for those who don't subscribe to the Humpty Dumpty theory of semantics, it's important to use words correctly.

    6. Re:Ignores the issue by s.petry · · Score: 2

      Haha, that CNN authorization line was the funniest thing I have heard in a long time.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    7. Re:Ignores the issue by MightyMartian · · Score: 5, Insightful

      Ah yes, the real damaging ones are just around the corner...

      It's less than three weeks away, and no modern presidential candidate has ever come from this far behind at this late a date, so if Assange and Friends really are interested in tanking the Clinton campaign, to wait until this late date, AFTER millions have already cast their ballots, would be idiotic.

      The alternative explanation is that there really isn't anything there so odious that it's going to make a difference, and this is just Assange's latest "Look at me!" bid.

      Probably his last, too, if the rumors that Ecuador is in discussions to kick his ass out of the embassy.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    8. Re:Ignores the issue by Anonymous Coward · · Score: 0

      The October surprise will be that there was no October surprise. Trump did his Trump things, Hillary did her Hillary things, the Libertarians couldn't find a solid candidate that could be bothered to pretend they were in the running this year (gotta give props for not nominating the person dancing naked on stage or the guy who wears a boot for a hat though), and the Greens are even further behind the Libertarians. And there was not one surprise despite a flood of leaks showing Trump being Trump and Hillary being Hillary and Johnson not bothering to be aware of the world around him or at least having the "mental judo" (as another poster mentioned) skill to flip foreign policy questions on their head and use them to promote the Libertarian platform.

    9. Re: Ignores the issue by Anonymous Coward · · Score: 0

      Part of it is idiots crossing party lines to vote for the "easiest to beat" candidate in the party they don't plan to actually vote with in the general.

      I get the idea of "strategic" voting, but for the love of freedom, please only do that by voting for "least bad" in the general, rather than sabotaging All of us In the primaries.

    10. Re:Ignores the issue by Anonymous Coward · · Score: 0

      If the DNC, Podesta, and Media, State Department, DOJ, FBI, and Hillary camp did nothing wrong there would be nothing to expose.

      You don't need privacy because you should have nothing to hide? This is one forum such an argument should be laughed out of the room.

    11. Re:Ignores the issue by Anonymous Coward · · Score: 0

      So if there was no "October surprise" what the hell where those Trump tapes? Just happened to come up 2 days before the last debate IN OCTOBER mind you...

      Personally, I believe the *real* "October Surprise" will be forth coming in about a week. Where the previous "Hot Mic/dirty talk" incident was intended to bury Trump just before the debate and goad him into attacking Clinton during the debate so they could spin the "He hates women" yarn into a nice sweater for him to wear, the REAL powder keg is yet to come. They will cook something up on the Clinton side, trust me, they had this all planned out and there is no way they would fire their best ammo at T-6 weeks. The only way a humdinger of a October Surprise doesn't happen in about a week is if somebody slipped up in the Clinton campaign and they accidently let the cat out of the bag too soon, giving 6 weeks and 2 debates to Trump to overcome it. Clinton is ruthless and has an experienced staff running her campaign who are NOT stupid.. They have something else to drop... And they will.

      My only question really is, what on earth are they going to drop? They set up the "he hates women" narrative for months... Surely they have been prepping for the last salvo too... Hmmm... Any ideas?

      Modding today so posting as AC

    12. Re:Ignores the issue by Anonymous Coward · · Score: 0

      He can't play it like that or he's 'being mean to that poor woman' which would hurt him.

    13. Re:Ignores the issue by Anonymous Coward · · Score: 1

      Simple. Decent folks generally don't have the desire to rule over others. Creative and intelligent people find they can make more money or achieve happiness in other sectors. The few decent ones don't have the animal instinct and get chewed up and spit out or identified as a threat to the system and filtered out long before they make any headway into the political apparatus.

      What you're left with are the semi-intelligent, selfish, power-hungry control freaks.

    14. Re:Ignores the issue by darkharlequin · · Score: 1

      Simple. The media picks the easiest to beat Republican and the democrats force on us the biggest shit sandwich that they can because they owe him/her favors.

      --
      i am so very tired....
    15. Re:Ignores the issue by rmdingler · · Score: 1

      If it were possible to measure, what would the biggest shit sandwich be, in some common form of measurement reference such as Olympic swimming pools?

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    16. Re:Ignores the issue by rtb61 · · Score: 0

      'ER' cough , cough, even Hillary Clinton doesn't believe that and I quote "At The State Department We Were Attacked Every Hour, More Than Once An Hour By Incoming Efforts To Penetrate Everything We Had. And That Was True Across The U.S. Government', yet she choose to ignore her own words to keep secret from the rest of the US government what she was doing on her server, knowing full well of hourly attacks on the State Department, she must have had a pretty powerful reason to ignore her own words. Just to confirm 'They're trying to find out about what a lot of companies do and they were going after the personal emails of people who worked in the State Department' (well, hint, hint right there). Now I am sure FBI and NSA agents would be pretty pissed to know she full well knew the risks," And we knew it was going on when I would go to China, or I would go to Russia, we would leave all of our electronic equipment on the plane, with the batteries out, because this is a new frontier" and yet had sufficient motivation to set up unsecured servers, purposefully hidden from other US government agencies.

      Now based upon her own statements and knowledge she was knowingly criminally negligent is securing US government secrets, no excuses, full pre knowledge of risk, did not care and long as she could do her secret wheeling and dealing well away from the mostly watchful eyes of the FBI. That is a major crime wilfully negligent in maintaining the security of the US government.

      --
      Chaos - everything, everywhere, everywhen
    17. Re:Ignores the issue by rtb61 · · Score: 1

      Just as a by the by, it is really bad form to "leave all of our electronic equipment on the plane, with the batteries out", for security services. Proper action is basically honey pot burner phones, given just prior to exit in a known track able state, with the user instructed, that every communication on that device will be recorded by foreign and as well as US agents and ensure all incoming communications to the device are routed for auditing to ensure no accidental leaks. As a temporary device communications access channels should be pre-limited. The reason why, obviously, you can now scan the device for hacks because every time a hack is used it risks full exposure and enables counter measures to be taken (this is the direct failure of combining offensive and defensive security operations, something that would be definitely done by defensive only service). What would be better than a mobile honey pot wandering about foreign government facilities. You will also want to pop the battery as soon as possible so a scan can be done in a safe state. I would consider a daily phone swap for analysis to be sound, even changing brands (you might think that well, they know what is going on and ignore the phone but when it comes to the professionally paranoid, they can't, they just can't resist, it might not be a honey pot, it might be an accident, it might capture something anyhow, we need to test hacking methods to see if they can discover them).

      --
      Chaos - everything, everywhere, everywhen
    18. Re: Ignores the issue by Jeremi · · Score: 1

      Why would the Clinton campaign risk doing anything now, when they're already cruising towards a landslide victory? Trump did a fantastic job of disqualifying himself at the debates; now all they have to do is run out he clock. To try some "October surprise" at this point would gain them very little, but if it went wrong somehow it could hurt them greatly.

      --


      I don't care if it's 90,000 hectares. That lake was not my doing.
    19. Re:Ignores the issue by Anonymous Coward · · Score: 1

      "Also, please remember that it may be illegal to view the emails unless you have CNN authorization."

      lolcnn: https://popehat.com/2016/10/17/no-it-is-not-illegal-to-read-wikileaks/

    20. Re:Ignores the issue by Anonymous Coward · · Score: 0

      Should that not be red washing?

    21. Re:Ignores the issue by misexistentialist · · Score: 1

      But Trump is an idiot. He'll never get how to flip attacks back onto the attackers. It requires a kind of mental judo he can't perform.

      If you are so smart you should have offered to work as a consultant for $$$

    22. Re:Ignores the issue by camg188 · · Score: 1

      Assange did say that he thought Clinton could be prosecuted with some of the upcoming leaks...
      but he also hinted at something big being released at the wikileaks 10th anniversary broadcast which turned out to be absolutely nothing.

    23. Re:Ignores the issue by avgapon · · Score: 0

      If the goal is to weaken the presidential authority than any time is still a good time.

    24. Re:Ignores the issue by Anonymous Coward · · Score: 0

      "The media" most certainly did not pick Trump.
      Trump and Cruz were the only candidates from any party that promised to enforce our southern border. That's what got the ball rolling.

    25. Re:Ignores the issue by gumbi+west · · Score: 2

      Trump has great consultants--you can see them on TV and they obviously write great scripts.

      He just doesn't listen to them.

    26. Re:Ignores the issue by meta-monkey · · Score: 0

      I was surprised by Hillary getting full questions from CNN and topics from Fox before debates. I mean, I should know it's all just a sham. The media, the government, and the DNC are just a puppet show. Lies, brainwashing and propaganda. And democrats are totally fine with this because go blue team go.

      --
      We don't have a state-run media we have a media-run state.
    27. Re: Ignores the issue by luis_a_espinal · · Score: 3, Insightful

      Part of it is idiots crossing party lines to vote for the "easiest to beat" candidate in the party they don't plan to actually vote with in the general.

      I get the idea of "strategic" voting, but for the love of freedom, please only do that by voting for "least bad" in the general, rather than sabotaging All of us In the primaries.

      Bullshit. Intra-party results in closed primary states mirrored those of the country as a while. There is a lot to debate how Clinton won over Sanders, but there is no debate there were a whole bunch of idiots on the other side of the fence who ENTHUSIASTICALLY went for Trump, hook, line and sinker.

      One has to wonder the type of bubble one must live in to buy into that kind of tripe.

    28. Re:Ignores the issue by Archangel+Michael · · Score: 1

      What you're left with are the semi-intelligent, selfish, power-hungry control freaks.

      Best summary of why we need limited governance and a libertarian philosophy. Everything else leads to despotism.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    29. Re:Ignores the issue by Archangel+Michael · · Score: 1

      Why would I support a candidate that is opposed to the ideals of Liberty? Trump is an easy foil, mainly because he is an island. Hillary on the other hand, is surrounded by other like minded despots wanting a bit of whatever rule she can hand them once she is in power. The WikiLeaks emails kind of prove this point.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    30. Re:Ignores the issue by Anonymous Coward · · Score: 0

      oh my, the scandal. this changes everything

    31. Re: Ignores the issue by vandamme · · Score: 1

      The problem was the crowded Republican field, and the noisiest got a higher percentage, egged on by the media who not only supports Hillary but sold lots of newspapers and air time.

    32. Re:Ignores the issue by ebvwfbw · · Score: 1

      He brought up her campaign sending thugs in to beat up people, close down highways, other potentially deadly dirty tricks. Right away Hillary's campaign fired those people and she has no knowledge of any of that. Yea, right and Bill Clinton has never violated a woman.

      Media spotlight? Bulb is out, socket is broken, wires to the spotlight are cut, generator was destroyed and the fuel is contaminated. Nope, nothing to see here, move along..la la la can't hear you... la la la can't year you...

      But boy, look at Trump and being a cad. We have a nice new spotlight for anything bad about Trump. Even made up stuff. In fact, they'll even make up stuff as the e-mails show.

      Seriously, they media would have buried that too. Trump is no Reagan. At least not yet.

      There are very serious scandals in the last e-mail dump. I believe around 18 more. Probably ahead of the very corrupt Obama administration.

    33. Re: Ignores the issue by luis_a_espinal · · Score: 1

      The problem was the crowded Republican field, and the noisiest got a higher percentage, egged on by the media who not only supports Hillary but sold lots of newspapers and air time.

      As a life-long Republican (not for long, I send an voter update to change to independent), I don't buy this. The noisest got a higher percentage because a higher percentage of the constituency are stupid. This is not kindergarten when the teacher ask who can scream "me!" the loudest.

      This is a replay of what I saw in 2012, but just worse. Whatever I used to identify myself in the GOP, that's gone, gone for good, eaten inside out by a cancer since 2008, but with cysts growing all over it for the last 20 years.

      There is nothing there to salvage, and the constituency has become stupider (or they were stupid all along, but now they have found their voice via the Donald.) Like dodos marching off a cliff, good riddance!

  9. "Legitimate" URL Shortening in email is stupid by WoodstockJeff · · Score: 4, Interesting

    We have most URL shortening services blocked on our email system. It's a policy that has been in place for years - in email, it does not matter how long or ugly the URL is, it should be fully there.

    If a service has a way to view the destination without actually going there, we MIGHT let it through. But even that policy needs review. Maybe we just need to crank up the SpamAssassin score by 10.0 for each one found...

    1. Re:"Legitimate" URL Shortening in email is stupid by Anonymous Coward · · Score: 2, Interesting

      URL shortening is stupid everywhere. What is the point? Do people actually type out a shortened URL (vs. copy/paste).
      What is the purpose of this "technology", other than accommodating Twitter?

    2. Re:"Legitimate" URL Shortening in email is stupid by mythosaz · · Score: 1

      Sometimes, you have to type them - among their legitimate uses.

    3. Re:"Legitimate" URL Shortening in email is stupid by Anonymous Coward · · Score: 0

      Sometimes, you have to type them - among their legitimate uses.

      Really? I can't remember the last time I typed in a deep link (shortened or otherwise).

    4. Re:"Legitimate" URL Shortening in email is stupid by Anonymous Coward · · Score: 0

      Yes. I regularly actually type out shortened URLs. It can come in handy when someone, for example, texts you a URL and you want to view it on a desktop. Unless you're a real moron you can tell if the site you're visiting at the end is legitimate or not.

    5. Re:"Legitimate" URL Shortening in email is stupid by xvan · · Score: 1

      This, I use them on (probably printed) documents like CVs

  10. The Russians did it! by fustakrakich · · Score: 1

    Next we're going to hear they have weapons of mass destruction. We must attack now!

    --
    “He’s not deformed, he’s just drunk!”
  11. Did they use a zero day? by Anonymous Coward · · Score: 0

    So the guy clicked on a link... that shouldn't constitute an entire hack of his account.
    Did the link trigger a zero-day? What was the actual vulnerability they used?

    1. Re:Did they use a zero day? by Man+On+Pink+Corner · · Score: 1

      What was the actual vulnerability they used?

      Human stupidity. 99% of the time, it works every time.

    2. Re:Did they use a zero day? by will_die · · Score: 1

      From what I have seen it went to a fake site for "google-account". It showed his google email address,passed via the bitly URL, and prompted for the password. He entered his password and he used the same password for other sites so they now had those.

  12. Speculation by Glith · · Score: 5, Informative

    That they sent a couple of bit.ly links that got clicked on a couple of times isn't surprising. The source claiming it's all the Russians is the same NSA source that perjured himself in front of congress.

    Podesta uses the same password across every service he's on, and didn't even start changing it once his emails started pouring to the public by the thousands. It was likely exposed by a dozen other hacks.

    1. Re:Speculation by iggymanz · · Score: 1

      shocking news: those with desk jobs nowadays actually need a minimum level of tech knowledge to not do incredibly stupid things

      who knows, maybe someday people who hold such jobs will actually have to prove a minimum level of desktop computer skills, to keep dumb-asses such as Podesta off company machines. Those of us in IT could then focus on important projects instead of wiping the ass of lusers

    2. Re:Speculation by Anonymous Coward · · Score: 0

      Not really. They just need someone to tell them that they can't conduct business with a service such as gmail, and must use a trusted server that checks and sanitizes links. The only expertise they need is to know they need someone who actually has expertise. Thus, they are not stupid, they are extremely stupid.

    3. Re:Speculation by iggymanz · · Score: 1

      rather than building expensive attempts at an idiot-proofed infrastructure (futile, I've seen bean counter idiots mess up dedicated air gapped dumb terminal finance systems), be cheaper to just not hire them.

  13. Russian Government? Why use a contractor? by mveloso · · Score: 2

    If the Russian Government is as good at this shit as they say, why would they outsource it to a Russian firm? That's stupid.

    It's like someone wanted a big sign that said RUSSIA DID IT.

    Do the TLAs really thing that the Russian Government is going to fake them out by using a Russian firm? How incompetent are our cyber investigators?

    1. Re:Russian Government? Why use a contractor? by HornWumpus · · Score: 1

      Incompetent? No. Corrupt!

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    2. Re:Russian Government? Why use a contractor? by guruevi · · Score: 3, Insightful

      I would say they're both as are most people in computer security these days. You cannot identify a state-level attacker, only guess. The Stuxnet is a great example, it's "probably" the US or Israel but you can't say for certain because it leaves no trace.

      I must assume given the transparency of the attack this is just a corporate-level hacking group that happened to stumble upon the motherload and probably didn't even realize for months what they had.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    3. Re:Russian Government? Why use a contractor? by XanC · · Score: 1

      That's "mother lode".

    4. Re:Russian Government? Why use a contractor? by HornWumpus · · Score: 1

      Stuxnet was Isreal. They 'let it slip' * at the retirement party of the general in charge.

      Whoever this is, they're having the time of their lives watching the chaos. I'd buy them a beer. If is was Russians, they would have just extorted the Democrats. This is someone doing it for the luls.

      * Could be psych ops.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
  14. Believe???? by Anonymous Coward · · Score: 0

    so they 'Believe' it was Russia.

    I guess it goes with their religiosity..

    An acceptance of bunk as truth to justify a mindset.

  15. This AC really wants us to believe by AHuxley · · Score: 2, Informative

    How many stories have we had on this topic?
    Lets go back down the stories and their new Bear related findings, spies, moles, data diodes and the private sector.
    Starting with "How Hackers Broke Into John Podesta and Colin Powell’s Gmail Accounts"
    https://motherboard.vice.com/r...
    "It’s unclear why the hackers used the encoded strings, which effectively reveal their targets to anyone."
    and finally "None of this new data constitutes a smoking gun that can clearly frame Russia"
    So the first hint of something that is not very spy like?
    Lets try the other link:
    https://theintercept.com/2016/... (September 14 2016)
    "https://theintercept.com/2016/09/13/colin-powell-emails/"
    has "a hacker that many allege to have ties with Russian intelligence." and thats all.
    Finally past the two slashdot links and down at
    "How Russia Pulled Off the Biggest Election Hack in U.S. History" (OCT 20, 2016 )
    http://www.esquire.com/news-po...
    Lets keep reading past the 56k modems and 1950's see whats new.
    "immediately discovered two sophisticated groups of spies" They are not great spies if they are "immediately discovered" by the private sector.
    "soon able to reconstruct the hacks and identify the hackers." If the entry was so easy to reconstruct, it could be anyone with the skills.
    "each of the attackers seemed unaware of what the other was doing" so more than one group used methods out in the wider public at random times?
    Sounds like a few different groups are active.
    So groups with "immediately discovered" methods must be the GRU and KGB?
    "But several sloppy mistakes"... Do spies make so many "sloppy mistakes"? Use of their own language and emoji?
    The Germans added their support to 'Fancy Bear" from years ago. Well understood methods by "different" groups that the private sector was well aware of?
    The "hackers forgot to set" - that sounds like spies? Such a "rapid public reconstruction" and in public so the media could follow along?
    Then onto the NSA, data diodes, and a small hint at a real spy could be in play with "an old-fashioned mole passed on the tools."
    How did the other data get out? "Using commercial cloud services to "exfiltrate" data out"
    So we are back to ip ranges? "Confident" in URL's and all that code litter that expert "spies" left for the media, private sector and "open-source counterintelligence" to find. Don't forget the easy to find emoji as part of the litter :)

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re:This AC really wants us to believe by Anonymous Coward · · Score: 1

      So... how's the weather in Moscow, comrade?

  16. So you're not worried about Brexit 2.0? by Xenographic · · Score: 1

    > It's less than three weeks away, and no modern presidential candidate has ever come from this far behind at this late a date

    I can't help but note how carefully this was worded so as to evade both Dewey vs. Truman and Brexit.

    1. Re:So you're not worried about Brexit 2.0? by MightyMartian · · Score: 2

      Which, as Nate Silver pointed out, is a very poor example considering the lack of polling at the time, and the fact that even with the limited data, there was some indication of Truman pulling ahead.

      http://fivethirtyeight.com/fea...

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    2. Re:So you're not worried about Brexit 2.0? by Xenographic · · Score: 1

      See also: http://fivethirtyeight.com/fea...

    3. Re:So you're not worried about Brexit 2.0? by Anonymous Coward · · Score: 0

      nate is a clown, who has completely corrupted his claim to fame with punditry by injecting it into his opaque models andeven using it to overrule his data. sam wang on the other hand, is the one true poll aggregator. the transparent, median based statistical king

  17. So this was the fault of.... by Anonymous Coward · · Score: 0

    a short between the display and the keyboard or mouse.... Short of brains, short of operating security sense, and short of being clued in to any kind of security mindedness, but long on hubris.

    And this from the people who ran a private E-mail server to do government business and are pretty close to winning the election for president.... Heaven help us...

  18. Going To Happen More Often by Anonymous Coward · · Score: 0

    This is only going to get worse due to ICANN's greediness. Is search.google valid? What about google.search, com.google, com.google.www, google.google, etc... We might end up being forced back into indexed-based search sites like when the web was young. If a search turns up all those URLs and they all have very similar looking content, there's no way for you to know which one is the site you want.

  19. Spy vs Spy by Anonymous Coward · · Score: 0

    "he hackers created them with with two Bitly accounts in their control, but forgot to set those accounts to private, according to SecureWorks, a security firm that's been tracking Fancy Bear for the last year."

    I does SecureWorks know whether they "forgot" or chose not to? This is Spy vs Spy stuff where nothing may be what it appears.

  20. Inside jobs more likely. by Anonymous Coward · · Score: 0

    I'm skeptical; there are many gigs of emails, the upload would have taken quite a while. Our cyber security/network admins must really suck at the highest levels of government to not pick this up during that time. It's much more likely to be an inside job.

  21. I bet the Russians are behind this by Anonymous Coward · · Score: 0

    Listen and believe.

  22. idiots by ooloorie · · Score: 3, Interesting

    These are the idiots who are likely going to win the election, start a cyber war with Russia, and be privy to the innermost secrets of our government. And instead of resigning, Hillary goes on whining about it's all Trump's fault.

    For Hillary, it's never Hillary's fault, it's always a Russian conspiracy, or a vast right wing conspiracy, or bad luck, or "I didn't do it", or ... WDATPDIM?

    It's sickening.

    1. Re:idiots by Anonymous Coward · · Score: 0

      It's ok, for Trump nothing is ever Trump's fault.

    2. Re:idiots by Anonymous Coward · · Score: 0

      How many politicians set a better example? Besides, to the Republican mind, taking responsibility is a sign of weakness, hence the often repeated but ludicrously inaccurate stories of Democrats going all over the world saying America is to blame for everything.

  23. You need to by Anonymous Coward · · Score: 0

    ..be THIS tall to use the fucking int4rw3bz0rz. idjits.

  24. The Links Only Worked by Anonymous Coward · · Score: 0

    Because the target was running WINDOWS!

  25. In the long run by Max_W · · Score: 2

    Even though these revelations may hurt certain politicians or parties, in the long run I think it is beneficial for everyone. In the past we would hear about a candidate like D.Trump that he helped poor women and children all his life untiringly, or that a competing candidate of the DNC, remarkably selfless one, is selected via popular vote, that our e-mails and browsers are secure, etc.

    Now we know the truth. Yes, it is a bitter stunning truth, probably harmful truth, but it is the truth. And we could start to figure out what to do about it as grown up people, as opposite to deluded children.

    In the Japanese language there are two words for reality. On is a reality as it seems, and another is the reality as it actually is. We need more of the latter and not only from the US.

    I do not believe these were pure hacks. I am almost sure that there were inside helpers, individuals who want us to know the reality as it is.

  26. How oblivious do you have to be? by No+Longer+an+AC · · Score: 1

    The phishing email that Podesta received on March 19 contained a URL, created with the popular Bitly shortening service, pointing to a longer URL that, to an untrained eye, looked like a Google link.

    I can sympathize with Podesta for not knowing much if anything about how the internet works, but is he so oblivious that he's never heard you shouldn't click any old link that lands in your Inbox?

    Maybe Podesta and many other people just zone out when they hear the multitude of stories over the years about not trusting e-mail and not clicking on links you're unsure of.

    He should at least realize that he's a high value target for hackers. He should at least have someone on his staff who would make sure he understands a few basic things to not fall prey so easily and it appears one of those things should have been to forward any e-mail relating to any computer-related issue no matter how legitimate looking to that person.

    Maybe whoever set up his computer for him told him it was totally secure and he believed them.

    Can we ever develop a kind of "herd immunity" from phishing attacks?

    1. Re:How oblivious do you have to be? by ebvwfbw · · Score: 1

      All he had to do is ask the inventor - Al Gore.

      I know, I know... Couldn't resist.

  27. Two Form Factor Authentication by Anonymous Coward · · Score: 0

    especially if your a public figure....

  28. NOT Russians by Anonymous Coward · · Score: 1

    > ...believe are spies working for the Russian government.

    Stop saying this. There is no proof, let alone any compelling evidence, that the Russians are orchestrating these hacks. If you believe this then you also believe North Korean hacked Sony, and a shitty anti-Mohammed movie sparked riots in Benghazi. They are lying to you.

  29. Next up for Dipshit Podesta: by frankenheinz · · Score: 1

    White House Chief of Staff. yay

    --
    The law is not an ass. No really.
  30. I really don't care how they did it. by NoSalt · · Score: 1

    I really don't care how they did it, I'm just glad they did. The government is saying that Russia is interfering in the 2016 elections. Where the government says "interfering" I say "informing". I, for one, am glad they are letting us know just what kind of crap Clinton is trying to pull on us. I am glad that we finally have a first-hand peek at the underhandedness of our elected officials. I mean, if she tried this stuff before the election, just think about what she would feel privileged enough to try if she gets elected.

  31. An informed observer's comment on Podesta leak by Joe+Branya · · Score: 1

    I hesitate to post this. Last week I was at a small meeting here in Austin, TX. The speaker was a former senior U.S. intelligence official. The meeting was open and I heard nothing that I thought was classified or very surprising.

    In the question period a person asked if the Podesta email leak was done by the Russians and was Putin trying to elect Trump. The speaker's answer was that the intelligence community consensus is that the Podesta leak was probably Russian in origin (I’m not sure he said “Russian government”, which is an important distinction). To the “Elect Trump?” question, he said he thought electing Trump was probably not the goal. More likely the aim was to further reduce the American public’s already limited trust in U.S. governmental institutions.

    Again, the meeting took place a week ago, I took no contemporaneous notes and I’m paraphrasing what the speaker said from memory, so take it for what it’s worth

  32. Solution is so easy by ebvwfbw · · Score: 1

    All Podesta had to do is run his own e-mail server then none of this would have happened. No G-mail to hack.

    Heh