This past week, hacking and the fallout from the released DNC e-mails have been hot on the lips of the media. Very few people in the media understand how this hack might have happened, or the resources required to do it. This is a purely speculative look at how the DNC hack might have happened; I have no special knowledge that would make it particularly accurate. I'm computer-savvy and have heard my share of horror stories, and stories of unsuccessful attempts, so I have some idea of what kinds of attacks might have occurred.
The important thing here is that people within the DNC did not seem to take security very seriously. They shared simple passwords, and personal information like Social Security numbers, over unencrypted e-mail. Mistakes like these are things that even the most securely configured server cannot protect against: an attacker never has to break the server if a user hands over the key. These egregious lapses in basic security, visible in the e-mails themselves, lead me to believe that the DNC was the victim of a social engineering attack.
The person attacking the DNC might have crafted a simple e-mail that got DNC personnel to hand over their passwords. They would find the e-mail address of a DNC employee, let's say Jane Doe, and send her a message like this:
We are doing maintenance on our e-mail server right now, could you send us your password so that we can update your settings?
If this were sent from an address that looked legitimate (a display name like "IT Support", or a domain one character off from the real one) and made it past the mail server's spam filters, Jane might reply with her password. Once that happens, all the attacker needs to do is find the login page for the mail service, and he has access to her e-mail. This is a simple spear-phishing attempt: a phishing message aimed at a specific, named target rather than sprayed at random.
This won't work on many people, but in an organization as lax about security as the DNC appears to have been, it very well might have worked on a few.
As I mentioned, people at the DNC were e-mailing passwords back and forth. Every password sitting in a compromised mailbox therefore hands the attacker another account, and every new account may contain still more passwords, and so on.
Now, if the DNC had forced people to change passwords regularly, a password found in an old e-mail would often have expired already, and the compromise could not have spread very far. Considering the short, simple passwords that were allowed, I doubt this was the case.
At this point, how this might have created a large leak is readily apparent. A few people falling for a simple spear-phishing attempt, combined with poor organizational security measures, could have wreaked havoc, all without an actual attack on the mail server itself.
That's my best guess for what happened: a few people gave their passwords to an attacker, compromising their accounts, and the information in those accounts compromised more accounts.
If this was the case, some simple IT measures could have helped prevent this type of attack:
- More aggressive e-mail filtering to detect fraudulent e-mail, for instance flagging messages whose sender domain merely resembles the organization's own, or whose body asks the reader for a password
- Employee training to recognize threats, including the rule that IT will never ask for a password by e-mail
- Password complexity requirements and expiration
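To make the "more aggressive e-mail filtering" point concrete, here is an added example (my own code, not anything the DNC or any mail vendor ran) of the kind of heuristic triage a mail gateway can apply to an inbound message like the one above. It assumes the organization's domain is example.org, and the two messages it inspects are constructed for illustration: one mimics the password-request e-mail from the post, the other is ordinary internal mail. The indicators it checks are exactly the tells discussed earlier: a display name that claims to be internal while the real sender domain is not, a sender domain one character off from the real one, a Reply-To that routes answers somewhere else, and a body that asks for a password or presses for urgency.

```python
"""Heuristic phishing triage for inbound mail (added example, not from the post).

Assumptions: the organization's own domain is example.org; the sample
messages PHISH and BENIGN below are constructed, not real traffic.
"""
import email
import re
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example.org"  # assumed internal domain

# A legitimate IT department does not ask for passwords by e-mail.
CREDENTIAL_REQUEST = re.compile(
    r"\b(send|reply with|confirm|verify)\b[^.\n]{0,60}\bpassword\b", re.I)
URGENCY = re.compile(r"\b(right now|immediately|within 24 hours|urgent)\b", re.I)


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address ('' if there is none)."""
    return addr.rpartition("@")[2].lower()


def _one_edit(a: str, b: str) -> bool:
    """True if a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if len(a) > len(b):
        a, b = b, a
    # a is shorter: deleting one character from b must give a
    return any(b[:i] + b[i + 1:] == a for i in range(len(b)))


def phishing_indicators(raw: str) -> list[str]:
    """Parse one RFC 5322 message and return the indicators it trips."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    display, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(from_addr)

    # 1. Display name pretends to be internal, real sender is external.
    if ORG_DOMAIN in display.lower() and from_dom != ORG_DOMAIN:
        findings.append(f"display name impersonates {ORG_DOMAIN}, sender is {from_dom}")

    # 2. Lookalike domain: ours embedded in a longer one, or one character off.
    if from_dom != ORG_DOMAIN and (ORG_DOMAIN in from_dom or _one_edit(from_dom, ORG_DOMAIN)):
        findings.append(f"lookalike sender domain {from_dom}")

    # 3. Replies are steered to a different domain than the visible sender.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and _domain(reply_to) != from_dom:
        findings.append(f"Reply-To domain {_domain(reply_to)} differs from From")

    # 4. Body content: asks for a password, and/or applies time pressure.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if CREDENTIAL_REQUEST.search(text):
        findings.append("body requests a password")
    if URGENCY.search(text):
        findings.append("body uses urgency language")
    return findings


def triage(raw: str, threshold: int = 2) -> str:
    """Quarantine when enough independent indicators fire, else deliver."""
    return "quarantine" if len(phishing_indicators(raw)) >= threshold else "deliver"


# Constructed sample: the password-request mail from the post, sent from a
# domain one character off from example.org with an external Reply-To.
PHISH = """\
From: "example.org IT Support" <helpdesk@examp1e.org>
Reply-To: settings@mail-maintenance.net
To: jane.doe@example.org
Subject: Mail server maintenance
Content-Type: text/plain; charset="utf-8"

We are doing maintenance on our e-mail server right now, could you send us your password
so that we can update your settings?
"""

# Constructed sample: ordinary internal mail that should pass untouched.
BENIGN = """\
From: "Jane Doe" <jane.doe@example.org>
To: john.roe@example.org
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

Lunch at noon? I will be at the cafe on the corner.
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("BENIGN", BENIGN)):
        print(name, "->", triage(sample), phishing_indicators(sample))
```

Requiring two independent indicators before quarantining keeps a single false positive (an employee with a personal Reply-To, say) from blocking mail, while the sample above trips all five. These content checks complement, rather than replace, sender authentication (SPF, DKIM, DMARC) at the MTA, which is what catches a message that spoofs the real example.org domain outright.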