About 20 years ago, my life was in transition. I’d worked full time for a nonprofit agency for a couple of years. The work was grueling and involved a lot of traveling. My boss was a supremely driven man who had little interest in life outside work and expected the rest of us to be the same.
I wasn’t. I had finished university, written a book, ended a bad relationship and felt genuinely free for the first time in a long time. I wanted to work for the property rights of poor South Africans, but I also wanted to play guitar.
About that time, I started listening to a popular British band called Radiohead. I recall telling a date — a teacher — that I was into them. She said, “Oh, yeah. My eighth-graders are, too.” That was our last date.
One of the band’s great songs, which includes a blistering solo by the peerless guitarist Jonny Greenwood, contains the following lyrics:
You do it to yourself, you do
And that’s what really hurts
Is you do it to yourself, just you
You and no one else
I’d like to dedicate that song to Hillary Clinton, her campaign chairman John Podesta and the Democratic National Committee…
Hacked to Pieces
Hillary Clinton’s email problems are legendary.
First there was the private server in the basement. Then the DNC’s emails got hacked, costing Chair Debbie Wasserman Schultz her job. And this month, the whistle-blowing journalism organization WikiLeaks — which, contrary to press reports, isn’t pro-Trump, just rabidly anti-Clinton — got hold of
John Podesta’s personal emails.
Whatever you think of the content of these leaks (which frankly seems ho-hum to me), the fact that these powerful people were hacked so easily is astounding. What were they thinking? Didn’t they realize that email is about as secure as snail mail, if a determined hacker is after you?
Clearly not. Like Colin Powell, whose own private emails were hacked a while back, Podesta was using a commercial email provider — Gmail.
For a famous person, using a free ad-driven email service like Google or Yahoo is like a platoon of Marines driving through Mosul in a VW minibus. Somebody’s gonna poke holes in you.
The Obama administration blames Russia for these hacks, which suits Hillary just fine — she can deflect all questions by focusing on the alleged threat to our national security and electoral sovereignty. But if a Russian did do the hack, he might have been a 10-year-old kid … because the technique used was the simplest, oldest trick in the book.
The cybersecurity firm SecureWorks says the hacking method used to obtain access to Podesta’s email account involved a link in an innocent-looking email doctored to look like it came from Google. The email asked Podesta to log in to his Google account by clicking on a hyperlink, which he did. The hyperlink itself probably looked just like this — colored text with an underline.
When Podesta clicked on the link, he was taken to a fake Google landing page where he entered his username and password. With those, the hacker then had access to his entire email history.
It’s called “phishing.” Instead of a sophisticated brute force attack to crack Podesta’s password, the hacker tricked him into giving up his login details voluntarily.
In other words, Podesta did it to himself. Just him and no one else.
Avoiding the Email Phishing Hook
How can you avoid the same fate? It’s easier than you think:
- When you get an email that asks you to login to a website, make sure you examine the link. All you must do is hover your mouse cursor over the link. Here’s a screenshot of me doing that on an email. You’ll note that the link contains the root address www.kiplinger.com, which is the correct one. But the link Podesta clicked on was “myaccount.google.com-securitysettingpage.tk.” The real Google address ends in .com. That’s the last bit of text before the first backslash in the link you see when you hover over it. This one ended in “.tk”, which refers to the island of Tokelau in the South Pacific: a dead giveaway — if you’re looking, that is.
- If you do click on a link like Podesta’s, check the URL in the address bar of the Web page you land on before you do anything else. If it ends in anything other than the actual domain name of the correct publisher (i.e., Google.com), you’re being phished. Podesta’s phishing link ended in “com-securitysettingpage.tk,” the last part of the address before the first backslash. That would have been plainly visible on the address bar of his Web browser — again, if he was paying attention.
- Don’t use free email for anything sensitive. No Google, Outlook, Yahoo, AOL or Mail.com. Besides being ridiculously easy to hack, all of them mine your personal emails for information about you that can be used to target ads at you.
Go the Last Mile
To be supersecure, sign up for a secure email service like Protonmail or Tutanota. Besides being securely encrypted and unreadable to the companies that host them, they are both run by privacy freaks and based in Europe, outside the easy reach of U.S. spies.
So, there you have it. When it comes to email hacking, there’s absolutely no need to do it to yourself.
Editor, The Bauman Letter