John Podesta: SOmeOne has your passwOrd
Haystack #2-John Podesta
When someone apparently clicked on the fake re-set password link in the phished Gmail account of Mr. John Podesta, all hell broke loose, to say the least. The American Presidential campaign of 2016 was about to change in an unprecedented manner. This one click, an obvious No-No, was a major security blunder. And it’s still unclear who actually hit the return key and sent the hackers a treasure trove of emails.
Since Mr. Podesta’s Gmail account access was shared with other people, a second big No-No, one wonders why the hacker script in the subject line above slipped by multiple people. An IT person who had access apparently vouched for the Phish’s authenticity and included a real Google security link for a password re-set. But an aide for Mr. Podesta, or Mr. Podesta himself, ignored this good link and must have clicked the fake security re-set link in the original Phish? It’s unknown who actually clicked the bad boy link. So one might ask why none of these people saw this unconventional subject line with hacker script? Was Google getting goofy with their character sets and security notifications?
When Julian Assange opined that a “14 year old” could have hacked Mr. Podesta, we disagree. To us, that script looked more like 15 or 16 year old toying lingo. And that’s not to say the teenage hacker couldn’t have worked for some state sponsored team. They do contract youngsters!
As WikiLeaks released upwards of 60,000 emails of Mr. Podesta, one contained an account password sent from an aide containing his Apple ID, a third No-No, the emailing of sensitive passwords. So we decided to use this password, Runner4567, to start a password progression test on Mr. Podesta using our PitchFork database of ~4 billion compromised accounts. Was John Podesta already exposed before the so-called phish attack?
OK, two accounts with that exact password. Might be him. But we're betting John changed his Apple ID password after the hackers allegedly wreaked havoc. So we know he’s an avid runner. Let's run a variation.
Wow. Lots of runner passwords here. He could be in here. Next step would be to peruse the account permutations and look for running, law, Georgetown, cooking, politics, anything from his personal profile. A few leads look promising. We know he tinkers with UFO beliefs. So we try this:
Again, we look for signs, possibly extraterrestrial, of John’s presence in the permutations. Some really weird people here, but hey, we’re not judging. Nothing really shows up. Then we try the obvious:
In defense of John, he could have lots of relatives. And of course the hackers could be mocking his demise at this point.
As we looked through our data and the WikiLeaks emails and drilled down a bit further, it led us into an abyss of insecure people and domains. Why would a man who probably had the highest security clearance in the land share his Gmail account, have lousy password habits, and forward upwards of ten other email accounts into this one single repository of approximately 60,000 emails over a ten year period (fourth No-No)? Here are just some possible accounts that may have forwarded emails to his Pandora’s Gmail Box:
After we turned over a few rocks and looked at a few of these domains, some passwords caught our attention. They clearly point to the “weakest link” within Hillary Clinton’s campaign and President Barack Obama’s White House. With account analysis, it’s not hard to see where these people have been or where they are going. Clearly, the hackers would target these weak links.
Someone in the White House likes to go to the mall.
Once the hackers prey on these weak passwords, they could establish a beachhead within the subject's email contacts and continue phishing inside the target organization. Only this time the fake email comes from a trusted colleague, truly “phishing” in a barrel.
“Perfect Storm” to go Phishing
So how did a Georgetown lawyer who probably once had the highest clearance in the government get “phished?”
The simple answer is he’s a busy dude. Mr. Podesta, who we appreciate for his public service, appears to be a 24/7 guy who works in many entities and is from a non-technical generation. Add the many email accounts above into the equation and you have a cocktail ripe for phishing.
We have seen some extremely high level people get phished. One was the head of a three letter intelligence agency. Yes, you read that right. Another was a President of a major news organization and a third was a C level executive at a major entertainment company. When we say “extremely” high level, we aren’t kidding. Bagging the elephant does happen!
John Podesta, an overextended high achiever, compiled his own big data, ~60,000 emails in his insecure Gmail account over a ten year period. He then didn’t take the necessary security precautions to safeguard that data, violating some issues he personally authored in a Big Data report for President Obama in 2014. His lack of computer security mindfulness was a significant factor in the 2016 elections. But then again, as we pointed out, Hillary’s campaign server and Mr. Obama’s White House could also have been one click away from disaster.
(Stay tuned for our “Weakest Link” corporate story. Every company or organization needs to run a password progression test on their employees before they give away the farm.)
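One defender-side reading of the password progression test recommended above, as an added example that is not from the original article or its PitchFork tool: at password-change time, flag a proposed password that is only a variation of one already in a breach corpus. The stemming rule, the `LEET` table, the function names and the sample passwords are assumptions constructed for illustration, and the corpus is assumed to be available in plaintext.

```python
import re

# Assumed substitution table: common look-alike characters mapped back to letters.
LEET = str.maketrans("013457@$", "oleastas")
MIN_STEM = 4  # shorter stems match too much to be useful


def stem(password):
    """Reduce a password to the word its owner tends to keep between changes."""
    p = password.lower()
    p = re.sub(r"[\W\d_]+$", "", p)   # drop trailing counters, years, "!"
    p = p.translate(LEET)             # undo substitutions inside the word
    return re.sub(r"[^a-z]", "", p)   # keep letters only


def build_index(breached):
    """Map each stem to the breached passwords that share it."""
    index = {}
    for pw in breached:
        s = stem(pw)
        if len(s) >= MIN_STEM:
            index.setdefault(s, set()).add(pw)
    return index


def screen(candidate, breached, index):
    """Classify a proposed password as 'exact', 'progression' or 'ok'."""
    if candidate in breached:
        return "exact"
    if index.get(stem(candidate)):
        return "progression"
    return "ok"


# Constructed sample corpus, not real breach data.
BREACHED = {"Trailhead4567", "Summer2015!", "qwerty123"}
INDEX = build_index(BREACHED)

if __name__ == "__main__":
    for pw in ["Trailhead4567", "Tr@ilhead2016!", "5ummer2017", "violet-kettle-orbit"]:
        print(pw, "->", screen(pw, BREACHED, INDEX))
```

A "progression" result means that changing the digits or swapping in look-alike characters did not move the password away from its breached predecessor, so the change should be rejected just like an exact match.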