Gizmodo Tricks James Comey, Trump Advisers Into Responding To Blatantly Obvious Email Hack Attempt


Trump and his team made a great deal of the campaign about Hillary Clinton’s email security (including gleefully exploiting hacked emails stolen by Russia and released by Wikileaks), so one might think their own email security practices would be stellar. Alas, like so many of Trump’s criticisms of Hillary, his team’s own security efforts are much, much worse.


To prove this point, tech site Gizmodo created a “test” to see how well Trump’s staff handles email security. Adding even more fuel to the fire, they also included James Comey — who had played a central role in perpetuating lies about Hillary Clinton’s emails in the days leading up to the election.

Three weeks ago, Gizmodo Media Group’s Special Projects Desk launched a security preparedness test directed at Giuliani and 14 other people associated with the Trump Administration. We sent them an email that mimicked an invitation to view a spreadsheet in Google Docs. The emails came from the address security.test@gizmodomedia.com, but the sender name each one displayed was that of someone who might plausibly email the recipient, such as a colleague, friend, or family member.

Disturbingly, a number of Trump associates fell for it.

Some of the Trump Administration people completely ignored our email, the right move. But it appears that more than half the recipients clicked the link: Eight different unique devices visited the site, one of them multiple times. There’s no way to tell for sure if the recipients themselves did all the clicking (as opposed to, say, an IT specialist they’d forwarded it to), but seven of the connections occurred within 10 minutes of the emails being sent.

Even more disturbing, both Newt Gingrich and (now former FBI director) James Comey seemed to buy into the premise, while remaining slightly skeptical. Comey, for instance, asked the sender to explain to him what was in the attached document. Surely a better response than just clicking on it, but still dangerous. By asking a potential hacker to explain himself or herself, the (former) FBI director only opened the door to further chances to be hacked. He also appeared to believe the email was really from a friend based solely on the name attached to the email account.

Is it legal to do this? Some journalists were skeptical.

However, Gizmodo’s defense is pretty solid. For starters, they never collected any actual passwords or contact information for any of the recipients (regardless of whether the marks took the bait). Secondly, they slapped so many disclaimers on the emails that you would have to be extremely oblivious to not understand what was happening — a test which, it turns out, some of Trump’s friends seem to have failed.

For journalistic reasons it provides a lot of insight into just how susceptible some of Trump’s closest advisers are to being hacked. Far from having the moral high ground to lecture Democrats, it turns out that Trump’s team is comprised of technology-challenged suckers capable of exposing a lot of sensitive information to would-be hackers. If Gizmodo can trick them with an email containing numerous disclaimers that this was a potential hack, a real hack — infinitely more subtle — could be a serious threat.

Comey himself acknowledged that Russian attempts to hack America’s democracy appear to be ongoing and warned that they would likely rear their ugly head in 2018 and 2020. He should be extra cautious.

Meanwhile, it’s unlikely that Trump will be able to appropriately respond to this threat. He may not even recognize it exists. He talked a mean game about Hillary’s email security, but the closest he ever came to commenting on his own understanding of cyberwarfare was claiming his 10-year-old son Barron was good with computers. Given that level of ignorance, Trump isn’t likely to start leading by example.

Yikes.


Featured image via Andrew Harrer-Pool/Getty Images
