Yesterday my boss - who isn't the most net savvy guy in the world - got an email from Paypal claiming that there was a problem with his credit card, so he logged into his account and updated his information.
Today he discovered an unexplained withdrawal for $2,600 from his Checkcard account. This is just minutes after I'd taken a look at this suspicious email and discovered that it didn't come from Paypal at all and instead directed the user to a domain called http://dancesforlifes.com which featured a facimile of the paypal login and html code that then sent his Id, Password and credit card information to a Gmail address.
Oh shit!.
All of this I mention just to point out that email security is not a joke and that many people will go to great lengths to get at the sensitive information we'd prefer to protect. Oh, and it appears that some of the staff of the White House have switched from the secure wh.gov server to using not just the RNC, but personal email accounts!.
From Thinkprogress.
Via Muckraker, U.S. News reports that "just a week after E-mails in the U.S. attorneys case became a main focus of congressional Democrats probing the firings, several aides said that they stopped using the White House system except for purely professional correspondence."
"We just got a bit lazy," said one aide. "We knew E-mails could be subpoenaed. We saw that with the Clintons but I don't think anybody saw that we were doing anything wrong."
But rather than use RNC accounts, "they have subsequently bought their own private E-mail system through a cellular phone or Blackberry server. When asked how he communicated, one aide pulled out a new personal cellphone and said, ‘texting.’"
As was pointed out in the Recommended Diary by citizen92 earlier this week, allowing their communications to be stored on unsecured non-government servers is a major security threat simply waiting to be exploited. All someone needs to do is crack the password and they're in.
The White House is a huge target for electronic espionage by friendly and hostile foreign powers. For those of you who may have visited Washington, this may be evident when you stroll by the various embassies scattered around the city -- with their unusual sculptures of antennas and wires on their roofs. The Russians have a compound just three blocks north of the White House.
The US Government spends undisclosed amounts on countermeasures to protect its critical information and its secure networks. And it has the experts to make sure that those countermeasures are working.
But what if someone in the White House chooses to not use those counter-measures (simply to avoid leaving a subpoena-able trail of bread-crumbs) and as a results gets their password jacked?
I personally know how easy this is to accomplish. Not simply because of what happened to my boss yesterday, but because once upon a time one of best friends was a hacker. Not just any hacker - The Hacker. Kevin Mitnick and I went to High School together (he later spent several years on the run from federal authorities, I - after realizing I didn't want to go Kevin's way, went on to work for the IT department at Northrop-Grumman). Way back in the late 70's I got to see first hand how he used to create password phishing programs just like the one I described at the top of this post to access LAUSD, USC and UCLA logon accounts.
Ah, the classics never fade away it seems.
Besides the security issues, this also may blow WH claims of extended executive priviledge completely out of the water. From Josh Marshall.
"[T]his may have been too clever by half. If the president’s aides were using RNC emails or emails from other Republican political committees, they can’t have even the vaguest claim to shielding those communications behind executive privilege."
And they certainly can't use that claim to protect emails on their personal blackberry and cell phone now can they?
Oh, and by the way - other federal agencies have banned this practice for security reasons.
A reader who has a security role at a federal agency writes, "On the issue of using outside/unofficial e-mail address from official sites, the CIO at [redacted] has expressly forbade the practice for security reasons as it is all too easy to put sensitive information in an e-mail. ... Needless to say, hearing that the WH does not mandate that practice and lets [Rove] do 95% of his e-mailing from a blackberry, presumably with access to an unofficial address, is quite shocking. Still find it absolutely amazing that his clearance has not been revoked."
"Amazing" simply isn't the world for it.
Getting zapped for a couple grand is pretty bad, but just imagine how much of the nation's assets are being put a risk by these WH jackasses?
I think Fraking Criminally Negligent is a good set of words for it - how 'bout that?