The Trump Administration's Cyber Hubris
Trump uses an insecure Android phone and his press secretary tweets passwords. What could possibly go wrong?
Cyber security helped elect Donald Trump. During the presidential campaign, hackers cracked open all of the Democrats' secrets and splayed them out for everyone to see, while Hillary Clinton was raked over the coals for using an insecure server for her own personal email. Republicans' communications, meanwhile, stayed out of the public eye.
But success can breed hubris, and there are some worrying trends in the first few days of the Trump administration. Nobody hacked Trump, but he's acting like nobody can.
Why nobody should use a Galaxy S3
The S3 is susceptible to the worst Android bug ever discovered, Stagefright. Cured in Android 5.1.1, Stagefright lets hackers gain full access to your phone with some specially crafted MMS messages. There haven't been a ton of confirmed Stagefright-related hackings in the U.S., but most of us aren't as high value a target as the President of the United States. The Galaxy S3 never got an upgrade beyond Android 4.3. It's horrendously insecure.
Of course, just because he's using a Galaxy S3 for tweeting doesn't mean he's accessing classified data on it. But arbitrary code vulnerabilities like Stagefright can, for example, turn on a phone's microphone to use it as a spy device, even if the phone has no access to anything more sensitive than a public Twitter account.
About those email accounts
According to Wired and Newsweek, influential White House staffers including Sean Spicer and Jared Kushner maintain email accounts on RNC servers; and, for a while, the official POTUS Twitter account pointed back to a Gmail account. Also, Spicer appears to have randomly tweeted things that looked like passwords.
Keeping email on non-government servers can be a good way to keep it out of the public eye, as long as your servers are secure. (Remember all of those deleted Hillary Clinton emails?) Of course, those servers often aren't secure. (Remember all of those Wikileaked DNC emails?)
In any case, it's not a good idea for government officials to outsource their information security to consumer email providers. While Trump famously doesn't use email -- rendering him as secure as possible -- staffers could still be sending around messages with information they'd prefer not make it into the hands of foreign governments.
The good news is that the staff seem to be adapting. Just today, the password reset address for the POTUS Twitter account shifted from Gmail to a White House address. Hopefully, that's a sign of how things are getting cleaned up behind the scenes.
But the tweeted passwords show another vulnerability: it doesn't look like a lot of the White House's communications are being edited or double checked before they go out.
Does Trump need to worry?
Trump's operation has been blessed in the information security realm. Even when the RNC was hacked, the information wasn't released in a way that could damage the organization. So it would make sense that the President feels his operation is impregnable.
The question is when, and if, competent opposing forces will attack the White House in a cyber-spying assault. Those could be a foreign government, such as China, trying to secretly collect data to predict and anticipate Trump's moves, or vigilante hackers trying to embarrass the administration by releasing play-by-plays of how the policy sausage is made.
We haven't seen that happen yet but, come on, it's only been a week. Trump personally may not care much for the nuts and bolts of cyber security, but his staff needs to put their feet down, and keep locking down their electronic hygeine. The fate of the world is actually at stake.