The 2016 Election, Lessons Learned in Cybersecurity, 1

It was 40 years ago this past Sunday, June 11, that I received my BA in Computer Science.  Computer science was a relatively new academic discipline, even in 1977, and it was hard to imagine then that 39 years later computing, in all its ubiquity, could have any effect on a national political campaign.  While politicians and investigators try to determine what cyber-meddling (and perhaps cyberwarfare) Russia carried out during the 2016 election campaign, there are several lessons to be learned by every individual user, the first of which concerns access control.

Userids and passwords.  We all hate them, and yet none of us can live without them.  They provide access to our most important personal secrets, whether those secrets are in our bank accounts, our credit card accounts, our Facebook posts, our online trove of photos, or our e-mail accounts.  We should change them frequently, although there are many different theories on how frequently they should be changed.  However, we should be careful about changing them simply because an unsolicited prompt tells us to, which is exactly what happened to several staffers and senior advisers to the Hillary Clinton campaign.

As described in the New York Times article The Perfect Weapon: How Russian Cyberpower Invaded the U.S., these advisers, including senior adviser John Podesta, were presented with an e-mail, purportedly from Google, imploring them to change their password.  Naturally, those e-mails were not from Google; they were from Russian hackers, and once the user changed the password, it was harvested by those hackers, who now had access to all of the e-mails in the affected account, including e-mails from other Clinton campaign staffers who had not changed their Gmail password.

So what’s the lesson here? Without getting into the politics of the situation, the fact is that, as I teach my students, there are several things the average user should do regarding changing their passwords.

  1. If presented with an e-mail like the one those campaign staffers received, ask yourself: “Am I expecting such an e-mail?” “Why would I be getting such an e-mail?”
  2. “Mouse over” the link to the sender (the sender’s e-mail address) and the link to the password-change page.  A phishing message won’t show a legitimate Gmail administrative address, or the address of your organization’s e-mail administrator.  It’s not always easy to “mouse over” a link on a smartphone (it depends on your phone), so you have to take the attitude that the world is not going to come to an end if you don’t change the password immediately – wait until you can get to a laptop or desktop computer to do this.
  3. And most importantly, never change the password from a link in an e-mail.  Sign into your e-mail account, open the settings, and change it there.  As I stated in point 2 above, the sky isn’t going to fall if you don’t change your password immediately.
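The “mouse over” check in step 2 can also be done programmatically, which is useful for teaching what the hover actually reveals. The script below is an added example and is not part of the original post: it parses a raw e-mail, pulls the real sender address out of the From header, and for every link in the body compares where the link points with what its visible text claims. The two sample messages are constructed for this example (the lookalike sender uses a reserved `.example` domain, not a real one), and the assumption that a genuine Google notice comes from, and links to, `google.com` or one of its subdomains is mine, not the post’s.

```python
# Added example: a programmatic version of the post's "mouse over the link" checks.
# Not part of the original post; the sample messages and trusted-domain list are constructed assumptions.
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a genuine Google notice comes from, and links to, google.com or a subdomain of it.
TRUSTED_DOMAINS = ("google.com",)


def is_trusted(host: str) -> bool:
    """True if host is a trusted domain or a subdomain of one (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags: the href is what a mouse-over shows."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_message(raw: str) -> list:
    """Return the red flags found in a raw RFC 822 message; an empty list means none were raised."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []

    # Step 2a: look at the real sender address, not the display name ("The Gmail Team").
    _, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2]
    if not is_trusted(sender_domain):
        flags.append(f"sender domain '{sender_domain}' is not a trusted Google domain")

    # Step 2b: for each link, compare where it really goes with what its text claims.
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is None:
        return flags
    collector = LinkCollector()
    collector.feed(body.get_content())
    for href, text in collector.links:
        target = urlparse(href).hostname or ""
        if not is_trusted(target):
            flags.append(f"link goes to '{target}', not a trusted Google domain")
        shown = urlparse(text).hostname or ""  # non-empty only when the link text itself is a URL
        if shown and shown != target:
            flags.append(f"link text shows '{shown}' but points to '{target}'")
    return flags


# Constructed phishing-style message in the pattern the post describes (reserved .example domain).
PHISH = """\
From: "The Gmail Team" <no-reply@accounts-google-security.example>
To: staffer@campaign.example
Subject: Someone has your password
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Someone just used your password to try to sign in to your Google Account.</p>
<p>You should change your password immediately:
<a href="http://accounts-google-security.example/reset?u=staffer">https://myaccount.google.com/security</a></p>
</body></html>
"""

# Constructed message whose sender and link are both on google.com; the checks raise no flag.
# Step 3 of the post still applies: change the password from account settings, never from the link.
GENUINE_LOOKING = """\
From: Google <no-reply@accounts.google.com>
To: staffer@campaign.example
Subject: Security alert
Content-Type: text/html; charset="utf-8"

<html><body><p>Review activity: <a href="https://myaccount.google.com/security">https://myaccount.google.com/security</a></p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("GENUINE_LOOKING", GENUINE_LOOKING)):
        print(name, check_message(raw) or ["no red flags raised"])
```

Run it as a script and the constructed phishing message produces three flags (untrusted sender domain, untrusted link target, and link text that claims `myaccount.google.com` while pointing elsewhere), while the second message produces none. Passing the checks is not a green light: as the post’s step 3 says, the safe path is to sign in and change the password from the account settings regardless of what the e-mail looks like.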

You aren’t running for President – but you DO have valuable private information that you don’t want compromised.  Don’t fall into the same trap that the HRC campaign staffers did – apply proper, simple cybersecurity methods and hygiene when changing e-mail passwords.  You’ll save yourself a lot of grief and perhaps even money.