During the first presidential candidates’ debate late last month, Republican nominee (and now President-elect) Donald Trump listed the endorsements of over 200 generals and admirals, and 16,500 Border Patrol agents as qualifications for why he would keep America safe from cyber threats. A recent exposé of his own email servers, however, appears to show that Mr. Trump is better at talking the talk than walking the walk. And he spoke too soon.
In a campaign waged through unprecedented mud slinging, a departure of rhetoric from partisan to perverse, and near-constant flagrant falsifications of facts, Trump seems unable to let go of what, in any other election, would have been a throw-away topic: Hillary Clinton’s emails. Following a series of hacks on the Democratic National Committee’s (DNC) servers this summer and the subsequent release of their contents by Wikileaks, Clinton has come under heavy fire for her use of a private email server while in office and poor sportsmanship towards Bernie Sanders. While a sore point for Democrats, it has helped thrust cyber security beyond the presidential campaign, and into popular culture and conversation.
Clinton’s (mis)fortunes on the issue may soon be turning around, however. According to Motherboard, researcher and security architect Kevin Beaumont found a number of email servers belonging to the Trump Organization’s TrumpOrg.com, are using end-of-life software including the operating system Windows Server 2003 and the built-in Internet Information Server 6 web server. Microsoft cut off support to these programs in July of 2015, meaning they have gone unpatched for approximately 15 months.
“During an election where cybersecurity is such a big issue, I was a little amazed at what I saw,” Motherboard quotes Beaumont as saying. “Running outdated software and operating systems for your publicly facing email infrastructure is problematic, especially when you’re a high profile organisation.” Shockingly, this information was all public; Beaumont made his discoveries on Outlook Web Access. Furthermore, he found that not only were Trump’s servers not receiving security updates, but they do not employ two-factor authentication (i.e. requiring a secondary login code) and cannot extend protection to mobile devices. If Russia would like to hack Trump’s campaign too, this may serve as a starting point.
This isn’t the first time Trump’s cyber security and computer skills have been called into question recently. He failed to renew a number of key domain names related to his brand. Not only has this paved the way for parody and pranksters, but he has opened himself, his employees, customers and supporters to phishing attacks from hackers who can hop onto www.Trump.whatever.
The Register also reports that Trump’s online store wasn’t using an HTTPS-secured server, essentially laying out customers’ personal and financial data out for the world to see.
Trump’s personal selling point is that he runs his businesses to massive profit and will have similar positive returns as President of the United States. However, any business that believes cyber security is of value knows that you need at least two factor authentication for email servers, the latest software with frequent updates, protection across devices, and email and customer data encryption.
If this is his understanding of cyber security, he’ll be announcing a firewall with Mexico any day now.