June 25, 2017 Disclaimer: Please read.
Statements and opinions expressed in articles are those of the authors, not Truthdig. Truthdig takes no responsibility for such statements or opinions.
Any Half-Decent Hacker Could Break Into Mar-a-Lago
Posted on May 18, 2017
By Surya Mattu, Jeff Larson and Julia Angwin / Gizmodo & ProPublica
Square, Story page, 2nd paragraph, mobile
This story was co-published with Gizmodo. Report written by Surya Mattu of Gizmodo, and Jeff Larson and Julia Angwin of ProPublica.
Two weeks ago, on a sparkling spring morning, we went trawling along Florida’s coastal waterway. But not for fish.
We parked a 17-foot motor boat in a lagoon about 800 feet from the back lawn of The Mar-a-Lago Club in Palm Beach and pointed a 2-foot wireless antenna that resembled a potato gun toward the club. Within a minute, we spotted three weakly encrypted Wi-Fi networks. We could have hacked them in less than five minutes, but we refrained.
Square, Site wide, Desktop
Square, Site wide, Mobile
We have also visited two of President Donald Trump’s other family-run retreats, the Trump International Hotel in Washington, D.C., and a golf club in Sterling, Virginia. Our inspections found weak and open Wi-Fi networks, wireless printers without passwords, servers with outdated and vulnerable software, and unencrypted login pages to back-end databases containing sensitive information.
The risks posed by the lax security, experts say, go well beyond simple digital snooping. Sophisticated attackers could take advantage of vulnerabilities in the Wi-Fi networks to take over devices like computers or smart phones and use them to record conversations involving anyone on the premises.
“Those networks all have to be crawling with foreign intruders, not just ProPublica,” said Dave Aitel, chief executive officer of Immunity, Inc., a digital security company, when we told him what we found.
Security lapses are not uncommon in the hospitality industry, which — like most industries and government agencies — is under increasing attack from hackers. But they are more worrisome in places where the president of the United States, heads of state and public officials regularly visit.
U.S. leaders can ill afford such vulnerabilities. As both the U.S. and French presidential campaigns showed, hackers increasingly exploit weaknesses in internet security systems in an effort to influence elections and policy. Last week, cyberattacks using software stolen from the National Security Agency paralyzed operations in at least a dozen countries, from Britain’s National Health Service to Russia’s Interior Ministry.
Since the election, Trump has hosted Chinese President Xi Jinping, Japanese Prime Minister Shinzo Abe and British politician Nigel Farage at his properties. The cybersecurity issues we discovered could have allowed those diplomatic discussions — and other sensitive conversations at the properties — to be monitored by hackers.
The Trump Organization follows “cybersecurity best practices,” said spokeswoman Amanda Miller. “Like virtually every other company these days, we are routinely targeted by cyberterrorists whose only focus is to inflict harm on great American businesses. While we will not comment on specific security measures, we are confident in the steps we have taken to protect our business and safeguard our information. Our teams work diligently to deploy best-in-class firewall and anti-vulnerability platforms with constant 24/7 monitoring.”
The White House did not respond to repeated requests for comment.
Trump properties have been hacked before. Last year, the Trump hotel chain paid $50,000 to settle charges brought by the New York attorney general that it had not properly disclosed the loss of more than 70,000 credit card numbers and 302 Social Security numbers?. Prosecutors alleged that hotel credit card systems were “the target of a cyber-attack” due to poor security. The company agreed to beef up its security; it’s not clear if the vulnerabilities we found violate that agreement. A spokesman for the New York attorney general declined comment.
Our experience also indicates that it’s easy to gain physical access to Trump properties, at least when the president is not there. As Politico has previously reported, Trump hotels and clubs are poorly guarded. We drove a car past the front of Mar-a-Lago and parked a boat near its lawn. We drove through the grounds of the Bedminster golf course and into the parking lot of the golf course in Sterling, Virginia. No one questioned us.
Both President Obama and President Bush often vacationed at the more traditional presidential retreat, the military-run Camp David. The computers and networks there and at the White House are run by the Defense Information Systems Agency.
In 2016, the military spent $64 million on maintaining the networks at the White House and Camp David, and more than $2 million on “defense solutions, personnel, techniques, and best practices to defend, detect, and mitigate cyber-based threats” from hacking those networks.
Even after spending millions of dollars on security, the White House admitted in 2015 that it was hacked by Russians. After the hack, the White House replaced all its computer systems, according to a person familiar with the matter. All staffers who work at the White House are told that “there are people who are actively watching what you are doing,” said Mikey Dickerson, who ran the U.S. Digital Service in the Obama administration.
By comparison, Mar-a-Lago budgeted $442,931 for security in 2016 — slightly more than double the $200,000 initiation fee for one new member. The Trump Organization declined to say how much Mar-a-Lago spends specifically on digital security. The club, last reported to have almost 500 members paying annual dues of $14,000 apiece, allotted $1,703,163 for all administration last year, according to documents filed in a lawsuit Trump brought against Palm Beach County in an effort to halt commercial flights from flying over Mar-a-Lago. The lawsuit was dropped, but the FAA now restricts flights over the club when the president is there.
It is not clear whether Trump connects to the insecure networks while at his family’s properties. When he travels, the president is provided with portable secure communications equipment. Trump tracked the military strike on a Syrian air base last month from a closed-door situation room at Mar-a-Lago with secure video equipment.
However, Trump has held sensitive meetings in public spaces at his properties. Most famously, in February, he and the Japanese prime minister discussed a North Korean missile test on the Mar-a-Lago patio. Over the course of that weekend in February, the president’s Twitter account posted 21 tweets from an Android phone. An analysis by an Android-focused website showed that Trump had used the same make of phone since 2015. That phone is an older model that isn’t approved by the NSA for classified use.
Photos of Trump and Abe taken by diners on that occasion prompted four Democratic senators to ask the Government Accountability Office to investigate whether electronic communications were secure at Mar-a-Lago.
In March, the GAO agreed to open an investigation. Chuck Young, a spokesman for the office, said in an interview that the work was in “the early stages,” and did not offer an estimate for when the report would be completed.
So, we decided to test the cybersecurity of Trump’s favorite hangouts ourselves.
Our first stop was Mar-a-Lago, a Trump country club in Palm Beach, Florida, where the president has spent most weekends since taking office. Driving past the club, we picked up the signal for a Wi-Fi-enabled combination printer and scanner that has been accessible since at least February 2016, according to a public Wi-Fi database.
An open printer may sound innocuous, but it can be used by hackers for everything from capturing all the documents sent to the device to trying to infiltrate the entire network.
Banner, End of Story, Desktop
Banner, End of Story, Mobile
Watch a selection of Wibbitz videos based on Truthdig stories:
New and Improved Comments
Right Skyscraper, Site Wide
Right Internal Skyscraper, Site wide