Application security, Compliance Management, Network Security, Privacy, Vulnerability Management

Trump staffers use private email server, president still favors unsecured Android

After relentlessly hammering opponent Hillary Clinton during the presidential campaign for using a private email server and unsecured personal devices while she was Secretary of State and ostensibly putting the U.S. at risk from hackers, Donald Trump is still using an unsecured Android phone.

Also, some of his closest White House aides still maintain accounts on a private email server run by the Republican National Committee (RNC) that was reportedly hacked during the campaign.

It is not yet clear if or how Trump's son-in-law Jared Kushner, Kellyanne Conway, Steve Bannon, Sean Spicer and others are using the email system, Newsweek reported, but it's not unusual for staffers to retain both private and White House email addresses so they can separate political business from official government business.

The RNC email server is the same one used by members of the Bush administration to communicate during the Iraq War and while the White House was planning to ouster seven U.S. attorneys. It became the center of controversy for a short time after the administration claimed it lost 22 million emails on the server (rnchq.org).

Trump has repeatedly said that Russian hackers who broke into the Democratic National Committee (DNC) systems and others affiliated with Democratic Party and/or Clinton were unable to best what he called the RNC's superior security.

But on January 10, FBI Director James Comey confirmed to the Senate Select Committee on Intelligence that Russian hackers had in fact made “limited penetration of old RNC” systems “no longer in use.”

Clinton's use of a private email server was fodder for Trump, whose fans regularly chanted “Lock her up!” during rallies across the country. The new president, whose prolific use of Twitter has raised security concerns, continues to use an unsecured Android device, the New York Times reported Wednesday. The Times had reported on Inauguration Day that Trump had traded his Android in for an encrypted device. But Wednesday's report indicated the president was still using his old Android and cited a friend of his as saying his aides want him to relinquish the phone as well as his personal Twitter account and stop texting.

"Trump should be using a secure device. The use of an Android device increases his attackable surface where hackers could intercept information through unsecure WiFi," said CyberScout Chairman and Founder Adam Levin, noting in comments emailed to SC Media that high profile figures and government agencies are "walking targets" for hackers. "Trump's constant use of his personal Twitter account could be a goldmine for hackers looking to engage in cyber espionage. Hackers could cause major international upsets and scandals by simply posting disinformation." 

Matthew Gardiner, cybersecurity strategist at Mimecast compared the issue to "the 'rogue IT' problem" that challenge enterprises. 

"The use of consumer grade, un-defended and un-monitored communications systems for use by high-value and thus highly targeted individuals is a recipe for a security disaster. A cybercriminal would technically be able to hack President Trump's or some other official's Twitter account and be able to move markets. Enterprise systems and security controls are there for a reason," Gardiner said in comments emailed to SC Media. "But if the users circumvent them and use consumer grade systems to conduct official business, then all bets are off.”

Indeed, on Monday night, WauchulaGhost, the hacker who's best known for hacking into the Twitter accounts of ISIS members and replacing their messages with those of gay pride and porn, tweeted out to Trump's team that the president, first lady and vice president needed to change one of the security settings on their Twitter accounts, adding a phone number or email address to change passwords, to thwart hackers.

Posting partially redacted emails, WauchulaGhost also tweeted, "we found the following information associated with your account."

An In-Depth Guide to Application Security

Get essential knowledge and practical strategies to fortify your applications.

You can skip this ad in 5 seconds