The CEO of email security firm Agari, Ravi Khatod, has said that the John Podesta emails could well be the tip of the iceberg – and that he expects another scandal to emerge in the days before the results of the US election are announced.
John Podesta is the White House chief of staff leading Hillary Clinton's 2016 presidential campaign. WikiLeaks obtained a tranche of emails allegedly from Podesta and made these public in October this year, leading to investigations from the FBI and speculation about the Clinton campaign.
Speaking with Techworld, Khatod said: "This is making Brexit look like a sunny day. There is going to be another issue that drops – I hate to say it but I predict that there will be another significant bombshell that comes out between now and Tuesday."
"Those emails, they are not just emails," Khatod explained. "The attackers got access to Podesta's email, so they also have access to his Dropbox and other file systems. I am sure there is one more shoe that's waiting to drop – so there's a real chance Hillary Clinton could lose and Donald Trump will become president."
Agari supplies email security to businesses like Google and Microsoft – which are also partners – in a way that is designed to create trust among consumers and businesses. It uses machine learning to try to determine which emails are trusted and which are not, providing these with a signature. PayPal is a customer, as are six of the top 10 banks, including Barclays, JP Morgan Chase and HSBC. Facebook, the largest sender of emails in the world by volume, is also a customer.
The company sifts through between eight and 10 billion email messages a day.
"Email is your fundamental identity," Khatod said. "Where we're going with our business is not just to stop email fraud and abuse but to understand identity and score trust based on identity. For example, what would be the effort to change your business email address? It'd be hard – you might have an alias – but it's hard to change your ID because it's linked to Active Directory, policy and lots of other things. You use that ID to log on to your intranet, other types of things."
Because email is a 40-year-old technology that did not have security baked in from the start, it is an easy target to compromise, Khatod said.
"The identity you have is very sticky and hard to change, so therein lies a real problem," he explained. "It's hard to change your identity – and someone can perpetrate your identity, and a lot can be gained by the attack."
"Email was never designed to be secure," he said. "People try to use email encryptions and things like that, but it's so unusable – so we go back to using email on our devices."
He acknowledged that email is now a political battleground – and that this is a trend that shows no signs of slowing.
The potential downfall of the Democratic party in this race, Khatod said, was due to a simple spoof.
"We call it business email compromise," he said. "You might have a presidential race that's compromised – $175 million dollars have been spent and just one attack can expose it all."
"There's a concept called account takeover," Khatod said. "The other thing the hackers could have done is taken over John Podesta's email account – and then perpetrated themselves as John Podesta. They could have sent out to his contacts an email they would have thought came from John: he's asked me to deliver this speech, or send my communication notes. If you think about it, it's frightening how easy it is, and how much access and privilege you can get just by compromising an email."
Khatod has prior experience working closely with intelligence agencies to develop their 'air-gapping' strategies – essentially micro-segmentation at the desktop level, so if systems are compromised they can't infect the host or spread.
But according to Khatod, email will be an area where intelligence agencies the world over are focusing a lot of their time.
"The United States, the British, the Israeli agencies make what the Russians and Chinese do look like child's play," he said. "It's not just email based – they have some very sophisticated means of human deception. Some of the attacks they have launched are substantial."
"I think the worst part is we've probably not seen the worst yet," he said. "Given the effectiveness of it, with the DNC hack – I'm sure somebody has hacked the Republicans. Someone might have hacked Theresa May, or one of her confidants or administrators. It's very effective. When you have state actors they can be very sophisticated."
"It's effective. People don't have perfect defences – every study we have seen shows that nearly half of people will click on an email that impersonates, and nearly 15 percent will be compromised. If you think about it from a hacker's standpoint, it's inexpensive, it's highly effective as opposed to trying to attack the network. It's used at the state level, at the consumer level, and at the enterprise level."