Donald Trump running insecure email servers
But he's got a yuge firewall, folks... the best kind of firewall
US presidential candidate Donald Trump’s criticism of rival Hillary Clinton's use of a private email server while Secretary of State appeared to have rebounded on him.
Security researcher Kevin Beaumont discovered the Trump organisation uses a hopelessly outdated and insecure internet setup.
Servers on the Trump Organization's domain, TrumpOrg.com, are using outdated software, run Windows Server 2003 and the built-in Internet Information Server 6 web server. Microsoft cut off support for this technology in July 2015, leaving the systems unpatched for the last 15 months.
In addition, Beaumont said he'd found that emails from the Trump Organization failed to support two-factor authentication. That’s particularly bad because the Trump Organization's web-based email access page relies on an outdated March 2015 build of Microsoft Exchange 2007, he says. “Windows Server 2003, IIS 6 and Exchange 2003 went end of life years ago. There are no security fixes. They don't have basics down,” the UK based researcher concludes.
Beaumont’s findings are based simply on inspecting publicly available information rather than actively scanning for vulnerabilities or attempting to gain access to insecure systems, a point lost on Trump supporters who have reported him to the Feds.
The Trump Organisation responded to Beaumont’s criticism by putting out a statement to the media saying that its web setup is shielded behind a firewall.
The Trump Organization deploys best in class firewall and anti-vulnerability technology with constant 24/7 monitoring. Our infrastructure is vast and leverages multiple platforms which are consistently monitored and upgraded using current cyber security best practices.
Beaumont dismissed this line of defence as hopelessly weak. “That's a bit like saying it's okay to install WordPress and leave it unpatched forever because there's a firewall,” the researcher said on Twitter before satirising the stance.
The email server issue follows a Trump campaign cloud-based server config snafu that left interns' CVs exposed that surfaced last month. ®