Donald Trump Is Running Some Really Insecure Email Servers
TrumpOrg.com servers are using Windows Server 2003, which Microsoft no longer supports.
Photo: Joseph Sohm/Shutterstock
In what might be one of the more delicious cases of irony to ever grace a presidential election, a researcher has found that a number of email servers linked to Donald Trump's hotel and others businesses are running horribly out of date software which receive no security patches, and are lacking other precautions for keeping hackers out.
The findings come at a time when cybersecurity is a crucial topic in the presidential election, with hackers dumping documents from Hillary Clinton's campaign online, and Trump and his supporters continuing to criticise Clinton's use of a private email server.
"Running outdated software and operating systems for your publicly facing email infrastructure is problematic, especially when you're a high profile organisation," security architect Kevin Beaumont, who highlighted the issues with Trump's servers, told Motherboard in an email. "During an election where cybersecurity is such a big issue, I was a little amazed at what I saw."
A number of mail servers for TrumpOrg.com, a domain registered to The Trump Organization, are using end-of-life software, according to Beaumont. Those include the operating system Windows Server 2003 and IIS 6.0, which comes shipped with it.
"IIS is a webserver, and it's particularly dangerous to run unpatched," Beaumont told Motherboard.
"During an election where cybersecurity is such a big issue, I was a little amazed at what I saw."
According to Microsoft's official website, "Microsoft will no longer issue security updates for any version of Windows Server 2003. If you are still running Windows Server 2003 in your datacenter, you need to take steps now to plan and execute a migration strategy to protect your infrastructure." Microsoft ended support for that operating system in July 2015.
"It's rather worse than just using an out of date OS that can't be kept up to date with security patches as vulnerabilities are discovered," Professor Alan Woodward, visiting professor at the University of Surrey's Department of Computer Science, told Motherboard in a Twitter message. "The configuration of the server appears to be somewhat less than ideal."
On top of all this, Beaumont said the email service only uses single factor authentication. That is, users can't link a device, say their mobile phone, to receive an extra login code, and to keep their account more secure.
It's important to point out that Beaumont is only looking at public records and information: he said he hasn't run any advanced scans on the servers.
"Obviously, there is a lot more which could be looked into—but I'm just looking at publicly available information, I have no interest in accessing these systems," he told Motherboard.
Others might though.
For months, the character known as Guccifer 2.0 has dumped hacked documents from organisations such as the Democratic National Committee, and has claimed to have provided emails to WikiLeaks for publication as well. Over the last week, WikiLeaks has published a steady stream of emails from Hillary Clinton's campaign chair John Podesta.
Based on publicly available information, experts widely believe Guccifer 2.0 to be part of a Russian hacking operation. Earlier this month, the US government officially accused Russia of breaching the Democratic party's computer systems, and claimed that Russia was trying to interfere in the US election.
Regardless, this certainly isn't the first time that some sort of Trump-run operation has exposed itself. In August, The Register reported that Trump's online store wasn't encrypting customer's credit card details. And last month a researcher found that Trump's website had left myriad intern applications openly accessible on the internet.
At the time of writing, Trump.com, which TrumpOrg.com redirects to, has a message that reads, "Thank You for Visiting. We're Currently Experience [sic] a High Volume of Traffic, Please Check Back Soon." The organisation did not immediately respond to a request for comment.
Update: A Trump Organization spokesperson sent us the following comment:
"The Trump Organization deploys best in class firewall and anti-vulnerability technology with constant 24/7 monitoring. Our infrastructure is vast and leverages multiple platforms which are consistently monitored and upgraded using current cyber security best practices."
Get six of our favorite Motherboard stories every day by signing up for our newsletter.