Any Half-Decent Hacker Could Break Into Mar-a-Lago

This story was co-published with Gizmodo.


Two weeks ago, on a sparkling spring morning, we went trawling along Florida's coastal waterway. But not for fish.


We parked a 17-foot motor boat in a lagoon about 800 feet from the back lawn of The Mar-a-Lago Club in Palm Beach and pointed a 2-foot wireless antenna that resembled a potato gun toward the club. Within a minute, we spotted three weakly encrypted Wi-Fi networks. We could have hacked them in less than five minutes, but we refrained.


A few days later, we drove through the grounds of the Trump National Golf Club in Bedminster, New Jersey, with the same antenna and aimed it at the clubhouse. We identified two open Wi-Fi networks that anyone could join without a password. We resisted the temptation.


We have also visited two of President Donald Trump's other family-run retreats, the Trump International Hotel in Washington, D.C., and a golf club in Sterling, Virginia. Our inspections found weak and open Wi-Fi networks, wireless printers without passwords, servers with outdated and vulnerable software, and unencrypted login pages to back-end databases containing sensitive information.


The risks posed by the lax security, experts say, go well beyond simple digital snooping. Sophisticated attackers could take advantage of vulnerabilities in the Wi-Fi networks to take over devices like computers or smart phones and use them to record conversations involving anyone on the premises.


"Those networks all have to be crawling with foreign intruders, not just ProPublica," said Dave Aitel, chief executive officer of Immunity, Inc., a digital security company, when we told him what we found.


Security lapses are not uncommon in the hospitality industry, which — like most industries and government agencies — is under increasing attack from hackers. But they are more worrisome in places where the president of the United States, heads of state and public officials regularly visit.


U.S. leaders can ill afford such vulnerabilities. As both the U.S. and French presidential campaigns showed, hackers increasingly exploit weaknesses in internet security systems in an effort to influence elections and policy. Last week, cyberattacks using software stolen from the National Security Agency paralyzed operations in at least a dozen countries, from Britain's National Health Service to Russia's Interior Ministry.


Since the election, Trump has hosted Chinese President Xi Jinping, Japanese Prime Minister Shinzo Abe and British politician Nigel Farage at his properties. The cybersecurity issues we discovered could have allowed those diplomatic discussions — and other sensitive conversations at the properties — to be monitored by hackers.


The Trump Organization follows "cybersecurity best practices," said spokeswoman Amanda Miller. "Like virtually every other company these days, we are routinely targeted by cyberterrorists whose only focus is to inflict harm on great American businesses. While we will not comment on specific security measures, we are confident in the steps we have taken to protect our business and safeguard our information. Our teams work diligently to deploy best-in-class firewall and anti-vulnerability platforms with constant 24/7 monitoring."


The White House did not respond to repeated requests for comment.


Trump properties have been hacked before. Last year, the Trump hotel chain paid $50,000 to settle charges brought by the New York attorney general that it had not properly disclosed the loss of more than 70,000 credit card numbers and 302 Social Security numbersFEFF. Prosecutors alleged that hotel credit card systems were "the target of a cyber-attack" due to poor security. The company agreed to beef up its security; it's not clear if the vulnerabilities we found violate that agreement. A spokesman for the New York attorney general declined comment.


Our experience also indicates that it's easy to gain physical access to Trump properties, at least when the president is not there. As Politico has previously reported, Trump hotels and clubs are poorly guarded. We drove a car past the front of Mar-a-Lago and parked a boat near its lawn. We drove through the grounds of the Bedminster golf course and into the parking lot of the golf course in Sterling, Virginia. No one questioned us.


Both President Obama and President Bush often vacationed at the more traditional presidential retreat, the military-run Camp David. The computers and networks there and at the White House are run by the Defense Information Systems Agency.


In 2016, the military spent $64 million on maintaining the networks at the White House and Camp David, and more than $2 million on "defense solutions, personnel, techniques, and best practices to defend, detect, and mitigate cyber-based threats" from hacking those networks.


Even after spending millions of dollars on security, the White House admitted in 2015 that it was hacked by Russians. After the hack, the White House replaced all its computer systems, according to a person familiar with the matter. All staffers who work at the White House are told that "there are people who are actively watching what you are doing," said Mikey Dickerson, who ran the U.S. Digital Service in the Obama administration.


By comparison, Mar-a-Lago budgeted $442,931 for security in 2016 — slightly more than double the $200,000 initiation fee for one new member. The Trump Organization declined to say how much Mar-a-Lago spends specifically on digital security. The club, last reported to have almost 500 members paying annual dues of $14,000 apiece, allotted $1,703,163 for all administration last year, according to documents filed in a lawsuit Trump brought against Palm Beach County in an effort to halt commercial flights from flying over Mar-a-Lago. The lawsuit was dropped, but the FAA now restricts flights over the club when the president is there.


It is not clear whether Trump connects to the insecure networks while at his family's properties. When he travels, the president is provided with portable secure communications equipment. Trump tracked the military strike on a Syrian air base last month from a closed-door situation room at Mar-a-Lago with secure video equipment.


However, Trump has held sensitive meetings in public spaces at his properties. Most famously, in February, he and the Japanese prime minister discussed a North Korean missile test on the Mar-a-Lago patio. Over the course of that weekend in February, the president's Twitter account posted 21 tweets from an Android phone. An analysis by an Android-focused website showed that Trump had used the same make of phone since 2015. That phone is an older model that isn't approved by the NSA for classified use.


Photos of Trump and Abe taken by diners on that occasion prompted four Democratic senators to ask the Government Accountability Office to investigate whether electronic communications were secure at Mar-a-Lago.

In March, the GAO agreed to open an investigation. Chuck Young, a spokesman for the office, said in an interview that the work was in "the early stages," and did not offer an estimate for when the report would be completed.


So, we decided to test the cybersecurity of Trump's favorite hangouts ourselves.


Our first stop was Mar-a-Lago, a Trump country club in Palm Beach, Florida, where the president has spent most weekends since taking office. Driving past the club, we picked up the signal for a Wi-Fi-enabled combination printer and scanner that has been accessible since at least February 2016, according to a public Wi-Fi database.


An open printer may sound innocuous, but it can be used by hackers for everything from capturing all the documents sent to the device to trying to infiltrate the entire network.


To prevent such attacks, the Defense Information Systems Agency, which secures the White House and other military networks, forbids installing printers that anyone can connect to from outside networks. It also warns against using printers that do more than printing, such as faxing. "If an attacker gains network access to one of these devices, a wide range of exploits may be possible," the agency warns in its security guide.


We also were able to detect a misconfigured and unencrypted router, which could potentially provide a gateway for hackers.


To get a better line of sight, we rented a boat and piloted it to within sight of the club. There, we picked up signals from the club's wireless networks, three of which were protected with a weak and outmoded form of encryption known as WEP. In 2005, an FBI agent publicly broke this type of encryption in minutes.


By comparison, the military limits the signal strength of networks at places such as Camp David and the White House so that they are not reachable from a car driving by. It also requires wireless networks to use the strongest available form of encryption.


From our desks in New York, we were also able to determine that the club's website hosts a database with an insecure login page that is not protected by standard internet encryption. Login forms like this are considered a severe security risk, according to the Defense Information Systems Agency.


Without encryption, spies could eavesdrop on the network until a club employee logs in, and then steal his or her username and password. They then could download a database that appears to include sensitive information on the club's members and their families, according to videos posted by the club's software provider.


This is "bad, very bad," said Jeremiah Grossman, chief of Security Strategy for cybersecurity firm SentinelOne, when we described Mar-a-Lago's systems. "I'd assume the data is already stolen and systems compromised."


A few days later, we took our equipment to another Trump club in Bedminster, New Jersey. During the transition, Trump had interviewed candidates for top administration positions there, including James Mattis, now secretary of defense.


We drove on a dirt access road through the middle of the golf course and spotted two open Wi-Fi networks, TrumpMembers and WelcomeToTrumpNationalGolfClub, that did not require a password to join.


Such open networks allow anyone within range to scoop up all unencrypted internet activity taking place there, which could, on insecure sites, include usernames, passwords and emails.


Robert Graham, an Atlanta, Georgia, cybersecurity expert, said that hackers could use the open Wi-Fi to remotely turn on the microphones and cameras of devices connected to the network. "What you're describing is typical hotel security," he said, but "it's pretty concerning" that an attacker could listen to sensitive national security conversations.


Two days after we visited the Bedminster club, Trump arrived for a weekend stay.


Then we visited the Trump International Hotel in Washington, D.C., where Trump often dines with his son-in-law and senior adviser Jared Kushner, whose responsibilities range from Middle East diplomacy to revamping the federal bureaucracy. We surveyed the networks from a Starbucks in the hotel basement.


From there, we could tell there were two Wi-Fi networks at the hotel protected with what's known as a captive portal. These login screens are often used at airports and hotels to ensure that only paying customers can access the network.


However, we gained access to both networks just by typing "457" into the room number field. Because we provided a room number, the system assumed we were guests. We looked up the hotel's public IP address before logging off.


From our desks in New York, we could also tell that the hotel is using a server that is accessible from the public internet. This server is running software that was released almost 13 years ago.


Finally, we visited the Trump National Golf Club in Sterling, Virginia, where the president sometimes plays golf. From the parking lot, we recognized three encrypted wireless networks, an encrypted wireless phone and two printers with open Wi-Fi access.


The Trump club websites are hosted by an Ohio-based company called Clubessential. It offers everything from back-office management and member communications to tee time and room reservations.


In a 2014 presentation, a company sales director warned that the club industry as a whole is "too lax" in managing and protecting passwords. There has been a "rising number of attacks on club websites over the last two years," according to the presentation. Clubessential "performed [an] audit of security in the club industry" and "found thousands of sensitive documents from clubs exposed on [the] Internet," such as "lists of members and staff, and their contact info; board minutes, financial statements, etc."


Still, the club software company has set up a backend server accessible on the internet, and configured its encryption incorrectly. Anyone who reaches the login page is greeted with a warning that the encryption is broken. In its documentation, the company advises club administrators to ignore these warnings and log in regardless. That means that anybody snooping on the unprotected connection could intercept the administrators' passwords and gain access to the entire system.


The company also publishes online, without a password, many of the default settings and usernames for its software — essentially providing a roadmap for intruders.


Clubessential declined comment.


Aitel, the CEO of Immunity, said the problems at Trump properties would be difficult to fix: "Once you are at a low level of security it is hard to develop a secure network system. You basically have to start over."


ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.



Vishakhapatnam cleanest railway station, Darbhanga dirtiest
Vishakhapatnam in Andhra Pradesh and Beas in Punjab have been declared the cleanest railway stations in A-1 and A categories respectively. Darbhanga and Jogbani in Bihar were the dirtiest in the two sections, according to a survey by Quality Council of India.
Vishakhapatnam emerged the winner in cleanliness index by securing first position in A-1 category station while Beas in Punjab topped the A category stations, Railway Minister Suresh Prabhu said here.
He was releasing the third survey on cleanliness. The survey is done by the railways to keep a tab on rail premises.
Secunderabad (Telangana) and Jammu station got the second and third place in the A-1 category. In A category, Khammam came second and Ahmedabad third. 
Hazarat Nizammudin and Old Delhi stations in the national capital were placed at 23rd and 24th position while New Delhi station was ranked 39th among the busiest stations in A-1 category.
Varanasi occupied the 14th place in A-1 category. Darbhanga was at the bottom -- 75th position.
Prabhu said: "Railways have accomplished a significant improvement in cleanliness at stations since last year."
He said the biggest challenge for cleanliness on platforms were visitors and passengers.
"The focus is on platform cleanliness, coach cleanliness, toilet cleanliness and track cleanliness," he said.
The cleanliness survey was carried out at 407 stations, of which 75 were in A-1 category or most busy stations and 332 were in A category.
Disclaimer: Information, facts or opinions expressed in this news article are presented as sourced from IANS and do not reflect views of Moneylife and hence Moneylife is not responsible or liable for the same. As a source and news provider, IANS is responsible for accuracy, completeness, suitability and validity of any information in this article.




Vinay Isloorkar

4 months ago

Trains have become cleaner and stations too. Pune and Hubli have become significantly cleaner in last 2 years. So has Yeshvantpur in Bangalore. People should co operate. Dharbanga is more a reflection of the locals than apathy on the part of rlys.


4 months ago

A good and right initative of this Government to encourage cleanliness. After all cleanliness is next to godliness.

NPAs of nationalised banks jumped 143% in two years to March 2017
The gross non-performing asset (GNPA) ratio of 13 public sector banks (PSBs) that peaked in December 2016, have remained just about an average basis. However, compared with March 2015, the growth in NPA jumped 143% in March 2017, says a research note.
According to Care Ratings, since March 2016, these banks have continued to witness an increase in NPAs with an increment of about Rs50,000 crore in the next four quarters till March 2017. It said, "This increase was spread quite evenly across the four quarters – Rs20,217 crore in Q1, Rs11,128 crore in Q2, Rs8,318 crore in Q3 and Rs10,642 crore in Q4 (see chart below). Compared with March 2015, growth by March 2017 was 143%. These high NPAs have been a major reason for pressure on profitability as they have been making progressively higher provisions on this count."
In the report, the ratings agency says, "The indication is that there is a mixed picture for PSBs so far, and while at the aggregate level, it appears to have stabilised, the ratio has come down for fight of the 13 banks which could improve going ahead. For the other five banks, another quarter’s performance would be critical for drawing any conclusion on whether or not the worst is over."
According to report, five PSBs, Central Bank of India, Bank of Maharashtra, Dena Bank Andra Bank and Punjab & Sind Bank the NPA continue to at peak levels during March 2017.
Care Ratings says, in terms of the Gross NPA ratio (see chart below), there has been a continuous increase from March 2015 onwards, with two sharp spikes witnessed first in December 2015 by 1.5% and then by 2.67% in March followed by 1.17% in June 2016. Subsequently, the NPA ratio has almost touched 12% by December 2016 and remained virtually unchanged by March 2017, it added.
"The question posed is whether this is a plateau reached by these banks or whether the number could increase in the coming quarters. Some of these banks have reported that they have managed to lower the volume of NPAs at a faster pace than fresh slippages, which is a positive sign for the system as it does indicate that the worst may be behind us," the ratings agency said.

The Reserve Bank of India (RBI) had asked banks to complete the process of asset quality recognition by March 2017. "Prima facie there is reason to believe that the numbers should not increase subsequently and whatever is recognized would be more on new loans rather than the existing portfolio. This would hold especially for banks which have recorded lower NPA ratios in March 2017 compared with December 2016," Care Ratings concluded.



shushli tiwari

4 months ago

The Reserve Bank of India may put restriction on United Bank of IndiaBSE 2.26 %'s branch expansion and direct it to make higher provisions to cover risks due to its rising stressed loans, Equity tips

shushli tiwari

4 months ago

The Reserve Bank of India may put restriction on United Bank of IndiaBSE 2.26 %'s branch expansion and direct it to make higher provisions to cover risks due to its rising stressed loans, Equity tips

Ashok m Rane

4 months ago

Public Sector Banks r earning ( Making Operating Profit) for the benefit of Bad Borrowers. Obtaining Bank Loans, turning them NPA and getting them written off has become d culture of Businessmen. In d name of Balance sheet clean up thousands of crore NPAs r written off. Unless and untill stringent criminal action is taken against the borrowers this culture will not change. The Graph of Bad Loans will be always increasing. In absence of stringent regulations it is very difficult to make recovery from Big Borrowers. Only small borrowers can be harassed for recovery. Bullying Big Borrowers is just not possible. The Judiciary is also very slow. Hence PSBs should stop granting Bigger Loans and confine their loaning to small borrowers only, to get out of d situation.


4 months ago

It is hightime the management and the staff in the banking sector work in tandem sincerely on a war footing, to recover the maximum amount of NPAs, which is a drain on the country's economy.


Ashok m Rane

In Reply to SRINIVAS SHENOY 4 months ago

Over 70% of Loans are for Big Ticket Borrowers, where recovery by Branch Staff is very difficult. Staff can at the most try recovery of small Loans from Poor Borrowers. Unless stringent action is taken against Big Borrowers, the efforts of Bank Staff will not bear any fruits!

We are listening!

Solve the equation and enter in the Captcha field.

To continue

Sign Up or Sign In


To continue

Sign Up or Sign In



The Scam
24 Year Of The Scam: The Perennial Bestseller, reads like a Thriller!
Moneylife Magazine
Fiercely independent and pro-consumer information on personal finance
Stockletters in 3 Flavours
Outstanding research that beats mutual funds year after year
MAS: Complete Online Financial Advisory
(Includes Moneylife Magazine)