Donald Trump often criticizes Hillary Clinton’s use of a private email server, but it appears she’s not the only presidential candidate guilty of poor email security practices. A researcher has revealed that the Trump Organization’s mail servers are badly configured and use software so out of date they no longer receive patches.
British security architect Kevin Beaumont discovered that the email servers used by the Trump Organization – the parent company of the Republican’s hotels, golf courses, and other businesses – run an unpatched version of Windows Server 2003 with Internet Information Services 6.
"Quick update on Trump corp email servers - all internet accessible, single factor auth, no MDM, Win2003, no security patching." — Kevin Beaumont (@GossiTheDog), October 17, 2016
“Running outdated software and operating systems for your publicly facing email infrastructure is problematic, especially when you're a high-profile organization,” Beaumont told Motherboard in an email. “During an election where cybersecurity is such a big issue, I was a little amazed at what I saw.”
Microsoft stopped supporting Windows Server 2003 when it reached end-of-life status in July 2015. The company's official website advises those still using the software to upgrade.
Beaumont also discovered inadequate security measures in the servers. The service doesn’t use two-factor authentication, so a password alone is enough to log in; there is no second device receiving an extra login code – an extra layer of security everyone should use, especially those running for President.
The researcher also found the email access page of the Trump Organization. The page’s code reveals that it is using a 2015 build of Microsoft Exchange 2007 (SP3 RU16), which, as noted by Ars Technica, contains a number of known vulnerabilities.
"The OS, by the way, is the one Clinton's private email server ran and she got in trouble for." — Kevin Beaumont (@GossiTheDog), October 17, 2016
Beaumont has faced the wrath of Tweeting Trump supporters since he made the revelations. One even threatened to report him to the FBI, despite the fact that the information he gathered is publicly accessible and he did not attempt to log into the email system.
Responding to the news, the Trump Organization sent the following statement to Motherboard:
The Trump Organization deploys best in class firewall and anti-vulnerability technology with constant 24/7 monitoring. Our infrastructure is vast and leverages multiple platforms which are consistently monitored and upgraded using current cyber security best practices.