
Teen Who Hacked CIA Director’s Email Tells How He Did It

153 points, by phesse14, over 9 years ago

21 comments

suprgeek, over 9 years ago

I think the REAL story here is that the Director of the Frickin CIA has an AOL e-mail address & AOL e-mail is not the first thing that comes to your mind when you think Security.

Also he thought it was OK to forward Sensitive Govt. Docs to a non-secured commercial e-mail address.

The amount of almost unrestrained power that these people have vs the very low quality of their InfoSec is truly appalling.
cdubzzz, over 9 years ago

> After providing the Verizon employee with a fabricated employee Vcode—a unique code that he says Verizon assigns employees—they got the information they were seeking. This included Brennan’s account number, his four-digit PIN, the backup mobile number on the account, Brennan’s AOL email address and the last four digits on his bank card.

There are obviously a _lot_ of wtf moments reading this article, but this one just strikes me as the most egregious - why in the world would a Verizon employee of any kind be able to obtain this information from anyone other than the account holder? The account number, ok maybe, but absolutely none of those other items should be communicated between employees. Absurd.
mkobit, over 9 years ago

> The hackers described how they were able to access sensitive government documents stored as attachments in Brennan’s personal account because the spy chief had forwarded them from his work email.

How is this acceptable? Shouldn't he be held accountable for this kind of stuff?
fein, over 9 years ago

Social engineering is, and will always be, the fastest way to compromise a system.

Computers are pretty good at security; humans, especially underpaid and overworked helpdesk jockeys, are not.
ChrisArchitect, over 9 years ago

Norman? This is Mr. Eddie Vedder, from Accounting.... My BLT Drive on my computer just went AWOL .... http://cyberdelianyc.tumblr.com/post/131628279720/hackers-cia-email-hacked-dade-hacks-tv-station
WillPostForFood, over 9 years ago

Wikileaks has now published the emails:

https://wikileaks.org/cia-emails/
ryandvm, over 9 years ago

The worst news here is that the director of the most powerful information gathering agency on the planet uses AOL.
sageabilly, over 9 years ago

AOL doesn't support 2-factor authentication for email sign-in. If they did, then this entire debacle would [edit: replace "would" with "could"] have been stopped before it even started.

I'm also surprised that the government doesn't have more stringent guidelines about the private email use of its top officials.
freditup, over 9 years ago

How do you design a system that's hardened against social engineering but not hardened against innocent mistakes, like losing your password? It seems like the easiest way to access public systems like this is through social engineering techniques around password recovery or phishing.

Of course there are well-known answers that are used to mitigate these problems somewhat, TFA solutions, login images, etc. But I still feel as if social engineering attacks hit a really vulnerable weak spot in many systems.

(On a mostly unrelated note, can we get rid of security questions forever? I've taken to just giving nonsense answers for them and storing my answers somewhere secure. I sure don't want my passwords being reset because somebody knows my mom's maiden name...)
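The design tension freditup describes (a recovery path that forgives a lost password without rewarding a social engineer) is easier to see in code. The following is an added example, not from the thread or any commenter: it implements RFC 4226/6238 one-time codes and a constructed `RecoveryService` that contrasts a knowledge-based reset (security question) with a possession-based one (TOTP plus lockout and notification). The account model, the `MAX_ATTEMPTS` value, the user "alice", her answer and the seed are all constructed for the demo.

```python
import hashlib
import hmac
import struct

# --- RFC 4226 / RFC 6238 one-time codes: the "TFA solution" a recovery flow can demand ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP whose counter is Unix time divided into 30-second steps."""
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step or one step either side (clock drift), comparing in constant time."""
    counter = now // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


# --- Constructed recovery service: knowledge-based vs possession-based reset ---

class RecoveryService:
    MAX_ATTEMPTS = 5  # lockout threshold per account (assumed value for the demo)

    def __init__(self):
        self.accounts = {}       # user -> {"answer_hash": bytes | None, "totp_secret": bytes | None}
        self.failures = {}       # user -> failed possession-based attempts since last success
        self.notifications = []  # what would be sent to the account holder's backup channel

    @staticmethod
    def _normalise(answer: str) -> str:
        # Security-question answers are matched loosely, which is part of why they are weak.
        return " ".join(answer.lower().split())

    def enroll(self, user: str, security_answer: str = None, totp_secret: bytes = None):
        self.accounts[user] = {
            "answer_hash": hashlib.sha256(self._normalise(security_answer).encode()).digest()
            if security_answer else None,
            "totp_secret": totp_secret,
        }

    def recover_with_question(self, user: str, answer: str) -> bool:
        """Knowledge-based: anyone who knows or looks up the answer gets the reset."""
        acct = self.accounts[user]
        if acct["answer_hash"] is None:
            return False
        given = hashlib.sha256(self._normalise(answer).encode()).digest()
        return hmac.compare_digest(given, acct["answer_hash"])

    def recover_with_totp(self, user: str, code: str, now: int) -> bool:
        """Possession-based: needs the enrolled device's current code; locks out and notifies on failure."""
        acct = self.accounts[user]
        if acct["totp_secret"] is None or self.failures.get(user, 0) >= self.MAX_ATTEMPTS:
            self.notifications.append((user, "recovery refused: no second factor enrolled or locked out"))
            return False
        if verify_totp(acct["totp_secret"], code, now):
            self.failures[user] = 0
            self.notifications.append((user, "recovery completed with second factor"))
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        self.notifications.append((user, f"failed recovery attempt {self.failures[user]}"))
        return False


def demo() -> dict:
    """Run both policies against the same constructed account and report the outcomes."""
    svc = RecoveryService()
    seed = b"12345678901234567890"  # RFC 6238 test-vector seed, used here as a constructed secret
    svc.enroll("alice", security_answer="Springfield", totp_secret=seed)
    return {
        "question_guessed": svc.recover_with_question("alice", "  SPRINGFIELD "),  # loose match passes
        "totp_wrong": svc.recover_with_totp("alice", "000000", now=59),
        "totp_right": svc.recover_with_totp("alice", totp(seed, 59), now=59),
    }


if __name__ == "__main__":
    print(demo())
```

The knowledge-based path succeeds on a casually formatted guess of a fact that may be public, which is the weakness freditup's "nonsense answers" workaround addresses; the possession-based path requires the current code from an enrolled device, counts failures, and leaves a notification trail the account holder can act on.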
logn, over 9 years ago

Much is being made of him using AOL for work emails. Seems like a fairly minor issue. The worst part was the spreadsheet with ~20 people's info on it. Otherwise, he forwarded emails to himself that he wanted to permanently have possession of, like his own clearance application and a letter from the Senate on torture. I'm more interested in this letter--sent in 2009. Who knew what and when?

(Edit) the letter -- https://twitter.com/phphax/status/653665742987100163
davotoula, over 9 years ago

What do you want?

> We said ‘2 trillion dollars hahhaa'

Ok, I can work with that

> They told Brennan “We just want Palestine to be free and for you to stop killing innocent people.”

Sorry, can't do that
dankohn1, over 9 years ago

I really hope these kids have not destroyed the rest of their lives just to make a (very good) Dr. Evil joke [1]:

'So they called Brennan’s mobile number, using VoIP, and told him he’d been hacked. The conversation was brief.

“[I]t was like ‘Hey,…. its CWA.’ He was like ‘What do you want?’ We said ‘2 trillion dollars hahhaa, just joking,'” the hacker recounted to WIRED.'

[1] https://www.youtube.com/watch?v=l91ISfcuzDw
brianclements, over 9 years ago

There was a story within the past year or two I remember that was in a similar vein: where the hackers were able to obtain some address info from Apple support, which led to CC info from Amazon tech support, which led to interception of the user's phone number and then bypassing of 2FA, which led to primary email takeover. I felt then, as I do now, that there should be a standardized process for identifying user information across all companies that doesn't allow for this patchwork gathering of info and incorporates a type of 2FA.

I remembered this thought again recently when dealing with major banks over the phone. All I needed to identify who I am was confirmation of my home address, and last 4 digits of my social. That is hardly secure! A single data breach for SSN, cross referencing an email to social media or DNS if you don't use private registration and boom, you can pretend to be me as far as some banks are concerned.

The SSN is the most abused number in the ID world. It's a de facto federal ID number and it's simply not meant for the task. Everyone gets all uppity about having some type of federal ID number whenever I mention it, but I feel like some type of public key cryptographic federal ID number plus cross-signing, changeable password, AND a 2+FA should be used to truly identify who you are.
peterwwillis, over 9 years ago

People seem to forget that hacking personal accounts is not difficult, even for novice hackers. The reason most people don't get hacked is either 1. they weren't a funny/interesting target, or 2. nobody wanted to get caught.

Also, the CWA's twitter account was suspended, but thanks be to The Internet Archive we have a mirror:

https://web.archive.org/web/20151019192351/https:/twitter.com/_CWA_/

The Twitter pictures aren't archived, but they also haven't been taken down from Twitter's site.
dogma1138, over 9 years ago

Shouldn't there be like a department in the CIA that scraps all of that stuff for agency employees?

I know that some other agencies, and even private corporations, do that.
barefoot, over 9 years ago

It's crazy to me that as a society we celebrate the digital equivalent of smashing a window in with a brick and climbing in through the jagged glass.

This wasn't a skillful attack. It was a messy, shitty social engineering exploit that very many people could have done.
hackuser, over 9 years ago

How did the attackers know that Brennan had an AOL address?

Let's not take the attackers at face value. They could have had help or be employed by anyone, including those either interested in Brennan's AOL email or in embarrassing him.
gopowerranger, over 9 years ago

Two things.

1) This kid just got at least one person fired from his job (though he may deserve it).

2) This kid WILL be caught and regret it the rest of his life.
yeukhon, over 9 years ago

Now the kid is going to be hunted. Blacklist. You know. Anything, hacking someone's account is wrong regardless. Just because he's the Director of CIA.
jotux, over 9 years ago

> Teen Who Hacked...

> The hacker, who says he’s under 20 years old

20 years old is a teen? What a terrible headline.
ryanlol, over 9 years ago

Why is this even a story?

Has there been any confirmation that this account even actually belonged to the CIA director? If yes, has there been any evidence that there was actually anything sensitive on the account? (I seriously doubt the latter)

If there was nothing on the account how is this different from any of the other tens of thousands of AOLs that have been hijacked since the 90s?