CIA Director's Personal Email Account Breached By Hackers… Who Find Official Documents Stored In It
from the FWD:FWD:FWD:-classified-data-[KEEP-SAFE!] dept
The Central Intelligence Agency will make one of the biggest overhauls in its nearly 70-year history, aimed in part at sharpening its focus on cyber operations and incorporating digital innovations, CIA director John Brennan said.
Brennan said he is creating new units within the CIA, called “mission centers,” intended to concentrate the agency’s focus on specific challenges or geographic areas, such as weapons proliferation or Africa.
The CIA director said he also is establishing a new “Directorate of Digital Innovation” to lead efforts to track and take advantage of advances in cyber technology to gather intelligence.
A hacker who claims to have broken into the AOL account of CIA Director John Brennan says he obtained access by posing as a Verizon worker to trick another employee into revealing the spy chief’s personal information.
Using information like the four digits of Brennan’s bank card, which Verizon easily relinquished, the hacker and his associates were able to reset the password on Brennan’s AOL account repeatedly as the spy chief fought to regain control of it.
Brennan: leading from the rear. “Digital innovations,” “cyber operations,” and a CIA director who forwards work email to his AOL account.
Now, there is very little anyone can do to prevent hacking via social engineering. There are too many weak links, many of which will probably be attending some mandatory training classes on account security in the near future. Not that it will help. As long as nearly every company uses the same list of personal info for identity verification, social engineering will continue to crack open secured accounts.
The hackers posed as Verizon techs. After they produced a fabricated “Vcode” (an identifier that “verifies” a person as a Verizon employee), Verizon gave up the information the hackers needed to gain control of Brennan’s AOL account: PIN, backup phone number, email address and last four digits of his credit card.
They then called AOL to tell them they were locked out of “their” account. The information handed over by Verizon answered all of AOL’s verification questions. And in they went, uncovering — among other things — the SF-86 application Brennan had filled out to apply for security clearances. They also discovered — and posted — screenshots of a spreadsheet apparently listing names and social security numbers of intelligence officials.
There’s been no document dump, so it’s unclear at this point how many work emails and documents Brennan forwarded to himself or if he used his AOL account to conduct official business. The thing is, Brennan should have known this was a terrible idea, no matter how convenient it was for him to peruse CIA docs from an email account he could access anywhere. He may not have been able to prevent the social engineering attack, but he could have ensured his personal email account only contained personal email. And I’m pretty sure the CIA frowns on taking official documents off-site, even if “Forward email” is used rather than an attache case.