CIA Director's Personal Email Account Breached By Hackers… Who Find Official Documents Stored In It
from the FWD:FWD:FWD:-classified-data-[KEEP-SAFE!] dept
The Central Intelligence Agency will make one of the biggest overhauls in its nearly 70-year history, aimed in part at sharpening its focus on cyber operations and incorporating digital innovations, CIA director John Brennan said.
Brennan said he is creating new units within the CIA, called “mission centers,” intended to concentrate the agency’s focus on specific challenges or geographic areas, such as weapons proliferation or Africa.
The CIA director said he also is establishing a new “Directorate of Digital Innovation” to lead efforts to track and take advantage of advances in cyber technology to gather intelligence.
A hacker who claims to have broken into the AOL account of CIA Director John Brennan says he obtained access by posing as a Verizon worker to trick another employee into revealing the spy chief’s personal information.
Using information like the four digits of Brennan’s bank card, which Verizon easily relinquished, the hacker and his associates were able to reset the password on Brennan’s AOL account repeatedly as the spy chief fought to regain control of it.
Brennan: leading from the rear. “Digital innovations,” “cyber operations,” and a CIA director who forwards work email to his AOL account.
Now, there is very little anyone can do to prevent hacking via social engineering. There are too many weak links, many of which will probably be attending some mandatory training classes on account security in the near future. Not that it will help. As long as nearly every company uses the same list of personal info for identity verification, social engineering will continue to crack open secured accounts.
The hackers posed as Verizon techs. After they produced a fabricated “Vcode” (an identifier that “verifies” a person as a Verizon employee), Verizon gave up the information the hackers needed to gain control of Brennan’s AOL account: PIN, backup phone number, email address and last four digits of his credit card.
They then called AOL to tell them they were locked out of “their” account. The information handed over by Verizon answered all of AOL’s verification questions. And in they went, uncovering — among other things — the SF-86 application Brennan had filled out to apply for security clearances. They also discovered — and posted — screenshots of a spreadsheet apparently listing names and social security numbers of intelligence officials.

There’s been no document dump, so it’s unclear at this point how many work emails and documents Brennan forwarded to himself or if he used his AOL account to conduct official business. The thing is, Brennan should have known this was a terrible idea, no matter how convenient it was for him to peruse CIA docs from an email account he could access anywhere. He may not have been able to prevent the social engineering attack, but he could have ensured his personal email account only contained personal email. And I’m pretty sure the CIA frowns on taking official documents off-site, even if “Forward email” is used rather than an attache case.
Comments on “CIA Director's Personal Email Account Breached By Hackers… Who Find Official Documents Stored In It”
Brennan’s response:
Bring me the heads of these hackers by month’s end.
Accountability: 0
Abuse of Power: off the charts
For those who hacked, best tweet Snowden on some advice on how to leave the country. The CIA (via the NSA’s tools) will stop at nothing to track you down.
Good luck!
Re: Re:
Brennan: I will fully cooperate with investigators to assist in finding some unrelated low level person to blame this on.
Re: Re: Re:
“My admin assistant set up the forwarding for me. I don’t know how email works!”
Re: Re:
Two things are guaranteed in Washington: No one with power will accept blame for their actions, and those with too little power will suffer for the failure of those with power.
If only we had CISPA, this never would have happened…
Re: Re:
Maybe there is some way this could be blamed on Edward Snowden.
(or should I have said Eric Snowden?)
stop at nothing
yeah, it’s almost like they swapped out the flag at the brooklyn bridge, or something.
*His* SF-86
This is not a security violation. It’s his personal info in his personal email account. Granted it has info on people he’s offering up to interview for his clearance, but they gave it to him willingly. Little different than an app asking for access to your contacts on your phone.
Stupid to have it just sitting there, but as a fellow cleared person, it is sometimes handy to have reference to that data. A thumb drive would be a better choice, but then I suppose that would be against policy too; bringing in personal thumb drives…
Re: *His* SF-86
Did you not even read the summary?
I am pretty sure that a list of intelligence officials is not his personal information.
Re: *His* SF-86
Stupid in the extreme for such data to be held unencrypted on a server outside the organisation’s control. While the external hacker is making the breach public, who knows the loyalties of the people working for AOL, and which Governments are paying them. AOL company could be a spies’ paradise.
Re: *His* SF-86
You Scientologists always stick together, don’t ya?
Looks like he and Google have a motto in common.
“Do as I say, not as I do!”
You have to wonder how this CIA Director got past security clearance for the job.
What was that about wanting backdoors?
Re: Re:
Well since Apple and co claim backdoors are impossible he had to install his own! Now if everyone would just forward all their email to insecure accounts how easy it would be …
He failed question #1...
How does a “cyber-security professional” have an AOL account?!?
Re: He failed question #1...
Nothing wrong with having an AOL or yahoo type email account for your Personal, non-secure crap. His mistake was using it IN ANY FASHION for work related info. The whole point of most web-mail based systems is to allow the provider to data mine all of the user’s emails for information.
Sending that spreadsheet full of PII should result in the CIA having to send out data breach notifications and the resulting liability for possible identity theft. Plus a review of that person’s suitability for his job. Didn’t he hear about that small ruckus over Hillary’s email server? What kind of intelligence gathering ability does the CIA have anyway? This failure to connect the dots doesn’t fill me with great confidence.
Re: He failed question #1...
That’s not really hacking. More like phishing. I remember AOL instant messages used to always have a warning that says AOL staff will never ask you for your password. Despite this I always got random instant messages from random people claiming to work for AOL and needing my password. Apparently enough people fell for it at the time to encourage all these phishers to keep asking for personal information. I thought phishing was a dead art. Didn’t think people still fell for that.
Re: Re:
Phishing is nowhere near a dead art. It is one of the most popular ways to get on “the inside.”
Re: Re:
That’s not really hacking. More like phishing.
If hacking is broadly defined as illicitly gaining access to a computer system, then this certainly qualified.
Re: Re: Re:
But that’s not how hacking is defined.
Re: Re: Re: Re:
I disagree.
https://en.wikipedia.org/wiki/Hacker_%28computer_security%29
http://www.thefreedictionary.com/hack
https://en.wiktionary.org/wiki/hack#Verb
Let’s see if the 'bulk metadata collection'
can bring these people to a court trial.
And then let’s see the quality of the trial.
Re: Let’s see if the 'bulk metadata collection'
You mean the secret courts with secret witnesses and secret evidence the defence and judge are not allowed to see, since it would compromise national security if they were given access to the supposed evidence the government says it has to prosecute their victim.
Misprint in the Reuters article headline?
Was:
CIA to make sweeping changes, focus more on cyber ops
Intended?
CIA to make sweeping changes, focus more on cyber Ooops
Yet another example of meta-risks in data collection
There has been (and will continue to be) copious discussion of the risks of allowing governments and corporations to collect private data on individuals. But one of the often-overlooked aspects of that issue is that disclosure and abuse is possible not just by the collectors themselves, but by anyone clever enough to hack them.
Consider this case: if it’s really true that the people who pulled this off were teenagers, then (a) does anyone think they’re the first ones to succeed? and (b) if they weren’t the first ones, who were the others?
The massive data collections being assembled every day are touted by their proponents as weapons (against terror, the bogeyman du jour) or as tools. And perhaps, if we take a very generous view of them, they are. But they’re also enormous, extremely tempting targets. And when the people at the top of the food chain provide textbook demonstrations of worst practices in security, we know they’re vulnerable targets.
And that’s the meta-risk: indirect acquisition and exploitation by third parties. In this case, it appears to have been someone with a point to make. But what if it’s not, this time or the next time?
John Brennan
“But I’ve had this email account for decades, and I use my middle name for the password, so it’s secure, right? It always was in the past.”
Dear John Brennan,
Half ass your own data protection, leave mine alone.
Like A Personal Email Server
At least he was not using his own personal email server. Oh wait… I think that Secretary Clinton screwed up with the email server and have been dismayed by her inability to come clean (but not surprised). If the US Congress is going to spend millions of dollars on her situation then they should be crawling up this guy’s back side as well. What he did is just as bad if not worse.
Re: Like A Personal Email Server
As you say it may be reasonable that this guy be investigated as much as Hillary.
The reality is, regardless of political party, congress only spends millions of dollars on an investigation, such as Hillary, when one party makes congress begin the investigation, and the action is against someone of an opposing party, or somehow considered an enemy.
On the positive side
Hillary’s account couldn’t have gotten social engineered – it was her own server. It would be unlikely if any telecom/etc would have been able to reset her password to allow a hacker access.
Security Epic Fail!
Now tell me again why we want government spy agencies to have a set of master keys to our encryption?
Re
After laughing for several minutes, I concluded that he should be fucking fired for that. What a dipshit.
Brennan got his cyber security advice from Petraeus
or Petraeus’s mistress…
And Hillary is the bad guy here, when the government can’t seem to keep their shit locked down, seems she’s the only one that was secure.
Re: Re:
You have utterly failed with your comment, unless your goal was to include as many factual errors as possible.
Hillary is widely acknowledged as being female, even by Trump.
This story is specifically about abuse of non-government e-mail, not about containment of government owned fecal matter. For more information on that topic, you may review any of the recent stories about Congress.
Hillary’s e-mail was only considered secure by Hillary.
Americans...
Bah…
yep! no need at all for encryption! no one will ever get into official email accounts!
hmm. wonder what happened here then?
He must be Republican, if it was Hillary, they’d demand pitchforks and fires! She kept a secured standalone system, this is idiotic free public access cloud service. The stupidity is just overwhelming.
Re: Re:
He must be Republican, if it was Hillary, they’d demand pitchforks and fires!
I don’t know about his personal politics, but he was appointed by Obama.
Both Twitter links broken
Either the links are bad or Twitter has taken the images away.
Imagine the unthinkable…
We are at war half way around the globe because someone’s AOL account got hacked, and to cover up all of the secrets they had ex-filtrated they came up with a giant distraction.
Perhaps it is time to find people who have a fucking clue to come in and clean up this giant mess of people too stupid to have power have created. They pay out money to corporations who have the evidence of the stupidity and keep it quiet as long as the contracts keep coming, and they pay a little to keep their idiot buddy in power because they will fuck up again and they will gain more influence.
The terrifying thought hitting you right now, is I could be right.
AOL wasn't hacked!!
AOL wasn’t the system that was hacked.
VERIZON was!
Verizon coughed up the info that allowed the normal unlock-procedure for the AOL account.
Let me begin by asserting that I am not responsible for this, and I support the USA. The Internet tough guys in this thread, however, gave me a good laugh, and I invite them to pretend it was me, and give me their worst. lol Where are those billions the Obama admin has spent for cyber security gone? Fed hackers and investigators are always simple for me to identify, in 2 minutes maximum. They always have million dollar toys, yet lack the skills to properly utilize them. This is actually a blessing in disguise because their target selection is often incredibly misguided.