Teen Hacker Who Social Engineered His Way Into Top-Level US Government Officials' Accounts Pleads Guilty To Ten Charges

from the barely-post-pubescent-wrecking-crew dept

The teenage hacker who tore CIA director John Brennan a new AOL-hole is awaiting sentencing in the UK. Kane Gamble, the apparent founder of hacker collective Crackas With Attitude, was able to access classified documents Brennan has forwarded to his personal email account by posing as a Verizon tech. Social engineering is still the best hacking tool. It’s something anyone anywhere can do. If you do it well, a whole host of supposedly-secured information can be had, thanks to multiple entities relying on the same personal identifiers to “verify” the social engineer they’re talking to is the person who owns accounts they’re granting access to.

Despite claiming he was motivated by American injustices perpetrated around the world (Palestine is namechecked in the teen’s multiple mini-manifestos), a lot of what Gamble participated in was plain, old fashioned harassment.

Gamble taunted his victims online, released personal information, bombarded them with calls and messages, downloaded pornography onto their computers and took control of their iPads and TV screens, a court heard.

This might be chalked up to Gamble’s youth or his supposed residence on the autism spectrum. But that’s not the limit of the chaos caused by his social engineering. He was able to gain access to the FBI’s law enforcement database and DHS boss Jeh Johnson’s voicemail. He apparently dumped a database of FBI 20,000 agents’ personal info and accessed email accounts of deputy national security advisor Avril Haines.

But there were other acts as well, some that resulted in plenty of people fearing for their safety.

He used his access to steal and post online personal details of Officer Darren Wilson who shot and killed black teenager Michael Brown in Ferguson Missouri.

At the same time he harassed the [FBI Deputy Director Mark] Giuliano family and people associated with them and bombarded them with calls, meaning that they were forced to seek protection from the intelligence agencies and an armed guard was placed at their home.

Mr Obama’s senior science and technology adviser John Holdren had his personal accounts hacked and Gamble passed all of his personal details to an accomplice who used them to make hoax calls to the local police claiming that there was a violent incident at Mr Holdren’s house resulting in an armed swat team being deployed.

Gamble has pled guilty to ten counts of criminal computer misuse. He has yet to be sentenced but I can’t imagine it will go well for him. What Gamble did was harmful to many people’s personal security and the harassment of family members of public officials crosses several lines, as does the SWATing. But he did expose plenty of weak leaks in the security protocols deployed by companies like Verizon and the US government itself. The reliance on the same security questions (names of pets, schools, maiden names, etc.) across multiple services often means accessing one will open up access to all of them. Once a primary account is compromised, it can be used to change login and security verification info for accounts reliant on it.

It also exposed how high-ranking government officials made these weak links even weaker. In CIA Director Brennan’s case, the sensitive documents Gamble accessed had been forwarded to an email account maintained by a third party. If Brennan had been more careful with his handling of classified documents — like keeping them in the secured systems they came from — Gamble wouldn’t have been able to view and/or distribute these to people who shouldn’t be seeing them.

Governments make weird enemies. Sometimes they’re teens residing in small council houses in the UK. But the enemies they make can do considerable damage armed with nothing more than a cellphone, a laptop, and an internet connection.

Filed Under: , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Teen Hacker Who Social Engineered His Way Into Top-Level US Government Officials' Accounts Pleads Guilty To Ten Charges”

Subscribe: RSS Leave a comment
Bergman (profile) says:

Re: Secure Documents on an Unsecured System

If he had a manifesto, odds are he counts as a lawful combatant, especially if he wears the same sort of clothes every day.

Imprisoning a foreign soldier, even a domestic rebel, for acting like a soldier is a war crime. Given how the US considers cyber-warfare, what the kid did is probably not illegal.

As a POW, he can be interned for ‘the duration’ but as an army of one, his war ended when he was captured.

Wendy Cockcroft (user link) says:

Re: He's never set foot in the US, how can these be crimes?

No, his abhorrent stalking and harassment cancels that. In any case this is not a speech issue, this is about a rebellious teen accessing personal and government accounts without prior authorisation, then using the information gleaned thereby to make people’s lives a misery.

SWAT-ing is not speech, it’s attempted murder.

Hugo S Cunningham (profile) says:

Let users make up their own security *questions*

Hackers have opportunities to assemble security-question info for users, eg mother’s maiden name, make of first car, names of family pets, etc. But the job would become useless if users were able to put in their own questions as well as their answers– really weird stuff that no computer search could generate, eg “What did your toddler break during Grandma’s Easter visit two years ago?”

Bruce C. says:

Re: Let users make up their own security *questions*

Which is fine until it’s 10 years later and your toddler is entering High School. . .and you no longer remember what year it was when you created the security question.

But the general idea is sound up to a point. Forcing users to make up their own questions doesn’t prevent them from duplicating them across multiple sites. Frankly, it’s probably easier to request the users to put in fake answers to standard security questions. The smart ones will store the fakes with their password manager. The dumb ones probably can’t be helped. There’s always the legit user who can’t remember their password OR the answers to the security questions, and they’ll always be vulnerable if they don’t use the tools needed to make them less so.

Anonymous Hero says:

Gross negligence

> In CIA Director Brennan’s case, the sensitive documents Gamble accessed had been forwarded to an email account maintained by a third party. If Brennan had been more careful with his handling of classified documents…

Brennan must’ve known this was against protocol. I don’t have a clearance and even I know that you are NOT allowed to take classified material and put it on unsecured systems.

Anonymous Coward says:

Misuse of SWAT team

I’m disappointed, but not all that surprised, that the bogus SWAT raid against Someone Important didn’t turn into even token attempts to get the SWAT teams to be a little more circumspect. This was a perfect opportunity for the right people to learn that you can’t trust easily-forged messages when deciding where and when to deploy deadly force.

Rekrul says:

Except for when hackers discover a security flaw and exploit it, most hacking is done through social engineering and research. The idea that you can just guess someone’s password or “hack” a specific account/device by typing furiously on a keyboard for about 30 seconds is pure fantasy perpetuated by TV shows like CSI, NCIS and the like.

As for this case, I’m surprised that the US didn’t demand that Gamble be extradited to American to face trial here. I can’t find any mention of what kind of a sentence he’s facing, but given that the UK seems to exercise at least a little common sense, I’d guess it might be somewhere in the 5-10 years range. Which might seem like a long time, but if he was sentenced in the US, I have no doubt that it would be in the range of 30-50 years, if not longer.

Toom1275 (profile) says:

“Ok, hacking into the Pentagon…”
*taka taka taka*
“Double-click ‘YES’…”
*taka taka taka*
“Oh, a password… 50 billion combinations, hmm…”
“Oh, how did I know the password was Jeff? Oh, I know the guy who wrote this. His name was Jeff JeffJeff, born on the first of Jeff, 19JeffJeff. So I put in ‘Jeff’ and ayy.”

-Eddie Izzard, on what hacking is like in movies.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...