
CIA Director's Personal Email Account Breached By Hackers... Who Find Official Documents Stored In It

from the FWD:FWD:FWD:-classified-data-[KEEP-SAFE!] dept

LOL. Cybersecurity.

The Central Intelligence Agency will make one of the biggest overhauls in its nearly 70-year history, aimed in part at sharpening its focus on cyber operations and incorporating digital innovations, CIA director John Brennan said.

Brennan said he is creating new units within the CIA, called "mission centers," intended to concentrate the agency's focus on specific challenges or geographic areas, such as weapons proliferation or Africa.

The CIA director said he also is establishing a new "Directorate of Digital Innovation" to lead efforts to track and take advantage of advances in cyber technology to gather intelligence.
WHERE DO I SIGN UP?!?
A hacker who claims to have broken into the AOL account of CIA Director John Brennan says he obtained access by posing as a Verizon worker to trick another employee into revealing the spy chief’s personal information.

Using information like the four digits of Brennan’s bank card, which Verizon easily relinquished, the hacker and his associates were able to reset the password on Brennan’s AOL account repeatedly as the spy chief fought to regain control of it.
Brennan: leading from the rear. "Digital innovations," "cyber operations," and a CIA director who forwards work email to his AOL account.

Now, there is very little anyone can do to prevent hacking via social engineering. There are too many weak links, many of which will probably be attending some mandatory training classes on account security in the near future. Not that it will help. As long as nearly every company uses the same list of personal info for identity verification, social engineering will continue to crack open secured accounts.

The hackers posed as Verizon techs. After producing a fabricated "Vcode" (an identifier that "verifies" a person as a Verizon employee), Verizon gave up the information the hackers needed to gain control of Brennan's AOL account: PIN, backup phone number, email address and last four digits of his credit card.

They then called AOL to tell them they were locked out of "their" account. The information handed over by Verizon answered all of AOL's verification questions. And in they went, uncovering -- among other things -- the SF-86 application Brennan had filled out to apply for security clearances. They also discovered -- and posted -- screenshots of a spreadsheet apparently listing names and social security numbers of intelligence officials.


There's been no document dump, so it's unclear at this point how many work emails and documents Brennan forwarded to himself or if he used his AOL account to conduct official business. The thing is, Brennan should have known this was a terrible idea, no matter how convenient it was for him to peruse CIA docs from an email account he could access anywhere. He may not have been able to prevent the social engineering attack, but he could have ensured his personal email account only contained personal email. And I'm pretty sure the CIA frowns on taking official documents off-site, even if "Forward email" is used rather than an attaché case.


Reader Comments



  • Violynne (profile), 20 Oct 2015 @ 8:46am

    Brennan's response:
    Bring me the heads of these hackers by month's end.

    Accountability: 0
    Abuse of Power: off the charts

    For those who hacked, best tweet Snowden on some advice on how to leave the country. The CIA (via the NSA's tools) will stop at nothing to track you down.

    Good luck!


  • Anonymous Coward, 20 Oct 2015 @ 9:34am

    If only we had CISPA, this never would have happened...


  • Anonymous Coward, 20 Oct 2015 @ 9:44am

    stop at nothing

    yeah, it's almost like they swapped out the flag at the brooklyn bridge, or something.


  • pixelpusher220 (profile), 20 Oct 2015 @ 9:44am

    *His* SF-86

    This is not a security violation. It's his personal info in his personal email account. Granted it has info on people he's offering up to interview for his clearance, but they gave it to him willingly. Little different than an app asking for access to your contacts on your phone.

    Stupid to have it just sitting there, but as a fellow cleared person, it is sometimes handy to have reference to that data. A thumb drive would be a better choice, but then I suppose that would be against policy too; bringing in personal thumb drives...


    • Whoever, 20 Oct 2015 @ 9:55am

      Re: *His* SF-86

      This is not a security violation. It's his personal info in his personal email account.

      Did you not even read the summary?
      They also discovered -- and posted -- screenshots of a spreadsheet apparently listing names and social security numbers of intelligence officials.
      I am pretty sure that a list of intelligence officials is not *his* personal information.


    • Anonymous Coward, 20 Oct 2015 @ 9:57am

      Re: *His* SF-86

      Stupid in the extreme for such data to be held unencrypted on a server outside the organisation's control. While the external hacker is making the breach public, who knows the loyalties of the people working for AOL, and which governments are paying them. The AOL company could be a spies' paradise.


    • Anonymous Coward, 22 Oct 2015 @ 12:13am

      Re: *His* SF-86

      but as a fellow cleared person

      You Scientologists always stick together, don't ya?


  • Anonymous Coward, 20 Oct 2015 @ 9:48am

    Looks like he and google have a motto in common.

    "Do as I say, not as I do!"


  • Anonymous Coward, 20 Oct 2015 @ 9:50am

    You have to wonder how this CIA Director got past security clearance for the job.


  • avideogameplayer, 20 Oct 2015 @ 9:53am

    What was that about wanting backdoors?


    • Jeff Green (profile), 21 Oct 2015 @ 4:34am

      Re:

      Well since Apple and co claim backdoors are impossible he had to install his own! Now if everyone would just forward all their email to insecure accounts how easy it would be ...


  • PRMan, 20 Oct 2015 @ 10:16am

    He failed question #1...

    How does a "cyber-security professional" have an AOL account?!?


    • tom (profile), 20 Oct 2015 @ 10:33am

      Re: He failed question #1...

      Nothing wrong with having an AOL or yahoo type email account for your Personal, non-secure crap. His mistake was using it IN ANY FASHION for work related info. The whole point of most web-mail based systems is to allow the provider to data mine all of the user's emails for information.

      Sending that spreadsheet full of PII should result in the CIA having to send out data breach notifications and the resulting liability for possible identity theft. Plus a review of that person's suitability for his job. Didn't he hear about that small ruckus over Hillary's email server? What kind of intelligence gathering ability does the CIA have anyway? This failure to connect the dots doesn't fill me with great confidence.


    • DannyB (profile), 20 Oct 2015 @ 10:38am

      Re: He failed question #1...

      > How does a "cyber-security professional" have an AOL account?!?

      Maybe getting an AOL account was the easiest way to get AOL to stop sending him floppy disks?

      Then CDs came along, but he didn't have any use for them since his vacation homes were already fully tiled in the decorative floppy disks.


  • Anonymous Coward, 20 Oct 2015 @ 10:18am

    That's not really hacking. More like phishing. I remember AOL instant messages used to always have a warning that says AOL staff will never ask you for your password. Despite this I always got random instant messages from random people claiming to work for AOL and needing my password. Apparently enough people fell for it at the time to encourage all these phishers to keep asking for personal information. I thought phishing was a dead art. Didn't think people still fell for that.


  • alternatives(), 20 Oct 2015 @ 10:22am

    Lets see if the 'bulk metadata collection'

    can bring these people to a court trial.

    And then lets see the quality of the trial.


    • Anonymous Coward, 20 Oct 2015 @ 12:42pm

      Re: Lets see if the 'bulk metadata collection'

      you mean the secret courts with secret witnesses and secret evidence the defence and judge are not allowed to see. Since it would compromise national security if they were given access to the supposed evidence the government says it has to prosecute their victim.


  • DannyB (profile), 20 Oct 2015 @ 10:28am

    Misprint in the Reuters article headline?

    Was:
    CIA to make sweeping changes, focus more on cyber ops

    Intended?
    CIA to make sweeping changes, focus more on cyber Ooops


  • Rich Kulawiec, 20 Oct 2015 @ 10:28am

    Yet another example of meta-risks in data collection

    There has been (and will continue to be) copious discussion of the risks of allowing governments and corporations to collect private data on individuals. But one of the often-overlooked aspects of that issue is that disclosure and abuse is possible not just by the collectors themselves, but by anyone clever enough to hack them.

    Consider this case: if it's really true that the people who pulled this off were teenagers, then (a) does anyone think they're the first ones to succeed? and (b) if they weren't the first ones, who were the others?

    The massive data collections being assembled every day are touted by their proponent as weapons (against terror, the bogeyman du jour) or as tools. And perhaps, if we take a very generous view of them, they are. But they're also enormous, extremely tempting targets. And when the people at top of the food chain provide textbook demonstrations of worst practices in security, we know they're vulnerable targets.

    And that's the meta-risk: indirect acquisition and exploitation by third parties. In this case, it appears to have been someone with a point to make. But what if it's not, this time or the next time?


  • Digitari, 20 Oct 2015 @ 10:45am

    John Brennan

    "But I've had this email account for decades, and I use my middle name for the password, so it's secure, right? It always was in the past."


  • Anonymous Coward, 20 Oct 2015 @ 11:08am

    Dear John Brennan,

    Half-ass your own data protection, leave mine alone.


  • hij (profile), 20 Oct 2015 @ 11:13am

    Like A Personal Email Server

    At least he was not using his own personal email server. Oh wait... I think that Secretary Clinton screwed up with the email server and have been dismayed by her inability to come clean (but not surprised). If the US Congress is going to spend millions of dollars on her situation then they should be crawling up this guy's back side as well. What he did is just as bad if not worse.


    • DannyB (profile), 20 Oct 2015 @ 12:36pm

      Re: Like A Personal Email Server

      As you say it may be reasonable that this guy be investigated as much as Hillary.

      The reality is, regardless of political party, congress only spends millions of dollars on an investigation, such as Hillary, when one party makes congress begin the investigation, and the action is against someone of an opposing party, or somehow considered an enemy.


  • David, 20 Oct 2015 @ 11:16am

    On the positive side

    Hillary's account couldn't have gotten social engineered - it was her own server. It would be unlikely if any telecom/etc. would have been able to reset her password to allow a hacker access.


  • Pronounce (profile), 20 Oct 2015 @ 11:38am

    Security Epic Fail!

    Now tell me again why we want government spy agencies to have a set of master keys to our encryption?


  • Tim, 20 Oct 2015 @ 11:47am

    Re

    After laughing for several minutes, I concluded that he should be fucking fired for that. What a dipshit.


  • Anonymous Coward, 20 Oct 2015 @ 11:47am

    Brennan got his cyber security advice from Petraeus

    or Petraeus's mistress...


  • Anonymous Coward, 20 Oct 2015 @ 12:02pm

    And Hillary is the bad guy here, when the government can't seem to keep their shit locked down, seems she's the only one that was secure.


    • Anonymous Coward, 20 Oct 2015 @ 1:14pm

      Re:

      You have utterly failed with your comment, unless your goal was to include as many factual errors as possible.
      And Hillary is the bad guy here ,

      Hillary is widely acknowledged as being female, even by Trump.
      when the government can't seem to keep their shit locked down ,

      This story is specifically about abuse of non-government e-mail, not about containment of government owned fecal matter. For more information on that topic, you may review any of the recent stories about Congress.
      seems she's the only one that was secure.

      Hillary's e-mail was only considered secure by Hillary.


  • DocGerbil100 (profile), 20 Oct 2015 @ 1:21pm

    Americans...

    Bah...


  • Anonymous Coward, 20 Oct 2015 @ 1:50pm

    yep! no need at all for encryption! no one will ever get into official email accounts!
    hmm. wonder what happened here then?


  • Anonymous Coward, 20 Oct 2015 @ 2:06pm

    He must be Republican; if it was Hillary, they'd demand pitchforks and fires! She kept a secured standalone system; this is an idiotic free public-access cloud service. The stupidity is just overwhelming.


    • nasch (profile), 21 Oct 2015 @ 7:38am

      Re:

      He must be Republican, if it was Hilary, they'd demand pitchforks and fires!

      I don't know about his personal politics, but he was appointed by Obama.


  • Anonymous Coward, 20 Oct 2015 @ 2:31pm

    Both Twitter links broken

    Either the links are bad or Twitter has taken the images away.


  • That Anonymous Coward (profile), 20 Oct 2015 @ 7:44pm

    Imagine the unthinkable...
    We are at war halfway around the globe because someone's AOL account got hacked, and to cover up all of the secrets they had exfiltrated they came up with a giant distraction.

    Perhaps it is time to find people who have a fucking clue to come in and clean up this giant mess that people too stupid to have power have created. They pay out money to corporations who have the evidence of the stupidity and keep it quiet as long as the contracts keep coming, and they pay a little to keep their idiot buddy in power because they will fuck up again and they will gain more influence.

    The terrifying thought hitting you right now, is I could be right.


  • Anonymous Coward, 21 Oct 2015 @ 12:53am

    AOL wasn't hacked!!

    AOL wasn't the system that was hacked.

    VERIZON was!

    Verizon coughed up the info that allowed the normal unlock-procedure for the AOL account.


  • john may, 21 Oct 2015 @ 9:40am

    Let me begin by asserting that I am not responsible for this, and I support the USA. The Internet tough guys in this thread, however, gave me a good laugh, and I invite them to pretend it was me, and give me their worst. lol Where are those billions the Obama admin has spent for cyber security gone? Fed hackers and investigators are always simple for me to identify, in 2 minutes maximum. They always have million dollar toys, yet lack the skills to properly utilize them. This is actually a blessing in disguise because their target selection is often incredibly misguided.


