Teen Hacker Who Social Engineered His Way Into Top-Level US Government Officials' Accounts Pleads Guilty To Ten Charges
from the barely-post-pubescent-wrecking-crew dept
The teenage hacker who tore CIA director John Brennan a new AOL-hole is awaiting sentencing in the UK. Kane Gamble, the apparent founder of hacker collective Crackas With Attitude, was able to access classified documents Brennan has forwarded to his personal email account by posing as a Verizon tech. Social engineering is still the best hacking tool. It’s something anyone anywhere can do. If you do it well, a whole host of supposedly-secured information can be had, thanks to multiple entities relying on the same personal identifiers to “verify” the social engineer they’re talking to is the person who owns accounts they’re granting access to.
Despite claiming he was motivated by American injustices perpetrated around the world (Palestine is namechecked in the teen’s multiple mini-manifestos), a lot of what Gamble participated in was plain, old fashioned harassment.
Gamble taunted his victims online, released personal information, bombarded them with calls and messages, downloaded pornography onto their computers and took control of their iPads and TV screens, a court heard.
This might be chalked up to Gamble’s youth or his supposed residence on the autism spectrum. But that’s not the limit of the chaos caused by his social engineering. He was able to gain access to the FBI’s law enforcement database and DHS boss Jeh Johnson’s voicemail. He apparently dumped a database of FBI 20,000 agents’ personal info and accessed email accounts of deputy national security advisor Avril Haines.
But there were other acts as well, some that resulted in plenty of people fearing for their safety.
He used his access to steal and post online personal details of Officer Darren Wilson who shot and killed black teenager Michael Brown in Ferguson Missouri.
At the same time he harassed the [FBI Deputy Director Mark] Giuliano family and people associated with them and bombarded them with calls, meaning that they were forced to seek protection from the intelligence agencies and an armed guard was placed at their home.
Mr Obama’s senior science and technology adviser John Holdren had his personal accounts hacked and Gamble passed all of his personal details to an accomplice who used them to make hoax calls to the local police claiming that there was a violent incident at Mr Holdren’s house resulting in an armed swat team being deployed.
Gamble has pled guilty to ten counts of criminal computer misuse. He has yet to be sentenced but I can’t imagine it will go well for him. What Gamble did was harmful to many people’s personal security and the harassment of family members of public officials crosses several lines, as does the SWATing. But he did expose plenty of weak leaks in the security protocols deployed by companies like Verizon and the US government itself. The reliance on the same security questions (names of pets, schools, maiden names, etc.) across multiple services often means accessing one will open up access to all of them. Once a primary account is compromised, it can be used to change login and security verification info for accounts reliant on it.
It also exposed how high-ranking government officials made these weak links even weaker. In CIA Director Brennan’s case, the sensitive documents Gamble accessed had been forwarded to an email account maintained by a third party. If Brennan had been more careful with his handling of classified documents — like keeping them in the secured systems they came from — Gamble wouldn’t have been able to view and/or distribute these to people who shouldn’t be seeing them.
Governments make weird enemies. Sometimes they’re teens residing in small council houses in the UK. But the enemies they make can do considerable damage armed with nothing more than a cellphone, a laptop, and an internet connection.
Filed Under: hacking, john brennan, kane gamble, social engineering
Comments on “Teen Hacker Who Social Engineered His Way Into Top-Level US Government Officials' Accounts Pleads Guilty To Ten Charges”
Secure Documents on an Unsecured System
Isn’t that a crime punishable by time in Ft. Leavenworth? Just some friendly advice, he is part of the “high court”, don’t hold your breath waiting for the charges to be filed. They got the kid, crisis over.
Re: Secure Documents on an Unsecured System
Hasn’t this already been covered by Hillary?
Re: Re: Secure Documents on an Unsecured System
She lost, get over it.
Re: Secure Documents on an Unsecured System
If he had a manifesto, odds are he counts as a lawful combatant, especially if he wears the same sort of clothes every day.
Imprisoning a foreign soldier, even a domestic rebel, for acting like a soldier is a war crime. Given how the US considers cyber-warfare, what the kid did is probably not illegal.
As a POW, he can be interned for ‘the duration’ but as an army of one, his war ended when he was captured.
He's never set foot in the US, how can these be crimes?
CIA justice.
Where’s the usual outcry for the free speech of this victim / whistleblower?
I bet his apparent sympathy for Palestine cancels that.
Re: He's never set foot in the US, how can these be crimes?
Perhaps your confusion lies within your bias.
Re: Re: He's never set foot in the US, how can these be crimes?
U R JEW
Re: Re: Re: He's never set foot in the US, how can these be crimes?
Stick to sticking crayons up your nose.
Re: He's never set foot in the US, how can these be crimes?
No, his abhorrent stalking and harassment cancels that. In any case this is not a speech issue, this is about a rebellious teen accessing personal and government accounts without prior authorisation, then using the information gleaned thereby to make people’s lives a misery.
SWAT-ing is not speech, it’s attempted murder.
Playing the game
There is always some risk involved when attempting to “stick it to the man”. This kid out of anyone should’ve known if it was worth the Gamble…
I’ll see myself out..
I fought the above-the-law, and the above-the-law won.
So you read all that and you felt sorry for this douchebag? Talk about victim blaming.
Let users make up their own security *questions*
Hackers have opportunities to assemble security-question info for users, eg mother’s maiden name, make of first car, names of family pets, etc. But the job would become useless if users were able to put in their own questions as well as their answers– really weird stuff that no computer search could generate, eg “What did your toddler break during Grandma’s Easter visit two years ago?”
Re: Let users make up their own security *questions*
Or just keep track of what lies you told to the security questions.
“What was your mother’s maiden name?”
Correct Horse Battery Staple
Re: Re: Let users make up their own security *questions*
Yeah, the “correct horse battery staple” method is ideal for generating security answers, because you want them to be something you can read over the phone in case you ever need to talk to tech support.
Re: Let users make up their own security *questions*
Which is fine until it’s 10 years later and your toddler is entering High School. . .and you no longer remember what year it was when you created the security question.
But the general idea is sound up to a point. Forcing users to make up their own questions doesn’t prevent them from duplicating them across multiple sites. Frankly, it’s probably easier to request the users to put in fake answers to standard security questions. The smart ones will store the fakes with their password manager. The dumb ones probably can’t be helped. There’s always the legit user who can’t remember their password OR the answers to the security questions, and they’ll always be vulnerable if they don’t use the tools needed to make them less so.
Gross negligence
> In CIA Director Brennan’s case, the sensitive documents Gamble accessed had been forwarded to an email account maintained by a third party. If Brennan had been more careful with his handling of classified documents…
Brennan must’ve known this was against protocol. I don’t have a clearance and even I know that you are NOT allowed to take classified material and put it on unsecured systems.
Fuck em
they can’t stand the heat get the fuck out of the kitchen
this from the largest military spy complex in the whole world that just cried to the American public that their largest military budget in the whole world was being held hostage by Democrats by not giving them more money to spy on everyone ???????
Re: Re:
Why do you think we’re constantly complaining about it? It’s not just the routine violations by their own staff, it’s the vulnerability to bad actors that raise our hackles.
Yes, I plead guilty to
easily tricking you fucking dipshits, you made it so easy I just could not resist.
It’s a shame we are not sending Brennan to jail instead for being a total fucking tool who failed to protect “national security”
Re: Yes, I plead guilty to
Won’t happen; Establishment types get a slap on the wrist, the rest of us get hard time.
Misuse of SWAT team
I’m disappointed, but not all that surprised, that the bogus SWAT raid against Someone Important didn’t turn into even token attempts to get the SWAT teams to be a little more circumspect. This was a perfect opportunity for the right people to learn that you can’t trust easily-forged messages when deciding where and when to deploy deadly force.
The correct repsonse <i>should be</i> to jail those that fell for this <b>basic-level scam</b>. Because they clearly cannot be trusted with either our votes or our security.
Soooooo, a UK kid hacks the most powerful intelligence agencies in the world. Right.
Except for when hackers discover a security flaw and exploit it, most hacking is done through social engineering and research. The idea that you can just guess someone’s password or “hack” a specific account/device by typing furiously on a keyboard for about 30 seconds is pure fantasy perpetuated by TV shows like CSI, NCIS and the like.
As for this case, I’m surprised that the US didn’t demand that Gamble be extradited to American to face trial here. I can’t find any mention of what kind of a sentence he’s facing, but given that the UK seems to exercise at least a little common sense, I’d guess it might be somewhere in the 5-10 years range. Which might seem like a long time, but if he was sentenced in the US, I have no doubt that it would be in the range of 30-50 years, if not longer.
The “victims” really have nobody else to blame but themselves for refusing to have functioning opsec.
Same goes for the reviewers who insist that all Hollywood screeners have to be sent to them in DVD format because the idea of streaming gives them a miniature heart attack.
“Ok, hacking into the Pentagon…”
*taka taka taka*
“Double-click ‘YES’…”
*taka taka taka*
“Oh, a password… 50 billion combinations, hmm…”
“Jeff…”
“Hey!”
“Oh, how did I know the password was Jeff? Oh, I know the guy who wrote this. His name was Jeff JeffJeff, born on the first of Jeff, 19JeffJeff. So I put in ‘Jeff’ and ayy.”
-Eddie Izzard, on what hacking is like in movies.
If a punk with a laptop was able to do all of that just imagine what nation-states and other organized outfits must be getting hold of.
Re: Re:
Exactly.