Wired and other media are reporting that the head of the CIA, John Brennan, had his personal email account hacked. The hacker, a teenager, talked to Wired about how he did it. It points to general weaknesses in the security of commercial online services that you should understand.
It is less of a surprise that Brennan’s commercial, consumer email account (it was an AOL account) was hacked than what he had in it.
- First, the fact that it was an AOL account. Probably an indication of his age. Hopefully, not an indication of his technical sophistication.
- The hackers (apparently, it was a team effort) posed as Verizon technicians and were able to socially engineer Verizon customer service out of his account number, PIN, backup mobile phone number, email address and the last 4 digits of his bank card number. The fact that they were able to do that is not a surprise, but it should be a concern. It points to the security processes that most commercial providers use being “somewhat lacking”.
- Once they had that information, they went to AOL, impersonated Brennan and said he was locked out. Using the information they got from Verizon, they got AOL to reset the password. Unfortunately, password resets are relatively easy to get providers (meaning all consumer online providers) to do.
- Brennan, for some pretty strange reason, had a number of sensitive, but likely unclassified, documents stored in his AOL account – his government security clearance form, which contains an identity thief’s dream information, a spreadsheet containing names and social security numbers of people who may be intelligence agents, and other files. That he would store this information in a public, commercial, consumer information service makes me nervous.
- Brennan attempted to recover his account and the hackers stole it again. Apparently, 3 times.
- Brennan finally deleted his account.
So what does this tell you?
First, don’t trust commercial, consumer online services not to be socially engineered. Unfortunately, commercial business class services are not much better.
Second, don’t trust those services’ security. If you are using one for something sensitive, you need to make sure that you overlay your own security (such as encryption, with you controlling the keys).
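What “overlaying your own security” looks like in practice is encrypting a file on your own machine before it ever goes into a mailbox or cloud drive, so that someone who talks a provider into a password reset gets only an opaque blob. The following is an added example written for this post, not code from AOL, Verizon or any of the services involved. It uses AES-256-GCM from the Go standard library, assumes the key is generated and kept only on the user’s own device (the key file name and the sample document contents are constructed for illustration), and binds the file name into the authentication tag so a stored blob cannot be quietly swapped or renamed without detection.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is the only thing that gets uploaded to the provider:
// a random 96-bit GCM nonce followed by ciphertext and authentication tag.
// The key never leaves the user's machine.
type Envelope []byte

// NewKey generates a random 256-bit AES key. Assumption for this example:
// the caller stores it locally (or on a hardware token), never in the mailbox.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds an AES-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key. The file name is passed as associated
// data: it is authenticated but not encrypted, so a blob decrypts only under
// the name it was sealed with.
func Seal(key, plaintext []byte, filename string) (Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(filename))
	return Envelope(append(nonce, ct...)), nil
}

// Open decrypts an envelope. Any modification of the stored blob, a wrong key,
// or a mismatched file name fails authentication and returns an error rather
// than silently returning garbage.
func Open(key []byte, env Envelope, filename string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(env) < gcm.NonceSize() {
		return nil, errors.New("envelope too short to contain a nonce")
	}
	nonce, ct := env[:gcm.NonceSize()], env[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(filename))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample document standing in for a clearance form.
	doc := []byte("constructed sample: clearance form with SSN and references")

	env, err := Seal(key, doc, "clearance-form.pdf")
	if err != nil {
		panic(err)
	}
	fmt.Printf("uploaded blob: %d bytes, none of it plaintext\n", len(env))

	// Legitimate owner, holding the key, recovers the document.
	pt, err := Open(key, env, "clearance-form.pdf")
	fmt.Println("owner decrypts correctly:", err == nil && bytes.Equal(pt, doc))

	// Someone who took over the mailbox sees the blob but has no key.
	attackerKey, _ := NewKey()
	_, err = Open(attackerKey, env, "clearance-form.pdf")
	fmt.Println("wrong key rejected:", err != nil)

	// A single flipped byte in storage is detected, not decrypted.
	tampered := append(Envelope(nil), env...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, tampered, "clearance-form.pdf")
	fmt.Println("tampering detected:", err != nil)
}
```

The important property is where the key lives: the provider can reset the password, hand the account to an impersonator, or be breached outright, and the attacker still holds only ciphertext. The trade-off is that losing the key loses the files, which is exactly the point of controlling it yourself.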
If you are a business, sometimes you can negotiate additional security with online service providers – you can always ask.
While the CIA is not confirming that this is real, there are a number of media sources reporting it and the CIA is not denying it, so it has some credibility. The files date back to 2009, so it is possible that Brennan had forgotten it existed.
For the nation’s head spy, this is a bit embarrassing.
Information for this post came from Wired.