Establishing Digital Trust: Don't Sacrifice Security for Convenience
A high school aged hacker recently told the New York Post that he'd breached the personal AOL email account of CIA director John Brennan on October 12, 2015.
According to the Post, files obtained by the hacker included Brennan's 47-page application for top secret security clearance, along with the Social Security numbers of over a dozen top U.S. intelligence officials.
A law enforcement source told the Post the FBI and other federal agencies are likely to pursue criminal charges against the hacker, who remains active on Twitter. "I think they'll want to make an example out of him to deter people from doing this in the future," the source said.
"[The] problem with these older-generation guys is that they don't know anything about cyber security, and as you can see, it can be problematic," the source added.
The hacker, who also claimed to have accessed the personal Comcast email account of Homeland Security Secretary Jeh Johnson, told WIRED that he and two others gained access to Brennan's account through social engineering, by posing as a Verizon employee to trick another employee into revealing Brennan's personal information.
The Verizon employee apparently provided the hackers with Brennan's account number, four-digit PIN, backup mobile number, AOL email address, and the last four digits of his credit card.
"[A]fter getting that info, we called AOL and said we were locked out of our AOL account," the hacker said. "They asked security questions like the last 4 on [the bank] card and we got that from Verizon so we told them that and they reset the password."
Among the emails the hackers were able to view were some that Brennan had forwarded from his government email address to his personal email address, several of them with sensitive documents attached.
IDT911 chairman and founder Adam Levin told eSecurity Planet by email that the news begs the question, what part of the concept that the Cyber War has replaced the Cold War isn't clear to high-ranking intelligence officials? "In light of the relentless and sophisticated assaults on public and private sector American databases (and the Hilary email-gate issue that won't die -- Bernie Sanders to the contrary notwithstanding), it should cause countless sleepless nights for our leaders in Washington as well as the rest of us," he said.
"Breaches have become the third certainty in life," Levin added. "U.S. government agencies and officials are in the cross-hairs of state-sponsored, cause and 'because I can' hackers. Email (especially unencrypted email) is both the wrong conduit and the absolute wrong storage environment for sensitive personal information, much less information that might be considered 'classified.'"
"And the fact that clever social engineering enabled this young fellow to gather significant rose buds of PII from major American corporations confirms yet again that we have not adopted the culture of security so desperately required in today's globalized and interconnected world," Levin said.