CIA Director's Personal Email Account Breached By Hackers... Who Find Official Documents Stored In It
from the FWD:FWD:FWD:-classified-data-[KEEP-SAFE!] dept
The Central Intelligence Agency will make one of the biggest overhauls in its nearly 70-year history, aimed in part at sharpening its focus on cyber operations and incorporating digital innovations, CIA director John Brennan said.
WHERE DO I SIGN UP?!?
Brennan said he is creating new units within the CIA, called "mission centers," intended to concentrate the agency's focus on specific challenges or geographic areas, such as weapons proliferation or Africa.
The CIA director said he also is establishing a new "Directorate of Digital Innovation" to lead efforts to track and take advantage of advances in cyber technology to gather intelligence.
A hacker who claims to have broken into the AOL account of CIA Director John Brennan says he obtained access by posing as a Verizon worker to trick another employee into revealing the spy chief’s personal information.
Brennan: leading from the rear. "Digital innovations," "cyber operations," and a CIA director who forwards work email to his AOL account.
Using information like the four digits of Brennan’s bank card, which Verizon easily relinquished, the hacker and his associates were able to reset the password on Brennan’s AOL account repeatedly as the spy chief fought to regain control of it.
Now, there is very little anyone can do to prevent hacking via social engineering. There are too many weak links, many of which will probably be attending some mandatory training classes on account security in the near future. Not that it will help. As long as nearly every company uses the same list of personal info for identity verification, social engineering will continue to crack open secured accounts.
The hackers posed as Verizon techs. After they produced a fabricated "Vcode" (an identifier that "verifies" a person as a Verizon employee), Verizon gave up the information the hackers needed to gain control of Brennan's AOL account: PIN, backup phone number, email address and last four digits of his credit card.
They then called AOL to tell them they were locked out of "their" account. The information handed over by Verizon answered all of AOL's verification questions. And in they went, uncovering -- among other things -- the SF-86 application Brennan had filled out to apply for security clearances. They also discovered -- and posted -- screenshots of a spreadsheet apparently listing names and social security numbers of intelligence officials.
There's been no document dump, so it's unclear at this point how many work emails and documents Brennan forwarded to himself or if he used his AOL account to conduct official business. The thing is, Brennan should have known this was a terrible idea, no matter how convenient it was for him to peruse CIA docs from an email account he could access anywhere. He may not have been able to prevent the social engineering attack, but he could have ensured his personal email account only contained personal email. And I'm pretty sure the CIA frowns on taking official documents off-site, even if "Forward email" is used rather than an attaché case.
Filed Under: breach, cia, classified info, hacked, john brennan
Reader Comments
Bring me the heads of these hackers by month's end.
Accountability: 0
Abuse of Power: off the charts
For those who hacked, best tweet Snowden on some advice on how to leave the country. The CIA (via the NSA's tools) will stop at nothing to track you down.
Good luck!
[ link to this | view in chronology ]
Re:
(or should I have said Eric Snowden?)
[ link to this | view in chronology ]
yeah, it's almost like they swapped out the flag at the brooklyn bridge, or something.
[ link to this | view in chronology ]
*His* SF-86
Stupid to have it just sitting there, but as a fellow cleared person, it is sometimes handy to have reference to that data. A thumb drive would be a better choice, but then I suppose that would be against policy too; bringing in personal thumb drives...
[ link to this | view in chronology ]
Re: *His* SF-86
Did you not even read the summary?
I am pretty sure that a list of intelligence officials is not *his* personal information.
[ link to this | view in chronology ]
Re: *His* SF-86
You Scientologists always stick together, don't ya?
[ link to this | view in chronology ]
Looks like he and google have a motto in common.
[ link to this | view in chronology ]
He failed question #1...
[ link to this | view in chronology ]
Re: He failed question #1...
Sending that spreadsheet full of PII should result in the CIA having to send out data breach notifications and the resulting liability for possible identity theft. Plus a review of that person's suitability for his job. Didn't he hear about that small ruckus over Hillary's email server? What kind of intelligence gathering ability does the CIA have anyway? This failure to connect the dots doesn't fill me with great confidence.
[ link to this | view in chronology ]
Re: He failed question #1...
Maybe getting an AOL account was the easiest way to get AOL to stop sending him floppy disks?
Then CDs came along, but he didn't have any use for them since his vacation homes were already fully tiled in the decorative floppy disks.
[ link to this | view in chronology ]
Re:
If hacking is broadly defined as illicitly gaining access to a computer system, then this certainly qualified.
[ link to this | view in chronology ]
Re: Re: Re:
https://en.wikipedia.org/wiki/Hacker_%28computer_security%29
http://www.thefreedictionary.com/hack
https://en.wiktionary.org/wiki/hack#Verb
[ link to this | view in chronology ]
Let's see if the 'bulk metadata collection'
And then let's see the quality of the trial.
[ link to this | view in chronology ]
Misprint in the Reuters article headline?
CIA to make sweeping changes, focus more on cyber ops
Intended?
CIA to make sweeping changes, focus more on cyber Ooops
[ link to this | view in chronology ]
Yet another example of meta-risks in data collection
Consider this case: if it's really true that the people who pulled this off were teenagers, then (a) does anyone think they're the first ones to succeed? and (b) if they weren't the first ones, who were the others?
The massive data collections being assembled every day are touted by their proponents as weapons (against terror, the bogeyman du jour) or as tools. And perhaps, if we take a very generous view of them, they are. But they're also enormous, extremely tempting targets. And when the people at the top of the food chain provide textbook demonstrations of worst practices in security, we know they're vulnerable targets.
And that's the meta-risk: indirect acquisition and exploitation by third parties. In this case, it appears to have been someone with a point to make. But what if it's not, this time or the next time?
[ link to this | view in chronology ]
John Brennan
[ link to this | view in chronology ]
Half ass your own data protection, leave mine alone.
[ link to this | view in chronology ]
Like A Personal Email Server
[ link to this | view in chronology ]
Re: Like A Personal Email Server
The reality is, regardless of political party, congress only spends millions of dollars on an investigation, such as Hillary, when one party makes congress begin the investigation, and the action is against someone of an opposing party, or somehow considered an enemy.
[ link to this | view in chronology ]
On the positive side
[ link to this | view in chronology ]
Security Epic Fail!
[ link to this | view in chronology ]
Brennan got his cyber security advice from Petraeus
[ link to this | view in chronology ]
Re:
Hillary is widely acknowledged as being female, even by Trump.
This story is specifically about abuse of non-government e-mail, not about containment of government owned fecal matter. For more information on that topic, you may review any of the recent stories about Congress.
Hillary's e-mail was only considered secure by Hillary.
[ link to this | view in chronology ]
Americans...
[ link to this | view in chronology ]
hmm. wonder what happened here then?
[ link to this | view in chronology ]
Re:
I don't know about his personal politics, but he was appointed by Obama.
[ link to this | view in chronology ]
Both Twitter links broken
[ link to this | view in chronology ]
We are at war halfway around the globe because someone's AOL account got hacked, and to cover up all of the secrets they had exfiltrated they came up with a giant distraction.
Perhaps it is time to find people who have a fucking clue to come in and clean up this giant mess of people too stupid to have power have created. They pay out money to corporations who have the evidence of the stupidity and keep it quiet as long as the contracts keep coming, and they pay a little to keep their idiot buddy in power because they will fuck up again and they will gain more influence.
The terrifying thought hitting you right now, is I could be right.
[ link to this | view in chronology ]
AOL wasn't hacked!!
VERIZON was!
Verizon coughed up the info that allowed the normal unlock-procedure for the AOL account.
[ link to this | view in chronology ]