CIA Director's Personal Email Account Breached By Hackers... Who Find Official Documents Stored In It

from the FWD:FWD:FWD:-classified-data-[KEEP-SAFE!] dept

Tue, Oct 20th 2015 9:32am — Tim Cushing

The Central Intelligence Agency will make one of the biggest overhauls in its nearly 70-year history, aimed in part at sharpening its focus on cyber operations and incorporating digital innovations, CIA director John Brennan said.

Brennan said he is creating new units within the CIA, called "mission centers," intended to concentrate the agency's focus on specific challenges or geographic areas, such as weapons proliferation or Africa.

The CIA director said he also is establishing a new "Directorate of Digital Innovation" to lead efforts to track and take advantage of advances in cyber technology to gather intelligence.

WHERE DO I SIGN UP?!?

A hacker who claims to have broken into the AOL account of CIA Director John Brennan says he obtained access by posing as a Verizon worker to trick another employee into revealing the spy chief’s personal information.

Using information like the four digits of Brennan’s bank card, which Verizon easily relinquished, the hacker and his associates were able to reset the password on Brennan’s AOL account repeatedly as the spy chief fought to regain control of it.

Brennan: leading from the rear. "Digital innovations," "cyber operations," and a CIA director who forwards work email to his AOL account.

Now, there is very little anyone can do to prevent hacking via social engineering. There are too many weak links, many of which will probably be attending some mandatory training classes on account security in the near future. Not that it will help. As long as nearly every company uses the same list of personal info for identity verification, social engineering will continue to crack open secured accounts.

The hackers posed as Verizon techs. After producing a fabricated "Vcode" (an identifier that "verifies" a person as a Verizon employee), Verizon gave up the information the hackers needed to gain control of Brennan's AOL account: PIN, backup phone number, email address and last four digits of his credit card.

They then called AOL to tell them they were locked out of "their" account. The information handed over by Verizon answered all of AOL's verification questions. And in they went, uncovering -- among other things -- the SF-86 application Brennan had filled out to apply for security clearances. They also discovered -- and posted -- screenshots of a spreadsheet apparently listing names and social security numbers of intelligence officials.

There's been no document dump, so it's unclear at this point how many work emails and documents Brennan forwarded to himself or if he used his AOL account to conduct official business. The thing is, Brennan should have known this was a terrible idea, no matter how convenient it was for him to peruse CIA docs from an email account he could access anywhere. He may not have been able to prevent the social engineering attack, but he could have ensured his personal email account only contained personal email. And I'm pretty sure the CIA frowns on taking official documents off-site, even if "Forward email" is used rather than an attache case.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: breach, cia, classified info, hacked, john brennan

45 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Violynne (profile), 20 Oct 2015 @ 8:46am

Brennan's response:
Bring me the heads of these hackers by month's end.

Accountability: 0
Abuse of Power: off the charts

For those who hacked, best tweet Snowden on some advice on how to leave the country. The CIA (via the NSA's tools) will stop at nothing to track you down.

Good luck!
[ link to this | view in chronology ]
- DannyB (profile), 20 Oct 2015 @ 9:40am
  
  Re:
  Brennan: I will fully cooperate with investigators to assist in finding some unrelated low level person to blame this on.
  [ link to this | view in chronology ]
  - Anonymous Coward, 20 Oct 2015 @ 9:45am
    
    Re: Re:
    "My admin assistant set up the forwarding for me. I don't know how email works!"
    [ link to this | view in chronology ]
- Pronounce (profile), 20 Oct 2015 @ 11:45am
  
  Re:
  Two things are guaranteed in Washington: No one with power will accept blame for their actions, and those with too little power will suffer for the failure of those with power.
  [ link to this | view in chronology ]
Anonymous Coward, 20 Oct 2015 @ 9:34am

If only we had CISPA, this never would have happened...
[ link to this | view in chronology ]
- DannyB (profile), 20 Oct 2015 @ 10:32am
  
  Re:
  Maybe there is some way this could be blamed on Edward Snowden.
  
  (or should I have said Eric Snowden?)
  [ link to this | view in chronology ]
Anonymous Coward, 20 Oct 2015 @ 9:44am

stop at nothing

yeah, it's almost like they swapped out the flag at the brooklyn bridge, or something.
[ link to this | view in chronology ]
pixelpusher220 (profile), 20 Oct 2015 @ 9:44am

*His* SF-86
This is not a security violation. It's his personal info in his personal email account. Granted it has info on people he's offering up to interview for his clearance, but they gave it to him willingly. Little different than an app asking for access to your contacts on your phone.

Stupid to have it just sitting there, but as a fellow cleared person, it is sometimes handy to have reference to that data. A thumb drive would be a better choice, but then I suppose that would be against policy too; bringing in personal thumb drives...
[ link to this | view in chronology ]
- Whoever, 20 Oct 2015 @ 9:55am
  
  Re: *His* SF-86
  This is not a security violation. It's his personal info in his personal email account.
  
  Did you not even read the summary?
  
  They also discovered -- and posted -- screenshots of a spreadsheet apparently listing names and social security numbers of intelligence officials.
  I am pretty sure that a list of intelligence officials is not *his* personal information.
  [ link to this | view in chronology ]
- Anonymous Coward, 20 Oct 2015 @ 9:57am
  
  Re: *His* SF-86
  Stupid in the extreme for such data to be held unencrypted on a server outside the organisations control. While the external hacker is making the breach public, who knows the loyalties of the people working for AOL, and which Governments are paying them. AOL company could be a spies paradise.
  [ link to this | view in chronology ]
- Anonymous Coward, 22 Oct 2015 @ 12:13am
  
  Re: *His* SF-86
  but as a fellow cleared person
  
  You Scientologists always stick together, don't ya?
  [ link to this | view in chronology ]
Anonymous Coward, 20 Oct 2015 @ 9:48am

Looks like he and google have a motto in common.
"Do as I say, not as I do!"
[ link to this | view in chronology ]
Anonymous Coward, 20 Oct 2015 @ 9:50am

You have to wonder how this CIA Director got past security clearance for the job.
[ link to this | view in chronology ]
avideogameplayer, 20 Oct 2015 @ 9:53am

What was that about wanting backdoors?
[ link to this | view in chronology ]
- Jeff Green (profile), 21 Oct 2015 @ 4:34am
  
  Re:
  Well since Apple and co claim backdoors are impossible he had to install his own! Now if everyone would just forward all their email to insecure accounts how easy it would be ...
  [ link to this | view in chronology ]
PRMan, 20 Oct 2015 @ 10:16am

He failed question #1...
How does a "cyber-security professional" have an AOL account?!?
[ link to this | view in chronology ]
- tom (profile), 20 Oct 2015 @ 10:33am
  
  Re: He failed question #1...
  Nothing wrong with having an AOL or yahoo type email account for your Personal, non-secure crap. His mistake was using it IN ANY FASHION for work related info. The whole point of most web-mail based systems is to allow the provider to data mine all of the user's emails for information.
  
  Sending that spreadsheet full of PII should result in the CIA having to send out data breach notifications and the resulting liability for possible identity theft. Plus a review of that person's suitability for his job. Didn't he hear about that small ruckus over Hillary's email server? What kind of intelligence gathering ability does the CIA have anyway? This failure to connect the dots doesn't fill me with great confidence.
  [ link to this | view in chronology ]
- DannyB (profile), 20 Oct 2015 @ 10:38am
  
  Re: He failed question #1...
  > How does a "cyber-security professional" have an AOL account?!?
  
  Maybe getting an AOL account was the easiest way to get AOL to stop sending him floppy disks?
  
  Then CDs came along, but he didn't have any use for them since his vacation homes were already fully tiled in the decorative floppy disks.
  [ link to this | view in chronology ]
Anonymous Coward, 20 Oct 2015 @ 10:18am

That's not really hacking. More like phishing. I remember AOL instant messages used to always have a warning that says AOL staff will never ask you for your password. Despite this I always got random instant messages from random people claiming to work for AOL and needing my password. Apparently enough people fell for it at the time to encourage all these phishers to keep asking for personal information. I thought phishing was a dead art. Didn't think people still fell for that.
[ link to this | view in chronology ]
- Anonymous Coward, 20 Oct 2015 @ 10:39am
  
  Re:
  Phishing is no where near a dead art. It is one of the most popular was to get on "the inside"
  [ link to this | view in chronology ]
- nasch (profile), 21 Oct 2015 @ 7:27am
  
  Re:
  That's not really hacking. More like phishing.
  
  If hacking is broadly defined as illicitly gaining access to a computer system, then this certainly qualified.
  [ link to this | view in chronology ]
  - John Fenderson (profile), 21 Oct 2015 @ 7:45am
    
    Re: Re:
    But that's not how hacking is defined.
    [ link to this | view in chronology ]
    - nasch (profile), 21 Oct 2015 @ 9:32am
      
      Re: Re: Re:
      I disagree.
      
      https://en.wikipedia.org/wiki/Hacker_%28computer_security%29
      http://www.thefreedictionary.co m/hack
      https://en.wiktionary.org/wiki/hack#Verb
      [ link to this | view in chronology ]
alternatives(), 20 Oct 2015 @ 10:22am

Lets see if the 'bulk metadata collection'
can bring these people to a court trial.

And then lets see the quality of the trial.
[ link to this | view in chronology ]
- Anonymous Coward, 20 Oct 2015 @ 12:42pm
  
  Re: Lets see if the 'bulk metadata collection'
  you mean the secret courts with secret witnesses and secret evidence the defence and judge are not allowed to see. Since it would compromise national security if they were given access to the supposed evidence the government says it has to prosecute their victim.
  [ link to this | view in chronology ]
DannyB (profile), 20 Oct 2015 @ 10:28am

Misprint in the Reuters article headline?
Was:
CIA to make sweeping changes, focus more on cyber ops

Intended?
CIA to make sweeping changes, focus more on cyber Ooops
[ link to this | view in chronology ]
Rich Kulawiec, 20 Oct 2015 @ 10:28am

Yet another example of meta-risks in data collection
There has been (and will continue to be) copious discussion of the risks of allowing governments and corporations to collect private data on individuals. But one of the often-overlooked aspects of that issue is that disclosure and abuse is possible not just by the collectors themselves, but by anyone clever enough to hack them.

Consider this case: if it's really true that the people who pulled this off were teenagers, then (a) does anyone think they're the first ones to succeed? and (b) if they weren't the first ones, who were the others?

The massive data collections being assembled every day are touted by their proponent as weapons (against terror, the bogeyman du jour) or as tools. And perhaps, if we take a very generous view of them, they are. But they're also enormous, extremely tempting targets. And when the people at top of the food chain provide textbook demonstrations of worst practices in security, we know they're vulnerable targets.

And that's the meta-risk: indirect acquisition and exploitation by third parties. In this case, it appears to have been someone with a point to make. But what if it's not, this time or the next time?
[ link to this | view in chronology ]
Digitari, 20 Oct 2015 @ 10:45am

John Brennan
"But I've had this email account for decades, and I use my middle name for the password, so it's secure, right? It always was in the past."
[ link to this | view in chronology ]
Anonymous Coward, 20 Oct 2015 @ 11:08am

Dear John Brennen,

Half ass your own data protection , leave mine alone.
[ link to this | view in chronology ]
hij (profile), 20 Oct 2015 @ 11:13am

Like A Personal Email Server
At least he was not using his own personal email server. Oh wait... I think that Secretary Clinton screwed up with the email server and have been dismayed by her inability to come clean (but not surprised). If the US Congress is going to spend millions of dollars on her situation then they should be crawling up this guy's back side as well. What he did is just as bad if not worse.
[ link to this | view in chronology ]
- DannyB (profile), 20 Oct 2015 @ 12:36pm
  
  Re: Like A Personal Email Server
  As you say it may be reasonable that this guy be investigated as much as Hillary.
  
  The reality is, regardless of political party, congress only spends millions of dollars on an investigation, such as Hillary, when one party makes congress begin the investigation, and the action is against someone of an opposing party, or somehow considered an enemy.
  [ link to this | view in chronology ]
David, 20 Oct 2015 @ 11:16am

On the positive side
Hilary's account couldn't have gotten social engineered - it was her own server. It would be unlikely if any telecom/etc would have been able to reset her password to allow a hacker access.
[ link to this | view in chronology ]
Pronounce (profile), 20 Oct 2015 @ 11:38am

Security Epic Fail!
Now tell me again why we want government spy agencies to have a set of master keys to our encryption?
[ link to this | view in chronology ]
Tim, 20 Oct 2015 @ 11:47am

Re
After laughing for several minutes, I concluded that he should be fucking fired for that. What a dipshit.
[ link to this | view in chronology ]
Anonymous Coward, 20 Oct 2015 @ 11:47am

Brennan got his cyber security advice from Petraeus
or Petraeus's mistress...
[ link to this | view in chronology ]
Anonymous Coward, 20 Oct 2015 @ 12:02pm

And Hillary is the bad guy here , when the government can't seem to keep their shit locked down , seems she's the only one that was secure.
[ link to this | view in chronology ]
- Anonymous Coward, 20 Oct 2015 @ 1:14pm
  
  Re:
  You have utterly failed with your comment, unless your goal was to include as many factual errors as possible.
  And Hillary is the bad guy here ,
  
  Hillary is widely acknowledged as being female, even by Trump.
  when the government can't seem to keep their shit locked down ,
  
  This story is specifically about abuse of non-government e-mail, not about containment of government owned fecal matter. For more information on that topic, you may review any of the recent stories about Congress.
  seems she's the only one that was secure.
  
  Hillarys e-mail was only considered secure by Hillary.
  [ link to this | view in chronology ]
DocGerbil100 (profile), 20 Oct 2015 @ 1:21pm

Americans...
Bah...
[ link to this | view in chronology ]
Anonymous Coward, 20 Oct 2015 @ 1:50pm

yep! no need at all for encryption! no one will ever get into official email accounts!
hmm. wonder what happened here then?
[ link to this | view in chronology ]
Anonymous Coward, 20 Oct 2015 @ 2:06pm

He must be Republican, if it was Hilary, they'd demand pitchforks and fires! She kept a secured standalone system, this is idiotic free public access cloud service. The stupidity is just overwhelming.
[ link to this | view in chronology ]
- nasch (profile), 21 Oct 2015 @ 7:38am
  
  Re:
  He must be Republican, if it was Hilary, they'd demand pitchforks and fires!
  
  I don't know about his personal politics, but he was appointed by Obama.
  [ link to this | view in chronology ]
Anonymous Coward, 20 Oct 2015 @ 2:31pm

Both Twitter links broken
Either the links are bad or Twitter has taken the images away.
[ link to this | view in chronology ]
That Anonymous Coward (profile), 20 Oct 2015 @ 7:44pm

Imagine the unthinkable...
We are at war half way around the globe because someone's AOL account got hacked, and to cover up all of the secrets they had ex-filtrated they came up with a giant distraction.

Perhaps it is time to find people who have a fucking clue to come in and clean up this giant mess of people to stupid to have power have created. They pay out money to corporations who have the evidence of the stupidity and keep it quiet as long as the contracts keep coming, and they pay a little to keep their idiot buddy in power because they will fuck up again and they will gain more influence.

The terrifying thought hitting you right now, is I could be right.
[ link to this | view in chronology ]
Anonymous Coward, 21 Oct 2015 @ 12:53am

AOL wasn't hacked!!
AOL wasn't the system that was hacked.

VERIZON was!

Verizon coughed up the info that allowed the normal unlock-procedure for the AOL account.
[ link to this | view in chronology ]
john may, 21 Oct 2015 @ 9:40am

Let me begin by asserting that I am not responsible for this, and I support the USA. The Internet tough guys in this thread, however, gave me a good laugh, and I invite them to pretend it was me, and give me their worst. lol Where are those billions the Obama admin has spent for cyber security gone? Fed hackers and investigators are always simple for me to identify, in 2 minutes maximum. They always have million dollar toys, yet lack the skills to properly utilize them. This is actually a blessing in disguise because their target selection is often incredibly misguided.
[ link to this | view in chronology ]