Teen Hacker Who Social Engineered His Way Into Top-Level US Government Officials' Accounts Pleads Guilty To Ten Charges

from the barely-post-pubescent-wrecking-crew dept

The teenage hacker who tore CIA director John Brennan a new AOL-hole is awaiting sentencing in the UK. Kane Gamble, the apparent founder of hacker collective Crackas With Attitude, was able to access classified documents Brennan has forwarded to his personal email account by posing as a Verizon tech. Social engineering is still the best hacking tool. It's something anyone anywhere can do. If you do it well, a whole host of supposedly-secured information can be had, thanks to multiple entities relying on the same personal identifiers to "verify" the social engineer they're talking to is the person who owns accounts they're granting access to.

Despite claiming he was motivated by American injustices perpetrated around the world (Palestine is namechecked in the teen's multiple mini-manifestos), a lot of what Gamble participated in was plain, old fashioned harassment.

Gamble taunted his victims online, released personal information, bombarded them with calls and messages, downloaded pornography onto their computers and took control of their iPads and TV screens, a court heard.

This might be chalked up to Gamble's youth or his supposed residence on the autism spectrum. But that's not the limit of the chaos caused by his social engineering. He was able to gain access to the FBI's law enforcement database and DHS boss Jeh Johnson's voicemail. He apparently dumped a database of FBI 20,000 agents' personal info and accessed email accounts of deputy national security advisor Avril Haines.

But there were other acts as well, some that resulted in plenty of people fearing for their safety.

He used his access to steal and post online personal details of Officer Darren Wilson who shot and killed black teenager Michael Brown in Ferguson Missouri.

At the same time he harassed the [FBI Deputy Director Mark] Giuliano family and people associated with them and bombarded them with calls, meaning that they were forced to seek protection from the intelligence agencies and an armed guard was placed at their home.

Mr Obama's senior science and technology adviser John Holdren had his personal accounts hacked and Gamble passed all of his personal details to an accomplice who used them to make hoax calls to the local police claiming that there was a violent incident at Mr Holdren’s house resulting in an armed swat team being deployed.

Gamble has pled guilty to ten counts of criminal computer misuse. He has yet to be sentenced but I can't imagine it will go well for him. What Gamble did was harmful to many people's personal security and the harassment of family members of public officials crosses several lines, as does the SWATing. But he did expose plenty of weak leaks in the security protocols deployed by companies like Verizon and the US government itself. The reliance on the same security questions (names of pets, schools, maiden names, etc.) across multiple services often means accessing one will open up access to all of them. Once a primary account is compromised, it can be used to change login and security verification info for accounts reliant on it.

It also exposed how high-ranking government officials made these weak links even weaker. In CIA Director Brennan's case, the sensitive documents Gamble accessed had been forwarded to an email account maintained by a third party. If Brennan had been more careful with his handling of classified documents -- like keeping them in the secured systems they came from -- Gamble wouldn't have been able to view and/or distribute these to people who shouldn't be seeing them.

Governments make weird enemies. Sometimes they're teens residing in small council houses in the UK. But the enemies they make can do considerable damage armed with nothing more than a cellphone, a laptop, and an internet connection.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: hacking, john brennan, kane gamble, social engineering


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    TasMot (profile), 23 Jan 2018 @ 9:40am

    Secure Documents on an Unsecured System

    Isn't that a crime punishable by time in Ft. Leavenworth? Just some friendly advice, he is part of the "high court", don't hold your breath waiting for the charges to be filed. They got the kid, crisis over.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 23 Jan 2018 @ 10:36am

      Re: Secure Documents on an Unsecured System

      Hasn't this already been covered by Hillary?

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 23 Jan 2018 @ 1:09pm

        Re: Re: Secure Documents on an Unsecured System

        She lost, get over it.

        link to this | view in chronology ]

    • icon
      Bergman (profile), 23 Jan 2018 @ 8:51pm

      Re: Secure Documents on an Unsecured System

      If he had a manifesto, odds are he counts as a lawful combatant, especially if he wears the same sort of clothes every day.

      Imprisoning a foreign soldier, even a domestic rebel, for acting like a soldier is a war crime. Given how the US considers cyber-warfare, what the kid did is probably not illegal.

      As a POW, he can be interned for 'the duration' but as an army of one, his war ended when he was captured.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 23 Jan 2018 @ 9:41am

    He's never set foot in the US, how can these be crimes?

    CIA justice.

    Where's the usual outcry for the free speech of this victim / whistleblower?

    I bet his apparent sympathy for Palestine cancels that.

    link to this | view in chronology ]

    • identicon
      Anonymous Coward, 23 Jan 2018 @ 10:18am

      Re: He's never set foot in the US, how can these be crimes?

      Perhaps your confusion lies within your bias.

      link to this | view in chronology ]

      • This comment has been flagged by the community. Click here to show it
        identicon
        Anonymous Coward, 23 Jan 2018 @ 1:07pm

        Re: Re: He's never set foot in the US, how can these be crimes?

        U R JEW

        link to this | view in chronology ]

        • identicon
          Anonymous Coward, 23 Jan 2018 @ 1:09pm

          Re: Re: Re: He's never set foot in the US, how can these be crimes?

          Stick to sticking crayons up your nose.

          link to this | view in chronology ]

    • identicon
      Wendy Cockcroft, 24 Jan 2018 @ 5:38am

      Re: He's never set foot in the US, how can these be crimes?

      No, his abhorrent stalking and harassment cancels that. In any case this is not a speech issue, this is about a rebellious teen accessing personal and government accounts without prior authorisation, then using the information gleaned thereby to make people's lives a misery.

      SWAT-ing is not speech, it's attempted murder.

      link to this | view in chronology ]

  • identicon
    Anonymouse Cupboard, 23 Jan 2018 @ 10:01am

    Playing the game

    There is always some risk involved when attempting to "stick it to the man". This kid out of anyone should've known if it was worth the Gamble...

    I'll see myself out..

    link to this | view in chronology ]

  • icon
    Roger Strong (profile), 23 Jan 2018 @ 10:16am

    I fought the above-the-law, and the above-the-law won.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 23 Jan 2018 @ 10:18am

    So you read all that and you felt sorry for this douchebag? Talk about victim blaming.

    link to this | view in chronology ]

  • icon
    Hugo S Cunningham (profile), 23 Jan 2018 @ 10:21am

    Let users make up their own security *questions*

    Hackers have opportunities to assemble security-question info for users, eg mother's maiden name, make of first car, names of family pets, etc. But the job would become useless if users were able to put in their own questions as well as their answers-- really weird stuff that no computer search could generate, eg "What did your toddler break during Grandma's Easter visit two years ago?"

    link to this | view in chronology ]

    • icon
      Toom1275 (profile), 23 Jan 2018 @ 12:40pm

      Re: Let users make up their own security *questions*

      Or just keep track of what lies you told to the security questions.

      "What was your mother's maiden name?"
      Correct Horse Battery Staple

      link to this | view in chronology ]

      • identicon
        Thad, 23 Jan 2018 @ 2:16pm

        Re: Re: Let users make up their own security *questions*

        Yeah, the "correct horse battery staple" method is ideal for generating security answers, because you want them to be something you can read over the phone in case you ever need to talk to tech support.

        link to this | view in chronology ]

    • identicon
      Bruce C., 23 Jan 2018 @ 12:43pm

      Re: Let users make up their own security *questions*

      Which is fine until it's 10 years later and your toddler is entering High School. . .and you no longer remember what year it was when you created the security question.

      But the general idea is sound up to a point. Forcing users to make up their own questions doesn't prevent them from duplicating them across multiple sites. Frankly, it's probably easier to request the users to put in fake answers to standard security questions. The smart ones will store the fakes with their password manager. The dumb ones probably can't be helped. There's always the legit user who can't remember their password OR the answers to the security questions, and they'll always be vulnerable if they don't use the tools needed to make them less so.

      link to this | view in chronology ]

  • identicon
    Anonymous Hero, 23 Jan 2018 @ 10:27am

    Gross negligence

    > In CIA Director Brennan's case, the sensitive documents Gamble accessed had been forwarded to an email account maintained by a third party. If Brennan had been more careful with his handling of classified documents...

    Brennan must've known this was against protocol. I don't have a clearance and even I know that you are NOT allowed to take classified material and put it on unsecured systems.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 23 Jan 2018 @ 10:39am

    Fuck em
    they can't stand the heat get the fuck out of the kitchen

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 23 Jan 2018 @ 10:42am

    this from the largest military spy complex in the whole world that just cried to the American public that their largest military budget in the whole world was being held hostage by Democrats by not giving them more money to spy on everyone ???????

    link to this | view in chronology ]

    • identicon
      Wendy Cockcroft, 24 Jan 2018 @ 5:40am

      Re:

      Why do you think we're constantly complaining about it? It's not just the routine violations by their own staff, it's the vulnerability to bad actors that raise our hackles.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 23 Jan 2018 @ 12:20pm

    Yes, I plead guilty to

    easily tricking you fucking dipshits, you made it so easy I just could not resist.

    It's a shame we are not sending Brennan to jail instead for being a total fucking tool who failed to protect "national security"

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 23 Jan 2018 @ 12:25pm

    Misuse of SWAT team

    I'm disappointed, but not all that surprised, that the bogus SWAT raid against Someone Important didn't turn into even token attempts to get the SWAT teams to be a little more circumspect. This was a perfect opportunity for the right people to learn that you can't trust easily-forged messages when deciding where and when to deploy deadly force.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 23 Jan 2018 @ 12:28pm

    The correct repsonse <i>should be</i> to jail those that fell for this <b>basic-level scam</b>. Because they clearly cannot be trusted with either our votes or our security.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 23 Jan 2018 @ 1:02pm

    Soooooo, a UK kid hacks the most powerful intelligence agencies in the world. Right.

    link to this | view in chronology ]

  • identicon
    Rekrul, 23 Jan 2018 @ 2:16pm

    Except for when hackers discover a security flaw and exploit it, most hacking is done through social engineering and research. The idea that you can just guess someone's password or "hack" a specific account/device by typing furiously on a keyboard for about 30 seconds is pure fantasy perpetuated by TV shows like CSI, NCIS and the like.

    As for this case, I'm surprised that the US didn't demand that Gamble be extradited to American to face trial here. I can't find any mention of what kind of a sentence he's facing, but given that the UK seems to exercise at least a little common sense, I'd guess it might be somewhere in the 5-10 years range. Which might seem like a long time, but if he was sentenced in the US, I have no doubt that it would be in the range of 30-50 years, if not longer.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 23 Jan 2018 @ 8:15pm

    The "victims" really have nobody else to blame but themselves for refusing to have functioning opsec.

    Same goes for the reviewers who insist that all Hollywood screeners have to be sent to them in DVD format because the idea of streaming gives them a miniature heart attack.

    link to this | view in chronology ]

  • icon
    Toom1275 (profile), 23 Jan 2018 @ 9:21pm

    "Ok, hacking into the Pentagon..."
    *taka taka taka*
    "Double-click 'YES'..."
    *taka taka taka*
    "Oh, a password... 50 billion combinations, hmm..."
    "Jeff..."
    "Hey!"
    "Oh, how did I know the password was Jeff? Oh, I know the guy who wrote this. His name was Jeff JeffJeff, born on the first of Jeff, 19JeffJeff. So I put in 'Jeff' and ayy."

    -Eddie Izzard, on what hacking is like in movies.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 23 Jan 2018 @ 10:51pm

    If a punk with a laptop was able to do all of that just imagine what nation-states and other organized outfits must be getting hold of.

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.