Teen Hacker Who Social Engineered His Way Into Top-Level US Government Officials' Accounts Pleads Guilty To Ten Charges
from the barely-post-pubescent-wrecking-crew dept
The teenage hacker who tore CIA director John Brennan a new AOL-hole is awaiting sentencing in the UK. Kane Gamble, the apparent founder of hacker collective Crackas With Attitude, was able to access classified documents Brennan has forwarded to his personal email account by posing as a Verizon tech. Social engineering is still the best hacking tool. It's something anyone anywhere can do. If you do it well, a whole host of supposedly-secured information can be had, thanks to multiple entities relying on the same personal identifiers to "verify" the social engineer they're talking to is the person who owns accounts they're granting access to.
Despite claiming he was motivated by American injustices perpetrated around the world (Palestine is namechecked in the teen's multiple mini-manifestos), a lot of what Gamble participated in was plain, old fashioned harassment.
Gamble taunted his victims online, released personal information, bombarded them with calls and messages, downloaded pornography onto their computers and took control of their iPads and TV screens, a court heard.
This might be chalked up to Gamble's youth or his supposed residence on the autism spectrum. But that's not the limit of the chaos caused by his social engineering. He was able to gain access to the FBI's law enforcement database and DHS boss Jeh Johnson's voicemail. He apparently dumped a database of FBI 20,000 agents' personal info and accessed email accounts of deputy national security advisor Avril Haines.
But there were other acts as well, some that resulted in plenty of people fearing for their safety.
He used his access to steal and post online personal details of Officer Darren Wilson who shot and killed black teenager Michael Brown in Ferguson Missouri.
At the same time he harassed the [FBI Deputy Director Mark] Giuliano family and people associated with them and bombarded them with calls, meaning that they were forced to seek protection from the intelligence agencies and an armed guard was placed at their home.
Mr Obama's senior science and technology adviser John Holdren had his personal accounts hacked and Gamble passed all of his personal details to an accomplice who used them to make hoax calls to the local police claiming that there was a violent incident at Mr Holdren’s house resulting in an armed swat team being deployed.
Gamble has pled guilty to ten counts of criminal computer misuse. He has yet to be sentenced but I can't imagine it will go well for him. What Gamble did was harmful to many people's personal security and the harassment of family members of public officials crosses several lines, as does the SWATing. But he did expose plenty of weak leaks in the security protocols deployed by companies like Verizon and the US government itself. The reliance on the same security questions (names of pets, schools, maiden names, etc.) across multiple services often means accessing one will open up access to all of them. Once a primary account is compromised, it can be used to change login and security verification info for accounts reliant on it.
It also exposed how high-ranking government officials made these weak links even weaker. In CIA Director Brennan's case, the sensitive documents Gamble accessed had been forwarded to an email account maintained by a third party. If Brennan had been more careful with his handling of classified documents -- like keeping them in the secured systems they came from -- Gamble wouldn't have been able to view and/or distribute these to people who shouldn't be seeing them.
Governments make weird enemies. Sometimes they're teens residing in small council houses in the UK. But the enemies they make can do considerable damage armed with nothing more than a cellphone, a laptop, and an internet connection.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: hacking, john brennan, kane gamble, social engineering
Reader Comments
Subscribe: RSS
View by: Time | Thread
Secure Documents on an Unsecured System
[ link to this | view in thread ]
He's never set foot in the US, how can these be crimes?
Where's the usual outcry for the free speech of this victim / whistleblower?
I bet his apparent sympathy for Palestine cancels that.
[ link to this | view in thread ]
Playing the game
I'll see myself out..
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: He's never set foot in the US, how can these be crimes?
[ link to this | view in thread ]
Let users make up their own security *questions*
[ link to this | view in thread ]
Gross negligence
Brennan must've known this was against protocol. I don't have a clearance and even I know that you are NOT allowed to take classified material and put it on unsecured systems.
[ link to this | view in thread ]
Re: Secure Documents on an Unsecured System
[ link to this | view in thread ]
they can't stand the heat get the fuck out of the kitchen
[ link to this | view in thread ]
[ link to this | view in thread ]
Yes, I plead guilty to
It's a shame we are not sending Brennan to jail instead for being a total fucking tool who failed to protect "national security"
[ link to this | view in thread ]
Misuse of SWAT team
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Let users make up their own security *questions*
"What was your mother's maiden name?"
Correct Horse Battery Staple
[ link to this | view in thread ]
Re: Let users make up their own security *questions*
But the general idea is sound up to a point. Forcing users to make up their own questions doesn't prevent them from duplicating them across multiple sites. Frankly, it's probably easier to request the users to put in fake answers to standard security questions. The smart ones will store the fakes with their password manager. The dumb ones probably can't be helped. There's always the legit user who can't remember their password OR the answers to the security questions, and they'll always be vulnerable if they don't use the tools needed to make them less so.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re: He's never set foot in the US, how can these be crimes?
[ link to this | view in thread ]
Re: Re: Secure Documents on an Unsecured System
[ link to this | view in thread ]
Re: Re: Re: He's never set foot in the US, how can these be crimes?
[ link to this | view in thread ]
Re: Re: Let users make up their own security *questions*
[ link to this | view in thread ]
As for this case, I'm surprised that the US didn't demand that Gamble be extradited to American to face trial here. I can't find any mention of what kind of a sentence he's facing, but given that the UK seems to exercise at least a little common sense, I'd guess it might be somewhere in the 5-10 years range. Which might seem like a long time, but if he was sentenced in the US, I have no doubt that it would be in the range of 30-50 years, if not longer.
[ link to this | view in thread ]
Same goes for the reviewers who insist that all Hollywood screeners have to be sent to them in DVD format because the idea of streaming gives them a miniature heart attack.
[ link to this | view in thread ]
Re: Secure Documents on an Unsecured System
Imprisoning a foreign soldier, even a domestic rebel, for acting like a soldier is a war crime. Given how the US considers cyber-warfare, what the kid did is probably not illegal.
As a POW, he can be interned for 'the duration' but as an army of one, his war ended when he was captured.
[ link to this | view in thread ]
*taka taka taka*
"Double-click 'YES'..."
*taka taka taka*
"Oh, a password... 50 billion combinations, hmm..."
"Jeff..."
"Hey!"
"Oh, how did I know the password was Jeff? Oh, I know the guy who wrote this. His name was Jeff JeffJeff, born on the first of Jeff, 19JeffJeff. So I put in 'Jeff' and ayy."
-Eddie Izzard, on what hacking is like in movies.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: He's never set foot in the US, how can these be crimes?
SWAT-ing is not speech, it's attempted murder.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Yes, I plead guilty to
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]