Also he thought it was Ok to forward Sensitive Govt. Docs to a non-secured commercial e-mail address.
The amount of almost un-restrained power that these people have vs the very low quality of their InfoSec is truly appalling.
What's scary is that these kinds of clueless, technology-illiterate people are actively involved in shaping the future landscape of massive data collection.
I think we are about to witness, in the next decade, multiple "incidents" where millions, perhaps billions, of private records about innocent citizens will be leaked because of this kind of negligence.
And in most ways, leaving his e-mail to a provider which works with e-mail and has dealt with attacks before is probably the most sensible thing to do.
And of course, I've read Legacy of Ashes and a few of Robert Baear's books (Beaer?) and understand that being accomplished in the world of the CIA is just avoiding political entanglement and not fucking up too badly, but whatever, the point stands ;-).
There are obviously a _lot_ of wtf moments reading this article, but this one just strikes me as the most egregious - why in the world would a Verizon employee of any kind be able to obtain this information from anyone other than the account holder? The account number, ok maybe, but absolutely none of those other items should be communicated between employees. Absurd.
Whether it should be, well that is another matter.
The PIN at least seems like it should have been hashed; then an employee enters the stated PIN into a form to see if it's correct, and the hashes are compared on the backend.
The other info though is needed for initiating contact and to allow customers to perform transactions (verifying card details for example).
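The PIN-handling scheme the comment above describes, written out as an added example (not code from the thread or from Verizon): the PIN is stored only as a salted PBKDF2 digest, the support-side check returns a yes/no and never the PIN itself, and because a four-to-six digit PIN has so little entropy that hashing alone is no protection against guessing, the check also enforces an attempt limit and lockout. The iteration count, attempt limit and lockout period are assumed policy values chosen for the example.

```python
import hashlib
import hmac
import os
import time

# Assumed policy values for this example; production tunes these to its own hardware and risk.
PBKDF2_ITERATIONS = 100_000
MAX_ATTEMPTS = 5          # wrong guesses allowed before lockout
LOCKOUT_SECONDS = 900     # 15-minute lockout


def enroll_pin(pin: str) -> dict:
    """Create the stored record for a customer PIN: random salt plus PBKDF2-HMAC-SHA256 digest.
    The plaintext PIN is never stored, so no employee or database dump can read it back."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest, "failures": 0, "locked_until": 0.0}


def verify_pin(record: dict, claimed_pin: str, now=None) -> bool:
    """Backend check used by the support form: returns True only if the claimed PIN matches.

    Enforces a lockout so a caller (or a rogue agent) cannot simply walk the 10,000 possible
    four-digit PINs. The comparison is constant-time so timing does not leak digest bytes."""
    now = time.time() if now is None else now
    if now < record["locked_until"]:
        return False                      # locked: reject even a correct PIN until the window ends
    candidate = hashlib.pbkdf2_hmac(
        "sha256", claimed_pin.encode(), record["salt"], PBKDF2_ITERATIONS
    )
    ok = hmac.compare_digest(candidate, record["digest"])
    if ok:
        record["failures"] = 0
    else:
        record["failures"] += 1
        if record["failures"] >= MAX_ATTEMPTS:
            record["locked_until"] = now + LOCKOUT_SECONDS
            record["failures"] = 0
    return ok


def support_console_check(customer: dict, stated_pin: str, now=None) -> str:
    """What the agent's screen shows: a match/no-match result, never the PIN or its digest."""
    return "MATCH" if verify_pin(customer["pin_record"], stated_pin, now) else "NO MATCH"


if __name__ == "__main__":
    # Constructed sample customer; the PIN value is made up for the demo.
    customer = {"name": "J. Example", "pin_record": enroll_pin("4821")}
    print(support_console_check(customer, "4821"))   # MATCH
    print(support_console_check(customer, "0000"))   # NO MATCH
```

The point of the lockout is that the digest alone is cheap to brute-force offline (a 4-digit PIN is at most 10,000 PBKDF2 evaluations), so the real control is that the PIN digest never leaves the backend and online guessing is throttled.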
How is this acceptable? Shouldn't he be held accountable for this kind of stuff?
Computers are pretty good at security; humans, especially underpaid and overworked helpdesk jockeys, are not.
Why break into a system when you can ask someone to unlock it for you?
The barrier to entry to become a Verizon employee is lower than the barrier to obtaining this info should be.
What this country grew to become :(
EDIT: The leaks are pretty disappointing, unless you care about how many times the director ate with Alan Lovell. The real story is the fact that there were leaks at all, not the leaks themselves.
It tends to confirm me in my suspicions that the media-projected image of ruthlessly efficient and mindbogglingly smart intel apparatchiks is a fantasy, and that the reality might be more like Burn After Reading[1]
If you read that article you'll see this is more of a social engineering hack on Verizon than AOL. Verizon gave up all sorts of information about him which made answering AOL's password reset questions easy for them. It's scary how much you can do to a person if you know the last four digits of their credit card.
This is yet another example where things like S/MIME would have helped, but apparently we're all content with completely unencrypted emails. I suspect guys like Brennan prefer email unencrypted anyway, except when things like this happen to him personally.
Not really, but they are definitely on the bottom of the trusted list. That being said, the WTFs in this story would be the same if it was yahoo, gmail, etc. The problem is that the emails were forwarded out from his work network.
I'm also surprised that the government doesn't have more stringent guidelines about the private email use of its top officials.
Since these guys knew how Verizon works internally I wouldn't be surprised if they could forward his cell # somewhere else. Some 2FA systems require a PIN for auth, but they have his Verizon one already, which is probably re-used everywhere.
https://en.wikipedia.org/wiki/HMAC-based_One-time_Password_Algorithm
https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm
Not even offering it is a serious oversight on AOL's part for exactly this type of scenario: it makes it extremely easy for a motivated person to socially hack someone's email. However even if it is offered it has to be turned on to work, so then we'd be back where we started if it was off by default.
It's kind of obvious that not everyone will use it. However, not offering it when it's somewhat trivial to do so seems like a no-brainer.
It does. Guidelines don't stop people from doing things, especially when they're at the level where they think they're above such policies.
Of course there are well-known answers that are used to mitigate these problems somewhat, TFA solutions, login images, etc. But I still feel as if social engineering attacks hit a really vulnerable weak spot in many systems.
(On a mostly unrelated note, can we get rid of security questions forever? I've taken to just giving nonsense answers for them and storing my answers somewhere secure. I sure don't want my passwords being reset because somebody knows my mom's maiden name...)
Not only that, any site that used that question and all those that got hacked know your mom's maiden name if that question was ever answered seriously. That's the main reason such 'secret questions' suck, because there apparently is a fairly small set of commonly used questions like that (first school, first pet, favorite pet, mom's maiden name, street where you were born and so on).
(Edit) the letter -- https://twitter.com/phphax/status/653665742987100163
> We said ‘2 trillion dollars hahhaa'
Ok, I can work with that
> They told Brennan “We just want Palestine to be free and for you to stop killing innocent people.”
Sorry, can't do that
Whistler: I want peace on earth and goodwill toward man.
Bernard Abbott: Oh, this is ridiculous.
Martin Bishop: He's serious.
Whistler: I want peace on earth and goodwill toward men.
Bernard Abbott: We are the United States Government! We don't do that sort of thing.
'So they called Brennan’s mobile number, using VoIP, and told him he’d been hacked. The conversation was brief.
“[I]t was like ‘Hey,…. its CWA.’ He was like ‘What do you want?’ We said ‘2 trillion dollars hahhaa, just joking,'” the hacker recounted to WIRED.'
Could be an embellishment, but it sounds like he really was willing to pay something. Perhaps more for his personal privacy than out of fear of national secrets leaking, though.
I remembered this thought again recently when dealing with major banks over the phone. All I needed to identify who I am was confirmation of my home address, and last 4 digits of my social. That is hardly secure! A single data breach for SSN, cross referencing an email to social media or DNS if you don't use private registration and boom, you can pretend to be me as far as some banks are concerned.
The SSN is the most abused number in the ID world. It's a de facto federal ID number and it's simply not meant for the task. Everyone gets all uppity about having some type of federal ID number whenever I mention it, but I feel like some type of public key cryptographic federal ID number plus cross-signing, changeable password, AND a 2+FA should be used to truly identify who you are.
Also, the CWA's twitter account was suspended, but thanks be to The Internet Archive we have a mirror:
https://web.archive.org/web/20151019192351/https:/twitter.co...
The Twitter pictures aren't archived, but they also haven't been taken down from Twitter's site.
I know that some other agencies, and even private corporation do that.
This wasn't a skillful attack. It was a messy, shitty social engineering exploit that very many people could have done.
Let's not take the attackers at face value. They could have had help or be employed by anyone, including those either interested in Brennan's AOL email or in embarrassing him.
1) This kid just got at least one person fired from his job (though he may deserve it).
2) This kid WILL be caught and regret it the rest of his life.
It's a lot easier to get away with hacking than most people make it out to be. When I was 14 years old I hacked one of the largest banks in the UK on a laugh with friends in high school using SQL injection. I didn't steal anything, but I did get access to very sensitive information about many members' accounts. It wouldn't have been difficult to do so and get away with it on a compartmentalized burner laptop with a VPN. Most banks write off relatively "small amounts" and simply eat the loss for the customer.
Young kids who have an aptitude for it pull off immature, amateur hacks like this all the time. Based purely on anecdote I'd say there is likely at least one adolescent in virtually every high school in America who has committed some sort of serious computer fraud.
Now I work in the security industry and just yesterday, I found a vulnerability in a website allowing you to use another user's payment because of an insecure direct object reference combined with clearly sequential payment IDs in the database. The methods evolve, but the core systems have stayed more or less the same and it would not be difficult to exploit this one and get away with it either.
People think this stuff is hard to get away with because of the sensationalized mystique surrounding it in the media. Unless you're very loud, incompetent or a big enough target, it just doesn't usually happen. I've personally spoken to "blackhat" groups that have cleared a few million dollars in a year, allowing each member a roughly top-1% income after laundering for a few hours of "work" per week. They're still around.
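The payment bug described in the comment above (an insecure direct object reference plus sequential IDs), shown as an added example that is not the commenter's code or the affected site's: a lookup that trusts the ID in the request beside the fixed lookup that checks the record belongs to the logged-in user. Random IDs are added as defence in depth, but the real fix is the ownership check; an unguessable ID alone still leaks the record to anyone who obtains it. The store, record shape and user names are constructed for the example.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Payment:
    payment_id: str
    owner_id: str
    amount_cents: int


class AuthorizationError(Exception):
    """Raised when the caller may not access the requested record."""


class PaymentStore:
    """Minimal in-memory store; stands in for the database in the comment."""

    def __init__(self):
        self._by_id = {}
        self._next_seq = 1

    def create_sequential(self, owner_id: str, amount_cents: int) -> Payment:
        """The weak scheme: IDs are 1, 2, 3, ... so any other record's ID is trivially known."""
        pid = str(self._next_seq)
        self._next_seq += 1
        self._by_id[pid] = Payment(pid, owner_id, amount_cents)
        return self._by_id[pid]

    def create_random(self, owner_id: str, amount_cents: int) -> Payment:
        """Defence in depth: a 128-bit random ID cannot be enumerated."""
        pid = secrets.token_urlsafe(16)
        self._by_id[pid] = Payment(pid, owner_id, amount_cents)
        return self._by_id[pid]

    def get(self, payment_id: str):
        return self._by_id.get(payment_id)


def use_payment_vulnerable(store: PaymentStore, payment_id: str, current_user: str) -> Payment:
    """The IDOR: the handler looks up by ID only, so any authenticated user can reuse
    any other user's payment just by supplying its (sequential, guessable) ID."""
    payment = store.get(payment_id)
    if payment is None:
        raise AuthorizationError("payment not found")
    return payment


def use_payment_fixed(store: PaymentStore, payment_id: str, current_user: str) -> Payment:
    """The fix: authorization is decided from the server-side session identity, never from
    the request. Missing and not-owned records get the same error so IDs cannot be probed."""
    payment = store.get(payment_id)
    if payment is None or payment.owner_id != current_user:
        raise AuthorizationError("payment not found")
    return payment


if __name__ == "__main__":
    store = PaymentStore()
    store.create_sequential("alice", 1999)   # id "1"
    store.create_sequential("bob", 4999)     # id "2"
    print(use_payment_vulnerable(store, "2", "alice"))   # alice gets bob's payment
    try:
        use_payment_fixed(store, "2", "alice")
    except AuthorizationError as e:
        print("fixed handler:", e)
```

Detecting the vulnerable pattern in logs is also straightforward: a session that requests object IDs it has never created, or walks IDs in sequence, is the signature to alert on.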
The very description of this kid. At least the loud part. His age may make him other things.
>The hacker, who says he’s under 20 years old
20 years old is a teen? What a terrible headline.
If you're gonna be pedantic, at least be correct.
Has there been any confirmation that this account even actually belonged to the CIA director? If yes, has there been any evidence that there was actually anything sensitive on the account? (I seriously doubt the latter)
If there was nothing on the account how is this different from any of the other tens of thousands of aols that have been hijacked since the 90s?
Wikileaks is publishing all of the supposed files, so they do exist and have been leaked.
http://www.theverge.com/2015/10/21/9583464/wikileaks-cia-ema...
Yes
> If yes, has there been any evidence that there was actually anything sensitive on the account?
Yes
Go Google for 5 minutes.
In that article the hacker claims he found sensitive material, and even flagrantly taunted the CIA director with it...
You're the new young email admin. You see this in your logs. You tell your boss. Your boss shrugs and says, "He's the director and I don't feel like getting fired."
I don't know why people think government, be it any agency including intelligence, is run any different than any other political or corporate bureaucracy. Humanity has a natural pecking order cooked into it and it reflects in our organizations. One does not just challenge the big dog without consequences. Hell, staff may not be able to even audit him the same way Congress has made itself immune to the NSA wire-tapping programs.
Maybe it's the big "democracy" label that people apply to it.
Maybe it's the concept of "Rule of Law" that underpins Western Democracy.
If it's possible to be fired for simply applying the statutory regulations to a civil servant then any semblance of either democracy or rule of law has clearly been replaced with other structures.
Presumably the CIA would try to kill you to cover this up, because otherwise the sacking of the infringer should be a normal conclusion?
However, I wonder why the agency simply does not disable forwarding or at least add warnings in bright red that doing so violates policy and is subject to charges.
Sure, disabling fwd-ing is trivial to defeat but it makes clear fwd-ing is non standard.
edit: No, seriously. I can't see how the CIA is the most powerful information gathering agency on the planet. Even restricting to government organizations, the NSA likely has far more access to information. Allowing for private organizations, Google/Facebook likely know far more about individual people than any government agency does given Google Analytics, Facebook Like buttons, etc. strewn around virtually every public internet page.
Sorry, but this doesn't sound like "personal email address for non-work reasons"...
There are several problems with this:
1.) The phone number can be found on the internet.
2.) The technician code is just noted down as part of the request. It is not verified.
3.) The support employee's validation process that they are a field technician was that they were calling over the special phone number.
Obviously sensitive information was not supposed to be given out, but they hired anyone that was alive enough to answer a phone and tell people to reset their router.
> Iran will be a major player on the world stage in the decades ahead, and its actions and behavior will have a major and enduring impact on near- and long-term US interests on a variety of regional and global issues. With a population of over 70 million, XX percent of the world's proven oil reserves, a geostrategic location of tremendous (enviable?) significance, and a demonstrated potential to develop a nuclear-weapons program, the United States has no choice but to find a way to coexist - and to come to terms with - whatever government holds power in Tehran. [...]
> An unfortunate hallmark of US-Iranian relations since 2001 has been [the] growing divide between Washington and Tehran, chronicled by bombastic rhetorical broadsides that have been hurled publicly by each side against the other. The tragedy of the al-Qa'ida launched terrorist attacks against the US homeland in September 2001 prompted the US administration to engage in a far-reaching campaign to eradicate the sources of terrorism, and Iran, understandably - but regrettably - was swept up in the emotionally charged rhetoric that emanated from Washington under the seemingly all-encompassing rubric of "The Global War On Terrorism". The gratuitous labeling of Iran as part of a worldwide "axis of evil" by President Bush combined with strong US criticisms of Iran's nascent nuclear program and its meddling in Iraq led Tehran to view that Washington had embarked on a course of confrontation in the region that would soon set a kinetic focus on Iran. Even Iran's positive engagement in helping repair the post-Taliban political environment in Afghanistan was met with indifference by Washington. [...]
https://wikileaks.org/cia-emails/The-Conundrum-of-Iran/page-...
While this leak may not be particularly confidential nor surprising to informed readers, I'd say reading this kind of insight into what US leaders really think is pretty damn interesting.
Their clients usually include celebs, pro athletes, etc... I'm surprised that the CIA chief isn't on that tier.
It would be nice to be able to purchase this kind of thing directly though.
> The barrier to entry to become a Verizon employee is lower than the barrier to obtaining this info should be.
The problem with this approach is that it leaves a pretty clear trail. At best you need to hand the customer info off to someone else with no obvious ties and claim you were social-engineered into giving up your employee id. Also you can really only do this once.
If you lose your phone, upgrade to a new one, or erase and restore it you lose all your authenticator credentials. That doesn't happen with SMS.
If you're in a situation where security is paramount, then physical cards or an authenticator are a better way to go. If you're 99.9% of the population, SMS is a far better solution.
"How do you break into a place with no weak points?"
"I see four weak points right there."
Or we can go deeper, the CIA director was preparing to do this so the subject-to-be of the docs he wished to leak had his account hacked to expose the flaw and prevent the leak-to-be.
A ton of info was posted on his twitter account that is now suspended. For DHS and FBI to investigate, they must have solid evidence of a breach to do so.
The one where you can buy pretty much anyone's (with a credit history) for $1.8?