Arrests Made After Group Hacks CIA Director's AOL Account (washingtonpost.com)
Slashdot reader FullBandwidth writes:
U.S. authorities have arrested two North Carolina men accused of hacking into the private email accounts of high-ranking U.S. intelligence officials. [The men] will be extradited next week to Alexandria, where federal prosecutors for the Eastern District of Virginia have spent months building a case against a group that calls itself Crackas With Attitude... Authorities say the group included three teenage boys being investigated in the United Kingdom.
The group used social engineering to access the email accounts of John Brennan, the director of the CIA, as well as the Director of National Intelligence, and former FBI deputy director Mark Giuliano, according to the article. One exploit involved "posing as a Verizon technician and tricking the company's tech-support unit into revealing the CIA director's account number, password and other details." An FBI affidavit alleges that a British teenager named "Cracka" also began forwarding the calls of a former FBI deputy director "to a number associated with the Free Palestine Movement," while "D3F4ULT" paid for a campaign of harassing phone calls. In addition, "According to the affidavit, Cracka appears to have gotten into the law enforcement database simply by calling an FBI help desk and asking for Giuliano's password to be reset..."
"One member told CNN [In a video interview] that he smoked marijuana 'all day every day' and was 'probably' high when gaining access to high-level accounts."
False flag operation? (Score:1)
To divert attention away from Russia?
Not sure (Score:5, Interesting)
What's more concerning... That the director of the CIA had his account hacked, or that he has an AOL account.
Re: (Score:2)
Last time I checked, AOL Instant Messenger needed an AOL account, at least one on the free tier. Or has everybody switched from AIM to Skype?
Re: (Score:2)
Last time I checked, AOL Instant Messenger needed an AOL account, at least one on the free tier. Or has everybody switched from AIM to Skype?
Yes, everyone left AIM years ago, for Skype and others.
Re:Not sure (Score:5, Informative)
Last time I checked, AOL Instant Messenger needed an AOL account, at least one on the free tier.
I still have both, but I haven't paid for AOL in 20 years. There are a lot of AIM users who never had an AOL account. Registration at aim.com was free for a long time (maybe it still is?) and I talk to a lot of people via AIM who were never AOL users. Despite the ridicule, AIM/Oscar via the Pidgin client with the OTR plugin remains a relatively secure method of communication.
As for Skype, fuck that entirely, it's been compromised forever. If I want to holler at the NSA, I'll just yell into any phone and hope for the worst.
Re: (Score:2)
Registration at aim.com was free for a long time (maybe it still is?) and I talk to a lot of people via AIM who were never AOL users
That's what I meant by a "free tier AOL account", because you can log in at AOL.com with your AIM credentials.
Re: (Score:1)
Calm the fuck down, Mr. Clapper. We'll get you a car. Just relax, will you? There are microphones around.
Re: Not sure (Score:5, Funny)
The news tomorrow should be, 'CIA Director steps down after shameful discovery of using AOL accounts.'
Re: (Score:3)
Re: (Score:2)
Most of my tech friends have gmail accounts, many of them from the days when they were hard to get and almost considered a status symbol. But why is Google's data mining preferable to AOL's or any other? I know that AOL has long been derided as being associated with grandmothers and "free" AOL disks, but their basic email is free now.
Non-tech family and friends tend to have <cable-company>.com email addresses, more or less locking them into a specific cable provider.
As for myself, I chose an I
Re: (Score:2)
Caught that too. Incompetent buffoons.
They likely have CRT monitors to boot.
Re: (Score:2)
Caught that too. Incompetent buffoons.
They likely have CRT monitors to boot.
What's with the CRT-hate?
I'll have you know my SGI 061-0025-001(Sony GDM4011P) 20" 1900x1280 monitor looks *great* running on my SGI Octane!
Strat
Re: (Score:2)
It's called a honeypot, and they took some skells off the board.
AOL IS FUCKING GEENIUS. ER GIENUS, ER... (Score:5, Funny)
These CIA guys, always throwing fucking curve balls. They are like, Inception deep.....
Re:Not sure (Score:5, Interesting)
What's more concerning... That the director of the CIA had his account hacked, or that he has an AOL account.
What really is concerning is that tech support knew "Brennan’s account number, password and other details". Who stores passwords in clear these days? The only safe storage is a one way hash or something. This is vague as to exactly which tech support was tricked and which account details were revealed, but who in tech support would tell anyone someone's password?
Re: (Score:3)
but who in tech support would tell anyone someone's password?
Someone they hired after they fired all of the competent people following the Snowden leaks?
Re: (Score:2)
AOL fired people? I wasn't aware that AOL had a recent downsizing in their tech support department.
Re: (Score:2)
You've apparently never worked on a project for a government agency.
They're typically a combination of right-up-to-date (on things which you can just spend money on and it shows up, like a brand new laptop and monitor every year) and 20-30+ years behind (on things which require actual policy/best practices/technology knowledge).
It doesn't shock me at all that the FBI help desk is as described [washingtonpost.com]. I'm a little more familiar with the IRS. In 1991 they were spending $8 Bi [baltimoresun.com]
Re: (Score:2)
When did AOL become a government agency?
Re: (Score:2)
I know it's too much to read the articles, but try to keep up with at least the summary and the thread you're replying to.
We were discussing this line: "According to the affidavit, Cracka appears to have gotten into the law enforcement database simply by calling an FBI help desk and asking for Giuliano's password to be reset..."
I'm pretty sure AOL doesn't provide the FBI help desk staff, nor manage authentication for their law enforcement databases....
Re: (Score:2)
Perhaps you should keep up with the thread?
"Brennan’s account number, password and other details"
That is what was responded to. This was AOL, not the FBI, that had unencrypted passwords. The FBI needed to reset the password because they don't have unencrypted passwords.
Re: (Score:3)
Missing the point (Score:5, Interesting)
While it is always worthwhile to prosecute the hacker, the real question is how is it possible that the Director of the CIA was hacked? Massive incompetence in the CIA is the only possible explanation.
Re:Missing the point (Score:5, Insightful)
Re:Missing the point (Score:5, Insightful)
What the fuck are you talking about? Who cares if his AOL account was "at risk" if he used it for the same stupid shit more people use their AOL account for?
Personally I prefer that government employees receive Viagra spam and pictures of their grandchildren on their private email accounts, and national security briefings on their government email accounts.
Re: (Score:2)
When you get to the CIA, doing anything on a public web host for email is wrong. You need to be running a private server.
Republicans are grilling Hillary for using a private server both home and work. This guy needs to be executed for treason for using aol at all.
Not Brennan's fault (Score:5, Insightful)
While it is always worthwhile to prosecute the hacker, the real question is how is it possible that the Director of the CIA was hacked? Massive incompetence in the CIA is the only possible explanation.
This came up and was discussed on Schneier's security blog.
In this instance the CIA director did nothing wrong. He had a strong password, didn't let it out, and had no sensitive information on this particular personal account.
The hackers convinced AOL to do everything on behalf of Brennan, without his knowledge or consent. All the security "best practices" in the world won't help if you can convince someone at the ISP to let you in.
To his credit, Brennan used this account for personal purposes, and apparently there was absolutely nothing of a sensitive nature there.
Re: (Score:1)
They've already established that high level government officials can use their personal accounts for official sensitive data. The rules are more like recommendations at the SES and above levels.
Sensitive files (Score:2)
The article says there were sensitive files stolen from his personal email account. If true, he shouldn't have had them there.
Whoosh.
Re: Not Brennan's fault (Score:4, Informative)
The article says there were sensitive files stolen from his personal email account. If true, he shouldn't have had them there.
From a Wired article dated almost a year ago:
"News of the hack was first reported by the New York Post after the hacker contacted the newspaper last week. The hackers described how they were able to access sensitive government documents stored as attachments in Brennan’s personal account because the spy chief had forwarded them from his work email.
The documents they accessed included the sensitive 47-page SF-86 application that Brennan had filled out to obtain his top-secret government security clearance. Millions of SF86 applications were obtained recently by hackers who broke into networks belonging to the Office of Personnel Management. The applications, which are used by the government to conduct a background check, contain a wealth of sensitive data not only about workers seeking security clearance, but also about their friends, spouses and other family members. They also include criminal history, psychological records and information about past drug use as well as potentially sensitive information about the applicant’s interactions with foreign nationals—information that can be used against those nationals in their own country."
Sounds pretty bad to me, but I doubt he'll receive the same level of scrutiny as Hillary Clinton has, because it isn't as interesting politically.
Source: https://www.wired.com/2015/10/... [wired.com] -- interesting article.
Re: (Score:2)
The documents they accessed included the sensitive 47-page SF-86 application that Brennan had filled out to obtain his top-secret government security clearance.
An SF86 form is filled out by and "owned" by the individual. It is NOT a secret government document. Yes, it has tons of personal information in it about him and his family.
Sounds pretty bad to me, but I doubt he'll receive the same level of scrutiny as Hillary Clinton has, because it isn't as interesting politically.
Why would it receive scrutiny? There is nothing illegal about a person storing personal information in their own email account. Stupid? Probably. Illegal? Not a chance.
Re: (Score:2)
Personal information about a high ranking intelligence official is intrinsically sensitive.
Intelligence agencies put a lot of time in by smart people teasing out deductions from apparently innocuous information about high ranking foreign officials. Back in the Cold War it was called "Kremlinology".
Of course there's only so much you can do about it. People have private lives and leave traces of information behind. You can never be sure what anyone can do with any piece of data, because it's connecting
Re: (Score:2)
It didn't say there were *government* sensitive files, it said they were personally sensitive files - primarily his application for Top Secret clearance, which I assume was emailed from his personal accounts since he obviously didn't HAVE a government/CIA account yet.
By definition he didn't have access to classified information when he filled it out, so it couldn't have contained information that was classified when he filled it out...
It would be like you applying for a mortgage, and your SSN and bank accou
Re: (Score:1)
Ahem, he did nothing wrong at all... OTHER THAN CHOOSE TO USE AOL... dumbass is as dumbass does. Although it was a personal account so who gives a shit so why are these people being prosecuted exactly? How about prosecute the AOL morons that let this happen.
Re: (Score:2)
Re: (Score:3)
For high enough target value, all services look commodity grade.
Re: (Score:2)
All the security "best practices" in the world won't help if you can convince someone at the ISP to let you in.
I can't help but feel as though you're missing the joke, hence I quoted the relevant part.
Re: (Score:2)
Kept it safe from the NSA, GCHQ, MI6, other parts of the CIA or other agencies... or just decades of later FOIA requests.
The point is not to have anything that's interesting to your own staff, rogue staff, long term spies, 5 eye nations, the NSA, ex staff, former staff who might be looking or have sold/given/been of the same faith/cult and liked to give details to other govs, mils...
The selection of a mainstream US brand is so unexpecte
Alexandria (Score:1)
[The men] will be extradited next week to Alexandria.
Holy crap, why are they sending them to Egypt?
Re: (Score:2)
This was officially the dumbest and most useless attempt at a joke on this article.
The argument for having your own e-mail server? (Score:5, Interesting)
I used to think that the only reason someone would want their own e-mail server would be to try to erase a central record of sent e-mails should the need arise, but after reading this summary I see that there is merit in not entrusting a third party's low level tech support person with the ability to either read or reset your password.
In other news, Verizon knows its users' passwords? Let me guess -- they're stored in plaintext.
Re: (Score:1)
The assertion that "home-based e-mail servers are no more secure than public chat based accounts" is baseless and is dependent on the knowledge level of the person who set it up and administers it, just like any other server in existence.
Re: We should be scared... (Score:1)
Director wasn't conned, his service providers were.
None of this makes any sense. (Score:1)
Posing as a technician to get passwords - what?
Law enforcement database for managing private e-mail accounts - what?
I mean this shit could all just be made up to cover up the more embarrassing things they actually did, because if security were so lax as this story claims, every hostile nation would have pretty much everything on all high ranking intelligence officials.
Would? Worth trying over and over, so they do (Score:2)
> every hostile nation would have pretty much everything on all high ranking intelligence officials.
Would it be worth it to China to spend a million dollars trying all sorts of ways to get into the President's email, or the secretary of state? Of course it would. If the
I hit Submit too soon (Score:2)
I accidentally hit submit before I was done writing.
> every hostile nation would have pretty much everything on all high ranking intelligence officials.
Would it be worth it to China to spend a million dollars trying all sorts of ways to get into the President's email, or the secretary of state? Of course it would. If they tried hundreds or even thousands of different hacks, would they eventually get lucky? Sure, probably.
Therefore they probably have tried thousands of times, and eventually been succes
Yeah the guy who advises the president on security (Score:5, Funny)
Has an AOL account?
Come on what does he use for personal information? Myspace?
Re: (Score:3)
He probably has bills to pay and family to keep up with like every other person out there.
And that's fine, but all of the sensitive attachments he forwarded from his government account to his AOL account are a pretty damn serious matter. Brennan was definitely not just using his AOL email account to pay bills and see if his brother wanted to play golf on Sunday.
Re: (Score:3)
Hey, AOL is for serious work. Shut up!
- Colin P.
He got his AOL account hacked? (Score:2)
Re: (Score:1)
1996 called? Did you warn them?!!
Our head of intelligence (Score:2)
Has an AOL account? Jeeze, that just about says it all doesn't it?
Life imitates art (Score:1)
arrest the CIA directory (Score:2)
For a government official to use an AOL account for anything should be a criminal offense.
I'm sorry I don't believe this (Score:2)
It's right up there on top. The sentence with "cia director" and "aol account". That's impossible.
resetting passwords (Score:2)
I work at a large Finnish ISP. We employ a very simple method to avoid problems with impostors trying to reset account passwords and the like: we do not, under any circumstances, reset the password on the customer's behalf. The customer has to do it him/herself. In theory, we are not forbidden from resetting a password, but we are (under penalty of immediate termination) forbidden from giving up the new password to anyone via any form of communication. The customer has to do the resetting him/herself via th
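The help-desk policy in the comment above, combined with the one-way hashing point raised earlier in the thread, as an added example (not code from the commenters or from any ISP). The class and method names, the in-memory `outbox` standing in for e-mail/SMS delivery, and the 15-minute token lifetime are assumptions.

```python
import hashlib, hmac, secrets, time

RESET_TTL = 900  # seconds a reset token stays valid (assumed value)

def _hash_password(password, salt):
    # scrypt is a salted, memory-hard one-way KDF in the standard library
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

class AccountStore:
    def __init__(self):
        self._accounts = {}  # user -> {"salt", "hash", "contact"}
        self._resets = {}    # user -> (sha256(token), expiry timestamp)
        self.outbox = []     # (contact, token): stand-in for real delivery

    def create(self, user, password, contact):
        salt = secrets.token_bytes(16)
        self._accounts[user] = {"salt": salt, "contact": contact,
                                "hash": _hash_password(password, salt)}

    def verify(self, user, password):
        acct = self._accounts.get(user)
        if acct is None:
            return False
        return hmac.compare_digest(acct["hash"], _hash_password(password, acct["salt"]))

    def helpdesk_view(self, user):
        # All an agent can read out to a caller: no password exists to disclose.
        acct = self._accounts[user]
        return {"user": user, "contact_on_file": acct["contact"][:2] + "***"}

    def helpdesk_start_reset(self, user, now=None):
        # The agent never sees the token and cannot choose where it is sent.
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._resets[user] = (hashlib.sha256(token.encode()).digest(), now + RESET_TTL)
        self.outbox.append((self._accounts[user]["contact"], token))

    def complete_reset(self, user, token, new_password, now=None):
        now = time.time() if now is None else now
        pending = self._resets.pop(user, None)  # single use, even on failure
        if pending is None or now > pending[1]:
            return False
        if not hmac.compare_digest(pending[0], hashlib.sha256(token.encode()).digest()):
            return False
        salt = secrets.token_bytes(16)
        self._accounts[user].update(salt=salt, hash=_hash_password(new_password, salt))
        return True
```

A caller who talks the agent into starting a reset gains nothing unless they also control the contact already on file, which is why changes to that contact need their own verification.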
Re: (Score:2)
I'm sorry, but what??? (Score:2)
That IT department (in CIA/FBI) should be fired. Everyone knows that there is no reason for Verizon to ask for
Re: (Score:3)
"Probably because it was mostly the white countries that enslaved or "colonized" all of the non-white people from other countries over the last few hundred years."
I guess you missed The Greater East Asia Co-Prosperity Sphere
They did plenty of conquering and enslaving in the 30's and 40's
And they are still not 'diverse'