Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Government Privacy Security News

White House Officials Tricked By Email Prankster (cnn.com) 131

Jake Tapper, reporting for CNN: A self-described "email prankster" in the UK fooled a number of White House officials into thinking he was other officials, including an episode where he convinced the White House official tasked with cyber security that he was Jared Kushner and received that official's private email address unsolicited. "Tom, we are arranging a bit of a soiree towards the end of August," the fake Jared Kushner on an Outlook account wrote to the official White House email account of Homeland Security Adviser Tom Bossert. "It would be great if you could make it, I promise food of at least comparible (sic) quality to that which we ate in Iraq. Should be a great evening." Bossert wrote back: "Thanks, Jared. With a promise like that, I can't refuse. Also, if you ever need it, my personal email is" (redacted). Bossert did not respond to CNN's request for comment; the email prankster said he was surprised Bossert responded given his expertise. The emails were shared with CNN by the email prankster. White House officials acknowledged the incidents and said they were taking the matter seriously. "We take all cyber related issues very seriously and are looking into these incidents further," White House press secretary Sarah Huckabee Sanders told CNN.
This discussion has been archived. No new comments can be posted.

White House Officials Tricked By Email Prankster

Comments Filter:
  • by Anonymous Coward

    Or in jail. I would never dare to even attempt something like that. Hurting a powerful person's pride/"face" is just about the dumbest thing you can do... if you aren't also (very) powerful..

  • So what? (Score:3, Insightful)

    by Train0987 ( 1059246 ) on Tuesday August 01, 2017 @10:23AM (#54919763)
    Let me get this straight. John Podesta gets fooled by a phishing attempt and suddenly the Russian government colluded with Trump to steal the election that Clinton was promised, but when someone in the Trump admin gets fooled by an email it's just a harmless prankster.
    • Re:So what? (Score:4, Insightful)

      by Anonymous Coward on Tuesday August 01, 2017 @10:32AM (#54919827)

      I'm not sure what your point is. I'd say that, yes, a foreign power breaking into a campaign's email files is something that is and should be illegal.

      This should be illegal, too, but, I agree with the story, it does seem more like a prank, and not a foreign power attempting to change U.S. election results. There is a difference.

    • by Anonymous Coward

      Well, the Russian hackers used the info gained from the phishing to steal files which were then publicly released with the intent to harm Clinton's campaign.

      This guy got an email back with the guy's real email address. He didn't steal any files. He didn't release any damaging info. He didn't even request the guy's email address.

      One is a phishing attempt for a malicious purpose. From Wikipedia: "Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and

      • So you don't think that releasing all this to CNN was political in nature? You honestly don't think this was an attempt to embarrass the Trump administration? Isn't the UK a foreign power?

        I think we should just ignore all of this nonsense. It is illegal, sure. So is most spam.

        • Re:So what? (Score:5, Insightful)

          by Anonymous Coward on Tuesday August 01, 2017 @10:56AM (#54919967)

          I'm impressed. It is very rare for such a short post to contain so many failures in basic reasoning:

          1. This was some idiot prankster, not the UK government. Thus, not a foreign power.

          2. Publicizing achievements is not inherently political. Some people just really attention. Most people, in fact.

          3. Who cares if the administration is embarassed?

          4. Phishing is not illegal under federal law, which is applicable to DC.

          5. Ignoring a cyber security breach by a high-ranking member of DHS is stupid. It is his job to do better -- literally.

        • You honestly don't think this was an attempt to embarrass the Trump administration?

          It's funny that you think the Trump administration is capable of embarrassment. After all, embarrassment requires a certain level of self-awareness, and there has been zero of that on evidence.

      • Re: (Score:2, Funny)

        by Maritz ( 1829006 )

        Apparently, they only find cyber issues against them to be serious since the Russian meddling in our election (I'm not privy to investigation results so I can't comment on collusion) appears A-OK.

        He's a wannabee tyrant, without the competence to become one. It must be frustrating for him.

    • Re: (Score:2, Insightful)

      by Maritz ( 1829006 )

      The reason you can't see the difference is either (a) you're extremely biased or (b) you're a bit slow. Both is perfectly possible also (likely, in fact).

    • by Tablizer ( 95088 )

      The Russians made many attempts in many systems using many methods. The "Podesta" incident just happens to be one made public and high profile and is NOT the entirety of the Russia "problem", as you seem to imply. The server logs on many election-related systems have been found full of attempts.

      I imagine most attempts made by Russia failed, but if you try enough things on enough servers and enough people, eventually you will find holes. Hacking favors the patient and persistent.

      I've fallen for a trick mysel

      • by Tablizer ( 95088 )

        humans are humans and somethings skip steps

        Oh the irony burns. Correction: ...sometimes skip steps...

    • So what?! Podesta was not and is not the Homeland Security Advisor to the President, that's what!

  • by Anonymous Coward

    Trump has a sonâ"heâ(TM)s 10 years old. He has computers. He is so good with these computers. Itâ(TM)s unbelievable.

  • "I promise food of at least comparible (sic) quality to that which we ate in Iraq"
    Really, who talks like that. This a is a member of the Trump White House staff.

    "Good food, better food than Iraq. Food will be greatest food, simply the best, I promise." seems a little less suspect.

  • by bogaboga ( 793279 ) on Tuesday August 01, 2017 @10:36AM (#54919857)

    "Thanks, Jared. With a promise like that, I can't refuse. Also, if you ever need it, my personal email is" (redacted).

    A "food" promise will work most of the time.

    Now, just suppose it were something to do with [propositioning] the fairer sex! Now, that would have been a scandal big time.

    My take: Those folks are lucky, for now.

  • Looks like some people need training on how to spot phishing email attempts.
    • Comment removed based on user account deletion
      • by unrtst ( 777550 )

        SMIME certificates do help. :)

        Could help, but they don't.
        My company uses them and requires us to use them, except when they don't. The problem, IMO, is that the email clients don't alert when there is no signature. They add a tiny icon if a signature is present and valid. They add a warning if the signature is present but invalid.

        What is needed is something akin to HTTP's Strict-Transport-Security header. IE. once your email client receives a valid signed email from a particular user, it will then require all email from that user to be

        • Comment removed based on user account deletion
          • by unrtst ( 777550 )

            the entire point is to validate an incoming e-mail isn't a phishing message with forged headers. An SMIME cert will help shed light on that.

            Close, but wrong.
            The S/MIME signature applies to the message body. That does NOT include any of the headers (and note, "Subject" is a header, not part of the message body).
            As an example, I have actually done the following and can assure you this is not only possible, but trivially easy:
            * have someone send you an S/MIME signed email
            * send that back out, forge the FROM address to that users address rather than your own, and modify the Subject to something obscene, and set the TO address to anywhere you like
            *

  • A good many Republicans trashed the DNC for their "lax security". Crow soup anyone?

    • by Anonymous Coward

      Meanwhile a Fox reporter is suing Hannity and Fox 'News' for making up the Seth Rich story.

      Apparently it was cooked up to kill the Russia inquiry and he didn't like them faking quotes from him to give it credence.

      If Seth leaked the emails to Wikileaks, then the Russians are innocent, which was the aim of Hannity, clear the Russians of involvement in the hack by pinning it on Seth:

      "Congress, investigate Seth Rich Murder! @JulianAssange made comments u need to listen to! If Seth was wiki source, no Trump/Russ

  • Poor kid is going to get swatted in 3... 2... 1...

  • Has never been known for being tight-lipped.

    Take that as you will. It literally works both ways. The unspoken way is likely true given her behavior.

  • PGP was introduced in 1991. Now it's 2017 and we still don't know how to make sure we are talking to the person we think we are talking to. *weep*

    • PGP was introduced in 1991. Now it's 2017 and we still don't know how to make sure we are talking to the person we think we are talking to. *weep*

      I work in what might best be described as an internal IT support job for a US based Fortune 500 company. Every now and then the particular product I support has a customer with a problem and I have to jump in and try to help. We only sell this product in North America and the vast majority of that within the USA. I say that because when there are problems I have to talk to IT staff who work for our customers and I want it understood that I'm not talking about dealing with companies in undeveloped countr

    • Comment removed based on user account deletion
      • That's what private key servers are for, and nothing is stopping the feds from setting one up for their own people to use.
  • [Suspected Spam] (Score:3, Informative)

    by Anonymous Coward on Tuesday August 01, 2017 @10:57AM (#54919975)

    It was tagged [Suspected Spam], how could it NOT have been a legit email?

    How much stupider can these people get?

  • "A self-described "email prankster" .. wrote to the official White House email account of Homeland Security Adviser Tom Bossert .. the email prankster said he was surprised Bossert responded given his expertise"

    What expertise? Have these people never heard of encryption and digital signatures, cause using standard email mean anyone can read your email or impersonate a real person. But then again these are the same people who decided to run Homeland Security on Microsoft Windows.
  • Shock (Score:4, Insightful)

    by American AC in Paris ( 230456 ) on Tuesday August 01, 2017 @11:05AM (#54920027) Homepage
    You elect amateur hour, you're gonna get amateur hour.
    • Re:Shock (Score:4, Interesting)

      by hey! ( 33014 ) on Tuesday August 01, 2017 @01:39PM (#54921033) Homepage Journal

      Yes, I was surprised that the prankster thought Bossert had "expertise". He's a lawyer.

      Now a lot of lawyers are very smart, and the best are information sponges who do manage to acquire impressive depth of knowledge in fields outside the law. But Bossert's only security experience was working as Deputy Homeland Security Advisor under Bush, a position he was utterly unqualified for; as for experience he picked up in that position, this was a period when the department was new and notorious for security theater and expensive boondoggles. Oh, yes he did serve as Director of Infrastructure Protection under Bush as well, during a period where nothing significant was accomplished.

      I wouldn't be the least surprised if he got suckered by a phishing campaign.

  • by Anonymous Coward
    Hey if Whitehouse staffers are so dumb and uninformed when it comes to basic OPSEC then I think we'd better have the FBI investigate whether they're using private email for official purposes, too, just in case!
  • Jared Kushner<jared.kushner@foobar.com>

    He probably just saw light blue "Jared Kushner". This kind of information hiding crap is getting more pervasive all the time. The same goes for file extensions "FamilyPhotos.jpg.exe"
  • by nospam007 ( 722110 ) * on Tuesday August 01, 2017 @12:17PM (#54920463)

    What's with US politicians and email?
    Don't they know it's like postcards that can be written by any idiot?
    I guess not.

  • Pretty sure that spear phishing is a crime, regardless of your success level or whether you self style yourself as a prankster or not. The only way to legally do what was done is to immediately reply back to the targeted official/business/government agency and inform them that you were not who you said you were and that they need to improve their IT security training/systems. This guy may very well wind up extradited and charged with a crime since he went to CNN with the intention of damaging the organiza

    • Pretty sure that spear phishing is a crime [...]

      It probably comes under the generic catch-all, "Fraud." I'm not sure there's anything specific about spear-phishing...

    • by Anonymous Coward

      he went to CNN with the intention of damaging the organization that he attacked

      Exposing stupid actions is not "damaging".

  • by gosand ( 234100 ) on Tuesday August 01, 2017 @01:23PM (#54920943)

    "So we had to get very, very tough on cyber and cyber warfare. It is a huge problem. I have a son—he’s 10 years old. He has computers. He is so good with these computers. It’s unbelievable. The security aspect of cyber is very, very tough. And maybe, it's hardly doable. But I will say, we are not doing the job we should be doing. But that’s true throughout our whole governmental society. We have so many things that we have to do better, Lester. And certainly cyber is one of them."

You are always doing something marginal when the boss drops by your desk.

Working...