White House Officials Tricked By Email Prankster (cnn.com) 131
Jake Tapper, reporting for CNN: A self-described "email prankster" in the UK fooled a number of White House officials into thinking he was other officials, including an episode where he convinced the White House official tasked with cyber security that he was Jared Kushner and received that official's private email address unsolicited. "Tom, we are arranging a bit of a soiree towards the end of August," the fake Jared Kushner on an Outlook account wrote to the official White House email account of Homeland Security Adviser Tom Bossert. "It would be great if you could make it, I promise food of at least comparible (sic) quality to that which we ate in Iraq. Should be a great evening." Bossert wrote back: "Thanks, Jared. With a promise like that, I can't refuse. Also, if you ever need it, my personal email is" (redacted). Bossert did not respond to CNN's request for comment; the email prankster said he was surprised Bossert responded given his expertise. The emails were shared with CNN by the email prankster. White House officials acknowledged the incidents and said they were taking the matter seriously. "We take all cyber related issues very seriously and are looking into these incidents further," White House press secretary Sarah Huckabee Sanders told CNN.
He's gonna end up in some camp. (Score:1)
Or in jail. I would never dare to even attempt something like that. Hurting a powerful person's pride/"face" is just about the dumbest thing you can do... if you aren't also (very) powerful..
Re: He's gonna end up in some camp. (Score:4, Informative)
Lauri Love [independent.co.uk] might care to differ. The UK hands people over the US regularly, and ignores humanitarian concerns when doing so. There was another guy a few years before that, think his condition was more severe than this one.
Re: (Score:2)
The standard for refusing a properly submitted extradition request is somewhat more specific than vague "humanitarian concerns." And hilariously, that link doesn't even cite any humanitarian concerns; or any claims of innocence. All it actually contains is some whining about American prison sentences being longer than British ones, and typical media misrepresentation about the maximum sentence possible under actual American sentencing guidelines.
Re: (Score:1)
He turns them into anonymous cowards on /.
Re: (Score:3, Insightful)
I like rules of thumb. You just touched on one of my favorites:
"Never challenge a small-minded man in a position of power."
Re:He's gonna end up in some camp. (Score:4, Funny)
Re: (Score:2)
>>Never put a small-minded man in a position of power.
Re: (Score:1)
Never put a small-minded man in a position of power.
Then there would never be any men in a position of power.
camp gimo and you are not an USC so no jury! (Score:2)
camp gimo and you are not an USC so no jury!
So what? (Score:3, Insightful)
Re:So what? (Score:4, Insightful)
I'm not sure what your point is. I'd say that, yes, a foreign power breaking into a campaign's email files is something that is and should be illegal.
This should be illegal, too, but, I agree with the story, it does seem more like a prank, and not a foreign power attempting to change U.S. election results. There is a difference.
Re: (Score:1)
Well, the Russian hackers used the info gained from the phishing to steal files which were then publicly released with the intent to harm Clinton's campaign.
This guy got an email back with the guy's real email address. He didn't steal any files. He didn't release any damaging info. He didn't even request the guy's email address.
One is a phishing attempt for a malicious purpose. From Wikipedia: "Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and
Re: (Score:1)
So you don't think that releasing all this to CNN was political in nature? You honestly don't think this was an attempt to embarrass the Trump administration? Isn't the UK a foreign power?
I think we should just ignore all of this nonsense. It is illegal, sure. So is most spam.
Re:So what? (Score:5, Insightful)
I'm impressed. It is very rare for such a short post to contain so many failures in basic reasoning:
1. This was some idiot prankster, not the UK government. Thus, not a foreign power.
2. Publicizing achievements is not inherently political. Some people just really attention. Most people, in fact.
3. Who cares if the administration is embarassed?
4. Phishing is not illegal under federal law, which is applicable to DC.
5. Ignoring a cyber security breach by a high-ranking member of DHS is stupid. It is his job to do better -- literally.
Re: (Score:3)
It's funny that you think the Trump administration is capable of embarrassment. After all, embarrassment requires a certain level of self-awareness, and there has been zero of that on evidence.
Re: (Score:2, Funny)
Apparently, they only find cyber issues against them to be serious since the Russian meddling in our election (I'm not privy to investigation results so I can't comment on collusion) appears A-OK.
He's a wannabee tyrant, without the competence to become one. It must be frustrating for him.
Re: (Score:2, Insightful)
The reason you can't see the difference is either (a) you're extremely biased or (b) you're a bit slow. Both is perfectly possible also (likely, in fact).
Re: (Score:1)
The Russians made many attempts in many systems using many methods. The "Podesta" incident just happens to be one made public and high profile and is NOT the entirety of the Russia "problem", as you seem to imply. The server logs on many election-related systems have been found full of attempts.
I imagine most attempts made by Russia failed, but if you try enough things on enough servers and enough people, eventually you will find holes. Hacking favors the patient and persistent.
I've fallen for a trick mysel
Re: (Score:2)
Oh the irony burns. Correction: ...sometimes skip steps...
Re: (Score:2)
So what?! Podesta was not and is not the Homeland Security Advisor to the President, that's what!
Re:It will happen in any administration (Score:5, Informative)
Re: (Score:2)
The fact that people can be fooled in this way in this particular organization. That's actually useful. The guy might be making an ass of folks, but that's harmless; people can do the same thing to cause harm. By his actions, he's made people more-vigilant; however, they need to take this information and instill permanent policies, as that vigilance is only temporary.
Re: (Score:2, Flamebait)
The fact that people can be fooled in this way in this particular organization. That's actually useful.
That would depend on how the facts get presented and what opinions and position accompany the facts.
The guy might be making an ass of folks, but that's harmless; people can do the same thing to cause harm.
Absolutely, this guy could have done this for personal gain and causing harm to others. Oh wait, isn't that exactly what happened?
By his actions, he's made people more-vigilant; however, they need to take this information and instill permanent policies, as that vigilance is only temporary.
Right on, CNN is now out educating people about the dangers of fishing and teaching everyone how to read mail headers and verify! Oh wait, that is not what they are doing. They are using it to bash an administration that they dislike and have bashed since election day.
I'll close
Re: (Score:2)
Re: (Score:2)
Absolutely, this guy could have done this for personal gain and causing harm to others. Oh wait, isn't that exactly what happened?
Even criminal hacking is delineated by financial damage and, usually, criminal intent (mens rea). If you can't show more than $5,000 of damage, the FBI generally doesn't care.
Calling you a giant douchebag causes harm to others: you get your feelings hurt and feel bad for a little while. Psychological pain tends to cause maturation--even traumatized soldiers develop more mature defense mechanisms (they grow up and become actual adults) compared to people in the service with less or less-traumatic combat
Re: (Score:2)
This guy's "personal gain" was some Internet fame.
Not quite. You do realize that TV shows quite often _pay_ for people to appear. There is of course what you mention with internet fame, but I'll add that the person also gained "media" fame for paid appearance even if he didn't get paid this time. Book deals, interviews, etc... That he didn't get information to hack into a bank account or commit direct blackmail does not mean he doesn't gain financially by releasing the information to a media outlet.
If the motivation was truly altruistic as you are atte
Re: (Score:2)
You're going out to ridiculous lengths. It's like when ProPublica claimed Red Cross's "real overhead" is 40%, not the 9% they publish, because "they hire contractors, who have overhead." Well shit, son, the people doing the work get paid; that's overhead, and they should work for free!
I think we disagree on principle, where I don't subscribe to moral relativism.
Moral relativism is a matter of whether the same exact action is moral or amoral based on the society's culture and, essentially, how common it is, and if the society at large accepts it. The large problem with moral rel
Re: (Score:2)
Wait, you accuse me of going to ridiculous lengths talking about the same guy and his actions while you have to jump to a NGO which didn't do anything at all similar to this person? Who is going to ridiculous lengths to justify their opinion exactly? What we have here is called a case of projection.
I don't believe you fully understand moral relativism. Moral relativism is changing the rules when you believe it suits your position or beliefs instead of from a position of pure good/evil, true/false, justic
Re: (Score:2)
You use gross generalizations which include the famous appeal to emotion "people are suffering and dying because they don't have jobs" and an NGO. WTF?
No, I'm comparing the non-government organization (ProPublica)'s arguments to yours, and carrying them to completion, as a way to demonstrate your argument in a more-relatable context.
You claim that this person's actions can provide him a potential monetary benefit somewhere down the line, thus he has taken action for personal gain, regardless of all other factors or circumstance. I pointed out a similar claim made by someone else about cost overhead, and carried it out to its conclusion (that people's
Re: (Score:2)
No, I'm comparing the non-government organization (ProPublica)'s arguments to yours, and carrying them to completion, as a way to demonstrate your argument in a more-relatable context.
Okay, I'll play along for now.
You claim that this person's actions can provide him a potential monetary benefit somewhere down the line, thus he has taken action for personal gain, regardless of all other factors or circumstance.
What other factors or circumstances? The person did, or did not take action for personal gain. As stated twice previously, if the action was not for personal gain they would have reported in a different fashion, and probably to a different location.
Your "other factors or circumstances" is exactly what I referred to as moral relativism.
Example: If you see a 100 dollar bill on the ground and pick it up and keep it, you either did or did not commit the act. Whether the 100 doll
Re: (Score:2)
What is absurd is trying to establish this persons actions as a moral equivalence to an NGO's overhead.
You're dodging that I've used your own reasoning to equate your continued existence as murder.
What other factors or circumstances? The person did, or did not take action for personal gain.
A person may, knowingly and willingly, hack into a bank, steal credit card numbers, and make purchases. This will deprive a retailer of money (the person whose card they use will be compensated; the merchant takes the burden). That, in turn, reduces revenue streams. In aggregate, this acts as a form of risk, increasing costs, thus increasing prices of goods. That lowers the number of goods people can afford.
Re: (Score:2)
You're dodging that I've used your own reasoning to equate your continued existence as murder.
Perhaps in your own mind, but no you have not. Your assertion that this person doing something and giving that data away for personal gain is the equivalent to a person who works for an NGO and counts as overhead is simply ludicrous. The reductio ad absurdem to claim I am a murderer is based on your former fallacious logic. Fallacy of a Fallacy != logical, it makes you more irrational..
I have repeatedly provided the way to reference my point in debate, and given you two questions to answer. Lets see if
Re: (Score:1)
Was the email provided the one used for official communication or just the personal one on the work server?
I have email for biz and email for other stuff. I have no compunctions about sharing my "other stuff" email address even if that means I need a third party spam manager on that address. (gad, the GP email gets a couple of hundred posts a day of which about 20 are of interest - including the daily cartoons I like. The work email; about six posts and those are very pertinent to projects.)
Someone conta
Don't worry (Score:1)
Trump has a sonâ"heâ(TM)s 10 years old. He has computers. He is so good with these computers. Itâ(TM)s unbelievable.
Seems like the wording is dead give away. (Score:1)
"I promise food of at least comparible (sic) quality to that which we ate in Iraq"
Really, who talks like that. This a is a member of the Trump White House staff.
"Good food, better food than Iraq. Food will be greatest food, simply the best, I promise." seems a little less suspect.
Not surprised though t it could have been worse... (Score:5, Interesting)
"Thanks, Jared. With a promise like that, I can't refuse. Also, if you ever need it, my personal email is" (redacted).
A "food" promise will work most of the time.
Now, just suppose it were something to do with [propositioning] the fairer sex! Now, that would have been a scandal big time.
My take: Those folks are lucky, for now.
Sensitivity training... (Score:1)
Re: (Score:2)
Re: (Score:2)
SMIME certificates do help. :)
Could help, but they don't.
My company uses them and requires us to use them, except when they don't. The problem, IMO, is that the email clients don't alert when there is no signature. They add a tiny icon if a signature is present and valid. They add a warning if the signature is present but invalid.
What is needed is something akin to HTTP's Strict-Transport-Security header. IE. once your email client receives a valid signed email from a particular user, it will then require all email from that user to be
Re: (Score:2)
Re: (Score:2)
the entire point is to validate an incoming e-mail isn't a phishing message with forged headers. An SMIME cert will help shed light on that.
Close, but wrong.
The S/MIME signature applies to the message body. That does NOT include any of the headers (and note, "Subject" is a header, not part of the message body).
As an example, I have actually done the following and can assure you this is not only possible, but trivially easy:
* have someone send you an S/MIME signed email
* send that back out, forge the FROM address to that users address rather than your own, and modify the Subject to something obscene, and set the TO address to anywhere you like
*
If you live in glass houses... (Score:2)
A good many Republicans trashed the DNC for their "lax security". Crow soup anyone?
Seth Rich (Score:1)
Meanwhile a Fox reporter is suing Hannity and Fox 'News' for making up the Seth Rich story.
Apparently it was cooked up to kill the Russia inquiry and he didn't like them faking quotes from him to give it credence.
If Seth leaked the emails to Wikileaks, then the Russians are innocent, which was the aim of Hannity, clear the Russians of involvement in the hack by pinning it on Seth:
"Congress, investigate Seth Rich Murder! @JulianAssange made comments u need to listen to! If Seth was wiki source, no Trump/Russ
"cyber related issues" (Score:2)
Poor kid is going to get swatted in 3... 2... 1...
Re: (Score:2)
Re: "cyber related issues" (Score:2)
Black-bagged and dumped out the back of a C-130, somewhere over the mid-Atlantic. That's my guess.
Well, no... He will probably just get a stern talking to.
Re: (Score:2)
Sarah Sanders (Score:2)
Has never been known for being tight-lipped.
Take that as you will. It literally works both ways. The unspoken way is likely true given her behavior.
Re: (Score:2)
Are you saying that friends of the prankster should check up on him every so often to make sure he's still breathing?
Re: (Score:1)
So she has a big mouth too?
Use PGP/GPG (Score:2)
PGP was introduced in 1991. Now it's 2017 and we still don't know how to make sure we are talking to the person we think we are talking to. *weep*
Re: (Score:2)
PGP was introduced in 1991. Now it's 2017 and we still don't know how to make sure we are talking to the person we think we are talking to. *weep*
I work in what might best be described as an internal IT support job for a US based Fortune 500 company. Every now and then the particular product I support has a customer with a problem and I have to jump in and try to help. We only sell this product in North America and the vast majority of that within the USA. I say that because when there are problems I have to talk to IT staff who work for our customers and I want it understood that I'm not talking about dealing with companies in undeveloped countr
Re: (Score:1)
PGP was introduced in 1991. Now it's 2017 and we still don't know how to make sure we are talking to the person we think we are talking to. *weep*
And you still wouldn't, even if PGP was in widespread use, because there's no easy way to verify that the public key you've been issued actually belongs to the person you're communicating with. This is the same pitfall that all public key cryptography faces. It only works with https because we trust the root certificate authorities.
Cryptography is useless if you don't have a secure channel to exchange keys before the communication that you wish to secure/authenticate.
Re: (Score:3)
[Suspected Spam] (Score:3, Informative)
It was tagged [Suspected Spam], how could it NOT have been a legit email?
How much stupider can these people get?
Re: (Score:2)
Re: (Score:2)
Tom assumed they would be serving Spam.
Re: (Score:2)
I have seen legit e-mails that were marked spams. :(
The expertise of Tom Bossert .. (Score:1)
What expertise? Have these people never heard of encryption and digital signatures, cause using standard email mean anyone can read your email or impersonate a real person. But then again these are the same people who decided to run Homeland Security on Microsoft Windows.
Shock (Score:4, Insightful)
Re:Shock (Score:4, Interesting)
Yes, I was surprised that the prankster thought Bossert had "expertise". He's a lawyer.
Now a lot of lawyers are very smart, and the best are information sponges who do manage to acquire impressive depth of knowledge in fields outside the law. But Bossert's only security experience was working as Deputy Homeland Security Advisor under Bush, a position he was utterly unqualified for; as for experience he picked up in that position, this was a period when the department was new and notorious for security theater and expensive boondoggles. Oh, yes he did serve as Director of Infrastructure Protection under Bush as well, during a period where nothing significant was accomplished.
I wouldn't be the least surprised if he got suckered by a phishing campaign.
Better investigate their use of email! (Score:1)
Information hiding (Score:2)
He probably just saw light blue "Jared Kushner". This kind of information hiding crap is getting more pervasive all the time. The same goes for file extensions "FamilyPhotos.jpg.exe"
Re: (Score:2)
The stupidity is mind-baffling (Score:3)
What's with US politicians and email?
Don't they know it's like postcards that can be written by any idiot?
I guess not.
Waiting for this "prankster" to get arrested (Score:1)
Pretty sure that spear phishing is a crime, regardless of your success level or whether you self style yourself as a prankster or not. The only way to legally do what was done is to immediately reply back to the targeted official/business/government agency and inform them that you were not who you said you were and that they need to improve their IT security training/systems. This guy may very well wind up extradited and charged with a crime since he went to CNN with the intention of damaging the organiza
Re: (Score:3)
Pretty sure that spear phishing is a crime [...]
It probably comes under the generic catch-all, "Fraud." I'm not sure there's anything specific about spear-phishing...
Re: (Score:1)
he went to CNN with the intention of damaging the organization that he attacked
Exposing stupid actions is not "damaging".
Let's be perfectly clear - it's a huge problem. (Score:4, Interesting)
"So we had to get very, very tough on cyber and cyber warfare. It is a huge problem. I have a son—he’s 10 years old. He has computers. He is so good with these computers. It’s unbelievable. The security aspect of cyber is very, very tough. And maybe, it's hardly doable. But I will say, we are not doing the job we should be doing. But that’s true throughout our whole governmental society. We have so many things that we have to do better, Lester. And certainly cyber is one of them."
Re: (Score:2)
Re: (Score:3, Informative)
Re: (Score:1)
One bloke in the UK = the UK did it?
But we know the UK did it; the attack came from a UK IP, and we have many reasons to believe the UK could benefit from it. They probably have lots of evidence, we're just not allowed to see it because we're just common citizens.
Of course, I wouldn't trust a paid UK astroturfer to see reason.