I think the REAL story here is that the Director of the Frickin' CIA has an AOL e-mail address & AOL e-mail is not the first thing that comes to your mind when you think Security.
Also he thought it was OK to forward Sensitive Govt. Docs to a non-secured commercial e-mail address.
The amount of almost un-restrained power that these people have vs the very low quality of their InfoSec is truly appalling.
I don't think anyone should be surprised that an intelligence agency - that has repeatedly violated its own country's law, and actively contributed to the weakening of civil rights - be guilty of this sort of negligence. That is exactly what happens when an institution is allowed to grow unchecked, with no or little civilian oversight or consequences for the wrongdoings.
What's scary is that this kind of clueless and technology-illiterate people are actively involved in shaping the future landscape of massive data collection.
I think we are about to witness, in the next decade, multiple "incidents" where millions, perhaps billions, of private records about innocent citizens will be leaked because of this kind of negligence.
I think people do deserve to be surprised. Competence is not the same as selflessness. Many people routinely question whether the FBI is operating for the good of the country, but most people at least believe that they are good at their job.
I'm not sure that the CIA has ever been a real ally of the people in general, but to the extent that they are, it's similar to the inclusion of the USSR in the Allied Powers during World War II.
Nice rant. The last two paragraphs threw me off, though... how exactly is the CIA Director involved in shaping the future landscape of massive data collection?
On top of that the previous CIA director was undone by a Gmail account he shared with his mistress. You'd think email security would have come up during the onboarding process. The CIA is an intelligence agency, but its leaders are apparently just regular bureaucrats.
To be fair, being an accomplished member of an agency of foreign affairs, and being in any way competent with information security, and being a US citizen in the notice of the highest echelons of our government is asking a lot from a small circle of potential candidates who are predominantly far older than your tech-savvy computer engineer.
And in most ways, leaving his e-mail to a provider which works with e-mail and has dealt with attacks before, is probably the most sensible thing to do.
And of course, I've read Legacy of Ashes and a few of Robert Baear's books (Beaer?) and understand that being accomplished in the world of the CIA is just avoiding political entanglement and not fucking up too badly, but whatever, the point stands ;-).
The sensible thing to do is to leave his work email in his work account. That guidance should be email training 101 as well as common sense. You're not supposed to take classified government documents home with you, and you don't take government property home with you, and you don't send official work email to your random private email account.
He has 24/7 instant access to very high quality opsec though, it doesn't matter that he's old. If he's too old to know any better he doesn't belong anywhere near classified material.
If it makes you feel any better (it won't), anyone else in the company would have been summarily fired and barred from further work in the IC if they had done the same.
This isn't to excuse his conduct in any way shape or form, but I suspect that every high ranking official in the public or private sector keeps a private e-mail account for conducting business off-the-books.
Or just having a personal email address for non-work reasons. They're still human, even if they're high-level elected officials or CEOs, and they won't have that job/office forever.
> "...where they read several dozen emails, some of them that Brennan had forwarded from his government work address and that contained attachments..."
Sorry, but this doesn't sound like "personal email address for non-work reasons"...
> After providing the Verizon employee with a fabricated employee Vcode—a unique code that he says Verizon assigns employees—they got the information they were seeking. This included Brennan’s account number, his four-digit PIN, the backup mobile number on the account, Brennan’s AOL email address and the last four digits on his bank card.
There are obviously a _lot_ of wtf moments reading this article, but this one just strikes me as the most egregious - why in the world would a Verizon employee of any kind be able to obtain this information from anyone other than the account holder? The account number, ok maybe, but absolutely none of those other items should be communicated between employees. Absurd.
That information is internally available within Verizon, to its employees, to (presumably) verify ownership of an account when speaking to a customer. None of that is surprising - that information is commonly used as security challenge questions in phone support situations.
Whether it should be, well that is another matter.
It's understandable that the information is there and accessible. But, again, it should never be communicated between employees, only between employee and account holder. Maybe such policy is not common practice for businesses? It seems like an obvious security measure.
When I worked for Embarq doing DSL support, the procedure for a field technician to obtain customer information was to call into a special phone number and provide a technician code.
There are several problems with this:
1.) The phone number can be found on the internet.
2.) The technician code is just noted down as part of the request. It is not verified.
3.) The support employee's validation process that they are a field technician was that they were calling over the special phone number.
Obviously sensitive information was not supposed to be given out, but they hired anyone that was alive enough to answer a phone and tell people to reset their router.
Well, it seems like employees should be able to verify that the security information matches what's on file without actually seeing. So, an employee could enter the last four digits of the CC number into a form and then get verification if they're correct, but wouldn't be able to just pull up that info and give it to someone else.
>None of that is surprising - that information is commonly used as security challenge questions in phone support situations. //
The PIN at least seems like it should have been hashed, then an employee puts in a form the stated PIN to see if it's correct and the hashes are compared on the backend.
The other info though is needed for initiating contact and to allow customers to perform transactions (verifying card details for example).
Hashing wouldn't help much for a PIN (which is usually just 4 digits). You could get a rainbow table for that in like 5 seconds. Even salting wouldn't help, given how tiny the keyspace is.
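To make the last three comments concrete, here is an added example (not code from the thread, from Verizon, or from any telco): it measures what a salt buys against a 10^4 PIN keyspace, then shows the design the earlier comment asked for, where a rep submits the caller's stated PIN and gets only a yes/no back. The `PinVerifier` class, its pepper-plus-attempt-cap design, the account id and the PIN value are all constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Every possible 4-digit PIN: a keyspace of only 10^4 values.
PIN_SPACE = [f"{n:04d}" for n in range(10_000)]


# --- The weak design discussed above: a salted SHA-256 of the PIN. ---
def store_pin_salted(pin: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, hashlib.sha256(salt + pin.encode()).digest()


def recover_pin_from_salted_hash(salt: bytes, digest: bytes) -> Tuple[Optional[str], int]:
    """What the salt buys: it blocks a precomputed rainbow table, but whoever
    holds the table row can recompute all 10,000 candidates in well under a
    second. Returns the matching PIN and how many hashes that took."""
    for count, candidate in enumerate(PIN_SPACE, start=1):
        if hashlib.sha256(salt + candidate.encode()).digest() == digest:
            return candidate, count
    return None, len(PIN_SPACE)


# --- Hardened design (hypothetical): keyed hash with a server-held secret,
#     yes/no answers for staff, and a per-account attempt cap. ---
class PinVerifier:
    """Stores HMAC-SHA256(pepper, salt || pin) per account. The pepper is a
    server-side secret kept apart from the account table (secrets manager or
    HSM), so a leaked table cannot be searched offline. A support rep types
    the PIN the caller states into verify() and learns only True/False; after
    max_attempts failures the account locks and needs out-of-band recovery."""

    def __init__(self, pepper: bytes, max_attempts: int = 5) -> None:
        self._pepper = pepper
        self._max_attempts = max_attempts
        self._records: Dict[str, Tuple[bytes, bytes]] = {}
        self._failures: Dict[str, int] = {}

    def _tag(self, salt: bytes, pin: str) -> bytes:
        return hmac.new(self._pepper, salt + pin.encode(), hashlib.sha256).digest()

    def enroll(self, account_id: str, pin: str) -> None:
        salt = os.urandom(16)
        self._records[account_id] = (salt, self._tag(salt, pin))
        self._failures[account_id] = 0

    def is_locked(self, account_id: str) -> bool:
        return self._failures.get(account_id, 0) >= self._max_attempts

    def verify(self, account_id: str, claimed_pin: str) -> bool:
        if account_id not in self._records or self.is_locked(account_id):
            return False
        salt, tag = self._records[account_id]
        # Constant-time compare so response timing leaks nothing about the tag.
        if hmac.compare_digest(self._tag(salt, claimed_pin), tag):
            self._failures[account_id] = 0
            return True
        self._failures[account_id] += 1
        return False


def online_guesses_until_lockout(verifier: PinVerifier, account_id: str) -> int:
    """Candidates an online guesser gets to try before the cap stops them,
    versus the full 10,000 an offline search of a bare hash enjoys."""
    tried = 0
    for candidate in PIN_SPACE:
        if verifier.is_locked(account_id):
            break
        tried += 1
        if verifier.verify(account_id, candidate):
            break
    return tried
```

The takeaway matches the comment above: with a four-digit keyspace, a hash (salted or not) is not the control; keeping the secret key away from the table and capping online attempts is.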
> The hackers described how they were able to access sensitive government documents stored as attachments in Brennan’s personal account because the spy chief had forwarded them from his work email.
How is this acceptable? Shouldn't he be held accountable for this kind of stuff?
>How is this acceptable? Shouldn't he be held accountable for this kind of stuff?
You're the new young email admin. You see this in your logs. You tell your boss. Your boss shrugs and says, "He's the director and I don't feel like getting fired."
I don't know why people think government, be it any agency including intelligence, is run any different than any other political or corporate bureaucracy. Humanity has a natural pecking order cooked into it and it reflects in our organizations. One does not just challenge the big dog without consequences. Hell, staff may not be able to even audit him the same way Congress has made itself immune to the NSA wire-tapping programs.
>I don't know why people think government, be it any agency including intelligence, is run any different than any other political or corporate bureaucracy. //
Maybe it's the big "democracy" label that people apply to it.
Maybe it's the concept of "Rule of Law" that underpins Western Democracy.
If it's possible to be fired for simply applying the statutory regulations to a civil servant then any semblance of either democracy or rule of law has clearly been replaced with other structures.
Presumably the CIA would try to kill you to cover this up, because otherwise the sacking of the infringer should be a normal conclusion?
However, I wonder why the agency simply does not disable forwarding, or at least add warnings in bright red that doing so violates policy and is subject to charges.
Sure, disabling fwd-ing is trivial to defeat but it makes clear fwd-ing is non standard.
Doesn't matter-- He's talking about torture and Iranian "realpolitik" on an @AOL email address. In an election cycle. With one headline candidate already getting grilled over improper use of private email.
I read the autobiography of hacker Kevin Mitnick and the thing that struck me the most was how his "hacking" consisted of manipulating people. I can recall one case in the book where he compromised a system on a purely technical level. Almost every other hack was based on convincing people to tell him things they should not.
Why break into a system when you can ask someone to unlock it for you?
It definitely was a little disillusioning when I learned that many famous hackers were not technical wizards (like bunnie) but in fact basically con artists.
Take a broader view of hacking. A system is not just its code, it's the people that run it, too. If you want to break into a system, they are frequently the best point of entry.
To paraphrase from the first season of Mr. Robot as they're looking over surveillance pictures of a secure data center compound with high walls, biometrics, security cameras, and 4 armed security guards:
"How do you break into a place with no weak points?"
I find it interesting how Verizon didn't notice that they used a fake employee id. I wonder if they just made up one that looked like it could pass or if they had to generate one that passed a verification, and if so, how.
Fun fact: The telcos have the notion of a "VIP" customer where their information is restricted to a very small group of customer service reps who are trained to protect their privacy.
Their clients usually include celebs, pro athletes, etc... I'm surprised that the CIA chief isn't on that tier.
No, it's understanding that different customers have different risk profiles and using that information to deploy your security resources efficiently. Verified accounts on Twitter use the same concept... not everybody needs that.
It would be nice to be able to purchase this kind of thing directly though.
> The barrier to entry to become a Verizon employee is lower than the barrier to obtaining this info should be.
The problem with this approach is that it leaves a pretty clear trail. At best you need to hand the customer info off to someone else with no obvious ties and claim you were social-engineered into giving up your employee id. Also you can really only do this once.
I think your fear says more about you than the country. I open these links without a second thought.
EDIT: The leaks are pretty disappointing, unless you care about how many times the director ate with Alan Lovell. The real story is the fact that there were leaks at all, not the leaks themselves.
> Iran will be a major player on the world stage in the decades ahead, and its actions and behavior will have a major and enduring impact on near- and long-term US interests on a variety of regional and global issues. With a population of over 70 million, XX percent of the world's proven oil reserves, a geostrategic location of tremendous (enviable?) significance, and a demonstrated potential to develop a nuclear-weapons program, the United States has no choice but to find a way to coexist - and to come to terms with - whatever government holds power in Tehran. [...]
> An unfortunate hallmark of US-Iranian relations since 2001 has been [the] growing divide between Washington and Tehran, chronicled by bombastic rhetorical broadsides that have been hurled publicly by each side against the other. The tragedy of the al-Qa'ida launched terrorist attacks against the US homeland in September 2001 prompted the US administration to engage in a far-reaching campaign to eradicate the sources of terrorism, and Iran, understandably - but regrettably - was swept up in the emotionally charged rhetoric that emanated from Washington under the seemingly all-encompassing rubric of "The Global War On Terrorism". The gratuitous labeling of Iran as part of a worldwide "axis of evil" by President Bush combined with strong US criticisms of Iran's nascent nuclear program and its meddling in Iraq led Tehran to view that Washington had embarked on a course of confrontation in the region that would soon set a kinetic focus on Iran. Even Iran's positive engagement in helping repair the post-Taliban political environment in Afghanistan was met with indifference by Washington. [...]
While this leak may not be particularly confidential nor surprising to informed readers, I'd say reading this kind of insight into what US leaders really think is pretty damn interesting.
Did you just glance at them or do you mean not a lot of interesting national sec/CIA stuff. There's some pretty personal private stuff in there including a complete SF86 form with a minefield of personal information including SSN numbers, previous addresses etc. I imagine these could be useful to someone who might be interested in compromising a few more of his personal accounts.
I know what you mean, but in a way I find it strangely reassuring that the head of the CIA is (in some respects at least) plain old old-skool dumb.
It tends to confirm me in my suspicions that the media-projected image of ruthlessly efficient and mindbogglingly smart intel apparatchiks is a fantasy, and that the reality might be more like Burn After Reading[1]
Is it worse than any other free email provider? None of them have two factor login by default and they all have sketchy password reset policies/mechanisms. Brennan is 60 years old. He's probably been using AOL since the 90's. He felt no need for change. A lot of our top leadership are boomers and will have boomer habits.
If you read that article you'll see this is more of a social engineering hack on Verizon than AOL. Verizon gave up all sorts of information about him which made answering AOL's password reset questions easy for them. It's scary how much you can do to a person if you know the last four digits of their credit card.
This is yet another example where things like S/MIME would have helped, but apparently we're all content with completely unencrypted emails. I suspect guys like Brennan prefer email unencrypted anyway, except when things like this happen to him personally.
Not really, but they are definitely on the bottom of the trusted list. That being said, the WTFs in this story would be the same if it was yahoo, gmail, etc. The problem is that the emails were forwarded out from his work network.
What does this article have to do with Google and Facebook's CEOs?
edit: No, seriously. I can't see how the CIA is the most powerful information gathering agency on the planet. Even restricting to government organizations, the NSA likely has far more access to information. Allowing for private organizations, Google/Facebook likely know far more about individual people than any government agency does given Google Analytics, Facebook Like buttons, etc. strewn around virtually every public internet page.
AOL doesn't support 2-factor authentication for email sign-in. If they did, then this entire debacle would [edit- replace "would" with "could"] have been stopped before it even started.
I'm also surprised that the government doesn't have more stringent guidelines about the private email use of its top officials.
Since these guys knew how Verizon works internally I wouldn't be surprised if they could forward his cell # somewhere else. Some 2FA systems require a PIN for auth, but they have his Verizon one already, which is probably re-used everywhere.
Google Authenticator is pretty easy to use, as are the alternatives. Also really easy to provision. Not sure how SMS is more practical than an offline code generator.
First notice how "pretty easy" isn't the same as straightforward. Good luck getting my mom to figure it out.
If you lose your phone, upgrade to a new one, or erase and restore it you lose all your authenticator credentials. That doesn't happen with SMS.
If you're in a situation where security is paramount, then physical cards or authenticator are a better way to go. If you're 99.9% of the population, SMS is a far better solution.
You're right, I should have clarified that in my comment.
Not even offering it is a serious oversight on AOL's part for exactly this type of scenario- it makes it extremely easy for a motivated person to socially hack someone's email. However even if it is offered it has to be turned on to work, so then we'd be back where we started if it was off by default.
I agree that AOL and most other services should offer 2fa. However, I disagree with the parent that the situation would not have occurred if AOL did offer 2fa because the subject in question would still be unlikely to use it.
Even 2FA will have some mechanism for resetting the password without the second factor, because people lose their 2FA device (usually a phone) all the time. There has to be a way to recover from losing your 2FA device - given how easily the social engineering was shown to be here, I doubt that would help much.
How do you design a system that's hardened against social engineering but not hardened against innocent mistakes, like losing your password? It seems like the easiest way to access public systems like this is through social engineering techniques around password recovery or phishing.
Of course there are well-known answers that are used to mitigate these problems somewhat, TFA solutions, login images, etc. But I still feel as if social engineering attacks hit a really vulnerable weak spot in many systems.
(On a mostly unrelated note, can we get rid of security questions forever? I've taken to just giving nonsense answers for them and storing my answers somewhere secure. I sure don't want my passwords being reset because somebody knows my mom's maiden name...)
> I sure don't want my passwords being reset because somebody knows my mom's maiden name...
Not only that, any site that used that question and all those that got hacked know your mom's maiden name if that question was ever answered seriously. That's the main reason such 'secret questions' suck: there apparently is a fairly small set of commonly used questions like that (first school, first pet, favorite pet, mom's maiden name, street where you were born and so on).
Much is being made of him using AOL for work emails. Seems like a fairly minor issue. The worst part was the spreadsheet with ~20 people's info on it. Otherwise, he forwarded emails to himself that he wanted to permanently have possession of, like his own clearance application and a letter from the Senate on torture. I'm more interested in this letter--sent in 2009. Who knew what and when?
> Brennan, the hacker says, replied, “How much do you really want?”
Could be an embellishment, but it sounds like he really was willing to pay something. Perhaps more for his personal privacy than out of fear of national secrets leaking, though.
Doubt it. Sounds to me like he was fishing for information so he could find out who they were. If they'd said, "Sure, we want $X million!" then they'd have to hash out a delivery method, all of a sudden they're on USGov's turf.
There was a story within the past year or two I remember that was in a similar vein: where the hackers were able to obtain some address info from Apple support, which led to CC info from Amazon tech support, which led to interception of the users phone number and then bypassing of 2FA, which led to primary email takeover. I felt then, as I do now, that there should be a standardized process for identifying user information across all companies that doesn't allow for this patchwork gathering of info and incorporates a type of 2FA.
I remembered this thought again recently when dealing with major banks over the phone. All I needed to identify who I am was confirmation of my home address, and last 4 digits of my social. That is hardly secure! A single data breach for SSN, cross referencing an email to social media or DNS if you don't use private registration and boom, you can pretend to be me as far as some banks are concerned.
The SSN is the most abused number in the ID world. It's a de-facto federal ID number and it's simply not meant for the task. Everyone gets all uppity about having some type of federal ID number whenever I mention it, but I feel like some type of public key cryptographic federal ID number plus cross-signing, changeable password, AND a 2+FA should be used to truly identify who you are.
People seem to forget that hacking personal accounts is not difficult, even for novice hackers. The reason most people don't get hacked is either 1. they weren't a funny/interesting target, or 2. nobody wanted to get caught.
Also, the CWA's twitter account was suspended, but thanks be to The Internet Archive we have a mirror:
How did the attackers know that Brennan had an AOL address?
Let's not take the attackers at face value. They could have had help or be employed by anyone, including those either interested in Brennan's AOL email or in embarrassing him.
The vast majority of hackers are never caught. If the individual makes a habit of doing this without proper opsec, maybe.
It's a lot easier to get away with hacking than most people make it out to be. When I was 14 years old I hacked one of the largest banks in the UK on a laugh with friends in high school using SQL injection. I didn't steal anything, but I did get access to very sensitive information about many members' accounts. It wouldn't have been difficult to do so and get away with it on a compartmentalized burner laptop with a VPN. Most banks write off relatively "small amounts" and simply eat the loss for the customer.
Young kids who have an aptitude for it pull off immature, amateur hacks like this all the time. Based purely on anecdote I'd say there is likely at least one adolescent in virtually every high school in America who has committed some sort of serious computer fraud.
Now I work in the security industry and just yesterday, I found a vulnerability in a website allowing you to use another user's payment because of an insecure direct object reference combined with clearly sequential payment IDs in the database. The methods evolve, but the core systems have stayed more or less the same and it would not be difficult to exploit this one and get away with it either.
People think this stuff is hard to get away with because of the sensationalized mystique surrounding it in the media. Unless you're very loud, incompetent or a big enough target, it just doesn't usually happen. I've personally spoken to "blackhat" groups that have cleared a few million dollars in a year, allowing each member a roughly top-1% income after laundering for a few hours of "work" per week. They're still around.
I have a suspicion that the CIA knew the identity of this kid and his associates within a few minutes of this Brennan guy figuring out his email had been hacked.
Well I have a [conspiracy] theory that they knew his identity before the hack - perfect way for the director to leak information without being brought to book, send it to an account that can be easily accessed with social engineering.
Or we can go deeper, the CIA director was preparing to do this so the subject-to-be of the docs he wished to leak had his account hacked to expose the flaw and prevent the leak-to-be.
Now the kid is going to be hunted. Blacklist. You know. Anyway, hacking someone's account is wrong regardless, just because he's the Director of the CIA.
Has there been any confirmation that this account even actually belonged to the CIA director? If yes, has there been any evidence that there was actually anything sensitive on the account? (I seriously doubt the latter)
If there was nothing on the account, how is this different from any of the other tens of thousands of AOL accounts that have been hijacked since the 90s?
>Yes and there is zero evidence of any sensitive material.
A ton of info was posted on his Twitter account that is now suspended. For DHS and FBI to investigate, they must have solid evidence of a breach to do so.