Teen Says He Hacked CIA Director’s AOL Account

HardOCP News

Some kid hacking into the AOL account of the director of the CIA isn't the real news here. The fact that the head of the biggest spy agency on the planet uses AOL probably is though. :eek:

CIA Director John Brennan’s private account held sensitive files — including his 47-page application for top-secret security clearance — until he recently learned that it had been infiltrated, the hacker told The Post. “I can’t believe he did this to the head of the CIA,” the source added. “[The] problem with these older-generation guys is that they don’t know anything about cybersecurity, and as you can see, it can be problematic.”
 
The second part is exactly right.

It's nobody's fault. Until the millennials who grew up with computers grow old and naturally hold all the governmental posts, situations like this will continue.
 
I guess it's good that this kid woke up the old geezer in charge of the CIA to his absent mindedness in terms of leaving sensitive docs on his email server.

<rant>
I also think the kid is kind of a douche. From the article text, it sounds like he thinks he's hot stuff just because he convinced a customer support guy to reset the password on an account. It all sounds a little "War Games" to me.

But hey, what can you expect from a high school student. Is it every kid computer science geek's dream to be the next Snowden?
</rant>
 
This kid is a dumbass. I'm sure he brags in the lunch line to his 5 semi-friends, but he'll get what's coming to him.

Millennials have been raised in a digital reality, and thus, many are completely out of touch and ill-prepared for the real world. I'm looking forward to the example they make of him. One late night visit from Peter Quinn and he'll STFU like he should.

With that being said, who is the even bigger dumbass that didn't help these Gov't VIP's secure all of their shit? This seems like security 101. I don't expect the suits in the big chair to know WTF to do, but I expect someone somewhere to be like, "Hey boss, you shouldn't use 12345 as your personal luggage code, just sayin." Sadly, it would appear the gov't, like many organizations, doesn't have a clear dialogue with their IT Dept to make sure they are on top of all their shit. So many companies, big and small, don't want to spend the time nor $$$ that IT peeps tell them that they should. Someone's head needs to roll for this internally, and this can't ever happen again.

If I didn't read this story with my own eyes, I'd think it was a joke.
 
He social engineered Verizon into giving him Brennan's phone number and last 4 of his card. He then used that detail to call AOL and have the e-mail password reset; multiple times.
 
Sadly, it would appear the gov't, like many organizations, doesn't have a clear dialogue with their IT Dept to make sure they are on top of all their shit. So many companies, big and small, don't want to spend the time nor $$$ that IT peeps tell them that they should.

Nah, usually the higher ups don't want to deal with the security hassles that they approve and have paid for. Instead, they set up waivers for themselves, 'cause they feel they know better and will take the risk. Then we have these kinds of incidents happen.
 
Is the web even usable at 56kbps speeds anymore? I mean with as much flash content and shit going around, it would seem all but some newsgroup type feeds would be so slow there would be no point in using it.
 
Wouldn't have been a big deal if the director of the CIA wasn't storing sensitive info on a private account. He should be fired simply for being incredibly stupid.
 
He social engineered Verizon

This, so much this, I hate when the term "hacked" is used, as if some high level computer knowledge is used, rather it is all about being convincing to some phone jockey on the other end of the line, very easy to do. I called one of my CC a while back, they said I had made a password for the account, though I never remember making one, other than the one for the online login, which was not it, the person allowed me to just guess and even gave hints and if I was close etc etc till I got it, which ended up being a randomly selected password recovery question I had answered online. I ended up telling them after to NOT allow this to be done to my account in the future and to add a note to my account about this. I go through the trouble to have very strong passwords etc etc only to have someone on the phone more or less give away access to my account.
 
damn, AOL still has 2million+ dial-up users

Don't laugh, some people don't have much of a choice.

A few years ago, we visited some old family friends that live way out in the country.
There was no cell service for the last several miles before we got to their home/farm.

They only have dialup access to the internet, and even that is a toll call.
There is no cell coverage, and no cable or other broadband access available.
Only TV reception is with a satellite dish.

They only use the internet for email or the occasional on-line shopping.
They're old, and dial-up is the only access they have ever had, so they manage.
 
If it's the Director's personal stuff, whatever. Should have two-factor authentication enabled, but if the kid got to Verizon he might have been able to social engineer that too (although I doubt it).

However, if there's any official government business on there, burn him. Have fun in jail buddy.
 
Wouldn't have been a big deal if the director of the CIA wasn't storing sensitive info on a private account. He should be fired simply for being incredibly stupid.

This. Kid may have done something wrong, but wouldn't be nearly as news worthy if there wasn't sensitive info being stored in the wrong place.
 
This kid is a dumbass. I'm sure he brags in the lunch line to his 5 semi-friends, but he'll get what's coming to him.

Millennials have been raised in a digital reality, and thus, many are completely out of touch and ill-prepared for the real world. I'm looking forward to the example they make of him. One late night visit from Peter Quinn and he'll STFU like he should.

With that being said, who is the even bigger dumbass that didn't help these Gov't VIP's secure all of their shit? This seems like security 101. I don't expect the suits in the big chair to know WTF to do, but I expect someone somewhere to be like, "Hey boss, you shouldn't use 12345 as your personal luggage code, just sayin." Sadly, it would appear the gov't, like many organizations, doesn't have a clear dialogue with their IT Dept to make sure they are on top of all their shit. So many companies, big and small, don't want to spend the time nor $$$ that IT peeps tell them that they should. Someone's head needs to roll for this internally, and this can't ever happen again.

If I didn't read this story with my own eyes, I'd think it was a joke.

Let me put it into an entirely different context for you. AOL has been around for a very long time now. I would say it's probably a good bet that this guy has had this AOL account for a very long time as well. We all know what it's like when you get used to something sometimes you don't want to switch or change because you'll have to change everything and you are afraid you'll lose things. 15 or more years ago when this guy created his AOL account you can bet he wasn't the Director of the CIA, He was sitting much lower on the totem pole back then.

As for the IT link, you wouldn't believe it. Every single day when I log in I have to answer an IA security question as part of the process, a way to keep all the workers tuned in to security issues, every day. I have to take 3 or 4 different IA Security classes annually, mandatory, must do it. There are No exceptions for these things, if you don't take these classes they suspend your user account and it doesn't matter who you are. Now the CIA isn't part of the DoD, but I wouldn't think they are that far apart on these things. And no one helps anyone with their personal shit unless they ask someone for that help.

You mentioned luggage codes, yes, there are training requirements for all kinds of things, foreign travel-they tell you where is the safest place to stay in a hotel, how to vary your route from where you live to work, how to check out your car before you drive off looking for packages underneath, evidence of tampering, etc. All kinds of things from personal security practices at home to anti-terror training and active shooter response. Yes they get training, do they all take it serious enough, the evidence sits before you.
 
Oh, and these "sensitive documents," most of what they listed is sorta bullshit. The Security Questionnaire isn't classified, but it is sensitive information for the individual, the problem is you fill these out on your own. They give you a short term account to access their website and complete the questionnaire which includes things like everywhere you have lived, all your jobs, people who know you and can vouch for your character, your education, etc. Most people have to do a lot of digging into where they lived, their old addresses and phone numbers. Many guys like me have moved a hell of a lot over the years and digging back ten years or longer is a chore. So once you finish this detailed list of your life, most people keep it so they can reference it the next time they have to go through it again. It is no surprise that he might have used his personal email account to perhaps email the document to his work email address. His sin is storing it there. It's also not unusual for people to have SSNs on each other, in the old days they used to post that stuff out in the open, I mean like outside on bulletin boards you would find your name on a list with everyone's social so you knew which Tom Jones had duty next Friday night. Today people are supposed to be more careful but we have decades of terrible habits and old failures to deal with. The old guys are the ones most likely to still have older documents with such casual use of personally identifiable information with them. And the reference to “harsh interrogation techniques”, there is nothing even sensitive about a term like this, not out of context. It's quoted as if he simply used this term talking with someone in an email. It doesn't say anything at all damning, it's not classified and it wouldn't be a stretch to say the actual email wasn't even really sensitive at all.

Anyway, it's a fuck up, the security questionnaire for sure. But it isn't something that isn't understandable when you know something about how such things come to happen.
 
Don't laugh, some people don't have much of a choice.

A few years ago, we visited some old family friends that live way out in the country.
There was no cell service for the last several miles before we got to their home/farm.

They only have dialup access to the internet, and even that is a toll call.
There is no cell coverage, and no cable or other broadband access available.
Only TV reception is with a satellite dish.

They only use the internet for email or the occasional on-line shopping.
They're old, and dial-up is the only access they have ever had, so they manage.

And there has been satellite internet access available throughout the continental US for something over 10 years. Everyone has a better option than dial-up, but I do understand why an older couple would either be unaware or simply not want to get/pay for it.
I'm not dissing you on this, just saying, anyone can get online access that's far better than dial-up.
 
This. Kid may have done something wrong, but wouldn't be nearly as news worthy if there wasn't sensitive info being stored in the wrong place.

So easy to get people wound up, like using the word "sensitive" and all of a sudden people imagine classified.
 
Looks like there is some updated info on this and it's a lot different from what Steve linked to.

http://www.foxnews.com/politics/2015/10/20/hacker-allegedly-behind-cia-email-hack-praised-allah-wants-to-free-palestine/?intcmp=hplnws

According to this report the "hack" was much more involved. There are no new details revealing anything more about the information taken other than it includes his phone's contacts.

And it includes a "Security Expert's" statement that is frankly, moronic.
"His SF86 contains information on references on bosses, on managers, on friends. If that file gets out, it could actually put these people’s lives in danger. Their identity is not supposed to be known by the general public," Morgan Wright, a cybersecurity expert, told Fox News.

This "expert" is trying to say that the identity of people he knows and lists on his SF86 is somehow supposed to be secret information and these people's lives could be in danger. What horseshit. These names are not going to be the names of Active Intelligence Agents.

Yes the document is a treasure of personal information about a guy who wouldn't be happy about this getting loose, then again, neither would you or I. I bet he is really pissed at Verizon right now.

But this guy Morgan Wright is an idiot. He just doesn't know what he is talking about. An SF86 isn't a classified document, there are no secrets on it, if there were, it would be classified. The SF86 serves as a "road map" for investigators to check out a person's life to see if they should be considered trustworthy. It's very hard to fabricate an entire life and have people in place who can verify who you are. They really will go talk to your high school teachers, former employers, neighbors, and coworkers. But these people's lives aren't in danger because they happen to have known young John Brennan 30 years ago, or worked with him as a fellow analyst in Virginia.
 
Ya like my SF86 hard document I keep in my safe because it is a fucking pain in the ass to come up with some of that information on demand. The SF86 and the information stored on the AOL server was probably old information anyways none of it being classified. It's the NY Post for fucks sake.
 
This "expert" is trying to say that the identity of people he knows and lists on his SF86 is somehow supposed to be secret information and these people's lives could be in danger. What horseshit. These names are not going to be the names of Active Intelligence Agents.

Those co-workers could currently be intelligence agents or CIA security analysts. I don't know Brennan's background - if he was once a field operative, then he probably had other operatives he worked with. Their names and how they are or were affiliated with Brennan would be out there. It is sensitive enough that you don't want it public. Yes, there are people out there with same names, but also plenty of names that are not normal enough for more than a tiny handful of people to have.
 
Why does a CIA director use AOL? You figure there would be some sort of lock on this guy's shit at both Verizon and AOL


I mean it is AOL, people have been social engineering those guys for years and years, I remember people used to sell social engineering services on various forums for people who wanted to try and get a screen name/account...you used to be able to steal people's AOL accounts by registering their expired email address then resetting the screen name's password, of course if the person was still using the account they'd get it back but still, worked for AIM and ICQ accounts also


I still get emails from AOL, people trying to reset passwords for screen names I've got attached to my email
 
Looks like there is some updated info on this and it's a lot different from what Steve linked to.

http://www.foxnews.com/politics/2015/10/20/hacker-allegedly-behind-cia-email-hack-praised-allah-wants-to-free-palestine/?intcmp=hplnws

According to this report the "hack" was much more involved. There are no new details revealing anything more about the information taken other than it includes his phone's contacts.

And it includes a "Security Expert's" statement that is frankly, moronic.


This "expert" is trying to say that the identity of people he knows and lists on his SF86 is somehow supposed to be secret information and these people's lives could be in danger. What horseshit. These names are not going to be the names of Active Intelligence Agents.

Yes the document is a treasure of personal information about a guy who wouldn't be happy about this getting loose, then again, neither would you or I. I bet he is really pissed at Verizon right now.

But this guy Morgan Wright is an idiot. He just doesn't know what he is talking about. An SF86 isn't a classified document, there are no secrets on it, if there were, it would be classified. The SF86 serves as a "road map" for investigators to check out a person's life to see if they should be considered trustworthy. It's very hard to fabricate an entire life and have people in place who can verify who you are. They really will go talk to your high school teachers, former employers, neighbors, and coworkers. But these people's lives aren't in danger because they happen to have known young John Brennan 30 years ago, or worked with him as a fellow analyst in Virginia.

An SF86 isn't classified, that's true; however, something mapping out all the associates and relatives of a country's chief spymaster would probably be valuable information. Your average run of the mill dink-dork with a Secret clearance isn't going to have access to as much data as the Director of the CIA. Besides, if he was this sloppy with his personal records, how sloppy was he with official documents? Pattern of behavior.
 
Those co-workers could currently be intelligence agents or CIA security analysts. I don't know Brennan's background - if he was once a field operative, then he probably had other operatives he worked with. Their names and how they are or were affiliated with Brennan would be out there. It is sensitive enough that you don't want it public. Yes, there are people out there with same names, but also plenty of names that are not normal enough for more than a tiny handful of people to have.

OK, you are not listening. No Chief of Station is going to list an Agent, who is living as an unrelated name with a cover in another country, as a coworker. Imagine this please, you're the CIA Station Chief, it's time for you to do an updated SF86, and when you get to the point where you list coworkers, you're going to write down the name of a coworker, who is living in the country where you are running operations hiding out as a Danish Photographer working with the AP. Does this sound at all remotely plausible? Your secret man on the inside you're going to list as a character reference? But hey, let's go on a stretch and say he was an Analyst back in the day when you were an Analyst. Cool, you listed your old friend. Analysts don't become field agents, field agents become field agents because .... they don't have a history of working as an Analyst for the CIA, Ta Da ....

Listen to the other guy here who mentioned his SF86 if you don't like listening to me. But stop thinking that people like some IT Security Analyst knows anything at all about the world of Intelligence Operations when people who have worked intelligence Operations tell you differently.
 
An SF86 isn't classified, that's true; however, something mapping out all the associates and relatives of a country's chief spymaster would probably be valuable information. Your average run of the mill dink-dork with a Secret clearance isn't going to have access to as much data as the Director of the CIA. Besides, if he was this sloppy with his personal records, how sloppy was he with official documents? Pattern of behavior.

Again, people that think they know something about things they know nothing about.

First, I love how you quote what I write but don't read what I write;
Yes the document is a treasure of personal information about a guy who wouldn't be happy about this getting loose, then again, neither would you or I. I bet he is really pissed at Verizon right now.

I'll give you a better feel for things.


But again, as "sensitive" as an SF86 sounds, the information for the most part is just public record shit, all nice and neat in one place. It is not so sensitive that anyone wouldn't think it was OK to send via email from a major service provider to a Security Agent for review. In fact, that's how we are told to do it. Go home, use the account you're given, complete the SF86, and email it to us when you are done, unclassified, unencrypted, blah.

Does this give you any perspective?
 