
Teen Who Hacked CIA Director’s Email Tells How He Did It - phesse14
http://www.wired.com/2015/10/hacker-who-broke-into-cia-director-john-brennan-email-tells-how-he-did-it/
======
suprgeek
I think the REAL story here is that the Director of the Frickin CIA has an AOL
e-mail address & AOL e-mail is not the first thing that comes to your mind
when you think Security.

Also he thought it was OK to forward Sensitive Govt. Docs to a non-secured
commercial e-mail address.

The amount of almost unrestrained power that these people have vs the very
low quality of their InfoSec is truly appalling.

~~~
r0naa
I don't think anyone should be surprised that an intelligence agency - that
has repeatedly violated its own country's laws, and actively contributed to the
weakening of civil rights - is guilty of this sort of negligence. That is
exactly what happens when an institution is allowed to grow unchecked, with
little or no civilian oversight or consequences for its wrongdoings.

What's scary is that these kinds of clueless, technology-illiterate people
are actively involved in shaping the future landscape of massive data
collection.

I think we are about to witness, in the next decade, multiple "incidents"
where millions, perhaps billions, of private records about innocent citizens
will be leaked because of this kind of negligence.

~~~
gilgad13
I think people do deserve to be surprised. Competence is not the same as
selflessness. Many people routinely question whether the FBI is operating for
the good of the country, but most people at least believe that they are good
at their job.

~~~
sbochins
If interested in the CIA, you should read "Legacy of Ashes". That book
documents how the CIA's biggest flaw through the years has been incompetence.

~~~
bootload
cf: Competence _"What The Khost Bombing Says About The CIA"_ (Robert Baer) ~
[http://www.npr.org/templates/story/story.php?storyId=1247377...](http://www.npr.org/templates/story/story.php?storyId=124737760)
and _"A Dagger to the CIA"_ ~ [http://www.gq.com/story/dagger-to-the-cia](http://www.gq.com/story/dagger-to-the-cia)

------
cdubzzz
> After providing the Verizon employee with a fabricated employee Vcode—a
> unique code that he says Verizon assigns employees—they got the information
> they were seeking. This included Brennan’s account number, his four-digit
> PIN, the backup mobile number on the account, Brennan’s AOL email address
> and the last four digits on his bank card.

There are obviously a _lot_ of wtf moments reading this article, but this one
just strikes me as the most egregious - why in the world would a Verizon
employee of any kind be able to obtain this information from anyone other than
the account holder? The account number, ok maybe, but absolutely none of those
other items should be communicated between employees. Absurd.

~~~
kileywm
That information is internally available within Verizon, to its employees, to
(presumably) verify ownership of an account when speaking to a customer. None
of that is surprising - that information is commonly used as security
challenge questions in phone support situations.

Whether it should be, well that is another matter.

~~~
pbhjpbhj
> None of that is surprising - that information is commonly used as security
> challenge questions in phone support situations. //

The PIN at least seems like it should have been hashed; then an employee enters
the stated PIN into a form to see if it's correct, and the hashes are compared
on the backend.

The other info though is needed for initiating contact and to allow customers
to perform transactions (verifying card details for example).

~~~
cortesoft
Hashing wouldn't help much for a PIN (which is usually just 4 digits). You
could get a rainbow table for that in like 5 seconds. Even salting wouldn't
help, given how tiny the keyspace is.
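
The point cortesoft makes above, and pbhjpbhj's "compare hashes on the backend" idea before it, in a small added example (not Verizon's scheme or anything from the article; the PIN, salt, pepper and function names are constructed for illustration). The backend compare does keep the PIN off the agent's screen, but with only 10,000 possible PINs the salted digest alone can be turned back into the PIN in a fraction of a second by anyone who can read the database row. The keyed variant (an HMAC under a secret "pepper" stored outside the database) is one mitigation: the row is useless without the key, so the problem becomes key custody rather than keyspace.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Added example, hypothetical scheme: models a 4-digit account PIN stored as a
# salted hash versus a keyed tag, and shows why the salt alone buys nothing.
PIN_DIGITS = 4


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted SHA-256 digest of a PIN; what a naive 'just hash it' design stores."""
    return hashlib.sha256(salt + pin.encode("ascii")).digest()


def verify_pin(stated_pin: str, salt: bytes, stored: bytes) -> bool:
    """Backend check for the support form: the agent submits what the caller said
    and sees only yes/no. Constant-time compare avoids a timing side channel."""
    return hmac.compare_digest(hash_pin(stated_pin, salt), stored)


def recover_pin_from_hash(salt: bytes, stored: bytes) -> Optional[str]:
    """Why salting does not help here: the salt blocks a precomputed table, but
    re-hashing every candidate is only 10**PIN_DIGITS digests, so the digest is
    effectively the PIN for anyone holding the database row."""
    for n in range(10 ** PIN_DIGITS):
        candidate = f"{n:0{PIN_DIGITS}d}"
        if hmac.compare_digest(hash_pin(candidate, salt), stored):
            return candidate
    return None


def tag_pin(pin: str, salt: bytes, pepper: bytes) -> bytes:
    """Keyed alternative: HMAC under a secret pepper kept outside the database
    (application secret store, KMS or HSM). The row alone is then useless."""
    return hmac.new(pepper, salt + pin.encode("ascii"), hashlib.sha256).digest()


def verify_tagged_pin(stated_pin: str, salt: bytes, pepper: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(tag_pin(stated_pin, salt, pepper), stored)


def recover_pin_from_tag(salt: bytes, stored: bytes, pepper_guess: bytes) -> Optional[str]:
    """Same exhaustive search against the keyed tag: it succeeds only when the
    searcher also holds the pepper, which is exactly what the design denies."""
    for n in range(10 ** PIN_DIGITS):
        candidate = f"{n:0{PIN_DIGITS}d}"
        if hmac.compare_digest(tag_pin(candidate, salt, pepper_guess), stored):
            return candidate
    return None


def demo() -> dict:
    pin = "4471"                      # constructed sample PIN
    salt = os.urandom(16)
    pepper = secrets.token_bytes(32)  # would live in a secrets store, not the DB
    stored_hash = hash_pin(pin, salt)
    stored_tag = tag_pin(pin, salt, pepper)
    return {
        "backend_check_ok": verify_pin(pin, salt, stored_hash),
        "backend_check_wrong_pin": verify_pin("0000", salt, stored_hash),
        "salted_hash_recovered": recover_pin_from_hash(salt, stored_hash),
        "tag_recovered_without_pepper": recover_pin_from_tag(salt, stored_tag, b"wrong key"),
        "tag_recovered_with_pepper": recover_pin_from_tag(salt, stored_tag, pepper),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Two caveats that the code makes visible: the keyed tag protects only the stored row, so online guessing through the support form still has a 10,000-entry keyspace and needs lockout or rate limiting; and none of this addresses azinman2's point below that an agent who can view the raw account fields does not need to break anything.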

~~~
azinman2
The suggestion wasn't about Verizon's database being hacked, but rather
that other employees can see this data at all.

------
mkobit
> The hackers described how they were able to access sensitive government
> documents stored as attachments in Brennan’s personal account because the
> spy chief had forwarded them from his work email.

How is this acceptable? Shouldn't he be held accountable for this kind of
stuff?

~~~
rhino369
None of it was classified.

~~~
Phlarp
Doesn't matter -- he's talking about torture and Iranian "realpolitik" on an
@AOL email address. In an election cycle. With one headline candidate already
getting grilled over improper use of private email.

------
fein
Social engineering is, and will always be, the fastest way to compromise a
system.

Computers are pretty good at security; humans, especially underpaid and
overworked helpdesk jockeys, are not.

~~~
apozem
I read the autobiography of hacker Kevin Mitnick and the thing that struck me
the most was how his "hacking" consisted of manipulating people. I can recall
one case in the book where he compromised a system on a purely technical
level. Almost every other hack was based on convincing people to tell him
things they should not.

Why break into a system when you can ask someone to unlock it for you?

~~~
sliverstorm
It definitely was a little disillusioning when I learned that many famous
hackers were not technical wizards (like bunnie) but in fact basically con
artists.

~~~
flashman
Take a broader view of hacking. A system is not just its code, it's the people
that run it, too. If you want to break into a system, they are frequently the
best point of entry.

~~~
mikeyouse
To paraphrase from the first season of Mr. Robot as they're looking over
surveillance pictures of a secure data center compound with high walls,
biometrics, security cameras, and 4 armed security guards;

"How do you break into a place with no weak points?"

"I see four weak points right there."

~~~
ukyrgf
"I see about six walking around."

------
ChrisArchitect
Norman? This is Mr. Eddie Vedder, from Accounting.... My BLT Drive on my
computer just went AWOL ....
[http://cyberdelianyc.tumblr.com/post/131628279720/hackers-ci...](http://cyberdelianyc.tumblr.com/post/131628279720/hackers-cia-email-hacked-dade-hacks-tv-station)

------
WillPostForFood
Wikileaks has now published the emails:

[https://wikileaks.org/cia-emails/](https://wikileaks.org/cia-emails/)

~~~
joering2
+1. I just clicked to read the front page, but living in the USA, I'm honestly
concerned about the consequences of clicking any HTML/PDF links.

What this country grew to become :(

~~~
tinalumfoil
I think your fear says more about you than the country. I open these links
without a second thought.

EDIT: The leaks are pretty disappointing, unless you care about how many times
the director ate with Alan Lovell. The real story is the fact that there were
leaks at all, not the leaks themselves.

~~~
Pyxl101
> The Conundrum of Iran.

> Iran will be a major player on the world stage in the decades ahead, and its
> actions and behavior will have a major and enduring impact on near- and
> long-term US interests on a variety of regional and global issues. With a
> population of over 70 million, XX percent of the world's proven oil
> reserves, a geostrategic location of tremendous (enviable?) significance,
> and a demonstrated potential to develop a nuclear-weapons program, the
> United States has no choice but to find a way to coexist - and to come to
> terms with - whatever government holds power in Tehran. [...]

> An unfortunate hallmark of US-Iranian relations since 2001 has been [the]
> growing divide between Washington and Tehran, chronicled by bombastic
> rhetorical broadsides that have been hurled publicly by each side against
> the other. The tragedy of the al-Qa'ida launched terrorist attacks against
> the US homeland in September 2001 prompted the US administration to engage
> in a far-reaching campaign to eradicate the sources of terrorism, and Iran,
> understandably - but regrettably - was swept up in the emotionally charged
> rhetoric that emanated from Washington under the seemingly all-encompassing
> rubric of "The Global War On Terrorism". The gratuitous labeling of Iran as
> part of a worldwide "axis of evil" by President Bush combined with strong US
> criticisms of Iran's nascent nuclear program and its meddling in Iraq led
> Tehran to view that Washington had embarked on a course of confrontation in
> the region that would soon set a kinetic focus on Iran. Even Iran's positive
> engagement in helping repair the post-Taliban political environment in
> Afghanistan was met with indifference by Washington. [...]

[https://wikileaks.org/cia-emails/The-Conundrum-of-Iran/page-...](https://wikileaks.org/cia-emails/The-Conundrum-of-Iran/page-2.html)

While this leak may not be particularly confidential nor surprising to
informed readers, I'd say reading this kind of insight into what US leaders
really think is pretty damn interesting.

------
ryandvm
The worst news here is that the director of the most powerful information
gathering agency on the planet uses AOL.

~~~
drzaiusapelord
Is it worse than any other free email provider? None of them have two-factor
login by default and they all have sketchy password reset policies/mechanisms.
Brennan is 60 years old. He's probably been using AOL since the '90s. He felt
no need for change. A lot of our top leadership are boomers and will have
boomer habits.

If you read that article you'll see this is more of a social engineering hack
on Verizon than AOL. Verizon gave up all sorts of information about him, which
made answering AOL's password reset questions easy for them. It's scary how
much you can do to a person if you know the last four digits of their credit
card.

This is yet another example where things like S/MIME would have helped, but
apparently we're all content with completely unencrypted emails. I suspect
guys like Brennan prefer email unencrypted anyway, except when things like
this happen to him personally.

~~~
CaptSpify
> Is it worse than any other free email provider?

Not really, but they are definitely on the bottom of the trusted list. That
being said, the WTFs in this story would be the same if it was yahoo, gmail,
etc. The problem is that the emails were forwarded out from his work network.

~~~
drzaiusapelord
Who is trusted? Federal law applies equally to all American companies. Google
can't say no to a warrant the same way AOL can't.

------
sageabilly
AOL doesn't support 2-factor authentication for email sign-in. If they did,
then this entire debacle would [edit- replace "would" with "could"] have been
stopped before it even started.

I'm also surprised that the government doesn't have more stringent guidelines
about the private email use of its top officials.

~~~
chishaku
Just because a service offers 2-factor authentication doesn't mean people will
use it.

~~~
castis
Is there a term for this kind of response?

It's kind of obvious that not everyone will use it. However, not offering it
when it's somewhat trivial to do so seems like a no-brainer.

~~~
chishaku
I agree that AOL and most other services should offer 2fa. However, I disagree
with the parent that the situation would not have occurred if AOL did offer
2fa because the subject in question would still be unlikely to use it.

------
freditup
How do you design a system that's hardened against social engineering but not
hardened against innocent mistakes, like losing your password? It seems like
the easiest way to access public systems like this is through social
engineering techniques around password recovery or phishing.

Of course there are well-known answers that are used to mitigate these
problems somewhat, TFA solutions, login images, etc. But I still feel as if
social engineering attacks hit a really vulnerable weak spot in many systems.

(On a mostly unrelated note, can we get rid of security questions forever?
I've taken to just giving nonsense answers for them and storing my answers
somewhere secure. I sure don't want my passwords being reset because somebody
knows my mom's maiden name...)

~~~
jacquesm
> I sure don't want my passwords being reset because somebody knows my mom's
> maiden name...

Not only that, any site that used that question, and all those that got hacked,
know your mom's maiden name if that question was ever answered seriously.
That's the main reason such 'secret questions' suck: there apparently is a
fairly small set of commonly used questions like that (first school, first
pet, favorite pet, mom's maiden name, street where you were born and so on).

~~~
eropple
Yup. I end up just storing the questions in my password vault along with the
generated answers I used for them. _Not exactly helpful._

------
logn
Much is being made of him using AOL for work emails. Seems like a fairly minor
issue. The worst part was the spreadsheet with ~20 people's info on it.
Otherwise, he forwarded emails to himself that he wanted to permanently have
possession of, like his own clearance application and a letter from the Senate
on torture. I'm more interested in this letter -- sent in 2009. Who knew what
and when?

(Edit) the letter --
[https://twitter.com/phphax/status/653665742987100163](https://twitter.com/phphax/status/653665742987100163)

------
davotoula
What do you want?

> We said ‘2 trillion dollars hahhaa’

Ok, I can work with that

> They told Brennan “We just want Palestine to be free and for you to stop
> killing innocent people.”

Sorry, can't do that

~~~
fotbr
Or as Sneakers (1992) did it:

Whistler: I want peace on earth and goodwill toward man.

Bernard Abbott: Oh, this is ridiculous.

Martin Bishop: He's serious.

Whistler: I want peace on earth and goodwill toward men.

Bernard Abbott: We are the United States Government! We don't do that sort of
thing.

------
dankohn1
I really hope these kids have not destroyed the rest of their lives just to
make a (very good) Dr. Evil joke [1]:

'So they called Brennan’s mobile number, using VoIP, and told him he’d been
hacked. The conversation was brief.

“[I]t was like ‘Hey,…. its CWA.’ He was like ‘What do you want?’ We said ‘2
trillion dollars hahhaa, just joking,’” the hacker recounted to WIRED.'

[1]
[https://www.youtube.com/watch?v=l91ISfcuzDw](https://www.youtube.com/watch?v=l91ISfcuzDw)

~~~
scintill76
> Brennan, the hacker says, replied, “How much do you really want?”

Could be an embellishment, but it sounds like he really was willing to pay
something. Perhaps more for his personal privacy than out of fear of national
secrets leaking, though.

~~~
vinceguidry
Doubt it. Sounds to me like he was fishing for information so he could find
out who they were. If they'd said, "Sure, we want $X million!" then they'd
have to hash out a delivery method, all of a sudden they're on USGov's turf.

~~~
scintill76
True. They could have tried bitcoin. Receiving is the easy part -- spending it
and remaining free might have been a problem, though...

------
brianclements
There was a story within the past year or two I remember that was in a similar
vein: where the hackers were able to obtain some address info from Apple
support, which led to CC info from Amazon tech support, which led to
interception of the users phone number and then bypassing of 2FA, which led to
primary email takeover. I felt then, as I do now, that there should be a
standardized process for identifying user information across all companies
that doesn't allow for this patchwork gathering of info and incorporates a
type of 2FA.

I remembered this thought again recently when dealing with major banks over
the phone. All I needed to identify who I am was confirmation of my home
address, and last 4 digits of my social. That is hardly secure! A single data
breach for SSN, cross referencing an email to social media or DNS if you don't
use private registration and boom, you can pretend to be me as far as some
banks are concerned.

The SSN is the most abused number in the ID world. It's a de-facto federal ID
number and it's simply not meant for the task. Everyone gets all uppity about
having some type of federal ID number whenever I mention it, but I feel like
some type of public key cryptographic federal ID number plus cross-signing,
changeable password, AND a 2+FA should be used to truly identify who you are.

------
peterwwillis
People seem to forget that hacking personal accounts is not difficult, even
for novice hackers. The reason most people don't get hacked is either 1. they
weren't a funny/interesting target, or 2. nobody wanted to get caught.

Also, the CWA's twitter account was suspended, but thanks be to The Internet
Archive we have a mirror:

[https://web.archive.org/web/20151019192351/https:/twitter.co...](https://web.archive.org/web/20151019192351/https:/twitter.com/_CWA_/)

The Twitter pictures aren't archived, but they also haven't been taken down
from Twitter's site.

------
dogma1138
Shouldn't there be like a department in the CIA that scraps all of that stuff
for agency employees?

I know that some other agencies, and even private corporations, do that.

------
barefoot
It's crazy to me that as a society we celebrate the digital equivalent of
smashing a window in with a brick and climbing in through the jagged glass.

This wasn't a skillful attack. It was a messy, shitty social engineering
exploit that very many people could have done.

------
hackuser
How did the attackers know that Brennan had an AOL address?

Let's not take the attackers at face value. They could have had help or be
employed by anyone, including those either interested in Brennan's AOL email
or in embarrassing him.

~~~
Titanous
The article says they got the AOL address from Verizon via pretexting.

------
gopowerranger
Two things.

1) This kid just got at least one person fired from his job (though he may
deserve it).

2) This kid WILL be caught and regret it the rest of his life.

~~~
dsacco
The vast majority of hackers are never caught. If the individual makes a habit
of doing this without proper opsec, maybe.

It's a lot easier to get away with hacking than most people make it out to be.
When I was 14 years old I hacked one of the largest banks in the UK on a laugh
with friends in high school using SQL injection. I didn't steal anything, but
I did get access to very sensitive information about many members' accounts.
It wouldn't have been difficult to do so and get away with it on a
compartmentalized burner laptop with a VPN. Most banks write off relatively
"small amounts" and simply eat the loss for the customer.

Young kids who have an aptitude for it pull off immature, amateur hacks like
this all the time. Based purely on anecdote I'd say there is likely at least
one adolescent in virtually every high school in America who has committed
some sort of serious computer fraud.

Now I work in the security industry and just yesterday, I found a
vulnerability in a website allowing you to use another user's payment because
of an insecure direct object reference combined with clearly sequential
payment IDs in the database. The methods evolve, but the core systems have
stayed more or less the same and it would not be difficult to exploit this one
and get away with it either.

People think this stuff is hard to get away with because of the
sensationalized mystique surrounding it in the media. Unless you're very loud,
incompetent or a big enough target, it just doesn't usually happen. I've
personally spoken to "blackhat" groups that have cleared a few million dollars
in a year, allowing each member a roughly top-1% income after laundering for a
few hours of "work" per week. They're still around.
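
The bug dsacco describes (an insecure direct object reference on top of sequential payment IDs) is a pure authorization failure, so here is an added example of the vulnerable lookup beside its fix. This is a hypothetical in-memory store written for this thread, not code from the site in question or from any real project; the `Payment` type, store and function names are all constructed. The lesson is that the ownership check is the fix; random IDs only stop enumeration and are defence in depth.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Payment:
    payment_id: str
    owner: str
    amount_cents: int


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


# Constructed audit trail: every denied cross-user access is recorded so that a
# burst of denials from one account (the classic IDOR probing pattern) can be
# alerted on. A real service would write this to its logging pipeline.
AUDIT_LOG: List[Tuple[str, str]] = []


class PaymentStore:
    def __init__(self) -> None:
        self._rows: Dict[str, Payment] = {}
        self._seq = 0

    def create_sequential(self, owner: str, amount_cents: int) -> Payment:
        """Weak pattern: IDs increment, so other customers' IDs are predictable."""
        self._seq += 1
        return self._insert(str(self._seq), owner, amount_cents)

    def create_opaque(self, owner: str, amount_cents: int) -> Payment:
        """128-bit random ID: removes guessability, but does NOT replace the
        ownership check, since an ID can still leak via a link, log or referrer."""
        return self._insert(secrets.token_urlsafe(16), owner, amount_cents)

    def _insert(self, payment_id: str, owner: str, amount_cents: int) -> Payment:
        row = Payment(payment_id, owner, amount_cents)
        self._rows[payment_id] = row
        return row

    def lookup(self, payment_id: str) -> Payment:
        try:
            return self._rows[payment_id]
        except KeyError:
            raise NotFound(payment_id) from None


def get_payment_vulnerable(store: PaymentStore, current_user: str, payment_id: str) -> Payment:
    """The IDOR: authentication is enforced (a user is logged in) but the fetched
    object is never compared against that user, so any ID works for anyone."""
    if not current_user:
        raise Forbidden("login required")
    return store.lookup(payment_id)


def get_payment_hardened(store: PaymentStore, current_user: str, payment_id: str) -> Payment:
    """The fix: load the object, then enforce ownership. A mismatch is reported
    as 'not found', the same as a missing ID, so the endpoint does not confirm
    that someone else's payment exists; the denial goes to the audit log."""
    if not current_user:
        raise Forbidden("login required")
    row = store.lookup(payment_id)
    if row.owner != current_user:
        AUDIT_LOG.append((current_user, payment_id))
        raise NotFound(payment_id)
    return row


def denials_for(user: str) -> int:
    """Detection hook: how many cross-user denials a given account has triggered."""
    return sum(1 for who, _ in AUDIT_LOG if who == user)


if __name__ == "__main__":
    store = PaymentStore()
    alice = store.create_sequential("alice", 1999)   # constructed sample rows
    store.create_sequential("bob", 500)
    print("vulnerable:", get_payment_vulnerable(store, "bob", alice.payment_id))
    try:
        get_payment_hardened(store, "bob", alice.payment_id)
    except NotFound:
        print("hardened: bob denied, denials so far =", denials_for("bob"))
```

The same check belongs on every operation that takes an object ID (charge, refund, reuse of a saved payment), not only on reads; a sequential ID scheme plus a missing check on the "use this payment" path is exactly the combination described above.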

~~~
rcurry
I have a suspicion that the CIA knew the identity of this kid and his
associates within a few minutes of this Brennan guy figuring out his email had
been hacked.

~~~
pbhjpbhj
Well I have a [conspiracy] theory that they knew his identity before the hack
- perfect way for the director to leak information without being brought to
book, send it to an account that can be easily accessed with social
engineering.

Or we can go deeper, the CIA director was preparing to do this so the subject-
to-be of the docs he wished to leak had his account hacked to expose the flaw
and prevent the leak-to-be.

~~~
meowface
Well, you're right. That certainly is a conspiracy theory.

~~~
pbhjpbhj
It's a fun pastime coming up with them IMO, clearly not appreciated here
however.

------
yeukhon
Now the kid is going to be hunted. Blacklist. You know. Anyway, hacking
someone's account is wrong regardless, not just because he's the Director of
the CIA.

------
jotux
>Teen Who Hacked...

>The hacker, who says he’s under 20 years old

20 years old is a teen? What a terrible headline.

~~~
jtokoph
It says under 20, which is 19 or less.

~~~
BillTheCat
They could be 12 or under. Who knows?

------
ryanlol
Why is this even a story?

Has there been any confirmation that this account even actually belonged to
the CIA director? If yes, has there been any evidence that there was actually
anything sensitive on the account? (I seriously doubt the latter)

If there was nothing on the account how is this different from any of the
other tens of thousands of aols that have been hijacked since the 90s?

~~~
starshadowx2
"Has there been any evidence that there was actually anything sensitive on the
account?"

Wikileaks is publishing all of the supposed files, so they do exist and have
been leaked.

[http://www.theverge.com/2015/10/21/9583464/wikileaks-cia-ema...](http://www.theverge.com/2015/10/21/9583464/wikileaks-cia-email-hack-published-download)

~~~
ryanlol
The sensitivity of any of that is really questionable.

