
British 15-year-old gained access to intelligence, pretending to be head of CIA - rbanffy
http://www.telegraph.co.uk/news/2018/01/19/british-15-year-old-gained-access-intelligence-operations-afghanistan
======
INTPenis
It's also pretty crazy to me how easily he received access to these top secret
databases when he was pretending to be essentially the CEO.

I would never let my manager into my Linux systems, just to make an analogy. I
give my manager a report on what's going on but I'd never let them in. Because
they're not competent enough to handle them.

Yet these top directors are able to get access to essentially any database or
system just because of their title.

~~~
walshemj
That struck me as odd: do US phone companies not secure their sensitive
customers' information? When I worked at BT they took this very seriously, and,
say, looking up the Queen's unlisted telephone number would get you into serious
trouble.

For some systems, team leaders who needed wide access to data had to pass
security clearance at the TS / DV level, I was told.

~~~
netsharc
Hah, the queen has an unlisted phone? Well I guess she has a private
landline...

Reading your comment makes me imagine HM The Queen in the royal carriage,
being bored at the slow pace, staring at her smartphone, scrolling through
Instagram.

~~~
walshemj
Yep, there was a big scandal in Scotland when a somewhat sketchy journalist
got a job in a call centre and did that.

The irony was the press office was on the floor above and didn't notice.

~~~
carterehsmith
Lol, how did that go? I am thinking... something along these lines:

Telemarketer: When you sign up with ShitWare, our Platinum partner, you get a
free BigMac (tm) with a crumpet and a small drink! This exciting promotion is
only available to our subscribers! Limited time offer. Quantities are limited.
Only in participating restaurants. Some conditions apply. Taxes (incl. VAT)
not included.

Queen: Goodness gracious, did you just say free BigMac (tm) and crumpets? That
is, like, fucking amazing! OK I clicked on that link, it says "Your Windows is
infected! Click here to clean!" Is that OK? Btw where is my food.

Telemarketer: It is, indeed, perfectly OK! Just click on where it says "I
Agree". BTW it is one crumpet (not "crumpets") or a hashbrown, subject to
availability. This exciting, time-limited offer is ---

Queen: Yeah whatever dude, just send the food in.

Queen: This is good. Most good.

------
interfixus
Someone clearly needs to be punished. Several someones. I'd let this intrepid
and talented 15 year old go, and let the US (and whoever else concerned)
prosecute the living crap out of all those in public positions of trust and
clearly not up to it.

Suggest starting from the top. A head of CIA with classified material stored
on his computer in such a way that access is dependent on some external
internet provider? Under the always resourceful American penal system, that
sounds to me like any number of centuries on the inside looking out.

~~~
Larrikin
Why should the person committing the crimes be let go? Because you identify
with them? Because they are seemingly intelligent in how they committed their
crimes? I don't understand wanting to punish "dumb" criminals when the "smart"
ones are far more dangerous.

~~~
jimnotgym
> Why should the person committing the crimes be let go?

Because a child calling a helpdesk and pretending to be someone else is a
prank. Slap on the wrist, followed by a job offer. It seems on a similar level
to ringing a bar and asking for 'Amanda Hugginkiss' or 'Mike Hunt'. At least
this kid found the problem before the Russians did.

~~~
Larrikin
Crimes are not pranks

~~~
ballenf
Most pranks can be prosecuted as crimes. Broad disturbing the peace and
harassment statutes apply to most.

Here are 3 that come to mind:

- toilet-papering a house/tree

- ding-dong-ditch (harassment, possibly even rising to a hate crime in the
right circumstances)

- flaming shit on doorstep (obviously)

Whether something is a crime or not is a pretty bad test for whether a child
should be held accountable as an adult for the act.

------
always_good
Just a reminder of how fucked we all are any time a social engineering
attacker wants to target us.

I once thought I was safer since I don't even have an American address anymore
and have been living abroad for years.

Nah, Amazon customer support answered an attacker's "so where was my last item
shipped to" question after they authenticated by giving the support rep an
address I used as a shipping address for one item almost 10 years ago.

The poor kid in TFA was doing some free social engineering pen testing.

~~~
atonse
He would’ve been a “poor kid” had he not swatted people and harassed their
families saying he’d bang their daughter.

What a waste of talent.

~~~
tekism
What?

~~~
yorby
maybe he meant "he would NOT have been" instead of "He would’ve been a poor
kid had he not swatted people"

------
watmough
> He used similar methods to access Mr Brennan’s AOL account and eventually
> Gamble was able to access his emails, contacts, his iCloud storage account
> and his wife’s iPad remotely.

Too crazy.

~~~
tgragnato
Is there something similar to Google's Advanced Protection for iCloud?

~~~
boulos
After the iCloud celebrity "hacking" scandals they added phone-based 2FA and
now have "your iOS device can be trusted":

[https://support.apple.com/en-us/HT204915](https://support.apple.com/en-us/HT204915)

though I don't know if the security question reset path is closed.

There was a small flare-up earlier this year about people hijacking cell phone
numbers, which then of course lets you take over all sorts of accounts since
you can defeat the (relatively) poor security of SMS-based OTP.

------
hinkley
Was it always this easy or have we gotten soft since the Cold War ended?

Why weasel into an organization and steal piddly shit when you can just
pretend to be the director and ask anybody for anything?

------
loteck
One takeaway here is that the professionalization, training, oversight and
salaries of IT support staff all need to follow the same ascending curve as
the sensitivity of the staff and systems they are supporting.

------
itronitron
He could have continued this for years if he hadn't been blatantly harassing
people.

~~~
__s
He seems to have some anti-US sentiments, but went with trolling random
members of the machine rather than quietly collecting information & passing it
off to WikiLeaks.

~~~
digi_owl
I think of that approach as the Anon legacy.

That group (if one can even call it that) taught a generation to go for
trolling/harassment rather than subversion.

~~~
SoberKay
False dichotomy. One can do both and each can act as the other. Trolling is a
tool.

------
boulos
Sigh. These organizations clearly need mandated 2FA, and no "security
questions". I like that some people use a password manager to fill in the
security questions with random strings, but sensitive systems just shouldn't
allow such easy attacks.

------
touristtam
Anyone surprised should read up on Mitnick's career and especially his book: The
Art of Deception.

------
markdog12
This is incredible (in a bad way). How is it not on the front page of every
news site?

~~~
pacifika
Attention diversion

