Slashdot Mirror

← Back to Stories (view on slashdot.org)

Arrests Made After Group Hacks CIA Director's AOL Account (washingtonpost.com)

Posted by EditorDavid on from the you've-got-jail dept.

Slashdot reader FullBandwidth writes: U.S. authorities have arrested two North Carolina men accused of hacking into the private email accounts of high-ranking U.S. intelligence officials. [The men] will be extradited next week to Alexandria, where federal prosecutors for the Eastern District of Virginia have spent months building a case against a group that calls itself Crackas With Attitude... Authorities say the group included three teenage boys being investigated in the United Kingdom.
The group used social engineering to access the email accounts of John Brennan, the director of the CIA, as well as the Director of National Intelligence, and former FBI deputy director Mark Giuliano, according to the article. One exploit involved "posing as a Verizon technician and tricking the company's tech-support unit into revealing the CIA director's account number, password and other details." An FBI affidavit alleges that a British teenager named "Cracka" also began forwarding the calls of a former FBI deputy director "to a number associated with the Free Palestine Movement," while "D3F4ULT" paid for a campaign of harassing phone calls. In addition, "According to the affidavit, Cracka appears to have gotten into the law enforcement database simply by calling an FBI help desk and asking for Giuliano's password to be reset..."

"One member told CNN [In a video interview] that he smoked marijuana 'all day every day' and was 'probably' high when gaining access to high-level accounts."

59 of 107 comments (clear)

  1. False flag operation? by Anonymous Coward · · Score: 1

    To divert attention away from Russia?

  2. Not sure by Anonymous Coward · · Score: 5, Interesting

    What's more concerning... That the director of the CIA had his account hacked, or that he has an AOL account.

    1. Re:Not sure by tepples · · Score: 1

      Last time I checked, AOL Instant Messenger needed a AOL account, at least one on the free tier. Or has everybody switched from AIM to Skype?

    2. Re: Not sure by Anonymous Coward · · Score: 5, Funny

      The news tomorrow should be, 'CIA Director steps down after shameful discovery of using AOL accounts.'

    3. Re:Not sure by uvajed_ekil · · Score: 2

      Upon reading this summary, my immediate thought was, "Which is worst, that some high-ranking intelligence officials got hacked, the fact that it was so easy that kids did it without having to do any real hacking, that these high-ranking intelligence officials use AOL, or that ANYONE still uses AOL?" This makes Hillary's former IT under-achievers look like actual professionals. I think we now need to investigate whether these morons were using AOL for sensitive communications that should only go through secure and approved channels.

      Personally, I'm glad to see that this "Cracka" joker is not the infamous ytcracker, at least. When he was young he learned his lesson about not messing with US government agencies. These fools did less and will likely face worse penalties, but such are the times, I guess.

      --
      This is a hacked account, for which the owner can not be held responsible.
    4. Re:Not sure by uvajed_ekil · · Score: 1

      Last time I checked, AOL Instant Messenger needed a AOL account, at least one on the free tier. Or has everybody switched from AIM to Skype?

      Yes, everyone left AIM years ago, for Skype and others.

      --
      This is a hacked account, for which the owner can not be held responsible.
    5. Re:Not sure by ortholattice · · Score: 1

      Most of my tech friends have gmail accounts, many of them from the days when they were hard to get and almost considered a status symbol. But why is Google's data mining preferable to AOL's or any other? I know that AOL has long been derided as being associated with grandmothers and "free" AOL disks, but their basic email is free now.

      Non-tech family and friends tend to have <cable-company>.com email addresses, more or less locking them into a specific cable provider.

      As for myself, I chose an ISP that I'm pretty sure isn't interested in data mining my correspondence. And I have my own permanent domain name I can move to a different ISP should things change. I pay a small monthly fee, but it is mainly for my web site with an email account included. A small price I don't mind paying for basically total control over these things. I'd do it with my own server, but all cable companies in this area block incoming port 80 and probably others unless you buy an expensive "business" account for far more than I pay for the web site ISP.

    6. Re:Not sure by ShaunC · · Score: 4, Informative

      Last time I checked, AOL Instant Messenger needed a AOL account, at least one on the free tier.

      I still have both, but I haven't paid for AOL in 20 years. There are a lot of AIM users who never had an AOL account. Registration at aim.com was free for a long time (maybe it still is?) and I talk to a lot of people via AIM who were never AOL users. Despite the ridicule, AIM/Oscar via the Pidgin client with the OTR plugin remains a relatively secure method of communication.

      As for Skype, fuck that entirely, it's been compromised forever. If I want to holler at the NSA, I'll just yell into any phone and hope for the worst.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    7. Re:Not sure by hambone142 · · Score: 1

      Caught that too. Incompetent buffoons.
      They likely have CRT monitors to boot.

    8. Re:Not sure by PopeRatzo · · Score: 1

      What's more concerning... That the director of the CIA had his account hacked, or that he has an AOL account.

      It's called a honeypot, and they took some skells off the board.

      --
      You are welcome on my lawn.
    9. Re:Not sure by Alain+Williams · · Score: 5, Interesting

      What's more concerning... That the director of the CIA had his account hacked, or that he has an AOL account.

      What really is concerning is that tech support knew ''Brennan’s account number, password and other details''. Who stores passwords in clear these days ? The only safe storage is a one way hash or something. This is vague as to exactly which tech support was tricked and which account details were revealed, but who in tech support would tell anyone someone's password ?

    10. Re:Not sure by guises · · Score: 2

      but who in tech support would tell anyone someone's password ?

      Someone they hired after they fired all of the competent people following the Snowden leaks?

    11. Re:Not sure by BlueStrat · · Score: 1

      Caught that too. Incompetent buffoons.
      They likely have CRT monitors to boot.

      What's with the CRT-hate?

      I'll have you know my SGI 061-0025-001(Sony GDM4011P) 20" 1900x1280 monitor looks *great* running on my SGI Octane!

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    12. Re:Not sure by tepples · · Score: 1

      Registration at aim.com was free for a long time (maybe it still is?) and I talk to a lot of people via AIM who were never AOL users

      That's what I meant by a "free tier AOL account", because you can log in at AOL.com with your AIM credentials.

    13. Re:Not sure by Greyfox · · Score: 2

      HEY! He got 20 HOURS of free dialup with that CD that came in the mail!

      --

      I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    14. Re:Not sure by _Sharp'r_ · · Score: 1

      Who stores passwords in clear these days ?

      You've apparently never worked on a project for a government agency.

      They're typically a combination of right-up-to-date (on things which you can just spend money on and it shows up, like a brand new laptop and monitor every year) and 20-30+ years behind (on things which require actual policy/best practices/technology knowledge).

      It doesn't shock me at all that the FBI help desk is as described. I'm a little more familiar with the IRS. In 1991 they were spending $8 Billion to modernize from their 1950s/60s system. By 1997 the IRS was already on their second or third failed "modernization" project, that one failed to the tune of $4 Billion. As recently as 2013 they were still failing to migrate from "1960s" technology to a relational database system.

      Multiply that by all the other government agencies

      Quote:

      Of 3,555 federal IT projects that cost at least $10 million, only 6 percent were a success, according to a study by the Standish Group. In addition, 52 percent of large projects were deemed "challenged," meaning they didn't meet user expectations, went over budget, or ran late. All of the remaining projects - 42 percent - were outright failures.

      And that's just quick news stories/studies from 5 minutes of Google search reading.

      Consider that AFAIK, (this being 9/11 today, its pertinent) since we reported it to them 15+ years ago, none of the Air Traffic Control radar installations have any physical security and they're still running an OS from 20+ years ago that anyone can walk up to and make modifications to. At one point, the Dept. of Agriculture turned off all their firewalls to rely on IDS only because it was too inconvenient to have to keep punching holes for more ports through them.... the stories go on and on!

      --
      The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
    15. Re:Not sure by Coren22 · · Score: 1

      AOL fired people? I wasn't aware that AOL had a recent downsizing in their tech support department.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    16. Re:Not sure by Coren22 · · Score: 1

      When did AOL become a government agency?

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    17. Re:Not sure by _Sharp'r_ · · Score: 1

      I know it's too much to read the articles, but try to keep up with at least the summary and the thread you're replying to.

      We were discussing this line: "According to the affidavit, Cracka appears to have gotten into the law enforcement database simply by calling an FBI help desk and asking for Giuliano's password to be reset..."

      I'm pretty sure AOL doesn't provide the FBI help desk staff, nor manage authentication for their law enforcement databases....

      --
      The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
    18. Re:Not sure by Coren22 · · Score: 1

      Perhaps you should keep up with the thread?

      'Brennan’s account number, password and other details''

      that is what was responded to, this was AOL, not the FBI that had unencrypted passwords. The FBI needed to reset the password because they don't have unencrypted passwords.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  3. Missing the point by pdclarry · · Score: 4, Interesting

    While it is always worthwhile to prosecute the hacker, the real question is how is it possible that the Director of the CIA was hacked? Massive incompetence in the CIA is the only possible explanation.

    1. Re:Missing the point by fl_litig8r · · Score: 5, Insightful

      This was his private e-mail, not his CIA e-mail.

    2. Re:Missing the point by peragrin · · Score: 1

      When you get to the CIA doing anything on a public web host for email is wrong. You need to be running a private server.

      Republicans are grilling Hillary for using an private server both home and work. This guy needs to be executed for treason for using aol at all.

      --
      i thought once I was found, but it was only a dream.
    3. Re:Missing the point by Dahamma · · Score: 4, Insightful

      What the fuck are you talking about? Who cares if his AOL account was "at risk" if he used it for the same stupid shit more people use their AOL account for?

      Personally I prefer that government employees receive Viagra spam and pictures of their grandchildren on their private email accounts, and national security briefings on their government email accounts.

    4. Re:Missing the point by AHuxley · · Score: 1

      Re 'Massive incompetence in the CIA is the only possible explanation."
      Kept it safe from the NSA, GCHQ, MI6, other parts of the CIA or other agencies... or just decades of later FOIA requests.
      The point is not to have anything thats interesting to your own staff, rogue staff, long term spies, 5 eye nations, the NSA, ex staff, former staff who might be looking or have sold/given/been of the same faith/cult and liked to give details to other govs, mils...
      The selection of a mainstream US brand is so unexpected it almost feels like a limited hangout to see who is looking.. that might have kept other US agency staff guessing about the real role of just such an account. Bait, limited hangout, a long term trap, a totally created account as part of an ongoing FBI domestic cyber trap.. something for the NSA to wonder about. Was the CIA setting a spy trap and not sharing domestically ? A trap to induce diplomatic/other gov staff to contact their deep cover staff at any level of the US gov to see it was really real.. Any search for a unique term mentioned would have been perfect.
      Thats another aspect of the US cyber teams foreign and domestic overlap that now has so much agency duplication and international help. Was it FBI, MI6, CIA joint long term bait? Did the NSA know, at what level and when?
      Recall the massive lost of US gov workers, contractors data that was kept in plain text on open servers ..
      Parts of the US gov knew people had access and hoped they would look for names online. The data walked in bulk and was totally lost ..
      But for a while all that other agency and new digital security clearance data was left and kept wide open as a huge open honeypot.
      Missed Opportunities Detailed Ahead of Personnel Agency Hack (Sep 7, 2016)
      http://abcnews.go.com/Technolo...
      ..."others to monitor the hacker to better understand his movements. "
      "Over the next several months, the hacker moved unchecked through the system and stole sensitive security clearance background investigation files, personnel files and, ultimately, fingerprint data."

      --
      Domestic spying is now "Benign Information Gathering"
  4. Alexandria by Anonymous Coward · · Score: 1

    [The men] will be extradited next week to Alexandria.

    Holy crap, why are they sending them to Egypt?

    1. Re:Alexandria by Dahamma · · Score: 1

      This was officially the dumbest and most useless attempt at a joke on this article.

  5. The argument for having your own e-mail server? by fl_litig8r · · Score: 5, Interesting

    I used to think that the only reason someone would want their own e-mail server would be to try to erase a central record of sent e-mails should the need arise, but after reading this summary I see that there is merit in not entrusting a third party's low level tech support person with the ability to either read or reset your password.

    In other news, Verizon knows its users' passwords? Let me guess -- they're stored in plaintext.

    1. Re:The argument for having your own e-mail server? by Anonymous Coward · · Score: 1

      The assertion that "home-based e-mail servers are no more secure than public chat based accounts" is baseless and is dependent on the knowledge level of the person who set it up and administers it, just like any other server in existence.

  6. None of this makes any sense. by Anonymous Coward · · Score: 1

    Posing as a technician to get passwords - what?

    Law enforcement database for managing private e-mail accounts - what?

    I mean this shit could all just be made up to cover up the more embarrassing things they actually did, because if security were so lax as this story claims, every hostile nation would have pretty much everything on all high ranking intelligence officials.

  7. Yeah the guy who advises the president on security by Crashmarik · · Score: 4, Funny

    Has an AOL account ?

    Come on what does he use for personal information ? Myspace ?

  8. Not Brennan's fault by Okian+Warrior · · Score: 5, Insightful

    While it is always worthwhile to prosecute the hacker, the real question is how is it possible that the Director of the CIA was hacked? Massive incompetence in the CIA is the only possible explanation.

    This came up and was discussed on Schneier's security blog.

    In this instance the CIA director did nothing wrong. He had a strong password, didn't let it out, and had no sensitive information on this particular personal account.

    The hackers convinced AOL to to do everything on behalf of Brennan, without his knowledge or consent. All the security "best practices" in the world won't help if you can convince someone at the ISP to let you in.

    To his credit, Brennan used this account for personal purposes, and apparently there was absolutely nothing of a sensitive nature there.

    1. Re: Not Brennan's fault by ninthbit · · Score: 1

      They've already established that high level government officials can use their personal accounts for official sensitive data. The rules are more like recommendations at the SES and above levels.

    2. Re: Not Brennan's fault by uvajed_ekil · · Score: 3, Informative

      The article says there were sensitive files stolen from his personal email account. If true, he shouldn't have had them there.

      From a Wired article dated almost a year ago:
      "News of the hack was first reported by the New York Post after the hacker contacted the newspaper last week. The hackers described how they were able to access sensitive government documents stored as attachments in Brennan’s personal account because the spy chief had forwarded them from his work email.
      The documents they accessed included the sensitive 47-page SF-86 application that Brennan had filled out to obtain his top-secret government security clearance. Millions of SF86 applications were obtained recently by hackers who broke into networks belonging to the Office of Personnel Management. The applications, which are used by the government to conduct a background check, contain a wealth of sensitive data not only about workers seeking security clearance, but also about their friends, spouses and other family members. They also include criminal history, psychological records and information about past drug use as well as potentially sensitive information about the applicant’s interactions with foreign nationals—information that can be used against those nationals in their own country."

      Sounds pretty bad to me, but I doubt he'll receive the same level of scrutiny as Hillary Clinton has, because it isn't as interesting politically.
      Source: https://www.wired.com/2015/10/... -- interesting article.

      --
      This is a hacked account, for which the owner can not be held responsible.
    3. Re:Not Brennan's fault by Anonymous Coward · · Score: 1

      Ahem, he did nothing wrong at all... OTHER THAN CHOOSE TO USE AOL... dumbass is as dumbass does. Although it was a personal account so who gives a shit so why are these people being prosecuted exactly? How about prosecute the AOL morons that let this happen.

    4. Re: Not Brennan's fault by hey! · · Score: 1

      Personal information about a high ranking intelligence official is intrinsically sensitive.

      Intelligence agencies put a lot of time in by smart people teasing out deductions from apparently innocuous information about high ranking foreign officials. Back in the Cold War it was called "Kremlinology".

      Of course there's only so much you you can do about it. People have private lives and leave traces of information behind. You can never be sure what anyone can do with any piece of data, because it's connecting different data points that generates insight.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    5. Re:Not Brennan's fault by Luthair · · Score: 1

      Why would a high value target use a commodity grade email service?

    6. Re:Not Brennan's fault by grasshoppa · · Score: 1

      All the security "best practices" in the world won't help if you can convince someone at the ISP to let you in.

      I can't help but feel as though you're missing the joke, hence I quoted the relevant part.

      --
      Mod me down with all of your hatred and your journey towards the dark side will be complete!
    7. Re:Not Brennan's fault by radarskiy · · Score: 2

      For high enough target value, all services look commodity grade.

    8. Re: Not Brennan's fault by Dahamma · · Score: 1

      It didn't say there were *government* sensitive, files, it said they were personally sensitive files - primarily his application for Top Secret clearance, which I assume was emailed from his personal accounts since he obviously didn't HAVE a government/CIA account yet.

      By definition he didn't have access to classified information when he filled it out, so it couldn't have contained information that was classified when he filled it out...

      It would be like you applying for a mortgage, and you SSN and bank account info being leaked. Definitely sensitive to you, but far from government classified.

    9. Re: Not Brennan's fault by strikethree · · Score: 1

      The documents they accessed included the sensitive 47-page SF-86 application that Brennan had filled out to obtain his top-secret government security clearance.

      An SF86 form is filled out by and "owned" by the individual. It is NOT a secret government document. Yes, it has tons of personal information in it about him and his family.

      Sounds pretty bad to me, but I doubt he'll receive the same level of scrutiny as Hillary Clinton has, because it isn't as interesting politically.

      Why would it receive scrutiny? There is nothing illegal about a person storing personal information in their own email account. Stupid? Probably. Illegal? Not a chance.

      --
      "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
  9. Would? Worth trying over and over, so they do by raymorris · · Score: 1

    > every hostile nation would have pretty much everything on all high ranking intelligence officials.

    Would it be worth it to China to spend a million dollars trying all sorts of ways to get into the President's email, or the secretary of state? Of course it would. If the

  10. I hit Submit too soon by raymorris · · Score: 1

    I accidentally hit submit before I was done writing.

    > every hostile nation would have pretty much everything on all high ranking intelligence officials.

    Would it be worth it to China to spend a million dollars trying all sorts of ways to get into the President's email, or the secretary of state? Of course it would. If they tried hundreds or even thousands of different hacks, would they eventually get lucky? Sure, probably.

    Therefore they probably have tried thousands of times, and eventually been successful. I would be suprised if after all that trying they never succeeded. Once they got a toehold, it's relatively easy to expand access.

  11. He got his AOL account hacked? by jetkust · · Score: 1

    1996 called ...

    1. Re:He got his AOL account hacked? by Anonymous Coward · · Score: 1

      1996 called? Did you warn them?!!

  12. Our head of intelligence by fred911 · · Score: 1

    Has an AOL account? Jeeze, that just about says it all doesn't it?

    --
    09 F9 11 02 9D 74 E3 5B - D8 41 56 C5 63 56 88 C0 45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  13. Re:Did you know? by Anonymous Coward · · Score: 1

    Calm the fuck down, Mr. Clapper. We'll get you a car. Just relax, will you? There are microphones around.

  14. Re: We should be scared... by Anonymous Coward · · Score: 1

    Director wasn't conned, his service providers were.

  15. Life imitates art by Zeroko · · Score: 1

    This sounds suspiciously like part of the story in Hackers.

  16. Sensitive files by Okian+Warrior · · Score: 1

    The article says there were sensitive files stolen from his personal email account. If true, he shouldn't have had them there.

    Whoosh.

  17. Re:Yeah the guy who advises the president on secur by uvajed_ekil · · Score: 2

    He probably has bills to pay and family to keep up with like every other person out there.

    And that's fine, but all of the sensitive attachments he forwarded from his government account to his AOL account are a pretty damn serious matter. Brennan was definitely not just using his AOL email account to pay bills and see if his brother wanted to play golf on Sunday.

    --
    This is a hacked account, for which the owner can not be held responsible.
  18. Re:Diversity = WHITE GENOCIDE by rossdee · · Score: 2

    }
    "Probably because it was mostly the white countries that enslaved or "colonized" all of the non-white people from other countries over the last few hundred years.}
    "

    I guess you missed The Greater East Asia Co-Prosperity Sphere

    They did plenty of conquering and enslaving in the 30's and 40'e

    And they are still not 'diverse'

  19. arrest the CIA directory by ooloorie · · Score: 1

    For a government official to use an AOL account for anything should be a criminal offense.

  20. Re:Yeah the guy who advises the president on secur by Tablizer · · Score: 2

    Hey, AOL is for serious work. Shut up!
      - Colin P.

    --
    Table-ized A.I.
  21. I'm sorry I don't believe this by roc97007 · · Score: 1

    It's right up there on top. The sentence with "cia director" and "aol account". That's impossible.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
  22. AOL IS FUCKING GEENIUS. ER GIENUS, ER... by TiggertheMad · · Score: 4, Funny

    I said the same thing at first, but if you think about it, its brilliant. When the KGB tries to hack into his personal account, they see it is an AOL account and say, 'Neyt comrade, you are mistakekink. Thees coold not be direcktors account, only retarded child use AOL account. Must be, how you say, hunny pit? Ve keep lookikink elsever.'

    These CIA guys, always throwing fucking curve balls. They are like, Inception deep.....

    --

    HA! I just wasted some of your bandwidth with a frivolous sig!
  23. resetting passwords by dnaumov · · Score: 1

    I work at a large finnish ISP. We employ a very simple method to avoid problems with impostors trying to reset account passwords and the like, we do not, under any circumstances, reset the password on the customer's behalf. The customer has to do it him/herself. In theory, we are not forbidden from resetting a password, but we are (under penalty of immediate termination) forbidden from giving up the new password to anyone via any form of communication. The customer has to do the resetting him/herself via the account management page.

    If the customer has forgotten the credentials to the account management page, he can get into it using his standard 2-factor online banking authentication (in Finland, ALL banks are part of this system and many public and large private services utilise the provided auth API for authorisation), Yes, we understand older clients might find this inconvenient, but no amount of yelling and screaming is going to make any of our reps divulge a password directly. If the customer can't find the account management page or navigate it, we an offer a remote desktop connection to caller's computer and help them with that, but the caller still has to authenticate, we just show them what links to click and where.

  24. Something you never hear. by ememisya · · Score: 1

    CIA! Freeze!

  25. I'm sorry, but what??? by Puppet+Master · · Score: 1

    The group used social engineering to access the email accounts of John Brennan, the director of the CIA, as well as the Director of National Intelligence, and former FBI deputy director Mark Giuliano, according to the article. One exploit involved "posing as a Verizon technician and tricking the company's tech-support unit into revealing the CIA director's account number, password and other details.

    That IT department (in CIA/FBI) should be fired. Everyone knows that there is no reason for Verizon to ask for any passwords. If they were that easily socially engineered, I'm seriously afraid for this country.

    --
    The day Microsoft creates a product that doesn't suck, it will be known as the Microsoft Vaccuum Cleaner!