CIA boss has his personal email account hacked... and yes, it's on AOL

Pity poor John Brennan, director of the United States Central Intelligence Agency (CIA).

A hacker, who describes himself as an American high school student, has breached the CIA boss's AOL email account - and found a host of sensitive government files that one assumes a government official shouldn't be sending to his personal email address.

I'm not sure what's more embarrassing. Being hacked or having an AOL email account.

The hacker, whose Twitter account @phphax is still active at the time of writing, has posted what is purported to be the CIA director's contacts list, as well as call logs of Deputy National Security Advisor Avril Haines, amongst other information.

Access to the AOL account was disabled on Friday...

Aol cancelled account

...but only after a certain amount of toing and froing between the hacker and the CIA, as they attempted to wrestle control of the account from each other.

Tweet by hacker

A CIA spokesperson has told the media that they are aware of the reported security breach:

"We are aware of the reports that have surfaced on social media and have referred the matter to the appropriate authorities."

Questions clearly need to be asked, similar to the current Hillary Clinton controversy, as to why a personal email address was being used for sensitive communications.

Meanwhile, AOL should probably take a long hard look at itself and ask whether it is doing enough to secure its members' accounts.

For a long time now, net users have wondered out loud when AOL will offer even simple security measures such as two-factor authentication, which just about every other major webmail service provides today.

Maybe this is evidence of evolution in progress. If you're canny enough to be looking for an email account secured by 2FA, then you're probably also not going to still be using the email account you set up in 1994 when AOL sent you a CD through the mail.

I don't know if two-factor authentication would have helped in this case, or whether Verizon staff would have been socially engineered into letting a high school kid break into the CIA director's email account regardless... but it certainly wouldn't have hurt.



11 Responses

  1. Techno

    October 20, 2015 at 7:21 am #

    "why a personal email address was being used for sensitive communications."

    It does make sense from their point of view because of the principle of "hiding in plain sight". A dedicated secure system would be more obvious and attract more attacks, whereas using personal email uses "security through obscurity", although these stories show the weakness in this practice.

    The question is, was this hacker tipped off and so knew exactly where to concentrate his efforts straightaway, or did he try lots of accounts in the name of John Brennan, or – even worse – simply stumble across it by accident when accessing lots of email accounts.

    • Andy in reply to Techno.

      October 20, 2015 at 12:29 pm #

      It's also a clear violation of dozens of U.S. laws. It would seem they are doing this to try and stay out of the reach of open records laws and agency inspector generals. Until someone, hopefully Hillary, goes to jail for doing this – it's going to just keep magically being an accident that no one can explain.

      • coyote in reply to Andy.

        October 20, 2015 at 11:13 pm #

        Remember that those seeking power are corrupt, and those that are in power because they sought it, become more corrupt. Any claim to the contrary is being naive and/or gullible. This isn't specific to the US.

        Or: I'm sorry to break it to you, but US government officials have a long history (the word is relevant) of breaking laws, and in fact, there is this concept known as 'diplomatic immunity' (granted congressmen aren't the same but that's not my point; for instance, the laws that congressmen are able to break with impunity). This goes no matter what party is in power and the same goes for law breaking. Laws have loopholes for a reason. And unless I'm sorely mistaken, laws aren't written to penalise a certain party (race, gender, other things, is another matter entirely). At least not in 'the west'. Of course, bias is always there which makes it possible.

        Furthermore, it isn't a matter of no one being able to explain it. Just ask yourself who creates the laws[1] and who enforces the laws (or relevant laws) and you have the answer to the problem (my understanding is it is illegal to deliberately seek out something someone might have done illegally but I know that US politicians are far too moral and ethical to have done something like that…). That's the beauty of corruption, see? If the law isn't what you want, change for your own gain.

        [1] It is my understanding that the US constitution is what gives congressmen so much immunity to things no one else gets away with, for example. I can't imagine it any other way but I would watch paint dry long before I would read the US constitution (and/or other rubbish).

    • David L in reply to Techno.

      October 20, 2015 at 4:06 pm #

He probably found it in a list on the dark web. There have been so many hacks of all kinds, and this idiot probably used it to register at Target or Homedepot. The arrogance and stupidity of this administration and its appointees is the gift that just keeps on giving!

      • coyote in reply to David L.

        October 20, 2015 at 10:46 pm #

        "of this administration"

        Not that there isn't any brilliance in the US (there is, the predecessor to the Internet was created (that is, the predecessor to it) during the tensions of the Cold War, by the US ARPA – what is now DARPA, the defence[1] advance research project agency) but 'this administration' isn't the problem. The problem is US government in general (actually, to be fair, all governments in general – it's just the US is particularly proud of demonstrating their ineptness to the world). And besides that, it isn't like the White House (I presume that is what you mean by 'administration') is responsible for all positions, all actions and everything in general. Using a select few as a reason that X has happened in such a large country with a horribly convoluted government, is a fallacy (the US is not a dictatorship – though it isn't a true democracy, either). Regardless, the entire US government is broken and always has been (many will refute this but they're neglecting certain things – things that I won't bother getting into because it is another topic entirely).

        [1] Technically, it would be 'defense' as that is the American spelling, but America shouldn't have changed spelling in the first place (any more than any other country should change something just so it is 'their way').

      • coyote in reply to David L.

        October 21, 2015 at 4:18 pm #

        Also, David, there is something else to consider. US government networks being compromised goes back decades. The same goes for corporations. This is nothing new – what you see now is just one of many others from years gone. Back in the day when there were mass-defacing[1] of websites (maybe they still happen, I don't know), government computers were often hit – by kids. Kids from all over the world. Many just used canned scripts and they could barely write anything coherent because they didn't really have anything to say other than "I'm doing this to showing off my l33t skillz". It was horrible. I wouldn't be surprised if this still happens, though I would like to believe otherwise. That's after the web was created, so post early 90s. But it goes back further.

        [1] The mass- implies that they would compromise one host (the provider of their original target – when they had one; otherwise those that they happened to find that are vulnerable) and then because it was shared hosting they would deface all the websites hosted. It isn't like they exploited each website individually.

  2. Graham Anderson

    October 20, 2015 at 5:12 pm #

    To be fair to AOL, it used to offer 2FA via SecurID – I think before even Gmail offered SMS based 2FA (2004-2009 versus 2010). But they withdrew it – most likely due to poor take up and member service hassles with those who did.

    AOL pushed hard on SPF, and scores fine on CheckTLS.com and webmail is secure (finally).

    • coyote in reply to Graham Anderson.

      October 20, 2015 at 10:28 pm #

      Maybe, but SPF is 100% irrelevant to passwords. Whether TLS is or is not (for this case) depends on how it was breached.

As for why they cancelled it – who knows, but maybe it would be because of having to obtain the card? I don't buy the theory that those who took advantage of it found it a hassle, because they would know what they're getting into (and if not then they must have been rather confused on what SecurID is).

  3. Richard Steven Hack

    October 20, 2015 at 5:54 pm #

    My guess is Brennan wasn't using it for sensitive material. I suspect the hacker got the personnel data he revealed from the OPM hack somewhere and merely married it to the AOL account.

    If Brennan was using an AOL account for CIA purposes, he needs to be removed from his post immediately. In fact, if he was using an AOL account at all, he probably should be fired. :-)

    • coyote in reply to Richard Steven Hack.

      October 20, 2015 at 10:32 pm #

      "In fact, if he was using an AOL account at all, he probably should be fired. :-)"

      True although I imagine many people would prefer he isn't struck off because they could take advantage of him. Then again, government intelligence is an oxymoron, so if it isn't this it will be something else (and/or someone else).

  4. Jim

    October 20, 2015 at 6:05 pm #

Had a vision of Brennan trying to cancel his AOL account then spending a whole day trying to convince AOL customer service that he wasn't interested in their numerous offers to stay with AOL.
