A computer criminal called the New York Post this week to say he’d hacked into CIA Director John Brennan’s personal AOL email account.
Once you get over the shock that the director of America’s intelligence agency was using an AOL account, you’ll realize that the elements of the attack sound all too familiar. Wired’s Kim Zetter reported that the hacker told her he’d tricked Verizon into divulging Brennan’s personal information by pretending to be a Verizon employee. Armed with those personal details – which reportedly included the last four digits of a bank card – the hacker and his partners went to AOL, fooled the service’s “forgot your password” function, and used it to repeatedly reset the password and hijack the account.
Making matters much, much worse: Brennan had forwarded some sensitive (but not classified) information from his “work” email to his personal email. The hacker said he found a spreadsheet with Social Security numbers, for example.
Sure, this story is embarrassing, and perhaps even worth a giggle (the CIA director was using AOL?). But there are serious lessons to be learned here.
“Forgot your password” is every hacker’s favorite tool. We’ve known this for years. People forget passwords. When they do, there must be a way to recover or reset the password. This method is almost always less secure than the login credentials. The hurdles to reset the password turn out to be something the company knows, and something hackers can learn. Pets’ names. Old girlfriends’ names. At the sophisticated end, the name of your mortgage holder. Or, in this case, payment card details. All discoverable. The lesson for you? When you set up an account and a company asks you to supply answers to those annoying questions, take an extra moment to make it hard on a hacker. But can you make it impossible? Probably not. One trick smart security professionals employ is to lie in their answers (“Say your first car was an AMC Pacer when it was a Ford Escort”). You have to remember the lies, of course, but lies are a lot harder to discover through traditional research.
Work and pleasure mix. They just do: everybody forwards work emails to their personal email address. Don’t lie (sorry for the ambivalence on that one). It’s just too convenient. It’s too easy. With very rare exceptions, companies encourage employees to bring work home, to bring their own devices, and yes, even their own email addresses to the job. It saves money and gains them productivity. This problem is most clear in the BYOD world, where your iPhone basically becomes company property once you start reading emails on it. Companies that don’t want their secure information finding its way onto AOL email have to invest in serious technology to forbid it. They also have to let workers leave their work at work. No personal laptops. No quick logging in from home. No “Oh, my work phone is dead, I’ll just use my personal phone this one time.” Until companies are willing to make that investment, things like this will happen. Even to the CIA director.
Those F%^%^ING attachments. They are the source of so much trouble. Attachments are the main delivery mechanism for virus attacks that infiltrate companies. Spear-phishing emails with fake “resumes” or “spreadsheets” lead to corporate espionage. And yes, it’s easy to forward a spreadsheet of Social Security numbers from some HR database to a web-based email account. And then, holy heck can break out. If you are CIA director, you end up being the lead story on the NBC Nightly News. If you work in human resources, something much worse can happen – you could lose your job. The lesson? Treat attachments like fire. Or maybe like firecrackers. They can be useful, but it is very dangerous to play with fire, and they will almost certainly explode on you at some point. Use attachments sparingly, if at all.
It can happen to anyone. Here is yet another example proving that even people whose lives and careers depend on security have lapses in judgment. Really? The CIA director, caught with his pants down by a teenager, using an AOL account to store sensitive (if not Top Secret or Classified) information. You can be secure and make smart choices 23 hours and 59 minutes a day, but it only takes a momentary lapse of reason to make a big mistake. So consider this story, think “There but for the grace of God go I,” and then keep your guard up.