
As far as we know, the emails on Hillary’s personal computer were not hacked. Just subpoenaed. And debated. But the emails on the personal computer of the Director of the Central Intelligence Agency, John Brennan, were hacked.

 

The alleged hackers were part of a group known as CWA, or “Crackas With Attitude.” Reports differ as to motive. Best guess is it was one part political and one part prank.

 

Wikileaks stepped in and published some of the hacked emails last week. And while no bombshells were revealed, a lot of personal information on Brennan and his family (social security numbers, contact information and the like) was.

 

“The hacking of the Brennan family account is a crime and the Brennan family is the victim,” said CIA spokesman Dean Boyd. “The private electronic holdings of the Brennan family were plundered with malicious intent and are now being distributed across the web. This attack is something that could happen to anyone and should be condemned, not promoted.”

 

The hack provokes the question: if the head of the CIA cannot protect their email account, how on earth can the private citizen do so? Lucky for us peons, we are less of a target than the head of a government agency. But looking at the details of the event, it appears that (once again) technology and firewalls and 25-character-long passwords were not the issue.

 

The hack relied on social engineering. A successful phishing expedition. The hackers posed as a Verizon employee, which eventually allowed them to take control of Brennan’s AOL account.

 

Here’s a step-by-step account published in Wired on how the hack was accomplished.

 

I don’t know how to build a firewall but I do know to be very suspicious of every email or phone call that asks me to provide information. I am fanatically suspicious. You say you are my mom? OK, how much did I weigh at birth?

 

Director Brennan criticized the press for reporting on the hack, saying “the implication of the reporting was that I was doing something wrong or inappropriate or in violation of my security responsibility, which was not certainly the case”.

 

The potential embarrassment on his part is understandable. But if this news item results in people at home and at their workplace being more aware of their vulnerability to social engineering, then there is at least one positive outcome.

 

Have you ever been socially engineered?