It was recently disclosed that CIA director John Brennan's personal email account apparently was hacked. Actually, it was hacked four times before he terminated the account. The good news is that the hacking was not done by Russian, Iranian or Chinese government hackers. The bad news is that it was not done by Russian, Iranian or Chinese hackers either, but rather, according to reports in Wired Magazine, by a teenaged hacker who calls himself cracka. Among the data stolen were government documents stored in Brennan's personal email account. To prove that he had accomplished the hack, cracka posted some of the documents on his Twitter account before that account was shut down. Cracka also turned over documents to Wikileaks, which has now made them public.

It is troubling enough that a teenaged hacker, with help from his friends, was able to break into the CIA director's email account. It is more troubling that he apparently did so simply by exploiting the human elements of the security systems involved, without even having to attempt to use sophisticated cybertools. The hacker told Wired Magazine that they started by doing a reverse lookup of Brennan's mobile phone number and found that his carrier was Verizon. He then called Verizon, posed as a Verizon technician and merely asked for Brennan's personal information, which was provided once cracka gave the Verizon employee he was talking to a phony Vcode, the identification code that Verizon assigns to its employees. The Verizon employee then provided cracka with Brennan's account number, his PIN, the backup cell phone number on the account, his email address and the last four digits of his bank card. Armed with this information, cracka contacted Brennan's email provider, answered the account's security questions with the details obtained from Verizon, changed Brennan's password and took over the account.
In fact, they took over the account three more times: each time Brennan changed his password, cracka reset it again and regained control, until Brennan finally closed the account.
So what does this mean to you? We all have important and sensitive information sitting in our email accounts, and perhaps we shouldn't. A better habit is to move personal and sensitive documents into an encrypted folder or file on your own computer and then delete them from the mailbox, including the Sent and Trash folders, so that a hijacked account does not hand them over.

This hacking is also a reminder that whenever possible you should use two-factor (dual factor) authentication, by which you can only access a particular account such as your email by providing, in addition to your password, a one-time code each time you log in. Two-factor authentication would very likely have stopped this particular attack, because a new password alone would not have been enough to get in. One caveat: codes sent by text message are only as safe as your phone account, and in this case the carrier had already been talked into handing over account details by a caller with a phony employee code. Where your provider offers it, generate the codes with an authenticator app on your phone or use a hardware security key instead of relying on text messages.

In addition, a problem that has come up time and time again is that when security questions are used to let someone reset a password, the answers to many of the questions we use can be obtained from a variety of sources, including social media, public records and, as here, a carrier's customer service line. One way to make your security question stronger is to provide a nonsensical answer. So if the question is your mother's maiden name, an often used and particularly weak security question, pick an answer such as "grapefruit." You will remember it because it is so ludicrous, and no one is going to find it in any record about you. If you do this for several accounts, keep the made-up answers in a password manager rather than trusting memory. Had Brennan used such a nonsensical answer, the hackers could not have answered his security questions with the data they pulled from his phone account.