Back in October I told you about CIA Director John Brennan’s personal email account being hacked. The hacking was not done by Russian, Iranian or Chinese government hackers. Instead, it was done by a teenage hacker who calls himself Cracka and his group, Crackas With Attitude. Among the data stolen by the hackers were government documents stored in Brennan’s personal email account. Now it has been disclosed that Cracka has also recently hacked online accounts of James Clapper, the Director of National Intelligence, and John Holdren, the Director of the White House Office of Science and Technology Policy. What is particularly troubling about these hackings is how easy it was for Cracka and his cohorts to hack the accounts of top level government officials using basic phishing and social engineering techniques. In the case of John Holdren, Cracka has indicated that he gained access to his accounts merely by sending an email to Holdren’s wife, posing as Holdren, saying he had lost the password for their Xfinity account and asking for it, which she supplied. In the case of the hacking of Brennan, Cracka started by doing a reverse lookup of Brennan’s cell phone number and found that he was a Verizon customer. He then called Verizon, posed as a Verizon technician and simply asked for Brennan’s personal information, which was provided once Cracka gave the Verizon employee he was speaking with a phony “V code,” the identifier assigned to all Verizon employees. The Verizon employee then provided Cracka with Brennan’s account number, his PIN, the backup cell phone number on the account, his email address and the last four digits of his bank card. Armed with this information, Cracka contacted Brennan’s email provider and, after answering the security questions with the information obtained from Verizon, changed Brennan’s password and took over the account.
So what does this mean to you? We all have important and sensitive information in our email accounts, and perhaps we shouldn’t. A better habit is to store personal and sensitive information in an encrypted folder or file on your computer rather than leaving it in your mailbox, where anyone who takes over the account gets all of it at once. This hacking is also a reminder that whenever possible you should use dual factor authentication, by which you can only access a particular account, such as your email, by providing a one time code each time you log in, in addition to your password. Dual factor authentication would very likely have stopped this hacking, with one caveat: if the code is delivered by text message, an attacker who has already talked your carrier into handing over your account number and PIN, as happened here, may be able to get your number moved to a phone he controls and receive the code himself. A code generated by an authenticator app on your phone, or a hardware security key, does not depend on your carrier and is the stronger choice. In addition, a problem that has come up time and time again is that when security questions are used to let someone change a password, the answers to many of the security questions we use can be obtained from a variety of sources, including social media and public records. One way to make your security question stronger is to provide a nonsensical answer. So if the question is what is your mother’s maiden name, an often used and particularly weak security question, pick a nonsensical answer such as “grapefruit.” You will remember it because it is so ludicrous, but no one is going to be able to look it up. Better still, treat the answer like a second password: make it random and keep it in your password manager. Also, Holdren could have avoided being hacked had his wife contacted her husband directly, by phone or in person, before responding to an email posing as him asking for a password. Trust me, you can’t trust anyone.
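To make the difference concrete, here is an added example of my own (it is not code from the original post, nor from Verizon or any email provider mentioned). It models a password-reset flow two ways: one gated only by security questions, as the post describes, and one that also demands a code from an authenticator app (TOTP, RFC 6238, built on HOTP, RFC 4226). The victim account, the “harvested” answer, the clock value and the TOTP secret (the RFC 6238 test key) are all constructed for illustration; the hardened flow rejects the attacker, who has the harvested answer but no authenticator, and accepts the real owner.

```python
"""Added example: security-question-only reset vs. security questions plus a
TOTP code. All names, the sample account and the 'harvested' data are
constructed for illustration; they are not from the original post."""
import hashlib
import hmac
import secrets
import struct

# --- TOTP (RFC 6238) on top of HOTP (RFC 4226): HMAC-SHA1, 30 s step, 6 digits ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based code: the HOTP counter is the number of 30 s steps since epoch."""
    return hotp(secret, unix_time // step, digits)

def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps of clock skew; constant-time compare."""
    for skew in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + skew * 30), code):
            return True
    return False

# --- Knowledge-based authentication (the security questions) ---

def _normalize(answer: str) -> str:
    return " ".join(answer.lower().split())

def hash_answer(answer: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen database does not give up answers cheaply.
    return hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode(), salt, 100_000)

def check_answers(account: dict, answers: dict) -> bool:
    for question, stored in account["questions"].items():
        given = hash_answer(answers.get(question, ""), account["salt"])
        if not hmac.compare_digest(given, stored):
            return False
    return True

def reset_password_kba(account: dict, answers: dict, new_password: str) -> bool:
    """Weak flow: whoever can answer the questions gets to set a new password."""
    if not check_answers(account, answers):
        return False
    account["password"] = new_password
    return True

def reset_password_kba_totp(account: dict, answers: dict, code: str,
                            unix_time: int, new_password: str) -> bool:
    """Hardened flow: the questions AND a current code from the owner's authenticator."""
    if not check_answers(account, answers):
        return False
    if not verify_totp(account["totp_secret"], code, unix_time):
        return False
    account["password"] = new_password
    return True

def make_account(answers: dict, totp_secret: bytes) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt,
            "questions": {q: hash_answer(a, salt) for q, a in answers.items()},
            "totp_secret": totp_secret,
            "password": "original"}

def demo() -> dict:
    # Constructed victim: a maiden name that public records would reveal, plus an
    # authenticator secret (the RFC 6238 test key, chosen so the codes are checkable).
    secret = b"12345678901234567890"
    victim = make_account({"mother's maiden name": "Smith"}, secret)
    harvested = {"mother's maiden name": "smith"}   # attacker got this from public records
    now = 1_700_000_000                              # constructed clock value
    return {
        # questions alone: the attacker walks in with the harvested answer
        "attacker_kba_only": reset_password_kba(victim, harvested, "attacker-chosen"),
        # questions plus TOTP: no authenticator, so the code field is empty
        "attacker_kba_totp": reset_password_kba_totp(victim, harvested, "", now, "attacker-chosen"),
        # the real owner supplies the current code from the app
        "owner_kba_totp": reset_password_kba_totp(victim, harvested, totp(secret, now), now, "owner-chosen"),
    }

if __name__ == "__main__":
    print(demo())
```

The point of the example is the comparison: `reset_password_kba` succeeds for anyone holding the harvested answer, exactly the position Cracka was in after the Verizon call, while `reset_password_kba_totp` fails for that same attacker because the code comes from a device the carrier cannot hand over. The salted PBKDF2 hashing of the answers and the constant-time comparisons are there because a reset endpoint is an authentication endpoint and should be built like one.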