I can believe that the information security is atrocious for folks unwilling or unable to adopt agency policies, but how stupid do you have to be to poke the head of the CIA in public?
Agreed. Also this in the post>The hacker contacted The Post last week to brag about his exploits, which include posting some of the stolen documents and a portion of Brennan’s contact list on Twitter.
Like seriously, it is like begging to be apprehended.
I am assuming based on this -He explained “CWA” stood for “Crackas With Attitude,” which he said referred to him and a classmate with whom he smokes pot.- The NY Post went for a dramatic title. But I could be wrong. The NY Post is known for such "wild titles" for attention.
I'm less concerned about the hacker, and more concerned that the Director of the CIA not only has an aol.com email account but also uses that account to transmit sensitive information.
I'm not just saying this to be a jerk - this should be grounds for immediate termination of his employment. This is clearly a guy who shows poor judgement with respect to the management of sensitive material.
Also, from the article:
"[The] problem with these older-generation guys is that they don’t know anything about cybersecurity, and as you can see, it can be problematic.”
On the contrary - these "older-generation guys" cut their teeth in an environment where we were going head-to-head with the KGB on a daily basis. These guys have a solid understanding and awareness of basic information security procedures, as well as a strong understanding of adversary capabilities. I don't buy it.
It's plain negligence. Unfortunately, in this political climate it's not favorable to punish a high-ranking government official over mishandling their emails, even if said email is used to transmit sensitive information.
The key point for me is even if we assume that security blunders like this or say keeping a private email server are ignorance rather than malice ignorance is unacceptable at this level of government. Where's the security officer at advising these officials and helping them do it right? That has to be someone's job right?
That someone also is replaced if he gets on the nerves of the guy he is advising to much, at least on this level.
Parallel advising/control structures only work if they have someone higher up they can fall back on if necessary.
Ultimately, this is the same as when the CEO tells me he's disabled anti-virus protection because the popups annoyed him, or that he's using a personal Dropbox account so he doesn't have to go through that pesky login process onto the network drive.
My guess is that to many people in power, the benefits of using these web services seem to outweigh the disadvantages because they just don't understand the disadvantages. "It's OK - I set a great password!" There's simply nobody powerful enough to monitor what they're doing, independent enough to want to do something about it, and respected enough for people to listen.
We need independent bodies that act as national 'IT departments' and can refuse requests from the very highest powers, in much the same way that any other Head of IT can fire someone for gross misconduct because they were downloading torrents on their company laptop.
You make a totally fair point, but I think it's also a fair criticism of the state of proper computer security that plenty of people opt-out as a result of the inconveniences. Someone will solve this someday and make a lot of money, but I have no idea what the solution is.
The US Federal system was designed to have checks and balances provided by oversight by different branches of government.
Unfortunately today we have people in these branches of government who either won't do their duty because they are terrible at their jobs or because there is a silent quid-pro-quo where these sorts of people look the other way for each other.
While you're absolutely right in your diagnosis of the problem in the US, I doubt these problems are specific to the US government. I'm a Brit, and there are enough stories of technical incompetence here to make me assume it's a global problem. I suspect even non-democracies have the same issue. Who's going to tell Kim Jong-un he needs to rotate passwords?
Thanks for your thoughtful response, not sure what I said that rated downvoting on my comment but apparently members of the CIA and Congressional oversight committee are members of hn ;)
I would flip that around: Make zero-knowledge systems and strong encryption routine in consumer internet products and services. Then you could use your yahoo or AOL mail for anything and there would be no bad consequences. Seems more reliable than trying to enforce the use of some crappy system made by a beltway bandit that is hard to use and inconvenient.
Oh dont worry - he was probably only emailing with Hillary and as we know, she would regularly wipe her mail server with a cloth to ensure it was secure.
I'm a bit suspicious of this story. Apparently his top secret security clearance application is in his AOL account, but he's been in the CIA for 25 years so that seems odd (unless his AOL account is very old).
I guess if this happened to some common employee, he would be fired eventually. But Director of the CIA is a political position. So, it's much harder to fire him, because of political implications.
>I'm not just saying this to be a jerk - this should be grounds for immediate termination of his employment.
More specifically, his security clearance should be revoked, or modified such that he's not allowed to use a computer without being supervised by a competent person; which ought to have the effect that he's basically disqualified from working for the CIA, or speaking about anything related to information security.
The only sensitive information listed in this article is his application for security clearance. While that may contain a lot of personal information, that file would have been compiled and sent before he had access to classified documents, and before he had a government email address.
I am guessing this kid wiggled his way into a 10+ year old AOL account containing data that was never deleted. We all probably have emails and contacts sitting in a forgotten AOL account.
>The only sensitive information listed in this article is his application for security clearance. While that may contain a lot of personal information, that file would have been compiled and sent before he had access to classified documents, and before he had a government email address.
All this time I had assumed when Brennan called for dangerous things like encryption back doors he must understand the negative impacts would be but just didn't care as long as it helped the CIA. Now I'm thinking he actually doesn't know what he's talking about at all which is somehow even worse. An AOL email account with confidential files in it? Unbelievable.
CIA Director John Brennan’s private account held sensitive files — including his 47-page application for top-secret security clearance — until he recently learned that it had been infiltrated, the hacker told The Post.
Other emails stored in Brennan’s non-government account contained the Social Security numbers and personal information of more than a dozen top American intelligence officials
Not quite. Confidential is a technical term in the military/IC world. It's a classification, just like secret or top secret. I read somewhere that a lot of the Wikileaks cables were supposedly stuff marked confidential.
Storing confidential material in an AOL account would be a crime, just like giving the same material to Wikileaks.
Brennan's PII, job history, etc. is certainly valuable information, but clearance application paperwork itself is unclassified.
I knew (witnessed) the person who got that famed call... was at the compaq side of the MCI call center handling support calls for compaq, on one side, and iomega on the other (I worked on the iomega side).
Walking by... head pops up... "dude... dude... (trying no to snicker too hard) ... this lady's cup holder is broken..." ... me respondign "cup holder?" ... "yeah, the cd drive.. she thinks it's a cup holder" ...
Such a brief interaction, but really funny none the less... My funniest call was someone calling to back up their master's thesis work, because they were concerned about the power during the storm... was almost 6 minutes into the call when he said the power was out (desktop computer). It's really hard to be professional when faced with certain levels of stupid.
Yeah, in cases like this I refer to Scott Adams Dilbert (or rather one of the books).
"I get emails all the time from people who say they were -that- tech support guy that got -that- call about the cup holder. While we're on the subject of what people want in their email client, I want my email client to lock all those people in a room and force them to duke it out until there really is only -that one guy-."
I wasn't the guy... I just happened to be around when it happened... Like I said, I did get a call from someone trying to get hardware support when the power was out... I also had a friend that used to keep his ash tray in front of the desktop as a "smokeless ashtray" since it sucked the smoke into the front intake.
These are probably the three most stupid tech things I've seen... I also saw a computer that was shot once, I am pretty sure that's happened a few times.
A bit of a naive question but can someone answer this for me? To be a CIA Director, isn't it a requirement to have some sort of a technical background that way whoever is in the role is able to anticipate and always be a step head when it comes to these sort of problems?
I guess they don't look at themselves very closely. Otherwise, the biggest red flag should have been the fact that the CIA director has AN AOL ACCOUNT.
The CIA "is tasked with gathering, processing and analyzing national security information from around the world, primarily through the use of human intelligence (HUMINT)"
The director is presumably in charge of executing specific missions and a long term vision for human spying. She/he does this by directing people who manage people who manage people (etc.). I don't think a technical/engineering background is presumed or necessary for such a role.
That said, an understanding of the basic structures and failure modes of information security in the digital world as it pertains to HUMINT does seem highly relevant (and necessary) for crafting and executing a modern vision/mission.
>I don't think a technical/engineering background is presumed or necessary for such a role.
Definitely, but one should know his/her limitations, and that one in particular should also never speak about infosec. Brennan fails on both of those accounts.
That may be true, but it doesn't help. Impersonating another person could plausibly be construed as accessing a system without permission -- a federal offense, I believe. Couple that with things that likely include classified information, if the director included that kind of thing, and anyone who accesses his account could be facing a very aggressive prosecution.
I'm working in a relatively locked down environment.. At least once a week I have to email myself something (nothing sensitive) just to be able to get to it at home, which requires a resource that's blocked en-masse at work, but none the less I need access to.
> CIA Director John Brennan’s private account held sensitive files — including his 47-page application for top-secret security clearance
Stories like these make me shudder thinking about the times I may have, at some point, included a document with personal information in an email, such as to a prospective landlord for verification. Even if I were able to keep my email account reasonably secure...I'm pretty sure all the recipients of my email aren't as wary, or regularly delete old received emails with attachments that they've collected over the _decade_.
Although in Mr. Brennan's case, he doesn't have that same excuse. It may have been reasonably safe (for a layperson in IT) to send his application file over aol.com's servers, but not to keep a copy of it in his Sent box. Even a novice at cybersecurity should realize the problem of keeping digital files around on an online server...it's not much different than keeping files in a file cabinet and expecting that file cabinet never to be compromised.
>Stories like these make me shudder thinking about the times I may have, at some point, included a document with personal information in an email, such as to a prospective landlord for verification.
I always insist on encryption for these sorts of things. I'm fairly certain that for everyone I've asked about an encrypted channel to deliver data, I've always been the first person to even ask. This includes hospitals, agencies who do background checks, etc. It's incredibly disturbing that no one else is insisting that their sensitive documents not just sit unencrypted in all these random in and out boxes.
I shudder at just how much information chinese and russian hackers were able to get or still in process of acquiring or planted early ahead of time so it can be activated for future use. Hope the US also has enough dirt to counter the balance.
The reason those in charge don't care about secrecy is... secrecy is important not for reasons of "national security", but rather for those of politics. Do we need to bash some hackers or protesters or journalists? "OK, then secrecy is literally the most important thing, more important than cute little kids or the Constitution or even the NFL." On the other hand, when it's just us old M-IC lizards futzing around? "Naw, who cares? I'm the expert!"
And the previous CIA director got fired because he had an affair that was leaked via his email account. What is it with CIA directors and email accounts?
This apparently linked twitter account https://twitter.com/_CWA_ has posted what appears to be un-redacted screenshots of names, phone numbers and social security numbers of what I would assume the NYP article is referring to as "top American intelligence officials".
A quick crosscheck of the names and emails brings up:
* The current Senior Director for the North Africa and Yemen National Security Council for the White House
* The former Former Deputy Assistant Secretary of Defense, for the US Department of Defense
* A retired 3-star general and former Deputy National Security Advisor to the President
It says something sad about our cybersecurity preparedness that the director of the CIA is keeping this info in an aol.com account.
@phphax is still up. @_CWA_ was an account that was linked to by @phphax in a stickied post. The @_CWA_ account posted the SSN's of Brennan and about a dozen other gov't officials and mucky mucks. It appears that @_CWA_ was a sacrificial account used for the purpose of disseminating that info.
92 comments
[ 3.2 ms ] story [ 158 ms ] threadLike seriously, it is like begging to be apprehended.
I guess you are right. I clicked the twitter name on the post and he has indeed posted the documents and is daring them. Just unreal.
Also, what is a NY Post story doing here?
NY Post was the first to break the news and it is all over the news- CNN, Fox, etc.. Can't find the link to them but here it is herehttp://www.computerworld.com/article/2994451/cybercrime-hack...
gotta make it sound edgier
I'm not just saying this to be a jerk - this should be grounds for immediate termination of his employment. This is clearly a guy who shows poor judgement with respect to the management of sensitive material.
Also, from the article:
"[The] problem with these older-generation guys is that they don’t know anything about cybersecurity, and as you can see, it can be problematic.”
On the contrary - these "older-generation guys" cut their teeth in an environment where we were going head-to-head with the KGB on a daily basis. These guys have a solid understanding and awareness of basic information security procedures, as well as a strong understanding of adversary capabilities. I don't buy it.
However, the fact its expected levels of incompetence :/
Maybe we need a secret service for tech that's outside the command structure of these agencies.
My guess is that to many people in power, the benefits of using these web services seem to outweigh the disadvantages because they just don't understand the disadvantages. "It's OK - I set a great password!" There's simply nobody powerful enough to monitor what they're doing, independent enough to want to do something about it, and respected enough for people to listen.
We need independent bodies that act as national 'IT departments' and can refuse requests from the very highest powers, in much the same way that any other Head of IT can fire someone for gross misconduct because they were downloading torrents on their company laptop.
Unfortunately today we have people in these branches of government who either won't do their duty because they are terrible at their jobs or because there is a silent quid-pro-quo where these sorts of people look the other way for each other.
More specifically, his security clearance should be revoked, or modified such that he's not allowed to use a computer without being supervised by a competent person; which ought to have the effect that he's basically disqualified from working for the CIA, or speaking about anything related to information security.
I am guessing this kid wiggled his way into a 10+ year old AOL account containing data that was never deleted. We all probably have emails and contacts sitting in a forgotten AOL account.
CNN is reporting he posted his SSN on Twitter.
There was a time when we all had noisy modems and AOL accounts.
CIA Director John Brennan’s private account held sensitive files — including his 47-page application for top-secret security clearance — until he recently learned that it had been infiltrated, the hacker told The Post. Other emails stored in Brennan’s non-government account contained the Social Security numbers and personal information of more than a dozen top American intelligence officials
Storing confidential material in an AOL account would be a crime, just like giving the same material to Wikileaks.
Brennan's PII, job history, etc. is certainly valuable information, but clearance application paperwork itself is unclassified.
Walking by... head pops up... "dude... dude... (trying no to snicker too hard) ... this lady's cup holder is broken..." ... me respondign "cup holder?" ... "yeah, the cd drive.. she thinks it's a cup holder" ...
Such a brief interaction, but really funny none the less... My funniest call was someone calling to back up their master's thesis work, because they were concerned about the power during the storm... was almost 6 minutes into the call when he said the power was out (desktop computer). It's really hard to be professional when faced with certain levels of stupid.
"I get emails all the time from people who say they were -that- tech support guy that got -that- call about the cup holder. While we're on the subject of what people want in their email client, I want my email client to lock all those people in a room and force them to duke it out until there really is only -that one guy-."
These are probably the three most stupid tech things I've seen... I also saw a computer that was shot once, I am pretty sure that's happened a few times.
The director is presumably in charge of executing specific missions and a long term vision for human spying. She/he does this by directing people who manage people who manage people (etc.). I don't think a technical/engineering background is presumed or necessary for such a role.
That said, an understanding of the basic structures and failure modes of information security in the digital world as it pertains to HUMINT does seem highly relevant (and necessary) for crafting and executing a modern vision/mission.
Definitely, but one should know his/her limitations, and that one in particular should also never speak about infosec. Brennan fails on both of those accounts.
It's stupid, man, it's universally stupid.
Stories like these make me shudder thinking about the times I may have, at some point, included a document with personal information in an email, such as to a prospective landlord for verification. Even if I were able to keep my email account reasonably secure...I'm pretty sure all the recipients of my email aren't as wary, or regularly delete old received emails with attachments that they've collected over the _decade_.
Although in Mr. Brennan's case, he doesn't have that same excuse. It may have been reasonably safe (for a layperson in IT) to send his application file over aol.com's servers, but not to keep a copy of it in his Sent box. Even a novice at cybersecurity should realize the problem of keeping digital files around on an online server...it's not much different than keeping files in a file cabinet and expecting that file cabinet never to be compromised.
I always insist on encryption for these sorts of things. I'm fairly certain that for everyone I've asked about an encrypted channel to deliver data, I've always been the first person to even ask. This includes hospitals, agencies who do background checks, etc. It's incredibly disturbing that no one else is insisting that their sensitive documents not just sit unencrypted in all these random in and out boxes.
A quick crosscheck of the names and emails brings up:
* The current Senior Director for the North Africa and Yemen National Security Council for the White House
* The former Former Deputy Assistant Secretary of Defense, for the US Department of Defense
* A retired 3-star general and former Deputy National Security Advisor to the President
It says something sad about our cybersecurity preparedness that the director of the CIA is keeping this info in an aol.com account.
What about the twitter account in the article? I am assuming that is what you meant?