COMP 607: WEEK 8: Unit 4 Part 2: Gathering Information on Computer Crime

This Global Research article describes the position CIA director John Brennan finds himself in when a hacker group enabled the publication of e-mails from his personal AOL mail account. The hacker group, who call themselves Crackas With Attitude or CWA, were able to gain access to his account through social engineering. According to Dolan (2004, p.2), social engineering involves the use of “tactics to leverage trust, helpfulness, easily attainable information, knowledge of internal processes, authority, technology and any combination thereof.”  What exacerbated the damage to Mr. Brennan was the fact that WikiLeaks started to release documents that were found on the e-mail account on the 21st of October 2015 (Greenberg, 2015).

CWA first performed a reverse look up of Brennan’s phone number. Once it was identified that he was a Verizon customer, one of them pretended to be a Verizon employee, and called the company to obtain details of Brennan’s mobile phone account. Through this, they were able to obtain his AOL e-mail address and the last four digits of his bank card.

They then contacted AOL pretending to be Brennan, indicating he was locked out of his account. The response to the security question AOL posed was the last four digits of the bank card.  Brennan was then informed about the compromise by CWA.  CWA’s outlandish demands resulted in Brennan eventually closing down the account.

In the world of information system security, using social engineering to gain access to a system is a simple and highly effective technique. Anyone with some with some charisma and ability to string a story together can manipulate a target to reveal pieces, if not all, of the information required to access a secure area. According to the US Computer Emergency Readiness Team (US-CERT), phishing incidents such as the one that eventually victimized the CIA director, have become increasingly prevalent and highly lucrative for criminals (Milletary, 2011). Combined with an attack that is more technical in nature, such as one that uses malware to lock a victim out of their account or scam users through phony web-pages, social engineering attacks can be highly damaging and costly. It is noteworthy that this attack started with a human interaction with an employee of a service provider. It is clear that technical savvy does not protect one from an attack that utilizes an everyday activity such as social interaction.

One of the most frequently encountered safeguard against the vulnerability of social engineering is the use of two step verification. This makes it more difficult for someone who has gained access to a piece of authentication information to gain access to a system as a second piece of authentication is required. While it is not infallible, it adds another hurdle to the infiltrator, and may even possibly buy time to mitigate an attack if one is suspected.

References:

Dolan, A. (2004, Feb 10). Social engineering. Retrieved from SANS Institute InfoSec Reading Room: https://www.sans.org/reading-room/whitepapers/engineering/social-engineering-1365

Greenberg, A. (2015). WikiLeaks is publishing the CIA director’s hacked emails. Condé Nast. Retrieved from http://www.wired.com/2015/10/wikileaks-publishing-cia-director-john-brennan-hacked-emails/

Kampmark, B. (2015). Hacking the CIA Director: What John Brennan’s emails reveal. Global Research. Retrieved from http://www.globalresearch.ca/hacking-the-cia-director-what-john-brennans-emails-reveal/5484186

Milletary, J. (2011). Technical trends in phishing attacks. US-CERT. Retrieved from https://www.us-cert.gov/sites/default/files/publications/phishing_trends0511.pdf

Zetter, K. (2015). Teen who hacked CIA director’s email tells how he did it. Condé Nast. Retrieved from http://www.wired.com/2015/10/hacker-who-broke-into-cia-director-john-brennan-email-tells-how-he-did-it/