(CNN) The
FBI and Secret Service are investigating reports that non-government
email accounts associated with CIA Director John Brennan as well as
Department of Homeland Security Secretary Jeh Johnson were hacked, law
enforcement officials told CNN.
The New York Post interviewed
the alleged hacker, who said he accessed an AOL account associated with
Brennan that included files regarding his security clearance
application, and the hacker also claims to have accessed a Comcast
account associated with Johnson.
The
CIA issued a statement Monday saying they are aware of the report. A DHS
spokesman also issued a statement saying, "We don't discuss the
Secretary's security information. We have forwarded this matter to the
appropriate authorities." The FBI declined to comment.
It does not appear that any classified information was accessed, according to a law enforcement official.
The
reports highlight the sensitivity of government officials using
personal email addresses whether or not they use them for government
purposes, an issue thrust into the spotlight in part by Hillary
Clinton's use of private email when she was secretary of state.
While
much of the controversy over Clinton's email use stems from the fact
that she used the account for work purposes, there has also been
concern about officials using personal email for non-government purposes
but on company computers.
The problem is that private email addresses make easy targets.
Johnson
apologized over the summer for getting a waiver to use personal email
on government computers at the Department of Homeland Security -- the
civilian agency tasked largely with leading the federal government's
cybersecurity efforts. He called it a "whoops" moment and extended an
existing ban to cover top officials who had sought waivers for their
email access.
The concern with personal
email is that it can be relatively easy for hackers to target and
exists outside the protections on .gov email addresses managed by the
government.
In fact, the hacker told The New York Post that he used a stunningly simple tactic to allegedly hack Brennan's account.
The
process, called "social engineering," involves collecting information
on a person that is publicly available and using it to personalize an
attack on their accounts. In this case, the alleged hacker told the Post
he tricked Verizon employees into giving him Brennan's information and
got AOL to reset his password, presumably sending the reset to the
hacker.
The tactic, taking advantage of call centers, has been documented by several in the security community as a relatively easy and dangerous hacking technique.
In another form of social engineering, a hacker in 2008 broke into
the email account of former vice presidential candidate Sarah Palin by
answering her simple security questions, including her birthday and zip
code.
And there are other ways
personal email addresses can be a risk, including malicious software
spread by links in unsophisticated spam.
Though
in this case it doesn't appear any classified information was housed on
the officials' accounts, the hacker claims to have accessed Brennan's
47-page application for his security clearance, which includes countless
personal details, and to have accessed Johnson's billing page and
voicemails.
The hacker told the Post he was a high school student who is critical of U.S. foreign policy and a supporter of Palestine.