Feds Looking Into Reports CIA Director's Email Was Hacked

An anonymous reader writes: The FBI and Secret Service are looking into reports that non-government personal accounts of CIA Director John Brennan and Department of Homeland Security Secretary Jeh Johnson were hacked. NBC reports: "Questions over a possible hacking of a private email account belonging to the CIA director arose late on Sunday after the New York Post published a story in which a hacker claimed to have gained access to the account. Described by the Post as a 'stoner high school student,' the individual claimed to have taken documents that included the Social Security numbers of top intelligence officials, among other information." ComputerWorld's story on the hack describes some of the images published by the hacker as well, poking fun at Brennan: Another screenshot shows Brennan’s wireless phone bill as the hacker taunted the CIA to “step your game up homies, we own everything of you.” One tweet contains a screenshot of suspicious activity logs as Brennan was “trying to get CWA arrested.” Yet another shows a CIA Office of General Counsel fax cover page. Supposedly, Brennan offered the hacker money to “leave him alone.”

What else do you expect when...

[Anonymous Coward]

you appoint someone like Jeh Johnson, who was a former Democrat fundraiser, for his political connections rather than his ability.

Re: What else do you expect when...

[Anonymous Coward]

Even the announcement when he was nominated to his current cabinet level position recognized that. "To promote racial diversity..."

Re: What else do you expect when...

[Anonymous Coward]

Why was this voted down? Even his Wiki page says he was a Democrat fundraiser.

Re:

[unimacs]

Because maybe when a white dude who had a 25 year career with the CIA gets hacked too, it's not all that relevant.

Re: What else do you expect when...

[unimacs]

Because maybe when a white dude who had a 25 year career with the CIA gets hacked too, it's not all that relevant.

you appoint someone like Jeh Johnson, who was a former Democrat fundraiser, for his political connections rather than his ability.

Uh yes it is relevant. "ability" includes technical abilities which is directly related to hackability. So get over yourself and stick with the facts.

Fact: The assertion was that the Jeh Johnson was hacked because he was not qualified and was appointed to his position because of his political connections. Yet, a 25 year veteran of the CIA who wasn't appointed, was also hacked. So the assertion doesn't hold.

Fact: Another post went on to suggest that Jeh Johnson was selected because of his race and that somehow contributed to the problem. Yet John Brennan was also hacked and he is white. Again, a failure of logic.

Fact: Describing Jeh Johnson as a fundraiser who got the position due to his political connections rather than ability is highly misleading. He has a law degree from Columbia University. He was general council of the Air Force where he received the Decoration for Exceptional Civilian service. He went on to be the General Counsel for the Department of Defense before becoming the Secretary for Homeland Security. Clearly the man is no idiot who was highly placed in organizations charged with our defense prior to his most recent appointment. Not only did he hold those positions but he received an accommodation for his work.

Is he a techie? Probably not, but his job was to run the organization, not be a network administrator. Technical skills likely aren't a big factor in what qualifies one for the job. Should he have known better? Yes, but lots of people who get hacked, have their identity stolen, or whatever should have known better. The problem goes deeper than how department secretaries typically get appointed and whether they are black or not.

The one fact that nobody can deny ....

[Taco Cowboy]

You can list whatever facts you like but at the end of the day the one fact that nobody can deny is that the guy landed his position inside CIA was not based on his ability

No matter if he is a white man or a black man, a high ranking position inside the CIA requires someone who truly _know_ what he or she is doing, that what he does inside the CIA will contribute to the CIA as a whole - not someone who happened to run a fund raising campaign for the POTUS

What happened here signifies what has gone wrong

Re:

[unimacs]

You can list whatever facts you like but at the end of the day the one fact that nobody can deny is that the guy landed his position inside CIA was not based on his ability

Then what was it based on? Brennan worked for the CIA for 25 years. He left around 2005. Prior to being appointed Director of the CIA, Brennan became CEO of The Analysis Corporation, a security consulting business.

I don't doubt that many factors contributed his being selected for the position, but on the surface at least, he would seem to have been qualified.

Some of these posts make it sound like these jobs go to the President's good buddies and favorite fundraisers. There are lots of people on both sides of the political spectrum. When it comes to jobs like this, you can find people who are both qualified and pass whatever political smell test you might want to apply. Remember too, that these folks need to be approved by the Senate.

Re:

[tnk1]

One is a political appointee, the other was an agency executive. The fact is that I expect them to not know shit, people at that level don't know squat about specific security measures for things like email. What I am concerned with is why the numerous experts that the government does have are not running the show on these execs' security.

I get that a lot of this is personal stuff that was not agency or department related. For instance the clearance application is not a government document as much as it

Re:

[Bartles]

Political appointee does not mean what you think it means. They both are political appointees that serve at the pleasure of the President. While one was appointed based on experience, the other was selected based more on political consideration than experience.

Re:

[Mr.CRC]

They should know not to have any sort of personally identifiable information of any employees other than themselves on a personally owned computer, or a work owned computer lacking an encrypted drive. That is a big no-no. Not nearly as big as having classified outside of where it belongs, but still a thing that if someone does it, they should be seriously demoted. Someone at the level of a director should not be fucking up like this.

Re:

[tnk1]

I know it is a government form, just like a 1040 is. And certainly, the government can't simply hand a copy out to anyone they want. That's not the point.

The point is that the information on your form is private and personal, but not classified. Having your own copy of your own form isn't a security violation, but it is a very bad idea to have it laying around in an insecure place were someone could get it.

CIA Sec's AOL account Hacked

[Anonymous Coward]

I think the main thing here is .... AOL is still around?

Re:

[Fire_Wraith]

It is, though mostly in supply email services (and media/ad network stuff).

In fact, you can almost date (non-tech industry) people based on their email addresses now. Gmail? Probably 20s-30s. Yahoo? 40s-50s. Aol? 60+.

Re:

[Anonymous Coward]

Under 20s: wut's email lol?

Re:

[guestapoo]

I don't know about email, but for housing and food stuff, 19 year old youngsters love AOL [slashdot.org]

Re:

[Impy the Impiuos Imp]

I have an aol and a gmail account. These are the only constants as I bump around, changing work emails every 5 years or so.. The aol is from pre-aol-Internet days.

I never felt a need to jump to some cool tech industry address.

SSNs?

[akgooseman]

FFS, why would any person who isn't an idiot email a Social Security number?

is that what your klan is saying?

[publiclurker]

I'd think you'd come up with a better rant since the grownups are all tired of your current one.

my family is black, not stupid

[raymorris]

Some black people aren't stupid, amd make decisions based on something other than "he's black like me."

A few months before Obama started his exploratory presidential campaign, one well-known black leader was asked of he should run. The well-known black leader replied:

You know, I am a believer in knowing what you're doing when you apply for a job. And I think that if [Obama] were to seriously consider running on a national ticket, he would essentially have to start -now-, before having served a day

my family is plaid on the internet.

[publiclurker]

and unlike you, not stupid. Of course, being stupid I'm not surprised that you cannot realize how pathetically ignorant you really are.

Re:

[Coren22]

Your family is Plaid on the internet?

http://movies.stackexchange.co... [stackexchange.com]

Probably mailed himself his EQIP from work

[BenJeremy]

EQIP is the questionnaire the FIB uses to screen people for clearances. It's quite extensive, and quite invasive. It's the information the government lost in the big breach last year. At any rate, it is entirely possible this idiot mailed the form from work to home to fill it out, and then back again... and it sat on his mail server until the hacker gained access to it. It's been a couple of years since I did mine, but I do believe SSNs are on it, including SSNs of family members and associates.

Re:

[Coren22]

https://www.opm.gov/investigat... [opm.gov]

The information is quite extensive. That is why the OPM breach is so very bad. I am amazed more people haven't been owned from this breach, but I haven't heard of the information being used at all.

BTW, EQIP is the online site used to fill it out, the form is the SF86.

Re:

[KGIII]

I did some work for the federal government, specifically a military contract (yes, they use traffic modeling too) and, for some bizarre reason the information was considered classified. I do not really pretend to understand why. I can't tell you what the information was but I can tell you that it probably didn't need to be classified - maybe as FOUO, I guess. But we had to work with the data on their equipment and on site. Anyhow, this was about 12 years ago. I've not heard a thing but I worry that my data

Re:

[Coren22]

I understand, I also am quite worried and have heard very little. It is unfortunate, but they are supposedly trying to figure out who was exposed still.

Re:

[KGIII]

Unless it has arrived in the past month, nothing. Maybe I wasn't included? It was an update that I'd last done - I'd had clearance prior when I was enlisted because I dealt with prisoners and confidential and classified data at times - even just to handle it. I'd kind of like to know something.

Re:

[AHuxley]

In todays digitized, privitized for profit world? It could be as simple as standard gov/mil digital paperwork. A privitized company that keeps one long document that lists mil/gov skills and past work history.
Its sent back to keep safe as "your copy" or to add to or to correct. No need to make the long trip to some secure US gov building and sit down after showing ID :)
The main reason is to make the US mil and gov as attractive to contractors as the private sector. The ability to have a digital work h

Re:

[Solandri]

FFS, why would any person who isn't an idiot email a Social Security number?

I had to last year. Didn't want to, but had to. I was buying a house. I completed most of the mortgage application online via the bank's secure server, including my SSN. But a day before closing the bank told me they needed my signature on some paperwork. The paperwork also had my SSN. The bank's loan office was a hundred mile round trip I didn't have time for, and time was of the essence. So I asked if I could scan and send

Re:

[Mr.CRC]

You may have been able to simply rename the encrypted file .pdf, and it would fly through the filter. Then instruct them to rename it on their end, if need be.

Re:

[pnutjam]

You know, you can password protect pdf's. Sallie Mae used to send me password protected PDF's all the time. I use pdfcreator to make them.

Re:

[Bartles]

Why are agency SSN's on John Brennan's AOL account?

Re:

[Coren22]

That one confused me, but I think they found his SF86 in his email, not other people's SSNs

https://www.opm.gov/investigat... [opm.gov]

Re:

[Bartles]

Since SF 86 is one of the documents used in granting security clearances, I'm fairly certain that a completed SF 86 is a classified document. It should not have been on an unsecured network.

Re:

[jmac_the_man]

SF 86s are not classified. They require special protection because they contain PII, but that's different than classification. You're allowed to work with them on non-classified machines. You're allowed to fill out your own SF 86 on a machine that you personally own.

Personal email accounts

[tripleevenfall]

Why, this is ridiculous. Everyone knows that these personal email servers are secure and aren't a national security risk. Some of our top decision makers have been reassuring us of this all year.

They wouldn't use these simply to subvert record-keeping laws and hide their activities from freedom of information act requests and the like, now would they?

Re:

[khasim]

The problem is that the ONLY people who can use email this way would have to be 100% certain that no one sending them anything will ever betray them.

And that gets even more ludicrous when you're talking about a PUBLIC email service.

Do you think that China and Russia and everyone else does NOT have people working at GMail and Yahoo! and Verizon and so forth?

If they don't have direct access to the public email servers then I'm sure they have access to the ISP's feeding those email servers.

ENCRYPTION! Use it.

Re:

[grilled-cheese]

The interesting question would be if you were to PGP sign+encrypt your email in the public record, could you be compelled to disclose the private key?

Re:

[Coren22]

Unto, not onto.

It's all fun and games...

[The-Ixian]

That "stoner kid" is about to have the weight of the world land on her shoulders....

Re:

[zlives]

did the hacked acknowledge that they are hacked? i am going to assume this is a hoax until then.

Re:

[ganjadude]

yes because everyone who gets hacked fesses up to it

Re:

[zlives]

just because you say you hacked pentagin's gibson, you shouldn't be taken seriously.

Re:

[ganjadude]

also true, always be skeptical, but to assume its a hoax "until they fess up" is a stretch

Re:

[Coren22]

Claiming to have hacked into someone's personal AOL account and showing documents however is much more plausible. (This is what is claimed, not that the CIA or HSA was hacked).

Re:

[Anonymous Coward]

Dude, you're gettin a cell!

Re:

[tnk1]

Apparently pot isn't bad for you, except for some rare side effects where you turn into a moron and hack Homeland Security executives when you don't have a plan to flee to Russia.

It's Reefer Madness!

Re:

[mtrachtenberg]

Although it's illegal and unethical, the CIA is convinced torture works. Brennan should be subjected to it until he reveals all the illegalities in which the CIA has engaged over the past forty years. It's tough, but given that torture works this would provide sufficient information to support the deportation of American war criminals (bye DIck, bye Dubya, bye Condi) to countries in which they can be prosecuted. I'd suggest waterboarding, it's just barely torture, after all.

I suppose there's a possibilit

Re:

[rtb61]

HEY, if they weren't so fucking naughty, murderously so, they would not be so desperate to keep their fucking secrets. They quite erotically explore our every orifice but when it comes to exposing their truly ugly filthy corrupt slimy secrets all hell breaks lose (apparently for good reason because war crimes courts and they are criminals of the worst order). We all know who the weight of world, the weight of their guilt should fall upon and it ain't a bunch of smart stoners, exposing crimes is not a crime,

what goes around comes around

[Anonymous Coward]

good for the goose good for the gander.

Not surprising

[Tablizer]

Any off-the-shelf service or system is probably quite vulnerable to large-state-sponsored hacking.

And this includes "generic" gov't servers not designed for storing secrets (such as the one Mrs. H "should have used").

Correction (Re:Not surprising)

[Tablizer]

Correction, "Mrs. C", not H.

Also, I believe her office had a separate "special" system for classified messages. This is not the "regular" server for non-classified info. However, the details are classified, for obvious reasons.

Re:

[jmac_the_man]

The State Department has an official Unclassified email system, an official Secret one, and an official Top Secret one. The existence of the three parallel networks isn't itself classified.

Clinton should have used the appropriate official network to send each message she sent. (Secret emails through the Secret email system and etc.)

Instead, Clinton used a private system exclusively. That's 100% wrong. Regardless of the protection on the private server, there's NO SUCH THING as a private system approved

I've long been wondering

[Anonymous Coward]

In the Snowden aftermath, why is that everything upper level NSA/CIA/government officials do is not surveilled by the general public and made available to the public?

After all, if they can do it to us, then the senators who voted for the program and the NSA officials who implemented it ought to be fair game, no?

People they sit next to in restaurants should secretly record their conversations. Their ISPs should publish their emails. Their nextdoor neighbors should upload video of their houses. Terrorists are everywhere these days, and you can't be too careful. If they have done nothing wrong, than they should have nothing to fear or hide.

Re:

[MobSwatter]

In the Snowden aftermath, why is that everything upper level NSA/CIA/government officials do is not surveilled by the general public and made available to the public?

After all, if they can do it to us, then the senators who voted for the program and the NSA officials who implemented it ought to be fair game, no?

People they sit next to in restaurants should secretly record their conversations. Their ISPs should publish their emails. Their nextdoor neighbors should upload video of their houses. Terrorists are everywhere these days, and you can't be too careful. If they have done nothing wrong, than they should have nothing to fear or hide.

Perhaps drone strikes on all non gubbermint mail servers are in the future? That's it! All non-gubbermint mail servers are terrorists!

Personal email account so what?

[butchersong]

This is a personal email account. It shouldn't matter all that much that it was hacked unless he was using it for the people's business when he shouldn't have been. Well, other than the fact that some stoner kid was able to get leverage and personal info on the CIA director.. but if that is the case then we should assume the russians, chinese etc. already had such access.

Re:

[bmo]

Isn't the reason that you are grilled during a security clearance audit/review/interview that they are looking for things you might be vulnerable to when blackmailed?

Seeing the stuff that Hastert was being blackmailed for, I think this point is extremely cromulent.

Wouldn't using an insecure email account by such a person be grounds enough to yank that person's clearance if it hasn't been declared? Especially if it has been used for years.

--
BMO

Re:Personal email account so what?

[Locke2005]

Exactly. My coworker had several security clearances, and every time he went up for a new one he had to sign a confession admitting that he had been busted for possession in the Bahamas because someone handed him a lit joint just before a cop walked up. They're not so much concerned with what you've done, just that it's a matter of public record so that you can't be blackmailed for it. This was the main reasons why "Don't ask, don't tell" was the worst possible policy for security - people that can immediately and irrevocably lose their entire career because of a single incident of homosexual conduct are easy targets for blackmailers!

Re:

[HiThere]

Nah...that was a reasonable first step...they just left out the third step, which needed to immediately follow: "don't care".

Re:

[Anonymous Coward]

. lose their entire career because of a single incident of homosexual conduct are easy targets for blackmailers!

I'm curious how valid this is these days or in 1990s. Back in the Cold War, no KGB agent will ever approach a homosexual. i.e. you dedicate service to the duties of Communism and train very hard to be effective KGB agent. Associating with a queer will not put you in good standing with your comrades*. Like other things i.e. catching someone with a mistress, they never did that because the person they are trying to blackmail will probably ask for the photos to give to his friends to show how big a stud he is.

Re:

[tnk1]

I don't think they prevent you from using an insecure email account. The email account is simply how you'd transmit evidence of what you can be blackmailed with.

In any event, you give up some rights, but not all. All they would care about is that you declare to them anything you can be blackmailed with. If you're screwing around behind your wife's back or doing something that makes you look bad, they can bust you for not declaring it to them and decide if you are a risk or not. If they think that you're

Re:

[bmo]

I don't think they prevent you from using an insecure email account. The email account is simply how you'd transmit evidence of what you can be blackmailed with.

I don't think they prevent you from doing it either. I do think that if you have one, that it should be declared that you have one when you do your security audit. If this guy at the CIA had one and didn't declare it then that should be a problem.

People think nothing of creating an email for "non-official business" (like an affair) and not telling

He did it himself

[Hognoxious]

If anyone's hacking the CIA, it's probably the FBI. Assuming that the CIA rate above a milliholmes[1], they're probably aware of this and are counter-hacking the FBI.

Conclusion: He hactually acked himself, the dozy cunt.

[1] SI unit of having a clue

Re:

[labnet]

If anyone's hacking the CIA, it's probably the FBI.

If the USA should abolish any three letter agency, it should be the CIA. This crooked agency has only really worked for big business (esp the Bush cabal), over throwing legitimate governments, destabilizing the world and causing millions of deaths in the resulting civil unrest and general hatred for the USA.

lol!

[Type44Q]

This really reeks of some extremely-poorly-thought-out false flag silliness on the part of the Feds... if the intelligence services themselves are at risk, then surely we need more draconian "security measures" to protect ourselves...

CWA?

[BenJeremy]

Summary doesn't say what "CWA" is.... Chuggers With Attitude? Country Western Airlines?

Just ask the NSA

[Mistakill]

The NSA will have records of this after all