When you heard that CIA Director John Brennan’s private AOL email account had been hacked, you probably had the same question I did: Why did he have an AOL account? As I told NBC’s Pete Williams yesterday, the jokes write themselves. Was his carrier pigeon kidnapped, too?
AOL and CIA don’t seem like they go together very well.
I discussed this and more with Pete for a spot on NBC Nightly News last night. You can click above to watch it. If you want the tech details on how it was done, click here to read Kim Zetter’s piece on Wired. (That’s how you always get the details.) But briefly, the hacker(s) tricked one company into giving up information on a consumer, then used that information to attack the same consumer at a second company. It’s an ooooooold problem.
But let me make a few points here:
“Forgot your password” is every hacker’s favorite tool. We’ve known this for years. People forget passwords. When they do, there must be a way to recover or reset the password. This method is almost always less secure than the login credentials. The hurdles to reset the password turn out to be something the company knows, and something hackers can learn. Pets’ names. Old girlfriends’ names. At the sophisticated end, the name of your mortgage holder. Or in this case, payment card details. All discoverable. The lesson for you? When you set up an account and a company asks you to supply answers to those annoying questions, take an extra moment to make it hard on a hacker. But can you make it impossible? Probably not. One trick smart security professionals employ is to lie in their answers (say your first car was an AMC Pacer when it was really a Ford Escort). You have to remember the lies, of course, but lies are a lot harder to discover through traditional research.
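To put numbers on that point, here is an added example (not from the original post) that compares how many guesses a truthful recovery answer survives against a made-up random one, and how that stacks up against a throttled reset page. The guess-space sizes per question are constructed assumptions for illustration, not survey data.

```python
import math
import secrets
import string

# Constructed assumptions: rough size of the list an attacker would work through
# for a truthful answer to each common recovery question.
TRUTHFUL_GUESS_SPACE = {
    "first car": 500,             # popular car models
    "pet's name": 2000,           # common pet-name lists
    "mother's maiden name": 50000, # surname frequency tables
}

# Alphabet used for a made-up ("lie") answer that only a password manager remembers.
FAKE_ALPHABET = string.ascii_lowercase + string.digits  # 36 symbols


def truthful_answer_bits(question: str) -> float:
    """Entropy in bits of a truthful answer, given the assumed guess space."""
    return math.log2(TRUTHFUL_GUESS_SPACE[question])


def fake_answer_bits(length: int, alphabet_size: int = len(FAKE_ALPHABET)) -> float:
    """Entropy in bits of a uniformly random answer of the given length."""
    return length * math.log2(alphabet_size)


def make_fake_answer(length: int = 16) -> str:
    """Generate a random recovery 'lie' with a cryptographic RNG (store it, don't memorize it)."""
    return "".join(secrets.choice(FAKE_ALPHABET) for _ in range(length))


def success_probability(bits: float, attempts: int) -> float:
    """Chance an attacker guesses the answer within a budget of online attempts,
    e.g. what a rate-limited 'forgot password' form still allows."""
    return min(1.0, attempts / (2.0 ** bits))


def recovery_weaker_than_password(question: str, password_bits: float) -> bool:
    """True when the truthful recovery answer is easier to guess than the password it resets."""
    return truthful_answer_bits(question) < password_bits


if __name__ == "__main__":
    budget = 1000  # attempts an attacker gets before giving up or being locked out
    for q in TRUTHFUL_GUESS_SPACE:
        b = truthful_answer_bits(q)
        print(f"{q:22s} {b:5.1f} bits, p(success|{budget} tries) = {success_probability(b, budget):.3f}")
    fb = fake_answer_bits(16)
    print(f"random 16-char lie     {fb:5.1f} bits, p(success|{budget} tries) = {success_probability(fb, budget):.1e}")
    print("example lie:", make_fake_answer())
```

The output makes the author's point concrete: every truthful answer falls to a modest online guessing budget, while a random answer kept in a password manager does not, and none of the truthful answers comes close to the strength of even a mediocre password.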
Work and pleasure mix. They just do: Everybody forwards work emails to their personal email address. Don’t lie (Sorry for the ambivalence on that one). It’s just too convenient. It’s too easy. With very rare exception, companies encourage employees to bring work home, to bring their own devices, and yes, even their own email addresses to the job. It saves money and gains them productivity. This problem is most clear in the BYOD world, where your iPhone basically becomes company property once you start reading emails on it. Companies that don’t want their secure information finding its way onto AOL email have to invest in serious technology to forbid it. They also have to let workers leave their work at work. No personal laptops. No quick logging in from home. No, “Oh my work phone is dead, I’ll just use my personal phone this one time.” Until companies are willing to make that investment, things like this will happen. Even to the CIA director.
Those F%^%^ING attachments. They are the source of so much trouble. Attachments are the main delivery mechanism for virus attacks that infiltrate companies. Spear phishing emails with fake “resumes” or “spreadsheets” lead to corporate espionage. And yes, it’s easy to forward a spreadsheet of Social Security numbers from some HR database to a web-based email account. And then, holy heck can break out. If you are CIA director, you end up being the lead story on the NBC Nightly News. If you work in human resources, something much worse can happen – you could lose your job. The lesson? Treat attachments like fire. Or maybe like firecrackers. They can be useful, but playing with them is dangerous, and they will almost certainly explode on you at some point. Use attachments sparingly, if at all.
It can happen to anyone. Here is yet another example proving that even people whose lives and careers depend on security have lapses in judgment. Really? The CIA director getting caught by a teenager with his pants down, using an AOL account to store sensitive (if not Top Secret or Classified) information. You can be secure and make smart choices 23 hours and 59 minutes a day, but it only takes a momentary lapse of reason to make a big mistake. So consider this story, think, “There but for the grace of God go I,” and then keep your guard up.
A slightly different version of the story appeared on the TODAY show this morning. Click below to watch that.