This particular story could be one of dozens (or even hundreds) of these types of incidents that occur in any given week: “government official gets social media and email accounts hacked,” which then leads to highly confidential data being leaked on the internet. Except in this case the official was the current US Central Intelligence Agency director John Brennan, along with several other highly ranked government officials, and the data that was leaked belonged to nearly 30k Federal Bureau of Investigation and Department of Homeland Security employees. Also unusual was that the hackers charged in this breach aren’t Russian or Chinese or North Korean. Nope, at least one of the responsible parties hails from North Carolina. And the real reason I’m bringing this story to your attention is this most important facet of the attack: Brennan and the other victims in this incident weren’t compromised through sophisticated malware and technology – the attackers fooled people associated with the victims – usually service providers – through simple tools like emails and phone calls, under the guise of providing technical assistance.
What this means for you:
“Social engineering” is the digital-age equivalent of con artistry, and it is becoming trivially easy to perpetrate given our reliance on tools like email and large, impersonal corporations. In the case of the above, one of the cons included the hacker actually posing as a Verizon technician in order to fool another Verizon employee into resetting Brennan’s email password, and they just worked their way inward from there. As you should know by now, once a hacker is in your email, it’s all over but the crying. Sadly, there’s not much you can personally do to improve poor security practices at companies like Verizon, and despite impersonation being one of the oldest cons in the book, people still regularly fall for it.
It’s only a matter of time before anyone gets hacked – we are human after all, and despite what you might want to believe, there is always someone more clever than you out there, and if you are unlucky, that person is out to get you. You can practice something that is well known to outfits like the CIA and FBI: compartmentalization. Since none of us are intelligence agents (that I know of!), for our purposes this means keeping personal and work activities separate. You can execute this concept in a number of different ways:
- Keep work and personal email in separate accounts
- Use separate devices for social networking and financial activities like online banking
- Use unique passwords for all your important accounts
- Exchange confidential information only through appropriate secure channels
- Store confidential information in properly secured and backed-up locations
- Require two-factor authentication for your most important accounts
The key to proper execution of this practice is discipline and vigilance. It may be inconvenient and seem inefficient, but weighed against the alternatives, it will be worth the effort.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net
Apparently, even the (former) head of the CIA can fall victim to a security breach. General David Petraeus recently handed in his resignation as the leader of the US’s Central Intelligence Agency when his extra-marital affair surfaced through an investigation led by the CIA’s own sister agency, the Federal Bureau of Investigation. What’s interesting is that the FBI didn’t use exotic technology or Hollywood-esque espionage to gain access to Petraeus’ “anonymous” email account – in the end, it boiled down to a simple, lawful court order under the Electronic Communications Privacy Act. Once the FBI had covert access, they were easily able to track the account usage and trace it to the General himself.
What this means for you:
What undid Petraeus – aside from a lack of integrity and fidelity – wasn’t his extremely clever usage of Gmail. Once again, the subterfuge was ruined by a person – in this case, by his own mistress, Paula Broadwell, who sent threatening emails to Petraeus family friend Jill Kelley, who then got the FBI on the case. In the course of any criminal investigation, the ECPA grants the government authority to access any electronic communication without a warrant if it’s under 180 days old, and if it’s older than 180 days, then all that is needed is a court order. Even if you think you’ve set up an anonymous email account, all email travels through the internet with metadata attached to the digital envelope that is impossible to hide. Think of it as a digital postmark. And because all data must come from somewhere and go somewhere, IP addresses (and logs) make it possible to pinpoint those locations with ruthless precision. The next time you send an email that you need to be completely confidential, think carefully about the implications of it appearing on the front page of every news website in the world. Obviously, the government doesn’t have the time (or the justification) to watch everyone in America, but they certainly have the means, and the will to use them, even if it undermines one of their own sacred cows.
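To make the “digital postmark” concrete, here is an added example (not from the original post) that walks the Received headers of a constructed message to recover the relay path and the address the message first came from; every hostname and IP address in it is a placeholder from the documentation ranges, not a real capture.

```python
import email
import re

# Constructed sample message (placeholder hosts, RFC 5737 documentation IPs).
# Each relay prepends its own Received header, so the top one is the newest.
RAW_MESSAGE = """\
Received: from mx.example.net (mx.example.net [203.0.113.7])
\tby inbox.example.org with ESMTP id abc123
\tfor <friend@example.org>; Mon, 12 Nov 2012 10:05:01 -0500
Received: from webmail.example.net (webmail.example.net [198.51.100.20])
\tby mx.example.net with ESMTP id def456;
\tMon, 12 Nov 2012 10:04:58 -0500
Received: from [192.0.2.44] (unknown [192.0.2.44])
\tby webmail.example.net with HTTP;
\tMon, 12 Nov 2012 10:04:55 -0500
From: throwaway@example.net
To: friend@example.org
Date: Mon, 12 Nov 2012 10:04:55 -0500
Message-ID: <20121112150455.12345@webmail.example.net>
Subject: hello

body text
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # bracketed IPv4 literal
BY_RE = re.compile(r"\bby\s+(\S+)")                      # receiving relay name


def relay_path(raw):
    """Return hops oldest-first as dicts: ip (sending host), by (relay), time."""
    msg = email.message_from_string(raw)
    hops = []
    for header in msg.get_all("Received", []):
        text = " ".join(header.split())          # unfold the header
        ip = IP_RE.search(text)
        by = BY_RE.search(text)
        hops.append({
            "ip": ip.group(1) if ip else None,
            "by": by.group(1) if by else None,
            "time": text.rsplit(";", 1)[-1].strip(),   # date follows the last ';'
        })
    hops.reverse()                               # headers are newest-first
    return hops


def originating_ip(raw):
    """Address recorded by the first relay: the 'postmark' of the sender."""
    hops = relay_path(raw)
    return hops[0]["ip"] if hops else None


if __name__ == "__main__":
    for hop in relay_path(RAW_MESSAGE):
        print(f"{hop['time']}: {hop['ip']} -> {hop['by']}")
```

The webmail provider's own logs would tie that first address and timestamp to a login session, which is the kind of record a court order can reach.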
Image courtesy of renjith krishnan / FreeDigitalPhotos.net