The hackers who found their way into CIA Director John Brennan's personal email account didn't use sophisticated coding skills. They just wheedled their way past his service providers' customer service agents to take command of all his accounts.
It's a striking reminder that even high-ranking members of the US government's intelligence community are only as secure as their weakest safeguards. In Brennan's case, those weak points were outside of the CIA. That hack followed the Department of Defense's revelation in April that Russian hackers compromised its systems when security professionals clicked on email links containing malicious code. In both cases, people who are trained to know better fell victim to attacks that exploited their human weakness.
"They said, 'Hey sir, it was Monday, it was early in the morning, I was coming in and blowing through my emails trying to get ready for my first meeting,'" Adm. Michael S. Rogers, director of the National Security Agency, said Monday at the WSJD Conference, explaining why employees clicked on the suspect links.
Brennan's personal AOL account was breached after hackers duped customer service agents at Verizon AOL. The hackers told Wired they obtained Brennan's cell phone number, tricked Verizon into handing over his email address and other personal information like the last four digits of his bank card.
In the final step, the intruders used that personal information to talk AOL into resetting Brennan's password, which allowed them access to the account. The hackers claim to have obtained sensitive documents relating to CIA personnel, such as their names and Social Security numbers.
AOL representatives didn't respond to a request for comment on the report.
Security experts refer to this kind of attack as social engineering, and it's easier than it sounds. "These kinds of attacks happen daily all over the world to anyone," said Marc Boroditsky, manager of Authy, a cybersecurity company that creates tools for proving your identity when signing into an account.
Here's where we would love to tell you all the ways you can lock down your email account. And indeed there are some barriers you can throw into the path of hackers. The most substantial of these is called two-factor authentication, Boroditsky said. This makes it harder to remotely reset a password because it requires entering a code sent to your mobile phone, for example.
The more accounts that have the requirement, the harder it will be for intruders to sweet-talk themselves past customer service workers and into your accounts, said Boroditsky. You can check with your bank and other online services for two-factor authentication, or find a list of the companies that offer it for online accounts at twofactorauth.org.
But as long as companies like AOL are willing to trust people who call into customer service with the answers to a few security questions, accounts are vulnerable, Boroditsky warned.
"If someone is as determined as these hackers were to breach these officials' accounts, no amount of knowledge-based security is going to protect you from this extent of social engineering," he said.