"He's supposed to be so high in the government. Head of CIA. He should be more clever." Those are the words of an alleged hacker from a self-styled "operation" called CWA--Crackas With Attitudes--in conversation with CNNMoney's Laurie Segall. The alleged hackers accessed sensitive information stashed in the private email accounts of Homeland Security Secretary Jeh Johnson and CIA Director John Brennan.
As it stands now, the FBI and the Secret Service are looking into claims made by the two high school hackers first reported by the New York Post. If verified, the compromise would represent an alarmingly low-tech assault on two high-profile members of the U.S. intelligence community.
According to the Post, the personal Comcast account of Johnson and a personal AOL email account associated with Brennan were accessed by the hackers using personally identifiable information that they were able to acquire online. According to that account, among the documents found was a 47-page application for top-secret security clearance stashed on the accessed AOL account.
The hackers were scalding in their estimation of the crime.
LAURIE SEGALL: If this is true that you guys have broken into his private email account, how difficult would you say it was?
CWA: Out of ten? One.
Stating to Segall that their goal was to "Free Palestine," the hackers recounted just how easy it was to get access (way too easy) and enumerated still more information they claimed to have accessed in the two personal email accounts, which, again, according to the Post, also included the Social Security numbers of "top American intelligence officers, as well as a government letter about the use of 'harsh interrogation techniques' on terrorism suspects." The hackers told Segall that there was also correspondence about Syria and Iraq as well as "a lot of private information."
On one level, it almost doesn't matter whether or not any of this actually happened. Obviously, it's significant from a national security point of view. But when looked at through the lens of data security, the point here--the real takeaway--is that the sloppy practice described and exploited by the hackers, stashing work documents on a personal email account, is by no means uncommon.
Increasingly, in the aftermath of a big news data security item -- whether it takes the form of a high-profile mega breach (think: Office of Personnel Management, Anthem, Sony Pictures, Home Depot, Target) or a low-tech data grab -- an odd phenomenon happens. First, there is what you might call the "water cooler" phase -- news of the breach comes up in casual conversation. As the news coverage quickly moves on to whatever else is happening in the world, those conversations move on as well. The next thing that happens, unfortunately, is a widespread case of collective amnesia.
At least part of the reason this amnesia sets in is that we don't talk enough about what these breaches and compromises mean on the consumer level. If you have ever found yourself in the sights of an identity thief, you know all too well how horrible life can be after you press send on an e-filed tax return and you're blocked because you already filed, open that letter from a collection agency for a debt you've never heard of, are refused coverage by an insurer, or are denied a loan for a new home, car or investment because your credit has been compromised. But for many consumers, the attack takes the form of a credit card account takeover, which is more a nuisance than anything else. And this low-fallout scenario may be why a significant number of people move on to the next news item after a breach. We're used to thinking the bank will make everything all right.
But it's not always so simple.
Meanwhile, the increasing number of high-profile compromises reveals a generalized apathy in the face of data insecurity--or worse still, resignation. The fact that more than a billion records containing personally identifiable information are already out there and for sale on the information black markets is no longer headline news. The notion that identity theft is now the third certainty in life, right behind death and taxes, is increasingly a truism among informed consumers. So, in the face of that, what does one do? As I outline in my forthcoming book, Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves, I urge readers to start thinking in terms of the three M's: Minimizing risk, Monitoring your identity and Managing the damage.
The threat to email and the practice of stashing work documents on non-secure email accounts definitely falls under the heading of the first M: Minimizing risk.
- Email is not a safe environment to store data. It is a delivery system.
- Email is not a safe delivery system for sensitive information. There are secure systems -- Zixmail, Hushmail, PGP Desktop Email, JumbleMe, Djigzo and others you can check out in Entrepreneur's roundup -- and to varying degrees, they are safer since they encrypt messages and require authentication before access is granted, but nothing is failsafe, and there is always the issue of human error.
- Passwords are not supposed to be convenient or permanent. The best passwords are impossible to remember and temporary, i.e., Ou45x11!per.iSfG4EeW might work for a week or so. But don't cut and paste it, since that means the password resides somewhere on your hard drive.