America's top spy has reportedly been caught using his personal AOL email account to store sensitive government information after the account was hacked multiple times by a high school student.
The alleged hacker told the New York Post that he gained access to the personal email account of CIA Director John Brennan and found sensitive information, including Brennan's SF-86 application for top-secret security clearance, the Social Security numbers and personal information for a number of top American intelligence officials, and a letter from the Senate asking the CIA to halt its use of harsh interrogation techniques against terror suspects.
The hacker said he used social engineering to trick Verizon employees into providing personal information on Brennan, and then used that information to reset Brennan's AOL password. Brennan reset the password to the account three times, but the hacker said he was able to break in every time Brennan retook control, until the account was permanently closed on Oct. 16.
The hacker also told Wired he had broken into the Comcast account of Jeh Johnson, U.S. secretary of homeland security, but there have been no reports of sensitive information found in that account.
It is unclear if Brennan used the AOL account to conduct government business, but at the very least, he had forwarded emails there from his official White House email account.
The SF-86 application alone potentially held Brennan's Social Security and passport information, as well as contact information on Brennan's relatives and foreign associates. The application may have also included information on Brennan's psychological and emotional health, police record, illegal drug use and hacking record, but Jim Jaeger, chief cyber services strategist for Boston-based Fidelis Cybersecurity, said the existence of the application in Brennan's personal email may not be cause for alarm.
"I don't know what the date is on the SF-86 security clearance application that is in question here, but there is a fair likelihood that it was prepared during Brennan's (roughly) three-year gap in government employment," Jaeger said. "It is standard procedure to prepare these documents on your home computer if you are not an active government employee. Also, it is unlikely that Brennan's SF-86 would contain much derogatory/sensitive information; since he had been a CIA employee most of his life, I would expect that his SF-86 was squeaky clean."
However, the personally identifiable information on other intelligence officials and email from the Senate are examples of a failure in judgment by Brennan, said experts, and another in a long line of senior officials choosing convenience over security.
"It is not uncommon for senior leaders who deal with sensitive information to pick convenience over security," Schilling said. "It is these choices senior leaders make for convenience over security, which create gaps in our security fabric and allow unsophisticated nation state actors to exploit. I think senior leaders will start making different choices when they spend time behind bars for these reckless decisions. However, that has yet to happen."
While experts unanimously said that there is no good reason for a government official to keep sensitive data in a personal email account like this, two experts noted that the security failures are on Verizon and AOL.
Chris Blow, senior security advisor at Indianapolis-based Rook Security Inc., said Verizon should never have given information to the hacker.
"The social engineer in this case was able to procure information from Verizon by posing as a Verizon employee and using a unique number given to each employee," Blow said. "Was that unique number verified as being valid? If not, why wasn't the proper due diligence performed to make sure that this kid was actually who he said he was?"
Blow suggested that traditional security questions about someone's mother's maiden name, first car or pet's name are inherently insecure and need to be replaced. Or, in the meantime, users should give fake answers that can't be figured out so easily, to avoid having their email hacked.
Scott Petry, co-founder and CEO of Authentic8 Inc., based in Mountain View, Calif., said AOL also failed to require sufficient validation of the user before resetting the account.
"This exploit is not the fault of the user. It is the fault of AOL and other service providers that allow accounts to be reset, without sufficient validation of the user," Petry said. "This has been a vulnerability as long as there have been services."
Petry said both Apple and Amazon had dealt with similar high-profile exploits and changed their processes in response, and AOL should have done the same.
"All the information that you'd typically need to pass the 'security questions' of these services can be found online," Petry said. "Service providers should be proactive about ensuring their internal processes keep up with the changing threat environment."
Experts suggested service providers should not only change traditional security questions, but should offer multifactor authentication options, which AOL currently does not offer, and encryption options for data at rest and data in motion. Jaeger and others said the last line of defense is always a more educated employee base.
"When two-factor solutions are not practical, service providers must train their help desk personnel to detect social engineering and hold them accountable for violations of established security procedures," Jaeger said. "Also, individual users need to recognize how easy it is to research their backgrounds on the Internet and only choose security questions with very obscure responses."
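Two of the defensive points raised above, that repeated security-question resets on one account are a signal worth catching and that security questions should be answered with something an attacker cannot research, can be put into code. The example below is added here and is not from the article or from any provider named in it; the audit-log format and the `kba`/`otp` method labels are constructed for illustration.

```python
import re
import secrets
import string
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an account-recovery audit log (not real provider data).
# method=kba means the reset was authorised by security-question answers alone;
# method=otp means a second factor was used.
SAMPLE_LOG = """\
2015-10-12T14:03:11Z event=password_reset account=user1@example.com method=kba result=success
2015-10-13T09:41:27Z event=password_reset account=user1@example.com method=kba result=success
2015-10-13T17:22:05Z event=login account=user1@example.com result=success
2015-10-15T08:10:44Z event=password_reset account=user1@example.com method=kba result=success
2015-10-15T20:55:01Z event=password_reset account=user2@example.com method=otp result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")

def parse_log(text):
    """Yield (timestamp, fields) for each well-formed line of the log."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, fields

def kba_reset_churn(text, limit=2, window=timedelta(days=7)):
    """Return {account: count} for accounts reset via security questions alone
    more than `limit` times inside any `window`. An owner recovering the account
    and an intruder re-taking it produces exactly this back-and-forth pattern."""
    resets = defaultdict(list)
    for ts, f in parse_log(text):
        if (f.get("event") == "password_reset" and f.get("method") == "kba"
                and f.get("result") == "success"):
            resets[f["account"]].append(ts)
    flagged = {}
    for account, times in resets.items():
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)
            if n > limit:
                flagged[account] = n
                break
    return flagged

def random_security_answer(length=20):
    """A high-entropy 'answer' to store in a password manager instead of a
    researchable fact such as a mother's maiden name or a first car."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

The churn threshold and window are assumptions; a provider would tune them to its own reset volume and pair the alert with a mandatory second factor on the next reset.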