I strive to be original in my writing. But sometimes another writer comes up with something that’s so wonderful that I just have to use it. So when a commentator said this, I had to share it with you:
What do China, a 13-year-old stoner, and now, thanks to WikiLeaks, the American public all have in common? They each have a dated copy of CIA Director John Brennan’s application for U.S. security clearance from 2008.
That’s right. But here’s the really insane part about this breach of digital privacy…
Chinese government hackers got Brennan’s details as a result of a highly sophisticated hack into the Office of Personnel Management’s servers. (They also got details on every security clearance conducted by the U.S. government for the last 15 years.) But a 13-year-old kid got the same information by asking Verizon for the password to Brennan’s email account. And they gave it to him.
I’m not kidding. And you shouldn’t be laughing.
Yes, It’s That Easy
The head of the Central Intelligence Agency (CIA) used an America Online (AOL) email account — one of the least secure in existence — to correspond with the federal government on highly sensitive matters for years. That’s bad.
Even worse is that a 13-year-old kid who goes by the online name “Cracka” obtained access to Brennan’s AOL emails by posing as a Verizon worker to trick an employee into revealing the spy chief’s personal information. Cracka called a Verizon internal helpline, provided a made-up employee ID code, and told them he was trying to help a customer but that his access to Verizon’s database was down.
So the Verizon employee handed over Brennan’s Verizon account number, his four-digit PIN, the backup mobile number on the account, Brennan’s AOL email address and the last four digits on his bank card.
Using that information, Cracka was able to reset the password on Brennan’s AOL email account and log in. The documents he accessed included the sensitive 47-page SF-86 application that Brennan had filled out to obtain his top-secret government security clearance.
They ended up on WikiLeaks the next day.
Laugh or Cry? Both.
John Brennan currently heads an agency that spends millions of our dollars securing government information, and millions more hacking into other governments — and us. The hacked emails date from the period leading up to his appointment as White House Homeland Security Czar, where part of his job was to prevent hacks. He should be able to teach a master class on digital privacy.
Instead, he offers a lesson in how incompetent and untrustworthy our government is when it comes to digital privacy.
Cracka used the very same personal information — “metadata” from Verizon — that the National Security Agency and the rest of the U.S. intelligence community have collected on all of us. Brennan and his ilk have long told us that we shouldn’t have an “expectation of privacy” in such metadata, and so shouldn’t complain when it’s turned over to spy agencies. But as Cracka’s hack of Brennan makes clear, metadata can give anyone easy access to sensitive information.
Forgive me if I indulge in a bit of schadenfreude here. This couldn’t have happened to a more deserving person.
Last year, Brennan authorized the CIA to spy on its own constitutional overseers from the Senate Intelligence Committee, based on the unsubstantiated allegation they had “stolen” a document that they, in fact, had been given. That was a gross violation of the constitutional separation of powers, and one of the more breathtaking bits of abusive and illegal spying in recent years.
Brennan is also clearly criminally careless. He stored sensitive government documents on an AOL server for at least six years, while heading government agencies devoted to information security — as Homeland Security Czar, then CIA Director. And yet he remains one of the key intelligence officials in the Obama Administration.
Don’t Make Brennan’s Digital Privacy Mistake
John Brennan violated many of my key recommendations. He didn’t use encryption. He used an insecure commercial email provider. He left sensitive emails and attachments on an email server long after they had been delivered. He used the same information for multiple accounts, and he didn’t change it regularly.
Brennan’s carelessness is unforgivable for a person in his position. But it’s increasingly clear that none of us will be able to forgive ourselves if we don’t act soon to secure our privacy from snoops.
Fortunately, I’ve released a comprehensive guide on how you can do just that … the Privacy Code 2.0.
Offshore and Asset Protection Editor