Underage Hacker Is behind Attacks against US Government

It's a teenager:

British police have arrested a teenager who allegedly was behind a series of audacious -- and, for senior U.S. national security officials, embarrassing -- hacks targeting personal accounts of top brass at the CIA, FBI, Homeland Security Department, the White House and other federal agencies, according to U.S. officials briefed on the investigation.

[...]

The prominent victims have included CIA Director John Brennan, whose personal AOL account was breached, the then FBI Deputy Director Mark Giuliano, and James Clapper, the director of National Intelligence.

This week, the latest target became apparent when personal details of 20,000 FBI employees surfaced online.

By then a team of some of the FBI's sharpest cyber experts had homed in on their suspect, officials said. They were shocked to find that a "16-year-old computer nerd" had done so well to cover his tracks, a U.S. official said.

Not really surprised, but underscores how diffuse the threat is.

Posted on February 18, 2016 at 6:02 AM • 35 Comments

Comments

Shaz • February 18, 2016 8:40 AM

I'd like to know more about how he covered his tracks and where he went wrong.

In fact, I'd love for some doctoral candidate somewhere to do his/her dissertation on how, say, the top 25 hackers were caught. What they did, if anything, to cover their tracks and what ultimately brought them down. A bonus for some post-grad work would be a paper outlining hackers out there that are still at large and what they do to cover their tracks.

Knowledge is power.

Ramriot • February 18, 2016 8:40 AM

You have to wonder what the Opsec is going on in the federal government if a teen can pwn their stuff so completely.

Oh and BTW, WTF is a senior CIA person doing having a private email account, especially an AOL one.

Take away feds here is, you left your front door open and someone stole all
your stuff, too bad.

Peter A. • February 18, 2016 10:17 AM

@Ramriot: Senior CIA person having private email account is perfectly fine as long as he keeps only private stuff there - but not TOO private...

Z • February 18, 2016 11:33 AM

Random observation: every time some kid hacks an external system, the narrative is always "their security is so bad, even a kid can break it". It's never "hacking is so easy, even a kid can do it".

Observer • February 18, 2016 11:42 AM

@Shaz

I'd like to know more about how he covered his tracks and where he went wrong.
In fact, I'd love for some doctoral candidate somewhere to do his/her dissertation on how, say, the top 25 hackers were caught. What they did, if anything, to cover their tracks and what ultimately brought them down. A bonus for some post-grad work would be a paper outlining hackers out there that are still at large and what they do to cover their tracks.
Knowledge is power.

Like in espionage, the real case studies to study in 'how not to get caught', are those who never were caught. The ones who are caught are very often the worst.

This sort of hacker has severe personality flaws which ensures they will get caught. They are social creatures motivated by ego and praise. So, they are easy to manipulate.

Taunting them is their easiest to exploit weakness.

wumpus • February 18, 2016 11:45 AM

Basically this is the issue with deterrence in computer security. Any deterrence is sufficiently far away from a large segment of potential crackers to be useless. If you are relying on something absolutely worthless in stopping:
teenagers
psycho/sociopaths
other mental illnesses that don't interfere [and likely help] with computer use (mainly the autism spectra, but I'm sure there are others).

As always, defence in depth. And for god's sake, don't let any of your private data touch a computer infected with Microsoft, Android, or Adobe (sounds like Apple is fighting to stay off this list, but SIRIously?)

Sancho_P • February 18, 2016 12:33 PM

There’s only one straight way out here:

Reward the kid.
Find out and share how it was done.
Punish those who are responsible.
Learn from the incident.

... Of course none of these points will be done.

Probably the crackas will learn from it:
Don’t brag about, silently sell the access!

Skeptic • February 18, 2016 1:22 PM

So much fail for the government's argument to collect more of our data. If they can't protect their servers from 16 year old kids how good will they stand against foreign governments and insider attacks?

albert • February 18, 2016 2:44 PM

First of all, it's the -alleged hacker-. Second, the IC accounts were -personal- accounts. 'Private' is meaningless; ALL email accounts are supposed to be private. That they are not, should be abundantly clear by now. You'd think so, wouldn't you?

I don't care if some IC drone gets caught with his pants down; if they're that stupid, they deserve it.

The problems start when they use personal accounts for government business, especially 'secret' business.

I know that large international corporations issue company phones along with company email accounts and company laptops, to be used for business purposes only. At least the company has some control of the security of those devices. With the personal versions, anything goes.

Has there been any talk of extradition to the US yet?

. .. . .. --- ....

Observer • February 18, 2016 3:33 PM

@albert

First of all, it's the -alleged hacker-.

How easily we can all throw away the 'innocent until proven guilty' stance, without thinking.

I know that large international corporations issue company phones along with company email accounts and company laptops, to be used for business purposes only. At least the company has some control of the security of those devices. With the personal versions, anything goes.

He didn't really do much or damage much. It all made a lot of headlines, but the captured information was pretty innocuous and ho hum.

Except for releasing the FBI and DHS employee lists.

The time between releasing the FBI employee list and his arrest was very short. Four days is about how long it takes for one foreign, large bureaucracy to move in tandem with another large bureaucracy... when they already have the suspect either turned or under close scrutiny.


It was even worse with Sabu. He was working for the FBI, they had his systems entirely monitored, and they were in the apartment above his to his full knowledge when he engaged in the Stratfor hack and released that data. Along with many other very damaging hacks.

Conspiracy or incompetence? As the Stratfor data seemed to have no disinformation value, it appears to have been sheer incompetence.


S • February 18, 2016 4:06 PM

Naturally... the solution isn't to fix weak security on the internet, but to toss out the Constitution and abandon every Human Right, cause... you know... terrists will eat your children!

Alien Jerky • February 18, 2016 4:14 PM

@S

Naturally... the solution isn't to fix weak security on the internet, but to toss out the Constitution and abandon every Human Right, cause... you know... terrists will eat your children!

mmm... terrorist burgers... yum

End of innocence • February 18, 2016 5:19 PM

Wait, this cannot be right...

Maybe I just didn't hear about the initial reaction of these agencies, like suspecting Chinese, Russian, etc., hackers...

Shouldn't the "FBI's sharpest cyber experts" audit their own website(s) to secure it against hackers? I must be an idealist...

GrowingUpUnderSurrvailence • February 18, 2016 6:08 PM

If Government can not secure their employee database, how can the NSA secure the giant Utah metadata database?

Good job fellow child tech nerd, good job. :-)

(I am not involved in this hack for the keylogger that might be on my computer).

Observer • February 18, 2016 11:03 PM

@end of innocence, etc

Shouldn't the "FBI's sharpest cyber experts" audit their own website(s) to secure it against hackers? I must be an idealist...

These kids didn't hack anything. They talked their way into these accounts and this information. They did good research to do so. They did cover their tracks for a while, as far as anybody will ever know.

It is the nation state hackers and organized criminal hackers that are the scary ones. They often have their attacks caught, but they themselves are never caught. The best case is maybe they will be identified, like what Mandiant claimed with one of their reports. Personally identified. But, they won't see any jail time, and that won't be proven.

The difference is the same with physical crimes. No planning, no training, no training for secrecy, impulse control problems, motivations based around unstable needs like need for social acceptance, need for social approval, need for drugs.

Need to feel they are somebody, when the world has taught them they are nobodies.

1) They talk
2) they do not plan
3) very bad impulse control

Is how you can encapsulate it.


You can see the same kind of issue with 'bank robbers with no training' versus 'bank robbers that have long term military experience in similar enterprises'.

This does not mean smarts and experience are a pass. Good example is one of the techs who invented one of the first government computer based cover systems. The guy was also completely nuts, though incredibly intelligent. He sold secrets. He got drunk, got laid up in jail dressed up like a woman, you know, the typical. Eventually, he got found out.

He had no infrastructure.

Soldiers or cops without their infrastructure are like stray ants.

With their infrastructure, they are a force to be reckoned with.

There are various weak points in their attack

1. recon, which, unplanned, is typically loud and random, and relies on a lot of luck
2. infiltration, usually very messy, and not "APT" because it gets caught rather quickly
3. if they are lucky, and get in and get anything, then they have to get out and handle the money
4. the money or talking with the money is usually where a lot who get this far get caught

Different varieties of the same themes.

1. talking means they trust strangers whom they should not trust, but do. It also implies they have no infrastructure they can rely on.

PeteRepeat • February 19, 2016 6:23 AM

If I was a criminal TLA-spook spying on my own population I would use "personal" e-mail accounts to -
That way, nothing becomes public record - Ever .
Or at least not until "someone" recreates your "personal" email-server ..

albert • February 19, 2016 10:11 AM

@Observer,
Doesn't matter whether you're shot with a 22 or a 45, you're still dead. Doesn't matter how you get into a system, either.

I quite agree with you. Nation-states and organized crime are serious concerns, but...

The Lone Hacker™ is still a dangerous individual. Infrastructure attacks don't need big teams with vast resources. They can do a -lot- of damage in a short period of time. AFAIC, infrastructure security is more important, and ironically, the least protected.

That's why I'm always prattling on about it.

BTW, lists of gov't employees should be valuable commodities to nation-states, I would think.

That said, hacking personal email accounts is somewhat less serious than shutting down the power grid of the Eastern US in February.

. .. . .. --- ....

Observer • February 19, 2016 10:59 AM

@albert

The Lone Hacker™ is still a dangerous individual. Infrastructure attacks don't need big teams with vast resources. They can do a -lot- of damage in a short period of time. AFAIC, infrastructure security is more important, and ironically, the least protected.
That's why I'm always prattling on about it.

Oh, yeah, yeah, yeah.

No, preach on brutha, not saying otherwise. :) Heheheheh.


BTW, lists of gov't employees should be valuable commodities to nation-states, I would think.


It is extremely valuable. Their foremost push should be to 'see what went wrong' and fix the problem.

Same with OPM, of course, which everyone has in mind.

In no case, do I believe an equivalent "NOC list" has been obtained. Undercover agents and officers have not been revealed. But, this data can help adversaries start to pry open that lid.

If there has not been any preparation and expectation of exactly these failures, as it at least, appears.

In this case, FBI and DHS agents have some degree of anonymity. Their home addresses and other personal information should not be something their adversaries can look up online.

Adversarial nation states can also use this data, of course. In the very same way as OPM data could be used. I am certain this would be a major focus of the investigation and the very reason why they would not already have arrested these young men. Who knows that they were not being covertly trained and used as patsies for adversarial nations?

You can see "something like this" in the details of the Sabu story, I might add. There was one attacker, with a Japanese nick, who was uncaught. He was mysterious, very cautious - professionally so - and also the most technically able of all of them.

They may have hoped to get more information on him, and so consider the hacking and disclosure of Stratfor an acceptable risk to do so.

Likewise, in this case.


That said, hacking personal email accounts is somewhat less serious than shutting down the power grid of the Eastern US in February.


Yeah, though lone hackers can do that too.

Really, it is simply a bar, not too much unlike with biochemists, regular chemists, soldiers, cops, and so on.

It is actually a surprisingly high bar, but it is being lowered everyday as more and more individuals are being trained and shown to have the natural talent to do so in the area.


Marcos El Malo • February 19, 2016 12:32 PM

@Albert

As your comment suggests, PCs are "equalizers" in a way similar to firearms, and the hacker's age makes no difference. One would have to be foolish and have a big blind spot to dismiss a penetration because of the age of the hacker. The notion that teens are only and invariably script kiddies is wrong-headed. I would seriously doubt the security expertise of someone with that attitude.

@observer makes a very good point about infrastructure and support, and I think the military analogy is apt. Still, a determined lone wolf attacker can inflict substantial damage before he is neutralized, even one without experience and skill.

-------------
Technical security seems to be a race that might be impossible to win, not just because of nation state level attackers, but because of the hordes of "freelancers" -- those doing it for the challenge, for the lulz, or for profit. We need a different approach that addresses the anti-social nature of cyber-attacks, that channels hackers away from the "dark side" early. Maybe make it into a sport. (I realize this already happens, with hacking contests that offer cash prizes and recognition, I'm just saying it could be further developed, formalized, and ritualized in a manner similar to spectator sports).

This wouldn't solve all problems, but it seems like an easy way to divert a lot of attackers and potential attackers.

Observer • February 19, 2016 3:16 PM

@Marcos El Malo

@observer makes a very good point about infrastructure and support, and I think the military analogy is apt. Still, a determined lone wolf attacker can inflict substantial damage before he is neutralized, even one without experience and skill.
Technical security seems to be a race that might be impossible to win, not just because of nation state level attackers, but because of the hordes of "freelancers" -- those doing it for the challenge, for the lulz, or for profit. We need a different approach that addresses the anti-social nature of cyber-attacks, that channels hackers away from the "dark side" early. Maybe make it into a sport. (I realize this already happens, with hacking contests that offer cash prizes and recognition, I'm just saying it could be further developed, formalized, and ritualized in a manner similar to spectator sports).
This wouldn't solve all problems, but it seems like an easy way to divert a lot of attackers and potential attackers.


Tried that, early on, and am confident that there are good outlets. The market for skilled security people is booming. The better they are, the easier it is to get a job. If you want a six figure job right away just find a major vulnerability in a major application. Get your name attached, do a conference show, job offers will be raining at your doorstep.

That, however, is not "the hordes". That is a distinct minority. The personal characteristics of people who can go that far are significantly rare.

It is not just one rare personality trait, it is multiple.

That bar is relatively high, because of that.

That is my scare scenario, personally. Rogue counterparts. They can find security vulnerabilities in anything, and write covert rootkits to match it, as well as run it all.

But, what I see and hear from others, is that the nation state threat and the organized crime threat (often probably related), are ever present.

Very easy to effectively mass produce attacks, which is not how it was in the cold war. One team can be running compromise on tens, hundreds, thousands of different networks at the same time. And they do it.

And they can come out with the money or the information, they never could have gotten pre-internet, pre-today. No fumbling over hidden cameras in the dark, taking one photo at a time; no setting up explosives in the dead of night to break in for merely one score.

CTF (Capture The Flag) is not real, that is about memorization of previously known vulnerabilities. Or, the people come in with previously undisclosed vulnerabilities. That is best for defense training, or for noobs who need to get acquainted with other people's security vulnerabilities.

But, for those wanting to become real hackers, find their own vulnerabilities, code their own exploits -- lotsa conferences always seeking speakers. Plenty of bug bounty programs. Quite a number of eager to hire companies and consultancies. A few solid crowdsourced bug finding groups.

Getting legitimately paid is a very good deterrent.

You don't need a four year degree, you don't need great SAT scores. You could have fucked up in all sorts of ways. But, if you know your shit, you will easily get paid, the easy way. A legitimate check, with an easy job that is much more fun than most of the jobs out there, and which lets you 'be yourself'.

Nathanael • February 19, 2016 4:00 PM

What it actually underscores is that the top brass are not competent to do their jobs, and should all be fired.

McAfee is openly insulting them in public at this point.

But they've got their Iron Rice Bowl and will continue sucking down money for making our security worse.

Yog • February 19, 2016 6:47 PM

Djeezus people, aren't you aware that the crucial part of most of these hacks were single phone calls? Forget "15 year old kid", 7 could be old enough.

Someone could pay a random kid to place the phone call for them and pass along the password they get from support. If the kid wants more money/equipment/cred/excitement/boxes of candy/whatever he can get it by fololowning (*smirk*) the script of downloading the content as well using whatever setup that will ensure that the actual "culprit"/hero can passively duplicate the packets as they travel by some point between the source and destination under the actual hacker's control.

Blindingly obvious right? Don't bother telling the retards in charge, they're reading this and still not getting it :P

(Btw were all the regulars scared away or am I just early?).

Observer • February 20, 2016 12:54 AM

@Nathanael

What it actually underscores is that the top brass are not competent to do their jobs, and should all be fired.

Basically? Yes.

Blindingly obvious right? Don't bother telling the retards in charge, they're reading this and still not getting it :P

Yes, "they" are likely hearing this, because this is a relatively low noise, high signal, genuine and reasonable 'devil's advocate' forum.

And good intelligence wants to consider all reasonable angles, even those contrary to what they want to believe. Because they are trained not to believe what they want to believe. Trained to "want to believe" nothing.

Schneier is obviously patriotic, reasonable, very informed, and intelligent.

There are probably a number of regulars who are either former intelligence, current, or work for intelligence with friendly nations.


It is possible these kids were controlled by a foreign intelligence entity, apart from their own awareness. This would be a serious factor in the investigation. It is highly likely why they were watched and not apprehended earlier. This latter statement is a conjecture, but one based on easily observable facts.


This does not mean that the country which produced the Krays - and FFS MI5 and MI6 - could not produce teenagers capable of social engineering their way into these accounts by sheer confidence.

The fact is the information they did obtain was low hanging fruit obtainable by exceptional condition of actually over confident kids imagining what adults would think is impossible, without knowing it was impossible.

I know, I myself, did all sorts of crazy risk taking as a teenager I would almost never (hah) take as an adult.

Often, the reward is to the ones who take the risk.

And it can be that simple.


But, no, seven year olds could not do this.

I was hacking systems left and right as a twelve year old, my own self.

At sixteen, myself, and many others, were already either in college or doing college level work.


A hundred years ago, it was routine for sixteen-year-olds to already be married and have their first kids...


So, not out of bounds to consider they did this on their own. In fact, it is far more likely than that they are controlled, even if that is a possibility which must be chased down.


As for regulars, not every topic interests them.


You must be a regular, so...

ianf • February 21, 2016 2:33 AM

sure the Brits will turn him over to us.

The hacker is underage, so they will not. UK has signed all the U.N. etc child protection conventions, so they won't even spank him – though I'm sure plenty of British officials would have volunteered to do just that, even fully clothed.

Sinvex • February 21, 2016 3:42 AM

I'd love to know how the hell someone who still uses AOL after the year 2000 is head of something like the CIA...

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.