Fancy a holiday in Cuba?
I bet an unmarked business jet registered to a shady holding company in northern Virginia is on its way to pick him up right now.
A 16-year-old Brit has been arrested for allegedly hacking the email account of CIA director John Brennan. The teenager is accused of hacking Brennan's personal email account and releasing some 40 sensitive documents that were contained within including a 47-page security clearance application for the director's current role …
Answer none at the time but several that are in retrospect.
Preumably retrospect =
a) failure to classify them properly originally for which someone should be sacked.
OR
b) use of reclassification for political purposes again for which someone should be sacked.
Which begs the question if it can happen to Hillary what hope has some poor schmo got.
Hacker: woohoo I hacked Teresa May's alt.rec.track-em-all notification messages
GCHPLod: those are NOW all classified beyond top secret here's your ticket for an all-inclusive indefinite stay in Cuba.
Released documents were not highly classified and Brennan said he did not violate his security responsibilities by using the account.
It is not whether they are highly classified, but whether they are classified at all that is important. "Spillage" is a word no-one who has a clearance wants to have mentioned in conjunction with their name.
I don' t think at 16 he can be extradited, so if he doesn' t dissapear at 5 o clock one morning he may well find himself doing time in Gloucester. Being able at 16, to socially engineer his way to an account like this, shows abilities that should be valued by Big Brother,,, or even the British government.
They're going after Hillary Clinton for using a personal email server which appears to have been run better (and safer) than the rest of the government apparatus, and this guy has sensitive material hosted on AOL? WTF is wrong with these people?
Well, OK, as the high echelons in UK government are now allowed to use Gmail I suspect we shouldn't be *that* surprised but really? AOL?
Reports in The Register and elsewhere have it that clintonemail.com did not support ssl access for several months after it was deployed and exposed VNC and RDP on the public internet.
Computer systems used to store and process government records have been required to meet fairly stringent information assurance standards since no later than 2005 (four years before Ms. Clinton's nomination as Secretary of State) under laws on the books in 2001 or earlier. The standards required regular backups, effective disaster recovery planning and testing, and established record retention requirements. The rules do not allow remote administration from the public internet.
Systems operated State Department, Google, or AOL to a certainty are technically more secure and compliant with federal IA requirements than clintonemail.com. That social engineers were able to bamboozle an AOL customer service rep to reset an account simply makes it clear that proper security requires more than technical measures.
First fire the Director for having that sort of stuff outside the proper secured network, then fire his advisors for not reminding him daily, then fire everyone who mailed him at that address concerning 'company' business, and fire everybody who ever saw the footer on the printed emails that showed where the mailbox was.
And someone might wish to ask if that mailbox was accessed by anyone else other than the hacker, and exactly how unauthorised that was, not that I would ever suggest anything at all ever, obviously I mean if one hacker published stuff, then there may be others who sold the info, incompetence vs malice...?
Minor point: a clearance form is NOT classified, but does require one to enter a lot of personally identifiable information (PII).
Basically, you're laying out your personal history, job history, and family relations, as well as any friends you know who are foreigners, so that the investigators can determine whether you're a good risk, or a bad one.
But sending it in unencrypted format is not illegal, merely stupid. And storing it unprotected and unencrypted is even more stupid. But it's not like anybody hacked OPM and got the exact same data on 21+ million OTHER people. . .
Oops, they did. This kid merely did it retail, as opposed to wholesale, the way the Chinese did. . .
IF you want to sack people, then do it because of a demonstrated history of making stupid decisions. . .
> Minor point: a clearance form is NOT classified
Maybe not, but it gains significant value after a person has been approved, especially if it involves multiple polaroids. And a stupid decision can also be one that involves inaction, because letting other people do stupid things can compromise the entire organisation.
It's comforting to think that someone as in touch with the security of personal information as the Director of the CIA could end up looking after the keys to the back-door of everyone's encrypted data.
On the up-side though, if you forget your pass-phrase you should be able to obtain a copy of the back-door key from his AOL account...
Basically, you're laying out your personal history, job history, and family relations, as well as any friends you know who are foreigners, so that the investigators can determine whether you're a good risk, or a bad one.
Um... exactly. This hack proves that the CIA director is a bad risk in terms of data security, so he should be un-hired.
"The teenager is accused of .. releasing some 40 sensitive documents that were contained within including a 47-page security clearance application for the director's current role."
Is CIA director John Brennan going to be subject to an investigation similarly to the congressional investigation currently being carried out against Hilary Clinton.
Is it an offence in the UK to hack a computer, over the internet, which is located abroad (i.e. in the USA)?
Is hacking an online account covered by the same laws as hacking into someone's personal computer equipment?
I'm just trying to understand the justification for his being "arrested on counts of suspicion of conspiracy to commit unauthorised access to access computer material". Is that even an offence in this country?
@AC you could always read the Computer Misuse Act, 1990
http://www.legislation.gov.uk/ukpga/1990/18/contents
(1)On a charge of conspiracy to commit an offence under this Act the following questions are immaterial to the accused’s guilt—
(a)the question where any person became a party to the conspiracy; and
(b)the question whether any act, omission or other event occurred in the home country concerned.
(2)On a charge of attempting to commit an offence under this Act the following questions are immaterial to the accused’s guilt—
(a)the question where the attempt was made; and
(b)the question whether it had an effect in the home country concerned.
Or you could watch paint dry :-)
In short yes.
The CPS guidance here is worth reading: http://www.cps.gov.uk/legal/a_to_c/computer_misuse_act_1990/
Basically if "at least one significant link with the domestic jurisdiction" - so either the hack was performed from the UK, or targeting a computer in the UK would look to be sufficient.
Hacking an online account is no different to any other type of hacking, you are still trying to gain access to computers for which you don't have permission (or are exceeding your permission), in this case computers owned (or operated) by AOL.
Unfortunately, it would appear that it is against the law.
However, what is truly shocking is that the UK government considers it acceptable to arrest and extradite a 16 year old to face a very hostile judiciary, away from any support. The response is disproportionate to the harm, and demonstrates that Cameron is more concerned with tugging his forelock to the yanks than the interests of his fellow Brits.
As has been said many, many times here, the extradition treaty the UK has with the USA needs tearing up and throwing down the crapper. It does nothing to protect UK citizens against the USA, and everything to protect US citizens against the UK (though it did take the courts in the USA to make that clear). The fact that the UK government has failed to protect the people it allegedly represents in favour of another sovereign state says everything you need to know about the fucknozzles in Westminster.
"the boy was arrested on counts of suspicion of conspiracy to commit unauthorised access to access computer material"
So you can be arrested on "suspicion of conspiracy". Is that real? I am suspected of talking about something. There seems to be a lot of "double talk" here that sounds suspiciously like "newspeak" and "suspicion of conspiracy" sounds very much like "thoughtcrime" from 1984.
Clearly, this means that we need two-factor authentication on things like the email addresses of notable officials/private citizens who don't fancy some schmuck doxxing them and gaining access to their account. (It's honestly hard for me to call what this kid did hacking, although it was clever.)
Seriously, this is technology we've been using to secure our World of Warcraft accounts for bloody years! Nowadays you don't even need a dongle, your cell can run the authenticator crypto-RNG just fine, ala Steam.
That way, this would go "You want to reset your password? Okay! Just input the current number on your two-factor authenticator dongle. Aaaand we're done! Please input your new password now."
"Lose your dongle? Lost your dongle AND your password at the same time? Okay, here's what we're going to need: you're going to need to track down an actual Fax machine (try a Kinko's or FedEx store if your home or place of employment does not possess a fax machine,) and fax us an image of some form of photo I.D. (such as a passport or Driver's License or similar document.) You will also need to ship to us a photograph of yourself holding up a piece of paper upon which today's date and the following numbered code is clearly visible, and the original document you used for photo ID is paperclipped to."
The only truthful hacker I have met is brainclark3@gmail.com the guy is a genius, he has helped me and my friends to solve our relationship issues, he also accesses and modify databases, any social account, he is the real deal. Contact brainclark3@gmail.com if you are in need of a good hacker. I vouch for him.