New FBI warning after Brennan doxing
The FBI has revised a warning to senior police officers and other public officials about hacktivism and doxing, following the successful takeover last month of the personal email account of CIA Director John Brennan by teenage hackers.
The new warning, posted Wednesday evening, outlines a method of social engineering against an official’s personal email provider that self-described stoner hacktivists say they used to repeatedly take over Brennan’s AOL account. The hacktivists, in what they said was a protest against U.S. support for the Israeli occupation, later published Brennan’s Social Security number and other personal information — and that of family members and colleagues on the Obama 2008-09 transition team.
The new guidance includes an expanded set of defensive measures that all potential targets are advised to take on social media and online generally, but no new advice for telecom, email and Internet service providers.
“In a recent threat,” reads the new warning, a “threat actor” contacts the target’s ISP posing “as an employee of the company, and requests details regarding the target’s account. Utilizing these details, the caller then contacts the target’s email provider, successfully provides answers to security questions established for the email account, and is granted a password reset for the account.”
This is the process described by “Crackas With Attitude” in a series of encrypted chats, Twitter exchanges and other online communications with reporters after they began posting first boasts about penetrating Brennan’s email account, then data stolen from it.
“Ultimately,” concludes the FBI warning, the hacktivist “gains access to the victim’s email account and begins to harvest personal or other information.”
The FBI press office, in a statement emailed to FedScoop, said merely that “Recent media reports have highlighted hacktivism threats to law enforcement and public officials,” causing the bureau to update a doxing warning posted in April.
The original warning highlighted the way that hacktivists from the Anonymous collective were able to compile information available on the Internet, especially on social media sites, into revealing profiles of police officials and other public figures. It included a list of defensive measures individuals could take, like adjusting the privacy settings on social media accounts.
Wednesday’s warning offers an expanded list of defensive measures, including using invented, incorrect answers to security questions, especially ones like mother’s maiden name, which might be discoverable from public records. The revised warning also offers the following new advice:
- Keep your social media footprint to a minimum, where possible, and actively monitor any accounts you maintain.
- When posting on social media sites, do not provide details regarding your workplace, work associates, official position or duties.
- Do not promote your personal or professional importance in online profiles or postings, as this may make you a potential target for adversaries to exploit.