• TREND MICRO
  • ABOUT
Search:
  • Latest Posts
  • Categories
    • Android
    • AWS
    • Azure
    • Cloud
    • Compliance
    • Critical Infrastructure
    • Cybercrime
    • Encryption
    • Financial Services
    • Government
    • Hacks
    • Healthcare
    • Internet of Everything
    • Malware
    • Microsoft
    • Mobile Security
    • Network
    • Privacy
    • Ransomware
    • Security
    • Social Media
    • Small Business
    • Targeted Attacks
    • Trend Spotlight
    • Virtualization
    • Vulnerabilities
    • Web Security
    • Zero Day Initiative
    • Industry News
  • Our Experts
    • Ed Cabrera
    • Rik Ferguson
    • Greg Young
    • Mark Nunnikhoven
    • Jon Clay
    • William “Bill” Malik
  • Research
Home   »   Hacks   »   Email Havoc – CIA Director Account Targeted by Hacktivist

Email Havoc – CIA Director Account Targeted by Hacktivist

  • Posted on:October 20, 2015
  • Posted in:Hacks, Security
  • Posted by:Christopher Budd (Global Threat Communications)
0

Email security for people in sensitive positions is a growing topic of concern.

There is of course the ongoing discussion around the security of former Secretary of State Hillary Clinton’s “homebrew” email server, and now news that the personal email accounts of CIA Director John Brennan and Department of Homeland Security Secretary Jeh Johnson may have been breached.

Certainly the possible compromise of personal email of anyone in a sensitive position is cause for concern. But based on what we know so far, unless or until there’s more information, this would seem to be more likely an annoyance and an embarrassment than a national security crisis.

First of all, this episode is a reminder of why it’s important to keep personal and professional email separate. Generally speaking, professional email systems have better overall protections than free, webmail systems. Especially when we’re talking about organizations that deal with highly sensitive information — they have greater protections to match the heightened risks they face.

It also reminds us that personal email can be the weak link that enables an attacker to bypass the stronger safeguards of organizations have to gain access. This is where the adage that a “defense is only as strong as the weakest link” applies. If you mix personal and professional email you’re introducing a weak link that can lead to a compromise.

If you keep your personal and professional email separate, then a breach of personal account doesn’t have translate to exposure for your professional account or organization. So far at least, that would appear to be the case here.

It’s also good to remember that hacks against personal webmail accounts aren’t new. Back in the middle of the 2008 presidential race, Sarah Palin’s personal Yahoo! email account was compromised. In that case, the attacker, David Kernell, was able to reset the account password by posing as Sarah Palin and correctly answering biographical details to “prove” he was her.

He found the answers to the security questions like her birthdate and high school through basic Internet searches and used that information to gain control of her account. While we don’t have specific details of how these hacks occurred, it’s reasonable that a similar attack was carried out in this instance. Resetting the password for webmail accounts is a common and ongoing attack vector to this day.

If nothing else, this latest episode serves as a good reminder that good webmail security practices are important. These accounts are the “keys to the kingdom” for stealing your digital identity: almost every major case of digital identity theft traces back to an initial compromise of a webmail account.

Two easy things you can do to protect your webmail account include enabling two factor authentication (all major webmail providers offer this today), and ensuring that the answers to your security questions can’t’ easily be researched on a routine web search. Protecting access to your account and the ability to reset it goes a long way to securing your overall digital identity.

And of course, don’t mix personal and professional email. Ideally, you shouldn’t include them on the same computer or device. But realistically, if you do need to check them both on the same piece of technology, use different, dedicated email clients for each — don’t go for the convenience of a unified inbox — that makes for an easy target.

Please add your thoughts in the comments below or follow me on Twitter; @ChristopherBudd.

Related posts:

  1. Is it a Mistake to Share Personal Account Passwords with Your Significant Other? I say, “Yes!”
  2. Email breaches: All it takes is one to wreak havoc on an enterprise
  3. What to do when your Facebook account is stolen
  4. Ask Vic — My Facebook Account was Hacked, Now What?

Security Intelligence Blog

  • Our New Blog
  • How Unsecure gRPC Implementations Can Compromise APIs, Applications
  • XCSSET Mac Malware: Infects Xcode Projects, Performs UXSS Attack on Safari, Other Browsers, Leverages Zero-day Exploits

Featured Authors

Ed Cabrera (Chief Cybersecurity Officer)
Ed Cabrera (Chief Cybersecurity Officer)
  • Ransomware is Still a Blight on Business
Greg Young (Vice President for Cybersecurity)
Greg Young (Vice President for Cybersecurity)
  • Not Just Good Security Products, But a Good Partner
Jon Clay (Global Threat Communications)
Jon Clay (Global Threat Communications)
  • This Week in Security News: Ransomware Gang is Raking in Tens of Millions of Dollars and Microsoft Patch Tuesday Update Fixes 17 Critical Bugs
Mark Nunnikhoven (Vice President, Cloud Research)
Mark Nunnikhoven (Vice President, Cloud Research)
  • Twitter Hacked in Bitcoin Scam
Rik Ferguson (VP, Security Research)
Rik Ferguson (VP, Security Research)
  • The Sky Has Already Fallen (you just haven’t seen the alert yet)
William
William "Bill" Malik (CISA VP Infrastructure Strategies)
  • Black Hat Trip Report – Trend Micro

Follow Us

Trend Micro In The News

  • Fujitsu and Trend Micro Demonstrate Solution To Secure Private 5G
  • Trend Micro Receives 5-Star Rating in 2021 CRN® Partner Program Guide
  • Smart Factory Cyber Attacks Knock Out Production for Days
  • Eliminate Hesitations: Security Simplified For Those Building In The Cloud
  • Nuffield Health Depends on Managed XDR with Trend Micro Vision One
  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © 2017 Trend Micro Incorporated. All rights reserved.