Blighty cops nab Brit teen for 'hacking' CIA Brennan's AOL email

A 16-year-old Brit has been arrested for allegedly hacking the email account of CIA director John Brennan. The teenager is accused of hacking Brennan's personal email account and releasing some 40 sensitive documents that were contained within including a 47-page security clearance application for the director's current role …

  1. Anonymous Coward

    Fancy a holiday in Cuba?

    I bet an unmarked business jet registered to a shady holding company in northern Virginia is on its way to pick him up right now.

    1. Bibbit

      Re: Fancy a holiday in Cuba?

      I think that particular flight involves a stopover in a corrugated shed in a remote part of Poland.

      1. g e

        "Crackas with Attitude"

        I did almost have a little sympathy until I read down to their name. Stopped caring so rapidly it was almost relativistic.

        1. RedCardinal

          Re: "Crackas with Attitude"

          I think that was originally spelt "crackers with attitude" ;)

  2. DocJames
    Joke

    Lucky for him...

    ...he didn't try to hack (I know, I know) Hillary's email. Imagine the amount of classified information he'd be responsible for leaking then.

    1. Gordon 10

      Re: Lucky for him...

      Answer none at the time but several that are in retrospect.

      Presumably retrospect =

      a) failure to classify them properly originally for which someone should be sacked.

      OR

      b) use of reclassification for political purposes again for which someone should be sacked.

      Which begs the question if it can happen to Hillary what hope has some poor schmo got.

      Hacker: woohoo I hacked Theresa May's alt.rec.track-em-all notification messages

      GCHPLod: those are NOW all classified beyond top secret here's your ticket for an all-inclusive indefinite stay in Cuba.

  3. Paul

    You'd have thought they'd know about the Streisand Effect by new

    1. Sir Runcible Spoon
      Joke

      new?

      I can't quite place your accent :P

  4. Ole Juul

    cost of bragging

    Next time this kid may learn to balance his bragging with the consequences.

  5. werdsmith Silver badge

    Pay the kid the going rate for a vulnerability scan / pen test.

    Punish the AOL and the idiot account holder for using a weak password

    1. Anonymous Coward

      Punish the idiot account holder for using Verizon and AOL maybe, but other than that it's difficult to see what he did wrong - there's no suggestion that he was using a weak password, for instance. You would have hoped that somebody in his job wasn't quite that naive, though.

  6. Anonymous Coward

    Sensitive documents on AOL? Personal maybe but Sensitive?

    1. Hans 1

      They are allowed to, since both internal mail server and AOL mail are backed up regularly, to the same server farm.

      More seriously, though ... I guess this is a case of karma, and the CIA should not complain that they are being hacked, since they hack everyF*ingBody else ...

    2. Robert Helpmann??
      Childcatcher

      Emphasis Added

      Released documents were not highly classified and Brennan said he did not violate his security responsibilities by using the account.

      It is not whether they are highly classified, but whether they are classified at all that is important. "Spillage" is a word no-one who has a clearance wants to have mentioned in conjunction with their name.

  7. Chris G

    No rendition

    I don't think at 16 he can be extradited, so if he doesn't disappear at 5 o'clock one morning he may well find himself doing time in Gloucester. Being able at 16, to socially engineer his way to an account like this, shows abilities that should be valued by Big Brother,,, or even the British government.

    1. MJI Silver badge

      Re: No rendition

      So if he lives there perhaps he could apply for a job at the other end of Golden Valley By Pass

  8. Anonymous Coward

    Hang on a minute..

    They're going after Hillary Clinton for using a personal email server which appears to have been run better (and safer) than the rest of the government apparatus, and this guy has sensitive material hosted on AOL? WTF is wrong with these people?

    Well, OK, as the high echelons in UK government are now allowed to use Gmail I suspect we shouldn't be *that* surprised but really? AOL?

    1. tom dial Silver badge

      Re: Hang on a minute..

      Reports in The Register and elsewhere have it that clintonemail.com did not support ssl access for several months after it was deployed and exposed VNC and RDP on the public internet.

      Computer systems used to store and process government records have been required to meet fairly stringent information assurance standards since no later than 2005 (four years before Ms. Clinton's nomination as Secretary of State) under laws on the books in 2001 or earlier. The standards required regular backups, effective disaster recovery planning and testing, and established record retention requirements. The rules do not allow remote administration from the public internet.

      Systems operated by the State Department, Google, or AOL to a certainty are technically more secure and compliant with federal IA requirements than clintonemail.com. That social engineers were able to bamboozle an AOL customer service rep to reset an account simply makes it clear that proper security requires more than technical measures.

      1. Anonymous Coward

        Re: Hang on a minute..

        Hey Tom - never let the facts get in the way of a good political, Hillary certainly has never done that!

        Now you will be accused of having problems with women, hating non-Anglos, having horns, cloven feet and a tail...

  9. chivo243 Silver badge

    Isn't this where

    all US info is stored? After all it is America On Line!

    1. Sir Runcible Spoon
      Joke

      Re: Isn't this where

      "America On Line!"

      That's not what the A stands for :)

  10. Andrew Moore

    Please...

    Can we get rid of the term "dropped" when meaning "released"

    1. Anonymous Coward

      Re: Please...

      I think it's a literal allusion to "shat on from a great height by releasing .."

      :)

  11. Doctor Syntax Silver badge

    CIA's motto

    Do as I say, not as I do.

  12. Anonymous Coward

    AOL

    Asshats

    Or

    Losers

  13. Doctor_Wibble
    Black Helicopters

    Fire Everybody

    First fire the Director for having that sort of stuff outside the proper secured network, then fire his advisors for not reminding him daily, then fire everyone who mailed him at that address concerning 'company' business, and fire everybody who ever saw the footer on the printed emails that showed where the mailbox was.

    And someone might wish to ask if that mailbox was accessed by anyone else other than the hacker, and exactly how unauthorised that was, not that I would ever suggest anything at all ever, obviously I mean if one hacker published stuff, then there may be others who sold the info, incompetence vs malice...?

    1. Keith Glass

      Re: Fire Everybody

      Minor point: a clearance form is NOT classified, but does require one to enter a lot of personally identifiable information (PII).

      Basically, you're laying out your personal history, job history, and family relations, as well as any friends you know who are foreigners, so that the investigators can determine whether you're a good risk, or a bad one.

      But sending it in unencrypted format is not illegal, merely stupid. And storing it unprotected and unencrypted is even more stupid. But it's not like anybody hacked OPM and got the exact same data on 21+ million OTHER people. . .

      Oops, they did. This kid merely did it retail, as opposed to wholesale, the way the Chinese did. . .

      IF you want to sack people, then do it because of a demonstrated history of making stupid decisions. . .

      1. Doctor_Wibble

        Re: Fire Everybody

        > Minor point: a clearance form is NOT classified

        Maybe not, but it gains significant value after a person has been approved, especially if it involves multiple polaroids. And a stupid decision can also be one that involves inaction, because letting other people do stupid things can compromise the entire organisation.

        1. Anonymous Blowhard

          Re: Fire Everybody

          It's comforting to think that someone as in touch with the security of personal information as the Director of the CIA could end up looking after the keys to the back-door of everyone's encrypted data.

          On the up-side though, if you forget your pass-phrase you should be able to obtain a copy of the back-door key from his AOL account...

      2. Anonymous Coward

        Re: Fire Everybody

        Basically, you're laying out your personal history, job history, and family relations, as well as any friends you know who are foreigners, so that the investigators can determine whether you're a good risk, or a bad one.

        Um... exactly. This hack proves that the CIA director is a bad risk in terms of data security, so he should be un-hired.

  14. Anonymous Coward
    Big Brother

    Storing sensitive documents in the email

    "The teenager is accused of .. releasing some 40 sensitive documents that were contained within including a 47-page security clearance application for the director's current role."

    Is CIA director John Brennan going to be subject to an investigation similar to the congressional investigation currently being carried out against Hillary Clinton?

    1. Anonymous Coward

      Re: Storing sensitive documents in the email

      No - because he did not break the law. He did not keep national security documents in his private mail account.

      Moreover, if he did break the law, he would be tried in court, unlike other people who consider themselves to be above the law.

  15. Anonymous Coward

    Legal questions

    Is it an offence in the UK to hack a computer, over the internet, which is located abroad (i.e. in the USA)?

    Is hacking an online account covered by the same laws as hacking into someone's personal computer equipment?

    I'm just trying to understand the justification for his being "arrested on counts of suspicion of conspiracy to commit unauthorised access to access computer material". Is that even an offence in this country?

    1. MyffyW Silver badge

      Re: Legal questions

      @AC you could always read the Computer Misuse Act, 1990

      http://www.legislation.gov.uk/ukpga/1990/18/contents

      (1)On a charge of conspiracy to commit an offence under this Act the following questions are immaterial to the accused’s guilt—

      (a)the question where any person became a party to the conspiracy; and

      (b)the question whether any act, omission or other event occurred in the home country concerned.

      (2)On a charge of attempting to commit an offence under this Act the following questions are immaterial to the accused’s guilt—

      (a)the question where the attempt was made; and

      (b)the question whether it had an effect in the home country concerned.

      Or you could watch paint dry :-)

      1. Mark 85

        Re: Legal questions

        Or you could watch paint dry :-)

        And if there's no wet paint about, then there's a fully approved movie for that.

    2. The Mole

      Re: Legal questions

      In short yes.

      The CPS guidance here is worth reading: http://www.cps.gov.uk/legal/a_to_c/computer_misuse_act_1990/

      Basically if "at least one significant link with the domestic jurisdiction" - so either the hack was performed from the UK, or targeting a computer in the UK would look to be sufficient.

      Hacking an online account is no different to any other type of hacking, you are still trying to gain access to computers for which you don't have permission (or are exceeding your permission), in this case computers owned (or operated) by AOL.

    3. Anonymous Coward

      Re: Legal questions

      Unfortunately, it would appear that it is against the law.

      However, what is truly shocking is that the UK government considers it acceptable to arrest and extradite a 16 year old to face a very hostile judiciary, away from any support. The response is disproportionate to the harm, and demonstrates that Cameron is more concerned with tugging his forelock to the yanks than the interests of his fellow Brits.

      1. Intractable Potsherd

        Re: Legal questions

        As has been said many, many times here, the extradition treaty the UK has with the USA needs tearing up and throwing down the crapper. It does nothing to protect UK citizens against the USA, and everything to protect US citizens against the UK (though it did take the courts in the USA to make that clear). The fact that the UK government has failed to protect the people it allegedly represents in favour of another sovereign state says everything you need to know about the fucknozzles in Westminster.

        1. Anonymous Coward

          Re: Legal questions

          Fucknozzles is too generous to that collection of perfidious scum in Westminster.

  16. Anonymous Coward

    Do we still say 'Hacking?'

    I do, but Tony Stark in Iron Man or Avengers (can't remember which) said that, people don't say 'Hack' any more....does anyone know what you say now as Tony didn't elaborate?

  17. Oengus

    "the boy was arrested on counts of suspicion of conspiracy to commit unauthorised access to access computer material"

    So you can be arrested on "suspicion of conspiracy". Is that real? I am suspected of talking about something. There seems to be a lot of "double talk" here that sounds suspiciously like "newspeak" and "suspicion of conspiracy" sounds very much like "thoughtcrime" from 1984.

    1. zappahey

      "suspicion of conspiracy" is just saying there's enough evidence to suggest it was you but the case isn't yet made.

  18. ShadowDragon8685

    Clearly, this means that we need two-factor authentication on things like the email addresses of notable officials/private citizens who don't fancy some schmuck doxxing them and gaining access to their account. (It's honestly hard for me to call what this kid did hacking, although it was clever.)

    Seriously, this is technology we've been using to secure our World of Warcraft accounts for bloody years! Nowadays you don't even need a dongle, your cell can run the authenticator crypto-RNG just fine, à la Steam.

    That way, this would go "You want to reset your password? Okay! Just input the current number on your two-factor authenticator dongle. Aaaand we're done! Please input your new password now."

    "Lose your dongle? Lost your dongle AND your password at the same time? Okay, here's what we're going to need: you're going to need to track down an actual Fax machine (try a Kinko's or FedEx store if your home or place of employment does not possess a fax machine,) and fax us an image of some form of photo I.D. (such as a passport or Driver's License or similar document.) You will also need to ship to us a photograph of yourself holding up a piece of paper upon which today's date and the following numbered code is clearly visible, and the original document you used for photo ID is paperclipped to."

