On the one hand, CWA (“Crackas With Attitude”), may have been a duo of pot-smoking, pro-Palestine 13-year-olds who socially engineered Verizon and got it to reset CIA Director John Brennan’s AOL address.
They might then have posted taxpayer and other personal information of more than a dozen top US intelligence officials, plus a government letter about the use of “harsh interrogation techniques” on terrorism suspects.
Or on the other hand, it could simply be a mile-high baloney sandwich.
The New York Post first reported on the claims of the alleged hacker after he contacted the paper last week to brag about his exploits.
In phone conversations, the purported US high schooler said he was motivated – by opposition to US foreign policy and support for Palestine – to post what looked like stolen documents and a portion of Brennan’s contact list on Twitter, among other documents.
There appeared to be at least two Twitter accounts associated with the breach: @_cwa_ and @phphax.
@_cwa_ has now been taken down but @phphax is still active.
Both accounts had been emitting a steady stream of taunting tweets, followed by screenshots of potentially damaging information, including the screenshots of financial information.
One of the taunts included what looks like a fax cover sheet:
god damn im glad ya'll set it off used to be secure, now you're just wet and softtt @CIA found this in your email :)
Another suggested they had access to call logs from the White House Deputy National Security Advisor.
the current White House Deputy National Security Advisor call logs. #FreePalestine #FreeGaza ...
The page that the tweet links to with the purported call logs has since been deleted.
One of the alleged hackers told Gawker over IM that they were only boys:
since only 13 i am pretty hype about it.
… and that the New York Post was on target when it labelled him a “teen stoner”:
Me and phphax know each other irl, most of our school and grade are smokers and stoners, so i mean it just kind of describes us in away...I dont find it insulting in anyway. [sic]
Is any of that true? Your guess is as good as mine.
In another tweet, @phphax was jeering at self-described “hacktivist for good” @th3j3st3r for believing that he was only 13.
What about the documents? Without access to the originals, if they even exist, it’s tough to verify their authenticity.
Gawker notes that some of the addresses from Brennan’s purported email address book look “incorrect, if not outright fabricated.”
Still, some of those email addresses look real: Gawker said that CIA officers including David Shedd and John Moseman were on the purportedly leaked list, all with “@ugov.gov” addresses, indicating an email system that was shuttered six years ago over (appropriately enough) security concerns.
The pair wouldn’t tell Gawker exactly what they claim to have gotten their hands on, though they did tell the New York Post that Brennan’s private account held sensitive files, including his 47-page application for top-secret security clearance.
They also told Gawker that they have no firm plans to release more evidence of having compromised accounts.
While the claims made by the “teen stoners” are hard to verify, one thing they claim is, unfortunately, pretty easy to believe: if they indeed took over Brennan’s account, it well might have been through social engineering.
According to the FBI’s Internet Crime Complaint Center (IC3) annual report on internet crime, scams and fraud are surging, and that includes social engineering attacks.
Just go ask Mat Honan about social engineering: 3 years ago, his e-life was e-tattered, all thanks to over-helpful iCloud support.
After breaching Apple’s security, the crook remotely wiped Honan’s iGadgets: his iPhone, iPad and Macbook Air.
It didn’t stop there: the criminal then went on to take over Honan’s Gmail account, his Twitter account and, through account linking, the Twitter account of Gizmodo, with which Honan at one point had a trusted journalistic relationship.
It was a mess for Honan, of course, but the rest of us benefited: in the wake of the pwnage, Apple finally bit the bullet and started offering two-factor verification for Apple ID users.
Now, back to those Crackas With Attitude. A spokesperson for the CIA told The Guardian that the agency is aware of the reports on social media and have given a heads-up to “the appropriate authorities,” while a spokesperson for the FBI said that the bureau is investigating the attack.
If, or shall we say once, the Feds track down the kids/adults/crooks/whoever’s responsible for, well, whatever actually happened with Brennan’s AOL account, we’ll let you know how the Crackas’ Attitude changes, as soon as we check out a criminal complaint.
Image of CIA crest courtesy of Shutterstock.com
MrGutts
He just got himself a nice free room at a CIA blacksite.
MrGuse
You mean an apartment and future employment, right?
Anonymous
Ding Ding!
Techno
One thing that makes me doubt it is that the hacker said he rang Brennan up and read him his social security number, to which Brennan put the phone down.
A schoolboy managing to get through to the Director of CIA on the telephone sound pretty unlikely to me.
Daniel
If he has his SSN… do you not think he’d have a personal phone number? Not that I believe it any more than you do, but kinda makes sense.
Bombadil
Dead futures walking
John
CIA director still has an AOL account?
2753 Productions
I know right? That was my first thought, what aged moron keeps useless aol anymore or would chance classified documents to their off-campus servers. Wait, unless he’s friends with Hillary… hmmmm.
Allan Kaplan
It seems to me that you’re missing a huge part of the issue, that the Director of the CIA is keeping sensitive information on his personal email account. Isn’t that worthy of a response, in itself? With all the grief that Hillary is getting for her email usage, it doesn’t seem as though Brennan’s stupidity has even been noted.
Anonymous
The contents of the supposed AOL account are on WikiLeaks now, and it is some dull stuff.
M. Fernandez
If true, I’m not surprised. I see this a lot, where users tend to think email is email no matter which account is being used and how. But this particular story is just as entertaining as it is unfortunate (again, if true). Did anyone pick up on the NWA references? And the riff on Ice Cube’s No Vaseline lyrics in the tweet? Hilarious.