John Podesta’s Email “Hack” Revealed To Be A Phishing Scam And The Reality Of Weak Cybersecurity

By Stephanie Shepard

Let me start off by clarifying a simple concept for anybody who doesn’t understand internet security or black hat hacking: a phishing scam IS NOT A HACK!

A hack is when somebody exploits the weaknesses and vulnerabilities of an internet security system. This can be the security system of a website, a company, an organization, etc. A phishing scam is when somebody exploits the weaknesses and vulnerabilities of a person’s mind.

Most hacks are actually phishing scams in disguise. We now live in a world of high-tech con artists, and they’re finding ways to perfect old confidence schemes. As the saying goes, “The more things change, the more they stay the same.”

There’s a scene in the movie Now You See Me that illustrates this point very accurately.

In the movie a group of magicians decide to steal from an insurance mogul whose company used legal loopholes to deny the insurance claims of Hurricane Katrina victims.

They trick the mogul into revealing the name of his childhood pet and his mother’s maiden name with a mind-reading con, obtaining the information they need to access his bank account.

Art: “I warn you. I can be difficult to read when I want to be.”

Atlas: “You were a tough kid… you know… kinda a real rapscallion. You had a dog… a real tough dog… a brutish breed… I wanna say… Ben the Bulldog?”

Art: “Actually I was a prissy little tart. I had a fluffy white cat called Snuffles.”

Atlas: “Ok, one more time. Let’s do family. You had an uncle on your mother’s side… he had a real kinda masculine name… kinda salt of the earth… you know… a real stick-it-to-you… some kinda… Paul… Paul Thompson? Ok, you know what… I got nothing.”

Art: “You were nearly there. My uncle’s name was Cushmin Armachiff.”

Laughter

Atlas: “Really? Snuffles and Cushmin Armachiff? That was your childhood?” 

The only difference between a regular phishing scam and this “hacking” scam is that the culprit wanted to steal information instead of money. The scheme was to obtain a password and be granted access through the front door. In a real hack the culprit accesses a system through a back door by finding weaknesses in the system’s code.

John Podesta isn’t the first high-level official in recent years to be compromised through a phishing scam. Last year CIA director John Brennan’s AOL email account was “hacked” by teenagers calling themselves Crackas With Attitude. This “hack” was done by using the Google search engine and calling Verizon posing as employees.

“The hacker, who says he’s under 20 years old, told WIRED that he wasn’t working alone but that he and two other people worked on the breach. He says they first did a reverse lookup of Brennan’s mobile phone number to discover that he was a Verizon customer. Then one of them posed as a Verizon technician and called the company asking for details about Brennan’s account.

“[W]e told them we work for Verizon and we have a customer on scheduled callback,” he told WIRED. The caller told Verizon that he was unable to access Verizon’s customer database on his own because “our tools were down.”

After providing the Verizon employee with a fabricated employee Vcode—a unique code that he says Verizon assigns employees—they got the information they were seeking. This included Brennan’s account number, his four-digit PIN, the backup mobile number on the account, Brennan’s AOL email address and the last four digits on his bank card.

“[A]fter getting that info, we called AOL and said we were locked out of our AOL account,” he said. “They asked security questions like the last 4 on [the bank] card and we got that from Verizon so we told them that and they reset the password.” AOL also asked for the name and phone number associated with the account, all of which the hackers had obtained from Verizon.

On October 12, they gained access to Brennan’s email account, where they read several dozen emails, some of them that Brennan had forwarded from his government work address and that contained attachments. The hacker provided WIRED with both Brennan’s AOL address and the White House work address used to forward email to that account.

Among the attachments was a spreadsheet containing names and Social Security numbers—some of them for US intelligence officials—and a letter from the Senate asking the CIA to halt its use of harsh interrogation techniques—that is, its controversial use of torture tactics.

Despite Brennan’s experience of indirectly being a victim of a phishing scam and identity theft, it didn’t stop him from jumping on the blame-Russia bandwagon. I guess it’s easier to drum up the hysteria of Russian espionage than admit you don’t know what you’re talking about when it comes to cybersecurity.

This year on the 15th anniversary of 9/11 he told CBS’ “Face The Nation”:

“I think that we have to be very, very wary of what the Russians might be trying to do in terms of collecting information in a cyber realm, as well as what they might want to do with it.”

If not for Wikileaks we wouldn’t know the extent of the sheer incompetence of Hillary Clinton’s top aides when it comes to the basic protection of their own personal information. In the leaks it was revealed that Podesta once forgot his Apple iCloud password and had an aide email it to him.

This means the people in the Clinton camp have access to passwords for accounts that can be synced up with other accounts, and these passwords were sent over email without being encrypted.

This is very troubling considering Hillary Clinton is a former Secretary of State, a former Senator from New York and a former First Lady of the United States, and has always been one phone call away from the top internet security experts in the country.

The Wikileaks dump revealed that the password Podesta was sent over Gmail for his Apple iCloud account was Runner4567, which is laughable given the current cybersecurity reality.

When John Oliver interviewed Edward Snowden in Russia last year, the two talked about password security. Snowden said people should start thinking in terms of passphrases such as margretthatcheris110%SEXY or admiralalonzoghostpenis420YOLO instead of the eight-character standard password we assume is secure.

“For someone who has a very common eight character password it can literally take less than a second for a computer to go through the possibilities and pull that password out.” -Edward Snowden
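To put numbers on Snowden’s point, here is an added example (not from the article or the interview) that estimates how long an exhaustive search would take for the passwords quoted above, and contrasts that with a password that simply appears in a leaked wordlist. The guess rate and the tiny wordlist are assumptions made for the estimate.

```python
import math
import string

# Character classes. Once a password is known to use a class, a brute-force
# attacker has to include the whole class in the alphabet being searched.
CHAR_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)

# Constructed stand-in for a leaked-password wordlist; real lists hold millions.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "Runner1"]

# Assumed guess rate for an offline attack on a fast hash (roughly a GPU rig);
# an assumption for the estimate, not a figure from the article.
ASSUMED_GUESSES_PER_SECOND = 1e11


def search_space(password):
    """Number of candidates in an exhaustive search of the same length over
    the union of the character classes the password actually uses."""
    alphabet = sum(len(cls) for cls in CHAR_CLASSES
                   if any(c in cls for c in password))
    return alphabet ** len(password)


def entropy_bits(password):
    """log2 of the search space: each extra bit doubles the attacker's work."""
    return math.log2(search_space(password))


def crack_estimate(password, rate=ASSUMED_GUESSES_PER_SECOND,
                   wordlist=COMMON_PASSWORDS):
    """Return (method, seconds). A wordlist hit costs one guess per entry
    tried, so length is irrelevant; otherwise the cost is the whole search
    space, which grows exponentially with length and alphabet size."""
    if password in wordlist:
        return "wordlist", (wordlist.index(password) + 1) / rate
    return "brute_force", search_space(password) / rate


if __name__ == "__main__":
    for pw in ["password", "Runner4567",
               "margretthatcheris110%SEXY", "admiralalonzoghostpenis420YOLO"]:
        method, secs = crack_estimate(pw)
        print(f"{pw:32s} {entropy_bits(pw):6.1f} bits  {method:12s} "
              f"{secs / 86400:.3g} days")
```

A wordlist hit falls in well under a second regardless of length, which is the case Snowden describes; the passphrases only pay off because they are both long and not in any list.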

After Wikileaks published the password, someone logged into his Twitter account and tweeted, “I’ve switched teams. Vote Trump 2016.” Someone else used the password to log in and erase all the content of Podesta’s Apple devices.

This means that AFTER Podesta’s emails were being published by Wikileaks and AFTER the DNC had been hacked, Podesta never changed his password.

Very comforting, right?

 

Credit
November 1, 2016 9:44 am

Masters of the universe don’t have to be careful, as they know themselves to be generally immune to consequences. Power, influence and lots of money usually get them any help they may need.

RCW, a deplorable
November 1, 2016 9:49 am

A two-fer; that’s just swell. Not only corrupt but clueless to digital security. SMH

RiNS the deplorable
November 1, 2016 10:37 am

By Joe you are right! Never thought of that! Good points Steph. And yet Podesta is still a talking head on TV and at DNC. Incredible!

The Russians must be laughing their asses off.
Why spend big bucks on GRU and FSB
when one can get info for free….

Maggie
November 1, 2016 10:54 am

This should actually give EVERYONE pause.

Have you cemented your password pattern into place? My son bet me 20 dollars he could guess my password anywhere within a few tries.

BRAT.

I realized that over the years, he’d come to know all our special dates and pet names and little family jokes memorialized into password form. And so could other people who pay attention. Too many people DO try hard to pay attention to what is not their business.

TPC
November 1, 2016 10:59 am

Good article Calamity, people really don’t understand just how inept our government is when it comes to cybersecurity. Right now they are using mystical Russian hackers like the bogeyman, when it’s really just their own blinding stupidity at fault.

PS: You had an error. “If it weren’t for Wikipedia” should reference Wikileaks instead.

Administrator
  Stephanie Shepard
November 1, 2016 11:21 am

Fixed

Maggie
  Administrator
November 1, 2016 12:12 pm

JQ on the spot! I don’t care what the big dogs say about you, JQ… you are pretty much all right.

Maggie
November 1, 2016 12:15 pm

I dunno why they “go” sometimes; others not. I suppose I could figure it out if anyone else hasn’t done so.

Back in PA Mike
November 1, 2016 3:09 pm

So the shocking revelation is that John Podesta is an unadulterated moron like the rest of the demoncrat thieves.

Jenny R.
  Back in PA Mike
November 1, 2016 5:54 pm

Well, it is either that or he intentionally left some things very hackable for some reason(s).
Hubris and greed are usually the downfall of the powerful…and are in a sense forms of stupidity of the most toxic kind.

IndenturedServant
November 1, 2016 11:30 pm

People are lazy idiots and in some cases, lazy useful idiots as clammy points out, when it comes to passwords. Crafting a memorable 25+ character password is simple.

As an example, most of us have lived in many places over our lives. You could take the house/lot number of the first place you lived coupled with the next three street names you lived on followed by the name of your best friend’s dog plus a special character or three. You could spell the first street name you lived on combined with the zip code for the next two places you lived. You could also combine three or more of your favorite words spelled out in three different languages. I have a penchant for memorizing long strings of numbers like UPC codes and since I worked in a business where knowing UPC codes was useful, I combine them with unrelated partial product names to create unknowable passwords that only exist in my head. Whenever I have a need to share a password with my wife, she is always astounded at what I can remember without having to write it down.

What drives me nuts is that each site requiring a password has different rules for numbers, special characters, length, etc., so it becomes a pain in the ass keeping track of what was used where, especially for infrequently used sites.

Maggie
  IndenturedServant
November 2, 2016 5:46 am

What you said. Exactly. Now, where did I use the ampersand and where did I use the zero?

IndenturedServant
  Maggie
November 2, 2016 6:51 am

🙂 Maggie, you could put together technical jargon associated with your Bionic M&M days that no one would ever get!

Maggie
  IndenturedServant
November 2, 2016 8:35 am

oooh…. I just got a great idea! You are right!

Maggie
  Stephanie Shepard
November 2, 2016 8:39 am

I have the odd trait of being able to remember all the telephone numbers I called regularly as a kid. So, if my keyword/hint is Karen, then the number was her phone number when we were kids with any 1’s replaced by exclamation points and any zero with an o. Almost always meets the symbol/number/letter requirements. If a Capital Letter is required, then K will be the last letter of the password.

This came to me after I moved back to this part of the country, where I bump into or drive by the occasional home with which I grew familiar in my youth. It is as if a segment of my brain long since closed simply opened up and when I drove by my old friend’s home of her youth, the number just popped into my brain. I called her father later that day to say hello.

GilbertS
November 2, 2016 3:20 am

Holy crap, clammy has come a long way! I didn’t realize who wrote the article until I got to the bottom. Never before has your content annoyed me less than it did in the above article. Well done, madam!

For what it’s worth, our nation’s military leadership is no better at this game. The DOD has suffered from massive phishing attacks. A couple years ago, OPM lost practically everyone’s background investigation data. I met a guy who told me he received what he believed was an OPM attack-related scam email. The email was a typical phishing email offering several thousand dollars if you just click on the included link. The funny part about it, however, was the sender’s fake email address was the previous OPM Director of Cyber Security’s name at OPM.Gov.

Maggie
  Stephanie Shepard
November 2, 2016 5:48 am

This is good to realize stuff, Stephanie. My son is really making strides in becoming a self-supporting young rocket scientist.

Maggie
  Stephanie Shepard
November 2, 2016 8:53 am

I posted a comment to my 12 hillbilly friends and neighbors here that included a video of my morning routine. I had coffee, snarked a few remarks here (did I post that letter my religious zealot friend sent to me?), then went out to greet the real big dogs, chickens and bunnies. After a couple of antics included for my dear friend in Ireland, I did the dishes and uploaded the videos of my morning visit with the animals. By the time I returned to the house, my hardworking husband had returned from his morning run to the hardware store for recessed lighting for the basement and was busy in the basement while I had time to clear my kitchen and make the granola. This year’s recipe includes HSF’s maple syrup and Chia seed, which my son suggested would add something. It does.

I titled the video “Have I Got it ALL?”

My husband and I are adjusting to a life where each of us does what it is we do well. He completes me and even though the burden at times may seem hard to him, the reward at the end of the day and throughout is what makes the world go round.

Yeah… at the age of 54, withdrawn from a world that insists only certain people are qualified to be in charge even though they are idiots who write their passwords on their desk with a Sharpie, and determining exactly who and what is going to be worthy of one minute of my time for the rest of my life, I got it made.

IndenturedServant
  GilbertS
November 2, 2016 6:53 am

Clammy is like fine wine…improving with age all the time.

Maggie
November 2, 2016 8:57 am

The hint of fine wine brought this to mind: Did I mention that I do miss being able to open a bottle of Chardonnay or Merlot at a gathering without multiple people walking over to take a swig and “See what you got there” and then spitting it out, proclaiming it to be some sour shit.

Hillbillies are sweet wine folks.

Maggie
  Maggie
November 2, 2016 8:58 am

And they share their wine straight from the bottle.