CELEBRITY HACKER
Hacker pleads guilty to unauthorised access to a protected computer and aggravated identity theft. Lucian Constantin reports
It might be a good idea, especially for high-ranking politicians, to attend training courses on how to protect themselves and their online accounts from social engineering attacks
The activity of Romanian hacker Marcel Lehel Lazar (Guccifer), who has admitted to compromising almost 100 email and social media accounts belonging to US government officials, politicians, and other high-profile individuals, is the latest proof that humans are the weakest link in computer security.
Lazar, 44, is not a hacker in the technical sense of the word. He’s a social engineer: a clever and persistent individual with a lot of patience who a Romanian prosecutor once described as “the obsessive-compulsive type”. By his own admission, Lazar has no programming skills. He didn’t find vulnerabilities or write exploits. Instead, he’s good at investigating, finding information online and making connections.
He recently pleaded guilty to a protected computer and aggravated identity theft.
Low-tech hacking, high-profile targets
According to the Department of Justice, Lazar admitted that from at least October 2012 to January 2014, he gained unauthorised access to the email and social media accounts of around 100 Americans, with the intention of obtaining their personal information and correspondence.
His victims included an immediate family member of two former US presidents, a former US Cabinet member, a former member of the US Joint Chiefs of Staff, and a former presidential adviser, the DOJ said.
While the victims weren’t named in the indictment, Lazar is known to have released documents, pictures and information that were stolen from the personal email accounts of former US Secretary of State Colin Powell and several members and friends of the Bush family, including Dorothy Bush Koch, daughter of 41st US President George H.W. Bush and sister of 43rd US President George W. Bush.
In an interview with online publication Pando Daily in 2015, Lazar said that he gained access to Powell’s AOL email account by guessing the password, which was based on the former secretary of state’s grandmother’s name. There he found correspondence between Powell and a Romanian politician named Corina Cretu, which led to him targeting her as well.
In the same interview, Lazar claims that he broke into Cretu’s Yahoo email account after guessing the answer to her security question: the street where she grew up. First, he found the name of the primary school that she attended on her public Facebook page. Then he methodically tried out street names close to Cretu’s childhood school until he found the right one, correctly assuming that she attended a school close to her home.
This shows how apparently harmless information such as a school’s name can help criminals and why people should be careful with what they disclose about their lives online.
Preventing social engineering attacks
Of course, celebrities, politicians and other public figures can’t always avoid information about their personal lives appearing online. If they don’t disclose it themselves, someone else probably will, in Wikipedia pages, news articles, gossip blogs, biographies and so on.
It might be a good idea then, especially for high-ranking politicians, to attend training courses on how to protect themselves and
their online accounts from social engineering attacks. Other politicians whose personal email accounts were compromised in the past by hackers using social engineering techniques include former Alaska Governor Sarah Palin and CIA Director John Brennan.
Once they achieve a certain level of fame that could make them a target, everyone should go back and review their online accounts. Do those websites really need so much real personal information or can some be removed? Are passwords strong enough and different between accounts? Do the websites offer two-factor authentication? What account recovery or password reset options do they offer? Are they easy to bypass using public information? Are the answers to security questions for those accounts easily guessable? Are those accounts even needed anymore? If not, is there an account delete option?
These are good issues for anyone – not just the rich and famous – to address. It might be a time-consuming process, but not more than having to later deal with a potential data breach and having your private conversations with friends, family, or past lovers dumped in the public domain.
Already in prison
Lazar was extradited earlier this year to the US from Romania, where he was already serving a prison sentence for hacking into the email accounts of local public figures. His sentencing is scheduled for 1 September. After that he could be returned to his home country to serve out his sentence there, as the Romanian courts granted extradition for a maximum of 18 months.
In Romania, Lazar is serving two prison sentences, for a total of seven years. In June 2014 he was sentenced to four years in prison for hacking into the personal email account of George Maior, the former head of the Romanian Intelligence Service and current Romanian ambassador to the US.
However, at that time he was already under a six-year supervised release term after receiving a three-year suspended prison sentence in 2012 for hacking into the email accounts of other Romanian celebrities. Because he violated the release terms, the older three-year prison sentence was activated and he must serve seven years. It’s not clear if the US sentence, which can carry a punishment of between two and seven years in prison, will be served separately.