Hacker pleads guilty to unauthorised access to a protected computer and aggravated identity theft. Lucian Constantin reports

Tech Advisor

The activity of Romanian hacker Marcel Lehel Lazar (Guccifer), who has admitted to compromising almost 100 email and social media accounts belonging to US government officials, politicians, and other high-profile individuals, is the latest proof that humans are the weakest link in computer security.

Lazar, 44, is not a hacker in the technical sense of the word. He’s a social engineer: a clever and persistent individual with a lot of patience whom a Romanian prosecutor once described as “the obsessive-compulsive type”. By his own admission, Lazar has no programming skills. He didn’t find vulnerabilities or write exploits. Instead, he’s good at investigating, finding information online and making connections.

He recently pleaded guilty to unauthorised access to a protected computer and aggravated identity theft.

Low-tech hacking, high-profile targets

According to the Department of Justice, Lazar admitted that from at least October 2012 to January 2014, he gained unauthorised access to the email and social media accounts of around 100 Americans, with the intention of obtaining their personal information and correspondence.

His victims included an immediate family member of two former US presidents, a former US Cabinet member, a former member of the US Joint Chiefs of Staff, and a former presidential adviser, the DOJ said.

While the victims weren’t named in the indictment, Lazar is known to have released documents, pictures and information that were stolen from the personal email accounts of former US Secretary of State Colin Powell and several members and friends of the Bush family, including Dorothy Bush Koch, daughter of 41st US President George H.W. Bush and sister of 43rd US President George W. Bush.

In an interview with online publication Pando Daily in 2015, Lazar said that he gained access to Powell’s AOL email account by guessing the password, which was based on the former secretary of state’s grandmother’s name. There he found correspondence between Powell and a Romanian politician named Corina Cretu, which led to him targeting her as well.

In the same interview, Lazar claims that he broke into Cretu’s Yahoo email account after guessing the answer to her security question: the street where she grew up. First, he found the name of the primary school that she attended on her public Facebook page. Then he methodically tried out street names close to Cretu’s childhood school until he found the right one, correctly assuming that she attended a school close to her home.

This shows how apparently harmless information such as a school’s name can help criminals and why people should be careful with what they disclose about their lives online.

Preventing social engineering attacks

Of course, celebrities, politicians and other public figures can’t always avoid information about their personal lives appearing online. If they don’t disclose it themselves, someone else probably will, in Wikipedia pages, news articles, gossip blogs, biographies and so on.

It might be a good idea then, especially for high-ranking politicians, to attend training courses on how to protect themselves and their online accounts from social engineering attacks. Other politicians whose personal email accounts were compromised in the past by hackers using social engineering techniques include former Alaska Governor Sarah Palin and CIA Director John Brennan.

Once they achieve a certain level of fame that could make them a target, everyone should go back and review their online accounts. Do those websites really need so much real personal information or can some be removed? Are passwords strong enough and different between accounts? Do the websites offer two-factor authentication? What account recovery or password reset options do they offer? Are they easy to bypass using public information? Are the answers to security questions for those accounts easily guessable? Are those accounts even needed anymore? If not, is there an account delete option?

These are good issues for anyone – not just the rich and famous – to address. It might be a time-consuming process, but not more than having to later deal with a potential data breach and having your private conversations with friends, family, or past lovers dumped in the public domain.

Already in prison

Lazar was extradited earlier this year to the US from Romania, where he was already serving a prison sentence for hacking into the email accounts of local public figures. His sentencing is scheduled for 1 September. After that he could be returned to his home country to serve out his sentence there, as the Romanian courts granted extradition for a maximum of 18 months.

In Romania, Lazar is serving two prison sentences, for a total of seven years. In June 2014 he was sentenced to four years in prison for hacking into the personal email account of George Maior, the former head of the Romanian Intelligence Service and current Romanian ambassador to the US.

However, at that time he was already under a six-year supervised release term after receiving a three-year suspended prison sentence in 2012 for hacking into the email accounts of other Romanian celebrities. Because he violated the release terms, the older three-year prison sentence was activated and he must serve seven years. It’s not clear if the US sentence, which can carry a punishment of between two and seven years in prison, will be served separately.
