The FBI has put law enforcement and high-profile public officials on notice that they could be targeted by hacktivists following the recent doxing of CIA director John Brennan by the hacktivism collective called Crackas With Attitude.
Brennan’s AOL email account was taken over by a teen associated with the group who posed as a Verizon employee to steal bits of personal data from Verizon related to Brennan. Enough personal information was socially engineered from Verizon to reset Brennan’s AOL account. The stolen email was then shared with the media and posted to WikiLeaks.
Today’s advisory from the FBI warns that such doxing attacks are likely to continue, and urges officers and public figures to be vigilant about their social media activities in particular.
“Law enforcement personnel and public officials need to maintain an enhanced awareness of the content they post and how it may reflect on themselves, their family, and their employer, or how it could be used against them in court or during online attacks,” the FBI said in its advisory.
While none of the data stolen from Brennan was classified, it was intimately personal, including his SF-86 government security clearance application, which is a complete dossier of an individual’s personal history and is used to by federal agencies for background checks. These are the same types of documents that were lost in the Office of Personnel Management (OPM) hack.
“Recent activity suggests family members of public officials and law enforcement officers are also at risk for these types of targeting activity,” the FBI said. “Targeted information may include personally identifiable information and public information and pictures from social media Web sites.”
The FBI’s advisory concludes with a long laundry list of security measures that officials who are potential targets can take to secure their accounts. These include: enabling two-factor authentication on email and social media accounts; making full use of privacy and security settings for social media accounts and personal computers; sanitize social media posts of personal and professional responsibilities; patching and updating software and hardware; being vigilant about opening suspicious email attachments; avoiding the use of correct or obvious answers to password-reset security questions; and other basic security hygiene.
Security experts have been aware of Crackas With Attitude since early October, which has also claimed to have accessed personal information on other U.S. government officials. There are two prominent members of the collective who link themselves to the group in their respective Twitter profiles, one of which frequently posts about his opposition to U.S. policy with regard to Palestine. They primarily rely on social engineering to steal data.
