Euro Security Watch with Mathew J. Schwartz

Awareness & Training , Cybersecurity , Data Breach

Parents, Teach Kids to Not Share State Secrets via Yahoo Cybersecurity Ignorance Makes Nation-State Hacks Easier
Parents, Teach Kids to Not Share State Secrets via Yahoo

Move over civics class, there needs to be a new, mandatory school lesson: cybersecurity smarts. That's because increasingly, the bad information security choices made by some people in positions of power have ramifications for the rest of us.

See Also: Balancing Fraud Detection & the Consumer Banking Experience

Case in point: Two Russian spies allegedly paid two freelance hackers to hack Yahoo - for intelligence-gathering purposes. Otherwise, why would cybercriminals - who operate with profit as their principle motive - have bothered? They'd have gotten better bang for their buck via other types of attacks, such as ransomware and banking Trojans.

"You may want to sit down with your spouse and children and bring them up to speed." 

Cybercriminals prefer easy pickings. Of course, that same ethos seems to inform many intelligence-gathering operations. As the recent WikiLeaks dump of CIA hacking tools demonstrates, don't worry about cracking crypto when you can just bug the smartphone.

On a related note, hacking Yahoo makes more sense when it comes to gathering intelligence, and especially intelligence about a certain generation of users. As Sean Cassidy, CTO of security firm DefenseStorm, notes via Twitter, "Yahoo/AOL use is high among a certain age group."

Unfortunately, some members of that age group also hold positions of power, yet appear to trust webmail services - AOL, Gmail, Hotmail, Yahoo - to send and store sensitive information, if not state secrets. "At first I was all: 'What good is 500m yahoo accounts? That's like, one step up from AOL,'" the operational security expert who calls himself the Grugq says via Twitter. "And then I remembered that Pence used AOL for work."

He's referring to U.S. Vice President Mike Pence, who used AOL to conduct public business while serving as the governor of Indiana. Perhaps not coincidentally, his AOL account has also been hacked.

Pence, 57, has been called out for apparent hypocrisy, because he'd accused Hillary Clinton, 69, of putting classified secrets at risk by using a private email server while she served as secretary of state. Clinton, meanwhile, appears to have gotten bad advice from her predecessor, Colin Powell, 79, who later had his AOL email account hacked and dumped, allegedly by Russians (see New Clinton Email Shows Bad Advice from Colin Powell).

As of January, meanwhile, U.S. president Donald Trump, 70, appeared to be using a conventional Android smartphone, at least for tweeting. As the CIA hacking-tool dump demonstrated, Android has seen more than its share of exploitable flaws, thus making the commander-in-chief's choice of device questionable, at best.

AOL Jumped the Shark

Pence's own choices also reveal an apparent lack of cybersecurity wisdom. Indeed, AOL was big in the late-1990s dial-up modem days, and arguably peaked in 1998 when its "you've got mail" tagline became the title of Nora Ephron's Tom Hanks and Meg Ryan rom-com of the same name.

Fast-forward to 2014, meanwhile, when AOL warned users that a single online attack had compromised 2 percent of its accounts and urged its tens of millions of users to change their passwords.

The next year, however, the now-former director of the Central Intelligence Agency, John Brennan, 61, was also caught out for poor cybersecurity choices after his personal AOL email account was hacked, apparently by an American teenager who stole emails and attachments. Not long after, WikiLeaks dumped the stolen data, which included personal information for some top U.S. intelligence and national security officials.

Easy Pickings

That's why hackers with nation-state handlers might target AOL or other webmail accounts, rather than just attempting to penetrate more heavily secured - and monitored - government-issued email accounts.

In the Yahoo hacking case, for example, the indictment charges Igor Sushchin and Dmitry Dokuchaev, both members of Russia's Federal Security Service, or FSB, with acting as handlers for a 22-year-old hacker named Karim Baratov.

"When the FSB officers, Sushchin and Dokuchaev, learned that a target of interest had email accounts at webmail providers other than Yahoo, including through information gained from the Yahoo intrusion, they would task Baratov to access the target's account at the other providers," according to the indictment. "When Baratov was successful, as was often the case, his handling FSB officer, Dokuchaev, paid him a bounty."

Baratov was arrested March 14 in Canada and remains in Toronto police custody. His alleged FSB handlers, meanwhile, remain in Russia.

Canada-based Karim Baratov, 22, allegedly hacked Yahoo accounts at the request of Russian FSB handlers. (Photo: Facebook)

Russian authorities have denied that its domestic spy agency, the FSB, was involved in the Yahoo hack. "We have said repeatedly that there can be no discussion of any official involvement of any Russian office, including the FSB, being involved in any unlawful cyber activities," Kremlin spokesman Dmitry Peskov told Reuters. He said Moscow had yet to receive any official communications relating to the indictment from U.S. authorities, saying the Kremlin had to date been relying on media reports.

Russian MP Leonid Slutsky, who chairs the Duma - Russia's legislative body - reportedly said the charges were an attempted smear campaign by the United States, and said his government has repeatedly called on "the respective U.S. agencies to cooperate to establish the truth and to prevent such situations in principle in the near future.

"But apparently, our U.S. colleagues are interested in fabricated and virtual hacks rather than the fight against real hacks," Slutsky told Russian news agency Tass. "Such situations are used for marginalizing Russia's image in the U.S. and the world."

Parents: Talk About 'Cyber' With Your Kids

Whatever your view of Russia's claims, as with so many things in life, the solution to these problems likely comes down to parenting. In fact, it's our duty, as the U.S. indictment revealed that hackers would not only target their victims directly, but also hack into the email accounts of people close to them, seeking potential leverage.

When it comes to online security, one takeaway from the Yahoo hacks, says Thomas Rid, a professor of security studies at King's College London, is to "sit down with your spouse and children and bring them up to speed."

It may be too late for the likes of Clapper, Clinton, Pence, Powell and Trump. But we can still educate our kids.

Then again, as with all things technology - witness this month's fantastic primer on messaging securely in Teen Vogue - they're hopefully already well beyond the rest of us.



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network