Hacker Calls FBI's I.T. Department, Gains Access To Network

Humans are the biggest cybersecurity weakness

Early Telephone Set Illustration

Adolphe Bitard, via Wikimedia Commons

On Sunday, a hacker threatened to dump the contact information of thousands of FBI and Department of Homeland Security employees online. Then on Monday, the hacker made good on said threat and released the information, first from the DHS, then from the FBI. The hacker who released the information claimed to have had access to up to 200GB of further information, meaning there could be plenty more releases to come in the days ahead. So how did a person break into the systems of two of America's most high-profile agencies? A phone call, it appears.

The data was obtained, the hacker told Motherboard, by first compromising the email account of a DoJ employee, although he would not elaborate on how that account was accessed in the first place. (On Monday, the hacker used the DoJ email account to contact this reporter.) From there, he tried logging into a DoJ web portal, but when that didn't work, he phoned up the relevant department. “So I called up, told them I was new and I didn't understand how to get past [the portal],” the hacker told Motherboard. “They asked if I had a token code, I said no, they said that's fine—just use our one.”

As is so often the case, the easiest way into a secure system is by asking someone for the key. This is the same tactic that a teen hacker claims to have used to gain access to CIA chief John Brennan's personal email. And it's fairly similar to "spearphishing" attacks, where emails with links to download malicious software are sent to specific people inside a network, in the hopes that they'll open the email, follow the link, and compromise the system. This is reportedly how Russian hackers got into a Pentagon email server, Ukrainian power stations, and even less conspicuous targets, like a German steel mill. Even as the Director of National Intelligence warns that the Internet of Things is a major threat, it appears IRL networks of people are at least as vulnerable. Fortunately for companies that want to find the vulnerabilities in their human networks, there's an app for that.