ON THE @CENTCOM BREACH AND CYBER (IN)SECURITY
By Michael S. Smith II
On 12 January 2015, it became apparent that the credentials used to access USCENTCOM’s Twitter account had been compromised when images and messages that appeared to be supportive of the so-called Islamic State (Daesh) were broadcast by @CENTCOM. Although certainly an attention-winner, such a play is anything but clever. As I advised a Reuters reporter, “While this will probably be described as ‘sophisticated,’ it’s really not that difficult to gain access to someone else’s social media or e-mail account.”
It is not uncommon for users of social media and popular email services to unwittingly share their login information with others. Indeed, the ease with which one can gather and utilize such information from unsuspecting users of most social media and popular email services places the day’s shenanigans on par with using the name “Osama bin Laden” when making an online donation to the Obama campaign.
Understandably, the reporter whom I corresponded with could not reference my comments in full. Here is most of what I related:
While this will probably be described as “sophisticated,” it’s really not that difficult to gain access to someone else’s social media or email account. Particularly if the account manager/owner is not paying careful attention to messages (s)he replies to. And, as the administrators at Twitter will no doubt acknowledge, it happens quite often.
A common approach: A “hacker” will create a webpage that resembles the login page for the particular social media platform or popular e-mail service (i.e., Gmail) the account is hosted by, with data entry fields set up to auto-forward usernames and passwords to a “cutout” e-mail account. A link to the page is then sent to an unwitting recipient. The link is typically accompanied by a note that advises the recipient must reset the account password due to suspicious failed attempts to access the account by clicking the link, or they must click the link and enter their account credentials to review a message from the service administrator regarding the status of the account. When the recipient follows the instructions, the account username and password are then forwarded to a party who may quickly log in to the account and reset the password, thereby providing them enough time to use the account to send messages, etc. before the service administrator freezes the account.
My guess is there are a couple of PAOs who are blushing for handing the Islamic State the password to the accounts that were “hacked” today.
It would be “sophisticated” if IS’s IO agents hacked Twitter, and placed the group’s indicia on all Twitter accounts while announcing the owners have joined IS.
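The defence against the credential-phishing flow described in the correspondence above is to verify, before anyone types a password, that a “reset your password” link actually points at the service it claims to come from. The following link checker is an added example, not code from the original post; the service-to-domain table and the sample URLs are constructed assumptions.

```python
"""Flag links in 'reset your password' notices whose host is not the claimed service.

Constructed example. Catches the usual lookalike tricks: the real host hidden
after an '@', the service name used as a subdomain of another domain, bare IP
hosts, punycode/non-ASCII hosts, and login links served without TLS.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumed legitimate login domains per service (constructed for this example).
SERVICE_DOMAINS = {
    "twitter": {"twitter.com"},
    "gmail": {"google.com"},
}


def host_belongs_to(host: str, domains: set) -> bool:
    """True if host equals a legitimate domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_link(url: str, claimed_service: str) -> tuple:
    """Return (verdict, reason) for a link in a message claiming to come from claimed_service."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return ("suspicious", "non-web scheme")
    if parts.username or parts.password:
        # https://twitter.com@evil.example/ -> the real host is evil.example
        return ("suspicious", "credentials in URL mask the real host")
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        return ("suspicious", "bare IP address host")
    except ValueError:
        pass  # not an IP literal; continue with domain checks
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        return ("suspicious", "punycode/non-ASCII host (possible homograph)")
    if not host_belongs_to(host, SERVICE_DOMAINS[claimed_service]):
        # e.g. twitter.com.evil.example: service name as a subdomain of another domain
        return ("suspicious", f"host {host!r} does not belong to {claimed_service}")
    if parts.scheme != "https":
        return ("suspicious", "login link without TLS")
    return ("ok", "host matches service")
```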
While the sophomoric features of the 12 January cyber campaign targeting social media accounts managed by USG entities make such accomplishments anything but remarkable, the contents uploaded to @CENTCOM are, for they raise questions about whether this was truly demonstrative of Daesh’s capabilities.
Indeed, it is odd that a supporter of the Islamic State, much less a bona fide Daesh cyber operative, would refer to the group using the acronym ISIS, as this is the acronym for a name the group had used before, most recently, rebranding itself as the Islamic State. (Clearly, the group’s rebranding and expulsion from the al-Qa’ida fold confused some USG officials.)
As the Islamic State’s namesake reflects its controversial claim that it has (re)established a caliphate on territories under its control in Iraq and Syria, the Obama administration and many other governments have made it a policy not to refer to the group by this name. Most Western states refer to the group using acronyms — ISIS and ISIL — that reflect names used by the group prior to its leaders’ decision to rebrand the group as the “Islamic State.” More recently, US officials like Special Presidential Envoy for the Coalition to Counter ISIL Gen John Allen, USMC (Ret) have taken to calling the group Daesh, albeit oftentimes mispronouncing the term as “Dash.”
That a supporter or member of Daesh would execute such an attention-winning campaign while not referring to the group by its official name is suspicious. Then again, one should never overestimate the intelligence or attention to detail of the average jihadi.
Indeed, if the shenanigans du jour are the handiwork of a Daesh IO agent, one can only imagine the terrorist formerly known as Abu Bakr al-Baghdadi — now referred to by his followers as “Caliph Ibrahim” — is admonishing his inner circle for failing to impress upon their subordinates the importance of consistent branding and phraseology. (Think the scene in “Austin Powers” where Dr. Evil says, “It’s Dr. Evil — I didn’t spend six years in Evil Medical School to be called ‘mister,’ thank you very much.”)
Meanwhile, on a more serious note, another issue came to the attention of the DOWNRANGE team pursuant to our review of documents disseminated during the 12 January “hacking” escapades undertaken in the name of “ISIS”: After conducting an online search for information about one of the authors of the documents that were purportedly stolen and leaked by the “hacker(s)” responsible for the day’s headline-winning stunts, we noticed his LinkedIn account publicly lists “DOD” and “Security Clearance” among his “Skills” (screenshot below).
Setting aside the fact that neither is a skill, at a time when Islamist terrorist groups are encouraging their sympathizers to search such accounts for information about US servicemen and individuals who are employed by defense, intelligence and law enforcement organizations, one would think a former Air Force official now employed by a high-profile defense contractor would think twice about advertising his current access to secure facilities and/or classified information and technologies. A member or supporter of Daesh could very well seek to coerce him to divulge classified information — Is this how the purported Daesh supporter gained access to restricted documents with this contractor’s name on them? — or target him for assassination simply for performing work in support of the US Department of Defense.
There is no reason to publicly tout such credentials in this manner, particularly if one is a contractor, for it either invites offers for one to leak information or puts a bigger target on a contractor’s back. The only people who really need to know whether a contractor holds any form of clearance are employers (current and prospective), select colleagues, and the USG entities (s)he engages with while performing work that requires such clearances.