“Long Live Palestine, Long Live Gaza: This is for Palestine, Ramallah, West Bank, Gaza, This is for the child that is searching for an answer.”
These words were attached to a Dark Web file which contains personal information of 20,000 FBI employees and 9,000 Department of Homeland Security employees.
The hacker, who goes by the Twitter handle of @dotgovs, said that he or she had downloaded 200 gigabytes of sensitive information from the Department of Justice. If true, then the information obtained is 1,000 times deeper than the 30,000 records released.
The hacker claimed to have compromised US Department of Justice (DOJ) email accounts and gained access to the department’s Intranet.
How credible is this claim?
An Intel study found that 97% of all computer users could not correctly identify all 10 of 10 phishing emails as illegitimate. All that a hacker would have to do is send multiple types of phishing emails to be guaranteed that over 90% of respondents would provide the hacker their passwords.
ZDNET did a study and found that with a single phishing email, an average of 45% of users submitted their full login credentials.
Please see how horrifying these statistics are.
Email lists are available from nearly every government agency and every corporate entity. There are 123,000 DOJ employees. If statistics hold true, a single email phishing scheme would collect the login credentials of 61,000 DOJ employees. These employees would span the lists from finance to operations, to secret surveillance programs. The login credentials would give the hacker access to the DOJ Intranets and from there, access to everything that the compromised employees had access to.
A 12-year-old child could have done this. No exaggeration. Literally, a 12-year-old. There are phishing templates all over the Internet. All the child needs to be able to do is access email lists (all over the net), know how to send an email, and collect the results with the help of a few friends.
I receive phishing emails many times a day. I hope I am adept enough to identify them. However, even I nearly get snagged from time to time. I received one last week that nearly caught me. It looked like this:
The link sent me to a page that had the name of someone I had not heard from in quite a while. It said simply “Have you forgotten me?” There was a link for me to log into Dropbox to get the full message, for which I would have to sign into Dropbox using my email. I did not because no one had ever before sent me a message via Dropbox, and I was suspicious. Later that day I received a bulk mail from the person in question saying her email had been hacked.
Now, how did the email know that I had not been in contact with this person for quite a while? Simple. Our smart phones and the huge volume of applications that we download tell the entire world everything about us.
20% of all apps ask for permission to access our contacts. 10% ask permission to read our emails and our text messages. Nearly all want access to our location and our Wi-Fi connection. 5% want to make phone calls on our phones, without notifying us, that we sometimes must pay for. Another 5% ask permission to send emails and text messages on our behalf without notifying us. A full 15% ask permission to take photos or videos or to record our conversations without notifying us. All of these apps sell or give whatever information we allow them to have to third parties, which are always unnamed.
Everyone should know the above because I and hundreds of others have been screaming it from the rooftops for years. But it takes many poundings of a hammer to finally set a nail.
So, the phishing email I received had access to every contact and every email sent by my estranged acquaintance. It would take the most trivial of scripts to identify those people who had not been in touch with my acquaintance for a long time. This simple piece of information added tremendously to the believability of the scam. Had I and any other contacts been recently in communication with this person, the email would have said something like “please read this about yesterday’s emails” or something similar.
We seldom consider the wide-ranging implications of someone hacking into our email accounts. Assuming that they don’t change our passwords and lock us out – the worst of all possible scenarios – we are still in a world of hurt. Every email that we send or have sent and received can be read by the hacker. Every social media account and private website that we access can be accessed by the hacker, and all of our private messages on these sites can be read. Our bank statements, credit card statements, online purchases, credit reports and every other kind of financial information can be accessed. And of course, our contacts, which the hackers use to propagate additional phishing and other scams.
But what happens if the hackers lock us out of our social media and other private website accounts?
This happened to me for a short period when one of my fired campaign workers locked me out of Twitter, which the worker was managing. She also changed the password and credentials for the email account used to log on to Twitter.
I sent numerous emails to Twitter security and, after many back and forths, received this final communication:
The authorities finally got my Twitter account back but not before the fired worker had sent out dozens of bogus tweets pretending to be me.
My point is this: email accounts are the fundamental identifying elements of the internet. The assumption is that if a person has access to an email account then that is the real person. Yet these accounts are the easiest elements of the digital world to hack into. It has been estimated by various hacking groups that the passwords for more than 75% of all the world’s email accounts are available for purchase on the Dark Web.
If this paradigm does not change, and soon, there will be no private information left in the world.