Sophos Cloud Optix
Guccifer – a hacker who likes to pick on famous, powerful people – is once again poking at former US Secretary of State Colin Powell.
Powell, who had his email breached when Guccifer doxed ex-president George Bush and his Facebook page subsequently defaced, is now denying Guccifer-spawned allegations of an affair with Corina Cretu, a Romanian politician and journalist.
Guccifer in March took over Powell’s Facebook page and posted images he had weaseled out of the Bush family in February.
Those photos included some taken at the Bohemian Club, a top-secret meeting of the world’s male kingpins, along with a self-portrait of George W. Bush in the shower.
This time around, Guccifer reportedly hacked Cretu’s email account to get at Powell.
According to Infosecurity Magazine, Powell emailed Cretu on 31 July to tell her that by hacking email addresses out of former President Bush’s account, Guccifer is “driving everyone here crazy”:
"The hacker gets addresses from my contact list which he got when he hacked into President Bush's account. Our security people have been chasing him for months. He may have lots of your emails, maybe not, so best to delete all between us."
Alas, that advice appears to have been, as the saying goes, a day late and a dollar short.
Guccifer was apparently already in Cretu’s account.
The hacker reportedly posted tenderly yearning email messages from the Romanian politician to Powell on a Google Drive file, then publicised the drive on the Facebook account of a retired general who’s also a Facebook friend of Powell’s.
Guccifer also exposed the material directly to Powell’s Facebook followers by posting a message on Powell’s wall with a link to the Google Drive page, according to The Smoking Gun.
Guccifer also posted Cretu’s email to Cryptome – an online library of documents to do with cryptography, spying, surveillance and freedom of speech.
In a statement to The Smoking Gun, Powell said there’s no fire beneath the smoke of the flirty emails:
Over time the emails became of a very personal nature, but did not result in an affair. Those type of emails ended a few years ago. There was no affair then and there is not one now.
Was Ms. Cretu sloppy with her computer security? Perhaps she chose an easy-to-guess password, say?
Maybe she typed out those yearning emails to Colin Powell after having signed in to her email account using a head-bangingly silly password, such as the name of a pet?
It’s a crime to hack people’s accounts. Cretu was victimized, and so was Powell, and all else who get doxed in this manner.
One hates to blame the victim.
Oh, wait, scratch that! This is info security! The victim is often blamed!
Ms. Cretu, if you did, in fact, have an easy-to-guess password, I hope that in the aftermath of this incident that you start boning up on how to create one that’s a bit harder to guess.
It might not be your fault, morally speaking, if your password was hacked, but there’s no reason to make it easy as pie for troublemakers like Guccifer to get at your personal data.
Image of Colin Powell courtesy of stocklight / Shutterstock.com.
I have no knowledge of this situation, but often when a famous person's account gets hacked, it's due to those "Forgot My Password" questions that a growing number of sites make you fill out with much-easier-to-research-or-guess answers. So maybe everyone chose super-strong passwords, but answered the "What is the name of your pet?" password recovery question correctly.
I wonder if David Cameron might be caught out by that one?
https://www.google.co.uk/search?q=what+is+the+nam…
"…those "Forgot My Password" questions that a growing number of sites make you fill out with much-easier-to-research-or-guess answers."
That's an excellent point. I recently established an account on a security-related website, and the password recovery security questions they asked were all pre-packaged, and all of them were stupid. Any member of my extended family (siblings, cousins, etc.) could answer most of the questions. And if any of them have been blabbing such family history on Facecrook (many of them have Facecrook accounts; I don't), others could easily discover that information.
Such prepackaged security questions are just blitheringly stupid. How difficult is it to let the user create his/her own security questions, the answers to which ONLY the user knows? Many sites already do it.
We have a long way to go before everyone starts taking security seriously.
Sometimes the canned security questions are not only too easy–sometimes they’re just stupid. The institution at which I bank included “What is your grandmother’s maiden name?” Well, five years later I needed a password reset and was confronted with this question and the only thing I could think of was “Which one?”
When I brought the ambiguous question to their attention, they couldn’t see why there was a problem, and the question is still there.
Ever watch Jeopardy on television? The quiz show where the challenge is an answer and the contestants have to give the corresponding question? It works like this:
CHALLENGE: Wasilla High School
ANSWER: What is Sarah Palin’s email password.