FBI offers police 19 self-defence techniques to ward off hacktivists

Following the breach of the CIA director's personal email account, the FBI has warned police to be wary of hacktivist threats and its chief advice is to enable two-factor authentication (2FA).

The bureau has issued some operational security advice for police and public officials, cautioning against the practice of posting online pictures in official garb that display name tags or other information identifying a particular department.

These details, it noted in a public service announcement on Wednesday, make it easier for hackers to connect images on the web to officers’ personal lives and family.

The FBI singled out hacktivists in the announcement, highlighting their habit of dumping personal data online, known in hacker lingo as “doxing”.

“Hacking collectives are effective at leveraging open source, publicly available information identifying officers and public officials, their employers or associates, and their families,” the FBI said.

“With this in mind, officers and public officials should be highly aware of their email account security and their online presence and exposure.”

“Law enforcement personnel and public officials need to maintain an enhanced awareness of the content they post and how it may reflect on themselves, their family, and their employer, or how it could be used against them in court or during online attacks,” it continued.

The warning follows reports in October that a US male teenager had hacked the personal email account of CIA director John Brennan because the hacker disagreed with US foreign policy.

The hacker claimed to have tricked US carrier Verizon into providing Brennan’s personal information, which he then used to fool AOL support staff into resetting the password to the CIA director’s personal email account.

The teen then leaked screenshots of emails purportedly obtained from the account, which suggested Brennan had abused his authority. Brennan has since denied any wrongdoing on his part. That incident followed the doxing of an official from the Department of Homeland Security.

The attack against Brennan ultimately came down to well-known weaknesses in account recovery processes, in particular secret security questions whose answers can often be gleaned not only from social media profiles but also from a person's Internet service provider (ISP).

The FBI remarked that in a recent attack, “a threat actor typically contacts the ISP of the target, poses as an employee of the company, and requests details regarding the target's account.”

“Utilizing these details, the caller then contacts the target's email provider, successfully provides answers to security questions established for the email account, and is granted a password reset for the account. Ultimately, the actor gains access to the victim’s email account and begins to harvest personal or other information.”

Police officers, like all individuals, will find it near impossible to completely disconnect from social media, but the FBI warned officers should keep their “social media foot print to a minimum”.

So what should police and public officials do to protect their personal online email and social media accounts? Exactly what security experts have told consumers to do in order to prevent hackers from tearing up their online life.

The first of 19 recommendations by the FBI is to enable two-factor authentication on a personal email account.

Another suggestion, specific to police, is to “refrain from posting pictures showing your affiliation to law enforcement.”

“When posting on social media sites, do not provide details regarding your workplace, work associates, official position, or duties,” it wrote.

“Do not promote your personal or professional importance in online profiles or postings, as this may make you a potential target for adversaries to exploit.”


As for handling security questions, which are often compulsory upon sign-up, the FBI advised police to "avoid choosing questions with answers that can be easily verified (e.g., "What is your mother's maiden name?")."

If a particular security question is imposed on the user, it recommended using "secret meanings, irony, metaphors, or even incorrect responses", the idea being that no one but the individual will be able to guess the right answer.



Stories by Liam Tung
