Celebrity hacker Guccifer's confession gives us all a lesson in security

Marcel Lazar Lehel, 40, is escorted by masked policemen in Bucharest, after being arrested in Arad, 550 km (337 miles) west of Bucharest January 22, 2014. Lehel is allegedly the hacker using the nicknames "Guccifer" and "The Small Fume" and is suspected to have broken into several e-mail accounts of various politicians and celebrities and the head of Romania's Intelligence Service George Maior. Credit: REUTERS/Mediafax/Silviu Matei

The activity of Romanian hacker Guccifer, who has admitted to compromising almost 100 email and social media accounts belonging to U.S. government officials, politicians and other high-profile individuals, is the latest proof that humans are the weakest link in computer security.

Marcel Lehel Lazar, 44, is not a hacker in the technical sense of the word. He's a social engineer: a clever and persistent individual with a lot of patience whom a Romanian prosecutor once described as "the obsessive-compulsive type."

By his own admission, Lazar has no programming skills. He didn't find vulnerabilities or write exploits. Instead, he's good at investigating, finding information online and making connections.

Lazar pleaded guilty Wednesday in U.S. District Court for the Eastern District of Virginia to charges of unauthorized access to a protected computer and aggravated identity theft.

According to the Department of Justice, Lazar admitted that from at least October 2012 to January 2014, he gained unauthorized access to the email and social media accounts of around 100 Americans with the intention of obtaining their personal information and correspondence.

His victims included an immediate family member of two former U.S. presidents, a former U.S. Cabinet member, a former member of the U.S. Joint Chiefs of Staff, and a former presidential adviser, the DOJ said.

While the victims weren't named in the indictment, Guccifer is known to have released documents, pictures and information that were stolen from the personal email accounts of former U.S. Secretary of State Colin Powell and several members and friends of the Bush family, including Dorothy Bush Koch, daughter of 41st U.S. President George H.W. Bush and sister of 43rd U.S. President George W. Bush.

In an interview with online publication PandoDaily in 2015, Lazar said that he gained access to Powell's AOL email account by guessing the password, which was based on the former secretary of state's grandmother's name. There he found correspondence between Powell and a Romanian politician named Corina Cretu, which led to him targeting her as well.

In the same interview, Lazar claims that he broke into Cretu's Yahoo email account after guessing the answer to her security question: the street where she grew up. First he found the name of the primary school that she attended on her public Facebook page. Then he methodically tried out street names close to Cretu's childhood school until he found the right one, correctly assuming that she attended a school close to her home.

This shows how apparently harmless information like a school's name can help criminals and why people should be careful with what they disclose about their lives online.

Of course, celebrities, politicians and other public figures can't always avoid information about their personal lives appearing online. If they don't disclose it themselves, someone else probably will, in Wikipedia pages, news articles, gossip blogs, biographies and so on.

It might be a good idea then, especially for high-ranking politicians, to attend training courses on how to protect themselves and their online accounts from social engineering attacks. Other politicians whose personal email accounts were compromised in the past by hackers using social engineering techniques include former Alaska Governor Sarah Palin and CIA Director John Brennan.

Once they achieve a certain level of fame that could make them a target, everyone should go back and review their online accounts: Do those websites really need so much real personal information or can some be removed? Are passwords strong enough and different between accounts? Do the websites offer two-factor authentication? What account recovery or password reset options do they offer? Are they easy to bypass using public information? Are the answers to security questions for those accounts easily guessable? Are those accounts even needed anymore? If not, is there an account delete option?

These are good issues for anyone -- not just the rich and famous -- to address. It might be a time-consuming process, but no more so than dealing later with a potential data breach and having your private conversations with friends, family or past lovers dumped in the public domain.

Guccifer was extradited earlier this year to the U.S. from Romania, where he was already serving a prison sentence for hacking into the email accounts of various local public figures.

His sentencing in the U.S. is scheduled for Sept. 1. After that he could be returned to his home country to serve out his sentence there, as the Romanian courts granted extradition for a maximum of 18 months.

In Romania, Lazar is serving two prison sentences, for a total of seven years. In June 2014 he was sentenced to four years in prison for hacking into the personal email account of George Maior, the former head of the Romanian Intelligence Service and current Romanian ambassador to the U.S.

However, at that time he was already under a six-year supervised release term after receiving a three-year suspended prison sentence in 2012 for hacking into the email accounts of other Romanian celebrities. Because he violated the release terms, the older three-year prison sentence got activated and he must serve seven years.

It's not clear if the U.S. sentence, which can carry a punishment of between two and seven years in prison, will be served separately.
