Listen to the Podcast here
Big news, people, the FBI just got hacked last week! On Friday, November 12th, over 100,000 people received emails from the official FBI address issuing a warning about fake cyberattacks.
We are bringing you a 2-minute summary of the biggest cybersecurity incident this month.
This is a weird one, because from what we currently know, the person who did this didn't do any damage beyond the massive email blast through the FBI servers. Details are still unclear, but an anonymous Twitter user by the name "Pompompurin" has taken responsibility for the hack. When Brian Krebs interviewed this person, they said they did the hack to point out the glaring flaws in the FBI's system.
The spam emails were clearly fake, with Pompompurin naming themselves in the emails. In the interview, they said that they used one of the FBI's online portals to orchestrate the attack. It seems that all they had to do was create a user account on the portal. When they were informed an email with a one-time password would be sent to them, the FBI's own website leaked the password in the HTML code on the webpage.
Pompompurin found that they could send emails to themselves from the official FBI address and even edit the subject field and body. They used a simple script to replace these and automated the sending of the hoax email to tens of thousands of people around the US.
It's kind of scary how easily they managed to do it, especially considering it's a website run by the FBI, one of the world's leading intelligence agencies. The fact that this person chose not to do anything actually damaging or malicious should be comforting, but somehow I’m just not feeling great about it.
If the alarm bells to take security seriously weren't ringing before, they better be now. This is right on the heels of the US announcing their support of the Paris Call, check out our previous episode for all about that. We can be sure there are thousands of other websites, apps, and services we use on a daily basis that have massive loopholes like this, and it's just a matter of time before someone finds it.
And not everyone will be as benign as the person who pulled off this attack.
Thanks so much for listening. We'll be bringing you short snippets just like this on the latest news in AppSec, Infosec, and the broader world of Cybersecurity. Follow us, stay tuned, and have a great day!