The activity of Romanian hacker Guccifer, who has admitted to compromising almost 100 email and social media accounts belonging to U.S. government officials, politicians and other high-profile individuals, is the latest proof that humans are the weakest link in computer security.
Marcel Lehel Lazar, 44, is not a hacker in the technical sense of the word. He’s a social engineer: a clever and persistent individual with a lot of patience who a Romanian prosecutor once described as “the obsessive-compulsive type.”
By his own admission, Lazar has no programming skills. He didn’t find vulnerabilities or write exploits. Instead, he’s good at investigating, finding information online and making connections.
Lazar pleaded guilty Wednesday in U.S. District Court for the Eastern District of Virginia to charges of unauthorized access to a protected computer and aggravated identity theft.
According to the Department of Justice, Lazar admitted that from at least October 2012 to January 2014, he gained unauthorized access to the email and social media accounts of around 100 Americans with the intention of obtaining their personal information and correspondence.
His victims included an immediate family member of two former U.S. presidents, a former U.S. Cabinet member, a former member of the U.S. Joint Chiefs of Staff, and a former presidential adviser, the DOJ said.
While the victims weren’t named in the indictment, Guccifer is known to have released documents, pictures and information that were stolen from the personal email accounts of former U.S. Secretary of State Colin Powell and several members and friends of the Bush family, including Dorothy Bush Koch, daughter of 41st U.S. President George H.W. Bush and sister of 43rd U.S. President George W. Bush.
In an interview with online publication PandoDaily in 2015, Lazar said that he gained access to Powell’s AOL email account by guessing the password, which was based on the former secretary of state’s grandmother’s name. There he found correspondence between Powell and a Romanian politician named Corina Cretu, which led to him targeting her as well.
In the same interview, Lazar claims that he broke into Cretu’s Yahoo email account after guessing the answer to her security question: the street where she grew up. First he found the name of the primary school that she attended on her public Facebook page. Then he methodically tried out street names close to Cretu’s childhood school until he found the right one, correctly assuming that she attended a school close to her home.
This shows how apparently harmless information like a school’s name can help criminals and why people should be careful with what they disclose about their lives online.
Of course, celebrities, politicians and other public figures can’t always avoid information about their personal lives appearing online. If they don’t disclose it themselves, someone else probably will, in Wikipedia pages, news articles, gossip blogs, biographies and so on.
It might be a good idea then, especially for high-ranking politicians, to attend training courses on how to protect themselves and their online accounts from social engineering attacks. Other politicians whose personal email accounts were compromised in the past by hackers using social engineering techniques include former Alaska Governor Sarah Palin and CIA Director John Brennan.
Once they achieve a certain level of fame that could make them a target, everyone should go back and review their online accounts: Do those websites really need so much real personal information or can some be removed? Are passwords strong enough and different between accounts? Do the websites offer two-factor authentication? What account recovery or password reset options do they offer? Are they easy to bypass using public information? Are the answers to security questions for those accounts easily guessable? Are those accounts even needed anymore? If not, is there an account delete option?
These are good issues for anyone — not just the rich and famous — to address. It might be a time-consuming process, but not more than having to later deal with a potential data breach and having your private conversations with friends, family or past lovers dumped in the public domain.
Guccifer was extradited earlier this year to the U.S. from Romania, where he was already serving a prison sentence for hacking into the email accounts of various local public figures.
His sentencing in the U.S. is scheduled for Sept. 1. After that he could be returned to his home country to serve out his sentence there, as the Romanian courts granted extradition for a maximum of 18 months.
In Romania, Lazar is serving two prison sentences, for a total of seven years. In June 2014 he was sentenced to four years in prison for hacking into the personal email account of George Maior, the former head of the Romanian Intelligence Service and current Romanian ambassador to the U.S.
However, at that time he was already under a six-year supervised release term after receiving a three-year suspended prison sentence in 2012 for hacking into the email accounts of other Romanian celebrities. Because he violated the release terms, the older three-year prison sentence got activated and he must serve seven years.
It’s not clear if the U.S. sentence, which can carry a punishment of between two and seven years in prison, will be served separately.