​FBI offers police 19 self-defence techniques to ward off hactivists

Following the breach of the CIA director's personal email account, the FBI has warned police to be wary of hacktivist threats and its chief advice is to enable two-factor authentication (2FA).

The bureau has issued some operational security advice for police and public officials, cautioning against the practice of posting online pictures in official garb that display name tags or other information identifying a particular department.

These details, it noted in a public service announcement on Wednesday, make it easier for hackers to connect images on the web to officers’ personal lives and family.

The FBI singled out hacktivists in the announcement, highlighting their habit of dumping personal data online, known in hacker lingo as “doxing”

“Hacking collectives are effective at leveraging open source, publicly available information identifying officers and public officials, their employers or associates, and their families,” the FBI said.

“With this in mind, officers and public officials should be highly aware of their email account security and their online presence and exposure.”

“Law enforcement personnel and public officials need to maintain an enhanced awareness of the content they post and how it may reflect on themselves, their family, and their employer, or how it could be used against them in court or during online attacks,” it continued.

The warning follows reports in October that a US male teenager had hacked the personal email account of CIA director John Brennan because the hacker disagreed with US foreign policy.

The hacker claimed to have tricked US carrier Verizon into providing Brennan’s personal information, which he then used to fool AOL support staff into resetting the password to the CIA director’s personal email account.

The teen then leaked screenshots of emails purportedly obtained from the account, which suggested Brennan had abused his authority. Brennan has since denied any wrongdoing on his part. That incident followed the doxing of an official from the Department of Homeland Security.

The attack against Brennan ultimately came down to well-known weaknesses in account recovery processes, in particular secret security questions whose answers can often be gleaned not only from social media profiles but a person's Internet service provider (ISP).

The FBI remarked that in a recent attack, “a threat actor typically contacts the ISP of the target, poses as an employee of the company, and requests details regarding the target's account.”

“Utilizing these details, the caller then contacts the target's email provider, successfully provides answers to security questions established for the email account, and is granted a password reset for the account. Ultimately, the actor gains access to the victim’s email account and begins to harvest personal or other information.”

Police officers, like all individuals, will find it near impossible to completely disconnect from social media, but the FBI warned officers should keep their “social media foot print to a minimum”.

So what should police and public officials do to protect their personal online email and social media accounts? Exactly what security experts have told consumers to do in order to prevent hackers from tearing up their online life.

The first of 19 recommendations by the FBI is to enable two-factor authentication on a personal email account.

Another suggestion, specific to police, is to “refrain from posting pictures showing your affiliation to law enforcement.”

“When posting on social media sites, do not provide details regarding your workplace, work associates, official position, or duties,” it wrote.

“Do not promote your personal or professional importance in online profiles or postings, as this may make you a potential target for adversaries to exploit.”

As for handling security questions, which are often compulsory upon sign-up, the FBI advised police to "avoid choosing questions with answers that can be easily verified (e.g., "What is your mother's maiden name?")."

If a particular security question is imposed on the user, it recommended using "secret meanings, irony, metaphors, or even incorrect responses", the idea being that no one but the individual will be able to guess the right answer.

Want to know more? Why not become a CSO member and subscribe to CSO's mailing list. Get newsletters, updates, events and more right here.