Deconstructing the Bush family email hack
Summary: Last week, a hacker released information about the Bush family, which includes two former U.S. presidents. In this article, our own David Gewirtz takes us behind the scenes of the investigation.
On Thursday, The Smoking Gun ran an article describing the apparent hacking of email accounts belonging to the Bush family and family friends. Unlike other analysts, I’m not going to look at the contents of the messages disclosed. Instead, I’m going to spend a few minutes deconstructing the hack itself.
What got hacked?
According to the original article, six individual email accounts were compromised, although the Web site only enumerates five individuals. That point is, in and of itself, curious. The pattern of who was compromised is quite interesting as well, depending on whether you describe the individual as related to the first President Bush (George H.W.) or his son (George W.):
| Individual | Relationship to Bush 41 | Relationship to Bush 43 | Notes |
|---|---|---|---|
| Dorothy Bush Koch | Daughter | Sister | Her AOL account was apparently compromised |
| Scott Pierce | Barbara Bush's brother | Uncle | Mr. Pierce wasn’t named, but he’s Mrs. Bush’s only surviving brother. |
| Unspecified sister-in-law | Sister-in-law | Aunt | President Bush 41 has a number of siblings. Between Mrs. Bush’s siblings' surviving spouses and his, we can’t immediately guess who this person might be. |
| Williard Heminway | "Old friend" | Friend of his father | 79, of Greenwich, CT |
| Jim Nantz | "Longtime Bush family friend" | Family friend | CBS sportscaster |
| Unspecified | Unknown | Unknown | The sixth individual wasn’t specified either by name or description. There’s not enough information to speculate on identity. |
The reason for the above chart is to help us see if there are any patterns. The original article from The Smoking Gun is (probably purposely) vague, but it seems to indicate that six accounts were compromised. Another possibility is that only one account was compromised, but that it held a large collection of correspondence from the other five.
In any case, because the information released was – in the main – about Poppy Bush and correspondence related to his condition, and since the cluster of compromise is considerably closer to the elder President, if I were heading an investigation team, I’d start with those in 41’s circle of associates and see where there might be clues.
How did the hacker do it?
There are two main ways an attacker gains access to a public-cloud email account. The first is by working out the user name and the password remotely. The second is by some form of meat-space interaction: physical access to the person, their devices, or a password they wrote down.
Let’s look at that second option first. At least three of the victims are in their 70s or older. The odds of them all having good password discipline are minimal. In fact, it’s entirely possible that at least one of them wrote their password down and left it out in the open. I’ve seen people who use physical yellow sticky notes and paste their account names and passwords on their monitors.
In the case of the victims, there is the possibility that this sort of error was made, and that someone in their circle, possibly a service provider, found the written password and account information and made use of it. It’s also possible that one of these service providers was actually given the login information and asked to retrieve messages and type back replies to correspondents.
In other words, the butler could have done it.
On the other hand, as with the Sarah Palin email hack, the hacker may simply have guessed the password for the account (or, as in the Palin case, the answers to the account’s password-reset questions), either because of poor password hygiene on the part of a victim, or because so much information about the victims is publicly retrievable.
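To make the second point concrete, here is an added example (not from the article, and not describing how this particular account was actually accessed) of how a handful of publicly known facts about an account holder turn into a small, high-yield guess list, and of a check a defender can run at password-set time to reject passwords derived from such facts. The profile, names and facts below are constructed for illustration; the mutation rules (case variants, leet substitution, common suffixes, year appends, pairwise token concatenation) are the ordinary ones found in password-cracking rule sets.

```python
"""Added example: OSINT-derived password guesses and a rejection check.
The profile below is constructed; it is not a real person's data."""
import itertools
from datetime import date

# Constructed profile of a fictional account holder, built from the sort of
# facts a biography, news article or social profile would expose.
PROFILE = {
    "first": "Walter",
    "last": "Example",
    "spouse": "Margaret",
    "pet": "Ranger",
    "hometown": "Greenwich",
    "birth_year": 1934,
}

# Common substitutions and decorations seen in real password rule sets.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = ["", "!", "1", "123", "#"]


def _variants(word):
    """Case and leet variants of one token (lowercase mapping only)."""
    w = word.lower()
    yield w
    yield w.capitalize()
    yield w.upper()
    yield w.translate(LEET)
    yield w.capitalize().translate(LEET)


def osint_guesses(profile, this_year=None):
    """Return the set of candidate passwords derivable from a profile.

    Tokens are the profile's string values; each variant is decorated with a
    suffix or a year (birth year, two-digit birth year, recent years), and
    token pairs are concatenated in both orders."""
    this_year = this_year or date.today().year
    tokens = [v for v in profile.values() if isinstance(v, str)]
    years = set()
    if "birth_year" in profile:
        by = str(profile["birth_year"])
        years.update({by, by[-2:]})
    years.update(str(y) for y in range(this_year - 2, this_year + 1))

    guesses = set()
    for tok in tokens:
        for v in _variants(tok):
            for suf in SUFFIXES:
                guesses.add(v + suf)
            for y in years:
                guesses.add(v + y)
    for a, b in itertools.permutations(tokens, 2):
        guesses.add(a.lower() + b.lower())
        guesses.add(a.capitalize() + b.capitalize())
    return guesses


def is_guessable(password, profile, this_year=None):
    """True if the password is on the OSINT guess list (exact match) or
    contains any profile token as a case-insensitive substring."""
    if password in osint_guesses(profile, this_year):
        return True
    lowered = password.lower()
    tokens = [v.lower() for v in profile.values() if isinstance(v, str)]
    return any(tok in lowered for tok in tokens)


if __name__ == "__main__":
    # Year fixed so the output is stable; realistic use passes nothing.
    for pw in ["Ranger1934", "Margaret!", "W@lt3r", "xq7#Lm2$pV9r"]:
        print(pw, "guessable" if is_guessable(pw, PROFILE, 2013) else "ok")
```

The guess list this produces is only a few thousand entries, which is well within what a webmail login form or password-reset flow will tolerate if it is not rate-limited; that is the point. The substring check in `is_guessable` is deliberately blunt (a short token such as a three-letter nickname would flag many unrelated passwords), so a production policy would add a minimum token length.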
Why did the hacker do it?
While there’s always the possibility of a brilliant hacker who managed to tunnel in through miles and miles of secure defenses, I find that increasingly unlikely.
This wasn’t a strategically motivated hack. We have a long experience with hackers who penetrate a network or an email account and keep that information to themselves. Their purpose is espionage, the gathering of information – and they don’t want to let anyone know they’re there.
If this were a strategically motivated hack by another nation state or even a rival political player, we wouldn’t be reading about it now, and we certainly wouldn’t be reading about it because the hacker released his “take” for publication.
No, the hacker wanted bragging rights. This may be someone who has a personal grudge against the Bush family, as indicated by the statement in The Smoking Gun, “i have an old game with the [expletive deleted] bastards inside, this is just another chapter in the game.”
Of course, it's possible that the hacker is simply an individual who dislikes the Bushes and imagines a personal relationship of some kind with them, or who was simply showing off the fact that he or she was able to gain access.
How will this hack be investigated?
If I were leading this investigation, I’d initially look for someone who had regular, if intermittent, contact with the Bushes in a service-provider role. Although some of the information released was somewhat politically embarrassing (a statement made by Jeb about President Clinton, for example), most of the information and the photographs were deeply personal.
Releasing that sort of information is more likely to be done by someone with a personal grudge (and probably some level of access). The Bush family is a proud family, and releasing personal information about Poppy’s illness and how family and friends might deal with their grief should he succumb smacks far more of a personal grudge than a political one.
As for how this hack will be investigated, here’s a pretty simple answer: with the full might and power of the United States government. Personal and private details about the health and communications of two former Presidents, two former First Ladies, and a former governor were compromised.
Nothing – nothing – will stop the Secret Service and FBI from tracking this one down.
Will the hacker be caught?
I’ve been asked this question a lot in the past few days. In fact, I did an interview with NY Daily News, where I was asked that question: “Cybersecurity author David Gewirtz placed the odds of an arrest at 100%”
On the other hand, the Daily News asked Eddie Schwartz, of cybersecurity firm RSA, the same question. His answer: “Some hackers are very good at covering their tracks.”
I’m sure Mr. Schwartz is good at his job, but in this case, he’s wrong. The hacker has done very little to cover his tracks and – instead – seems more interested in showing off than in maintaining operational security.
This hacker will be caught. Of that, there’s no doubt.
By the way, if you want to know more about Bush administration email, you can read many more articles on the topic and my book (a free download) by clicking here.
Talkback
Makes sense to me
Someone will be arrested and will be made an example of; my only fear would be that it might not be the perpetrator.
A case of irresponsible stereotyping
My experience with people that age is that while response time does slow down, at what point it interferes with life depends on the person.
Have you never seen a 30 year old that looks and acts like the stereotypical 90 or vice versa?
Do you think passwords are not misused by young users, or that only 70 year olds use passwords like "password" or sticky notes?
I haven't seen the numbers, but I assume the use of password safes increases to compensate for the occasional loss by those who already decided to use passwords well. Passwords, encryption, and mishandling secrets have been around for centuries; read Simon Singh's "The Code Book". It would have been better if you had suggested a plausible alternative instead of making false associations. It is not 70 year olds who are claiming it should be a crime to have a secret to keep, like a password or credit card number.
I could say more about the age gap, but I refuse to take advantage of people's youth and lack of experience.
Stereotypes are often true
report the real facts, not just your opinions
"While there’s always the possibility of a brilliant hacker who managed to tunnel in through miles and miles of secure defenses, I find that increasingly unlikely." That quote is the dumbest thing I have ever heard coming from someone who supposedly keeps up with public hacks. How did you come up with the word "increasingly"? According to the details in the report, the FBI don't know what's going on, so how can we rule out that it wasn't a legit, experienced hacker who decided to release the info at a strategic time? You say that hackers don't publicize major hacks? How about the 10k passwords and logins to porn sites of government-paid employees a few months back? Did y'all forget about that? Or how about the personal hacks against the head of security for the Pentagon, Abdul something or other was his name. He was attacked for leaking information to the hackers via IRC chatrooms. Thus the LULZ BOAT became public and vengeful..... How about the call center directing all calls to the White House and shutting down the phones with thousands of calls per minute? How about the servers that were used for keeping security holes open on millions of machines, that the FBI supposedly fixed... but not really? How about ussc.gov being turned into a game of Asteroids and locking the government out of their own servers? THE FBI IS PISSED THEY CAN'T FIND THESE GUYS, AND ARE TRYING TO MAKE THEMSELVES LOOK GOOD IN LIGHT OF THE SITUATION.
Prove me wrong, and i will eat my words
This looked like an opinion piece to me
A minor point ...
Please don't use "were" instead of the grammatically correct "was".
Done by someone with a grudge?
Is there a TMZ for politics?
Damn.....