Deconstructing the Bush family email hack

Last week, a hacker released information about the Bush family, which includes two former U.S. presidents. In this article, our own David Gewirtz takes us behind the scenes of the investigation.
Written by David Gewirtz, Senior Contributing Editor

On Thursday, The Smoking Gun ran an article describing the apparent hacking of email accounts belonging to the Bush family and family friends. Unlike other analysts, I’m not going to look at the contents of the messages disclosed. Instead, I’m going to spend a few minutes deconstructing the hack itself.

What got hacked?

According to the original article, six individual email accounts were compromised, although the Web site only enumerates five individuals. That point is, in and of itself, curious. The pattern of who was compromised is quite interesting as well, depending on whether you describe the individual as related to the first President Bush (George H.W.) or his son (George W.):

| Individual | Relationship to Bush 41 | Relationship to Bush 43 | Notes |
| --- | --- | --- | --- |
| Dorothy Bush Koch | Daughter | Sister | Her AOL account was apparently compromised. |
| Scott Pierce | Barbara Bush's brother | Uncle | Mr. Pierce wasn’t named, but he’s Mrs. Bush’s only surviving brother. |
| Unspecified sister-in-law | Sister-in-law | Aunt | President Bush 41 has a number of siblings. Between Mrs. Bush’s siblings' surviving spouses and his, we can’t immediately guess who this person might be. |
| Williard Heminway | "Old friend" | Friend of his father | 79, of Greenwich, CT |
| Jim Nantz | "Longtime Bush family friend" | Family friend | CBS sportscaster |
| Unspecified | Unknown | Unknown | The sixth individual wasn’t specified either by name or description. There’s not enough information to speculate on identity. |

The reason for the above chart is to help us see if there are any patterns. The original article from The Smoking Gun is (probably purposely) obtuse, but it seems to indicate that six accounts were compromised. Another possibility is that one account was compromised, but had a large collection of correspondence from the other accounts.

In any case, because the information released was – in the main – about Poppy Bush and correspondence related to his condition, and since the cluster of compromise is considerably closer to the elder President, if I were heading an investigation team, I’d start with those in 41’s circle of associates and see where there might be clues.

How did the hacker do it?

There are two key ways a hacker gains access to a public-cloud email account. The first is by figuring out the user name and the password. The second is by some form of meat-space interaction.

Let’s look at that second option first. At least three of the victims are in their 70s or older. The odds of them all having good password discipline are minimal. In fact, it’s entirely possible that at least one of them wrote their password down and left it out in the open. I’ve seen people who use physical yellow sticky notes to paste their account names and passwords on their monitors.

In the case of the victims, there is the possibility that this sort of error was made, and that someone in their circle, possibly a service provider, found the written password and account information and made use of it. It’s also possible that one of these service providers was actually given the login information and asked to retrieve messages and type back replies to correspondents.

In other words, the butler could have done it.

On the other hand, as with the Sarah Palin email hack, the hacker may have guessed the password for the account, either because of poor password hygiene on the part of a victim, or because of the availability of substantial publicly-retrievable information on the victims.

Why did the hacker do it?

While there’s always the possibility of a brilliant hacker who managed to tunnel in through miles and miles of secure defenses, I find that increasingly unlikely.

This wasn’t a strategically motivated hack. We have a long experience with hackers who penetrate a network or an email account and keep that information to themselves. Their purpose is espionage, the gathering of information – and they don’t want to let anyone know they’re there.

If this were a strategically motivated hack by another nation state or even a rival political player, we wouldn’t be reading about it now, and we certainly wouldn’t be reading about it because the hacker released his “take” for publication.

No, the hacker wanted bragging rights. This may be someone who has a personal grudge against the Bush family, as indicated by the statement in The Smoking Gun, “i have an old game with the [expletive deleted] bastards inside, this is just another chapter in the game.”

Of course, it's possible that the hacker is simply an individual who dislikes the Bushes and imagines a personal relationship of some kind with them, or who was simply showing off the fact that he or she was able to gain access.

How will this hack be investigated?

If I were leading this investigation, I’d look initially for someone who had regular, if intermittent, contact with the Bushes in a service-provider role. Although some of the information released was somewhat politically embarrassing (a statement made by Jeb about President Clinton, for example), most of the information and the photographs were deeply personal.

Releasing that sort of information would more likely be done by someone with a personal grudge (and probably some level of access). The Bush family is a proud family, and releasing personal information about Poppy’s illness and how family and friends might deal with their grief should he succumb smacks far more of a personal grudge than a political one.

As for how this hack will be investigated, here’s a pretty simple answer: with the full might and power of the United States government. Personal and private details about the health and communications of two former Presidents, two former First Ladies, and a former governor were compromised.

Nothing – nothing – will stop the Secret Service and FBI from tracking this one down.

Will the hacker be caught?

I’ve been asked this question a lot in the past few days. In fact, I did an interview with NY Daily News, where I was asked that question: “Cybersecurity author David Gewirtz placed the odds of an arrest at 100%”

On the other hand, the Daily News asked Eddie Schwartz, of cybersecurity firm RSA, the same question. His answer: “Some hackers are very good at covering their tracks.”

I’m sure Mr. Schwartz is good at his job, but in this case, he’s wrong. The hacker has done very little to cover his tracks and – instead – seems more interested in showing off than in maintaining operational security.

This hacker will be caught. Of that, there’s no doubt.

By the way, if you want to know more about Bush administration email, you can read many more articles on the topic and my book (a free download) by clicking here.
