Article by Chris Wysopal
At corporations and government offices around the world a security failure happens every day.
Employees forward confidential calendar events and messages to personal calendars and personal email accounts. This may make their jobs easier, but it can put their companies at risk.
A recent security incident involving the FBI can teach us something about corporate security.
Excerpts in italics from “Hackers Intercept FBI Call With U.K.”:
The Federal Bureau of Investigation said cybercriminals hacked into a cybercrime conference call between its agents and law enforcement officials overseas.
The 16-minute call was posted on the Internet on Friday. The hacker collective Anonymous claimed responsibility, though the FBI didn’t name the group and said a criminal investigation was under way.
As a security person I am not content to know what happened. I need to know how it happened. Without understanding the how, we can’t prevent it in the future. In reading the news stories it has become clear how this happened.
The FBI said the breach wasn’t made on the agency’s secure email or other computer systems. Instead it appeared to be the result of a law enforcement officer overseas who was invited to be on the FBI call and who forwarded the information to his private email account, which was compromised by hackers.
Anonymous had been working to compromise the personal email accounts (Gmail, Yahoo, Hotmail, etc.) of federal agents from multiple countries. Personal accounts are MUCH easier to compromise than corporate/internal mail accounts:
- The authentication and password reset forms can be reached by any attacker over the internet
- There is typically no password strength enforcement
- Users reuse passwords, and the password associated with this email account may have been compromised in another breach
- There are automated password reset mechanisms
Anonymous successfully compromised at least one agent’s personal email account. When you have a large group as a target all you need is one weak account.
An international law enforcement conference call was scheduled to discuss the Anonymous investigation. A few dozen agents from 5 countries were sent meeting invitations over secure email channels to their internal official accounts. These invitations contained the dial in number and passcode to a conference bridge.
At least one of the agents forwarded the invitation to their personal email account, and at least one of those personal accounts had already been compromised by Anonymous.
Now Anonymous had the conference bridge information. They dialed into the conference call. The agents running the call did not audit individuals joining the call. Anonymous was able to eavesdrop on the call and deal an embarrassing setback to the investigation.
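The chain above starts with an invitation leaving the internal mail system for a consumer webmail account. That hop is visible at the mail gateway, so a defender can alert on it. The following is an added example, not code from the original post or from Veracode; the log format, the internal domain agency.example and the sample lines are all constructed for illustration. It flags messages sent from an internal address to one of the personal webmail providers named in the article when the message carries a calendar attachment or a conference-call subject:

```python
import re
from typing import Dict, List, Optional

# Constructed sample mail-gateway log lines (assumed format; not real logs).
SAMPLE_LOG = """\
2012-02-03T14:02:11Z from=agent.a@agency.example to=colleague.b@agency.example subject="Conf call: case review" attach=invite.ics
2012-02-03T14:05:42Z from=agent.a@agency.example to=agent.a.home@gmail.com subject="FW: Conf call: case review" attach=invite.ics
2012-02-03T14:07:09Z from=agent.c@agency.example to=vendor@partner.example subject="Invoice 4471" attach=invoice.pdf
2012-02-03T14:09:30Z from=agent.d@agency.example to=agent.d@yahoo.com subject="FW: Conf call: case review" attach=none
2012-02-03T14:11:02Z from=agent.e@agency.example to=agent.e@hotmail.com subject="lunch?" attach=none
"""

# Assumption: the organisation's own mail domain(s).
INTERNAL_DOMAINS = {"agency.example"}
# Consumer webmail providers named in the article.
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com"}

LINE_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<from>\S+) to=(?P<to>\S+) '
    r'subject="(?P<subject>[^"]*)" attach=(?P<attach>\S+)$'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one gateway log line into its fields; None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def looks_like_meeting(rec: Dict[str, str]) -> bool:
    """A calendar attachment or a conference-call subject marks a meeting invitation."""
    return rec["attach"].lower().endswith(".ics") or "conf call" in rec["subject"].lower()


def is_forward_to_personal(rec: Dict[str, str]) -> bool:
    """Internal sender, consumer-webmail recipient: the hop that leaked the bridge details."""
    return domain_of(rec["from"]) in INTERNAL_DOMAINS and domain_of(rec["to"]) in PERSONAL_WEBMAIL


def find_leaked_invites(log_text: str) -> List[Dict[str, str]]:
    """Return the log records where a meeting invitation left for a personal webmail account."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_forward_to_personal(rec) and looks_like_meeting(rec):
            findings.append(rec)
    return findings


if __name__ == "__main__":
    for rec in find_leaked_invites(SAMPLE_LOG):
        print(f'{rec["ts"]} {rec["from"]} -> {rec["to"]}  "{rec["subject"]}"')
```

Run against the sample, two of the five lines are flagged: the Gmail forward with the .ics attachment and the Yahoo forward with the "Conf call" subject. The Hotmail message about lunch is ignored, as is the invoice to a partner domain. A real deployment would take the internal domain list from the mail system's configuration and could block, rather than merely log, forwards of invitations that carry dial-in details.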
There are a few lessons we can learn from this besides not forwarding confidential mail to personal email accounts. You need a strong password on personal email, and ideally two-factor authentication (as Google offers) if it is available. If the provider offers several password reset mechanisms, choose the strongest one.
Don’t use a secret question where the answer is public information or easily guessable. Paris Hilton used “What is the name of your dog?” on her T-Mobile account. Not a good choice.
Finally, if sensitive information is discussed on a conference bridge, audit the people joining the call. There is a reason the service beeps when people join.
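Auditing joiners means reconciling who dialled in against who was invited. The following is an added example, not code from the original post or from Veracode; the bridge log format, the PIN and the caller IDs are constructed, and it assumes the bridge exports a join/leave log with caller ID. It reports withheld caller IDs, callers not on the invitation list, and an invited caller ID that joins a second time (the same bridge details used from two phones), and it lists invitees who never joined so the moderator can do a roll call:

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed invitation roster: caller IDs the invitees said they would dial from (assumption).
INVITED_CALLERS: Set[str] = {"+15550100", "+15550101", "+442055500100"}

# Constructed bridge join/leave log (assumed format, not from any real conferencing product).
BRIDGE_LOG = """\
14:00:02 JOIN pin=482913 caller=+15550100
14:00:15 JOIN pin=482913 caller=+442055500100
14:00:40 JOIN pin=482913 caller=withheld
14:00:55 JOIN pin=482913 caller=+15550199
14:01:03 JOIN pin=482913 caller=+15550100
14:02:10 LEAVE caller=+442055500100
"""


@dataclass
class Finding:
    time: str
    caller: str
    reason: str


def parse_event(line: str) -> Dict[str, str]:
    """Split '<time> <KIND> k=v k=v' into a dict; unknown keys are kept as-is."""
    parts = line.split()
    event = {"time": parts[0], "kind": parts[1]}
    for kv in parts[2:]:
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def join_events(log_text: str) -> List[Dict[str, str]]:
    return [parse_event(l) for l in log_text.splitlines() if l.strip()
            and parse_event(l)["kind"] == "JOIN"]


def audit_bridge(log_text: str, invited: Set[str]) -> List[Finding]:
    """Flag every JOIN the moderator should challenge before sensitive discussion starts."""
    seen: Set[str] = set()
    findings: List[Finding] = []
    for ev in join_events(log_text):
        caller = ev.get("caller", "")
        if caller in ("", "withheld", "unknown"):
            findings.append(Finding(ev["time"], caller, "caller ID withheld"))
        elif caller not in invited:
            findings.append(Finding(ev["time"], caller, "not on invitation list"))
        elif caller in seen:
            findings.append(Finding(ev["time"], caller, "second join with an invited caller ID"))
        seen.add(caller)
    return findings


def roll_call_gap(log_text: str, invited: Set[str]) -> Set[str]:
    """Invited caller IDs that never joined: confirm by name who is actually on the line."""
    joined = {ev.get("caller", "") for ev in join_events(log_text)}
    return invited - joined


if __name__ == "__main__":
    for f in audit_bridge(BRIDGE_LOG, INVITED_CALLERS):
        print(f"{f.time} {f.caller or '<none>'}: {f.reason}")
    print("did not join:", sorted(roll_call_gap(BRIDGE_LOG, INVITED_CALLERS)))
```

Caller ID can be withheld or spoofed, so this reconciliation is a roll-call aid rather than authentication of participants. The stronger control on the bridge side is a unique PIN per invitee instead of one shared passcode: a join then identifies which invitation it came from, and a passcode that leaks from a compromised mailbox points back to the account it was issued to.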
As you can see, attackers are crafty and unrelenting. You need to stick to secure operating procedures or you will be easily compromised.
Cross-posted from Veracode Blog