FBI Bitten by Operational Security

Monday, February 13, 2012

Fergal Glynn


Article by Chris Wysopal

At corporations and government offices around the world a security failure happens every day.

Employees forward confidential calendar events and messages to personal calendars and personal email accounts. This may make their jobs easier but it can put their companies at risk.

A recent security incident involving the FBI can teach us something about corporate security.

Excerpts in italics from Hackers Intercept FBI Call With U.K.:

The Federal Bureau of Investigation said cybercriminals hacked into a cybercrime conference call between its agents and law enforcement officials overseas.

The 16-minute call was posted on the Internet on Friday. The hacker collective Anonymous claimed responsibility, though the FBI didn’t name the group and said a criminal investigation was under way.

As a security person I am not content to know what happened. I need to know how it happened. Without understanding the how, we can’t prevent it in the future. In reading the news stories it has become clear how this happened.

The FBI said the breach wasn’t made on the agency’s secure email or other computer systems. Instead it appeared to be the result of a law enforcement officer overseas who was invited to be on the FBI call and who forwarded the information to his private email account, which was compromised by hackers.

Anonymous had been working to compromise the personal email accounts (gmail, yahoo, hotmail, etc) of federal agents from multiple countries. Personal accounts are MUCH easier to compromise than corporate/internal mail accounts:

  • The authentication and password reset forms can be reached by any attacker over the internet
  • There is typically no password strength enforcement
  • Users reuse passwords, and the password associated with this email account may have been compromised in another breach
  • There are automated password reset mechanisms

Anonymous successfully compromised at least one agent’s personal email account. When you have a large group as a target all you need is one weak account.

An international law enforcement conference call was scheduled to discuss the Anonymous investigation. A few dozen agents from 5 countries were sent meeting invitations over secure email channels to their internal official accounts. These invitations contained the dial in number and passcode to a conference bridge.

At least one of the agents forwarded the invitation to their personal email account. At least one of those agents’ personal email accounts had already been compromised by Anonymous.

Now Anonymous had the conference bridge information. They dialed into the conference call. The agents running the call did not audit individuals joining the call. Anonymous was able to eavesdrop on the call and deal an embarrassing setback to the investigation.

There are a few lessons we can learn from this besides not forwarding confidential mail to personal email accounts. You need a strong password on personal email, and ideally use two-factor authentication (like Google supports) if available. Make sure you are using the strongest password reset mechanism if there are multiple offered.

Don’t use a secret question where the answer is public information or easily guessable. Paris Hilton used “What is the name of your dog?” on her T-Mobile account. Not a good choice.

Finally, if sensitive information is discussed on a conference bridge, audit the people joining the call. There is a reason the service beeps when people join.

As you can see the attackers are crafty and unrelenting. You need to stick to secure operating procedures or you will be easily compromised.

Cross-posted from Veracode Blog
