Sophos Cloud Optix
Last month, we reported how a conference call, between the FBI and Scotland Yard, discussing their investigation into Anonymous hackers had been secretly recorded by the hacking collective and published on the net.
We surmised at the time that the unknown hackers might have secretly accessed the call by compromising a police investigator’s email account, as the call-in details and passcode were posted by Anonymous on their usual dumping ground – the PasteBin website.
Yesterday’s announcement by the FBI about the prominent LulzSec hacker Sabu, and other alleged hacktivists, has revealed more details about what actually happened.
According to an FBI press release, a Garda (Irish police) officer who was invited to attend the conference call about ongoing hacking investigations forwarded the message to a personal email account.
Unfortunately, that personal email account was compromised by a hacker.
The Irish police officer didn’t participate in the snooped-upon conference call, but because a hacker had lifted the login details from the officer’s account it made no difference. The call was secretly recorded.
19-year-old Donncha O’Cearrbhail, from Birr, was arrested by Irish police yesterday. He is charged with intentionally disclosing an unlawfully intercepted wire communication, as well as conspiring to hack the likes of Fox Broadcasting, Sony Pictures and PBS.
Are you careful with your conference call details?
The “hack” of the FBI / Scotland Yard’s secret conference call raises some important questions for all of us. Not only about the risks of forwarding work emails to private accounts, but also how careful are we with our conference call details?
You may think that you can afford to be lackadaisical with the call-in numbers and passcodes, but if they fell into unauthorised hands they could be used to secretly spy on your confidential business discussions.
After all, all someone has to do is dial in at the right time, and ensure that their “mute” button is enabled. Would you even notice there is one more person than there is supposed to be listening in on the line?
Image credit: Headset man from Shutterstock.
Why would you even use publicly accessible conference lines if you're the FBI discussing a major hackers-group? This is an almost classic using the most basic form of phreaking, I guess.
This is not to justify listening in to these calls, but this sounds like something that could have been avoided, even with forwards and a personal -compromised- mail account. (?)
Most likely you would notice for the service we use, because anytime someone calls in they have to give a name, and that name is announced before it allows them in, so if the person is not suppose to be there someone would know.
In my experience, some conference call systems require you to give your name and then *don't* play the name to anyone!
Hence, I have been known to announce myself to the conference call service as "Beyoncé".
Furthermore, what if the hacker joins the conference call before the other attendees arrive. I don't recall being on a conference call where I'm automagically told the name of everyone else on it… (and I can imagine how that would be quite annoying)
Anyway, I'm not an expert in such things. I try to avoid conference calls whenever possible. I suggest you do the same..
Certainly agree about avoiding conference calls. In instances of virtual eavesdropping, the most costly risk is that of a corporate manslaughter conviction after the interlopers die of boredom.
If you have Cisco's Webex – no problem. You can see each attendee on the call right on your screen – ensuring there are no unwanted guests. Perhaps the problem is an inadequate conference calling application.
I have to question the wisdom of law enforcement who use the telephone for conference calls. Not only can anyone with the passcodes and a phone join the conference but the conference attendees have no way of knowing it there is an extra person on the line.
If they had used any solution with a visual interface they would have at least seen that there was an unknown party online.
Has nobody noticed, that this seemed a very good way to actually pull them in? The FBI already knew whose account was hacked(they had a mole in the anonymous team) and ensured that they use a bridge which can be assessed by anyone. As others have commented, if FBIwanted they could have used a more secure way of conferencing.
Honeypot line. It gave the authorities a better case against the person they were looking for at the time. Now they can charge them for illegal wiretapping, and its a solid charge.
If the hackers lifted the info from an E-Mail what stops them from logging into the call and pretending to be that person to Webex?
One answer is better education around Chairs' codes and Participants' codes. People are very careless about the former, which will often let people set up a teleconference for their own use. Once, working at a global multinational, I booked out a conference number and set up a late night conference to speak with colleagues on the West Coast of the USA. When I dialled in I found it already in use, by a group one of whom who'd been sent the chair's code in error several year's ago and had used it for late night conference calls every week since. They later made a substantial donation to charity!
If you are the chair it is worth trying the #1 function. For some teleconference systems that will list the callers – if there is an extra one…
They even call its a Bridge.. That's surprising.. Uhm, whats next.. Using ATT Alliance Tele-Conf (does this even exist? haha, use to get those calls at 2am 20 some years ago! I mean you would think the FBI has idiot proofed secure lines for these types of things. Hell, if I was 16 again, you would all be in deep do-do. 😉