Last Friday, 16 minutes of a conference call between the U.S. Federal Bureau of Investigation and the London Metropolitan Police, during which the law enforcement agencies discussed their investigation into hacking incidents believed to be the handiwork of the hacker group Anonymous, was posted on the Internet by—you guessed it—Anonymous. The Wall Street Journalquoted a New Scotland Yard spokesperson as saying, "no operational risks have been identified" by the disclosure. But security lapses that could tarnish the agencies' reputations certainly were.
The FBI insisted in a story published in the New York Times that the call wasn't "hacked" which may be technically true but a bit irrelevant. This story in the today's Macworld.UK says that "it appears the hackers obtained an e-mail sent on Jan. 13 to law enforcement agents in the U.S., U.K., Ireland, the Netherlands, France, Germany and Sweden. The e-mail, titled 'Anon-Lulz International Coordination Call,' contained the dial-in number and access code needed for a participant to join the conference, which took place on Jan. 17." The e-mail, which is posted online, contains a list of e-mail addresses for law enforcement personnel, which I suspect are being quickly changed.
New Scotland Yard and the FBI are said to be investigating the "illegal" eavesdropping and are refusing to comment further on the matter.
The episode demonstrates once again how easy it is to gain access to unsecured corporate communications. (The on-going UK News of the World scandal has highlighted how easy it is to gain access to voicemail systems.) There was a story a few weeks back in the New York Times about how videoconferencing systems were also vulnerable to unauthorized access. According to the story, an IT security company was able to find and potentially access "5000 [electronically] wide-open conference rooms at law firms, pharmaceutical companies, oil refineries, universities and medical centers."
While many video-conferencing systems come with security features, they are often left unactivated or are never configured properly, the Times story says.
In another communications security story from last week, the London Telegraphreported that two professors from Ruhr University Bochum in Germany have published a paper called "Don't Trust Satellite Phones." The researchers report that they "cracked two encryption systems [GMR-1 and GMR-2] used to protect satellite phone signals and that anyone with cheap computer equipment and radio could eavesdrop on calls over an entire continent."
The professors told the Telegraph that they were able to reverse engineer the encryption algorithms, and that with about US $2000 in equipment and software, they could decrypt a prerecorded satellite call using either of the two encryption standards in about 30 minutes. A country's intelligence service, which would have access to much more sophisticated equipment, could perform the decryption in real-time.
The Telegraph article states that the professors published the details of their research in hopes of prompting "ETSI (European Telecommunications Standards Institute), the organization that sets the standards, to create stronger algorithms."
Finally, in probably the most distressing IT security news from last week, VeriSign, the company that operates two of the Internet's 13 root name servers, admitted in its 10-Q filing to the U.S. Securities and Exchange commission that, "We experienced security breaches in the corporate network in 2010 which were not sufficiently reported to management."
Note the word "breaches."
According to a Reutersstory that made the disclosure widely known (the 10-Q was filed on 28 October:
"The VeriSign attacks were revealed... [following the institution of ] new guidelines on reporting security breaches to investors... Ken Silva, who was VeriSign's chief technology officer for three years until November 2010, said he had not learned of the intrusion until contacted by Reuters."
The VeriSign 10-Q states that "access was gained to information on a small portion of our computers and servers. We have investigated and do not believe these attacks breached the servers that support our Domain Name System ('DNS') network... However, given the nature of such attacks, we cannot assure that our remedial actions will be sufficient to thwart future attacks or prevent the future loss of information. In addition, although the Company is unaware of any situation in which possibly exfiltrated information has been used, we are unable to assure that such information was not or could not be used in the future."
Reuters also says that "VeriSign's domain-name system processes as many as 50 billion queries daily. Pilfered information from it could let hackers direct people to faked sites and intercept e-mail from federal employees or corporate executives." Classified government data, said the article, moves through more secure channels.
Upon hearing the news, Stewart Baker, former assistant secretary of the U.S. Department of Homeland Security and one-time top lawyer at the U.S. National Security Agency, was quoted as saying:
"Oh my God. That could allow people to imitate almost any company on the Net."
Apparently, VeriSign's security staff discovered and responded to the attacks but for some unexplained reason failed to alert top company management until September of last year. I guess they didn't think it was important enough to bother anyone in management.
VeriSign (which sold its security business to Symantec in 2010 and states categorically that none of the acquired products have been compromised) is not providing any more details about the breaches. Maybe like the FBI and New Scotland Yard, saying anything would only embarrass them more.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.