FBI call participants ‘made it easy’ for Anonymous to break in

It was supposed to be a confidential conference call last week that included two of the top law enforcement agencies in the world — the FBI and Scotland Yard — and possibly officials from France, Germany, Ireland, the Netherlands and Sweden.

The agenda was a private discussion of the ongoing investigations into the international hacker group Anonymous and related splinter groups including Lulzsec, Antisec and others.

Also on the line, listening in, was Anonymous itself.

Now, also listening in, is the rest of the world, after Anonymous posted a nearly 17-minute recording of the call on YouTube and other sites.

The FBI confirmed that the recording was authentic, stated the obvious — that it was “illegally obtained” — and that “a criminal investigation is under way to identify and hold accountable those responsible.”

Anonymous does not appear to be worried. The group also posted an e-mail, apparently from the FBI, that showed the e-mail addresses of the invited participants.

That was not the only breach over last weekend. Anonymous also attacked the website of the Greek justice ministry in protest of the country’s fiscal reforms, and a site operated by the Boston Police Department.

In the case of the hacked call, investigators surmise that somebody on the secure e-mail network e-mailed to his or her private e-mail account the location number and password of the conference call, and that private e-mail account was hacked.

If true, it would confirm what most security experts say — that the weakest links in cyber security systems are the humans who use it.

James Arlen, security consultant with Taos, says he doubts that the hack by Anonymous required any major sophistication. “I don’t think that there is really anything here other than plain old ‘Hackers: The Movie’ level sophistication,” he says.

Arlen says there are several possibilities for how the breach happened: The group could know where an agent lives who would be joining the call from home and recording from unencrypted wireless phone or an easily violated GSM phone; it might gain access to a recording by violating a law-enforcement computer; gain access to the conference calling system’s computer as an administrator; or simply find the conference code by some means and join it as a participant.

But he says the most likely scenarios are, “ones we’ve seen a million times. When you start using COTS (Common Off The Shelf) equipment and services in an environment that has traditionally relied on security by obscurity and by propriety without changing your modes of thinking about threats, you get stupid mistakes like this.

Indeed, the New York Times reported several weeks ago that many of today’s videoconferencing systems, which now use IP instead of closed, high-speed phone lines, have been, “designed with visual and audio clarity — not security — in mind.”

While the units may have security capabilities, “administrators are setting them up outside the firewall,” for more convenience, the Times said.

The FBI/Scotland Yard hack was only audio, but Kevin McAleavey, cofounder and chief architect of the KNOS Project near Albany, NY, says, “No video only indicates that they didn’t fire up the camera — those tend to have a red light on the nose.”

McAleavey says the hackers, “probably didn’t hit the FBI’s teleconference system, because all they needed to do was get into the system of one of the participants in the group call.

“If there’s any blame to be placed for the compromise,” he says, “it has to be laid at the feet of those who configured the teleconferencing systems that answered the phone without screening the calls first.”