I am pretty sure that everybody knows that the FBI and Scotland Yard were embarassed recently by the notorious hacking group, Anonymous, when they spilled the beans that they were now watching the watchers, listening in to a confidential phonecall taking place between investigators accross the pond. If you haven’t heard it, find it here. The New Statesman has an overheated article here that can provide additional details.
So how did this brazen and seemingly high tech hack take place? A conference call was arranged two weeks earlier by FBI agent Timothy Lauster, who wanted to discuss on-going investigations into Anonymous and other hacktivist groups. In an email to Scotland Yard’s e-crimes unit, the time, date and phone number to call were provided, along with the pass code for entry.
This email correspondence was intercepted by the hackers. All they had to do was dial the number, enter the pass code, mute the phone, and listen-in. This “hack” needs to be put into perspective. No telephone exchange appears to have been broken into, no phonelines were tapped, and it appears so far that this was the only call that was intercepted. The email was most likely forwarded to a personal email account for convenience, and was either compromised on the wire as it was routed to the email server or to the PC, or the personal email account it was forwarded to was compromised.
Both of these poor practices are common place in business today. Including the meeting pass code in the email was like writing the PIN on the front of a credit card in thick black marker. Forwarding it to a personal email address would be like giving it to a criminal to hold onto for you. Yes, it is convenient to have that invite on your personal PDA of choice, or to use free wireless to retrieve it, but it may also be convenient for others as well. If you don’t control the network, and aren’t using reliable encryption, your information is in the clear.
Think about that the next time you forward a meeting invite to your hotmail account for later retrieval accross that wireless connection…