At corporations and government offices around the world a security failure happens every day. Employees forward confidential calendar events and messages to personal calendars and personal email accounts. This may make their jobs easier but it can put their companies at risk. A recent security incident involving the FBI can teach us something about corporate security.

Excerpts (shown in italics in the original post) from the news story Hackers Intercept FBI Call With U.K. are quoted below.

The Federal Bureau of Investigation said cybercriminals hacked into a cybercrime conference call between its agents and law enforcement officials overseas.

The 16-minute call was posted on the Internet on Friday. The hacker collective Anonymous claimed responsibility, though the FBI didn't name the group and said a criminal investigation was under way.

As a security person I am not content to know what happened. I need to know how it happened. Without understanding the how, we can’t prevent it in the future. In reading the news stories it has become clear how this happened.

The FBI said the breach wasn't made on the agency's secure email or other computer systems. Instead it appeared to be the result of a law enforcement officer overseas who was invited to be on the FBI call and who forwarded the information to his private email account, which was compromised by hackers.

Anonymous had been working to compromise the personal email accounts (gmail, yahoo, hotmail, etc) of federal agents from multiple countries. Personal accounts are MUCH easier to compromise than corporate/internal mail accounts:

  • The authentication and password reset forms can be reached by any attacker over the internet
  • There is typically no password strength enforcement
  • Users reuse passwords, and the password associated with this email account may have been compromised in another breach
  • There are automated password reset mechanisms

Anonymous successfully compromised at least one agent’s personal email account. When you have a large group as a target all you need is one weak account.

An international law enforcement conference call was scheduled to discuss the Anonymous investigation. A few dozen agents from 5 countries were sent meeting invitations over secure email channels to their internal official accounts. These invitations contained the dial-in number and passcode for a conference bridge.

At least one of the agents forwarded the invitation to their personal email account. At least one of those agents’ personal email accounts had already been compromised by Anonymous. Now Anonymous had the conference bridge information. They dialed into the conference call. The agents running the call did not audit the individuals joining it. Anonymous was able to eavesdrop on the call and deal an embarrassing setback to the investigation.

There are a few lessons we can learn from this besides not forwarding confidential mail to personal email accounts. You need a strong password on personal email, and ideally you should use two-factor authentication (like Google supports) if it is available. Make sure you are using the strongest password reset mechanism if there are multiple offered. Don’t use a secret question where the answer is public information or easily guessable. Paris Hilton used “What is the name of your dog?” on her T-Mobile account. Not a good choice. Finally, if sensitive information is discussed on a conference bridge, audit the people joining the call. There is a reason the service beeps when people join.

As you can see, the attackers are crafty and unrelenting. You need to stick to secure operating procedures or you will be easily compromised.

About Chris Wysopal

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.

Comments (2)

Steve Manzuik | February 7, 2012 11:32 am

The forwarding of emails has become very common, and the explosion of smart phones has actually made it much worse. End users are not willing to wait for IT to support corporate mail on their new whiz-bang pocket toy, so they either set up basic mailbox rules on their corporate mail to auto-forward to a personal account or they sign up for one of the many services that does this for them automatically. At this point they might as well just post all their corporate emails to pastebin themselves and be done with it.

Of course now we are seeing all the major smartphone manufacturers support the various corporate email options, but there is nothing compelling those who already have an auto-forward set up to revert. Plus, at least in my experience, setting up corporate email on a personal device typically means giving up some access to that device (i.e., allowing remote wipe, etc.), which many users also attempt to avoid.

We all know that this problem is actually much worse than just email. How many developers or other key technical staff forward code, documents, and other corporate IP to their personal accounts so that they can easily work remotely without the hassle of the corporate VPN?

On a technical level it would be very easy to identify which users are doing this by simply analyzing mail logs for the obvious patterns, but on a corporate culture level -- it's a tough battle.
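As an added example of the mail-log analysis this comment describes (it is not part of the original post or comments): a script that joins Postfix-style from=/to= records by queue id and flags internal senders who repeatedly deliver to the same consumer-webmail address, the signature of an auto-forward rule. The log lines, the corp.example domain, the personal-domain list and the threshold are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict

CORPORATE_DOMAIN = "corp.example"                 # assumed internal mail domain
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
THRESHOLD = 3   # deliveries to one personal address before a sender is flagged (assumption)

# Constructed Postfix-style log excerpt (not real logs). Each message has a qmgr
# "from=<...>" record and one smtp "to=<...>" record that share a queue id.
SAMPLE_LOG = """\
Feb  7 09:01:12 mx1 postfix/qmgr[2210]: 4A1B2C: from=<alice@corp.example>, size=2048, nrcpt=1 (queue active)
Feb  7 09:01:13 mx1 postfix/smtp[2231]: 4A1B2C: to=<alice.home@gmail.com>, relay=gmail-smtp-in.l.google.com[203.0.113.5]:25, status=sent (250 OK)
Feb  7 09:15:40 mx1 postfix/qmgr[2210]: 5B2C3D: from=<alice@corp.example>, size=9120, nrcpt=1 (queue active)
Feb  7 09:15:41 mx1 postfix/smtp[2231]: 5B2C3D: to=<alice.home@gmail.com>, relay=gmail-smtp-in.l.google.com[203.0.113.5]:25, status=sent (250 OK)
Feb  7 10:02:05 mx1 postfix/qmgr[2210]: 6C3D4E: from=<alice@corp.example>, size=4410, nrcpt=1 (queue active)
Feb  7 10:02:06 mx1 postfix/smtp[2231]: 6C3D4E: to=<alice.home@gmail.com>, relay=gmail-smtp-in.l.google.com[203.0.113.5]:25, status=sent (250 OK)
Feb  7 10:30:00 mx1 postfix/qmgr[2210]: 7D4E5F: from=<bob@corp.example>, size=1200, nrcpt=1 (queue active)
Feb  7 10:30:01 mx1 postfix/smtp[2231]: 7D4E5F: to=<bob.smith@yahoo.com>, relay=mta5.am0.yahoodns.net[203.0.113.9]:25, status=sent (250 OK)
Feb  7 11:05:00 mx1 postfix/qmgr[2210]: 9F6071: from=<alice@corp.example>, size=500, nrcpt=1 (queue active)
Feb  7 11:05:01 mx1 postfix/smtp[2231]: 9F6071: to=<alice.home@gmail.com>, relay=none, delay=30, status=deferred (connect timed out)
"""

FROM_RE = re.compile(r"\]: (?P<qid>[0-9A-F]+): from=<(?P<addr>[^>]*)>")
TO_RE = re.compile(r"\]: (?P<qid>[0-9A-F]+): to=<(?P<addr>[^>]*)>.*status=sent")

def parse_deliveries(log_text):
    """Join from= and to= records by queue id; return [(sender, recipient)] for sent mail only."""
    senders, deliveries = {}, []
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m:
            senders[m["qid"]] = m["addr"].lower()
            continue
        m = TO_RE.search(line)          # deferred/bounced deliveries do not match
        if m and m["qid"] in senders:
            deliveries.append((senders[m["qid"]], m["addr"].lower()))
    return deliveries

def find_personal_forwarders(deliveries, threshold=THRESHOLD):
    """Return {sender: {personal_rcpt: count}} for internal senders who deliver to
    the same consumer-webmail address at least `threshold` times."""
    pairs = Counter(
        (s, r) for s, r in deliveries
        if s.endswith("@" + CORPORATE_DOMAIN) and r.rsplit("@", 1)[-1] in PERSONAL_DOMAINS
    )
    flagged = defaultdict(dict)
    for (s, r), n in pairs.items():
        if n >= threshold:
            flagged[s][r] = n
    return dict(flagged)
```

Running `find_personal_forwarders(parse_deliveries(SAMPLE_LOG))` on the sample flags only alice, whose three sent copies to one Gmail address look like an auto-forward rule; bob's single message and the deferred delivery are not counted.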

Steven Hoober | February 7, 2012 12:30 pm

>> did not audit individuals joining the call

Security is layered. You lose your house keys. The neighbors wonder who the stranger is at your house. The neighbors are /sure/ he shouldn't be taking your TV, etc.

For a secure meeting, even in the corporate world, even something as simple as pushing the button to tell you how many people are on the call is pretty standard. If more than you expect, and you cannot immediately find out why (it was forwarded, that guy is actually on) then we hang up and start over.

I presume sometimes it's just a glitch, or someone from the previous hour or whatever, but you track this stuff. Nice that international LE cannot remember these fairly trivial procedures.

Forwarding to personal email is just ONE part of the failure chain here. And a sadly understandable one with terrible email, calendar, etc. systems and synch. I send a lot of company meetings to my personal email so it goes on my personal calendar. I anonymize if truly secret, and would like to think I wouldn't do that if I worked national security, anti-hacking or law enforcement, but I get it. Yelling at them and adding policy won't stop it.
