How did Anonymous hackers eavesdrop on FBI and Scotland Yard?
The FBI and Scotland Yard said no systems were breached, which suggests Anonymous may have broken into an e-mail account and stolen the dial-in details for a conference call rather than attacking either agency's network.
Hackers describing themselves as part of the group Anonymous posted on the Internet Friday a recording of a conference call between FBI and Scotland Yard officials discussing the legal cases against individuals believed to be part of the group.
The roughly 15-minute recording includes banter between agents, some laughter, and then detailed discussions about how best to coordinate the developing investigations of several individuals who have been arrested.
The Federal Bureau of Investigation confirmed that the recording "was intended for law enforcement officers only and was illegally obtained," the Associated Press reported. But the agency also told AP that no FBI systems were breached and that "a criminal investigation is under way to identify and hold accountable those responsible."
So just how could Anonymous obtain a recording without invading a computer network? While it's too early to know definitively what weakness Anonymous exploited, a compromised e-mail account is the leading suspect. The Department of Defense, military contractors, and federal agencies have all suffered e-mail breaches. In fact, e-mail problems have reached such a point that top companies and experts are rallying to attempt solutions.
"The most plausible scenario is that someone with Anonymous had access to an e-mail account with [a stolen password] and was checking it for some time," says Aaron Higbee, chief technology officer for PhishMe, a company based in Chantilly, Va., that works with organizations to block e-mail attacks. "They've been going after law enforcement for some time."
Indeed, Anonymous, LulzSec, and others have consistently targeted the e-mail servers of law-enforcement groups. Among others, state police departments have seen their e-mail servers – typically the least guarded – cracked by cyber intruders, who appear to have guessed just one password or simply stolen it from another account. Once inside, the intruders downloaded the e-mail addresses and passwords of thousands of other law-enforcement officers.
Sitting on those massive e-mail and password "dumps," the group can then quickly go to work breaking into e-mail accounts, since many of the stolen passwords will also unlock their owners' other accounts. It can also establish persistent access inside the e-mail servers themselves, so that even if many accounts are shut down or passwords are changed, the group can still get back in and monitor accounts. Resetting user passwords does not evict an intruder who has a foothold on the server.
This sort of thing is just what experts say could have happened in the latest incident.
An unnamed law-enforcement source told AP that the conversation was intercepted after a private e-mail account of one of the invited participants was broken into. An e-mail setting up the conference call provided the time, telephone number, and passcode for the call.
Security firm Sophos had already seen this scenario play out with InfraGard, a nonprofit group that calls itself an interface between the private sector and the FBI. After LulzSec hacked the group's e-mail servers, it dumped 180 usernames, passwords, e-mail addresses, and names.
Similar attacks reportedly hit the global intelligence company Stratfor, with e-mail addresses and credit-card information being grabbed this past Christmas. The company is now up and running – but with a much-bolstered system, its officials say.
Of course, the problem is that e-mail, like the Internet itself, wasn't designed with security in mind. E-mail works so well at getting to its destination that everyone loves it – except when bad stuff arrives or someone hacks an all-too-easy-to-invade e-mail server. For years, technology groups have tried to graft security fixes such as encryption and sender authentication onto e-mail. But it hasn't worked.
One group of 15 large entities, including AOL, Gmail, and Yahoo Mail as well as PayPal, Fidelity, and Bank of America, last month unveiled DMARC – a system to help e-mail users tell whether the message they were sent really comes from the source indicated in the e-mail. It works by letting a domain owner publish, in DNS, a policy telling receiving mail servers what to do with messages that claim to be from that domain but fail the existing SPF and DKIM sender checks: do nothing, quarantine them, or reject them outright. Such "spoofing" of the sender address is standard procedure in phishing attacks against corporations and individuals.
"Email phishing defrauds millions of people and companies every year, resulting in a loss of consumer confidence in email and the Internet as a whole," said Brett McDowell, chair of DMARC.org and senior manager of customer security initiatives at PayPal. "Industry cooperation – combined with technology and consumer education – is crucial to fight phishing."
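To make the DMARC mechanism concrete, here is a small policy evaluator written for this page (it is an added example, not code from DMARC.org or any of the companies named above). It follows the alignment rules of RFC 7489 in simplified form: the domain in the visible From: header must match (exactly, or at the organizational-domain level) the domain that SPF or DKIM actually authenticated, otherwise the published policy applies. The `_dmarc` DNS records are a constructed inline dictionary rather than live lookups, and the "organizational domain" is approximated as the last two labels rather than derived from the Public Suffix List.

```python
"""Simplified DMARC evaluation (after RFC 7489).

Added example. Assumptions: DNS is replaced by the constructed
DMARC_RECORDS table below, and org_domain() uses the last two labels
instead of the Public Suffix List (so e.g. example.co.uk would be
handled incorrectly by this toy). The pct= and sp= tags are ignored.
"""
from dataclasses import dataclass

# Constructed stand-in for the TXT record at _dmarc.<domain>.
DMARC_RECORDS = {
    "bank.example": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@bank.example",
    "news.example": "v=DMARC1; p=quarantine",
    "weak.example": "v=DMARC1; p=none",
}


@dataclass
class AuthResults:
    """What the receiving server already knows before DMARC is applied."""
    from_domain: str   # domain in the RFC5322.From header (what the reader sees)
    spf_result: str    # "pass", "fail" or "none"
    spf_domain: str    # RFC5321.MailFrom domain that SPF was checked against
    dkim_result: str   # "pass", "fail" or "none"
    dkim_domain: str   # d= tag of the verified DKIM signature, "" if none


def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; adkim=s' into a dict; None if not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return {
        "p": tags["p"].lower(),                   # none / quarantine / reject
        "adkim": tags.get("adkim", "r").lower(),  # DKIM alignment: r(elaxed) / s(trict)
        "aspf": tags.get("aspf", "r").lower(),    # SPF alignment: r(elaxed) / s(trict)
    }


def org_domain(domain):
    """Approximate organizational domain: last two DNS labels (assumption, see above)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict alignment needs an exact match; relaxed needs the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(results, records=DMARC_RECORDS):
    """Return 'pass', 'no-policy', or the sender's published policy for failures."""
    # RFC 7489: look up the From domain first, then fall back to its org domain.
    txt = records.get(results.from_domain.lower()) or records.get(org_domain(results.from_domain))
    policy = parse_dmarc(txt) if txt else None
    if policy is None:
        return "no-policy"
    spf_ok = results.spf_result == "pass" and aligned(results.spf_domain, results.from_domain, policy["aspf"])
    dkim_ok = results.dkim_result == "pass" and aligned(results.dkim_domain, results.from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return policy["p"]


if __name__ == "__main__":
    # A phishing message: From: says bank.example, but SPF only passed for the
    # attacker's own envelope domain, so nothing authenticated is aligned.
    spoof = AuthResults("bank.example", "pass", "attacker.example", "none", "")
    print("spoof  ->", evaluate(spoof))   # reject
    legit = AuthResults("bank.example", "pass", "bank.example", "pass", "bank.example")
    print("legit  ->", evaluate(legit))   # pass
```

The point the example makes is the one the paragraph glosses over: SPF or DKIM "passing" is not enough on its own, because an attacker can pass SPF for a domain he controls while still writing any address he likes in the From: header. DMARC ties the authenticated domain to the visible one, and the domain owner, not the recipient, decides what happens when they disagree.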
But while DMARC is a brave step forward, a more basic problem is simply getting people (including law enforcement) to use better – and different – passwords for their e-mail and other accounts. Hackers have a field day because many people use the same password across many accounts – e-mail, online banking, credit cards, etc. So cracking one e-mail account leads to access to multiple accounts, and the e-mail account itself is often where password-reset links for those other accounts are delivered.
It's hard to remember passwords – but many security programs now offer password managers, so the excuse for having weak or duplicate passwords is getting feeble.
"There's really no silver bullet here," says Ed Skoudis, co-founder of the cybersecurity firm InGuardians. "But even if there's no panacea, it would go a long way toward making it tougher for hackers if people would use different passwords.... That would help a lot."