How did Anonymous hackers eavesdrop on FBI and Scotland Yard?

The FBI and Scotland Yard said no systems were breached, which suggests Anonymous might have hacked an e-mail account and stolen information to listen to a conference call. 

Hackers describing themselves as part of the group Anonymous posted on the Internet Friday a recording of a conference call between FBI and Scotland Yard officials discussing the legal cases against individuals believed to be part of the group.

The roughly 15-minute recording includes banter between agents, some laughter, and then detailed discussions about how best to coordinate the developing investigations of several individuals who have been arrested.

The Federal Bureau of Investigation confirmed that the recording "was intended for law enforcement officers only and was illegally obtained," the Associated Press reported. But the agency also told AP that no FBI systems were breached and that "a criminal investigation is under way to identify and hold accountable those responsible."

So just how could Anonymous get a recording without invading a computer network? While it's too early to know definitively what cyber chink in the armor Anonymous exploited, e-mail insecurity is one top suspect. The Department of Defense, military contractors, and federal agencies have all had e-mail breaches. In fact, e-mail problems have reached such a point that top companies and experts are rallying to attempt solutions.

"The most plausible scenario is that someone with Anonymous had access to an e-mail account with [a stolen password] and was checking it for some time," says Aaron Higbee, chief technology officer for PhishMe, a company based in Chantilly, Va., that works with organizations to block e-mail attacks. "They've been going after law enforcement for some time."

Indeed, Anonymous, LulzSec, and others have consistently targeted the e-mail servers of law-enforcement groups. Among others, state police departments have seen their e-mail servers – typically the least guarded – cracked by cyber intruders, who appear to have guessed just one password or simply stolen it from another account. Once inside, the intruders downloaded the e-mail addresses and passwords for thousands of other law-enforcement officers.

Sitting on those massive e-mail and password "dumps," the group can then quickly go to work breaking into e-mail accounts. It can also set up shop inside the e-mail servers so even if many e-mail accounts are shut down or passwords are changed, the group can still get back in and monitor accounts.

This sort of thing is just what experts say could have happened in the latest incident.

An unnamed law-enforcement source told AP that the conversation was intercepted after a private e-mail account of one of the invited participants was broken into. An e-mail setting up the conference call provided the time, telephone number, and passcode for the call.

"Even my ironing lady could have rung in and silently listened to the call just like Anonymous did," Graham Cluley, an expert with the data security company Sophos, told AP.

Sophos had seen this scenario already, with InfraGard, a nonprofit group that calls itself an interface between the private sector and the FBI. After LulzSec hacked the group's e-mail servers, it dumped 180 usernames, passwords, e-mail addresses, and names.

Similar attacks reportedly hit the global intelligence company Stratfor, with e-mail addresses and credit-card information being grabbed this past Christmas. The company is now up and running – but with a much-bolstered system, its officials say.

Of course, the problem is that e-mail, like the Internet itself, wasn’t designed with security in mind. E-mail works so well at getting to its destination that everyone loves it – except when bad stuff arrives or someone hacks an all-too-easy-to-invade e-mail server. For years, technology groups have tried to graft security fixes, like encryption and authentication systems, onto e-mail. But it hasn't worked.

One group of 15 large entities, including AOL, Gmail, and Yahoo Mail as well as PayPal, Fidelity, and Bank of America, last month unveiled DMARC – a system to help e-mail users tell if the message they were sent really comes from the source indicated in the e-mail. Such "spoofing" is standard procedure in phishing attacks against corporations and individuals.

"Email phishing defrauds millions of people and companies every year, resulting in a loss of consumer confidence in email and the Internet as a whole," said Brett McDowell, chair of and senior manager of customer security initiatives at PayPal. "Industry cooperation – combined with technology and consumer education – is crucial to fight phishing."

But while DMARC is a brave step forward, a more basic problem is simply getting people (including law enforcement) to use better – and different – passwords for their e-mail and other accounts. Hackers have a field day because many people use the same password across many accounts – e-mail, online banking, credit cards, etc. So cracking one e-mail account leads to access to multiple accounts.

It’s hard to remember passwords – but many security programs now offer password managers, so the excuse for having weak or duplicate passwords is getting feeble.

"There's really no silver bullet here," says Ed Skoudis, co-founder of the cybersecurity firm InGuardians. "But even if there's no panacea, it would go a long way toward making it tougher for hackers if people would use different passwords.... That would help a lot."
