Aug 21 2008

FEMA: Old school hacks are less embarrassing?

Published at 5:30 am under Government, Hacking

Someone broke into a FEMA PBX system over the weekend and ran up more than $12,000 worth of calls to Asia. The article frames this as just some old school attack, as if that made it no big deal, but to me that's more embarrassing than if they'd been hacked using some zero-day no one had ever heard of. Getting owned because you forgot to change a password is incompetence, which is much worse than getting hit by something you had no way of defending against.

It sounds like someone was upgrading the system and forgot to change a default password over the weekend. At that point all it would take is an automated scanner working through the agency's phone numbers and getting lucky: find the line that answers, log in with the default password, and dial back out through the PBX on FEMA's dime. Likely there was little or no skill involved, just having the right tools at the right time. I'm betting there's a consultant somewhere in Maryland looking for a new client.

Oh, and FEMA (Federal Emergency Management Agency) is a branch of the Department of Homeland Security. Good job guys.
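The pattern described above, one line suddenly placing a burst of long international calls on a weekend night, is exactly what the PBX's own call detail records (CDRs) would have shown, so here is the triage a practitioner might run over those records. This is an added example, not code from the original post or from any FEMA or vendor tool. The CDR layout (timestamp, caller, dialed number, seconds), the `disa-1` caller name, the sample records, the 011 international prefix and the thresholds are all constructed assumptions; a real PBX exports its own CDR format and needs its own parser.

```python
"""Toll-fraud triage over PBX call detail records (CDRs).

Added example, not code from the original post or from any FEMA or
vendor tool. The CDR layout (started,caller,dialed,seconds) and the
sample records are constructed for illustration; a real PBX has its
own CDR format and needs its own parser.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

INTL_PREFIX = "011"        # assumption: North American PBX, 011 starts an international call
BUSINESS_HOURS = (7, 19)   # assumption: 07:00-19:00 local, Monday to Friday, is normal use

# Constructed sample CDRs: routine weekday calls, then a burst of long
# international calls from one line late on a weekend night.
SAMPLE_CDR = """\
# started,caller,dialed,seconds
2008-08-15 09:12:03,ext-4410,12025550123,180
2008-08-15 14:30:45,ext-4412,01144205550177,420
2008-08-15 17:05:00,ext-4410,14105550177,60
2008-08-16 23:41:10,disa-1,0119155500101,1800
2008-08-16 23:58:02,disa-1,0119155500102,2400
2008-08-17 01:15:30,disa-1,0119255500103,3600
2008-08-17 02:40:00,disa-1,0119155500104,900
2008-08-17 03:10:00,ext-4412,01144205550177,120
"""


@dataclass
class Call:
    started: datetime
    caller: str   # extension, trunk or remote-access port that originated the call
    dialed: str
    seconds: int


def parse_cdr(text):
    """Parse the constructed CSV CDR format into Call records, skipping comments."""
    calls = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        started, caller, dialed, seconds = line.split(",")
        calls.append(Call(datetime.strptime(started, "%Y-%m-%d %H:%M:%S"),
                          caller, dialed, int(seconds)))
    return calls


def is_international(dialed):
    """Domestic numbers start with 1 (or 10 digits); 011 marks an international call."""
    return dialed.startswith(INTL_PREFIX)


def is_off_hours(when):
    """True on weekends or outside the configured business hours."""
    start, end = BUSINESS_HOURS
    return when.weekday() >= 5 or not (start <= when.hour < end)


def flag_toll_fraud(calls, min_calls=3, min_minutes=30):
    """Return {caller: summary} for callers whose off-hours international
    traffic exceeds either threshold. Thresholds are illustrative; tune
    them against the site's own baseline."""
    usage = defaultdict(lambda: {"calls": 0, "minutes": 0.0, "dialed": set()})
    for c in calls:
        if is_international(c.dialed) and is_off_hours(c.started):
            u = usage[c.caller]
            u["calls"] += 1
            u["minutes"] += c.seconds / 60
            u["dialed"].add(c.dialed)
    return {caller: u for caller, u in usage.items()
            if u["calls"] >= min_calls or u["minutes"] >= min_minutes}


if __name__ == "__main__":
    for caller, u in flag_toll_fraud(parse_cdr(SAMPLE_CDR)).items():
        print(f"{caller}: {u['calls']} off-hours international calls, "
              f"{u['minutes']:.0f} min, to {sorted(u['dialed'])}")
```

On the sample data only `disa-1` is flagged; the single two-minute London call from `ext-4412` on Sunday night stays under both thresholds. Checks this simple catch the weekend-burst pattern from the article but not fraud that hides in daytime domestic traffic, and they only shorten the bill after the fact. Changing the default password before the system goes live is the fix; CDR monitoring is the backstop for when someone forgets.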

  1. Bozidar Spirovski on 21 Aug 2008 at 12:19 pm

    Spot on comment! Being hacked by a wardialer simply indicates gross incompetence on the side of the installer. But it's not only the installer that should worry.

    FEMA procedures should MANDATE change of all default passwords on all equipment, so the FEMA Chief Security Officer has an investigation to make, and probably a lot of explaining to do to his boss.

    Another thing: a good hacker may still have access to the system, or may have expanded into other areas of the systems, so this will be a lot of work for Homeland Security.

    Bozidar Spirovski

  2. Martin on 21 Aug 2008 at 12:34 pm

    You bring up a good point, Bozidar: a good hacker will have used the PBX as a starting point and moved on to other systems from there. I wouldn't want to be the one explaining how this had happened in the first place, whether it was the result of a consultant or an employee.

    Fun stuff.

  3. SecurePuter on 26 Aug 2008 at 7:24 am

    This is reminiscent of the "old school" Matthew Broderick tactics in WarGames. I bet you could still use a paper clip to get a free call on a pay phone, that is, if you could find one.

