Aug 21 2008
Someone broke into a FEMA PBX system over the weekend and made over $12,000 worth of calls to Asia. The article tries to pass this off like it’s just some old-school attack that’s no big deal, but to me that’s more embarrassing than if they’d been hacked using some zero-day no one had ever heard of. Getting owned because you forgot to change a password is incompetence, which is much worse than getting hit by something you had no way of defending against.
It sounds like someone was upgrading the system and forgot to change a default password over the weekend. At that point, all it would take is an automated tool scanning the system, getting lucky, and finding the right phone line. Likely there’d be little or no skill involved, just having the right tools at the right time. I’m betting there’s a consultant somewhere in Maryland looking for a new client.
Oh, and FEMA (Federal Emergency Management Agency) is a branch of the Department of Homeland Security. Good job, guys.