According to news sources, on January 17 of this year the FBI team responsible for investigating the hacktivist group ‘Anonymous’ held a conference call with their colleagues at Scotland Yard. The conversation, which was said to be somewhat sensitive, included a discussion of Scotland Yard secretly seeking judicial permission to delay the arrest of two British suspects while the FBI gathered more evidence against the rest of the group. According to reports, the FBI felt that allowing the contents of the call to become public would damage the investigation and embarrass both organizations, so they took steps to password-protect the call.
How did this become public knowledge?
According to various news stories, it turns out ‘Anonymous’ was listening in on the call. On February 3 they posted an audio recording of the call on YouTube—it’s still there, but it’s a very boring listen. The FBI’s secret call had been infiltrated by the very people they were investigating!
How does something like that happen?
After taunting the FBI a bit on Twitter, ‘Anonymous’ themselves cleared things up by posting a copy of the email invitation for the call, complete with the required password. Hackers hadn’t compromised the conference calling service; they simply logged in like everyone else.
This shouldn’t have happened… what went wrong?
There are many ways to intercept email, including:
- obtaining the password to a user’s email account
- placing spyware on any of the devices they use to check the mail
- taking over one of the servers routing their mail
Email is simply insecure – some of these techniques are essentially invisible to the user.
According to news reports, the invitation was copied not only to the FBI and Scotland Yard but also to law enforcement entities from several countries. Any one of the recipients, or any of the mail servers they were using, could have been the problem. Hackers only needed access to one of these machines to get the email, and the user may never have known about it.
How does this affect you?
It underlines the vulnerability posed by email and ought to be a call to action. Rep-advisors don’t often spend their day fighting international cybercrime, but the general activity here ought to be familiar to many of you. Meetings, conference calls, and webinars are almost always scheduled and confirmed via email. For many rep-advisors, email is their most common form of communication. It is used often, in many places, and on many devices. It’s often a key part of online identity – email is generally used as a way to verify users or help reset passwords. In most security setups, email is the weakest link. If it is compromised, almost anything else can be taken.
What should you do about it?
Act carefully. Your behavior is key to email security, so it’s a good idea to follow a few tips:
- Use a strong password, including uppercase letters, lowercase letters, and numbers. Make it as long as you can remember… then make it a little longer. You’ll use it a lot so it ought to be easy to memorize.
- Change your password regularly, even if your system doesn’t require it.
- Don’t re-use passwords for multiple services.
- Don’t use public machines to check your email, even if your system allows you to. There are risks from malware or keyloggers in hotel business centers and so forth. If you need email on the go, that’s what mobile devices are for.
- Secure your mobile devices by encrypting their memory and adding a password. Consider the use of tools to remotely wipe the device if it is stolen.
- Keep an eye out for odd behavior in your mailbox. Not all hacks leave visible traces, and not all weird behavior is the result of hackers… but you shouldn’t ignore unusual activity. Spammers will sometimes pretend to send messages from you and there is little you can do about it, but if you see messages in your sent folder that you didn’t send, it’s a problem you can solve. Change your password and contact your IT professional immediately.
- Use secure tools to send sensitive information. SmarshEncrypt is a great example.
- Consider giving out key passwords verbally, instead of using unsecure email. This includes passwords for conference calls or webinars. Or, if you must use email, never send the password and the phone number in the same unsecure email. That is still not secure, but it is better than serving it all up in one place.
- Use the attendee verification tools provided by your conference bridge or webinar provider. Most providers have tools to report on the number of attendees and some can verify their identity. You never know who might be listening in!
Act carefully and think twice before using email to share private information. Do you have suggestions or stories that others could benefit from? Comment on this post to start the conversation!