A week ago today, Anonymous-aligned operators posted to YouTube and Twitter a recording of a 17 January conference call between the FBI and the Met's Police Central e-Crime Unit (PCeU). The call, which lasted approximately eighteen minutes, discusses then-ongoing investigations into Anonymous and LulzSec activity — including the Ryan Cleary case here in the UK and the parallel US prosecutions — and contains the kind of inter-agency operational detail that would normally not appear in any public document for a decade or more. The FBI confirmed its authenticity within hours; the Met has been quieter but has not denied that the call took place. The narrower question of how the recording was obtained is the one I want to write down, because it is so depressingly mundane.
The recording was made by an Anonymous-affiliated operator who joined the conference call using a dial-in number and PIN taken from an email invitation sent to one of the participating investigators. The invitation had gone out through standard email — not an encrypted channel, not a secure briefing platform, just a meeting invite with the call-in details — and was intercepted somewhere along the way, presumably from an investigator's email account that had been compromised earlier in the campaign. The investigator dialled in at the scheduled time. An Anonymous operator dialled in too, muted, and recorded eighteen minutes of an FBI agent and a Met DCI discussing arrests and prosecution timelines. Nobody on the call asked who else was on the line. The PIN is supposed to be the protection mechanism for the call, but it travelled inside the invitation, and the invitation was the thing that had been intercepted.
This is not a sophisticated attack. It is a procedural failure in a piece of routine collaboration infrastructure that is used everywhere, by every government and most large companies, and it is the kind of failure that I have been writing about in pen-test reports for years without it ever quite landing. Conference-call infrastructure is treated as a commodity utility; nobody thinks of the dial-in PIN as a serious access-control mechanism; the meeting invitations themselves are treated as routine email and not as sensitive material. The result is that any sufficiently motivated attacker who has compromised the email account of any one participant has a free pass to listen in on whatever the call is about.
On the engagement side, this incident has reframed a conversation I have been having for a year. Several of the secondment clients run sensitive cross-organisational coordination calls — board meetings, regulatory discussions, customer briefings — through the same general class of conference-call infrastructure that the FBI was using. The questions that need to be answered are: who has the dial-in PIN; how is the dial-in PIN distributed; how would you know if someone unauthorised joined the call; and what is the cost if the answer to the third question is "you wouldn't". For most clients, the answers are: anyone with the meeting invitation; through standard email; you wouldn't know; and the cost varies widely depending on the topic. The Browne Jacobson engagement and the News International work both turn out to have substantial exposure to this class of issue, and I have been working through compensating controls — number-of-participants alerts, named-roll-call discipline at the start of sensitive calls, dial-in PINs that change for each call rather than being reused, and where possible moving sensitive discussions onto platforms with proper access control rather than commodity conference bridges.
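To make the participant-count and roll-call controls concrete, here is an added example, written for this post and not taken from any client's tooling or from any real bridge product. It assumes a hypothetical conference bridge that writes one line per join or leave event in the constructed format shown in `SAMPLE_LOG`; the caller numbers, the roster, the PIN and the 11:00:11 intruder are all invented to reproduce the shape of the FBI call, where the third party has the correct PIN because the PIN came from the same intercepted invitation. The audit flags the unknown caller and the count overrun; the PIN check only catches guessing, not an intercepted PIN.

```python
"""Participant-count and roll-call audit for a dial-in conference bridge.

Added example for this post; not code from the original page or any real
bridge. The log format, numbers, roster and PIN below are constructed.
"""
import re
import secrets

# Hypothetical bridge log line: "<hh:mm:ss> JOIN|LEAVE caller=<id> pin=<pin>".
LOG_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}) (?P<event>JOIN|LEAVE) "
    r"caller=(?P<caller>\S+) pin=(?P<pin>\S+)$"
)

# Constructed sample: the two expected participants dial in, then a caller
# with a withheld number joins using the correct PIN (the intercepted one).
SAMPLE_LOG = """\
10:59:40 JOIN caller=+12025550101 pin=48291357
11:00:05 JOIN caller=+442079460123 pin=48291357
11:00:11 JOIN caller=withheld pin=48291357
11:18:02 LEAVE caller=+442079460123 pin=48291357
"""

# Constructed roster: the only people who should be on this call.
ROSTER = {
    "+12025550101": "Special Agent (FBI), example entry",
    "+442079460123": "DCI (Met PCeU), example entry",
}
EXPECTED_PIN = "48291357"


def new_meeting_pin(digits=8):
    """Fresh per-call PIN, so a PIN reused across calls cannot be banked."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))


def parse_log(text):
    """Turn the constructed bridge log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        match = LOG_LINE.match(line)
        if match:
            events.append(match.groupdict())
    return events


def audit_bridge(events, roster, expected_pin):
    """Return alert strings for everything a disciplined roll-call would catch.

    Three checks, in order of how often they fire on a real intrusion:
    a join with the wrong PIN (guessing), a join from a caller not on the
    roster, and the live participant count exceeding the roster size.
    """
    alerts = []
    on_call = set()
    for ev in events:
        caller = ev["caller"]
        if ev["event"] == "LEAVE":
            on_call.discard(caller)
            continue
        if ev["pin"] != expected_pin:
            alerts.append(f"{ev['ts']} caller {caller} attempted join with wrong PIN")
            continue  # the bridge would refuse this join
        if caller not in roster:
            alerts.append(f"{ev['ts']} unknown caller {caller} joined")
        on_call.add(caller)
        if len(on_call) > len(roster):
            alerts.append(
                f"{ev['ts']} participant count {len(on_call)} "
                f"exceeds roster of {len(roster)}"
            )
    return alerts


if __name__ == "__main__":
    for alert in audit_bridge(parse_log(SAMPLE_LOG), ROSTER, EXPECTED_PIN):
        print("ALERT:", alert)
    print("next call PIN:", new_meeting_pin())
```

Two caveats for anyone adapting this. Caller ID is not an authenticator: it can be spoofed, and legitimate participants dial in from withheld or unexpected numbers all the time, so the roster check produces noise and the count check is the one that should interrupt the chair. And a per-call PIN only helps if it is delivered separately from the invitation, for instance read out by phone or sent through a second channel; if the fresh PIN goes in the same email as before, an attacker sitting in that mailbox receives it along with everything else, exactly as happened here.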
The wider point about the Anonymous campaign is that it has now demonstrated a sustained operational capability of the same shape that state-level intelligence services are presumed to have — patient compromise of email accounts belonging to people inside the organisations they are interested in, followed by careful exploitation of the access for either embarrassment or operational disruption. The shape is the same as the HBGary Federal pattern but at a different scale of target. The defensive answer is the same: assume that some of your investigators' email accounts are compromised, and design your sensitive-coordination infrastructure on that assumption. Most law-enforcement agencies in 2012 are not designing on that assumption. The FBI, on present evidence, was not.
The operational consequence for the Anonymous prosecution itself is that several of the cases discussed on the call are now thought to have been compromised — defendants whose names came up will have a defence argument about prejudice; the timing of operations may have been disrupted; the cooperation between US and UK agencies may be more cautious going forward. The FBI's response has been to launch an internal investigation into how the call was compromised, which is the right response but is also slow. The Met has been similarly focused on identifying the original email-account compromise, as Kim Zetter at Wired has been reporting.
For my own continued reading and the Hedgehog work, this incident is going on the engagement-team list of "things to make boards understand", because it illustrates with unusual clarity the gap between "we use a commercially-available conference-call service like everybody else" and "we have meaningful access control around our sensitive verbal coordination". Most clients are firmly in the first category and have not understood that the second is what they need.
The next post will probably be the Symantec source-code situation, which is heading towards a public ransom-or-don't-pay confrontation and is going to set some interesting precedents either way.