FEMA, the Federal Emergency Management Agency, is scrambling to find out how hackers got into the voice mail system at its training center in Emmitsburg, Md., over the weekend and placed $12,000 worth of calls to the Middle East and Asia.
The attackers got in through a vulnerability in the Private Branch Exchange (PBX)
“We were alerted by our telecommunications contractor, Sprint, on Saturday the 15th of August of a problem at our training center, so we immediately blocked the capability for all international calls and monitored long-distance calls,” FEMA spokesperson Debbie Wing told InternetNews.com.
Sprint (NYSE: S) spokesperson Matt Sullivan told InternetNews.com that the company did not own the PBX. “If there was a breach, there was no breach of our network,” he added.
According to Wing, preliminary evidence “points to the conclusion that there was a contractor error on the work with the line.” She added that FEMA “immediately corrected it and is taking all steps to ensure this doesn’t recur.”
Wing could not name the contractor but confirmed the attackers breached a PBX. However, she could not say whether the equipment was a standard PBX or one using the voice over Internet protocol (VoIP)
FEMA’s chief information officer, in the agency’s Washington, D.C. offices, is investigating the breach. While Wing could not say when the investigation would end, “we want to do this as expeditiously as possible but efficiently and accurately as well,” she said.
The investigation is being conducted internally for now, and FEMA has not contacted any law enforcement agencies yet, according to Wing. In the meantime, agency staff will conduct daily checks on all ongoing telecommunication system projects to “ensure they’re in a secure state at the end of the day,” Wing said.
There was no mention about the security breach in any of the FEMA news releases for the month of August on the Agency’s Website.
Phreaking out at FEMA
FEMA’s Emergency Management Institute, where the breach occurred, runs courses in program management and control simulation, homeland security exercise and evaluation, and continuity of operations.
The attack on the PBX is called phreaking
Phreakers are keeping up with advances in phone technology. New York telecom company Stealth Communications has been quoted as saying that phreakers steal 200 million minutes of telephone time a month from telephone carriers’ VoIP systems, worth $26 million. Much of this is resold to smaller telephone companies.