FEMA Gets a Lesson in Security

FEMA, the Federal Emergency Management Agency, is scrambling to find out how hackers got into the voice mail system at its training center in Emmitsburg, Md., over the weekend and placed $12,000 worth of calls to the Middle East and Asia.

The attackers got in through a vulnerability in the Private Branch Exchange (PBX) installed by FEMA’s contractor during a recent phone system upgrade. They made calls to several countries, including Afghanistan, Saudi Arabia, Yemen and India.

“We were alerted by our telecommunications contractor, Sprint, on Saturday the 15th of August of a problem at our training center, so we immediately blocked the capability for all international calls and monitored long-distance calls,” FEMA spokesperson Debbie Wing told InternetNews.com.

Sprint (NYSE: S) spokesperson Matt Sullivan told InternetNews.com that the company did not own the PBX. “If there was a breach, there was no breach of our network,” he added.

According to Wing, preliminary evidence “points to the conclusion that there was a contractor error on the work with the line.” She added that FEMA “immediately corrected it and is taking all steps to ensure this doesn’t recur.”

Wing could not name the contractor but confirmed the attackers breached a PBX. However, she could not say whether the equipment was a standard PBX or one using the voice over Internet protocol (VoIP) . VoIP is the technology used in the Skype Internet telephony technology that lets users make phone calls through their PCs or laptops.

FEMA’s chief information officer, in the agency’s Washington, D.C. offices, is investigating the breach. While Wing could not say when the investigation would end, “we want to do this as expeditiously as possible but efficiently and accurately as well,” she said.

The investigation is being conducted internally for now, and FEMA has not contacted any law enforcement agencies yet, according to Wing. In the meantime, agency staff will conduct daily checks on all ongoing telecommunication system projects to “ensure they’re in a secure state at the end of the day,” Wing said.

There was no mention about the security breach in any of the FEMA news releases for the month of August on the Agency’s Website.

Phreaking out at FEMA

FEMA’s Emergency Management Institute, where the breach occurred, runs courses in program management and control simulation, homeland security exercise and evaluation, and continuity of operations.

The attack on the PBX is called phreaking , and practitioners of this kind of attack are called phreakers. Phreakers study and experiment with telephone systems, doing things like using the free whistles given out in Cap’n Crunch cereal boxes to take over a phone company trunk line and make free calls. The whistles produced a tone at 2.6 kHz that was an internal telephone company signal to take over a trunk line.

Phreakers are keeping up with advances in phone technology. New York telecom company Stealth Communications has been quoted as saying that phreakers steal 200 million minutes of telephone time a month from telephone carriers’ VoIP systems, worth $26 million. Much of this is resold to smaller telephone companies.

News Around the Web