Hacker Breaks into FEMA Phone System, Makes $12,000 Worth of Calls
I just came across an amusing news excerpt about the Federal Emergency Management Agency or FEMA, which is a part of Homeland Security. For those of you who don't know, Homeland Security is a Cabinet department of the U.S. federal government with the responsibility of protecting the territory of the U.S. from terrorist attacks and responding to natural disasters. At least, that's the Wikipedia definition.
FEMA recently installed a new voicemail system in their Maryland Training Center, which runs on a Private Branch Exchange (PBX) phone network. This kind of system is used by thousands or maybe even millions of companies throughout the world.
Last weekend, though, a hacker broke into the network and made over 400 international calls, adding up to $12,000. Calls were made to various countries in the Middle East and Asia (ironic, huh) and lasted anywhere from 3 to 10 minutes per call.
When the fraud was discovered, all outgoing long-distance calls from FEMA's National Emergency Training Center were halted. What's even more embarrassing is that, according to John Jackson, a security consultant, this type of attack is very old-school and used to take place around 15 years ago. Most telecommunications security administrators now know to configure security settings, such as requiring each user to create a unique password rather than keep using the initial password assigned to them.
FEMA is busy investigating the situation, trying to determine who made the calls as well as the people who received them. As of now, it looks like a "hole" was left open by the contractor when the voicemail system was being upgraded. The agency refused to specify what the hole was or the name of the contractor believed to be responsible.
For something like this to happen to an organization like FEMA is extremely embarrassing. It also underscores just how vulnerable a phone system is, which is why companies are shifting to Voice over Internet Protocol (VoIP) services.
In all likelihood, this is a practical joke that went a bit too far and the person responsible is just a fresh-faced kid who was fooling around. Then again, maybe not, considering the destinations of the calls. What do you think?