This past Friday (February 3, 2012) Anonymous released a call recording regarding an assumed confidential conference call between two FBI field offices and a official UK investigation office regarding status on Anonymous, AntiSec, Lulzsec and other splinter cyber groups. It was released on ThePirateBay, YouTube and Pastebin, and from the Pastebin posts, the conference call appears to have been related to a meeting invite for a call on January 17, 2012 that was sent on January 13, 2012 to nearly 50 people from France, UK, Netherlands, Ireland, Germany, Sweden and hosted by US to coordinate internationally. The posts were made by anonymous as part of their #FFF (F@$K FBI Friday) releases which has been going on almost regularly for over a year now.
It is unclear through YouTube audio if the call was from January 20, or a more recent conference call between the governments. I think that this was probably only released because the hacking groups found no more use in that bridge number. In listening to the call, one can gain insight into the global workings of the fight against cyber crime, as two current cases were lightly discussed. Insight was also sought regarding other persons of interest concerning breaches reported to government authorities. I found the lack of care around people joining the call interesting as I could hear the extra beep that was missed by the call parties and I assume it was ‘Anonymous’ recording the call.
Few facts can be gathered around how anonymous gained the electronic invitation for the meeting. After the Pastebin post with conference bridge call number and password, it does not seem that the conference system or software was hacked to gain access for the call. One might assume that an email account or system on the distribution list could have been compromised to gain the conference details or some form of social engineering was used in the attack. Either way, anonymous has again provided a reason for government and private industry to rethink their communication processes for distributing sensitive call meetings. In future calls, I would think that every time the system beeps for a new attendee on the call there will be a stop to ask who had just joined the conference, especially when discussing active investigations or sensitive information.
While there is a need to share passwords for conference calls it is important to mitigate any risk in the process to overcome the shared password. Typically this is done on conference calls by paying a very close attention to people joining the call and stopping conversation when the system makes a beep for a new participant joining the call. If the conference call is of sensitive or classified information then the call should be halted or stopped if all parties are not able to be identified on the conference system.
Also, all parties need to read The New York Times article about board rooms being open up to hackers through weak implementation security as it has some relevance here.