The press is widely reporting on Anonymous eavesdropping on a phone call between the FBI and Scotland Yard and other non-U.S. police agencies. The sixteen-minute phone call is currently posted here.
How did Anonymous do it? The FBI sent the link to the conference call to more than three dozen people at the FBI, Scotland Yard, and agencies in France, Germany, Ireland, the Netherlands and Sweden. One of the people who received the conference call log-in data forwarded the email to his personal account. That personal account had been hacked by Anonymous. By accessing the hacked email account, Anonymous obtained the log-in credentials required to participate in the phone call.
The New York Times reports on the FBI reaction to the compromised phone call:
“It’s not really that sophisticated,” said the official, who would discuss the episode only on condition of anonymity. He said no Federal Bureau of Investigation system was compromised but noted that communications security was more challenging when agencies in multiple countries were involved.
The unnamed FBI official’s observation that the attack was not that sophisticated and that no systems were compromised missed the crucial lesson of this incident: a cyberattack doesn’t have to be technically sophisticated to succeed. This incident demonstrates an important principle of security: attack the people, because it is easier to hack people than systems.
How hard is it to hack a person? As we noted in our posting Hackers for Hire, all that is needed is a little information about the target to trick the target into unwittingly being compromised. As we noted in our posting How To Infiltrate A Network Using Spearphishing, all that is needed to successfully attack an enterprise is the compromise of a single person. And, as we noted in Social Media Outs CIA Agent, using widely available internet resources, even the identity of CIA agents can be discovered. In this phone call case, a successful attack on the FBI was accomplished by compromising the personal email account of a person who collaborates with the FBI.
Employees must be empowered to defend against cyberattacks. When the cyberattacks target the human, the human must be hardened. A tool that hardens the human is available now: SP Guard from Iconix.
SP Guard provides the recipient with three confirmations that a message is real:
- List View. There is an integrity indicator in the list view of the email client.
- Message. The open message has a further indicator of authenticity.
- Mouseover. Mousing over the authentication indicator in the message prompts the display of a certificate that further identifies the sender.
SP Guard now offers a fraud filtering enhancement. This additional protection is becoming increasingly important given the latest generation of highly targeted spear-phishing emails, which are so well crafted that users cannot tell real from fake.
SP Guard is available now from Iconix. For further information, contact us at 408-727-6342, ext 3 or use our online form.