FEMA Phones Hacked, Calls Made To Mideast and Asia
purplehayes writes "A hacker broke into a Homeland Security Department telephone system over the weekend and racked up about $12,000 in calls to the Middle East and Asia.
The hacker made more than 400 calls on a Federal Emergency Management Agency voicemail system in Emmitsburg, Md., on Saturday and Sunday, according to FEMA spokesman Tom Olshanski."
The hacker was in New Orleans. So they were obligated by official policy to ignore his calls.
SJW: Someone who has run out of real oppression, and has to fake it.
In an age of IP Telephony it seems kind of silly and ends up just being vandalism
"Would you, could you, with a goat?" Dr Seuss
Shouldn't this be 'phreaker'? The article even states the break-in was over their PBX (i.e. a conventional phone system, not VoIP).
ilovegeorgebush
I never understood why someone would or could make exorbitant amin long distance phone calls. The only thing I can figure out is that some nerd was busy talking to his girlfriend on vacation.
While (Idiot.onphone) {
"Hang up!"
"You!"
"No You!"
"No You Hang up!"
}
Twelve Grand?! Is this another indicator of inflation? Who is billing this out? For 12 grand the phone companies should give you a phone that will work for life, from anywhere, to anywhere. Are the same people responsible for claiming that a quarter of schwag has a "street value" of fifty grand?
He kept calling that damned annoying Verizon guy.
"You're in Thailand now? Can you hear me now?"
http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
There used to be people standing beside pay phones in Chinatown, give them ten bucks and they'll give you a stolen calling card, with which you could make as long a call as you liked. Whole villages would line up and call home, 48-72 hour calls were not unheard of. But now? Skype, VOIP, and a whole forest of cheap calling cards.
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
So he doesn't have a Skype account?
I don't read your sig. Why are you reading mine?
DHS is like the laughing stock of government security. Being PBX Phreaked with a 15 year old hack is just bad... Hope the next administration isn't this incompetent.
Where is the "Ignorant" mod tag?
What are the odds he/she used a default password to gain access? I mean this is the government we are talking about here.
The 400 calls aren't necessarily consecutive.
Many times these hacks are done to provide low cost calling to immigrants calling back home. $20 bucks can buy you almost unlimited phone time to talk to your entire village back home.
Man and I thought my iPhone bill was expensive...
400 calls totalling $12,000.
That is, about $30 per call.
And from the article: "Most of the calls were about three minutes long, but some were as long as 10 minutes."
As long as 10 minutes? Not only did FEMA have a badly configured phone system, they must have had some of the crappiest call plans I could possibly imagine. I mean, where were the calls terminating? The moon?
Your tax dollars at work.
Do you or your partner snore? - Visit www.snoring.com.au
Ahhahhahha. What terrorist is dumb enough to route the calls directly through the DHS and FEMA monitored lines! Somehow, I doubt it. This sounds like the "good" kind of hacking, showing a major security hole, doing a proof of the work, not destroying anything, but making the DHS look closer at their security. Poor Hacker though, I imagine he's in Gitmo already as an "enemy combatant".
Whether or not there is some sort of god, I'm not supposed to say/god is a word and the argument ends there-Smog
You're doing a heck of a job.
Please help metamoderate.
The $12,000 is not that hard to believe given the following:
1. have you ever seen what the "regular" phone company charges for international calls? Why do you think that there is such a huge market for things like Skype and the "International Phone Cards" you see in every gas station here in SC?
2. Many countries' phone companies add charges to the phone calls, and of course the phone companies pass those back to the customer. Why should it cost more to call Japan than to call China? It does, because the Japanese phone company charges extra fees, and it's worse if you call a Japanese mobile phone from the US. (It's funny, in many cases it's actually _cheaper_ to call a Chinese mobile phone than to call a Chinese land-line.)
3. Time of the call - the charges discussed above vary based on the time of day. Usually, during "daylight" hours and "work days", calls are more expensive. Given the places called, you're pretty much hosed because unless you timed it carefully, you fit at least one of those conditions either at the origin or the destination.
4. Connection charges. Some phone companies have a "connection" charge for making an international call - an up-front charge before they even start tallying minutes. (Also, most companies round up to the next whole minute, so if you talk for 1 min 1 sec, you're billed for 2 minutes.)
So, yes, $12,000 is quite believable.
CNN had a front page article about how a cyber attack could do more damage than any other act of terrorism. Now this...
Bye-bye internets...get ready for broadcast with tracked user clicks.
If anybody ever doubted that these clowns are better at sucking up tax dollars and destroying the US Constitution than providing security, look no further for the proof.
Osama must be laughing his ass off.
I've calculated my velocity with such exquisite precision that I have no idea where I am.
Maybe he was calling the middle east prophets to invoke another hurricane on New Orleans.
slashdot rocks
Hacking PBXes was ok 15 years ago.
Hacking them now is pretty much guaranteed to get him caught.
Oh well...
Olshanski did not know who the contractor was or what hole specifically was left open, but he assured the hole has since been closed.
"I don't know who it was or what they did or didn't do, but I assure you they fixed it."
It's quite possible the person who broke into the PBX also sold the information on how to make 'free' calls to wherever, which would result in multiple people accessing it simultaneously, thus making it possible to rack up $12,000+ in very short periods of time.
09F911029D74E35BD84156C5635688C0
+2 Troll is Slashdot's way of saying groupthink is confused
I mean really, I know the /. janitors are determined to bring tabloid-standard reading levels in, but you'd think they'd at least get *that* bit right.
Assuming the phone was "off the hook" for the entire 48 hours and only one call is placed at any given time, that's 2880 minutes, or $4.17 a minute. Any phone company charging that kind of rate per minute will get called into the capital by the state utility commission. (AT&T charges just over a buck a minute for cellphone roaming calls originating in Asia.)
ELOI, ELOI, LAMA SABACHTHANI!?
So, while illegally wiretapping citizen lines, the government *should* have been wiretapping itself...
What sort of crap is this story?
With my long distance plan I pay $0.05 per minute anywhere in North America and ditto even into Australia.
$0.05 * 60 * 24 = $72 per day.
Saturday + Sunday = 2 days.
What part of this story makes no sense?
I noticed a weird account in our VM system; on investigation it was trying to call an overseas toll line repeatedly. Our phone vendor said that the hacker will do this to get a kickback on the charges. Luckily, we had overseas calls blocked by our provider, so we didn't have any real problems, but we're strict about everyone having passwords now.
As has been said before: language changes
And has also been said before: So what - that doesn't cause random errors made by uninformed ignoramuses to magically become correct usage.
That's exactly the process by which language changes, dude. When people start using terms incorrectly and people don't understand what they mean, those people are wrong. When the incorrect usage overtakes the correct usage and more people will understand the "incorrect" usage, then it's no longer "incorrect." Use of the outdated form may in fact come to be incorrect later on.
Language is about conveying meaning. Any language rules that exist, exist to standardize and facilitate communication. That means that what the most people understand something to mean is what it actually means. If you have to explain the terms you're using by using extra language, you're doing it wrong.
It's entirely possible to have a niche vocabulary among nerds that holds the old usage of crackers, phreakers, and hackers. To expect an AP article to use those terms is stupid. The majority of people reading the article wouldn't understand what they mean, but they do in fact understand precisely what they meant by the word "hacker."
Warning: Opinions known to be heavily biased.
Note that all the calls went to middle east countries, including Afghanistan and Yemen, both Taliban havens.
That's a mighty big assumption. How do you know they weren't trying to stuff the phone ballot boxes for "Afghani Idol" and "Yemeni Idol"?
With that little bit of semantics out of the way, I wonder what system they were running. Audix perhaps?
Years ago (late '80s) someone discovered a non-password protected user extension on our System 85 PBX, and used the standard Audix dial out request to make a bunch of calls to Central America. This was a common practice by phone thieves at the time. Find an unlocked Audix account on any corporate phone system and use it to call out to foreign phone numbers. The perpetrator would typically charge multiple users through the course of an evening to allow them to call home. Generally it would not be noticed by the victim until the monthly billing cycle, and in the case of our office, by the time internal billing passed that on to the individual at the departmental level, that was two months. At that point they would finally convince the end user of the importance of setting a user password. Duh.
Internally, we used to search for open extensions and use them to change their greeting message or to pull some other sophomoric prank, like reprogramming all their speed dial buttons to the local 'psychic hotline' or the VP of the division.
Also, in many hacking cases the quoted damages include the cost of hiring someone to patch the security vulnerability. I'm sure that in this situation that is also true; i.e., that $12,000 is a $500 phone bill and a $11,500 consultant fee.
-b
No offense, but I've stopped responding to AC's.
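A defender's view of the pattern described in the comments above (an unlocked voicemail extension used for bursts of overseas calls that go unnoticed until the bill arrives), as an added example that is not part of the original thread. It scans call detail records for off-hours international bursts per extension; the CSV layout, the `011` international prefix, the thresholds and every sample record are assumptions constructed for illustration.

```python
import csv
import io
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CDRs (not data from the incident). Country code 999 and
# the 555-01xx numbers are placeholders. 2024-06-01 is a Saturday.
SAMPLE_CDR = """start,extension,dialed,seconds
2024-05-31T10:02:00,2104,3015550100,240
2024-05-31T14:30:00,2104,0119995550101,601
2024-06-01T01:10:00,7001,0119995550102,181
2024-06-01T01:15:00,7001,0119995550103,175
2024-06-01T01:21:00,7001,0119995550102,190
2024-06-01T01:40:00,7001,0119995550104,600
2024-06-02T23:05:00,3350,0119995550105,120
"""

INTL_PREFIX = "011"             # assumed North American international dial prefix
BUSINESS_HOURS = range(7, 19)   # assumed 07:00-18:59, Monday to Friday
WINDOW = timedelta(minutes=60)  # burst window
BURST_THRESHOLD = 3             # off-hours international calls per window


def off_hours(ts):
    """True on weekends or outside the assumed business hours."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def billed_minutes(seconds):
    """Carriers commonly round up to the next whole minute."""
    return math.ceil(seconds / 60)


def find_toll_fraud_suspects(cdr_text):
    """Return extensions whose off-hours international calls form a burst."""
    calls = defaultdict(list)
    for row in csv.DictReader(io.StringIO(cdr_text)):
        ts = datetime.fromisoformat(row["start"])
        if row["dialed"].startswith(INTL_PREFIX) and off_hours(ts):
            calls[row["extension"]].append((ts, billed_minutes(int(row["seconds"]))))

    suspects = {}
    for ext, items in calls.items():
        items.sort()
        peak, left = 0, 0
        # Sliding window: the largest number of calls starting within WINDOW.
        for right in range(len(items)):
            while items[right][0] - items[left][0] > WINDOW:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= BURST_THRESHOLD:
            suspects[ext] = {
                "calls": len(items),
                "peak_per_hour": peak,
                "billed_minutes": sum(m for _, m in items),
            }
    return suspects


if __name__ == "__main__":
    for ext, stats in find_toll_fraud_suspects(SAMPLE_CDR).items():
        print(ext, stats)
```

Run daily rather than at the billing cycle, a report like this surfaces the abused extension within hours; a single late-night overseas call (extension 3350 in the sample) stays below the threshold.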
I think FEMA is actually looking pretty smart here. Clearly, they don't pay $5-10/minute for phone calls. So that $12,000 must include the cost to patch the security holes, hunt down lingering trojans, etc.
That seems pretty cheap to me. They could have paid somebody $75,000 to design their system up front, and keep paying their salary to maintain the system.
Or they could cross their fingers and hope nobody exploits their lack of design. If somebody does manage to find their weakness and exploit it, $12,000 in emergency response is a small fee to pay.
It was a lot cheaper than paying for responsible design. They can afford six of these incidents each year and still save money.
Emmitsburg, MD? There is only one major FEMA facility there, the US Fire Administration National Fire Academy. Happens I am going to be there for a week next month. Wonder if the phreaker will offer instructions so that I can call home free too. Beautiful campus btw, about 3 miles from Camp David.
"This illegal activity enables unauthorized individuals anywhere in the world to communicate via compromised U.S. phone systems in a way that is difficult to trace," lol. Well of course it's difficult to trace. Anyone with enough cojones knows this. All you have to do is go to a phone box out in the middle of nowheresville and patch into it (illegal of course) and make calls. It's all untraceable to the actual person who did it, but not untraceable to the poor schmuck who has to pay for the bill the calls were made from. Of course there are more ways to do this than the one described, but my point is it is completely feasible to do this so the person is completely untraceable. The fact that these are known issues in the PBX system and have been known for, oh 20yrs, is ridiculous that they're able to still occur. I've read many a story both online, in 2600, and when reading about Mitnick's escapades and those things usually happened back in the 80s. Hell, find a lineman's handset, clip it to any phone line and voilà, free phone calls at least for you. Really....it's not *that* hard.
"When the people fear the government, there is tyranny. When the government fears the people, there is liberty."
It was Captain Crunch
Actually, this is /. I suppose I didn't really need that link did I?
America, Home of the Brave.
is this terrorism? or just plain old hacking?
what's the point of breaking into a federal telephone system to call asia and the middle east?
surely if you have the know-how to pull that off, you could have gotten the calls for free anyway?
so what was the point? was it a diversion? or a lesson hack?
They're using their grammar skills there.
Assuming the calls average out at 4 minutes (most were ~3 but some were ten) that's $7.50 a minute. Either way completely ridiculous.
Failure formatting five FAQs of financial facts.
Obviously we need a bigger Security Fence.
Actually, no--I mean precisely what I said.
Our exercise in Iraq was successful--in that it did effect regime change. It was not successful--in that it did not preserve governmental infrastructure (which was a goal at the time of invasion). And its success is as yet undetermined--in that Iraq is not yet stable (and there are some doubts if it will be stable under the current regime).
In language, context is important. Changes in language take place through many different mechanisms--erroneous re-definition is one of those mechanisms, and rarely a "popular" one. But it is a mechanism of language change ... and those who wish to pick a fight with the tide of language change would do well to remember Knut.
If you haven't been down-modded lately, you aren't trying.
Sacred cows make the best hamburger.
Sure, sure. We all get the idea that after years of uncorrected usage a word as-good-as-means something else. And that we call that language and it's correct by definition because it works.
But erroneous usage is, well, erroneous. And I'll thank you fancy-pants linguistic scientists to stay the hell out of my living, breathing, language while I apply a bandage in the form of correcting errors. If caught early we can remove the tumor, instead of hoping it grows into something useful.
After all, there's another word for ongoing erroneous usage. "Wrong".
But erroneous usage is, well, erroneous.
That is, indeed, the crux of the issue: is the usage actually erroneous?
Phreak (and its cognates) was used in the 1970s, of course, while the earliest I can trace "hacker" in the computer security sense is 1983. Which leads to several questions.
1. When was "cracker" first used for someone who breaks into computer systems?
2. Have the words "phreak" and "hacker" ever been legitimately used as synonyms? (Hint: yes.)
3. Why was the word "cracker" developed? (Hint: it was to disassociate the word "hacker" from criminal activities.)
4. If the word "hacker" is, indeed, the correct word for someone who breaks into systems (especially to find out how they work, whether or not they are trying to make a financial advantage), then why are you fussing?
One more thing: if you want to object to the use of the word "hack" to indicate computer intrusion, you might want to start with "Emmanuel Goldstein" and 2600 magazine.
If you haven't been down-modded lately, you aren't trying.
Sacred cows make the best hamburger.
It wasn't actually hacker that I object to.
I object to the argument you used, about how wrong usage is just future correct usage. I've heard it before about other words, such as decimate, where the usage is more obviously wrong. (Using it to mean totally destroyed.) Some amateur linguist steps in and argues that because language is evolving we should all stop trying to correct it because it's by definition correct. As if mutations are always beneficial, and as if we aren't the very forces that shape language.
It wasn't actually hacker that I object to.
Good thing--because your counter-argument is based on an incorrect premise: that "hacker" is incorrect usage. That dog won't hunt.
I object to the argument you used, about how wrong usage is just future correct usage.
Perhaps you would do better in offering counter-arguments if you actually read my argument.
I do not state that "wrong usage is just future correct usage." A wrong usage that becomes the mainstream usage is one natural (and not uncommon) mechanism of language mutation: other examples of this type of mutation include the words "aspirin" and "xerox," where brand-names were wrongly generalized until they became generic.
At what point does "wrong usage" that mutates the language become correct usage? Such a question is probably best suited for the professional philologist. In this case, however, the arguments provided above that "hacker does not mean someone who breaks into computers" fail in their premise: the usage is not "wrong," therefore the question of "When does a 'wrong usage' become 'correct usage'" is moot.
If you haven't been down-modded lately, you aren't trying.
Sacred cows make the best hamburger.
It wasn't actually hacker that I object to.
Good thing--because your counter-argument is based on[...]
No, my counter-argument isn't based on 'hacker'. That's what I meant, "wasn't actually".
Your examples of generalized names, aspirin for instance, aren't very wrong. Names are subtle things, and the people who refer to things the most do name them.
Other words like decimate have a more fixed meaning. Even where that meaning is slippery (can you decimate cake?) the 1/10th aspect is still obvious. Use of the word to mean other amounts is wrong, even if absolutely common.
fancy-pants linguistic scientists to stay the hell out of my living, breathing, language
Besides, even if you overlook my joking tone, my point is that our language isn't fixed in history, where today's usage is merely an example of how it got some other way. Today's usage is being used today and we have as much of a say over the rightness (or wrongness) of it as anyone else.
Other words like decimate have a more fixed meaning. Even where that meaning is slippery (can you decimate cake?) the 1/10th aspect is still obvious. Use of the word to mean other amounts is wrong, even if absolutely common.
Even here, I have to disagree, but I honestly believe our disagreement is not one of definitions, but of context.
The word decimate is clearly related to 1/10th, provided that you know where the word comes from. To say that a 10% tax "decimates" my paycheck is entirely correct. But the word has changed meaning since the time of the Romans. In common parlance (and in math and signals processing, incidentally), the word decimate simply stands for "drastic reduction."
It's my assertion that this change may have started with an erroneous usage (I of course do not know the actual history), but that such usage is so widespread as to no longer be erroneous--at least, in common parlance. Yes, if I'm speaking with precision (something I strive to do but don't always succeed in), it's at worst "wrong," and at best "imprecise," but when I speak "common English," it's correct to say "Uncle Sam decimated my paycheck," even if my tax rate differs from 10%.
fancy-pants linguistic scientists to stay the hell out of my living, breathing, language
Besides, even if you overlook my joking tone
I occasionally suffer from acute pedantry.
...
OK, it's more than "occasionally." :)
If you haven't been down-modded lately, you aren't trying.
Sacred cows make the best hamburger.
Well, I'd say that the metric system makes Latin prefixes more relevant.
Decimate was a precise word, Murdelate (to coin an example) is not. If we "Murdelated the losing army" that could drift in percentage without problem. But decimate has a precise meaning which is merely not being used.
At what point does referring to a hamburger as arachnophobia become right? If I use it myself? If I can teach it to a whole class of children? A whole nation? Only once used for a hundred years?
But my overall point though, was that saying "language drift is natural and correct" is a linguistic thing to say, when looking at a language in a semi-historical context. But it's not relevant to the language at any given moment - right now, "irregardless" is an error. By taking a historical context to a living problem you negate the problem in the here and now by implying a future where the mistake has been patched over by the collective doublethink of generations.
It's sort of like saying "War is natural". I mean, it is - if there's only food for one person, two or more will eventually come to blows. But there's a "let it be" feeling to the statement, like "they'll tire themselves out eventually", that isn't appropriate to the current (not historic) people caught in the events. To them, war is murder, yet to be writ large.
So imho, decimate is wrong because I, a native speaker of English and user of the Metric system, feel that it is. Whereas if we were archaeologists a thousand years into the future it would be different - it already would have morphed - that war would have been fought and become history.