FEMA Gets a Lesson in Security
Phone hackers exploit a vulnerability caused by a contractor to make free phone calls.
FEMA, the Federal Emergency Management Agency, is scrambling to find out how hackers got into the voice mail system at its training center in Emmitsburg, Md., over the weekend and placed $12,000 worth of calls to the Middle East and Asia.
The attackers got in through a vulnerability in the Private Branch Exchange (PBX) installed by FEMA's contractor during a recent phone system upgrade. They made calls to several countries, including Afghanistan, Saudi Arabia, Yemen and India.
"We were alerted by our telecommunications contractor, Sprint, on Saturday the 15th of August of a problem at our training center, so we immediately blocked the capability for all international calls and monitored long-distance calls," FEMA spokesperson Debbie Wing told InternetNews.com.
Sprint (NYSE: S) spokesperson Matt Sullivan told InternetNews.com that the company did not own the PBX. "If there was a breach, there was no breach of our network," he added.
According to Wing, preliminary evidence "points to the conclusion that there was a contractor error on the work with the line." She added that FEMA "immediately corrected it and is taking all steps to ensure this doesn't recur."
Wing could not name the contractor but confirmed the attackers breached a PBX. However, she could not say whether the equipment was a standard PBX or one using voice over Internet protocol (VoIP). VoIP is the technology behind Skype, the Internet telephony service that lets users make phone calls through their PCs or laptops.
FEMA's chief information officer, in the agency's Washington, D.C. offices, is investigating the breach. While Wing could not say when the investigation would end, "we want to do this as expeditiously as possible but efficiently and accurately as well," she said.
The investigation is being conducted internally for now, and FEMA has not contacted any law enforcement agencies yet, according to Wing. In the meantime, agency staff will conduct daily checks on all ongoing telecommunication system projects to "ensure they're in a secure state at the end of the day," Wing said.
There was no mention of the security breach in any of the FEMA news releases for the month of August on the agency's Web site.