Over the weekend, a hacker broke into FEMA’s new PBX voicemail system, made over 400 overseas phone calls to Asia and the Middle East, and ran up a $12,000 bill. The low-tech hack took advantage of a “hole” that was not covered when a contractor upgraded the voicemail system. FEMA is currently conducting its own internal investigation, but FEMA spokesman [Tom Olshanski] did not have any information about the contractor responsible or what specific hole was the cause of the breach. Ironically, Homeland Security, of which FEMA is a part, had issued a warning in 2003 about the very same vulnerability.
[photo: silas216]
Phreakers in the modern age!
$20 says that the hole = default password.
I’m sure the name of the contractor will come out in due course. But, for those that want to speed that process, a bit of web search on FEMA, PBX, voicemail, and either the “Emergency Management Institute”, “National Emergency Training Center”, the “U.S. Fire Administration”, “Chenega Federal Systems” (a contractor), or anything else at 16825 South Seton Avenue, Emmitsburg, MD 21727 should provide some leads.
Does anybody know exactly what “hole” they’re alluding to? Could it be the tech didn’t change the default password after the upgrade?
A better question would be, how did he manage to rack up that big a bill? It would need an average of about $30 per call...
Bush was given fair and advanced warning about Osama’s people flying a hijacked plane into a building on US soil. If anything, the FAA cut back on security. Gov’t laptops go missing every month. Voting machines fail to record the votes of citizens. FEMA is in the shitter. Yeah. Vulnerabilities have not been addressed.
And I thought the phreaking age had long since passed.
Who knows what the truth is. Likely much worse than reported. IRS misplaced 500 laptops. Was probably more. Our tax returns on CD are probably being sold by street vendors in Tashkent.
That’s a Callmaster IV. To enable mute press select mute *87 1 to enable then mute again. Pull out the head seat first.
Phreaking, hacking, whatever one calls it, this is a stupid activity to engage in this new era. The era of be afraid, VERY afraid, the industrial military complex depends on it. No doubt they know who the contractor was and what hole was plugged. That information is only for those who need to know. The people, in the government by the people for the people, aren’t those who need to know.
So at the average price of $30 per long distance call, this can go along with those $640 toilet seats and $400 hammers. Your tax dollars at work!
That’s also 400 calls over 48 or so hours, meaning that if the one guy avoided sleep, he’d have to make over 8 calls an hour.
I think he had help. And why can’t The Canadian Press do some basic investigative reporting/math?
I am going with the default password idea as well.
On older phone systems you could call a voice mail box, wait for the announcement to play, wait until the system was done recording your message, then you could transfer out and make calls.
I remember those days of analog cellphones and voicemail boxes with default passwords. At the time, cell phones cost over $1,000. Remember writing basic code to tumble through a calling card template or credit card. Remember threatening people by using above method to call local operator to place a call anywhere. Nothing they could do then.