2012-02-03

Conference call security

There's no such thing as security on a conference call, as the FBI and Scotland Yard are discovering.

I'd bet the public number and 6-9 digit access code for the call was widely circulated internally (deliberately or inadvertently) by the FBI; someone passed the info on to Anonymous, who dialled in from a compromised phone line - kerching, they get to record the call with no personal risk.

A secret's security varies as the inverse square of the number of participants. If you don't want someone to hear what you're saying, the discussion needs to be between a small number of participants who must individually authenticate onto the call, where access points are strictly limited. This is awkward to arrange, especially internationally, and costs serious money. It also requires participants who really care about security, and these are much harder to find than you might think.

Better yet, fly over and have the meeting in person. Or shut up.

Update: the FBI confesses:

...an F.B.I. official said Anonymous had not in fact hacked into it or any other bureau facilities. Instead, the official said, the group had simply obtained an e-mail giving the time, telephone number and access code for the call. The e-mail had been sent on Jan. 13 to more than three dozen people at the bureau, Scotland Yard, and agencies in France, Germany, Ireland, the Netherlands and Sweden. One recipient, a foreign police official, evidently forwarded the notification to a private account, he said, and it was then intercepted by Anonymous.

D'oh!
