Anonymous then used this information to
their advantage to turn the tables on the FBI and Scotland Yard by recording
the scheduled call and posting it on YouTube.
You can listen to the recording of this call, made by Anonymous, on YouTube
Read a rough transcription of the conversation here.
So how was Anonymous able to intercept an e-mail which should have been both encrypted prior to sending and sent via an encrypted network?
The answer lies in the fact that all
e-mail is sent as PLAIN TEXT across the Internet. Unless the message is encrypted, either at
the workstation, or via the e-mail server software, it is PLAIN TEXT and can be
read by anyone who can capture the data during its journey.
Short answer: Either someone at the FBI got lazy, and there was no SSL/TLS on the FBI e-mail servers or one or more of the recipients has a very poor password on their e-mail account.
Whether the original sender of the message “forgot” to encrypt, his workstation was not equipped to encrypt, the connection between his workstation was not encrypted, or the FBI is not equipped to encrypt, this incident is unforgivable and, once an investigation has been completed, the responsible parties be should terminated.
In fact, this should not be under the control of the sender of the e-mail at all. With any government security agency, or even with any business, the process of encrypting e-mail should be fully automatic and transparent to the users.
E-mail, unless encrypted, is sent as plain text over the public Internet, I always advise both my hosted and consulting clients to “never write anything in an e-mail message you would not want to see in the newspaper or on TV.” They usually laugh when I say that but my concerns are being borne out by both the reports which have so frequently appeared in the new and the fact that there are so many new legal requirements mandating e-mail encryption in the banking, healthcare, legal, and ever increasing numbers of other business groups.
So, now that the proverbial cat is out of the bag at the FBI, what can you do to prevent your e-mail from getting into the wrong hands?
At ChicagoNetTech we run TLS on our SmarterMail e-mail server product. TLS is an extension of the SSL encryption protocol which actually allows our clients to both make an SSL connection to the e-mail server to originate their e-mail via POP, IMAP, ActiveSync, or our SSL encrypted web interface if so desire, originate their e-mail message, and send it through the Internet via the TLS security protocol.
TLS is a relatively new encryption capability on many e-mail systems and, as part of the transmission process, encrypts inter-e-mail server data traffic so it cannot be easily intercepted.
Whether or not TLS is supported by an
e-mail server is very easily tested. In
the case of e-mail sent to and from Timothy Lancaster, the originator of the
conference call intercepted by Anonymous, we see the following results:
The
US
TestReceiver
CheckTLS Confidence
Factor for "Timothy.Lauster@ic.fbi.gov": 0
MX Server
|
Pref
|
Con-
nect |
All-
owed |
Can
Use |
TLS
Adv |
Cert
OK |
TLS
Neg |
Sndr
OK |
Rcvr
OK |
mail.ic.fbi.gov
[153.31.119.142] |
10
|
OK
(85ms) |
OK
(786ms) |
OK
(74ms) |
FAIL
|
FAIL
|
FAIL
|
OK
(1,020ms) |
OK
(76ms) |
Average
|
100%
|
100%
|
100%
|
0%
|
0%
|
0%
|
100%
|
100%
|
The results in the grid above show that the FBI’s e-mail server FAILS the most basic of Internet e-mail security, TLS. The e-mail server used for the FBI’s domain, IC.FBI.GOV does not have even the most basic of security enabled.
Repeating this TLS check test for Stewart.Garrick@met.police.uk shows the same thing:
TestReceiver
CheckTLS Confidence
Factor for "Stewart.Garrick@met.police.uk": 0
MX Server
|
Pref
|
Con-
nect |
All-
owed |
Can
Use |
TLS
Adv |
Cert
OK |
TLS
Neg |
Sndr
OK |
Rcvr
OK |
mail3.met.police.uk
[212.74.97.198] |
15
|
OK
(180ms) |
OK
(167ms) |
OK
(169ms) |
FAIL
|
FAIL
|
FAIL
|
OK
(682ms) |
OK
(163ms) |
mail4.met.police.uk
[212.74.97.212] |
15
|
OK
(181ms) |
OK
(165ms) |
OK
(164ms) |
FAIL
|
FAIL
|
FAIL
|
OK
(673ms) |
OK
(165ms) |
mxbackup.uk.cw.net
[195.92.195.234] |
20
|
OK
(155ms) |
OK
(241ms) |
OK
(144ms) |
FAIL
|
FAIL
|
FAIL
|
OK
(686ms) |
OK
(782ms) |
Average
|
100%
|
100%
|
100%
|
0%
|
0%
|
0%
|
100%
|
100%
|
The e-mail servers for the domain
MET.POLICE.UK FAIL the TLS test and do not have the capability to encrypt
inter-domain e-mail messages.
Validating against other domains
included in the e-mail message intercepted by Anonymous, we the following
results on the part of the e-mail servers used by other high-level security
officials in other countries who were invited to participate in the conference
call:
FRANCE
PASSES:
TestReceiver
CheckTLS Confidence
Factor for "olivier.nael@interieur.gouv.fr": 90
MX Server
|
Pref
|
Con-
nect |
All-
owed |
Can
Use |
TLS
Adv |
Cert
OK |
TLS
Neg |
Sndr
OK |
Rcvr
OK |
tigre.interieur.gouv.fr
[212.234.218.76] |
10
|
OK
(172ms) |
OK
(337ms) |
OK
(162ms) |
OK
(161ms) |
FAIL
|
OK
(1,433ms) |
OK
(163ms) |
FAIL
|
Average
|
100%
|
100%
|
100%
|
100%
|
0%
|
100%
|
100%
|
0%
|
Note:
Cert failures do not affect TLS encryption, but may mean the site isn't who
they say they are.
NOTE
that the CERT failure means that the TLS test was unable to verify the e-mail
address. They may be because it was
changed since being published by Anonymous or that the domain INTERIEUR.GOUV.FR
runs Greylisting. If we test in a few
minutes and the CERT OK changes to PASS, then we will know they run
Greylisting.
The NETHERLANDS PASSES:
TestReceiver
CheckTLS Confidence
Factor for "michel@nhtcu.nl": 90
MX Server
|
Pref
|
Con-
nect |
All-
owed |
Can
Use |
TLS
Adv |
Cert
OK |
TLS
Neg |
Sndr
OK |
Rcvr
OK |
pochta3.nhtcu.nl
[83.149.67.40] |
8
|
OK
(154ms) |
OK
(688ms) |
OK
(144ms) |
OK
(143ms) |
FAIL
|
OK
(1,663ms) |
OK
(150ms) |
OK
(149ms) |
pochta4.nhtcu.nl
[83.149.94.112] |
9
|
OK
(154ms) |
OK
(159ms) |
OK
(144ms) |
OK
(145ms) |
FAIL
|
OK
(1,138ms) |
OK
(150ms) |
OK
(151ms) |
Average
|
100%
|
100%
|
100%
|
100%
|
0%
|
100%
|
100%
|
100%
|
GERMANY
PASSES:
TestReceiver
CheckTLS Confidence
Factor for "andre.dornbusch@iuk.bka.de": 90
MX Server
|
Pref
|
Con-
nect |
All-
owed |
Can
Use |
TLS
Adv |
Cert
OK |
TLS
Neg |
Sndr
OK |
Rcvr
OK |
smtp.ts-businessmail.de
[217.150.155.10] |
100
|
OK
(209ms) |
OK
(696ms) |
OK
(174ms) |
OK
(175ms) |
FAIL
|
OK
(1,934ms) |
OK
(404ms) |
FAIL
|
Average
|
100%
|
100%
|
100%
|
100%
|
0%
|
100%
|
100%
|
0%
|
SWEDEN FAILS:
TestReceiver
CheckTLS Confidence
Factor for "peter.ericson@rkp.police.se": 0
MX Server
|
Pref
|
Con-
nect |
All-
owed |
Can
Use |
TLS
Adv |
Cert
OK |
TLS
Neg |
Sndr
OK |
Rcvr
OK |
mail.telia.com
[62.20.233.128] |
10
|
OK
(193ms) |
OK
(182ms) |
OK
(178ms) |
FAIL
|
FAIL
|
FAIL
|
OK
(1,118ms) |
FAIL
|
Average
|
100%
|
100%
|
100%
|
0%
|
0%
|
0%
|
100%
|
0%
|
Getting back to that "what happened" question asked at the top of this posting, it looks like neither the FBI, nor several other high-security installations run TLS!
While I would certainly not consider
TLS to be the only security protocol implemented for communications between
international security agencies, it should, at the very least, be a jumping off
point for any secure e-mail communication.
No matter what kind of e-mail server you are running, or what purpose you are running your e-mail for: personal, business, not-for-profit, whatever the use, always remember that e-mail is transmitted as plain text across the internet and should always be encrypted.
The level of encryption depends on both regulatory requirements and what your business does. HIPAA / HITECH, Sarbanes Oxley, and government regulations all have similar, and, because of highly publicized incidents like the one outlined above, merging requirements.
Protect yourself now. Check the status of your e-mail encryption and make certain you are running TLS on your mail servers – as a very MINIMUM requirement.
You can check your e-mail server's TLS capabilities at: http://www.checktls.com/perl/TestReceiver.pl.
Select "CertDetail" from the drop-down box for intensive result reporting.
If you have any questions, please feel free to contact me
and we can discuss your e-mail and network security to make certain your
business is protected.
Now for the fun part, the actual e-mail intercepted by Anonymous is listed below.
NOTE: Because this has been previously published on the Internet by Anonymous, we decided to keep all of the data exactly as previously published:
======================================
MIME-Version: 1.0
acceptlanguage: en-US
Accept-Language: en-US
Content-class: urn:content-classes:message
Subject: Anon-Lulz International Coordination Call
Date: Fri, 13 Jan 2012 19:21:49 -0000
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
thread-topic: Anon-Lulz International Coordination Call
From: "Lauster, Timothy F. Jr." Timothy.Lauster@ic.fbi.gov To: "Reichard, Gerald A." Gerald.Reichard@ic.fbi.gov,
paul.hoare2@met.police.uk,
Raymond.Massie@met.police.uk,
trevor.dickey@met.pnn.police.uk,
Stewart.Garrick@met.police.uk,
"Gillen, Paul G" paul.g.gillen@garda.ie,
"Gallagher, Colm" colm.gallagher@garda.ie,
pim@nhtcu.nl,
Gea@nhtcu.nl,
michel@nhtcu.nl,
olivier.nael@interieur.gouv.fr,
olivier.moalic@interieur.gouv.fr,
thierry.mezenguel@interieur.gouv.fr,
andre.dornbusch@iuk.bka.de,
peter.ericson@rkp.police.se,
stefan.kronqvist@rkp.police.se,
ulrika.sundling@rkp.police.se,
Jaap.Oss@europol.europa.eu,
valentin.gatejel@europol.europa.eu,
"Helman, Bruce C. Jr." Bruce.Helman@ic.fbi.gov,
"Sporre, Eric W." Eric.Sporre@ic.fbi.gov,
"Buckler, Lesley" Lesley.Buckler@ic.fbi.gov,
"Geeslin, Robert C." Robert.Geeslin@ic.fbi.gov,
"Plunkett, William R." William.Plunkett@ic.fbi.gov,
"Roberts, Stewart B." Stewart.Roberts@ic.fbi.gov,
"Brassanini, David" David.Brassanini@ic.fbi.gov,
"Stangl, Christopher K." Christopher.Stangl@ic.fbi.gov,
"Patel, Milan" Milan.Patel@ic.fbi.gov,
"Ng, William T." William.Ng@ic.fbi.gov,
"Adams, Melanie" Melanie.Adams@ic.fbi.gov,
"Culp, Mark A." Mark.Culp@ic.fbi.gov,
"Arico, Nicholas J." Nicholas.Arico@ic.fbi.gov,
"Tabatabaian, Ramyar" Ramyar.Tabatabaian@ic.fbi.gov,
"Penalosa, Jensen" Jensen.Penalosa@ic.fbi.gov,
"Bales, Will" Will.Bales@ic.fbi.gov,
"Burton, Kevin C." Kevin.Burton@ic.fbi.gov,
"Nail, Michael A." Michael.Nail@ic.fbi.gov,
"Grasso, Thomas X." Thomas.Grasso@ic.fbi.gov,
"Thomas, Christopher T." Christopher.Thomas@ic.fbi.gov,
"Caruthers, John" John.Caruthers@ic.fbi.gov,
"Phoenix, Conor I." Conor.Phoenix@ic.fbi.gov,
"Hunt, Chad R." Chad.Hunt@ic.fbi.gov,
"Willett, Bryan G." Bryan.Willett@ic.fbi.gov,
"Patrick, Kory D." Kory.Patrick@ic.fbi.gov
All,
A conference call is planned for next Tuesday (January 17, 2012) to discuss the on-going investigations related to Anonymous, Lulzsec, Antisec, and other associated splinter groups
The conference call was moved to Tuesday due to a US holiday on Monday.
Date: Tuesday, January 17, 2012
Time: 4:00 PM GMT=20
BridgeTN: 202-393-2430
Access Code: 6513211#
Please contact me if you have any questions.Protect your e-mail server today
Regards,
Tim
SSA Timothy F. Lauster, Jr
Federal Bureau of Investigation
202-651-3211 (w)
202-651-3193 (f)
- ENCRYPT YOUR COMMUNICATIONS!
======================================If you have any questions on how to do so, or are looking for hosted solutions, please feel free to contact me.
Copyright © 2012, Bruce Barnes, ChicagoNetTech Inc, All Rights Reserved
