All Rights Reserved

More than 400 calls, worth $12,000, made through agency system

Grand Rapid Press

WASHINGTON — The FBI is investigating more than $12,000 in calls to the Middle East and Asia that were made when a hacker broke into the Federal Emergency Management Agency's phone system two weeks ago.

The hacker made more than 400 calls on a FEMA voice-mail system in Emmitsburg, Md., on Aug. 16 and 17. FEMA said it appears a "hole" was left open by the contractor when the voice-mail system was being upgraded. A FEMA spokesman said the gap in the system has since been closed.

Saudi Arabia, Yemen called

"We are investigating it," FBI spokesman Jason Pack said. "We are working with FEMA."

One security expert called this type of hacking low-tech and "old school" -- something popular 10 to 15 years ago.

Afghanistan, Saudi Arabia, India and Yemen are among the countries that calls were made to. Most of the calls were about three minutes long, but some were as long as 10 minutes.

Sprint caught the fraud and halted all outgoing long-distance calls from FEMA's National Emergency Training Center in Emmitsburg.

FEMA is part of the Homeland Security Department, which in 2003 warned about this very vulnerability.

"This illegal activity enables unauthorized individuals anywhere in the world to communicate via compromised U.S. phone systems in a way that is difficult to trace," according to Homeland Security's 2003 bulletin.

The voice-mail system that was hacked is a Private Branch Exchange, or PBX, a traditional corporate phone network that is used in thousands of companies and government offices. Many companies are moving to a higher tech version.

"In this case, it's sort of embarrassing it happened to FEMA themselves -- FEMA being a child of DHS, with calls going to the Middle East," John Jackson, a St. Louis-based security consultant, said last week when he learned of the hacked system.

Copyright 2008 Grand Rapids Press