http://www.sfgate.com/cgi-bin/article.cgi?f=/chronicle/archive/2002/04/11/BU180707.DTL

Henry Norr
Chronicle Staff Writer
Thursday, April 11, 2002

Hewlett-Packard isn't saying much about how voice mail between its top executives came to be splashed across newspaper front pages, but virtually every company is vulnerable to similar leaks, security experts warn.

Voice mail theft is "more common than you'd think," said Jon Callas, a software engineer and security expert at Searchsecurity.com, a Web site focusing on vulnerabilities in information systems.

Systems are designed to make it easy for the intended recipient to retrieve messages from any phone anywhere, but that means anyone else who knows or can guess the user's password can gain access with equal ease.

The leak, made public yesterday, involved a message HP Chief Executive Officer Carly Fiorina sent on March 17 to one of her top lieutenants, Chief Financial Officer Bob Wayman.

Spokeswoman Rebeca Robboy declined to say how HP's voice mail system works or how company officials believe the message was leaked.

"HP does not by practice disclose details of our internal communications processes," she said. "The incident regarding unauthorized disclosure of a company voice mail is a very serious matter, and we are taking the necessary steps."

Modern voice mail systems are basically just specialized server computers that store messages in digital form on a hard drive. A system administrator with physical access to the server could retrieve a message -- even one deleted by the recipient -- in essentially the same way that inadvertently erased word processing files can often be recovered.

Conceivably, other tech-savvy company employees or an outside hacker who managed to penetrate HP's internal data network could do the same thing.

It's also possible that someone on Wayman's team who secretly opposes the merger plan delivered it to the news media in hopes of bolstering Hewlett's case, which is scheduled to go to trial on April 23, or that it was accidentally forwarded to a merger opponent.

But the most likely explanation, experts polled yesterday guess, is that a snoop inside or out of the company simply dialed up HP's voice mail system and entered Wayman's extension and password before he deleted the message.

"A lot of people don't take their voice mail password seriously," said Mandy Andress, president of ArcSec, a San Mateo security company.

Systems are often set up with an easily guessed default password -- the user's extension or a simple sequence such as 1-2-3-4. Many users simply leave those passwords in place, she said, or switch to something else an intruder would have a good chance of guessing, such as a birthday or home address.

"It's a well-known problem that we don't have good voice mail passwords," Callas said. "After all, we want something we can remember."

Few companies have done much to impose strict security on their voice mail systems, despite increasing awareness of computer security risks.

"Companies are being more proactive about securing things that are relatively easy to get to, like Web servers, but they're ignoring other systems," Andress said.

Part of the problem, according to Rick Shaw, president of CorpNet Security in Lincoln, Neb., is that most company executives and security administrators "haven't thought about how critical the information on voice mail can be."

"Obviously, this episode serves as a wake-up call," he said.

It's not the first time, however, that a major company has been embarrassed by a voice mail leak. In 1998, the Cincinnati Enquirer published an 18-page expose of Chiquita Banana's labor practices on its Central American farms.

A month later, the paper renounced its stories, fired its lead reporter, issued an apology and paid Chiquita more than $10 million, after it was revealed that the stories were derived in part from stolen voice mail. Both the reporter and a former Chiquita lawyer who helped him gain access to the company's voice mail were eventually convicted in the case.

E-mail Henry Norr at hnorrat_private