[ISN] Voice mail systems have few safeguards

From: InfoSec News (isnat_private)
Date: Fri Apr 12 2002 - 01:07:05 PDT


    http://www.sfgate.com/cgi-bin/article.cgi?f=/chronicle/archive/2002/04/11/BU180707.DTL
    
    Henry Norr 
    Chronicle Staff Writer 
    Thursday, April 11, 2002 
    
    Hewlett-Packard isn't saying much about how voice mail between its top 
    executives came to be splashed across newspaper front pages, but 
    virtually every company is vulnerable to similar leaks, security 
    experts warn. 
    
    Voice mail theft is "more common than you'd think," said Jon Callas, a 
    software engineer and security expert at Searchsecurity.com, a Web 
    site focusing on vulnerabilities in information systems. 
    
    Systems are designed to make it easy for the intended recipient to 
    retrieve messages from any phone anywhere, but that means anyone else 
    who knows or can guess the user's password can gain access with equal 
    ease. 
    
    The leak, made public yesterday, involved a message HP Chief Executive 
    Officer Carly Fiorina sent on March 17 to one of her top lieutenants, 
    Chief Financial Officer Bob Wayman. 
    
    Spokeswoman Rebeca Robboy declined to say how HP's voice mail system 
    works or how company officials believe the message was leaked. 
    
    "HP does not by practice disclose details of our internal 
    communications processes," she said. "The incident regarding 
    unauthorized disclosure of a company voice mail is a very serious 
    matter, and we are taking the necessary steps." 
    
    Modern voice mail systems are basically just specialized server 
    computers that store messages in digital form on a hard drive. A 
    system administrator with physical access to the server could retrieve 
    a message -- even one deleted by the recipient -- in essentially the 
    same way that inadvertently erased word processing files can often be 
    recovered. 
    
    Conceivably, other tech-savvy company employees or an outside hacker 
    who managed to penetrate HP's internal data network could do the same 
    thing. 
    
    It's also possible that someone on Wayman's team who secretly opposes 
    the merger plan delivered it to the news media in hopes of bolstering 
    Hewlett's case, which is scheduled to go to trial on April 23, or that 
    it was accidentally forwarded to a merger opponent. 
    
    But the most likely explanation, experts polled yesterday guess, is 
    that a snoop inside or out of the company simply dialed up HP's voice 
    mail system and entered Wayman's extension and password before he 
    deleted the message. 
    
    "A lot of people don't take their voice mail password seriously," said 
    Mandy Andress, president of ArcSec, a San Mateo security company. 
    Systems are often set up with an easily guessed default password -- 
    the user's extension or a simple sequence such as 1-2-3-4. Many users 
    simply leave those passwords in place, she said, or switch to 
    something else an intruder would have a good chance of guessing, such 
    as a birthday or home address. 
    
    "It's a well-known problem that we don't have good voice mail 
    passwords," Callas said. "After all, we want something we can 
    remember." 
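    One defensive control that follows from the weak-PIN problem described above is a policy check run whenever a user sets or changes a voicemail password, rejecting the user's own extension, simple sequences, repeated digits and birthday-style dates. The Python below is an added example, not code from the article or from any vendor's voicemail system; the extension directory, the rule set and the minimum length are assumptions.

```python
from datetime import datetime

# Constructed sample of a company extension directory (not real data).
EXTENSION_DIRECTORY = {"wayman": "4412", "fiorina": "4401"}

# Date layouts a birthday-style PIN is likely to use, keyed by PIN length.
DATE_FORMATS = {
    4: ("%m%d", "%d%m"),
    6: ("%m%d%y", "%d%m%y"),
    8: ("%Y%m%d", "%m%d%Y", "%d%m%Y"),
}

def _is_sequence(pin: str) -> bool:
    """True for runs such as 1234, 4321 or 0000, and the keypad column 2580/0852."""
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps <= {0} or steps == {1} or steps == {-1}:
        return True
    return pin in ("2580", "0852")

def _looks_like_date(pin: str) -> bool:
    """Heuristic: does the PIN parse as a date in a common layout, or as a plausible year?"""
    for fmt in DATE_FORMATS.get(len(pin), ()):
        try:
            datetime.strptime(pin, fmt)
            return True
        except ValueError:
            pass
    return len(pin) == 4 and 1900 <= int(pin) <= 2100

def pin_policy_violations(user: str, pin: str, min_len: int = 6) -> list[str]:
    """Return the policy rules a proposed voicemail PIN breaks; an empty list means acceptable."""
    if not pin.isdigit():
        return ["PIN must be digits only"]
    problems = []
    if len(pin) < min_len:
        problems.append(f"shorter than {min_len} digits")
    ext = EXTENSION_DIRECTORY.get(user)  # assumed lookup of the user's own extension
    if ext and (pin == ext or pin.startswith(ext) or pin.endswith(ext)):
        problems.append("contains the user's own extension")
    if _is_sequence(pin):
        problems.append("repeated digit or simple sequence")
    if _looks_like_date(pin):
        problems.append("looks like a date (birthday-style)")
    return problems

if __name__ == "__main__":
    for user, pin in (("wayman", "4412"), ("wayman", "123456"), ("fiorina", "0317")):
        print(user, pin, pin_policy_violations(user, pin) or "ok")
```

    The date check is deliberately conservative: it flags PINs that parse as a date in a fixed-width layout, so a few ambiguous digit strings will slip through, which a length requirement of six or more digits largely offsets.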
    
    Few companies have done much to impose strict security on their voice 
    mail systems, despite increasing awareness of computer security risks. 
    "Companies are being more proactive about securing things that are 
    relatively easy to get to, like Web servers, but they're ignoring 
    other systems," Andress said. 
    
    Part of the problem, according to Rick Shaw, president of CorpNet 
    Security in Lincoln, Neb., is that most company executives and 
    security administrators "haven't thought about how critical the 
    information on voice mail can be." 
    
    "Obviously, this episode serves as a wake-up call," he said. 
    
    It's not the first time, however, that a major company has been 
    embarrassed by a voice mail leak. In 1998, the Cincinnati Enquirer 
    published an 18-page exposé of Chiquita Banana's labor practices on 
    its Central American farms. 
    
    A month later, the paper renounced its stories, fired its lead 
    reporter, issued an apology and paid Chiquita more than $10 million, 
    after it was revealed that the stories were derived in part from 
    stolen voice mail. Both the reporter and a former Chiquita lawyer who 
    helped him gain access to the company's voice mail were eventually 
    convicted in the case. 
    
    E-mail Henry Norr at hnorrat_private 
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    



    This archive was generated by hypermail 2b30 : Fri Apr 12 2002 - 03:44:15 PDT