[LINK] Murdoch hacking scandal just gets worse.

Kim Holburn kim at holburn.net
Thu Dec 1 09:01:25 AEDT 2011


At last someone is pointing out the bleeding obvious, which I've pointed out on Link before: why isn't anyone sheeting some of this home to the abysmal security put in place by the phone companies?

As they say in this article: the security implications of bad carrier policy are mind boggling.

https://www.securityweek.com/hacking-scandal-spreads-government-are-you-four-digits-away-security-breach

> New York Times headline proclaimed, stating further, "Britain's hacking scandal was reported on Tuesday to have broadened significantly into areas of national security with police investigating whether private detectives working for the Murdoch media empire hacked into the computer of a government minister responsible for Northern Ireland."
> 
> Scary stuff, yet the enterprise security community seems strangely quiet on the topic, aside from showing other journalists how easy it is to do. The irony! It's almost as though there is an unspoken understanding that this doesn't fall into the Information Security arena.
> 
> This is utterly mind-boggling, considering the revelation of risk involved.
> 
> The main thing we learned from this is that most voicemail systems are not secure. Essentially, a bunch of technically unskilled attackers managed to circumvent the national security precautions of the United Kingdom by exploiting an unsecured third party.
> 
> Here is the kicker! Aside from not using the feature, there is not a single thing anyone (except for the carrier) could have done to prevent it.
> 
> When you read the security precautions offered by carriers for voicemail, you can only weep and cry and scream in desperation. Essentially, from the perspective of an attacker, there aren't any precautions per se, just a few inconveniences.
> 
> It boggles the mind even more, because the issues are fundamentally the same as with PBXs, and these were already known, documented and encountered sufficiently in the 1980s.
> 
> So what we learned about the carriers is that they have learned nothing in that regard in almost 30 years.
> 
> We also learned that we are possibly four digits away from a compromise. If we are lucky that is, and even that simple precaution has not been disabled.
> 
> Now, who has mobile phones in their organization? Who carries them? Your Consultants? Your Salespeople? Your CTO/CSO/COO/CFO? Your legal counsel? Or maybe, just maybe, your Minister or Brigadier General. In addition, of course, to all of those BYODs. That probably amounts to a lot of voicemail likely containing a lot of sensitive information.
> 
> Does your security policy take the carrier into consideration? Does your security policy make a point of your users changing the default PIN (or in some cases, actually activating the PIN in the first place) and setting a password? Even, or especially, in the case of BYOD? Can you legally even do that? Do you instruct employees not to relay sensitive information via voicemail? No?
> 
> Then you may just have a gap in your Security Strategy, and if you are in any way important in some industry, region or market, chances are you have already had a data breach and security incident and you never even knew, and are unlikely to be able to verify this even if you had a hunch or suspicion.

...

> The implications of how easily the perpetrators were able to social engineer the carrier's customer service agents are worrying. If the alarm bells do not go off when dealing with a prominent celebrity's customer account, it does not bode well that they may perk up for plain John or Jane Doe. Nor did any of the carriers become aware of the compromises, which is also incredibly concerning considering the scale and duration. One can only guess how many occurrences of this form of attack take place; the carriers can't tell us either, apparently.


-- 
Kim Holburn
IT Network & Security Consultant
T: +61 2 61402408  M: +61 404072753
mailto:kim at holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request 
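
The article's "four digits away" point, and its question about whether a policy forces users off the default PIN, can be made concrete. The following is an added example, not code from this post or from the SecurityWeek article: it ranks a voicemail PIN by how early a guessing attacker would reach it (carrier defaults first, then the last four digits of the subscriber's own number, then keypad patterns, then the rest of the 10,000-entry keyspace) and applies a simple policy check that would reject the weak ones. The default PINs in DEFAULT_PINS are an assumption for illustration (the page names no carrier's actual defaults), and the subscriber number in the usage block is a constructed sample.

```python
"""Voicemail PIN exposure check.

Added example, not code from the post or the SecurityWeek article. It models the
"four digits away" point: how early a given PIN falls in the order an attacker
would plausibly guess it, and why carrier default PINs fall first. Assumptions:
the PINs in DEFAULT_PINS are illustrative, not any real carrier's defaults (the
page names none), and the subscriber number in the usage block is constructed.
"""

# Assumed set of carrier default PINs; illustrative only, not from the page.
DEFAULT_PINS = ("0000", "1111", "1234", "9999")


def _digits(number: str) -> str:
    """Keep only the digits of a phone number written with spaces or a '+'."""
    return "".join(ch for ch in number if ch.isdigit())


def attacker_guess_order(subscriber_number: str) -> list[str]:
    """Order in which an attacker with no other knowledge would try 4-digit PINs.

    Carrier defaults first, then the PIN many users pick when forced to change
    it (last four digits of their own number), then keypad patterns, then the
    remaining keyspace in numeric order. Duplicates are dropped, so the list
    always holds exactly 10000 entries.
    """
    order: list[str] = []
    seen: set[str] = set()

    def add(pin: str) -> None:
        if pin not in seen:
            seen.add(pin)
            order.append(pin)

    for pin in DEFAULT_PINS:
        add(pin)
    add(_digits(subscriber_number)[-4:])
    for d in "0123456789":                        # 0000, 1111, 2222, ...
        add(d * 4)
    for start in range(0, 7):                      # 0123 .. 6789
        add("".join(str(start + i) for i in range(4)))
    for start in range(9, 2, -1):                  # 9876 .. 3210
        add("".join(str(start - i) for i in range(4)))
    for n in range(10000):                         # everything else, in order
        add(f"{n:04d}")
    return order


def guess_rank(pin: str, subscriber_number: str) -> int:
    """1-based position of `pin` in the attacker's guess order (1 = first try)."""
    return attacker_guess_order(subscriber_number).index(pin) + 1


def pin_weaknesses(pin: str, subscriber_number: str) -> list[str]:
    """Policy check: reasons a PIN should be rejected. Empty list means it passes."""
    if not (len(pin) == 4 and pin.isdigit()):
        return ["PIN must be exactly four digits"]
    reasons = []
    if pin in DEFAULT_PINS:
        reasons.append("carrier default PIN")
    if pin == _digits(subscriber_number)[-4:]:
        reasons.append("last four digits of the subscriber number")
    if len(set(pin)) == 1:
        reasons.append("single repeated digit")
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):
        reasons.append("sequential digits")
    return reasons


if __name__ == "__main__":
    number = "0400 000 123"  # constructed sample subscriber number
    for candidate in ("1234", "0123", "4817"):
        print(candidate, guess_rank(candidate, number), pin_weaknesses(candidate, number))
```

The rank is the number a lockout policy has to be measured against: a default PIN is reached on the first handful of attempts regardless of any throttling, whereas a PIN with no findings sits thousands of guesses deep, which is the only case where a per-account attempt limit at the carrier actually buys anything.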