Information Security News mailing list archives

Voice mail systems have few safeguards


From: InfoSec News <isn () c4i org>
Date: Fri, 12 Apr 2002 03:07:05 -0500 (CDT)

http://www.sfgate.com/cgi-bin/article.cgi?f=/chronicle/archive/2002/04/11/BU180707.DTL

Henry Norr 
Chronicle Staff Writer 
Thursday, April 11, 2002 

Hewlett-Packard isn't saying much about how voice mail between its top 
executives came to be splashed across newspaper front pages, but 
virtually every company is vulnerable to similar leaks, security 
experts warn. 

Voice mail theft is "more common than you'd think," said Jon Callas, a 
software engineer and security expert at Searchsecurity.com, a Web 
site focusing on vulnerabilities in information systems. 

Systems are designed to make it easy for the intended recipient to 
retrieve messages from any phone anywhere, but that means anyone else 
who knows or can guess the user's password can gain access with equal 
ease. 

The leak, made public yesterday, involved a message HP Chief Executive 
Officer Carly Fiorina sent on March 17 to one of her top lieutenants, 
Chief Financial Officer Bob Wayman. 

Spokeswoman Rebeca Robboy declined to say how HP's voice mail system 
works or how company officials believe the message was leaked. 

"HP does not by practice disclose details of our internal 
communications processes," she said. "The incident regarding 
unauthorized disclosure of a company voice mail is a very serious 
matter, and we are taking the necessary steps." 

Modern voice mail systems are basically just specialized server 
computers that store messages in digital form on a hard drive. A 
system administrator with physical access to the server could retrieve 
a message -- even one deleted by the recipient -- in essentially the 
same way that inadvertently erased word processing files can often be 
recovered. 

Conceivably, other tech-savvy company employees or an outside hacker 
who managed to penetrate HP's internal data network could do the same 
thing. 

It's also possible that someone on Wayman's team who secretly opposes 
the merger plan delivered it to the news media in hopes of bolstering 
Hewlett's case, which is scheduled to go to trial on April 23, or that 
it was accidentally forwarded to a merger opponent. 

But the most likely explanation, experts polled yesterday guess, is 
that a snoop inside or out of the company simply dialed up HP's voice 
mail system and entered Wayman's extension and password before he 
deleted the message. 

"A lot of people don't take their voice mail password seriously," said 
Mandy Andress, president of ArcSec, a San Mateo security company. 
Systems are often set up with an easily guessed default password -- 
the user's extension or a simple sequence such as 1-2-3-4. Many users 
simply leave those passwords in place, she said, or switch to 
something else an intruder would have a good chance of guessing, such 
as a birthday or home address. 

"It's a well-known problem that we don't have good voice mail 
passwords," Callas said. "After all, we want something we can 
remember." 

Few companies have done much to impose strict security on their voice 
mail systems, despite increasing awareness of computer security risks. 
"Companies are being more proactive about securing things that are 
relatively easy to get to, like Web servers, but they're ignoring 
other systems," Andress said. 

Part of the problem, according to Rick Shaw, president of CorpNet 
Security in Lincoln, Neb., is that most company executives and 
security administrators "haven't thought about how critical the 
information on voice mail can be." 

"Obviously, this episode serves as a wake-up call," he said. 

It's not the first time, however, that a major company has been 
embarrassed by a voice mail leak. In 1998, the Cincinnati Enquirer 
published an 18-page expose of Chiquita Banana's labor practices on 
its Central American farms. 

A month later, the paper renounced its stories, fired its lead 
reporter, issued an apology and paid Chiquita more than $10 million, 
after it was revealed that the stories were derived in part from 
stolen voice mail. Both the reporter and a former Chiquita lawyer who 
helped him gain access to the company's voice mail were eventually 
convicted in the case. 

E-mail Henry Norr at hnorr () sfchronicle com. 


