
Telephone Hacking Simplified

In today’s world of interconnected systems, how many corporate voice-mail systems interact with e-mail or fax servers, or have call-forwarding features? It’s getting to the point where most vendors now offer products with all the bells and whistles ready to roll out of the box. These features can provide some great productivity benefits, but when they’re tied together in one system, they can easily create a weak link in your security.


Does your system let you use the extension as the password? Can you use numbers like 1234 or 4567 as a password? If so, here’s a quick example of what a hacker might try to do.

Say I’m a hacker. Dialing into the local credit union I get the main prompt: “Press 1 if you know your party’s extension. Press 2 to check your balance. Press 3 to hear your last five cleared checks. Press 4 to speak to a representative.” I hit 5—nothing happens. Six, seven, eight, nine, star, and then . . . “enter your mailbox number.”

I enter 1234.

“Hi, this is Linda in Member Services. I’m unable to answer your call—”

I hit #: “Enter your password.”

I enter 1234.

“You have no new voice messages and one saved voice message. Two new e-mail messages and 127 saved e-mail messages. Press 2 to hear saved voice messages, 3 to hear new e-mail messages, 4 to hear saved e-mail messages.”

I’ve hit the jackpot! I can listen to Linda’s e-mails:

“When will you be home for dinner?” asks Linda’s husband. Stud327@yahoo.com. Sent 3:45 p.m. January 01.

“FYI: I’ll be leaving early for a doctor’s appointment—see you all tomorrow.” brian.smith@noname-CreditUnion.org. Sent 3:30 p.m. January 01.

After listening for a while I realize Linda just isn’t someone with any real dirt to share, until I get to this whimsical e-mail from one of Linda’s coworkers about how cute the FedEx guy is, and how it’s so unfair that he’s wearing a wedding ring.

I have four choices:

  1. Use the system to forward this message to everyone in the credit union just for kicks, possibly making Linda’s coworker think she did it.

  2. Forward Linda’s phone to an outside number (maybe 911—that’s always fun).

  3. Just simply check back another time for something more interesting, like member data.

  4. If information gathering for identity theft isn’t my thing, let’s just change Linda’s inbound recording. In my best Charlton Heston impersonation I could say, “Effective immediately Linda is no longer with No-Name Credit Union. Please press zero and ask for Brian Smith.”

As Brian Smith has gone home for the day, employees and members alike will think Linda is no longer employed. How long will it take Linda to find out that her voice-mail message says she no longer works there? And once she does, how amused do you think Linda and the personnel director at No-Name Credit Union will be?

You would never set a network password to 1234. It is just as important not to do that with voice mail. When creating a new voice-mail box (whatever the system), assign a random 8-10 character password to the box. Don’t use a default and expect employees to change it. If your system vendor lets you define a password policy, including length requirements and a forced change after a set number of days, use it. If you don’t have this kind of setup, call the vendor and ask for these features in the next release.

Also audit all the passwords. First try all the boxes using the extension as the password; then try the employee’s birthday, since birthdays aren’t a secret in most organizations.
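A defender-side version of the audit and password-policy advice in the two paragraphs above, as an added example that is not from the article or its author: it reads a constructed CSV export of mailboxes (a hypothetical format, not any vendor’s; it assumes PINs are digits, since they are typed on a keypad), flags PINs that equal the extension, are derived from the employee’s birthday, are sequential or repeated like 1234, or fall outside the 8-10 length rule, and generates a random PIN for new boxes.

```python
import csv
import io
import secrets
import string
from datetime import date

# Constructed sample mailbox export (not real data): extension, PIN, birthday.
SAMPLE_EXPORT = """extension,pin,birthday
1234,1234,1975-03-14
2201,031475,1975-03-14
2202,4567,1980-11-02
2203,8031,1980-11-02
2204,92736158,1990-06-30
"""

def birthday_pins(bday):
    """PIN forms a birthday is commonly typed as: MMDD, DDMM, MMDDYY, YYMMDD, MMDDYYYY, YYYYMMDD."""
    y, m, d = bday.strftime("%Y"), bday.strftime("%m"), bday.strftime("%d")
    return {m + d, d + m, m + d + y[2:], y[2:] + m + d, m + d + y, y + m + d}

def is_sequential_or_repeated(pin):
    """True for 1234/4567/9876-style runs or a single repeated digit (1111)."""
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return len(set(digits)) == 1 or steps in ({1}, {-1})

def audit_pin(extension, pin, bday):
    """Policy violations for one mailbox; an empty list means the PIN passes."""
    findings = []
    if pin == extension:
        findings.append("pin-equals-extension")
    if pin in birthday_pins(bday):
        findings.append("pin-is-birthday")
    if is_sequential_or_repeated(pin):
        findings.append("pin-sequential-or-repeated")
    if not 8 <= len(pin) <= 10:  # the article's 8-10 length rule
        findings.append("pin-length-not-8-to-10")
    return findings

def audit_export(export_text):
    """Audit every row of the CSV export; returns {extension: [findings]}."""
    rows = csv.DictReader(io.StringIO(export_text))
    return {r["extension"]: audit_pin(r["extension"], r["pin"], date.fromisoformat(r["birthday"])) for r in rows}

def random_pin(length=10):
    """Random 8-10 digit PIN for a new mailbox (digits only: a touch-tone keypad)."""
    while True:  # reject the rare run like 0123456789 that would fail the audit
        pin = "".join(secrets.choice(string.digits) for _ in range(length))
        if not is_sequential_or_repeated(pin):
            return pin
```

Run `audit_export(SAMPLE_EXPORT)` to see which sample boxes fail and why; only the 8-digit random PIN on extension 2204 passes every check.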

Last but not least: Educate employees about the dangers of weak passwords! Educate the users about the dangers of weak passwords! Oops, did I say that twice? That’s okay—you can’t repeat it too often: Educate employees. . . .

Jon Hallberg is network telecom manager for US Federal Credit Union in Burnsville, Minnesota. Contact him at Jon.Hallberg@usfed.org.

