Modernizing Authentication — What It Takes to Transform Secure Access
Much of the world has been entranced by an emerging story of espionage, data theft, misdirection and cover-up at one of the world’s most popular and successful newspapers. It’s not a new James Bond story though the reports of private investigators intercepting cell phone messages and tracking down the private communications details of people of interest seem to align with the pages of a spy novel rather than a Sunday newspaper.
However, the phone hacking allegations and other claims of data intrusion that have been leveled at the UK’s News of the World newspaper, its parent company News International (the UK publishing arm of Rupert Murdoch's News Corporation), and a number of freelance reporters, private investigators and other paid sources, have resulted in one of the oldest and most successful newspapers in the world being shut down after its credibility evaporated and public opinion soured in less than a week.
Initial tales of celebrities and politicians being targeted by hackers desperate for an exclusive have quickly broadened to include everyday folks, including victims of terrorism and their families, murder victims, and families of British servicemen killed in action.
The reports of alleged phone hacking, and emerging claims that other forms of data theft and interception may have taken place, have highlighted a worrying issue. The News of the World case has revealed just how easy it is for unskilled individuals -- often with no specialist equipment -- to gain access to voicemail and other mailboxes, largely by just taking advantage of the user failing to change the default password or PIN number used by the service.
For example, the vast majority of cell phone services, along with landline telephone providers, create voicemail mailboxes with the same default password for all users, quite often something as simple as 0000 or 1234 (this is public information that is usually contained in the help section of the vendor’s website or instruction manual that comes with airtime accounts). In the majority of cases, investigators were opportunistically dialing into mailbox retrieval numbers, keying in the phone number of the target, and then simply trying a list of known default PIN numbers used by the service providers, followed by a list of the most common user-created PIN numbers. More often than not, the default had not been changed and the investigator gained full and unrestricted access to any and all stored messages.
The News of the World case was further complicated when it emerged that unskilled private investigators were allegedly using these methods to gain access to the cell phone voicemail mailbox of Milly Dowler, an English schoolgirl who was abducted on her way home from school at the age of 13 and subsequently murdered.
While Dowler was still listed as missing, investigators and the newspaper were listening to voicemails left by friends and other acquaintances in an effort to gain exclusive information that could be used for front page news stories. When the mailbox filled, they deleted messages -- compromising the police investigation and giving Dowler’s family a false sense of belief that it was in fact Milly deleting them and leading them to think she was still alive.
These alleged activities have shown that it is not just high profile celebrities and politicians that can find their voicemail, email and other communications accounts hacked by an outside entity. Everyday members of the public are just as much at risk of having their personal communications compromised, not so much by newspapers, but by criminals using exactly the same tactics as were used by those working for News of the World .
This unfolding story reveals people's cavalier attitude towards data security and illustrates how easy it is for an opportunistic hacker, identity thief or fraudster to infiltrate and intercept sensitive communications for their own criminal and malicious gain.
If there is anything we can all learn from these reports of phone hacking, it is that everyone needs to take simple, but long overdue steps to protect their data and access, and to be careful about how they protect their information and communications in the future.
Changing default PIN numbers on cell phones and home landline voicemail is an absolute must, as is changing the default passwords on wireless routers. It is also essential to turn off file sharing on laptops when connected to public networks, such as wireless networks in coffee shops, restaurants and airports.
While malware remains one of the biggest threats to personal information security, complex passwords for email accounts are incredibly important; especially when using a prominent, free email service like Gmail or Hotmail that is potentially easier to track down and target than customized email services with less obvious server names. There are many examples of rogue software (such as the recently shut down Coreflood botnet) that are designed to illicitly log keystrokes or install back-door access to your PC in order to harvest username and passwords for online banking and retailers where you might have stored payment details.
Additionally, it is imperative that users refrain from saving sensitive passwords in Web browsers. If a laptop or phone is lost or stolen, especially if it isn’t password protected, a thief would have easy access to an annotated list of passwords and personal information that could be used for malicious activity.
The News of the World’s downfall has highlighted these security threats and tactics, but it is important to remember that it is not just a few rogue newspaper investigators doing this; these same tactics are regularly in use by criminal gangs and individual fraudsters trying to rip-off the general public.
Christopher Boyd is senior threat researcher at GFI Software, a provider of security and IT solutions to the mid-market.