William.Degnan@p5.f39.n382.z1.fidonet.org (William Degnan) (10/08/90)
An Associated Press article recently reported that in Kingsport, TN, a
"computer hacker is tapping into voice mail telephone messages and
replacing them with explicit sexual descriptions. A United Telephone
Co. Spokesman said they had received 70 complaints. "It's the first
time we've had a problem to this degree," he said. The company began
offering the service two years ago and has had a few isolated
incidents like this.
The FBI and local police have been asked to investigate.
How does this happen? United Telephone says subscribers frequently use
the last four digits of their telephone number as their access code.
It is easy to remeber, but just as easy to crack.
We have written often about passwords, and access codes. But, United
Telephone is not our client and they have apparently not adaquately
stressed the importance of having access codes that aren't easily
guessable -- until now.
They say someone is using a computer to figure out the codes. Perhaps
that is true, but it doesn't take a computer ... or a mental giant to
do it. If it is a four-digit code, there aren't that many combinations
to try. "1234" and "4321" are always real good "first guesses".
What security measures did United Telephone take to protect their
subscribers? With 70 complaints (this time), probably very few
measures were taken.
What can system managers do to help secure systems?
Make your codes long enough to be difficult to crack. (Four digits are
_not_ enough.)
Permit variable-length codes (requiring at least six digits). This adds
additional combinations. Individuals wishing to have better security
can choose longer access codes.
Change codes more frequently than you now do. In some cases, changing
codes _once_ is more often than you do now. You know who you are.
(Does somebody else know, too?)
Is a mailbox access number predictable from the its phone number? Is
the access code predictable too?
How many attempts with a bad passcode will trigger a security
response?
Is the system "too" user friendly?
As business become more and more dependent on electronic communications,
it becomes increasingly important to business survial to insure that
these assets are protected.
William Degnan -- via The Q Continuum (FidoNet Node 1:382/31)
UUCP: ...!natinst!tqc!39.5!William.Degnan
ARPA: William.Degnan@p5.f39.n382.z1.FidoNet.Org