William.Degnan@p5.f39.n382.z1.fidonet.org (William Degnan) (10/08/90)
An Associated Press article recently reported that in Kingsport, TN, a "computer hacker is tapping into voice mail telephone messages and replacing them with explicit sexual descriptions." A United Telephone Co. spokesman said they had received 70 complaints. "It's the first time we've had a problem to this degree," he said. The company began offering the service two years ago and has had a few isolated incidents like this. The FBI and local police have been asked to investigate.

How does this happen? United Telephone says subscribers frequently use the last four digits of their telephone number as their access code. It is easy to remember, but just as easy to crack.

We have written often about passwords and access codes. But United Telephone is not our client, and they have apparently not adequately stressed the importance of having access codes that aren't easily guessable -- until now.

They say someone is using a computer to figure out the codes. Perhaps that is true, but it doesn't take a computer ... or a mental giant to do it. If it is a four-digit code, there aren't that many combinations to try. "1234" and "4321" are always real good "first guesses".

What security measures did United Telephone take to protect their subscribers? With 70 complaints (this time), probably very few measures were taken.

What can system managers do to help secure systems?

Make your codes long enough to be difficult to crack. (Four digits are _not_ enough.)

Permit variable-length codes (requiring at least six digits). This adds additional combinations. Individuals wishing to have better security can choose longer access codes.

Change codes more frequently than you now do. In some cases, changing codes _once_ is more often than you do now. You know who you are. (Does somebody else know, too?)

Is a mailbox access number predictable from its phone number? Is the access code predictable too?

How many attempts with a bad passcode will trigger a security response?

Is the system "too" user friendly?

As businesses become more and more dependent on electronic communications, it becomes increasingly important to business survival to ensure that these assets are protected.

William Degnan -- via The Q Continuum (FidoNet Node 1:382/31) UUCP: ...!natinst!tqc!39.5!William.Degnan ARPA: William.Degnan@p5.f39.n382.z1.FidoNet.Org
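The recommendations above (longer, variable-length codes; rejecting codes predictable from the phone number or from "1234"-style sequences; a lockout after repeated bad attempts), as an added defender-side example that is not part of the original post. The phone number, the 3-attempt threshold and the 10-digit upper bound are constructed sample values.

```python
# Added example: a voice-mail access-code policy check and lockout counter.
# MIN_LEN follows the post's "at least six digits"; MAX_LEN and
# LOCKOUT_ATTEMPTS are assumed values for a sample deployment.
from dataclasses import dataclass, field

MIN_LEN = 6            # post's recommendation: at least six digits
MAX_LEN = 10           # assumed upper bound for variable-length codes
LOCKOUT_ATTEMPTS = 3   # assumed: bad attempts before a security response


def keyspace(min_len, max_len):
    """Number of distinct numeric codes when any length in [min_len, max_len] is allowed."""
    return sum(10 ** n for n in range(min_len, max_len + 1))


def code_weaknesses(code, phone_number):
    """Return the reasons a proposed access code is guessable ([] means acceptable)."""
    if not code.isdigit():
        return ["code must be numeric"]
    reasons = []
    if len(code) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} digits")
    if len(code) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} digits")
    phone_digits = "".join(ch for ch in phone_number if ch.isdigit())
    if code in phone_digits:                     # e.g. the last four digits of the line
        reasons.append("predictable from the phone number")
    if len(set(code)) == 1:                      # 0000, 111111, ...
        reasons.append("single repeated digit")
    if code in "0123456789" or code in "9876543210":   # 1234, 4321, 123456, ...
        reasons.append("consecutive digit sequence")
    return reasons


@dataclass
class MailboxGuard:
    """Counts failed access attempts per mailbox and locks it at the threshold."""
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def attempt(self, mailbox, presented, actual):
        """Return 'ok', 'denied' or 'locked' for one access attempt."""
        if mailbox in self.locked:
            return "locked"
        if presented == actual:
            self.failures.pop(mailbox, None)     # success resets the counter
            return "ok"
        self.failures[mailbox] = self.failures.get(mailbox, 0) + 1
        if self.failures[mailbox] >= LOCKOUT_ATTEMPTS:
            self.locked.add(mailbox)             # point at which to trigger a security response
            return "locked"
        return "denied"
```

keyspace(4, 4) is 10,000 codes, while keyspace(6, 10) is over eleven billion, which is the "additional combinations" the post refers to.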