[comp.dcom.telecom] Hacker Altering Voicemail Messages

root@crdgw1.ge.com (Paul Schmidt -) (10/04/90)

 From the JOHNSON CITY PRESS, Wednesday, October 3, 1990

HACKER ALTERING RECORDED PHONE MESSAGES

By Leslie Loyd
Associated Press Writer


KINGSPORT, TN - A computer hacker is tapping into voice mail telephone
messages and replacing them with explicit sexual descriptions, a
telephone company spokesman said Tuesday.

        Phil Timp, a spokesman for United Telephone Co., said the
company has received 70 complaints.

        "All of the sudden in the last two weeks, we've had a barrage
of complaints," Timp said.  "What the motive is we don't know...
Obviously they're very disturbed."

        The FBI and Kingsport police were called in Tuesday to investigate.

        ... (portion omitted describing voice mail) ...

        "(Subscribers) are checking their messages and hearing this,"
Timp said.  "Imagine if your mother called."

        He said subscribers frequently use the last four digits of
their telephone number as their access code because it is easy to
remember.  But that also makes the code easy to break.  Timp said
subscribers should check messages and change access code frequently.

        Timp said someone is using a computer to tap into the system
and figure out the codes.

        "It's a knowledgeable user,"  Timp said.

        He said he doesn't know if any subscribers have canceled
because of the explicit messages.

        "We're doing everything we can to make sure these people can
continue their voice mail service," Timp said.

        "It's the first time we've had a problem to this degree," he
said.  The company began offering the service two years ago and has
had a few isolated incidents like this.

wdc@athena.mit.edu (Bill Cattey) (10/05/90)

Making your personal access password easily guessable is a mistake.
Users should be educated by the vendor to choose better passwords.
The problem in Kingsport TN will go away when everyone picks
reasonable passwords.  They should consider themselves lucky...

According to friends of mine who have been there when voice mail was
installed at the companies where they work, there are three common
policies that make it particularly easy for crackers to do much worse
things to voice mail than changing message text:

1.  The installing companies often keep the same master password for
all the systems they install, and never change it.

2. They never disconnect the maintenance console dial-in.  That's
right!  There are voice mail systems that allow anybody who knows the
telephone number to dial in and modify it.

3.  The installing company insists on keeping secret how simple it is
to change the phone system with a few simple commands.

I hope that voice mail system providers and purchasers begin QUICKLY
to take the same precautions they take with their other computer
systems:

1. SECRET passwords.  (both at the user and system levels) Changed often.

2. Physical security: Don't have a publicly accessible maintenance
console.  At the very least, leave it un-plugged until you NEED to
receive an AUTHORIZED remote maintenance call.

3. A hierarchy of commands and privileges so that someone getting in
to the maintenance programs still needs higher levels of privileged
(discretionary) access to do things.


wdc
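
An added example, not part of either post above: one way a voice mail administrator could refuse the guessable access codes the thread describes when a subscriber changes a code. The minimum length, the function names, the installer default value and the sample numbers are all assumptions made for illustration.

```python
import re

MIN_LEN = 6  # assumed minimum length; the thread does not name one

def _is_run(pin):
    """True for one repeated digit or a straight up/down sequence (1111, 1234, 9876)."""
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return len(steps) == 1 and steps <= {0, 1, 9}

def check_access_code(pin, phone, installer_default=""):
    """Return the reasons a proposed access code is rejected; an empty list means accepted."""
    if not re.fullmatch(r"[0-9]+", pin):
        return ["not numeric"]
    digits = re.sub(r"[^0-9]", "", phone)
    reasons = []
    if len(pin) < MIN_LEN:
        reasons.append("too short")
    # Catches the last-four-digits habit and any other slice of the number, forwards or reversed.
    if pin in digits or pin[::-1] in digits:
        reasons.append("derived from phone number")
    if _is_run(pin):
        reasons.append("repeated or sequential digits")
    if installer_default and pin == installer_default:
        reasons.append("installer default")
    return reasons

def review_changes(requests, installer_default=""):
    """Run the policy over (phone, proposed_code) pairs; return only the rejected ones.
    Meant for code-change time, when the new code is in hand."""
    rejected = {}
    for phone, pin in requests:
        reasons = check_access_code(pin, phone, installer_default)
        if reasons:
            rejected[phone] = reasons
    return rejected

# Constructed sample requests (fictional 555-01xx numbers), not data from the incident.
SAMPLE = [
    ("615-555-0142", "0142"),    # last four digits of the number
    ("615-555-0177", "111111"),  # one digit repeated
    ("615-555-0199", "555019"),  # a slice from the middle of the number
    ("615-555-0121", "246810"),  # the (hypothetical) installer default
    ("615-555-0103", "830415"),  # passes every rule
]

if __name__ == "__main__":
    for phone, reasons in review_changes(SAMPLE, installer_default="246810").items():
        print(phone, "->", ", ".join(reasons))
```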