Speaker: The great New Zealand phone hacking scandal
-
I well remember a person I can't name blogging some years ago about their hobby of getting access to Telecom landline voicemail boxes, which in the old days* used to have a default PIN of the last four digits of the phone number.
Because they were fundamentally a naughty, rather than an evil person, they got their jollies by carefully transcribing people's greetings and then re-recording them in a silly voice.
What Juha says about the default protocols internalised by geeks is correct. At the time I first set up voicemail on my landline I remembered thinking that this was a poor choice of default but I was way too brainwashed by working in enterprise IT to even consider capitalising on it to snoop.
*they don't do that any more, right? Right?
-
We did a much better job than general media, which got hung up on the teenager being a “whizz kid” going on a “hacking” and “phreaking” spree when all he did was to stumble on gaping security left open because of… convenience.
Yes, I remember half of a university lecture once, dedicated to debunking the myths surrounding hacking. It was quite interesting, actually the most valuable thing I learned in that paper.
Ever since, I'm continually amused by the popular conflation of hacker with computer genius. It's not quite "never the twain shall meet", but there's very little, if any, correlation. It doesn't really take much smarts to violate security, any more than it does to break into a car or house. And in some ways it's less smart than either one, since the main purpose seems to be to gain notoriety for doing damage. It's a lot more like vandalizing a car. If they were people who actually put thought into how to profit by hacking, they wouldn't be hacking, they'd just get a job in computing, which pays well anyway.
ETA ... and computer security pays especially well.
-
It doesn't really take much smarts to violate security, any more than it does to break into a car or house
Depends on the security, really. If the car's a late model BMW bristling with Thatcham Cat 1 alarms, then it would be pretty impressive to be able to twoc it.
It's the same if someone found out how to break Snapper and ride the buses for free, for instance.
-
Andre Alessi, in reply to
they don't do that any more, right? Right?
Now it's 1234. Seriously. And that change wasn't made in response to the security breaches above, it was because of an upgrade to the aging voicemail platform, replacing it with a newer version.
However when someone dials in to the mailbox for the first time, it requires that the PIN is changed to something else before anything else can be done with the mailbox, and the mailbox also cannot receive messages until this happens. This is the case for both landlines and cellphones, as the voicemail platform is the same for both.
Unfortunately, this was during the Gattung era and Telecom’s head PR person was at best unhelpful to deal with when he wasn’t just plain unpleasant. He refused to believe us until we gave some supplied details of a message left for him by his wife on his voice mail (no, we didn’t listen to the message).
Not remotely surprised by any of that, sadly. Telecommunications has always had its fair share of managers who choose to be wilfully ignorant of the nature of the services their companies sell, and how they can be used and abused. They're anti-geeks.
I'm still waiting patiently to hear the first real scandal involving the devolution of Telecom's provisioning tools to 3rd party providers (via Wireline.) It hasn't happened yet (that kerfuffle involving Slingshot/Call Plus last year was more about inappropriately providing unauthorised individuals with read-only Wireline access, not the stuff that could happen.) Those tools could be used in ways that make even the VM hacking we've seen seem minor in comparison.
Full disclosure: I worked at Telecom for a couple of years after the VM hacking story first broke. I wasn't involved in any of the discussions around voicemail security beyond what the entire company heard about it through company communications and the media.
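The first-use behaviour described in the comment above (a default PIN that only permits a PIN change, and a mailbox that takes no messages until then), sketched as an added example that is not part of the original comment or of any Telecom system. The `Mailbox` class, `weak_pin_reason`, the 4-8 digit range and the phone number in the usage are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass, field
from typing import Optional
DEFAULT_PIN = "1234"  # platform default named in the comment above

def weak_pin_reason(pin: str, phone_number: str) -> Optional[str]:
    """Return why a new PIN is refused, or None if it is acceptable."""
    digits = "".join(c for c in phone_number if c.isdigit())
    if not (pin.isascii() and pin.isdigit() and 4 <= len(pin) <= 8):
        return "PIN must be 4-8 digits"  # length range is an assumption
    if pin == DEFAULT_PIN:
        return "PIN is the platform default"
    if pin in digits:  # covers the old 'last four digits' default
        return "PIN is derived from the phone number"
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    if steps in ({0}, {1}, {9}):
        return "PIN is a repeated digit or a simple run"
    return None

@dataclass
class Mailbox:
    """Hypothetical mailbox; a real platform would hash PINs and rate-limit."""
    phone_number: str
    pin: str = DEFAULT_PIN
    activated: bool = False  # stays False until the owner sets a PIN
    messages: list = field(default_factory=list)

    def _check(self, pin: str) -> None:
        if not hmac.compare_digest(pin.encode(), self.pin.encode()):
            raise PermissionError("wrong PIN")

    def change_pin(self, current: str, new: str) -> None:
        self._check(current)
        reason = weak_pin_reason(new, self.phone_number)
        if reason:
            raise ValueError(reason)
        self.pin, self.activated = new, True

    def deliver(self, message: str) -> bool:
        if not self.activated:  # no messages accepted on the default PIN
            return False
        self.messages.append(message)
        return True

    def listen(self, pin: str) -> list:
        if not self.activated:
            raise PermissionError("PIN change required first")
        self._check(pin)
        return list(self.messages)
```

A mailbox created as `Mailbox("09 555 0142")` (a constructed number) refuses `deliver()` and `listen()` until `change_pin("1234", ...)` succeeds with a PIN that passes `weak_pin_reason`.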
-
Ever since, I'm continually amused by the popular conflation of hacker with computer genius. It's not quite "never the twain shall meet", but there's very little, if any, correlation
Writing the code that finds security exploits, is, I assume, fairly difficult, but a matter of expertise and time, not genius. I think most 'hackers' just torrent said files and run them.
-
BenWilson, in reply to
Writing the code that finds security exploits, is, I assume, fairly difficult, but a matter of expertise and time, not genius. I think most 'hackers' just torrent said files and run them.
Yup, if you could crack public key encryption, you'd be a genius, and worth billions. But if you like throwing common passwords at security systems for hours, or phishing for mail passwords, then sifting through it for foolish security weaknesses, then you're neither smart nor wise. But you will break a lot of systems.
Depends on the security, really. If the car's a late model BMW bristling with Thatcham Cat 1 alarms, then it would be pretty impressive to be able to twoc it.
Not really. All you have to do is nick the owner's bag and steal their keys. This is what people don't get about security. Most of it is down to simple shit.
-
Peter Griffen sounds like a total knob.
-
Lucy Stewart, in reply to
Most of it is down to simple shit.
Most of it is down to people. Which is why nothing involving them will ever be 100% secure.
-
Fooman, in reply to
-
BenWilson, in reply to
Most of it is down to people. Which is why nothing involving them will ever be 100% secure.
It's also why most hackers get caught. They're people too.
-
Or just DOS his car by continually setting off the alarm ....
-
stephen walker, in reply to
i agree
-
James Butler, in reply to
Not really. All you have to do is nick the owner's bag and steal their keys. This is what people don't get about security. Most of it is down to simple shit.
Indeed. The HBGary Hack for example was a little more involved than most, but one of Anonymous's biggest exploits in that instance was pure social engineering:
From: Greg
To: Jussi
Subject: need to ssh into rootkit
im in europe and need to ssh into the server. can you drop open up
firewall and allow ssh through port 59022 or something vague?
and is our root password still 88j4bb3rw0cky88 or did we change to
88Scr3am3r88 ?
thanks
-------------------------------------
From: Jussi
To: Greg
Subject: Re: need to ssh into rootkit
hi, do you have public ip? or should i just drop fw?
and it is w0cky - tho no remote root access allowed
etc.. Password discovered, firewall unlocked.
-
Ok, so what were the Bletchley Park team? Geniuses or script kiddies?
The Germans made a schoolboy error – no letter could be encoded as itself – which opened Enigma up to attack through frequency analysis, along with the system enabling various Wehrmacht grunts to make further operating errors (I summarise here).
They then built a huge infrastructure to brute force their way into the keys.
And is the traditional classification of them as geniuses influenced by them being on the Right Side?
-
Matthew Poole, in reply to
I think most 'hackers' just torrent said files and run them.
There is a reason that the computer security vernacular includes the highly disparaging term "script kiddie". The real geniuses find their own holes, and craft their own exploits. The lesser geniuses follow the instructions for finding the holes but still roll their own exploits. And the kiddies just torrent the exploits and call themselves hackers.
-
Can you link to the Computerworld article, please?
Thanks
-
the system enabling various Wehrmacht grunts to make further operating errors
If I recall correctly from a doco I saw some years ago, one of the 'handshake' protocols when sending a message was to send five or so random characters to the recipient, who would have to send them back as an acknowledgement that a connection had been established (or something like that).
One particularly lazy operator used to just repeatedly hit the nearest key (E), rather than attempt a random string. The result was that the crackers had an instant 'in' for the frequency analysis.
-
Juha Saarinen, in reply to
Fixed now...
-
Who here remembers the Auckland Harbour Board hacking from 1985?
-
Russell Brown, in reply to
Can you link to the Computerworld article, please?
Thanks
It's in there now. Vagaries of importing MS Word hyperlinks ...
-
B Jones, in reply to
Another crack in Enigma's armour, I think, was the practice of repeating the three-letter callsign of the operator. The users got too focused on the clarity of the message at the expense of its security.
-
Keith Ng, in reply to
It's also why most hackers get caught. They're people too.
Ahem, that's why most of the hackers who get caught end up getting caught. I'm not sure if the ones who don't get caught are the same kind of benign(ish), not-for-profit braggards.
-
I'm not sure if the ones who don't get caught are the same kind of benign(ish), not-for-profit braggards
Well, there are the ones that work for, inter alia: the Chinese secret service, NSA, GCHQ, GCSB, the Russian mafia, News International or various permutations of the above.
(In the days of the former Soviet Union, the Russians had a bank, Moscow Narodny. [it still exists]. They were very successful on the money markets, which was generally thought to be due to their access to information collected by the KGB).
-
BenWilson, in reply to
Yup, and just as with hackers, the majority of cyber-espionage is also rather less than brilliant. Guess the password, break in and steal the password/install a keystroke logger, demand the password via legal means, beat the password out of the target. All of these are usually cheaper and quicker than trying to directly or indirectly crack the networks of anyone worth their attention. Also, avoiding them seems to be just as easy, and not particularly hi-tech. You wouldn't bother with wicked encryption and all that crap when you can just organize to meet in person if you ever want to pass complex information. The main protection against intelligence organizations is likely to be obscurity. I remember a particularly crooked acquaintance of mine telling me his awesome method for negotiating in secret with his crooked colleagues, when he was paranoid about being busted. He invited them over, and then did the dealing on his kid's Etch A Sketch. Two swipes and it's all gone.
-
I've got nothing pertinent to say, except this article and everybody's comments are really fascinating! So much good stuff on PA lately.