Slashdot Mirror
News Corp. Hacking Scandal Spreads To Government
wiredmikey writes "The scandal revolving around the News Corporation's now defunct British tabloid, News of the World, has entered a new phase with news that the hacking extended into areas of national security, as detectives working for the Murdoch media empire may have hacked into the computer of a government minister responsible for Northern Ireland. Scary stuff, yet the enterprise security community seems strangely quiet on the topic, aside from showing other journalists how easy it is to do. Potentially, if you know the correct mobile number and you can guess four digits, you too can be listening to your elected leaders' personal messages. The chances are pretty good that it could be their birthday."
About 6 years ago when this all originally flared up, it became clear people were simply not changing their default voicemail pin-codes from the network supplied default. All you needed to do was call the mobile number, listen for which operator it was that was which was responsible for the voicemail, then punch in the default pin-code for that network operator.
At the time, this caused a few MNOs to change their systems so that you could not use remote voicemail until the user had set a new pin-code other than the default. In fact, its sad that operators were not somehow made partially liable for all this in the first place!
Watching the Leveson inquiry over the last couple of weeks has been one of the most depressing things I've ever done; the lowlight was probably former NOTW journalist Paul McMullen saying the following on the subject of privacy:
In 21 years of invading people's privacy I've never actually come across anyone who's been doing any good. Privacy is the space bad people need to do bad things in.
Privacy is evil; it brings out the worst qualities in people.
Privacy is for paedos; fundamentally nobody else needs it.
Basically the papers are full of amoral arseholes (Not just NI papers either, it's clear that the Daily Mail and others have been up to it as well), the Police and the ICO have been shamefully complicit and the government didn't want to look into it in case it upset Murdoch and he told his papers not to support them any more.
Makes you proud to be British really...
Social Engineering.
I hate to be the bearer of obvious news, but the DEFAULT password on everyones voicemail is usually 1234, 1111 or something. Every place I worked it was the same. Every cell carrier, landline and VoIP... they use the same default password, not random ones.
Plus there are people who have the voicemail password programmed into their cell phone. That sets the stage for hacking the voicemail without doing much at all. Just call in via a landline and try the defaults first, then try their birthday and family birthdays. You'll get most peoples PIN's this way.
The only reason there isn't large amounts of chip+pin/ATM pin fraud is because ATM's eat cards after 3 wrong answers, but if you have access to a POS system to keep trying, keep trying PIN's. Keep buying sticks of gum from gas stations and 711's until you guess the pin.
In voicemail systems, the voicemail retrieval number is easily found, and everyone STUPIDLY puts their full name in the voicemail greeting. NEVER DO THIS. Your voicemail message should not be in your voice, and should not have your full name in it. Better yet, only list the extension. The reason is that you make yourself a voicemail hacking target for social engineering by having your name on the voicemail.
Say I'm a hacker wanting to get the PIN to someone elses voicemail. I keep trying voicemail boxes until I find someone with a name that works their. Next thing I do is get ahold of the technical service desk and ask for them to reset the voicemail PIN and say I'm the person on the voicemail greeting. Oversimplified (if they're doing their job they'll ask for the employee badge number, but oh, that can be socially engineered too.)
When I worked for (CELL PHONE CARRIER), it's easy to reset passwords, just call in, verify the SSN and the password will be reset. Such horrible abuse of personal information.
When I worked for (INTERNET SERVICES), someone tried to social engineer me using the voicemail. Fortunately my name isn't easy to spell. Someone went through the phone directory and left messages asking to be called back to deal with their account. As the customer was in the US and I was not handling US customers it raised a red flag right away.
This is a British cultural problem, not a Murdoch problem.
Don't know where you live, mate, but Murdoch's (Rupert and Prince James, the News International heir apparent) have control over London Times, The Sun and News Of The World (now defunct) and wrote the cheques and managed the managers who made all this possible.
Any editor worth his pay packet, when presented with an astounding story, based upon what appears to be inside information, has to ask, "Where did you get this information?" When you are in James' place, overseeing the British arm of News International (incorrectly stated as News Corp in the article above) you have to do more than gaze in wonder at what a talented and resourceful lot you have under you. You should be paying the occasional visit to your managing editors and ask, "Where are we getting this?"
There has always been the ability of the government to enquire, which they've done a poor job of, just how the news knows some things. Dave's doing his best CYA, but it keeps going along. What are you going to do about foreign ownership of a large part of your media, Dave? Learning anything important, Dave?
A feeling of having made the same mistake before: Deja Foobar
You could certainly argue that this is a problem with the culture and practices of the press and not one specifically with Murdoch. That said, when a significant portion of the popular press is in fact owned by Murdoch the distinction seems moot.
I heard this on the radio yesterday and it seems pertinent: Charlotte Church (a singer - just think 'Bieber' but with classical training and a proper excuse for looking like a girl) was asked to perform at a Murdoch birthday party. She was told that if she waived her usual fee she would be treated "favourably" in News Int. papers. Now, maybe I'm being too cynical but that sounds rather a lot like extortion. It's even worse when you bear in mind we're talking about a girl who was in her early teens at the time.
If God forks the Universe every time you roll a die, he'd better have a damned good memory.
I'm not convinced that Britain has anything to do with it, besides merely being where the story was first exposed. Do you suppose the Italian press (mostly owned by their soon-to-be-ex-leader) has never hacked into the phones of people Berscolini wanted discredited? Perhaps you imagine Fox News and TMZ are wholly innocent of any kind of malpractice in the United States? Clear Channel Radio is, of course, wholly innocent of any wrongdoing, right?
It seems to me that most nations have press scandals that they've either successfully suppressed or don't need to suppress because they own all the media that matters.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
" (incorrectly stated as News Corp in the article above) "
There is a lot of that. The Murdoch Empire (probably the most correct name possible) moved quickly to attach the stigma of "hacking" to those few select managers at one specific newspaper, then closed that one newspaper. The naive are supposed to conclude that those few select managers were rogues, and that they were punished by the Murdoch Empire. And, the naive have mostly come to that conclusion. Amazing, that Rupert is so good at manipulating the gullible masses.
One thing that can't be dismissed, is that Rupert personally paid multiple settlements, out of pocket, long before the scandal really broke. Many people overlook it, but no one can dismiss that fact. Rupert Murdoch was intimately familiar with the details of this hacking operation. Rupert Murdoch personally approved of the operations, or they would have been shut down to prevent the necessity of paying out more settlements.
I can't fault you for naming names in the manner you used. But, I insist that "Murdoch Empire" is most appropriate, and that the Emperor is entirely responsible for all misconduct. This particular emperor seems to hate delegating any authority, to anyone.
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
.
Be very careful how much respect you gain for both Campbell and Leveson - the inquiry has one aim and one aim only, and that is to come up with a framework for press and internet reporting restrictions. Campbell is only one of the chosen witnesses whose statements will be used to this end.