Monday, July 18, 2011

Phone Hacking?

Hey, guys! It's not "phone" hacking. It is "voice-mail" hacking.

How many, besides me, have been hooked this weekend by a headline about "phone hacking" only to say, "Oh, that's what they mean. That's not what I thought they were talking about." I am still doing it. I have done it twice since I got up. Even when I understand that they are simply talking about voice-mail, my brain wants to interpret "hacking" as some sophisticated access to the mailbox from the computer side. What actually happened does not even involve brute-force attacks against the password from the public switched telephone network.

Now you say that I only make this mistake because I am a geek. Perhaps. On the other hand, the average consumer of news may have even less of an idea what the term "phone hacking" means, much less what they ought to do about it. Parsing the words ought to get them closer to an understanding instead of further away.

The popular press does not serve us well when it does this. What language will it use when someone really does hack a phone, say, by remote code execution over the network?

We owe it to the innocent public to identify these attacks in a manner that informs them as to how to address the vulnerability.

"There is no such corrupting lie as a problem poorly named." Using the wrong words to describe something is counter-productive, not to say destructive. Take, for example, calling cross-site scripting and buffer overflows "vulnerabilities" rather than "attacks." The real vulnerability is "unchecked inputs." Perhaps one reason that these attacks are not only persistent, but growing, is that by naming them wrong we obscure the remedy.

Note that the voice-mail boxes are not being hacked via the application programming interface (API) but via the user interface (UI). Our colleague Brian Honan reports from across the pond that most of these "hacks" simply use either the default password or an easily guessed one. Can you say 1111?

We need to describe the vulnerability in a way that helps people protect themselves. I do not use 0416 because that is my birthday. I do not use your birthday either. I do not use any date because a "dictionary" of four-digit passwords is going to contain those 365 numbers and will try them right after 1111, 2222, ..., 1234, etc.

I do not avoid dates because I think that a four-digit password is too short; for most people it is probably just fine. However, there are only ten thousand numbers in a four-digit lock code; on average 5,000 (automated) trials should be sufficient to find yours. For most of us, that is probably adequate. It helps if your carrier limits the number of trials.
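To make the guess-order argument concrete, here is an added Python example (mine, not from the original post) that builds one plausible attacker ordering for four-digit codes and reports how many trials it takes to reach a given PIN, and whether a carrier lockout after a fixed number of failures would stop the attacker first. The ordering itself (repeated digits, then simple runs, then calendar dates as MMDD and DDMM, then everything else in numeric order) is an assumption for illustration, not data from any carrier or from the attacks discussed here; it counts 366 dates because it includes 29 February. The last function also shows, for the longer alphanumeric codes mentioned further down, how the average number of trials grows with the size of the key space.

```python
"""Where does a voice-mail PIN sit in an attacker's guessing order?

Added example, not from the original post. The ordering below (repeated
digits, then simple runs, then calendar dates as MMDD and DDMM, then every
remaining code in numeric order) is an ASSUMED model of a PIN dictionary,
not data from any carrier or from the attacks the post describes.
"""
from itertools import product

DIGITS = "0123456789"


def calendar_dates():
    """All 366 calendar days (29 Feb included) as MMDD and DDMM strings."""
    days_in_month = [31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]
    out = []
    for month, days in enumerate(days_in_month, start=1):
        for day in range(1, days + 1):
            out.append(f"{month:02d}{day:02d}")  # MMDD, e.g. 0416
            out.append(f"{day:02d}{month:02d}")  # DDMM, e.g. 1604
    return out


def build_dictionary(pin_len=4):
    """Return all 10**pin_len codes, most guessable first, each exactly once."""
    seen = set()
    ordered = []

    def add(code):
        if code not in seen:
            seen.add(code)
            ordered.append(code)

    # 1. Lazy/default codes: 0000, 1111, ..., 9999.
    for d in DIGITS:
        add(d * pin_len)
    # 2. Ascending and descending runs: 0123, 3210, 1234, 4321, ...
    for start in range(0, 10 - pin_len + 1):
        run = "".join(str(start + i) for i in range(pin_len))
        add(run)
        add(run[::-1])
    # 3. Birthdays and anniversaries (only meaningful for four-digit codes).
    if pin_len == 4:
        for code in calendar_dates():
            add(code)
    # 4. Everything else, in numeric order.
    for digits in product(DIGITS, repeat=pin_len):
        add("".join(digits))
    return ordered


def guesses_to_find(pin, dictionary=None):
    """1-based number of trials this attacker needs before hitting `pin`."""
    if dictionary is None:
        dictionary = build_dictionary(len(pin))
    return dictionary.index(pin) + 1


def survives_lockout(pin, max_attempts, dictionary=None):
    """True if a carrier that locks the box after max_attempts failures
    stops this attacker before it reaches `pin`."""
    return guesses_to_find(pin, dictionary) > max_attempts


def average_trials(length, alphabet_size=10):
    """Expected trials against a uniformly random code when the attacker has
    no better ordering than counting: half the key space."""
    return alphabet_size ** length / 2


if __name__ == "__main__":
    d = build_dictionary()
    for pin in ("1111", "1234", "0416", "7305"):  # constructed sample PINs
        print(pin, guesses_to_find(pin, d), survives_lockout(pin, 10, d))
    print("4 digits:", average_trials(4), " 9 alphanumeric:", average_trials(9, 36))
```

Running it shows that a date such as 0416 falls within the first few hundred guesses, well before the 5,000 average for a randomly chosen code, and that a lockout after 5 or 10 failures only protects codes that sit beyond that point in the ordering. Dates are a weak choice not because four digits are too few but because they cluster near the front of any sensible guessing order.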

For celebrities, four digits may not be adequate. As recent events demonstrate, any of us might become a celebrity at any time. Some of us may not want to use standard voice mail and some of us should not. There are viable alternatives.

While I am not a celebrity, I do not use my phone company voice mailbox at all. All of my phone numbers are forwarded to Skype-in. Access to that voice mailbox requires a Skype client, my e-mail address, and my 9-character Skype password. Blackberry users can use longer lock codes chosen from the full character set of the alphanumeric keyboard. Longer lock codes do not raise our work factor very much, but they raise the cost of attack dramatically.

Four thousand victims of News of the World is a problem, and a few of those cases are even tragic. There are probably three or four times that many victims of less organized attacks. Good practice can eliminate a large percentage of these. For the rest, there are alternatives. However, the problem is likely to persist until we name and describe it in a constructive manner.
