NOTW Phone-Hackling Scandal Is Kid’s Stuff

Phone Hacking

Hacking, what hacking? This is what a lot of IT security professionals like myself have probably been saying for the last few months. When someone says hacking, we think of Gary McKinnon hacking into the US military and NASA computer systems or websites being drained of information or defaced.

Of course the actions of all involved is shocking and we cannot condone them but the terminology used over the last few years is not totally correct.

To call the NOTW phone hacking scandal ‘hacking’ is almost an offence to the word hacking. Really it is so simple that a ten-year-old could have done what the private investigators did. If it’s not really hacking then what is it? The oldest trick in the book … a default configuration attack.

The media of course love to make stories sell and sound sexy. As often happens, the terminology in this case was quite incorrect. Ryan Cleary of Lulzsec was accused of ‘hacking’ into the CIA, SOCA and the Brazilian government website.

All that really happened is that a DDoS attack was launched. DDoS is often a ‘give up’ attack if penetration fails. The websites were simply overloaded and taken offline for a short while and not compromised.

What is a default configuration attack you may ask? In layman’s terms it’s the same as when you buy a Kensington laptop lock, use a hotel’s digital safe, a home digital safe, a bike lock or even a household alarm … the default pin is often 0000, 1111, 1234 and so on. If you know the default pin and know someone is using that device, it’s really quite simple … in the real world people will often change the pin but in the digital world people often do not.

The instructions of ‘how to hack’ a mobile phone’s voicemail is even listed on some major UK mobile network providers. Of course they do not list the default pin but it takes you 75% of the way. Once someone knows a network’s default pin and the victim’s phone number, the rest it is quite simple to pull off. Pretty straightforward really and you don’t need a huge amount of skill to do something like this.

It’s quite literally child’s play!

The real problem is getting the victim’s mobile number and here social engineering and a bit of research can help. A search of Google’s, business marketing listings is an obvious first step. But what about social engineering … and what is it exactly?

Social engineering is usually a non-technical ‘attack’ where an individual uses his or her social skills to exploit helpful people. Private investigators, on the other hand, are likely to have contacts within phone networks, someone they can pay £100 to get hold of a mobile number.

The moral of the story … change your voicemail pin.

Real “hacking” also exists (GSM hacking) interception also exist. Governments worldwide, private companies and individuals (legal or otherwise) can get hold of GSM interceptors which can be used to listen in to phone calls or intercept text messages.

The more unethical, corrupt, authoritarian or unstable a country is, the more chance there is of interception … you could be discussing an important deal with your board of management and an unscrupulous rival finds out and beats you to the contract.

You will never know if someone has or will ever intercept a call, but you should assume its happening and protect yourself. That said, even France admitted it used to (and perhaps still does) listen in to calls – “The former head of the DGSE, France’s foreign intelligence service, has admitted for the first time that his spies snooped on foreign commercial companies and passed on vital business and technical information to French firms.” – The Independent, 1996.

The lead ‘IT Security Specialist and Trainer’ at Data Defender and Information Technology Consortium, Graeme is regularly asked for input and quotes for media articles and was recently quoted in the Scotsman. Graeme is triple certified in computer security, CEH (Certified Ethical Hacker), CHFI (Computer Hacking Forensic Investigator) and Comptia Security+.