From: InfoSec News (isn@c4i.org)
Date: Fri Apr 12 2002 - 03:07:05 CDT

    http://www.sfgate.com/cgi-bin/article.cgi?f=/chronicle/archive/2002/04/11/BU180707.DTL

    Henry Norr
    Chronicle Staff Writer
    Thursday, April 11, 2002

    Hewlett-Packard isn't saying much about how voice mail between its top
    executives came to be splashed across newspaper front pages, but
    virtually every company is vulnerable to similar leaks, security
    experts warn.

    Voice mail theft is "more common than you'd think," said Jon Callas, a
    software engineer and security expert at Searchsecurity.com, a Web
    site focusing on vulnerabilities in information systems.

    Systems are designed to make it easy for the intended recipient to
    retrieve messages from any phone anywhere, but that means anyone else
    who knows or can guess the user's password can gain access with equal
    ease.

    The leak, made public yesterday, involved a message HP Chief Executive
    Officer Carly Fiorina sent on March 17 to one of her top lieutenants,
    Chief Financial Officer Bob Wayman.

    Spokeswoman Rebeca Robboy declined to say how HP's voice mail system
    works or how company officials believe the message was leaked.

    "HP does not by practice disclose details of our internal
    communications processes," she said. "The incident regarding
    unauthorized disclosure of a company voice mail is a very serious
    matter, and we are taking the necessary steps."

    Modern voice mail systems are basically just specialized server
    computers that store messages in digital form on a hard drive. A
    system administrator with physical access to the server could retrieve
    a message -- even one deleted by the recipient -- in essentially the
    same way that inadvertently erased word processing files can often be
    recovered.

    Conceivably, other tech-savvy company employees or an outside hacker
    who managed to penetrate HP's internal data network could do the same
    thing.

    It's also possible that someone on Wayman's team who secretly opposes
    the merger plan delivered it to the news media in hopes of bolstering
    Hewlett's case, which is scheduled to go to trial on April 23, or that
    it was accidentally forwarded to a merger opponent.

    But the most likely explanation, experts polled yesterday guess, is
    that a snoop inside or out of the company simply dialed up HP's voice
    mail system and entered Wayman's extension and password before he
    deleted the message.

    "A lot of people don't take their voice mail password seriously," said
    Mandy Andress, president of ArcSec, a San Mateo security company.
    Systems are often set up with an easily guessed default password --
    the user's extension or a simple sequence such as 1-2-3-4. Many users
    simply leave those passwords in place, she said, or switch to
    something else an intruder would have a good chance of guessing, such
    as a birthday or home address.

    "It's a well-known problem that we don't have good voice mail
    passwords," Callas said. "After all, we want something we can
    remember."

    Few companies have done much to impose strict security on their voice
    mail systems, despite increasing awareness of computer security risks.
    "Companies are being more proactive about securing things that are
    relatively easy to get to, like Web servers, but they're ignoring
    other systems," Andress said.

    Part of the problem, according to Rick Shaw, president of CorpNet
    Security in Lincoln, Neb., is that most company executives and
    security administrators "haven't thought about how critical the
    information on voice mail can be."

    "Obviously, this episode serves as a wake-up call," he said.

    It's not the first time, however, that a major company has been
    embarrassed by a voice mail leak. In 1998, the Cincinnati Enquirer
    published an 18-page expose of Chiquita Banana's labor practices on
    its Central American farms.

    A month later, the paper renounced its stories, fired its lead
    reporter, issued an apology and paid Chiquita more than $10 million,
    after it was revealed that the stories were derived in part from
    stolen voice mail. Both the reporter and a former Chiquita lawyer who
    helped him gain access to the company's voice mail were eventually
    convicted in the case.

    E-mail Henry Norr at hnorr@sfchronicle.com.
