NotW Hacks Reveal Danger Of Weak Passwords

British tabloids were able to hack into so many voice mail accounts because it was insanely easy, says Wayne Rash

Unless you’ve been living under a rock for the past few weeks, you’ll have heard about the scandal in which employees of Rupert Murdoch’s News of the World, Sunday Times and other publications obtained illegal access to a wide variety of people’s voice mail accounts. Some of those affected were former Prime Minister Gordon Brown, a wide variety of celebrities, kidnapped teen Milly Dowler, and soldiers killed in combat in Afghanistan. As a result of this reprehensible activity, the News of the World has been shut down.

Now, it appears that the scandal is spreading beyond the UK. Recent revelations include the possibility that the same organisations hacked into the phones of victims of the 9/11 terror attacks on New York City and the Pentagon. Some of the reporters alleged to be responsible for the hacking have been arrested, although the editor of each of the publications at the time the hacking took place, Rebekah Brooks, unaccountably remains free.

This voice mail hacking was apparently a sort of open secret – many of the victims seem to have known that their phone passwords had been compromised. Brown, for example, reported that he was called by Brooks, who confronted him with the fact that his child had cystic fibrosis, information that could only have been obtained from voice mail.

Secure your voice mail

For reasons that remain obscure, few of the people affected did anything about the voice mail hacking. But just because they didn’t do anything to increase the security of their voice mail doesn’t mean you shouldn’t. It’s actually fairly easy to secure your phone, your voice mail and your cell phone account, but you have to actually do it.

T-Mobile, the only US mobile phone carrier that would actually discuss security with eWEEK, sent over a list of suggestions. The first suggestion is to set a password for your voice mail and your phone. T-Mobile requires a password on voice mail before they’ll let you use it. You can also set a password or PIN for the phone itself in most cases and the company requires a PIN before you can access your account. T-Mobile suggests you do not use the same password or PIN for any of these items.

Part of the problem is that people tend to be really lazy when it comes to securing their phones. One study suggests that about 1 in 7 phones can be hacked with one of the top 10 lame mobile PIN codes: 1234, 0000, 2580, 1111, 5555, 5683, 0852, 2222, 1212 and 1998.

If you’re using one of those codes, you should change it immediately. Even if News of the World is closed, the rest of Murdoch’s employees are out there.

Don’t become a victim of laziness

Craig Mathias, Principal Analyst at Farpoint Group, told eWEEK that it’s important to pick a password or PIN that’s not easily guessed, which means don’t use your birthday or a relative’s birthday, your children’s names or other easily discovered names or numbers. He also suggests using a PIN longer than four digits. T-Mobile suggests the same thing, and also suggests changing PINs every 60 days. The company has a web page that provides help for keeping your password secure, and the advice doesn’t just apply to T-Mobile customers.
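The PIN advice above (avoid the ten common codes, avoid birthdays, use more than four digits, and don't share one PIN between voice mail, phone and account) can be checked mechanically. The following is an added example, not part of the original article or any carrier's tooling; the function names, the date layouts and the birth-year range are assumptions.

```python
from datetime import datetime

# The ten most common mobile PINs listed in the article.
COMMON_PINS = {"1234", "0000", "2580", "1111", "5555",
               "5683", "0852", "2222", "1212", "1998"}

# Assumed date layouts for birthday-style PINs, keyed by PIN length.
# Four-digit day/month PINs are parsed against leap year 2000 so 29 Feb counts.
DATE_FORMATS = {
    4: ("%Y%d%m", "%Y%m%d"),
    6: ("%d%m%y", "%m%d%y", "%y%m%d"),
    8: ("%d%m%Y", "%m%d%Y", "%Y%m%d"),
}


def looks_like_date(pin):
    """True if the PIN reads as a calendar date or a plausible birth year."""
    if len(pin) == 4 and 1900 <= int(pin) <= 2030:  # assumed birth-year range
        return True
    text = "2000" + pin if len(pin) == 4 else pin
    for fmt in DATE_FORMATS.get(len(pin), ()):
        try:
            datetime.strptime(text, fmt)
            return True
        except ValueError:
            continue
    return False


def audit_pin(pin, other_pins=()):
    """Return the reasons a PIN is weak; an empty list means it passes."""
    if not (pin.isascii() and pin.isdigit()):
        return ["not numeric"]
    problems = []
    if pin in COMMON_PINS:
        problems.append("on the common-PIN list")
    if len(pin) <= 4:
        problems.append("four digits or fewer")
    if looks_like_date(pin):
        problems.append("looks like a date or birth year")
    if pin in other_pins:
        problems.append("reused for another PIN")
    return problems


if __name__ == "__main__":
    # Constructed sample PINs; the second argument is the user's other PINs.
    for candidate in ("1234", "1998", "250781", "739204"):
        print(candidate, audit_pin(candidate, other_pins={"4417"}))
```
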

Mathias also suggested that you set your voice mail so that a password is required even when you call from your mobile phone. While some voice mail systems will let you turn off passwords when calling from the phone itself, Mathias said that this is a security risk.

T-Mobile also notes that hacking into your cell phone voice mail is a criminal act and suggests that if you know this has happened, you should call the police. Of course, you should also immediately change your PIN or password.

If all of this sounds familiar, it should. The same advice applies to securing your Wi-Fi access point. Far too many people simply plug in the AP and go, meaning that it’s remarkably easy to find open access points with SSIDs of “linksys” or the like near virtually any office building or apartment complex. The reason is that people don’t like to take the time to set up even minimal security.

The same basic laziness affects mobile phone users who apparently are in far too much of a hurry to protect themselves, or who must believe such hacking will never happen to them. The truth is of course that it does happen and you don’t have to be a target of News Corp for it to happen. You could be the target of other types of cyber criminals, people who are angry with you, who want something you have (like information from your office) or who are part of a relationship gone wrong.

The bottom line is simple. Create a password or PIN for your voice mail. Don’t make it the same as your other passwords or PINs. Make it hard to guess. Don’t tell anyone what it is. Change it from time to time. It’s that simple.