Speaker by Various Artists

Read Post

Speaker: The great New Zealand phone hacking scandal

40 Responses

First ←Older Page 1 2 Newer→ Last

  • Stephen Judd,

    I well remember a person I can't name blogging some years ago about their hobby of getting access to Telecom landline voicemail boxes, which in the old days* used to have a default PIN of the last four digits of the phone number.

    Because they were fundamentally a naughty, rather than an evil person, they got their jollies by carefully transcribing people's greetings and then re-recording them in a silly voice.

    What Juha says about the default protocols internalised by geeks is correct. At the time I first set up voicemail on my landline I remembered thinking that this was a poor choice of default but I was way too brainwashed by working in enterprise IT to even consider capitalising on it to snoop.

    *they don't do that any more, right? Right?

    Wellington • Since Nov 2006 • 3122 posts Report Reply

  • BenWilson,

    We did a much better job than general media, which got hung up on the teenager being a “whizz kid” going on a “hacking” and “phreaking” spree when all he did was to stumble on gaping security left open because of… convenience.

    Yes, I remember half of a university lecture once, dedicated to debunking the myths surrounding hacking. It was quite interesting, actually the most valuable thing I learned in that paper.

    Ever since, I'm continually amused by the popular conflation of hacker with computer genius. It's not quite "never the twain shall meet", but there's very little, if any, correlation. It doesn't really take much smarts to violate security, any more than it does to break into a car or house. And in some ways it's less smart than either one, since the main purpose seems to be to gain notoriety for doing damage. It's a lot more like vandalizing a car. If they were people who actually put thought into how to profit by hacking, they wouldn't be hacking, they'd just get a job in computing, which pays well anyway.

    ETA ... and computer security pays especially well.

    Auckland • Since Nov 2006 • 10657 posts Report Reply

  • Rich of Observationz,

    It doesn't really take much smarts to violate security, any more than it does to break into a car or house

    Depends on the security, really. If the car's a late model BMW bristling with Thatcham Cat 1 alarms, then it would be pretty impressive to be able to twoc it.

    It's the same if someone found out how to break Snapper and ride the buses for free, for instance.

    Back in Wellington • Since Nov 2006 • 5550 posts Report Reply

  • Andre Alessi, in reply to Stephen Judd,

    they don't do that any more, right? Right?

    Now it's 1234. Seriously. And that change wasn't made in response to the security breaches above, it was because of an upgrade to the aging voicemail platform, replacing it with a newer version.

    However when someone dials in to the mailbox for the first time, it requires that the PIN is changed to something else before anything else can be done with the mailbox, and the mailbox also cannot recieve messages until this happens. This is the case for both landlines and cellphones, as the voicemail platform is the same for both.

    Unfortunately, this was during the Gattung era and Telecom’s head PR person was at best unhelpful to deal with when he wasn’t just plain unpleasant. He refused to believe us until we gave some supplied details of a message left for him by his wife on his voice mail (no, we didn’t listen to the message).

    Not remotely suprised by any of that, sadly. Telecommunications has always had its fair share of managers who choose to be wilfully ignorant of the nature of the services their companies sell, and how they can be used and abused. They're anti-geeks.

    I'm still waiting patiently to hear the first real scandal involving the devolution of Telecom's provisioning tools to 3rd party providers (via Wireline.) It hasn't happened yet (that kerfuffle involving Slingshot/Call Plus last year was more about inappropriately providing unauthorised individuals with read-only Wireline access, not the stuff that could happen.) Those tools could be used in ways that make even the VM hacking we've seen seem minor in comparison.

    Full disclosure: I worked at Telecom for a couple of years after the VM hacking story first broke. I wasn't involved in any of the discussions around voicemail security beyond what the entire company heard about it through company communications and the media.

    Devonport, New Zealand • Since Nov 2006 • 864 posts Report Reply

  • Danyl Mclauchlan,

    Ever since, I'm continually amused by the popular conflation of hacker with computer genius. It's not quite "never the twain shall meet", but there's very little, if any, correlation

    Writing the code that finds security exploits, is, I assume, fairly difficult, but a matter of expertise and time, not genius. I think most 'hackers' just torrent said files and run them.

    Wellington • Since Nov 2006 • 927 posts Report Reply

  • BenWilson, in reply to Danyl Mclauchlan,

    Writing the code that finds security exploits, is, I assume, fairly difficult, but a matter of expertise and time, not genius. I think most 'hackers' just torrent said files and run them.

    Yup, if you could crack public key encryption, you'd be a genius, and worth billions. But if you like throwing common passwords at security systems for hours, or phishing for mail passwords, then sifting through it for foolish security weaknesses, then you're neither smart nor wise. But you will break a lot of systems.

    Depends on the security, really. If the car's a late model BMW bristling with Thatcham Cat 1 alarms, then it would be pretty impressive to be able to twoc it.

    Not really. All you have to do is nick the owner's bag and steal their keys. This is what people don't get about security. Most of it is down to simple shit.

    Auckland • Since Nov 2006 • 10657 posts Report Reply

  • Steve Braunias,

    Peter Griffen sounds like a total knob.

    Auckland • Since May 2011 • 1 posts Report Reply

  • Lucy Stewart, in reply to BenWilson,

    Most of it is down to simple shit.

    Most of it is down to people. Which is why nothing involving them will ever be 100% secure.

    Wellington • Since Nov 2006 • 2105 posts Report Reply

  • Fooman, in reply to Steve Braunias,

    Lower Hutt • Since Dec 2009 • 87 posts Report Reply

  • BenWilson, in reply to Lucy Stewart,

    Most of it is down to people. Which is why nothing involving them will ever be 100% secure.

    It's also why most hackers get caught. They're people too.

    Auckland • Since Nov 2006 • 10657 posts Report Reply

  • Paul Campbell,

    Or just DOS his car by continually setting off the alarm ....

    Dunedin • Since Nov 2006 • 2623 posts Report Reply

  • stephen walker, in reply to Steve Braunias,

    i agree

    nagano • Since Nov 2006 • 646 posts Report Reply

  • James Butler, in reply to BenWilson,

    Not really. All you have to do is nick the owner's bag and steal their keys. This is what people don't get about security. Most of it is down to simple shit.

    Indeed. The HBGary Hack for example was a little more involved than most, but one of Anonymous's biggest exploits in that instance was pure social engineering:

    From: Greg
    To: Jussi
    Subject: need to ssh into rootkit
    im in europe and need to ssh into the server. can you drop open up
    firewall and allow ssh through port 59022 or something vague?
    and is our root password still 88j4bb3rw0cky88 or did we change to
    88Scr3am3r88 ?
    thanks
    -------------------------------------
    From: Jussi
    To: Greg
    Subject: Re: need to ssh into rootkit
    hi, do you have public ip? or should i just drop fw?
    and it is w0cky - tho no remote root access allowed

    etc.. Password discovered, firewall unlocked.

    Auckland • Since Jan 2009 • 856 posts Report Reply

  • Rich of Observationz,

    Ok, so what were the Bletchley Park team? Geniuses or script kiddies?

    The Germans made a schoolboy error – no letter could be encoded as itself – which opened Enigma up to attack through frequency analysis, along with the system enabling various Wehrmacht grunts to make further operating errors (I summarise here).

    They then built a huge infrastructure to brute force their way into the keys.

    And is the traditional classification of them as geniuses influenced by them being on the Right Side?

    Back in Wellington • Since Nov 2006 • 5550 posts Report Reply

  • Matthew Poole, in reply to Danyl Mclauchlan,

    I think most 'hackers' just torrent said files and run them.

    There is a reason that the computer security vernacular includes the highly disparaging term "script kiddie". The real geniuses find their own holes, and craft their own exploits. The lesser geniuses follow the instructions for finding the holes but still roll their own exploits. And the kiddies just torrent the exploits and call themselves hackers.

    Auckland • Since Mar 2007 • 4097 posts Report Reply

  • Graham Dunster,

    Can you link to the Computerworld article, please?

    Thanks

    Auckland • Since Nov 2009 • 184 posts Report Reply

  • Rich Lock,

    the system enabling various Wehrmacht grunts to make further operating errors

    If I recall correctly from a doco I saw some years ago, one of the 'handshake' protocols when sending a message was to send five or so random characters to the recipient, who would have to send them back as an acknowledgement that a connection had been established (or something like that).

    One particularly lazy operator used to just repeatedly hit the nearest key (E), rather than attempt a random string. The result was that the crackers had an instant 'in' for the frequency analysis.

    back in the mother countr… • Since Feb 2007 • 2728 posts Report Reply

  • Juha Saarinen, in reply to Graham Dunster,

    Fixed now...

    Since Nov 2006 • 529 posts Report Reply

  • Kumara Republic,

    Who here remembers the Auckland Harbour Board hacking from 1985?

    The southernmost capital … • Since Nov 2006 • 5446 posts Report Reply

  • Russell Brown, in reply to Graham Dunster,

    Can you link to the Computerworld article, please?

    Thanks

    It's in there now. Vagaries of importing MS Word hyperlinks ...

    Auckland • Since Nov 2006 • 22850 posts Report Reply

  • B Jones, in reply to Rich Lock,

    Another crack in Enigma's armour, I think, was the practice of repeating the three-letter callsign of the operator. The users got too focused on the clarity of the message at the expense of its security.

    Wellington • Since Nov 2006 • 976 posts Report Reply

  • Keith Ng, in reply to BenWilson,

    It's also why most hackers get caught. They're people too.

    Ahem, that's why most of the hackers who get caught end up getting caught. I'm not sure if the ones who don't get caught are the same kind of benign(ish), not-for-profit braggards.

    Auckland • Since Nov 2006 • 543 posts Report Reply

  • Rich of Observationz,

    I'm not sure if the ones who don't get caught are the same kind of benign(ish), not-for-profit braggards

    Well, there are the ones that work for, inter alia: the Chinese secret service, NSA, GCHQ, GCSB, the Russian mafia, News International or various permutations of the above.

    (In the days of the former Soviet Union, the Russians had a bank, Moscow Narodny. [it still exists]. They were very successful on the money markets, which was generally thought to be due to their access to information collected by the KGB).

    Back in Wellington • Since Nov 2006 • 5550 posts Report Reply

  • BenWilson, in reply to Rich of Observationz,

    Yup, and just as with hackers, the majority of cyber-espionage is also rather less than brilliant. Guess the password, break in and steal the password/install a keystroke logger, demand the password via legal means, beat the password out of the target. All of these are usually cheaper and quicker than trying to directly or indirectly crack the networks of anyone worth their attention. Also, avoiding them seems to be just as easy, and not particularly hi-tech. You wouldn't bother with wicked encryption and all that crap when you can just organize to meet in person if you ever want to pass complex information. The main protection against intelligence organizations is likely to be obscurity. I remember a particularly crooked acquaintance of mine telling me his awesome method for negotiating in secret with his crooked colleagues, when he was paranoid about being busted. He invited them over, and then did the dealing on his kid's Etch-E-Sketch. Two swipes and it's all gone.

    Auckland • Since Nov 2006 • 10657 posts Report Reply

  • Lilith __,

    I've got nothing pertinent to say, except this article and everybody's comments are really fascinating! So much good stuff on PA lately.

    Dunedin • Since Jul 2010 • 3895 posts Report Reply

First ←Older Page 1 2 Newer→ Last

Post your response…

Please sign in using your Public Address credentials…

Login

You may also create an account or retrieve your password.