Path: utzoo!attcan!uunet!decwrl!hayes.fai.alaska.edu!accuvax.nwu.edu!nucsrl!telecom-request
From: wdc@athena.mit.edu (Bill Cattey)
Newsgroups: comp.dcom.telecom
Subject: Re: Hacker Altering Voicemail Messages
Message-ID: <13082@accuvax.nwu.edu>
Date: 5 Oct 90 11:41:48 GMT
Sender: news@accuvax.nwu.edu
Organization: TELECOM Digest
Lines: 37
Approved: Telecom@eecs.nwu.edu
X-Submissions-To: telecom@eecs.nwu.edu
X-Administrivia-To: telecom-request@eecs.nwu.edu
X-Telecom-Digest: Volume 10, Issue 715, Message 7 of 8

Making your personal access password easily guessable is a mistake.
Users should be educated by the vendor to choose better passwords.
The problem in Kingsport TN will go away when everyone picks
reasonable passwords. They should consider themselves lucky...

According to friends of mine who have been there when voice mail was
installed at the companies where they work, there are three common
policies that make it particularly easy for crackers to do much worse
things to voice mail than changing message text:

1. The installing companies often keep the same master password for
   all the systems they install, and never change it.

2. They never disconnect the maintenance console dial-in. That's
   right! There are voice mail systems that allow anybody who knows
   the telephone number to dial in and modify it.

3. The installing company insists on keeping secret how simple it is
   to change the phone system with a few simple commands.

I hope that voice mail system providers and purchasers begin QUICKLY
to take the same precautions they take with their other computer
systems:

1. SECRET passwords. (both at the user and system levels) Changed
   often.

2. Physical security: Don't have a publicly accessible maintenance
   console. At the very least, leave it un-plugged until you NEED to
   receive an AUTHORIZED remote maintenance call.

3. A hierarchy of commands and privileges so that someone getting in
   to the maintenance programs still needs higher levels of privileged
   (discretionary) access to do things.

wdc