Computerworld - Security consultants aren't surprised that someone managed to take a voice mail Hewlett Packard Co. Chairwoman and CEO Carly Fiorina left for HP Chief Financial Officer Robert Wayman last month and transmit it to the world.
Voice-mail systems and phone rooms tend to have less security than other sensitive areas in companies, and the four-digit personal information numbers used to guard access to user's messages can be easily cracked.
"My guess is that this info was obtained simply by guessing [Wayman's] password," said Todd Tucker, director of security and architecture at Pentasafe Security Technologies Inc. in Houston.
The San Jose Mercury News said it received the voice-mail message, in which Fiorina told Wayman she was worried about the outcome of the March 19 proxy vote on the HP/Compaq Computer Corp. merger, from an anonymous caller. HP has had little to say about the incident except that the message was genuine and that it takes the dissemination of private company communications quite seriously (see story).
But Tucker and others think HP has learned a lesson that all companies should take to heart.
"I think the biggest thing is that we continue to have wake-up calls on how security and privacy needs to be addressed, and this is definitely a wake-up call," said Rick Shaw, president of CorpNet Security Inc. in Lincoln, Neb. "Companies do not always cover their voice-mail systems with the same critical level that they would with the networks. The bottom line is ever since we started digitizing, voice mail it is just another file sitting on a server."
As such, Shaw said that anyone who can access that server can listen to whatever voice-mail messages are there. He said it isn't "that difficult" to go looking around on voice-mail servers and poking into different files to see what's vulnerable.
If the intruder finds something interesting, then downloading that information and spreading it to the rest of the world is even easier, Shaw said.
Another way companies leave themselves vulnerable is that they use systems right out of the box without configuring them for added security, said David Losen, director of secure systems at Sergeant Laboratories Inc., in La Crosse, Wis.
"If you do it right out of the box and think you are good to go, then you probably aren't," Losen said. He noted that it also depends on what kind of system companies use for voice mail, as some systems are left "wide open" to attack.
There is also a human element at play, Tucker said. People tend to forget about security or not think about itwhen they send e-mail messages or leave voice-mail messages containing sensitive data.
"They are unaware of the potential impact to either them or their company and underestimate the threat," Tucker said. "I doubt Carly Fiorina would have expected this kind of a backlash just from leaving a voice mail with someone."
On the other side of the equation is the fact that people can overestimate security measures that their colleagues, contractors and customers put in place and often believe that those measures are as good or better than their own.
"You have to be extremely careful when sharing information with any other person or party because you never know what level of security they have over their information," Tucker said.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Gartner Report: A Guide to Gartner's Enterprise Mobile Security Self-Assessment Gartner introduces a model and a Toolkit intended to help mobility and security IT leaders assess their enterprise mobility programs from a security...
- Gartner Report: Containing Mobile Security Risks With the 80/20 Rule IT planners can deliver better mobile protection with higher user satisfaction by segmenting users into risk groups before committing to specific management or...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts