Risky Thinking
October 2012
Michael Z. Bell, Principal Consultant
www.RiskyThinking.com

Risky Thinking is a free newsletter providing essays, analysis, insights, and oddities related to Business Continuity, Disaster Recovery, and Risk Management.

To subscribe, visit: http://www.RiskyThinking.com/newsletter

For more information and articles, visit the RiskyThinking website at
http://www.RiskyThinking.com/.


In This Issue
  • Phone Hacking - The Wrong Scandal
  • Risk Assessment and Business Impact Analysis Seminars
  • Zombie Statistics in Business Continuity
  • World News
  • Book Reviews
  • Administrivia, Subscribing and Unsubscribing

Phone Hacking - The Wrong Scandal

It's been hard to miss the UK phone hacking scandal. A private detective has been imprisoned, a popular newspaper (The News of The World) has been closed, two top police officers have resigned, a bid by News International to take over a satellite company had to be scrapped, and it would be surprising if there wasn't more fall-out from the scandal in the future.

But in case you missed it, the essence of the story carried in the press is this: a private detective working for the newspaper News of The World listened to voice mails left for celebrities in the pursuit of news stories. The newspaper (but not the private detective) would probably have got away with a sharp reprimand if they had stuck to celebrities: they didn't. They made the mistake of investigating the disappearance of a school girl by listening to her voice mail. It was (incorrectly) alleged that in their enthusiasm for a scoop they deleted some old voice mail from the girl's mailbox to make room for new messages: this gave the misleading impression to the child's parents that the schoolgirl might still be alive. She was not. She had been murdered, and her body was discovered six months later.

The Wrong Lessons

The scandal as portrayed in the media is quite simple: rogue newspapers breaking the law and invading privacy in order to get news stories. The simple lessons to learn from this are also the wrong ones:

  • Journalists need to be regulated to stop them investigating peoples' private lives.
  • We need better licensing to prevent phone hacking by unscrupulous private investigators.
  • Companies need to beware of wrong-doing by employees.
  • Company staff need to beware of putting incriminating evidence in emails. 

But these are the wrong lessons a company or regulator should take away from this scandal.

The Real Scandal

The real scandal here, (and the one that the press for some perhaps-too-convenient reason seem to be ignoring), is that the voice mail security typically deployed by phone companies (and many corporations) is insecure:

  • Default passwords used when creating the mailbox are often easy to guess and are not forced to be changed on first use. (See the list in this document for some common passwords).
  • The user can switch off checking of passwords when calling from their mobile phone, but the only check on the identity of the caller is the caller-id information, which is easily forged. Often this is the default setup of an account.
  • Users never have to change their passwords: a 4 digit password, once guessed, will leave the account vulnerable for months or years.
  • There is no way for a voice mail box owner to know that an attempt has been made to compromise their account.
  • There is no way for the voice mail box owner to detect that their account has been compromised and that someone else is listening to their voice mail.

People will always choose bad passwords, but without any way for a user of the system to detect that his or her account has been compromised, the pickings for any unscrupulous hacker are easy. The hard problem for the hacker is to find accounts worth compromising, not compromising the accounts.

How to Check if You Are Vulnerable to Phone Hacking

Examine your telephone company and internal voice mail systems, and ask yourself the following:

  • Is a password required when calling from a mobile phone? If not, you are vulnerable to caller-id spoofing using a PABX (private automated branch exchange) or a Voice-over-IP provider.
  • Is a password required when calling from an office phone? If not, then anyone with physical access to your office or your phone line has access to your voice mail.
  • Is the default password easy to guess? Do all users get the same default? Have you changed it? The risks here are obvious.
  • Is there a lockout, or is there an SMS message sent to you after multiple wrong password attempts? If not, your account is vulnerable to brute force password guessing. If the password is only 4 digits long and truly random, the worst case is 10,000 attempts, with 1 in 10 odds of guessing it in the first 1000 attempts. But chances are you picked a password which was easy to enter or remember, and the odds of guessing it quicker are much higher.
  • Do you receive an SMS message when your password is changed? If not, you are vulnerable to social engineering attacks against the phone company or your system administrator. If I can pretend to be you and get your password reset, I can read your voice mail. Chances are that you will assume a system glitch and get your password reset never realizing your account was temporarily compromised.

Any system relying only on a four-digit user-selected password is never going to be very secure, but the security holes left open by default are very big. It's not at all surprising that so many voice mails were hacked and that the hacks went undetected for so long.

The ease with which many voice mail systems can be hacked is the real scandal: but it's not the one that the press (or the phone companies) want to talk about.
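As an added example (not code from the newsletter, a phone company or any PABX product), the following Python model applies the checklist above to a toy mailbox: it refuses to treat caller-ID as authentication, rejects common default PINs, locks the mailbox and records an alert after repeated failures, and records an alert whenever the PIN is changed. The lockout threshold, the sample weak-PIN list and the alert wording are assumptions; `guess_probability` reproduces the 1-in-10 figure for a random 4-digit PIN.

```python
"""Toy voice mail PIN policy illustrating the newsletter's checklist.
Assumed settings (not from any real product) are marked below."""
from dataclasses import dataclass, field
from typing import List, Optional

MAX_FAILURES = 3                        # assumed: failures before lockout + alert
WEAK_PINS = {"0000", "1234", "1111"}    # constructed sample of common defaults


@dataclass
class Mailbox:
    pin: str
    trust_caller_id: bool = False       # True models the insecure default setup
    failures: int = 0
    locked: bool = False
    alerts: List[str] = field(default_factory=list)   # SMS messages owner gets

    def set_pin(self, new_pin: str) -> None:
        """Reject weak or malformed PINs and always tell the owner about a change,
        so a social-engineered reset does not go unnoticed."""
        if len(new_pin) != 4 or not new_pin.isdigit() or new_pin in WEAK_PINS:
            raise ValueError("PIN must be 4 digits and not a common default")
        self.pin = new_pin
        self.alerts.append("pin changed")

    def authenticate(self, caller_id_matches: bool, pin: Optional[str]) -> bool:
        """Return True if access is granted. caller_id_matches is the forgeable
        caller-ID check; pin is what the caller keyed in (None if skipped)."""
        if self.locked:
            return False
        if self.trust_caller_id and caller_id_matches and pin is None:
            return True                  # caller-ID is the only check: spoofable
        if pin is not None and pin == self.pin:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True           # stop brute force and notify the owner
            self.alerts.append("locked after repeated wrong PINs")
        return False


def guess_probability(attempts: int, digits: int = 4) -> float:
    """Chance that a truly random PIN falls within the first `attempts` guesses."""
    return min(attempts, 10 ** digits) / 10 ** digits
```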


Risk Assessment and Business Impact Analysis Seminars

We have just opened booking for some new seminars in Ottawa (Canada), Chicago (Illinois), London (UK).

A Business Continuity Plan is only as good as the risks it is designed to deal with, so any good plan is based on a sound analysis of the risks that your organization faces. These seminars/workshops are designed to give you a practical method for identifying and prioritizing those risks, and to generate the information needed to create a cost-effective business recovery strategy.

Due to the hands-on nature of the seminars, there are a limited number of places available.

To find out more or to reserve your place.

Zombie Statistics in Business Continuity

If you read most sales material for business continuity, you will find some unattributed statistics. The most common is the proportion of businesses who don't have a business continuity plan that fail following a disaster. You can often find values for this figure ranging from 40% to 80%.

Like many people, I've tried to track down the source for these statistics without success. The trail normally ends with a magazine article or some promotional material quoting the number without identifying the source.

Statisticians know these numbers as Zombie Statistics: numbers without a source (or with an incorrect source) which get passed around as fact and never die.

Recently I've come to the conclusion that even if these statistics exist, they aren't of any use whatsoever. Why? Because what matters is our own chance of survival, not the combined average survival rate of hot-dog vendors, retail stores, and major banks.

If you are a bank without a business continuity plan and you are out of operation for a week following an incident, you stand a high probability of failure. You should have had a plan and did not, and investors, customers and regulators are going to put you out of business. If you are a hot dog vendor and your stand gets demolished by a garbage truck, you can probably pick up pretty much where you left off a few weeks later (assuming it was insured). Different businesses have different requirements, and an average statistic doesn't help you decide how much effort to devote to business continuity planning.

What's important is to figure out what would happen if your business was disrupted for a period of time. What would be your chances of survival?

Original blog article

Book Reviews

Estimation of the probability of adverse events is part of the bread and butter of risk management. Recently I came across two interesting books related to this:

Degrees of Belief: Subjective Probability and Engineering Judgment by Steven G. Vick looks at the methods and difficulties involved in estimating the probability of a major failure such as a dam collapse. It's comprehensive, and deals well with the issues involved in creating and combining subjective probability estimates. However, it's a rather heavy read. Amusingly I came across this in the new age/religion section of a second hand book shop.

Don't Believe Everything You Think by Thomas Kida is a lighter read which looks at how people make mistakes when drawing conclusions about the world around them, including how they overestimate or underestimate probabilities of events based on the frequency and recency of news reports. If you've ever encountered a company with an irrational fear of volcanic eruptions (despite not being near any active volcanoes) you will appreciate this book.

I've linked the titles of both these books to Amazon so you can find out more information on them.


News of The World

In this issue we concentrate on backup generators.

New Orleans City Council is introducing a by-law to require that nursing homes have backup generators with sufficient capacity to power air conditioners and life saving equipment. While losing air conditioning for a few hours is just an inconvenience, after Hurricane Isaac there was a three day power cut.
http://arl.ca/s/4j

In Islamabad the Capital Development Authority apparently failed to pay its electricity bill, got its electricity supply cut off, and is now running on backup generators. Hopefully they realize that if you use backup generators like that, they are not backup generators.
http://arl.ca/s/4k

The University Malaya Medical Centre lost power for five hours when standby generators failed to start after a power outage. Fortunately operating theatres and surgical rooms had an alternative power source. Poor maintenance of the backup generators is suspected to have been the cause of the problem.
http://arl.ca/s/4l

In Yukon, NWT power problems disrupted land lines, cellphones, internet and other services. The problems occurred after normal power was restored, causing the backup generator in the telephone central office to shut down. While transfer from normal to backup power appears to have worked flawlessly, either the backup power did not have sufficient capacity, or the automatic transfer back to normal power did not.
http://arl.ca/s/4m

The EPA suggests that half of New York City's 58 hospitals suffered failures in their backup power generators during the Northeast blackout of 2003. Combined Heat and Power units (where the grid is used as the backup) may be a cheaper and more reliable alternative. However, the citation associated with the statistic does not seem to include this number, making me wonder whether this is just another zombie statistic...
http://arl.ca/s/4o


Administrivia, Subscribing, and Unsubscribing

RISKY THINKING is a free newsletter providing essays, analysis, insights, and oddities related to Business Continuity, Disaster Recovery, and Risk Management. You can subscribe on the web at http://www.RiskyThinking.com/newsletter.

Please feel free to forward RISKY THINKING to colleagues or friends who will find it valuable. You may reprint this newsletter providing it is reprinted in its entirety.