News Of The World Wasn’t ‘Hacking’ Voicemail, It Was Blagging

This is nitpicky, and I certainly don’t mean to take lightly the seriousness of the matter. But I do want to clarify that the News of the World wasn’t technically “hacking” voicemail in its scandal. It was engaged in social engineering.

For those of you who missed the headlines (and for the benefit of posterity): News of the World was (until July 10, 2011) a Sunday tabloid; like most British tabs, it’s best known for printing racy pictures of women and sleazy stories.

News of the World  hired a private investigator to help it research stories. That contractor gained access to a number of voicemail accounts, including those of a murdered 13-year-old girl, several soldiers killed in the Middle East conflicts, and royal family members.

All the shoes involved here haven’t yet dropped, but as of this writing the scandal has closed the paper after 168 years of publication; threatens to bring down Prime Minister David Cameron; has led to several arrests and may well result in additional restrictions on Great Britain’s press. (Even overwhelmingly reasonable pundits, such as The Economist, are calling for a mucking out of British journalism’s stables.)

The entire affair is loathsome, no question about that, even for the British press, nefarious for its “chew people up and spit them out” appetite. It’s also caused other world press outlets to term what News of the World did “phone hacking,” needlessly worrying people who have taken reasonable steps to secure their voicemail that they, too, might be targeted.

So I want to clear things up. If you’ve changed your voicemail password (PIN), you almost certainly can’t be violated in the way News of the World violated its victims.

Hacking means “to alter a system to perform differently than intended.” Hacking isn’t necessarily a malicious act. In fact, it’s often a good thing. I am 100 percent in favor of hacking, provided the thing you are hacking is yours or you have permission to hack it.

Cracking means “to compromise the security of a system.” While there are legitimate reasons to crack, it’s never an appropriate thing to do with property that doesn’t belong to you.

(I realize this is only one interpretation of “hacker,” and that other definitions exist, which also encompass what I term separately as “cracking.” I reject definitions of hacking that assume malice or nefarious intent. Hackers don’t aim to cause harm to, or violate the rights of, others; crackers do. Period.)

Social engineering (also called “blagging”) is the act of exploiting human behavior to achieve an end, usually without the tacit understanding of the people targeted that they are being exploited.

That’s what News of the World was up to: Exploiting people who were ignorant of, or indifferent to, basic voicemail features and security.

As explained at this excellent article at sophos.com, a lot of people don’t change the default password for their voicemail. Additionally, most users don’t understand that the convenience of being able to access voicemail from a different phone is a security risk that should at least be managed, if not disabled. (Admittedly, a number of phone providers don’t give you the option to disable remote access to voicemail.)

Simply put, News of the World’s private investigator gambled that the victims of his snooping didn’t bother to change their voicemail passwords from default values, and didn’t disable (if they even could disable) remote voicemail access.

Again, I am not suggesting what News of the World did was OK. That people don’t protect themselves from being violated does not make it OK to violate them.

My point is that what News of the World did is not hacking; at no point did anything not perform as designed. It also isn’t cracking; at no point was any procedure undertaken to circumvent the built-in security of the voicemail systems in question. The victims’ misunderstandings and inaction were exploited. That’s social engineering.

All links in this post on delicious: http://www.delicious.com/dougvdotcom/news-of-the-world-wasnt-hacking-voicemail-it-was-blagging

Comments

  1. Bob says

    How is it social engineering when there was no engagement with the end user? They didn’t deceive anyone in to handing out the pin numbers. The actual method is more akin to a brute force / dictionary attack. They presumably just threw 1234 or 0000 etc. at enough phones and hit the jackpot a few times.

Leave a Reply

Your email address will not be published. Required fields are marked *