We sold our house and moved to an apartment in January, waiting for our new home to be built. Cleaning up a house for a move is a big chore, and one of my tasks for a weekend before the sale was sorting through a big pile of post-it notes left in a box. I chanced upon a post-it note with a 1-888 number that was an AT&T teleconferencing line. I had scrawled the name “John Doe” below the phone number, followed by a ten-digit passcode that belonged to him. I had probably written it down when dialing into the conference from an airport pay phone, saving my cell phone battery for the six-hour flight back west to Seattle. This brought back memories, and a scare that became the reason for this post.

If I recall correctly, John is a senior Vice-President of the Customer Success division at one of my previous employers. On the third Friday of every month, John holds a web conference for all of his direct reports and the people in his organization. The conference highlights important events and developments in his division over the previous four weeks: what new contracts or customers were signed, who was promoted or joined the group, and recent events or initiatives. It takes place at 11 am ET (8 am PT). Originally, our group was small enough that John would address and greet everyone who joined the call. I’d dial into the conference number, punch in the common passcode that was shared across the team, and be greeted by John, who would say, “Hello, who just joined?” I’d reply, “Sundar from Seattle,” and John would tease me: “Hi Sundar, is it still raining out there? We have awesome weather out here on the east coast!” Within a few months the organization grew, and a lot of new people joined our group. Folks from the Bangalore office, London, and the satellite development center in Brazil all joined the conference.
Now, if you dialed into the call at 7:58 am PT, you heard a frenzy of beeps: a lot of people all entering the same passcode to dial into the conference and listen to John’s monthly update. Dollar figures were mentioned, along with a lot of confidential information about customers, clients, leads, and contracts. There was no way John could identify everyone who had dialed into his conference. This made me realize that if I were a real bad guy, I could use the 1-888 number and John’s passcode to dial into his conference on that Friday morning, slip in at 7:59 am amid the flurry of beeps, and eavesdrop on everything said on the call. That is a serious security vulnerability, and the root cause is that these passcodes never expire. Webex, GoToMeeting and a couple of others all use a 1-8xx number with an organizer passcode. There are no individual attendee passcodes, and no mechanism that rotates the organizer’s passcode every month. A few web conferencing tools, such as Microsoft Lync, have other means of covering this. I believe the United States should have a blanket law that brings eavesdropping on phone conferences under Title 18 Section 1030, “Fraud and related activity in connection with computers,” which is explained here: https://www.law.cornell.edu/uscode/text/18/1030 Every web conferencing tool out there – Cisco Webex, Citrix GoToMeeting, AT&T Teleconferencing and others – should rotate all of its organizer passcodes every month. On a recurring Outlook meeting tied to a web conference client, we usually have a 1-8xx number and the same passcode displayed for every meeting in the series, and it never changes.
Instead, the passcode could be changed automatically, or fetched from a common location such as a URL or web service; it shouldn’t be a static 10-digit number that stays in use for years. A shared passcode, rotated or not, also cannot account for attendees who leave the company: anyone who was ever on the invite keeps the code until the next rotation, which in the current approach is never. That is indeed a severe vulnerability. A quick check for your own organization is to search your mailbox for the bridge number and count how many distinct passcodes appear across how many years of meetings; if the answer is one, you have this problem. Unless attention is paid to this small but important detail, we have an untracked and unmitigated information leakage risk. I can only hope things eventually change. In the meantime, I've destroyed the post-it note.
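As an added illustration of the rotation described above (example code written for this edit, not any vendor's mechanism and not the author's), the Python below derives a different 10-digit passcode for every attendee on every third-Friday occurrence, and only honors codes for attendees still on a roster. The organizer secret, the roster and the attendee ids are constructed for the example; a real service would generate the secret with `secrets.token_bytes(32)`, keep it server-side, and feed the roster from HR so that a departure removes the attendee before the next call.

```python
import datetime
import hashlib
import hmac

# Hypothetical organizer secret, held only by the conferencing service
# (constructed for this example; generate with secrets.token_bytes(32) in practice).
ORGANIZER_SECRET = b"constructed-example-secret-for-john-doe"

# Hypothetical attendee roster, fed from the HR system so that a departure
# removes the attendee before the next meeting.
ROSTER = {"sundar.k", "priya.b", "mark.l"}

PASSCODE_DIGITS = 10


def third_friday(year: int, month: int) -> datetime.date:
    """Date of the third Friday of the given month (the call's recurrence)."""
    first = datetime.date(year, month, 1)
    # weekday(): Monday == 0 ... Friday == 4
    offset = (4 - first.weekday()) % 7
    return first + datetime.timedelta(days=offset + 14)


def derive_passcode(secret: bytes, attendee_id: str, meeting_date: datetime.date) -> str:
    """Per-attendee, per-meeting passcode: HMAC-SHA256 over the attendee id and
    meeting date, truncated to PASSCODE_DIGITS decimal digits.

    The code cannot be computed without the secret, and the same attendee gets a
    different code on every meeting date, so a code scrawled on a post-it is dead
    after the meeting it was issued for.
    """
    message = f"{attendee_id}|{meeting_date.isoformat()}".encode()
    mac = hmac.new(secret, message, hashlib.sha256).digest()
    # 64 bits reduced mod 10**10: the modulo bias is about 1 in 1.8e9, negligible here.
    value = int.from_bytes(mac[:8], "big") % (10 ** PASSCODE_DIGITS)
    return f"{value:0{PASSCODE_DIGITS}d}"


def verify_passcode(secret: bytes, roster, meeting_date: datetime.date, presented: str):
    """Return the attendee id whose passcode for this meeting matches, or None.

    Only attendees still on the roster are checked, so a departed employee's
    code stops working the moment HR removes them. Last month's code does not
    match either, because the meeting date is part of the HMAC input. The loop
    runs over the whole roster and uses compare_digest so that timing does not
    reveal which entry matched.
    """
    if len(presented) != PASSCODE_DIGITS or not presented.isascii():
        return None
    matched = None
    for attendee_id in sorted(roster):
        expected = derive_passcode(secret, attendee_id, meeting_date)
        if hmac.compare_digest(expected, presented):
            matched = attendee_id
    return matched


if __name__ == "__main__":
    meeting = third_friday(2015, 3)
    # What the service would send each attendee for this occurrence.
    for who in sorted(ROSTER):
        print(who, derive_passcode(ORGANIZER_SECRET, who, meeting))
    code = derive_passcode(ORGANIZER_SECRET, "sundar.k", meeting)
    print("this month:", verify_passcode(ORGANIZER_SECRET, ROSTER, meeting, code))
    # Mark leaves the company: drop him from the roster and his code is dead.
    mark = derive_passcode(ORGANIZER_SECRET, "mark.l", meeting)
    print("after departure:", verify_passcode(ORGANIZER_SECRET, ROSTER - {"mark.l"}, meeting, mark))
```

The organizer never sees a static number to paste into a recurring Outlook invite; each attendee receives a code that is only good for one occurrence, and the bridge can log which attendee each successful code belonged to, which answers John's "who just joined?" without him having to ask.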
About the Author: Sundar Krishnamurthy is a Senior Software Security Engineer at Concur Technologies, Bellevue WA. He is on Twitter and is a SANS instructor, mentoring students for the GSEC and GCED certifications. With a long prior career as a software engineer, Sundar now tries to find some sleep in Seattle. Training developers to embrace security and think like the bad guys is what keeps the excitement high and the adrenaline flowing. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.