Shared phone conference numbers

How often do you happen to meet over the phone? I have done so quite a lot lately — normal thing — you call a virtual conference room number, type in a preset password and start falling asleep while someone tries to bore you to death with their ramblings. This lasts like forever… you switch ears when the receiver-induced pain starts getting unbearable… play whatever flash game is your favourite with one hand or type a short email to a friend, holding the receiver between your head and your shoulder… yawn… try not to saw wood and subconsciously scan the conversation trying to catch your name. Bored to death, you occasionally mimic line-induced crackling sounds, ask other participants to repeat themselves and refuse to go any further before every word gets to you. Sounds familiar? Very likely, as this is what we do — we communicate.

But. When was the password to the phone conference room last changed? And how about the phone number? Is it by any chance a shared number that your whole team uses and that anyone can dial in to, provided they know the number and the never-changing password?

Riiiight. And how often does someone dial in by mistake and it turns out they're not at the conference they intended to join, not at the right time, or not in the same time zone? Imagine that, for a change, some serious matter is being discussed, confidential maybe. Picture a situation where the discussion is so super-important that someone actually intends to eavesdrop on it. Would it be possible in your environment? How much effort would it take to get into such a conference unnoticed? Wiretapping an exec's conference this way is not that easy and leaves trails, sure. But the key point here is that it's usually not as difficult for an insider as we would like it to be.

Of course, again, we trade security for convenience and usability here. Agreed, changing the password for every conference might be a pain in the neck, but it's good to at least know how this impacts the security of the conference and to be able to raise the security level whenever necessary.

It’s always your choice, but it’s best when it’s a good choice.

© 2006-2007 Michał Sobiegraj. All rights reserved. The views expressed here are my own, and not necessarily endorsed by any former or current employer.

About

This page contains a single entry from the blog posted on August 16, 2007 12:36 AM.
