I’m sure everyone who reads this will be bored (all of us at Data Defender are) and shocked by the constant revelations about the News of The World phone scandal. Every day we here about new victims, Milly Dowler, Jessica Wells, Holly Chapman, 7/7 terrorist victims, soldiers killed in Iraq and Afghanistan and so on.
The media likes to make stories 'sexy', to sell them but sometimes they do not understand the terminology or simply exaggerate. One example is the alleged Essex-based hacker Ryan Cleary of Lulzsec. He is accused of hacking into various companies’ networks and websites, as well as SOCA, the Brazilian Government and the CIA.
Judging by the media headlines, they hacked into and/or defaced the websites of all three. They didn’t. They launched a DDoS (Distributed denial of service) attack against the targets to overload them. DDoS is often a 'give up' attack if penetration fails. The websites were simply overloaded and taken offline for a short while, not compromised.
Moving back to the NOTW scandal, headlines say they hacked into people’s phones. The method of the attack was pretty simple, it's what is usually called a default configuration attack. It can be compared to a hotel's safe or a home-based where the default pin is usually 0000, 1234 or similar. Most people do not change the details on safes, voicemails, Wi-Fi.
It seems that the NOTW or its investigators got in just by guessing the default pin. There are ways to dial into voicemails from anywhere, even if you do not have the sim or pin. Once you connect up, you enter the mobile number and pin, hey presto you have access. The majority of people do not change their pin and those who do may use obvious pins. Staff bribery is another scenario; staff within the phone network may have access to the voicemail server or master pin. Pretty simple really and you do not need a huge amount of skill to pull this off.
How do you protect yourself? Simply change your pin to something that cannot be guessed. Remember too that everyone has a price and if someone is really desperate to get into your voicemail, there may be a way to use a rogue phone network employee. Paranoid? Do not use voicemail or disable it.
Other problems such as communications (GSM hacking) interception also exist. Governments worldwide, private companies and individuals (legal or not) can get hold of GSM interceptors. These can be used to listen in to phone calls or intercept text messages. The more unethical, corrupt, authoritarian or unstable a country is, the more chance there is of interception … you could be discussing an important deal with your board of management and an unscrupulous rival finds out and beats you to the contract. Of course you don’t know if someone has or will ever intercept a call, but you should assume it's happening and protect yourself. That said, even France admitted it used to (perhaps still does) listen into calls – see http://www.independent.co.uk/news/world/france-spied-on-commercial-rivals-1323422.html.