British tabloid News of the World said today it is closing down over a phone hacking scandal in which workers for the Rupert

Murdoch-owned newspaper allegedly snooped on voice mail messages left on the mobile phones of murder victims, as well as

celebrities, politicians, and the British royal family.
If unethical journalists can do it chances are anyone can, right?

To test my theory I called up Kevin Mitnick, who wrote about the hacking and social engineering that landed him in jail in a

fascinating ugg boots sale book coming out this

summer, "Ghost in the Wires," and who serves as a security consultant, helping clients protect against privacy breaches such

as this.

Phone hacking, also known as "phreaking," is easy to do, Mitnick said, adding that he could demonstrate it on my phone if I

wanted proof. So I gave him permission to access my voice mail and told him my mobile phone number.

He called me right back on a conference call so I could hear what was going on. First he dialed a number to a system he uses

for such demonstration purposes and entered a PIN. Then he was prompted to enter the area code and phone number that he

wanted to call (mine) and the number he wanted to be identified as calling from (again mine). Next thing I know I'm

listening to a voice message a friend of mine left me last night that I hadn't erased.
[img]http://i.i.com.com/cnwk.1d/i/tim//2010/08/04/kevin-mitnick_270x405_270x405.jpg[/img]
"See how easy it is?!" Mitnick says as my jaw drops.

He was able to get into my voice mail by tricking my mobile operator's equipment into registering the call as coming from

the handset--basically pretending to be me. To do this, he wrote a script using open-source telecom software and used a

voice-over-IP provider that allows him to set caller ID, but there also are online services that provide similar capability

that non-hackers could subscribe to. It might be easier or harder to accomplish depending on the mobile operator, he said.

(I'm keeping some of the details sketchy to avoid providing a how-to for phreaking.)

"Any 15-year-old that knows how to write a simple script can find a VoIP provider that spoofs caller ID and set this up in

about 30 minutes," ugg boots clearance Mitnick said. "If you're not

adept at programming, you could use a spoofing service and pay for it."

This technique, called Caller ID Spoofing, has been used and abused for years. In 2006, a caller ID spoofing account in the

name of Paris Hilton was suspended for voicemail hacking, with other celebrities, including Lindsay Lohan, allegedly being

victims, according to IDG News Service.

The method is more sophisticated than that allegedly used by the British journalists who are accused of using default PINs

to access victims' voicemail accounts, assuming correctly that many people wouldn't bother to change the PINs. Since the

phone hacking cheap ugg boots scandal first erupted about five years ago,

mobile operators in the U.K. have changed their practices and most now require people to set their own PINs for remotely

checking voice mail.

If I want to avoid having anyone use Caller ID Spoofing to access my voice mail again, I need to change my phone settings to

require a PIN even when checking voice mail from my mobile device. But that doesn't address the fact that mobile operators

don't authenticate caller ID. "The magic is that my VoIP provider allows me to set any caller ID and the other operators

trust it," Mitnick said. "Caller ID is automatically trusted."

Mobile phone industry specialist David Rogers suggests on his blog that operators should consider preventing people from

accessing mobile uggs on sale voicemails remotely at all.

Meanwhile, the Truth in Caller ID Act of 2010, which was signed into law late last year, prohibits anyone intending to

defraud, cause harm, or wrongfully obtain anything of value from knowingly causing any caller ID service to transmit or

display misleading or inaccurate caller ID information. This could send the caller spoofing services off shore but likely

won't put an end to the practice.