Have you been following the story of HP hiring investigators to uncover leaks from the highest levels in their company? It has been in the Wall Street Journal the past few days and I have to tell you I'm very worried about this. As you can see from the title of my post, I'm wondering why there isn't bigger outrage over this.
No matter which side of the political fence you are on, this seems a lot more to worry about than the Government getting phone records or wiretapping people that it suspects have ties to terrorism. One has to do with national security and the other has to do with keeping a company's private conversations under wraps until it is ready to release them. On the one side you don't have any victims that have been identified, while on the HP pretexting side you have reporters, a reporter's father, and board members that have had their privacy compromised. Here's a quick summary of the relevant articles I've been reading.
- HP's SEC filing of the resignation of board member Thomas Perkins over HP's investigation into leaks. It also mentions some form of pretexting was used.
- Perkins' letter, where he writes how his phone records were hacked, and also the letter from AT&T explaining how this occurred.
- CNET reports how the HP probe snared a third reporter, a father and 6 other reporters in the pretexting scheme. Let me repeat that again: Stephen Shankland's father, Thomas, a semi-retired physicist, had his phone records targeted.
- Wall Street Journal has many articles, but the best are Nine Journalists Phone Records Targeted in HP Probe of Leaks and key HP documents.
So how does the pretexting work? Well, according to the letter that AT&T sent to Thomas Perkins, it doesn't seem that difficult. First, you need a 3rd party who wants to pose as you in order to obtain your records. In this case it was firstname.lastname@example.org with IP address 220.127.116.11. Second, email@example.com got a copy of the last 4 digits of Mr. Perkins' social security number and phone number and then established an online bill with AT&T for local. Mike then tried to establish an online LD billing account but was denied, so he called into customer care and had it manually established. Not bad, huh?
I don't know about you, but this worries me a lot. How many documents do you receive in the mail every month that someone could get a hold of to gain information on your records? Here are some steps that I'm taking ASAP.
- No more using Mother's maiden name as a security question. I'm going with other less obvious ones that people can't find by looking up marriage licenses.
- Shred all bills and financial statements
- Open and then shred all offers for credit cards
- I don't do this, but make sure you use a good version of passwords. Your first name with last initial is terrible. Come up with something that can't be figured out in 2 seconds. I always try and make mine letters, numbers, and special characters.
- Be careful who you give your data to online. I'm still pissed off that Second Life's customer database was recently hacked.
- I won't be leaking anything to the press from the various boards I'm serving on ;-)
The HP pretexting case should worry you a lot more than the Government using phone records to track potential terrorist activities. A reporter's dad was targeted... think about that... it could easily happen to you. And you thought you just needed to make sure you don't call Iran on a regular basis.