Another long weekend, and another PABX hacking takes place.
It tends to come in waves, but lately it’s been particularly nasty with at least one report of a $250,000 weekend for one local company.
You probably know how it works but it bears repeating. Ratbags ring around after business hours looking for a PABX system. They try various combinations of readily available default passwords (user name and password set to 0000 for example) and once they’ve struck gold they wait for a long weekend.
Staff clear out on Friday at 5pm, then the diallers start in. They have access to the set-up systems of the hacked PABX (which hasn’t really been hacked, just left unguarded) so they assign all the direct dial outbound lines to call numbers overseas – typically in those countries that couldn’t care less about such things. Think Somalia or Azerbaijan. These compromised systems spend the next three days dialling out and every time they connect the company in question starts paying through the nose for the toll call.
The staff return to work on Monday none the wiser until the phone bill arrives, typically with tens of thousands of dollars’ worth of toll calling included.
The company will then ring the telco, which will say sorry, but your phones made all those calls. Even if the local telco waives any profit margin and offers the calls at cost, you’re still in the gun for thousands of dollars owed to a foreign telco that isn’t going to take no for an answer.
The ratbags in question typically get a clip of the revenue earned in their country and have had quite a profitable weekend. Even if the host telco over there wises up and kicks them out, there’s always another telco to use.
Rinse, repeat until wealthy.
This isn’t a new phenomenon – in 2005 we covered the situation at Computerworld and even then we referred to advice given in 2003.
There are, however, some simple steps you can take here to make sure you’re not done over. Fortunately it’s all quite straightforward.
First, talk to your PABX system provider. Actually, the real first step is to figure out whether anyone in your organisation is responsible for the PABX – in many cases, I’m told, responsibility has devolved to the IT department, which doesn’t necessarily know all the old PABX hacker tricks.
But talk to your provider about securing your system and you’ll probably discover the easiest thing to do is change the default passwords to something more difficult.
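Beyond changing the passwords, the pattern described in this column (overseas calls, after hours, over a weekend, from an extension that never normally makes them) stands out in the PABX’s own call detail records if anyone looks before the bill arrives. The following is an added example, not from the column or from any PABX vendor; it assumes a simple CSV CDR export with the columns shown, a New Zealand site (so +64 is domestic) and 08:00–18:00 weekday business hours, and the sample records are constructed for illustration:

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, time

# Business hours are assumed to be 08:00-18:00 Monday to Friday; everything
# else (evenings, weekends and holiday Mondays) is treated as after hours.
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
LOCAL_PREFIX = "+64"  # assumption: a New Zealand site, so +64 is domestic

# Constructed sample CDR export, not real data: two ordinary Friday calls,
# then a burst of long overseas calls from extension 301 over the weekend.
SAMPLE_CDR = """start,extension,dialled,duration_s
2014-10-24 14:05:00,201,+6494567890,120
2014-10-24 17:55:00,202,+6421555000,60
2014-10-24 23:10:00,301,+25261234567,1800
2014-10-25 02:40:00,301,+99412345678,2400
2014-10-25 03:15:00,301,+25261234568,3600
2014-10-26 01:00:00,301,+99412345679,2700
2014-10-27 09:30:00,201,+6494567891,300
"""

def is_after_hours(ts):
    """True on weekends or outside business hours on a weekday."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)

def is_international(number):
    """True for any E.164 number that is not in the local country code."""
    return number.startswith("+") and not number.startswith(LOCAL_PREFIX)

def parse_cdr(text):
    # Parse the CSV export into a list of dicts with typed fields.
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "start": datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S"),
            "extension": row["extension"],
            "dialled": row["dialled"],
            "duration_s": int(row["duration_s"]),
        })
    return records

def suspicious_extensions(records, min_calls=2, min_minutes=30):
    """Extension -> after-hours international minutes, for extensions over both thresholds."""
    durations = defaultdict(list)
    for r in records:
        if is_after_hours(r["start"]) and is_international(r["dialled"]):
            durations[r["extension"]].append(r["duration_s"])
    return {ext: sum(d) // 60 for ext, d in durations.items()
            if len(d) >= min_calls and sum(d) >= min_minutes * 60}
```

Run it over each night’s export (or the whole weekend’s first thing Monday) and alert whoever owns the PABX when anything comes back; the thresholds are starting points to tune against your normal traffic.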
I’m in two minds about password security – on the one hand a long and tricky password means you’re unlikely to be hacked. On the other hand, who can remember them? Bruce Schneier once told me the best way to secure a system was with a long password that’s complex and difficult, written down and stored by the computer, on the basis that anyone who steals your PC won’t know about the bit of paper and will miss it, and anyone who’s hacking in from outside won’t be able to see the bit of paper because they’re in another country. I quite like that.
While the telcos do what they can to limit the damage from this kind of thing, at the end of the day we, the customers, have to play our part, and making sure we bolt the door before we head away for a break is a very good thing to do.