It’s the long weekend – do you know what your PABX is up to?
Another long weekend, and another PABX hacking takes place.
It tends to come in waves, but lately it’s been particularly
nasty with at least one report of a $250,000 weekend for one local company.
You probably know how it works but it bears repeating.
Ratbags ring around after business hours looking for a PABX system. They try
various combinations of readily available default passwords (user name and
password set to 0000 for example) and once they’ve struck gold they wait for a
long weekend.
Staff clear out on Friday at 5pm, then the diallers start
in. They have access to the set-up systems of the hacked PABX (which hasn’t
really been hacked, just left unguarded) so they assign all the direct dial
outbound lines to call numbers overseas – typically in those countries that
couldn’t care less about such things. Think Somalia or Azerbaijan. These
compromised systems spend the next three days dialling out and every time they
connect the company in questions starts paying through the nose for the toll
call.
The staff return to work on Monday none the wiser until the
phone bill arrives, typically with tens of thousands of dollars’ worth of toll
calling included.
The company will then ring the telco which will say sorry
but your phones made all those calls, and even if the local telco waives any
profit margin and offers the calls at cost, you’re still in the gun for
thousands of dollars owed to a foreign telco that isn’t going to take no for an
answer.
The ratbags in question typically get a clip of the revenue
earned in their country and have had quite a profitable weekend. Even if the
host telco over there wises up and kicks them out, there’s always another telco
to use.
Rinse, repeat until wealthy.
This isn’t a new phenomenon – in 2005 we covered the
situation at Computerworld and even then we referred to advice given in 2003.
There are, however, some simple steps you can take here to
make sure you’re not done over. Fortunately it’s all quite straight forward.
First, talk to your PABX system provider. Actually, the real
first step is to figure out if anyone in your organisation is responsible for
the PABX – in many cases I’m told responsibility has devolved to the IT department
who don’t necessarily know all the old PABX hacker tricks.
But talk to your provider about securing your system and you’ll
probably discover the easiest thing to do is change the default passwords to
something more difficult.
I’m in two minds about password security – on the one hand a
long and tricky password means you’re unlikely to be hacked. On the other hand,
who can remember them? Bruce Schneier once told me the best way to secure a
system was with a long password that’s complex and difficult that is written
down and stored by the computer, on the basis that anyone who steals your PC
won’t know about the bit of paper and will miss it, and anyone who’s hacking in
from outside won’t be able to see the bit of paper because they’re in another
country. I quite like that.
TelstraClear has a page of advice on what to do that’s worth
a read. The TCF put out a warning last year and also has a page of information on what to do.
While the telcos do what they can to limit the damage from
this kind of thing, at the end of the day we the customers have to play our
part and making sure we bolt the door before we head away for a break is a very
good thing to do.
Something wrong with the links. They all seem to point back to this article,..
Even more while this is on my brain:
Just because your PABX is from 1987 (mmm beige) and hasn’t been attacked yet, doesn’t mean it won’t be.
If you use auto attendants or phone menus, make sure they are secured too. Remove any option to dial through to an extension unless you are absolutely sure it is secure.
Great tips, Ben. Thanks for that – I’d hate to see a small business get into hot water because of a phone bill. High time we stamped out these … ratbags.
And a few more tips:
Make sure someone in your organization is responsible for the PABX. Having a single point of contact makes it a lot easier for users to change passwords, and get questions answered. It can also make it easier to get changes made. Pay this person more money!
Ensure that logging is enabled, and monitored. Often a problem won’t be spotted until the next phone bill arrives.
Look at setting up system-wide call bars. Blocking 0900 numbers is a good start, and if no one will ever call Nigeria, it is a good idea to bar it.
I have been one of those IT people who got lumped with several PABX systems spread across multiple sites. The Telstra Clear advice is a good start. Unfortunately many PABX systems don’t have adequate protections built-in, but there are a few things you can do to limit the damage.
Educate your users, work with them to use better passwords.
Create calling restrictions, and put appropriate limits on where each line can call. If a line is only used for calls to local, national, and Australian numbers then that is all they should be able to call (don’t forget fax/alarm lines).
Work with your vendor to ensure any root/master/service/vendor passwords are complex and unique. I have seen a vendor use the same service password everywhere, and a crafty hacker cracked it. Also talk to them about a maintenance contract, and ensure they will install security updates in a timely manner. Restrict any remote service access where possible.
If you have multiple sites make sure that only appropriate calls can be routed between sites. Some phone hackers have been known to abuse site-site connections to work around restrictions.
If you have lots of smaller sites, you may not always have control over the PABX, so work with your telco and have them restrict international calls as appropriate. Put this in your contract so it happens by default.
If you have a mix of PABX systems/vendors at different sites, things can get very complicated and expensive, very quickly. Work on reducing the complexity.
Practice good IT security. Most PABX’s from the last 10+ years are Windows/Linux boxes (usually unpatched..) under the hood, and can be attacked over your network too (or used to attack your internal network!).
The most important thing to take away is an awareness of the problem. Dealing with PABX’s can be confusing, and hard. Don’t be afraid to get expert help. Your telco and PABX vendor are probably the best places to start.