Phone System Hacked!

[Netman]

Heads-up... We found out this morning that our phone system had been hacked. Someone managed to get in and change the settings so that the substitute function would forward calls onto a premium rate number.
Needless to say we've locked it down now and it looks like we caught it before any costs were incurred...
Just wanted to warn people as I wasn't aware of this scam and the engineer at our phone support company says there is an epidemic of this at the moment...

[ChrisH]

What phone system?

[uk101man]

Was it asterisk?

[Netman]

Siemens HiPath 3750

[danIT]

And i presume it wasnt 'hacked' more that the default password/username was never changed?

[john]

ooh thanks for the heads up, surprised it hasn't happened before as most installation firms leave them at default would you believe! Must admit I'm terrible for it leaving ones i've done on default more for sheer lazyness than anything else but I should change them for security, and will go and do them this weekend.

[Netman]

And i presume it wasnt 'hacked' more that the default password/username was never changed?

Not the point though is it? I'm just trying to warn people as it was a new one on me. I was using the phrase that our comms company engineer used.
The safest thing is to diasble this feature on your system if you're not using it.
Of course we will now check our 50+ extensions to ensure none still have the default PIN on them... end users though isn't it - you tell them to change it and what happens?

[SYSMAN_MK]

Can also be done on your mobile. Crooks add a calling card / prefix number so you end up dialing premium rate number on all your calls.

[Tamarside]

Not the point though is it? I'm just trying to warn people as it was a new one on me. I was using the phrase that our comms company engineer used.
The safest thing is to diasble this feature on your system if you're not using it.
Of course we will now check our 50+ extensions to ensure none still have the default PIN on them... end users though isn't it - you tell them to change it and what happens?

Actually it IS the point. There is a vast chasm between a system that was hacked and a system that was completely compromised because your telecoms contractor couldn't be bothered to change default passwords!

[laserblazer]

It's Xmas guys so thanks to Netman for alerting us and Tamarside for reminding us to be more security minded.

[Domino]

Hacking: Unauthorized attempts to bypass the security mechanisms of an information system or network

so, even if they guessed the password, they were unauthorized to do so - therefore, hacking.

Thats how the law sees it. as in this recent article Oil software exec pleads guilty to hacking charges ? The Register

[Tamarside]

Perhaps so, Domino, but according to the law it is a crime if you accessed somebody else's mailbox without permission (assuming they're not on your network) but in reality that person won't get much of a result popping in to their local police station to report the crime.

The law is an ass, somebody once said. Certainly the law is having a nightmare just trying to keep up with technology.

It is in this context that I say there is a massive difference between hacking and not securing systems. Most pentesters will agree when I say hacking a phone system is vastly different to accessing it (without permission) using unchanged default values.

We'll have to agree to disagree here.

[jamesb]

Perhaps so, Domino, but according to the law it is a crime if you accessed somebody else's mailbox without permission (assuming they're not on your network) but in reality that person won't get much of a result popping in to their local police station to report the crime.

Depends what's in their mailbox, and what you do once you've accessed it. The police might not take an interest but your employers might.

It is in this context that I say there is a massive difference between hacking and not securing systems. Most pentesters will agree when I say hacking a phone system is vastly different to accessing it (without permission) using unchanged default values.

Given that social engineering is a recognised hacking technique, and research is essential to hacking, I'd say that essentially that's what happened here. It would've been hacking if the password had been changed to something obvious, say the area code of the school, so it'll be hacking if its left at the default code.