Phone System Hacked! Heads-up... We found out this morning that our phone system had been hacked. Someone managed to get in and change the settings so that the substitute function would forward calls onto a premium rate number.
Needless to say we've locked it down now and it looks like we caught it before any costs were incurred...
Just wanted to warn people as I wasn't aware of this scam and the engineer at our phone support company says there is an epidemic of this at the moment...
laserblazer (24th December 2008)
What phone system?
Was it asterisk?
Siemens HiPath 3750
And i presume it wasnt 'hacked' more that the default password/username was never changed?
ooh thanks for the heads up, surprised it hasn't happened before as most installation firms leave them at default would you believe! Must admit I'm terrible for it leaving ones i've done on default more for sheer lazyness than anything else but I should change them for security, and will go and do them this weekend.
Not the point though is it? I'm just trying to warn people as it was a new one on me. I was using the phrase that our comms company engineer used.Originally Posted by danIT
The safest thing is to diasble this feature on your system if you're not using it.
Of course we will now check our 50+ extensions to ensure none still have the default PIN on them... end users though isn't it - you tell them to change it and what happens?
Can also be done on your mobile. Crooks add a calling card / prefix number so you end up dialing premium rate number on all your calls.
Actually it IS the point. There is a vast chasm between a system that was hacked and a system that was completely compromised because your telecoms contractor couldn't be bothered to change default passwords!
laserblazer (24th December 2008)
It's Xmas guys so thanks to Netman for alerting us and Tamarside for reminding us to be more security minded.
so, even if they guessed the password, they were unauthorized to do so - therefore, hacking.Hacking: Unauthorized attempts to bypass the security mechanisms of an information system or network
Thats how the law sees it. as in this recent article Oil software exec pleads guilty to hacking charges ? The Register
Netman (1st April 2009)
Perhaps so, Domino, but according to the law it is a crime if you accessed somebody else's mailbox without permission (assuming they're not on your network) but in reality that person won't get much of a result popping in to their local police station to report the crime.
The law is an ass, somebody once said. Certainly the law is having a nightmare just trying to keep up with technology.
It is in this context that I say there is a massive difference between hacking and not securing systems. Most pentesters will agree when I say hacking a phone system is vastly different to accessing it (without permission) using unchanged default values.
We'll have to agree to disagree here.
Depends what's in their mailbox, and what you do once you've accessed it. The police might not take an interest but your employers might.
Given that social engineering is a recognised hacking technique, and research is essential to hacking, I'd say that essentially that's what happened here. It would've been hacking if the password had been changed to something obvious, say the area code of the school, so it'll be hacking if its left at the default code.It is in this context that I say there is a massive difference between hacking and not securing systems. Most pentesters will agree when I say hacking a phone system is vastly different to accessing it (without permission) using unchanged default values.
Last edited by jamesb; 2nd January 2009 at 09:57 AM.
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
LinkBack URL
About LinkBacks