back to article Phreakers seize government phone system

Information technology workers at the US Department of Homeland Security are busy scraping egg off their collective faces after unknown hackers broke into their telephone system and racked up $12,000 in calls to the Middle East and Asia. The hackers made more than 400 calls by accessing the voicemail system of the Federal …

COMMENTS

This topic is closed for new posts.
  1. Kevin
    Thumb Up

    FIRST!

    I WIN!

  2. Anonymous Coward
    Coat

    Mmmk

    /mails ten year old copies of Phrak and 2600 to the DHS and FEMA. Here ya' go boys and girls. Use that reading material to beef up your PBX security and while you're at it you might want to check for any of those pesky Y2K bugs in the system.

    Ooo I feel more secure already.

    Mine is the one with the acoustic coupler and TRS80.

  3. Frank Thomas

    @Kevin

    what do you think this is? /. ?

  4. James O'Brien
    Joke

    HAHAHAHAHAHAHAHAHAHAHA

    Our tax dollars at work. I LOVE IT

  5. Anonymous Coward
    Paris Hilton

    Two possible things

    "it appears a "hole" was left open by the unidentified contractor who performed the job."

    He/she forgot to install the authentication file, bad.

    He/she created an admin login to simplify the upgrade process as several reboots and logons are required, and neglected to remove it, worse.

    However, I would think it was the former, because if it was the latter, then this "contractor" would have had to tell someone what the admin account password was to access the system. It is the difference between merely being yelled at or fired, and being sent to federal prison.

    Paris, because she is as secure as a system can get 8-)

  6. Duffy
    Joke

    Ha ha

    I feel so much safer knowing my government can't secure it's own phone lines.

  7. Mark Cathcart
    Paris Hilton

    But did they wire tap the calls ?

    and are they going to keep them for 75-years... You bet if I called them they would.

    Paris, because she's had her phone stolen too!

  8. Paul Young
    Coat

    What Title?

    I bet it was a Siemens HiPath System

    Easy for installers to forget about v/m security

    I had a client a couple of years ago that was hacked over 2 weekends

    it cost them next to £20k.

    The UK.GOV use some Siemens stuff in the FCO

    I wouldn't underestimate the power of an engineering password!!

    Coat please, the one with all the Siemens Passwords in the pocket

    Paul

  9. Anonymous Coward
    Anonymous Coward

    Some one has not been reading

    Um whats that chap they are trying to extradite ??? Yeah they might just fucked you over to prove point.

  10. Tim

    FAO: Sarah Bee

    I trust that Kevin will shortly find himself shackled to the wall in a particularly damp corner of your dungeon.

  11. charles platt

    value of calls?

    400 calls cost $12,000? Did I get that right? $30 average per call?

    Sounds like basic AT&T service back in the day. DHS has never heard of Skype I guess.

  12. Jach

    Wow...

    First their site falls to an SQL Injection attack, now their phone lines have been hacked. These people are supposed to be protecting me? (Besides, I thought phone hacking was something of the old ages, stamped out long ago...)

  13. Anonymous Coward
    IT Angle

    POTS?

    What's wrong with just a Plain Old Telephone system? Harder to infiltrate that all this digital malarkey, I'll wager, and a lot cheaper too. I don't know of anyone's digital phone system that doesn't keep falling over and getting hacked.

    This is the 21st century: phone systems have worked perfectly well for well over a hundred years — until some daftie privatises them and makes them "go digital".

    As they Scottish engineer once said, “the more they overthink the plumbing, the easier it is to stop up the drains”.

  14. Alan Donaly

    phreaking is back

    I think the mobile business has something to do with that whenever you have enough people interested in a subject (means there is money in it) you get this sort thing as well.

  15. Anonymous Coward
    Anonymous Coward

    Don't need any hacking skills at all ...

    I often receive calls from overseas where the caller ID I see is a local number. This happens when the folks calling me use cheap wannabe internet telephony providers which use some cheap local setup to terminate the calls using equipment they don't know anything about. The default setup of those VoIP-to-POTS boxes seems to be such that they provide a dialtone without any PIN number set. Apparently, they never consider the possibility that somebody may call the number back and find out.

    So, all you have to do is call the number back, wait for the box to pick up and give you a second dialtone, then dial any number you want and it will connect you. If you call witholding your own caller ID, they will not even be able to find out who made calls on their bill.

  16. James Woods

    Accountability?

    This is the same Government mind you that wants all of your e-mails to be archived so that they can come after you for spam and other actions for which they deem you to be accountable for. Will they hold themselves to the same standards, what will happen to those government employees responsible for this? A promotiion perhaps? It's good to see that "Homeland Security" relies on contractors that from what has been witnessed with Bushes Iraq, do not have to follow the same rules that our citizens and agents do. Im sure the contractor will never be named, heck they should be given some extra pork for this.

  17. Anonymous Coward
    Anonymous Coward

    title

    "If you call witholding your own caller ID, they will not even be able to find out who made calls on their bill."

    NOT true.

    When you withold your number it still travels the entire length of the phone system. It is only the last connection that witholds the A party number depending on whether the caller ID bit is set. Witholding your number does NOT give you any privacy except from the user of the B number.

  18. James Prior

    Why so complicated?

    Why do you think this is all so complicated?

    Where I used to work we had a Toshiba phone system. If the voicemail answered the call you could press * during the greeting and then hear a complaint that it wasn't a recognised command. The voicemail system would then volunteer to transfer you to an extension if you knew the number.

    If the system hadn't been told to deny access to an outside line at this point the person calling could simply put in a nine and access an outside line before dialing any number they want.

  19. Stuart Van Onselen

    It had to be said:

    "Heckuva job, Brownie!"

    Actually, Brownie's replacement, but I bet he's also just a second-rate horse-show manager.

    @Greg Fleming: You're kidding, right? Phreakers have been cracking POTS/analogue phone systems since the 70s at least.

    "If you make it, they will come" has become "If you make it, they will hack it".

  20. Martin Maloney
    Dead Vulture

    Insecure by default

    The reason for entering a new password is to prevent any motherphreaker who enters the default password from gaining access.

    In short, changing the password allows the system to telephony!

  21. Anonymous Coward
    Anonymous Coward

    re: title

    "Witholding your number does NOT give you any privacy except from the user of the B number."

    Smarta$$, I knew that already, but it doesn't mean my statement was wrong. Do you think that guys who are too stupid to configure their gateway so it doesn't give any jack, dick and harry a dialtone will be smart enough to ask the phone company for inbound call records? In fact it isn't always easy to get inbound records, many phone companies will not give them out without a court order.

  22. Anonymous Coward
    Anonymous Coward

    re: title

    "many phone companies will not give them out without a court order."

    no, "SmartA$$", the MSISDN is delivered across the network as the call is routed, appearing in every log all the way & available to every system the call is routed through or used for other purposes whether they be MSCs or Prepay Account Managers, HLRs, MLRs or whatever.

    You said: "If you call witholding your own caller ID, they will not even be able to find out who made calls on their bill."

    Yes they will be able to find out. Very easily. Withholding your own callerid ONLY stops the person that answers the B number from seeing your number.

    Granted they may be stupid enough not to be able to check logs or ask their supplier to. Also their supplier might be too stupid to check their logs & supply the number. After all, some people are stupid enough to think that witholding callerid actually withholds their phone number.

    Anyway, why would they need a court order to view their own data?

    You'll be telling me next that BT won't give an itemised phone bill without a court order.

  23. Anonymous Coward
    Anonymous Coward

    re: re: title

    "Anyway, why would they need a court order to view their own data?"

    because its not their own data, it's the phone company's data.

    "You'll be telling me next that BT won't give an itemised phone bill without a court order."

    itemised bill only shows outbound calls, not incoming.

  24. Anonymous Coward
    Boffin

    subpoenas

    "MSISDN is delivered across the network as the call is routed, appearing in every log all the way & available to every system the call is routed through or used for other purposes whether they be MSCs or Prepay Account Managers, HLRs, MLRs or whatever."

    The type of setup described is probably just an analog FXO to VOIP gateway (ie Linksys) or maybe it is an ISDN to VOIP gateway (ie Patton), in other words customer premises terminal equipment. Such equipment will not be able to see the calling number if the caller ID is withheld. You would indeed need access to the logs of the phone company to know who called in on such a box if the caller ID was withheld.

    I can't speak for BT, but France Telecom, Deutsche Telecom, NTT, Swisscom and Telefonica (places I have had professional experience with this sort of thing) will not reveal who the calling party was unless either law enforcement agencies make a request or a court order is presented.

  25. Anonymous Coward
    Anonymous Coward

    @ Stuart Van Onselen

    "You're kidding, right? Phreakers have been cracking POTS/analogue phone systems since the 70s at least."

    Since the 60's actually and I know that. Its just no one actually does nowadays. Analogue is sooooo last century.

  26. unitron

    Hello, Osama?

    "The blessings of Allah on you, Sheik Bin Laden. You'll never guess who's paying for this phone call!"

  27. This post has been deleted by its author

  28. Anonymous Coward
    Anonymous Coward

    Yeah right,

    they're just trying to get out of paying their phone bills, I suspect.

    Won't someone think of the phone companies.

  29. Ambi Valent
    Black Helicopters

    @ Osama

    "Great now we can use the money you saved to get some new clothes and some milkshakes, Allah be with you"

This topic is closed for new posts.

Other stories you might like