Information technology workers at the US Department of Homeland Security are busy scraping egg off their collective faces after unknown hackers broke into their telephone system and racked up $12,000 in calls to the Middle East and Asia. The hackers made more than 400 calls by accessing the voicemail system of the Federal …
/mails ten year old copies of Phrak and 2600 to the DHS and FEMA. Here ya' go boys and girls. Use that reading material to beef up your PBX security and while you're at it you might want to check for any of those pesky Y2K bugs in the system.
Ooo I feel more secure already.
Mine is the one with the acoustic coupler and TRS80.
what do you think this is? /. ?
Our tax dollars at work. I LOVE IT
"it appears a "hole" was left open by the unidentified contractor who performed the job."
He/she forgot to install the authentication file, bad.
He/she created an admin login to simplify the upgrade process as several reboots and logons are required, and neglected to remove it, worse.
However, I would think it was the former, because if it was the latter, then this "contractor" would have had to tell someone what the admin account password was to access the system. It is the difference between merely being yelled at or fired, and being sent to federal prison.
Paris, because she is as secure as a system can get 8-)
I feel so much safer knowing my government can't secure it's own phone lines.
and are they going to keep them for 75-years... You bet if I called them they would.
Paris, because she's had her phone stolen too!
I bet it was a Siemens HiPath System
Easy for installers to forget about v/m security
I had a client a couple of years ago that was hacked over 2 weekends
it cost them next to £20k.
The UK.GOV use some Siemens stuff in the FCO
I wouldn't underestimate the power of an engineering password!!
Coat please, the one with all the Siemens Passwords in the pocket
Um whats that chap they are trying to extradite ??? Yeah they might just fucked you over to prove point.
I trust that Kevin will shortly find himself shackled to the wall in a particularly damp corner of your dungeon.
400 calls cost $12,000? Did I get that right? $30 average per call?
Sounds like basic AT&T service back in the day. DHS has never heard of Skype I guess.
First their site falls to an SQL Injection attack, now their phone lines have been hacked. These people are supposed to be protecting me? (Besides, I thought phone hacking was something of the old ages, stamped out long ago...)
What's wrong with just a Plain Old Telephone system? Harder to infiltrate that all this digital malarkey, I'll wager, and a lot cheaper too. I don't know of anyone's digital phone system that doesn't keep falling over and getting hacked.
This is the 21st century: phone systems have worked perfectly well for well over a hundred years — until some daftie privatises them and makes them "go digital".
As they Scottish engineer once said, “the more they overthink the plumbing, the easier it is to stop up the drains”.
I think the mobile business has something to do with that whenever you have enough people interested in a subject (means there is money in it) you get this sort thing as well.
I often receive calls from overseas where the caller ID I see is a local number. This happens when the folks calling me use cheap wannabe internet telephony providers which use some cheap local setup to terminate the calls using equipment they don't know anything about. The default setup of those VoIP-to-POTS boxes seems to be such that they provide a dialtone without any PIN number set. Apparently, they never consider the possibility that somebody may call the number back and find out.
So, all you have to do is call the number back, wait for the box to pick up and give you a second dialtone, then dial any number you want and it will connect you. If you call witholding your own caller ID, they will not even be able to find out who made calls on their bill.
This is the same Government mind you that wants all of your e-mails to be archived so that they can come after you for spam and other actions for which they deem you to be accountable for. Will they hold themselves to the same standards, what will happen to those government employees responsible for this? A promotiion perhaps? It's good to see that "Homeland Security" relies on contractors that from what has been witnessed with Bushes Iraq, do not have to follow the same rules that our citizens and agents do. Im sure the contractor will never be named, heck they should be given some extra pork for this.
"If you call witholding your own caller ID, they will not even be able to find out who made calls on their bill."
When you withold your number it still travels the entire length of the phone system. It is only the last connection that witholds the A party number depending on whether the caller ID bit is set. Witholding your number does NOT give you any privacy except from the user of the B number.
Why do you think this is all so complicated?
Where I used to work we had a Toshiba phone system. If the voicemail answered the call you could press * during the greeting and then hear a complaint that it wasn't a recognised command. The voicemail system would then volunteer to transfer you to an extension if you knew the number.
If the system hadn't been told to deny access to an outside line at this point the person calling could simply put in a nine and access an outside line before dialing any number they want.
"Heckuva job, Brownie!"
Actually, Brownie's replacement, but I bet he's also just a second-rate horse-show manager.
@Greg Fleming: You're kidding, right? Phreakers have been cracking POTS/analogue phone systems since the 70s at least.
"If you make it, they will come" has become "If you make it, they will hack it".
The reason for entering a new password is to prevent any motherphreaker who enters the default password from gaining access.
In short, changing the password allows the system to telephony!
"Witholding your number does NOT give you any privacy except from the user of the B number."
Smarta$$, I knew that already, but it doesn't mean my statement was wrong. Do you think that guys who are too stupid to configure their gateway so it doesn't give any jack, dick and harry a dialtone will be smart enough to ask the phone company for inbound call records? In fact it isn't always easy to get inbound records, many phone companies will not give them out without a court order.
"many phone companies will not give them out without a court order."
no, "SmartA$$", the MSISDN is delivered across the network as the call is routed, appearing in every log all the way & available to every system the call is routed through or used for other purposes whether they be MSCs or Prepay Account Managers, HLRs, MLRs or whatever.
You said: "If you call witholding your own caller ID, they will not even be able to find out who made calls on their bill."
Yes they will be able to find out. Very easily. Withholding your own callerid ONLY stops the person that answers the B number from seeing your number.
Granted they may be stupid enough not to be able to check logs or ask their supplier to. Also their supplier might be too stupid to check their logs & supply the number. After all, some people are stupid enough to think that witholding callerid actually withholds their phone number.
Anyway, why would they need a court order to view their own data?
You'll be telling me next that BT won't give an itemised phone bill without a court order.
"Anyway, why would they need a court order to view their own data?"
because its not their own data, it's the phone company's data.
"You'll be telling me next that BT won't give an itemised phone bill without a court order."
itemised bill only shows outbound calls, not incoming.
"MSISDN is delivered across the network as the call is routed, appearing in every log all the way & available to every system the call is routed through or used for other purposes whether they be MSCs or Prepay Account Managers, HLRs, MLRs or whatever."
The type of setup described is probably just an analog FXO to VOIP gateway (ie Linksys) or maybe it is an ISDN to VOIP gateway (ie Patton), in other words customer premises terminal equipment. Such equipment will not be able to see the calling number if the caller ID is withheld. You would indeed need access to the logs of the phone company to know who called in on such a box if the caller ID was withheld.
I can't speak for BT, but France Telecom, Deutsche Telecom, NTT, Swisscom and Telefonica (places I have had professional experience with this sort of thing) will not reveal who the calling party was unless either law enforcement agencies make a request or a court order is presented.
"You're kidding, right? Phreakers have been cracking POTS/analogue phone systems since the 70s at least."
Since the 60's actually and I know that. Its just no one actually does nowadays. Analogue is sooooo last century.
"The blessings of Allah on you, Sheik Bin Laden. You'll never guess who's paying for this phone call!"
they're just trying to get out of paying their phone bills, I suspect.
Won't someone think of the phone companies.
"Great now we can use the money you saved to get some new clothes and some milkshakes, Allah be with you"
Biting the hand that feeds IT © 1998–2017