Information technology workers at the US Department of Homeland Security are busy scraping egg off their collective faces after unknown hackers broke into their telephone system and racked up $12,000 in calls to the Middle East and Asia. The hackers made more than 400 calls by accessing the voicemail system of the Federal …
/mails ten year old copies of Phrak and 2600 to the DHS and FEMA. Here ya' go boys and girls. Use that reading material to beef up your PBX security and while you're at it you might want to check for any of those pesky Y2K bugs in the system.
Ooo I feel more secure already.
Mine is the one with the acoustic coupler and TRS80.
"it appears a "hole" was left open by the unidentified contractor who performed the job."
He/she forgot to install the authentication file, bad.
He/she created an admin login to simplify the upgrade process as several reboots and logons are required, and neglected to remove it, worse.
However, I would think it was the former, because if it was the latter, then this "contractor" would have had to tell someone what the admin account password was to access the system. It is the difference between merely being yelled at or fired, and being sent to federal prison.
Paris, because she is as secure as a system can get 8-)
I bet it was a Siemens HiPath System
Easy for installers to forget about v/m security
I had a client a couple of years ago that was hacked over 2 weekends
it cost them next to £20k.
The UK.GOV use some Siemens stuff in the FCO
I wouldn't underestimate the power of an engineering password!!
Coat please, the one with all the Siemens Passwords in the pocket
What's wrong with just a Plain Old Telephone system? Harder to infiltrate that all this digital malarkey, I'll wager, and a lot cheaper too. I don't know of anyone's digital phone system that doesn't keep falling over and getting hacked.
This is the 21st century: phone systems have worked perfectly well for well over a hundred years — until some daftie privatises them and makes them "go digital".
As they Scottish engineer once said, “the more they overthink the plumbing, the easier it is to stop up the drains”.
I often receive calls from overseas where the caller ID I see is a local number. This happens when the folks calling me use cheap wannabe internet telephony providers which use some cheap local setup to terminate the calls using equipment they don't know anything about. The default setup of those VoIP-to-POTS boxes seems to be such that they provide a dialtone without any PIN number set. Apparently, they never consider the possibility that somebody may call the number back and find out.
So, all you have to do is call the number back, wait for the box to pick up and give you a second dialtone, then dial any number you want and it will connect you. If you call witholding your own caller ID, they will not even be able to find out who made calls on their bill.
This is the same Government mind you that wants all of your e-mails to be archived so that they can come after you for spam and other actions for which they deem you to be accountable for. Will they hold themselves to the same standards, what will happen to those government employees responsible for this? A promotiion perhaps? It's good to see that "Homeland Security" relies on contractors that from what has been witnessed with Bushes Iraq, do not have to follow the same rules that our citizens and agents do. Im sure the contractor will never be named, heck they should be given some extra pork for this.
"If you call witholding your own caller ID, they will not even be able to find out who made calls on their bill."
When you withold your number it still travels the entire length of the phone system. It is only the last connection that witholds the A party number depending on whether the caller ID bit is set. Witholding your number does NOT give you any privacy except from the user of the B number.
Why do you think this is all so complicated?
Where I used to work we had a Toshiba phone system. If the voicemail answered the call you could press * during the greeting and then hear a complaint that it wasn't a recognised command. The voicemail system would then volunteer to transfer you to an extension if you knew the number.
If the system hadn't been told to deny access to an outside line at this point the person calling could simply put in a nine and access an outside line before dialing any number they want.
"Heckuva job, Brownie!"
Actually, Brownie's replacement, but I bet he's also just a second-rate horse-show manager.
@Greg Fleming: You're kidding, right? Phreakers have been cracking POTS/analogue phone systems since the 70s at least.
"If you make it, they will come" has become "If you make it, they will hack it".
"Witholding your number does NOT give you any privacy except from the user of the B number."
Smarta$$, I knew that already, but it doesn't mean my statement was wrong. Do you think that guys who are too stupid to configure their gateway so it doesn't give any jack, dick and harry a dialtone will be smart enough to ask the phone company for inbound call records? In fact it isn't always easy to get inbound records, many phone companies will not give them out without a court order.
"many phone companies will not give them out without a court order."
no, "SmartA$$", the MSISDN is delivered across the network as the call is routed, appearing in every log all the way & available to every system the call is routed through or used for other purposes whether they be MSCs or Prepay Account Managers, HLRs, MLRs or whatever.
You said: "If you call witholding your own caller ID, they will not even be able to find out who made calls on their bill."
Yes they will be able to find out. Very easily. Withholding your own callerid ONLY stops the person that answers the B number from seeing your number.
Granted they may be stupid enough not to be able to check logs or ask their supplier to. Also their supplier might be too stupid to check their logs & supply the number. After all, some people are stupid enough to think that witholding callerid actually withholds their phone number.
Anyway, why would they need a court order to view their own data?
You'll be telling me next that BT won't give an itemised phone bill without a court order.
"MSISDN is delivered across the network as the call is routed, appearing in every log all the way & available to every system the call is routed through or used for other purposes whether they be MSCs or Prepay Account Managers, HLRs, MLRs or whatever."
The type of setup described is probably just an analog FXO to VOIP gateway (ie Linksys) or maybe it is an ISDN to VOIP gateway (ie Patton), in other words customer premises terminal equipment. Such equipment will not be able to see the calling number if the caller ID is withheld. You would indeed need access to the logs of the phone company to know who called in on such a box if the caller ID was withheld.
I can't speak for BT, but France Telecom, Deutsche Telecom, NTT, Swisscom and Telefonica (places I have had professional experience with this sort of thing) will not reveal who the calling party was unless either law enforcement agencies make a request or a court order is presented.
Biting the hand that feeds IT © 1998–2019