We have all heard of voicemail hacking, but it appears it isn't just the red top gossip rags after your secrets, but also criminal gangs targeting your company telephone system ... and bills.
While outside our IT support remit, this morning we assisted a customer whose telephone system had been hacked over the weekend and, as a consequence, had run up a bill of several thousand pounds in international phone call charges. Not knowing where to start, the customer called us, and what we discovered was quite shocking: just how easily this was effected by hacking the voicemail system. So much so that I thought a security advisory was wise, suggesting that you raise this matter with your telephone supplier as a preventative measure.
A little background
Not so long ago, a telephone answering machine was as secure as the room it was in. It was, essentially, a tape recorder bolted onto a phone. If you called someone and they were out, the tiny cassette inside would record your message so that the intended recipient could play it back later. The only way to "hack" the message would be to steal the cassette itself. But mobile telephony has changed all that. Users now need access to their messages wherever they are and sometimes from more than one phone. This provided a way in for the phone hackers.
In most circumstances there are three common ways a hacker can take control of your phone system and run up huge long distance charges without you knowing:
1. Remote voice mail access is BY FAR the easiest way for a hacker to gain enough access to a phone system to do bad things. Employees want to be able to access information (including voice mail) while out of the office, so your "phone guy" may have set up a way to access your voice mail while you're not in the office - a convenient but hackable feature.
Hacking a voice mail system is quite easy. Once a voice mail system can be accessed by dialling in from an outside line, it can also be hacked by anyone in the world who can call your phone number. Phone Engineers who do installations are unfortunately notorious for leaving system programming and user (voice mail) passwords set to the default password assigned by the manufacturer. Most voice mail systems only allow 4-digit passwords, which means there are 9,999 possible password combinations.
2. Remote Programming has become extremely profitable for phone engineers and leaves you less secure.
Once someone has access to the remote programming, they have complete and full control of all phones, phone lines, call forwarding, voice mail, etc.
3. IP-Phones / Remote Phones have saved businesses tons of money by eliminating long-distance communications costs between offices or remote workers. Newer phone systems use the data network to establish communications with the remote office/worker. If improperly set up/secured, hackers will use the same techniques from items #1 and #2 - default passwords. Once a hacker has successfully registered a remote phone, they act like an extension on your phone system - pick up the phone and start dialling anywhere, any time.
What should you do?
Speak to your telephone system provider and pose the question: is our telephone system secure? While this is the first incident that we have seen, it is by all accounts becoming increasingly common. The steps we have found suggested are often straightforward and include:
- Restrict the use of phone systems to specific dial codes or block all international calls if not required
- Ask if your phone system has a built-in firewall to help prevent your phone system from being hacked
- Prevent call transferring of international calls through your voicemail system.
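As an added illustration (not part of the original advisory, and not any phone vendor's tooling), the sketch below reviews call records the way the first and last steps suggest: it lists international calls that a dial-code restriction would have refused, and totals international minutes placed out of office hours or through a voicemail port. The record layout, the `VM` source prefix, the office hours and every phone number are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample call records: (start, source, dialled digits, minutes).
# The record layout and the "VM" prefix for voicemail ports are assumptions.
SAMPLE_CDR = [
    ("2024-03-08 14:12", "201", "02079460123", 6),     # Friday, national
    ("2024-03-08 16:40", "203", "0033123456789", 4),   # Friday, international
    ("2024-03-09 02:15", "VM1", "0099912345678", 55),  # Saturday, via voicemail
    ("2024-03-09 02:20", "VM1", "0099912345679", 58),
    ("2024-03-10 03:05", "VM1", "+99912345680", 61),   # Sunday, via voicemail
    ("2024-03-11 09:30", "201", "01614960000", 3),     # Monday, national
]

INTL_PREFIXES = ("00", "+")   # UK international access code, or E.164 "+"
OFFICE_DAYS = range(0, 5)     # Monday to Friday
OFFICE_HOURS = range(8, 18)   # 08:00 to 17:59


def country_part(dialled):
    """Return the digits after the international prefix, or None if national."""
    digits = dialled.replace(" ", "")
    for prefix in INTL_PREFIXES:
        if digits.startswith(prefix):
            return digits[len(prefix):]
    return None


def out_of_hours(start):
    t = datetime.strptime(start, "%Y-%m-%d %H:%M")
    return t.weekday() not in OFFICE_DAYS or t.hour not in OFFICE_HOURS


def review_calls(records, allowed_codes=()):
    """Return (calls a dial-code restriction would refuse,
    international minutes per source made out of hours or via voicemail)."""
    refused, alerts = [], defaultdict(int)
    for start, source, dialled, minutes in records:
        rest = country_part(dialled)
        if rest is None:
            continue  # national call, outside the scope of this check
        if not rest.startswith(tuple(allowed_codes)):
            refused.append((start, source, dialled))
        if out_of_hours(start) or source.startswith("VM"):
            alerts[source] += minutes
    return refused, dict(alerts)


if __name__ == "__main__":
    refused, alerts = review_calls(SAMPLE_CDR, allowed_codes=("33",))
    print(len(refused), "calls would be refused;", alerts)
```

Leaving `allowed_codes` empty models blocking all international calls; passing specific country codes models restricting to specific dial codes.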
Managing Director - EasylifeIT
Portions (C) Sean Brown of Sleepy Shark.
3200 years ago, a city stood on the shores of the Hellespont. Already ancient, it was rich beyond compare and with its mighty walls and formidable warriors it dominated all it surveyed on land and sea.
Until, one fine spring day, a thousand sails brought an army the like of which the world had never seen before, which besieged the city for 10 long years. Battles, death and carnage ensued, but the walls still held. Eventually, dispirited, exhausted and denied the riches of the city and their conquest, the army retreated back across the Aegean Sea, leaving as the only sign they had been there a giant effigy of a horse standing on the shore, built from the timbers of their own boats. This was their offering to the Gods to ensure a safe journey home.
Warily emerging from their city, the inhabitants treated the horse initially with suspicion; but they shared the same Gods and were persuaded by the duplicitous to drag the effigy back into the heart of the city, around which they celebrated, drank and made merry. As darkness fell, tired and happy, they retired and all gradually became quiet.
Except there was a sudden noise, a creak of wood; then from the horse emerged a small group of enemy warriors, but there was nobody to see them, nobody to challenge them. Taking the guards by surprise from behind, they then threw open the gates of the city to the army that had not in fact retreated but had been hiding out of sight. Flooding into the city and venting the frustration of 10 long years, the destruction was terrible and utterly complete.
The city was of course Troy, and the effigy by which the city had been tricked and taken has passed into legend as the Trojan horse. So, you might be asking: what has this got to do with IT security?
The Trojan horse is, in today’s parlance, a mechanism by which defences are bypassed and then neutralised through little more than the trust and naivety of the user, causing chaos in its wake. Whoever named this class of viruses certainly knew their classics. To paraphrase Virgil: “beware of geeks bearing gifts”.