Default Passwords Blamed In $55M PBX Hacks
An anonymous reader writes "The Washington Post is reporting that the US Justice Department has indicted three residents of the Philippines for breaking into more than 2,500 corporate PBX systems in the United States and abroad. The government says the hackers sold access to those systems to operators of call centers in Italy, which allegedly made 12 million minutes of unauthorized phone calls through the system, valued at more than $55 million. The DOJ's action coincides with an announcement from Italian authorities today of the arrest of five men there who are suspected of funneling the profits from those call centers to terrorist groups in Southeast Asia."
That's a spicy meatball! (Score:5, Insightful)
Hackers, hacks ??!? (Score:4, Insightful)
If factory-set default passwords were used to gain access to the systems and use them, what exactly did they 'hack'?
That would seem like a typical case of unauthorized use of a system to me, but hardly qualify as 'hacking'. When legal charges are to be brought, use a correct description of the crime, will you?
"Your honor, there was a gaping hole where the door used to be! I didn't even have to touch the doorknob!"
"I don't care! Since a computer system was involved, you broke into the place, understood?"
Re:Hacking? (Score:3, Insightful)
That's different.
A web server is not a home, and web pages not protected by htaccess could presumably be public.
Not using htaccess would probably be counted as constructive permission anyway, since a website has to be published/brought online to be accessed at all, whereas a home has no such requirement to be entered, invasively or otherwise.
Ah, slashdot (Score:2, Insightful)
Good show, old boy.
Re:Feh. (Score:5, Insightful)
Am I the only one that finds this "terrorism" link a bit absurd? Having travelled in SE Asia I sincerely doubt that this money was filtered into "terrorist" hands. All that has happened here is that a small number of enterprising Filipinos have made themselves rich enough to retire (rich enough for their kids to retire in the Philippines). If they've been caught then they've just made the cops rich enough to retire as well.
It just seems the "evil terrorist" card is played every time law enforcement fucks up and wants to keep people from questioning that.
Re:Hackers, hacks ??!? (Score:2, Insightful)
How is it even unauthorized? They used the correct passwords.
Re:Feh. (Score:3, Insightful)
But that's just because we are pretty good at labelling everything "terrorist" right now. It always was a tactic of organized crime to either make the local police part of the organization or assassinate the policemen who didn't conform. Today assassinating a local police officer surely gets labelled "terrorism".
Re:Which one was it? (Score:3, Insightful)
It has nothing to do with the type of PBX, but with the admins using it. And yes, the company I work for mostly keeps the original passwords on the PBX they deploy, because most customers have a lousy policy when it comes to keeping passwords.
So why doesn't your company set the password to a random string, *keep a record for yourself in the customer file*, and then tell the customer what it is?
1) If they change it and keep records for themselves properly. GREAT
2) If they don't change it, and leave it the way you set it up... well not great, but still pretty good. Nobody is ever going to get in remotely. And it's a vast improvement over leaving it on the default. And if they call you for support 5 years from now, and they never changed it, that's exactly what your records are for.
3) If they change it and forget it, well, there's nothing you can do about those people no matter what you do.
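The provisioning step proposed in the comment above, sketched as an added example that is not part of the thread: each deployed PBX gets a random password, and the installer's customer file keeps the record. The JSON customer file, the function names and the `<factory-default>` placeholder are assumptions made for illustration.

```python
import json, os, secrets, string, tempfile
from datetime import datetime, timezone

# Constructed placeholder; real factory defaults come from the vendor's manual.
FACTORY_DEFAULTS = {"<factory-default>"}
ALPHABET = string.ascii_letters + string.digits


def new_password(length=16):
    """Random admin password from the OS CSPRNG, never a factory default."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if pw not in FACTORY_DEFAULTS:
            return pw


def provision(customer_file, pbx_id, length=16):
    """Set a random password for pbx_id and record it in the customer file.

    Returns the password so the installer can hand it to the customer.
    An existing record is kept, so a support call years later still matches.
    """
    records = {}
    if os.path.exists(customer_file):
        with open(customer_file) as fh:
            records = json.load(fh)
    if pbx_id in records:
        return records[pbx_id]["password"]
    records[pbx_id] = {
        "password": new_password(length),
        "set_by": "installer",
        "set_at": datetime.now(timezone.utc).isoformat(),
    }
    # Write atomically with owner-only permissions: the file holds live credentials.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(customer_file)))
    with os.fdopen(fd, "w") as fh:
        json.dump(records, fh, indent=2)
    os.chmod(tmp, 0o600)
    os.replace(tmp, customer_file)
    return records[pbx_id]["password"]


def still_on_default(current_passwords):
    """Given {pbx_id: password currently configured}, list units on a factory default."""
    return sorted(p for p, pw in current_passwords.items() if pw in FACTORY_DEFAULTS)
```

The customer file holds working credentials in the clear, so it belongs on an access-controlled host or inside a password manager rather than in a shared folder.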