
Default Passwords Blamed In $55M PBX Hacks

An anonymous reader writes "The Washington Post is reporting that the US Justice Department has indicted three residents of the Philippines for breaking into more than 2,500 corporate PBX systems in the United States and abroad. The government says the hackers sold access to those systems to operators of call centers in Italy, which allegedly made 12 million minutes of unauthorized phone calls through the system, valued at more than $55 million. The DOJ's action coincides with an announcement from Italian authorities today of the arrest of five men there who are suspected of funneling the profits from those call centers to terrorist groups in Southeast Asia."

  • Yea well (Score:3, Interesting)

    by Anonymous Coward on Saturday June 13, 2009 @03:40AM (#28318095)

    Maybe governments should figure out it's the 21st century out there, and stop treating phone traffic as a source of tax revenue, instead of treating it exactly like every other kind of electronic traffic (internet, bank transactions, etc), which is tax free the way it should be. Then those "terrorist groups" would suddenly find themselves out of profit.

    CAPTCHA: Rackets. How appropriate.

  • Telcos suck (Score:4, Interesting)

    by Anonymous Coward on Saturday June 13, 2009 @03:43AM (#28318111)

    12 million minutes of unauthorized phone calls through the system, valued at more than $55 million.

    ... or a lot less.
    $5 per minute?!! Just to route some packets a bit farther?
    And then telcos wonder why IP phones are eating their lunch.

    Maybe they're using MAFIAA math... Each minute causes $5 worth of damage to their network...?

  • Hacking? (Score:5, Interesting)

    by EdIII ( 1114411 ) * on Saturday June 13, 2009 @03:47AM (#28318123)

    These were default passwords on more than likely open ports. I would hardly call that hacking. That would be like walking by a house with an open door and saying you picked the lock by walking inside.

    One heck of an expensive lesson to the IT guys responsible. Never leave default passwords is Rule #1. Or at least in the top 3.

  • Re:Hacking? (Score:2, Interesting)

    by Anonymous Coward on Saturday June 13, 2009 @04:52AM (#28318331)

    Aye, but trespassing is trespassing.

  • by kasperd ( 592156 ) on Saturday June 13, 2009 @05:46AM (#28318539) Homepage Journal
    Is it illegal to support terrorism by remiss? The people who left those default passwords have indirectly supported terrorists, even if it was unintentional. Can they be sentenced for that, should they be? I think they ought to be fined for it, but I don't think they deserve as harsh a punishment as the people who abused the systems for economical gain.
  • Phreak Freely... (Score:1, Interesting)

    by Anonymous Coward on Saturday June 13, 2009 @11:00AM (#28319893)

    It could be done via DISA... But DISA is usually not enabled by default, neither is Trunk to Trunk Transfer.

    The brunt of the civil litigation will be aimed at the VARs and manufacturers. It will be claimed that the breaches happened on their watch and they are therefore responsible. Toll Fraud Prevention is always one of the major selling points of any Maintenance Contract from the VARs and PBX makers. Unless the PBXs were bought grey-market, and I think it's pretty unlikely that so many switches are floating around on the grey-market. Most IT departments don't admin their own switches beyond simple MAC... Rarely do you meet anyone in corporate IT that understands Dialplans, CoS, CoR, etc... unless the Telco side is their specialty... sadly, they are a dying breed.

    Anyone that bashes the Filipinos as terrorists is simply a bigoted nitwit. If you have spent any time in Telco, you know that some of the best and brightest are the Filipino techs. Just too bad that a couple of them used their talents for criminal purposes.

    One question that begs to be asked: was it a Cust level default password or a Vendor level default?
