
Default Passwords Blamed In $55M PBX Hacks

Posted by ScuttleMonkey
from the god-sex-love dept.
An anonymous reader writes "The Washington Post is reporting that the US Justice Department has indicted three residents of the Philippines for breaking into more than 2,500 corporate PBX systems in the United States and abroad. The government says the hackers sold access to those systems to operators of call centers in Italy, which allegedly made 12 million minutes of unauthorized phone calls through the system, valued at more than $55 million. The DOJ's action coincides with an announcement from Italian authorities today of the arrest of five men there who are suspected of funneling the profits from those call centers to terrorist groups in Southeast Asia."
  • by RickRussellTX (755670) on Saturday June 13, 2009 @03:39AM (#28318085)
    I'm just amazed they found somebody willing to pay almost $5 per minute for long distance.
    • by stephanruby (542433) on Saturday June 13, 2009 @04:18AM (#28318249)
      Hey, they're terrorists! Terrorists get to set their own prices. Also, maybe there is some value in having a voice mail number traceable to a legitimate corporation in the United States. Also, the article confirmed something that I always knew deep down in my gut: telemarketers are terrorists. This makes a lot of sense actually.
      • Re: (Score:3, Funny)

        by PopeRatzo (965947) *

        > Hey, they're terrorists! Terrorists get to set their own prices.

        That's no way to talk about the phone company.

    • Good catch. They were actually paid $100 for each PBX they found, and they found 25,000. So in theory they were paid $2,500,000 (that's roughly 21 cents per minute, plus the operators still had to incur local charges).
      • Hacking into PBX systems was something of a pastime for phreakers in the U.S. in the 1980s; who knows, they might still be doing it. The PBX systems would be terminated with toll-free numbers. What the businesses who own the PBXs pay for long distance is a lot higher than what you and I would pay.

        The thing is, though, that large U.S. corporations, in particular, have replaced a lot of their traditional lines with VOIP. Since most calls are campus-to-campus -- e.g., at IBM a call between, say, Boca Raton, F

        • Re: (Score:3, Informative)

          by sumdumass (711423)

          So I wonder how many of them are still having PBX systems with the ability to call in and dial out via an 800 number?

          I would say quite a few. I have noticed that a lot of VoIP systems are added on instead of replacing older phone systems. They also already have the copper and it's cheaper to purchase lines by the bundle than to separate them.

          BTW, large businesses would connect different campuses across a T1 point to point connection(s) before VoIP was around. Basically, the software/hardware in the phone

          • Re: (Score:3, Informative)

            by fluffy99 (870997)

            > VoIP has come a long way since it started and the bandwidth needed for good quality calls has dropped quite a bit.

            If you define a "good quality call" as the same quality as a POTS line, then VoIP G.711 (no compression) actually requires more bandwidth, as it adds control signaling and you end up needing 80k instead of a single 64k channel per call. It also introduces more timing issues, as IP doesn't guarantee timely or orderly delivery of the packets. If you use a lower quality compression codec like G.729 you can reduce the bandwidth down as far as 8k data and 8k control, but at the expense of reduced voice quality, making it sound like a poor cell phone call.
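The figures in the comment above can be reproduced from the packet headers alone. The script below is an added example, not code from the thread or any vendor: it assumes 40 bytes of IPv4 + UDP + RTP overhead per packet (no layer-2 framing, RTCP, SRTP or VPN overhead) and the nominal codec rates. Under those assumptions the 80k figure for G.711 corresponds to 20 ms packetization, and the "8k data and 8k control" figure for G.729 to 40 ms packetization. The T1 comparison (24 x 64 kbit/s of payload) ties back to the point-to-point T1s mentioned earlier in the thread.

```python
"""Per-call IP bandwidth of a VoIP stream, derived from codec bit rate and packetization interval.

Added example, not from the thread. Assumed per-packet overhead: IPv4 20 + UDP 8 + RTP 12 = 40 bytes;
layer-2 framing, RTCP, SRTP and VPN overhead are deliberately left out.
"""

HEADER_BYTES = 20 + 8 + 12   # IPv4 + UDP + RTP (assumption: no layer-2 or tunnel overhead)
T1_PAYLOAD_KBPS = 24 * 64    # a T1 carries 24 DS0 channels of 64 kbit/s each

# Codec payload bit rates in kbit/s (nominal, no silence suppression)
CODECS = {"G.711": 64, "G.729": 8}


def payload_bytes_per_packet(codec_kbps, ptime_ms):
    """Audio bytes carried in one RTP packet for a given packetization interval."""
    return codec_kbps * ptime_ms / 8          # kbit/s * ms / 8 = bytes


def per_call_kbps(codec_kbps, ptime_ms):
    """Total IP bandwidth of one direction of one call, headers included."""
    packets_per_second = 1000 / ptime_ms
    packet_bytes = payload_bytes_per_packet(codec_kbps, ptime_ms) + HEADER_BYTES
    return packet_bytes * 8 * packets_per_second / 1000


def overhead_kbps(codec_kbps, ptime_ms):
    """The 'control' part of the figure: header bits per second on top of the codec payload."""
    return per_call_kbps(codec_kbps, ptime_ms) - codec_kbps


def calls_per_t1(codec_kbps, ptime_ms):
    """How many simultaneous one-way streams fit in the 1536 kbit/s payload of a T1
    (a TDM T1 carries 24 such channels, so G.711 over IP fits fewer calls on the same pipe)."""
    return int(T1_PAYLOAD_KBPS // per_call_kbps(codec_kbps, ptime_ms))


if __name__ == "__main__":
    for name, rate in CODECS.items():
        for ptime in (10, 20, 40):
            print(f"{name:6} ptime={ptime:2}ms  {per_call_kbps(rate, ptime):5.1f} kbit/s "
                  f"(overhead {overhead_kbps(rate, ptime):4.1f})  calls per T1: {calls_per_t1(rate, ptime)}")
```

Lengthening the packetization interval lowers the header share but adds latency, which is why the trade-off the comment describes (bandwidth against quality) cannot be tuned away entirely.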

            • by sumdumass (711423)

              I've had poor lines, static and noise in the calls over POTS lines. I'm defining a good quality call as the same as POTS calls on average, with the good and the bad and perhaps the added fodder of cordless phone static and so on.

              I've been on a couple of VoIP calls that I couldn't distinguish from a regular call. I do not know how much bandwidth they were using though; it was where the VoIP feature on the phone allowed me to take an Avaya phone home and set it up as an extension to several sites I w

    • by DavidD_CA (750156)

      If they were from Italy to the US, that might be right.

      Granted, not if you have VoIP or some international long distance plan, but rarely do these kinds of numbers ever show discounted prices.

      I'd love to know if this was the source of those annoying "auto warranty" calls I keep getting.

    • There are ways around that. Just like the time I called every number in Sunnyvale, CA.

  • by Laser_iCE (1125271) on Saturday June 13, 2009 @03:40AM (#28318093)
    admin or password?
    • Re: (Score:2, Informative)

      by mail2345 (1201389)
      Article: mainly by exploiting factory-set or default passwords on the voicemail systems
      So, Linksys?
      • Re:Which one was it? (Score:4, Informative)

        by infolation (840436) on Saturday June 13, 2009 @05:05AM (#28318371)
        Actually the DoJ papers say the PBX systems were Nortel, Lucent, Bizphone and Panasonic.
      • by Lennie (16154)

        I've seen the same thing happen with Televantage

    • Most likely, the username...
  • Yea well (Score:3, Interesting)

    by Anonymous Coward on Saturday June 13, 2009 @03:40AM (#28318095)

    Maybe governments should figure out it's the 21st century out there, and stop treating phone traffic as a source of tax revenue, and instead treat it exactly like every other kind of electronic traffic (internet, bank transactions, etc.), which is tax free the way it should be. Then those "terrorist groups" would suddenly find themselves out of profit.

    CAPTCHA: Rackets. How appropriate.

    • by Jurily (900488)

      > Maybe governments should figure out it's the 21st century out there, and stop treating phone traffic as a source of tax revenue, and instead treat it exactly like every other kind of electronic traffic (internet, bank transactions, etc.), which is tax free the way it should be.

      How many governments do you know that willingly gave up entire categories of tax revenue?

      Gyurcsány won the elections with that promise in Hungary, they went through with it, and after a year they gave us a "see, we tried it, didn't work out" speech, and now taxes are higher than ever.

    • by PopeRatzo (965947) *

      Or maybe, we should all figure out this is the 21st century, and stop treating phone traffic (and all electronic traffic) like a source of revenue.

      While we're at it, I suggest we stop treating health care as a source of revenue, too, unless you are a provider.

      I could continue...

  • Feh. (Score:1, Redundant)

    by Renraku (518261)

    The companies that got 'hacked' should get a serious talking to by the anti-terrorism folks. After all, they played a part in terrorism (or at least, what is called terrorism, who knows what it really funded?), and should be punished!

    Not changing default passwords is literally begging for trouble.

    • Re:Feh. (Score:5, Insightful)

      by mjwx (966435) on Saturday June 13, 2009 @06:44AM (#28318711)

      > The companies that got 'hacked' should get a serious talking to by the anti-terrorism folks.

      Am I the only one that finds this "terrorism" link a bit absurd? Having travelled in SE Asia I sincerely doubt that this money was filtered into "terrorist" hands. All that has happened here is that a small number of enterprising Filipinos have made themselves rich enough to retire (rich enough for their kids to retire in the Philippines). If they've been caught then they've just made the cops rich enough to retire as well.

      It just seems the "evil terrorist" card is played every time law enforcement fucks up and wants to keep people from questioning that.

      • Re:Feh. (Score:4, Informative)

        by DNS-and-BIND (461968) on Saturday June 13, 2009 @11:08AM (#28319951) Homepage
        Actually a lot of organized crime funds terrorism. I'm sure on your travels in SE Asia, you didn't see any so obviously it doesn't exist [gulfnews.com]. If it seems absurd to you, then we're sorry and will try to let reality intrude less next time.
        • Re: (Score:3, Insightful)

          by Sique (173459)

          But that's just because we are pretty good at labelling everything "terrorist" right now. It always was a tactic of organized crime to either make the local police part of the organization or assassinate the policemen who didn't conform. Today assassinating a local police officer surely gets labelled "terrorism".

        • by mjwx (966435)

          > Actually a lot of organised crime funds terrorism

          Citation needed?

          Actually, if you travel to SE Asia and have half a clue you see a lot of organised crime, or at least what we westerners consider to be organised crime. Crime and corruption is rife in the poorer SE Asian countries, particularly the Philippines, so much so that it is its own economy. Every business must pay off the police in order to operate (they call this Tea Money), same for many gangs which operate in that area (taxi drivers, scammers a

      • by afidel (530433)
        Uh, tell that to the people who lost loved ones in Bali, I'd say there are plenty of radical Muslim terrorists in SE Asia.
        • by mjwx (966435)

          > Uh, tell that to the people who lost loved ones in Bali, I'd say there are plenty of radical Muslim terrorists in SE Asia.

          That old chestnut. If you keep repeating the same old line people will stop listening. The families of the Australian Bali bombing victims would resent their problems being used in this fashion; they would like to move on with their lives rather than have this dragged up for more pointless fear mongering. So I'd say the same to you, why don't you go and remind these people of what they

    • by PopeRatzo (965947) *

      > or at least, what is called terrorism

      That's how you get people's attention. Say it's "funding terrorists".

      Did you know that marijuana funds terrorism? That argument has been made repeatedly.

  • Telcos suck (Score:4, Interesting)

    by Anonymous Coward on Saturday June 13, 2009 @03:43AM (#28318111)

    > 12 million minutes of unauthorized phone calls through the system, valued at more than $55 million.

    ... or a lot less.
    $5 per minute?!! Just to route some packets a bit farther?
    And then telcos wonder why IP phones are eating their lunch.

    Maybe they're using MAFIAA math... Each minute causes $5 worth of damage to their network...?

    • > Maybe they're using MAFIAA math... Each minute causes $5 worth of damage to their network...?

      Obviously, each minute moving terrorist traffic could be spent moving song torrents worth $5 of kickback from the damages awarded to the RIAA members...

      Wait, is that what you call cynicism? ;-)

  • Hacking? (Score:5, Interesting)

    by EdIII (1114411) * on Saturday June 13, 2009 @03:47AM (#28318123)

    These were default passwords on more than likely open ports. I would hardly call that hacking. That would be like walking by a house with an open door and saying you picked the lock by walking inside.

    One heck of an expensive lesson to the IT guys responsible. Never leave default passwords is Rule #1. Or at least in the top 3.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Aye, but trespassing is trespassing.

      • by iluvcapra (782887)

        The AC is right. Interacting with a system without the knowledge and consent of the owner is forbidden, regardless of the ease involved.

        • by smoker2 (750216)
          So google breaks the law every time they spider private pages where the owner has neglected to use htaccess ?
          • Re: (Score:3, Insightful)

            by shentino (1139071)

            That's different.

            A web server is not a home, and web pages not protected by htaccess could presumably be public.

            Not using htaccess would probably be counted as constructive permission anyway, since a website has to be published/brought online to be accessed at all, whereas a home has no such requirement to be entered, invasively or otherwise.

          • > So google breaks the law every time they spider private pages where the owner has neglected to use htaccess?

            Well, what exactly is a "private page" when the owner has neglected to use .htaccess? Seems to me that would be a public page.

            Look at the real world: When am I trespassing when I go onto Wal-Mart's private property? If I'm there to buy beer, I'm fine. If I go there with no intent to transact business, and just hang out in the parking lot, it's loitering. If I go past the "Employees Only" sign and start poking around in the stockroom, even if it's unlocked, even if I don't steal anything, it's trespassing.

          • by Muad'Dave (255648)
            As long as they abide by robots.txt, they're only searching/indexing public pages - htaccess is not necessary.
      • Re: (Score:2, Informative)

        "trespassing is trespassing"

        Now that we have the glaring truisms out of the way... That is entirely irrelevant. The parent was stating that it was not hacking; hacking and trespassing are not the same thing, although one may include the other.
        • by identity0 (77976)
          "Hacking" means "unauthorized access to computers/other technology" in common usage and nowadays actual law. Get over it, the "Hacking = tinkering" thing was lost in the '90s.
          • Nope. It's not. Hacking still means tinkering. It's just that today, the media uninformed shit-storm even reached the dirty bottom of all Slashdot users.

            Here, where we know what we are talking about, we call unauthorized access "cracking" (like you crack a safe).

            This is the reference, as long as we still live: http://www.catb.org/jargon/html/H/hacker.html [catb.org] ^^
            But I bet you don't even know the jargon file.

            • by identity0 (77976)

              Must I point out my Slashdot ID #, Mr. Six-Digit?

              I'm just sayin', it's already encoded in various laws as well as media that "hacking" is a term for unauthorized computer access. Some may still accept using it for "tinkering", but it's clear that the majority of usage is for unauthorized access.

    • by houghi (78078)

      That could never happen to where I work. We use the default password on the PBX, but it is protected by a Cisco router. Encrypted password, so it can never be found out. In fact I am so sure of that that I just post it here: 095c4f1a0a1218000f.
      Obviously you need the address as well. That is http://hackme.houghi.org/ [houghi.org]

    • Re: (Score:3, Funny)

      by iamdrscience (541136)

      > Never leave default passwords is Rule #1. Or at least in the top 3.

      Indeed. The rules of IT:

      1. You do not talk about IT.
      2. You DO NOT talk about IT.
      3. Never leave default passwords.
      4. No girls allowed.
    • by jonadab (583620)
      > Never leave default passwords is Rule #1. Or at least in the top 3.

      Actually, I think it's a corollary to Rule #2, "Only grant access to the people who actually need to have it." HTH.HAND.
    • by nausicaa (461792)

      Why does this remind me of The Cuckoo's Egg?

      Same problem with default passwords, some 20+ years ago..

      I'm well aware that the problems there weren't limited to default passwords, but it's one of those issues you'd think people would be more careful about these days, at least when it comes to that kind of system. It's one thing to have a home system with lax security, but this? Seriously? I guess it might be a case in point for me to use when explaining to people why it's actually important to try and use pr

    • by timmyd (108567)

      I wouldn't necessarily call it default passwords. I believe I was one of the people who fell victim to this. I have an Asterisk PBX set up for my parents at their house so they could call me for free. One of the problems I think with Asterisk is that the flag "allowguest" is set to true by default, which means random computers on the internet can connect to your box and try to call out. (I also made the mistake of allowing the default dialplan to have a way to dial out on this computer). I noticed this a few weeks pri
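A way to check a chan_sip configuration for exactly the exposure timmyd describes (guest SIP calls accepted, and the context guests land in able to dial out). This is an added example, not timmyd's configuration or Asterisk project code; the sip.conf and extensions.conf fragments, the peer names and the trunk channel prefixes in TRUNK_CHANNELS are constructed. It applies to chan_sip, the SIP channel driver in use in 2009; the PJSIP driver in later Asterisk releases uses different option names.

```python
"""Audit an Asterisk chan_sip configuration for the anonymous-caller exposure described above.

Added example, not timmyd's setup or Asterisk project code. It checks two things:
  1. allowguest in sip.conf [general] (chan_sip treats a missing value as 'yes')
  2. whether the context guests land in contains a Dial() to an outbound trunk
The config fragments and the trunk channel names are constructed for this example.
"""
import re

SECTION_RE = re.compile(r"^\[([^\]]+)\]")
# Channel prefixes that reach the PSTN in this (assumed) deployment
TRUNK_CHANNELS = ("SIP/trunk/", "DAHDI/")


def parse_asterisk_conf(text):
    """Minimal parser for Asterisk's INI-like files: 'key=value' or 'key => value', ';' comments.
    Returns {section: [(key, value), ...]}, keeping duplicate keys such as repeated 'exten'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            continue                        # ignore stray lines before the first section
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.lstrip(">").strip()))
    return sections


def audit_guest_access(sip_conf, extensions_conf, trunks=TRUNK_CHANNELS):
    """Return a list of findings; an empty list means no anonymous outbound path was found."""
    sip = parse_asterisk_conf(sip_conf)
    dialplan = parse_asterisk_conf(extensions_conf)
    general = dict(sip.get("general", []))
    findings = []

    allowguest = general.get("allowguest", "yes").lower()   # chan_sip default
    if allowguest != "no":
        findings.append(f"sip.conf: allowguest={allowguest}; unauthenticated SIP callers are accepted")

    guest_context = general.get("context", "default")       # chan_sip default context
    for key, value in dialplan.get(guest_context, []):
        if key.lower() == "exten" and any(f"Dial({t}" in value for t in trunks):
            findings.append(f"extensions.conf: guest context [{guest_context}] dials a trunk: {value}")
    return findings


# Constructed 'before' fragments: allowguest left at its default, guests land in [default], which dials out
WEAK_SIP_CONF = """\
[general]
context=default          ; unauthenticated callers land here
bindport=5060

[parents]
type=friend
secret=changeme
context=internal
"""
WEAK_EXTENSIONS = """\
[default]
exten => _9X.,1,Dial(SIP/trunk/${EXTEN:1})   ; outbound from the guest context
exten => 100,1,Dial(SIP/parents)

[internal]
exten => _9X.,1,Dial(SIP/trunk/${EXTEN:1})
"""

# Constructed 'after' fragments: guests refused, and the fallback context cannot reach a trunk
HARDENED_SIP_CONF = """\
[general]
allowguest=no
context=public           ; only matters if allowguest is ever re-enabled
bindport=5060

[parents]
type=friend
secret=<long random secret>
context=internal
"""
HARDENED_EXTENSIONS = """\
[public]
exten => _X.,1,Hangup()

[internal]
exten => _9X.,1,Dial(SIP/trunk/${EXTEN:1})
"""

if __name__ == "__main__":
    print("weak:", audit_guest_access(WEAK_SIP_CONF, WEAK_EXTENSIONS))
    print("hardened:", audit_guest_access(HARDENED_SIP_CONF, HARDENED_EXTENSIONS))
```

The two checks are deliberately independent: turning allowguest off closes the door, and keeping trunk Dial() lines out of the guest context limits the damage if someone reopens it later.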

  • Yeah. $55 million dollars in routing costs. Call me an idiot, but I just don't see how they could have used so much electricity that it added up to $55 million dollars. Maybe $54.98 million dollars was for technical support.

    • Re:$55 million (Score:5, Informative)

      by bruce_the_loon (856617) on Saturday June 13, 2009 @03:59AM (#28318173) Homepage

      You are forgetting the reciprocal costs of phone calls. You break out of the network to another telco, most of the time there are costs per minute. You pay for access to the circuit. Add international calls to this and the numbers climb.

      Most telcos have reciprocals in place that say if Telco A made 1000 minutes of calls to Telco B, and Telco B made 1000 minutes to Telco A, they call it quits. Now if A made 1000000 minutes to B, B wants its money. And A has nobody to send the bill to because they were stupid and didn't change the passwords.

      • by rundgong (1575963)
        Since it was PBXs that were hacked it is not really related to the telcos, but rather it is telephony switches at other companies.

        The indictment pdf has some details on how it was made also. There are two different scenarios:
        A: the hacker calls the PBX (a cheap call). He then has the PBX make an outgoing call to where the hacker wants to call (an expensive call)
        B: the hacker makes the PBX first call up the hacker and then call the other party, thus making the company that owns the PBX pay for both calls.
  • by Alwin Henseler (640539) on Saturday June 13, 2009 @03:58AM (#28318165) Homepage

    If factory-set default passwords were used to gain access to the systems and use them, what exactly did they 'hack' ?

    That would seem like a typical case of unauthorized use of a system to me, but hardly qualify as 'hacking'. When legal charges are to be brought, use a correct description of the crime, will you?

    "Your honor, there was a gaping hole where the door used to be! I didn't even have to touch the doorknob!"
    "I don't care! Since a computer system was involved, you broke into the place, understood?"

    • > That would seem like a typical case of unauthorized use of a system to me, but hardly qualify as 'hacking'. When legal charges are to be brought, use a correct description of the crime, will you?

      Stupidity on the part of the legal owner?

    • Re: (Score:3, Informative)

      by dns_server (696283)

      "Hacking" laws are generally written with that language.
      The COMPUTER CRIMES ACT 1997 has as section 3. "Unauthorized access to computer material."

    • Re: (Score:2, Insightful)

      by Thaelon (250687)

      How is it even unauthorized? They used the correct passwords.

      • by sjames (1099)

        If I hotwire your car and drive it away, I have committed a crime.

        If I take your car keys when you're not looking (even if you absently leave them on my desk) and drive your car away, I have committed a crime.

        If you leave the door open and the engine running and I drive your car away, I have committed a crime.

        In the end, it comes down to what's customary. If I walk freely into your unlocked house, I'm trespassing. If I do the same with your well lit and unlocked retail store, I'm browsing. However, if there'

    • Re: (Score:3, Informative)

      by Dare nMc (468959)

      The last PBX system I did has the default admin password but, 1) it is behind NAT, 2) behind a firewall, 3) the trunk to the main office is wrapped inside the VPN (VPN not default password).
      Likely they need a bot net to scan ports, or some social engineering to find their way inside the networks. Another option is to trick the box into accepting a second trunk. The last possibility is they placed calls, and knew which keys to get, or which modem type capabilities to try and exploit, so have to take several guesses at

    • "You make an excellent point, but your overall case suffers because you stole the 60 inch plasma screen and the family dog."
  • His intellectual property back.
    What is it with the US gov and the use of MS like default passwords?
    http://freegary.org.uk/ [freegary.org.uk]
  • by operator_error (1363139) on Saturday June 13, 2009 @04:51AM (#28318329)

    Wait! before I thought only the NSA by statute and Google (because Google is truly eViL by supplying the NSA (& NASA!) with technology & staff), could listen to my phone calls, transcribe, translate, & index them into perpetuity. But now I'm reading the Italian mafia can listen in too?

    Of course this explains why the Italian mafia learned a while ago to encrypt their own calls. On the job training if you ask me.

    FWIW, there's an asterisk module for pretty good privacy: http://www.zfoneproject.com/prod_asterisk.html [zfoneproject.com]

    http://www.securitymanagement.com/article/new-voip-encryption-challenges-005680 [securitymanagement.com]

    Why not?

  • Is it illegal to support terrorism by remiss? The people who left those default passwords have indirectly supported terrorists, even if it was unintentional. Can they be sentenced for that, should they be? I think they ought to be fined for it, but I don't think they deserve as harsh a punishment as the people who abused the systems for economical gain.
  • by wintermute000 (928348) on Saturday June 13, 2009 @07:10AM (#28318783)

    Guys it's probably a DISA they discovered NOT CLI ACCESS TO THE PABX.....

    Many PABXs have a feature where a specific incoming extension (DISA) is configured to allow calls to be re-routed from the PABX if you enter the correct PIN.

    e.g. you dial into the secret number, enter the secret PIN, then from there you have full access to the PABX's destination codes.
    so e.g. if your DISA extension is 333-88888, and PIN is 12345, and you dial 0 for external, then dialling this would work: 333-88888-12345-0-(number you want to dial). The call would then be originated from the PABX instead of the caller.

    This is mostly used for troubleshooting because in PABX tie line networks your number codes determine how your calls route; with complex tie line networks you end up with destination codes upon destination codes which require a lot of thinking to get right, as it's basically a huge, layered sequence of static routes.

    Anyhow back in my TDM days I used to run PABXs for a large corporation. A few years before I started the EXACT SAME THING happened to us - someone phreaked the PIN code to the DISA number - and was then selling calling cards in the Philippines that rerouted using one of our PABX's DISA lol.
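On the detection side, both indictment scenarios rundgong summarised earlier in the thread (A: an inbound DISA call chained to an outbound call; B: the PBX placing two outbound legs and bridging them) and the DISA abuse wintermute000 describes leave a signature in the PBX's call detail records. The script below is an added example, not code from the thread or from any PBX vendor: the CSV layout, the "disa" note marking calls that entered via the DISA extension, the 333-88888 extension taken from the post above, and all phone numbers are constructed.

```python
"""Toll-fraud indicators over PBX call detail records (CDRs).

Added example, not from the thread or any vendor. It encodes the two indictment scenarios
rundgong summarised (A: inbound DISA call chained to an outbound call; B: the PBX placing
two outbound legs and bridging them) plus an off-hours international-minutes tally.
The CSV layout, the DISA extension 333-88888 from the post, and all numbers are constructed.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

FIELDS = ["start", "direction", "trunk", "src", "dst", "seconds", "note"]

# Constructed CDR export. 'disa' in the note column marks a call that entered via the DISA extension.
SAMPLE_CDR = """\
2009-06-12T23:58:10,in,PRI1,+630000000001,333-88888,740,disa
2009-06-12T23:58:31,out,PRI1,333-88888,+390000000001,712,disa-originated
2009-06-13T00:01:02,in,PRI1,+630000000001,333-88888,905,disa
2009-06-13T00:01:20,out,PRI2,333-88888,+390000000002,880,disa-originated
2009-06-13T02:10:00,out,PRI1,5000,+630000000001,600,callback
2009-06-13T02:10:15,out,PRI2,5000,+390000000003,590,bridged
2009-06-13T09:15:00,in,PRI1,+12125550100,2104,180,
2009-06-13T10:02:00,out,PRI1,2104,+12125550199,240,
"""


def parse_cdr(text):
    """Parse the constructed CSV layout into time-sorted dicts with typed start/seconds."""
    records = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        row["start"] = datetime.fromisoformat(row["start"])
        row["seconds"] = int(row["seconds"])
        records.append(row)
    return sorted(records, key=lambda r: r["start"])


def is_international(number, home_cc="+1"):
    return number.startswith("+") and not number.startswith(home_cc)


def disa_chains(records, window=timedelta(seconds=60)):
    """Scenario A: an inbound DISA call followed, within `window`, by an outbound call
    whose source is the DISA extension. Returns (inbound start, caller, destination, seconds)."""
    hits = []
    for r in (x for x in records if x["direction"] == "in" and x["note"] == "disa"):
        for o in records:
            if o["direction"] != "out" or o["src"] != r["dst"]:
                continue
            gap = (o["start"] - r["start"]).total_seconds()
            if 0 <= gap <= window.total_seconds():
                hits.append((r["start"], r["src"], o["dst"], o["seconds"]))
    return hits


def trunk_to_trunk(records, window=timedelta(seconds=60)):
    """Scenario B: two outbound legs from the same internal source started within `window`
    of each other, i.e. the PBX calling two outside parties and bridging them."""
    outs = [x for x in records if x["direction"] == "out"]
    hits = []
    for i, a in enumerate(outs):
        for b in outs[i + 1:]:
            if (b["start"] - a["start"]).total_seconds() > window.total_seconds():
                break                      # outs are time-sorted, later legs are further away
            if a["src"] == b["src"] and a["dst"] != b["dst"]:
                hits.append((a["start"], a["src"], a["dst"], b["dst"]))
    return hits


def off_hours_international_minutes(records, home_cc="+1", night=(22, 6)):
    """Minutes of outbound international calling per source between 22:00 and 06:00,
    the window in which a fraud run stands out against normal business traffic."""
    totals = defaultdict(int)
    for r in records:
        if r["direction"] != "out" or not is_international(r["dst"], home_cc):
            continue
        hour = r["start"].hour
        if hour >= night[0] or hour < night[1]:
            totals[r["src"]] += r["seconds"]
    return {src: secs / 60 for src, secs in totals.items()}


if __name__ == "__main__":
    recs = parse_cdr(SAMPLE_CDR)
    print("DISA chains:", disa_chains(recs))
    print("trunk-to-trunk pairs:", trunk_to_trunk(recs))
    print("off-hours international minutes:", off_hours_international_minutes(recs))
```

Against a real export, FIELDS has to be adjusted to the switch's column order and the "disa" marker replaced by whatever the switch logs for DISA entry; the correlation window and night hours are the knobs to tune for a busy system. Because the per-minute charges the thread argues about accrue on the outbound legs, a daily run of the off-hours tally is the cheapest early warning.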

    • > Anyhow back in my TDM days I used to run PABXs for a large corporation. A few years before I started the EXACT SAME THING happened to us - someone phreaked the PIN code to the DISA number - and was then selling calling cards in the Philippines that rerouted using one of our PABX's DISA lol.

      Back before hacking vs cracking (cracking was what you did to Apple ][ games), phreaking was very popular as a teenage sport. PBX's and voicemail systems were popular targets, of course. I had access to a local PBX belong

  • Does anyone know which brand(s) of PBX were 'hacked'? Were these 'traditional' PBX's or were many (most?) of them VoIP systems?

    I work for a telco and we notice that the vendors who have IT backgrounds often decide that voice is just another kind of data, and frequently have trouble setting up PBX's (like Asterisk). (You ask them if they'd like that PRI as NI-2 Standard and they just mumble at you.)

  • by orange47 (1519059) on Saturday June 13, 2009 @09:55AM (#28319521)
    ..make all default passwords hard to guess!
  • by Luthair (847766) on Saturday June 13, 2009 @10:37AM (#28319743)
    At first I thought it was trying to claim that 3 men used 12 million minutes of phone time, I mean three women I could believe!
    • Let's assume women can talk on the phone for 16 hours each day (leaving them one hour to eat and use the toilet, seven hours to sleep).

      Then, for three people to spend 12 million minutes on the phone would take well over eleven years.

      That's 12e6 / 60 / 24 / 365 / 3 * 1.5 = 11.4155...

      number of minutes / minutes per hour / hours per day / days per year / number of persons * phone use inefficiency factor (16-vs-24 hours per day).

      No wonder people say slashdot is late with the news ;-)

  • Phreak Freely... (Score:1, Interesting)

    by Anonymous Coward

    It could be done via DISA... But DISA is usually not enabled by default, neither is Trunk to Trunk Transfer.

    The brunt of the civil litigation will be aimed at the VAR's and manufacturers. It will be claimed that the breaches happened on their watch and they are therefore responsible. Toll Fraud Prevention is always one of the major selling points of any Maintenance Contract from the VAR's and PBX makers. Unless the PBX's were bought grey-market, and I think it's pretty unlikely that so many switches are fl

  • So slashdot is now echoing anonymous rumors of blatant lies in its headlines. This is pretty shoddy work, ScuttleMonkey.

    55 bucks for 12 minutes of long distance? Not unless you're using an Iridium sat phone! It's typical LEO bullcrap propaganda.

    And don't get me started on "financing terrorism". It's the pot calling the snowman "darkie", is what that is.

  • Are you saying the average cost of a phone call is $4.58 per minute?
    You need to change your phone company! Calling overseas is usually 5-10 cents max, and maybe 25 cents for far out places.
    (unless you really want to call that weird looking pacific island of course...)

    • by Mashiki (184564)

      Want to guess how much Bell Canada charges per minute for a long distance phone call, for a city that is 14 minutes away from me?

      A) 0.02-0.05
      B) 0.05-0.10
      C) 0.10-0.15
      D) None of the Above

      If you picked D, you are correct! The correct answer is $0.25/minute. That's right, it costs me less money to call my ex-gf in the Philippines than it does to call a relative who lives in the same county.

      • by alexandre (53) *

        hehe, being in Montreal I fully understand your hate for Bell... (Don't get me started!)

        I ditched them for a dry loop with acanac as a provider (could have been with teksavvy too) and use unlimitel for the phone (VoIP)! :)

  • You should not be allowed to get the system running unless you change all the default passwords. Too bad if this a problem. The documentation should say in big letters "NOTE: THIS SYSTEM WILL NOT OPERATE UNTIL YOU PROVIDE NEW PASSWORDS FOR ALL ITEMS THAT HAVE PASSWORDS. To do this please follow these instructions..."
  • I'm just shocked that no one ever thought to change the password! Even a weak password is better than default. I guess someone will be writing a 10 page paper, aka, an SOP.
