Default Passwords Blamed In $55M PBX Hacks 102
An anonymous reader writes "The Washington Post is reporting that the US Justice Department has indicted three residents of the Philippines for breaking into more than 2,500 corporate PBX systems in the United States and abroad. The government says the hackers sold access to those systems to operators of call centers in Italy, which allegedly made 12 million minutes of unauthorized phone calls through the system, valued at more than $55 million. The DOJ's action coincides with an announcement from Italian authorities today of the arrest of five men there who are suspected of funneling the profits from those call centers to terrorist groups in Southeast Asia."
Re: (Score:3, Funny)
access denied
(hint: the default password for the system is "qwert" if this is your first time accessing it)
Re:12345 post (Score:4, Funny)
That's the kinda thing an idiot would have on his luggage.
Re: (Score:3, Funny)
Re: (Score:2)
an idiot would apply to a reply to a slashdot post about a luggage combination and a reply to a reply to a slashdot post about a luggage combination
when they don't recognize the essential humor of recursive, meaningless replies as a form of
Re: (Score:2)
And it nearly matches the default password on most phone stations I am working with (not the PBX though). And because most customers have a very lousy password retainment and password storing policy, the colleagues keep the phone systems on their default passwords. If you know the extension for the modem that connects to the admin console, you could dial in from outside and go forward to administrate...
Re: (Score:1)
That's literally what telemarketers like to use too.
Wanna bet telemarketers are on the list of targets who failed to set any security at all on their PBX's?
Wanna bet
4321 or 0000 or 1234 or 12345 or 00000 was what they had their annoying kit set to I even saw 123 being used as a password.
I worked for a telemarketer before. (Flame suit on) I did, and I noticed a theme, no firewall, simple guessable passwords everywhere. I wanted to add firewalls, and make all the default passwords harder to crack, but they we
That's a spicy meatball! (Score:5, Insightful)
Re:That's a spicy meatball! (Score:5, Funny)
Re: (Score:3, Funny)
That's no way to talk about the phone company.
Re: (Score:2)
Re: (Score:1)
Hacking into PBX systems was something of a pastime for phreakers in the U.S. in the 1980s; who knows, they might still be doing it.The PBX systems would be terminated with toll-free numbers. What the businesses who own the PBXs pay for long distance is a lot higher than what you and I would pay.
The thing is, though, that large U.S. corporations, in particular, have replaced a lot of their traditional lines with VOIP. Since most calls are campus-to-campus -- e.g., at IBM a call between, say, Boca Raton, F
Re: (Score:3, Informative)
I would say quite a few. I have noticed that a lot of VoIP systems are added-on instead of replacing older phone systems. They also already have the copper and it's cheaper to purchase lines by the bundle then to separate them.
BTW, large businesses would connect different campuses across a T1 point to point connection(s) before VoIP was around. Basically, the software/hardware in the phone
Re: (Score:3, Informative)
Re: (Score:1)
I've had poor lines, static and noised in the calls over POTS lines. I'm defining a good quality call as the same as POTS calls on average with the good and the bad and perhaps the added fudder of cordless phone static and so on.
I've been on a couple VoIP calls that I couldn't distinguish between them and a regular call. I do know know how much bandwidth they were using though, it was where the VoIP feature on the phone allowed me to take a Avaya phone home and set it up as an extension to several sites I w
Re: (Score:2)
Here's a quick summary of the codecs and the MOS (essentially call quality) http://www.cisco.com/en/US/tech/tk1077/technologies_tech_note09186a00800b6710.shtml#mos [cisco.com]. The big thing with the compressed codecs is the latency and increased sensitivity to line problems like jitter and dropped packets.
Done right on a network with proper QOS, VOIP using the G.711 codec works great. The big benefit for me is that it eliminated the need for installing an entire cabling plant just for analog voice.
Ah, slashdot (Score:2, Insightful)
Good show, old boy.
Re: (Score:2)
If they were from Italy to the US, that might be right.
Granted, not if you have VoIP or some international long distance plan, but rarely do these kinds of numbers ever show discounted prices.
I'd love to know if this was the source of those annoying "auto warranty" calls I keep getting.
Re: (Score:2)
There are ways around that. Just like the time I call every number in Sunnyvale ca.
Which one was it? (Score:4, Funny)
Re: (Score:2, Informative)
So, linksys?
Re:Which one was it? (Score:4, Informative)
Re: (Score:2)
It has nothing to do with the type of PBX, but with the admins using it. And yes, the company I work for mostly keeps the original passwords on the PBX they deploy, because most customers have a lousy policy when it comes to keep passwords.
Re: (Score:2)
Hey, nice! Say, what's the company called again?
I have something way better for you:
Telindus, which is a large Luxemburgish computer shop, sells computer systems to roughly half the banks in Luxemburg (the land of the banks). Well. One employee told me, that they put the password "telindus" or "password" on them, and then add a big sticker, saying that the new maintainers absolutely must change that password when Telindus is done and gone.
But when they come back, one year later, for some contract-required m
Re: (Score:3, Insightful)
It has nothing to do with the type of PBX, but with the admins using it. And yes, the company I work for mostly keeps the original passwords on the PBX they deploy, because most customers have a lousy policy when it comes to keep passwords.
So why doesn't your company set the password to a random string, *keep a record for yourself in the customer file*, and then tell the customer what it is?
1) If they change it and keep records for themselves properly. GREAT
2) If they don't change it, and leave it the way y
Re: (Score:2)
Because a lot of customers do some maintenance work like administration of extensions, and for that they need the password.
Re: (Score:2)
Because a lot of customers do some maintenance work like administration of extensions, and for that they need the password.
Which is why you give it to them, and keep a record of it. If they never change it and manage it themselves and then they need it, they can call you for it.
I mean, how are they doing admin work now? The only change I'm proposing is giving them a unique password instead of giving all your customers the same password and/or leaving it as the default. Then if they never change it, at least
Re: (Score:2)
Re: (Score:2)
I've seen the same thing happen with Televantage
Re: (Score:1)
Yea well (Score:3, Interesting)
Maybe governments should figure out its the 21st century out there, and stop treating phone traffic as a source of tax revenue, instead of treating it exactly like every other kind of electronic traffic (internet, bank transactions, etc), which is tax free the way it should be. Then those "terrorist groups" would suddenly find themselves out of profit.
CAPTCHA: Rackets. How appropriate.
Re: (Score:2)
Maybe governments should figure out its the 21st century out there, and stop treating phone traffic as a source of tax revenue, instead of treating it exactly like every other kind of electronic traffic (internet, bank transactions, etc), which is tax free the way it should be.
How many governments do you know that willingly gave up entire categories of tax revenue?
GyurcsÃny won the elections with that promise in Hungary, they went through with it, and after a year they gave us a "see, we tried it, didn't work out" speech, and now taxes are higher than ever.
Re: (Score:2)
Or maybe, we should all figure out this is the 21st century, and stop treating phone traffic (and all electronic traffic) like a source of revenue.
While we're at it, I suggest we stop treating health care as a source of revenue, too, unless you are a provider.
I could continue...
Feh. (Score:1, Redundant)
The companies that got 'hacked' should get a serious talking to by the anti-terrorism folks. After all, they played a part in terrorism (or at least, what is called terrorism, who knows what it really funded?), and should be punished!
Not changing default passwords is literally begging for trouble.
Re:Feh. (Score:5, Insightful)
Am I the only one that finds this "terrorism" link a bit absurd. Having travelled in SE Asia I sincerely doubt that this money was filtered into "terrorist" hands. All that has happened here is that a small number of enterprising Philipino's have made themselves rich enough to retire (rich enough for their kids to retire in the Philipines). If they've been caught then they've just made the cops rich enough to retire as well.
It just seems the "evil terrorist" card is played every time law enforcement fucks up and wants to keep people from questioning that.
Re:Feh. (Score:4, Informative)
Re: (Score:3, Insightful)
But that's just because we are pretty good at labelling everything "terrorist" right now. It always was a tactic of the organized crime to either make the local policy part of the organization or assasinate the policemen who didn't conform. Today assasinating a local police officer surely gets labelled "terrorism".
Re: (Score:2)
Citation needed?
Actually, if you travel to SE Asia and have half a clue you see a lot of organised crime, or at least what we westerners consider to be organised crime. Crime and corruption is rife in the poorer SE Asian countries, particularly the Philipines, so much so that it is its own economy. Every business must pay off the police in order to operate (they call this Tea Money), same for many gangs which operate in that area (taxi drivers, scamers a
Re: (Score:2)
Re: (Score:2)
That old chestnut. If you keep repeating the same old line people will stop listening. The families of the Australian Bali bombing victims would resent their problems being used in this fashion, they would like to move on with their lives rather then have this dragged up for more pointless fear mongering. So I'd say the same to you, why don't you go and remind these people of what they
Re: (Score:2)
That's how you get people's attention. Say it's "funding terrorists".
Did you know that marijuana funds terrorism? That argument has been made repeatedly.
Telcos suck (Score:4, Interesting)
12 million minutes of unauthorized phone calls through the system, valued at more than $55 million.
... or a lot less.
$5 per minute?!! Just to route some packets a bit farther?
And then telcos wonder why IP phones are eating their lunch.
Maybe they're using MAFIAA math... Each minute causes $5 worth of damage to their network...?
Re: (Score:2)
Maybe they're using MAFIAA math... Each minute causes $5 worth of damage to their network...?
Obviously, each minute moving terrorist traffic could be spent moving song torrents worth $5 of kickback from the damages awarded to the RIAA members...
Wait, is that what you call cynicism? ;-)
Hacking? (Score:5, Interesting)
These were default passwords on more than likely open ports. I would hardly call that hacking. That would be like walking by a house with an open door and saying you picked the lock by walking inside.
One heck of an expensive lesson to the IT guys responsible. Never leave default passwords is Rule #1. Or at least in the top 3.
Re: (Score:2, Interesting)
Aye, but trespassing is trespassing.
Re: (Score:2)
The AC is right. Interacting with a system without the knowledge and consent of the owner is forbidden, regardless of the ease involved.
Re: (Score:2)
Re: (Score:3, Insightful)
That's different.
A web server is not a home, and web pages not protected by htaccess could presumably be public.
Not using htaccess would probably be counted as constructive permission anyway, since a website has to be published/brought online to be accessed at all, whereas a home has no such requirement to be entered, invasively or otherwise.
Re: (Score:2)
So google breaks the law every time they spider private pages where the owner has neglected to use htaccess ?
Well, what exactly is a "private page" when the owner has neglected to use .htaccess? Seems to me that would be a public page.
Look at the real world: When am I trespassing when I go onto Wal-Mart's private property? If I'm there to buy beer, I'm fine. If I go there with no intent to transact business, and just hang out in the parking lot, it's loitering. If I go past the "Employees Only" sign and start poking around in the stockroom, even if it's unlocked, even if I don't steal anything, it's trespassing.
Re: (Score:2)
Re: (Score:2, Informative)
Now that we have the glaring truisms out of the way... That is entirely irrelevant. The parent was stating that it was not hacking; hacking and trespassing are not the same thing, although one may include the other.
Re: (Score:2)
Re: (Score:1)
Nope. It's not. Hacking still means tinkering. It's just that today, the media uninformed shit-storm even reached the dirty bottom of all Slashdot users.
Here, where we know what we are talking about. We call unauthorized access "cracking" (like you crack a safe).
This is the reference, as long as we still live: http://www.catb.org/jargon/html/H/hacker.html [catb.org] ^^
But I bet you don't even know the jargon file.
Re: (Score:2)
Must I point out my Slashdot ID #, Mr. Six-Digit?
I'm just sayin', it's already encoded in various laws as well as media that "hacking" is a term for unauthorized computer access. Some may still accept using it for "tinkering", but it's clear that the majority of usage is for unauthorized access.
Re: (Score:1)
Re: (Score:3, Funny)
You must work for LifeLock
Re: (Score:3, Funny)
Indeed. The rules of IT:
Re: (Score:1)
Actually, I think it's a corollary to Rule #2, "Only grant access to the people who actually need to have it." HTH.HAND.
Re: (Score:1)
Why does this remind me of The Cuckoo's Egg?
Same problem with default passwords, some 20+ years ago..
I'm well aware that the problems there weren't limited to default passwords, but it's one of those issues you'd think people would be more carefull about these days, at least when it comes to that kind of system.. It's one thing to have a homesystem with lax security, but this? Seriously? I guess it might be a case in point for me to use when explaining to people why it's actually important to try and use pr
Re: (Score:2)
I wouldn't necessarily call it default passwords. I believe I was one of the people victim to this. I have an asterisk PBX setup for my parents at their house so they could call me for free. One of the problems I think with asterisk is that the flag "allowguest" is set to true by default which means random computers on the internet can connect to your box and try to call out. (I also made the mistake of allowing the default dialplan to have a way to dial out on this computer). I noticed this a few weeks pri
Re: (Score:1)
$55 million (Score:2)
Yeah. $55 million dollars in routings costs. Call me an idiot, but I just don't see how they could have used so much electricity that it added up to $55 million dollars. Maybe $54.98 million dollars was for technical support.
Re:$55 million (Score:5, Informative)
You are forgetting the reciprocal costs of phone calls. You break out of the network to another telco, most of the time there are costs per minute. You pay for access to the circuit. Add international calls to this and the numbers climb.
Most telcos have reciprocals in place that say if Telco A made 1000 minutes of calls to Telco B, and Telco B made 1000 minutes to Telco A, they call it quits. Now if A made 1000000 minutes to B, B wants its money. And A has nobody to send the bill to because they were stupid and didn't change the passwords.
Re: (Score:1)
The indictment pdf has some details on how it was made also. There are two different scenarios:
A: the hacker calls the PBX (a cheap call). He then has the PBX make an outgoing call to where the hacker wants to call (an expensive call)
B: the hacker makes the PBX first call up the hacker and then call the other party, thus making the company that owns the PBX pay for both calls.
Hackers, hacks ??!? (Score:4, Insightful)
If factory-set default passwords were used to gain access to the systems and use them, what exactly did they 'hack' ?
That would seem like a typical case of unauthorized use of a system to me, but hardly qualify as 'hacking'. When legal charges are to be brought, use a correct description of the crime, will you?
"Your honor, there was a gaping hole where the door used to be! I didn't even have to touch the doorknob!"
"I don't care! Since a computer system was involved, you broke into the place, understood?"
Re: (Score:1)
That would seem like a typical case of unauthorized use of a system to me, but hardly qualify as 'hacking'. When legal charges are to be brought, use a correct description of the crime, will you?
Stupidity on the part of the legal owner?
Re: (Score:3, Informative)
"Hacking" laws are generally written with that language.
The COMPUTER CRIMES ACT 1997 has as section 3. "Unauthorized access to computer material."
Re: (Score:2, Insightful)
How is it even unauthorized? They used the correct passwords.
Re: (Score:2)
If I hotwire your car and drive it away, I have committed a crime.
If I take your carkeys when you're not looking (even if you absently leave them on my desk) and drive your car away, I have committed a crime.
If you leave the door open and the engine running and I drive your car away, I have committed a crime.
In the end, it comes down to what's customary. If I walk freely into your unlocked house, I'm trespassing. If I do the same with your well lit and unlocked retail store, I'm browsing. However, if there'
Re: (Score:3, Informative)
The last PBX system I did has the default admin password but, 1) it is behind NAT 2) behind firewall 3) truck to main office is wrapped inside the VPN (VPN not default password).
Likely they need a bot net to scan ports, or some social engineering to find their way inside the networks. another option is to trick the box into accepting a second trunk. The last possibility is they placed calls, and knew which keys to get, or which modem type capability's to try and exploit, so have to take several guesses at
Re: (Score:2)
Gary McKinnon wants (Score:2)
What is it with the US gov and the use of MS like default passwords?
http://freegary.org.uk/ [freegary.org.uk]
Privacy? What privacy? (use encryption folks) (Score:3, Informative)
Wait! before I thought only the NSA by statute and Google (because Google is truly eViL by supplying the NSA (& NASA!) with technology & staff), could listen to my phone calls, transcribe, translate, & index them into perpetuity. But now I'm reading the Italian mafia can listen in too?
Of course this explains why the Italian mafia learned awhile ago to encrypt their own calls. On the job training if you ask me.
FWIW, there's an asterisk module for pretty good privacy: http://www.zfoneproject.com/prod_asterisk.html [zfoneproject.com]
http://www.securitymanagement.com/article/new-voip-encryption-challenges-005680 [securitymanagement.com]
Why not?
Sue the people who neglected to change passwords? (Score:2, Interesting)
Its probably a DISA hack (Score:3, Informative)
Guys its probably a DISA they discovered NOT CLI ACCESS TO THE PABX.....
Many PABXs have a feature where a specific incoming extension (DISA) is configured to allow calls to be re-routed from the PABX if you enter the correct PIN.
e.g. you dial into the secret number, enter the secret PIN, then from there you have full access to the PABX's destination codes.
so e.g. if your DISA extension is 333-88888, and PIN is 12345, and you dial 0 for external, then dialling this would work: 333-88888-12345-0-(number you want to dial). The call would then be originated from the PABX instead of the caller.
This is mostly used for troubleshooting because in PABX tie line networks your number codes determine how your calls route, with complex tie line networks you end up with destination codes upon destination codes which require a lot of thinking to get right as its basically a huge, layered sequence of static routes.
Anyhow back in my TDM days I used to run PABXs for a large corporation. A few years before I started the EXACT SAME THING happened to us - someone phreaked the PIN code to the disa number - and was then selling calling cards in the phillipines that rerouted using one of our PABX's DISA lol.
Re: (Score:2)
Anyhow back in my TDM days I used to run PABXs for a large corporation. A few years before I started the EXACT SAME THING happened to us - someone phreaked the PIN code to the disa number - and was then selling calling cards in the phillipines that rerouted using one of our PABX's DISA lol.
back before hacking vs cracking (cracking was what you did to apple ][ games), phreaking was very popular as a teenage sport. PBX's and voicemail systems were popular targets, of course. I had access to a local PBX belong
Which brand(s) of PBX? (Score:1)
I work for a telco and we notice that the vendors who have IT backgrounds often decide that voice is just another kind of data, and frequently have trouble setting up PBX's (like Asterisk). (You ask them if they'd like that PRI as NI-2 Standard and they just mumble at you.)
simple solution.. (Score:3, Funny)
Re: (Score:3, Funny)
Nobody would suspect the
spanishinquisition
Missed Call Centrees (Score:4, Funny)
Re: (Score:2)
Let's assume women can talk on the phone for 16 hours each day (leaving them one hour to eat and use the toilet, seven hours to sleep).
Then, for three people to spend 12 million minutes on the phone would take well over eleven years.
That's 12e6 / 60 / 24 / 365 / 3 * 1.5 = 11.4155...
number of minutes / minutes per hour / hours per day / days per year / number of persons * phone use inefficiency factor (16-vs-24 hours per day).
No wonder people say slashdot is late with the news ;-)
Phreak Freely... (Score:1, Interesting)
It could be done via DISA... But DISA is usually not enabled by default, neither is Trunk to Trunk Transfer.
The brunt of the civil litigation will be aimed at the VAR's and manufacturers. It will be claimed that the breaches happened on their watch and they are therefore responsible. Toll Fraud Prevention is always one the the major selling points of any Maintenance Contract from the VAR's and PBX makers. Unless the PBX's were bought grey-market, and I think it's pretty unlikely that so many switches are fl
This is the bottom of the barrel (Score:2)
So slashdot is now echoing anonymous rumors of blatant lies in its headlines. This is pretty shoddy work, ScuttleMonkey.
55 bucks for 12 minutes of long distance? Not unless you're using an Iridium sat phone! It's typical LEO bullcrap propaganda.
And don't get me started on "financing terrorism". It's the pot calling the snowman "darkie", is what that is.
You're paying how much!? (Score:2)
Are you saying the average cost of a phone call is 4.58$ per minute ?
you need to change your phone company! Calling oversee is usually 5-10 cents max, and maybe 25 centsÂfor far out places.
(unless you really want to call that weird looking pacific island of course...)
Re: (Score:2)
Want to guess how much Bell Canada, charges per/min for a long distance phone call, for a city that is 14mins away from me?
A) 0.02-0.05
B) 0.05-0.10
C) 0.10-0.15
D) None of the Above
If you picked D, you are correct! The correct answer is $0.25/minute. That's right, it costs me less money to call my ex-gf in the Philippines than it does to call a relative who lives in the same county.
Re: (Score:2)
hehe, being in Montreal i fully understand your hate for Bell...(Don't get me started!)
I ditched them for a dry loop with acanac as a provider (could have been with teksavvy too) and use unlimitel for the phone (VoIP)! :)
Changing the password should be a permissive (Score:1)
Basic Security failure (Score:1)