Default Passwords Blamed In $55M PBX Hacks

An anonymous reader writes "The Washington Post is reporting that the US Justice Department has indicted three residents of the Philippines for breaking into more than 2,500 corporate PBX systems in the United States and abroad. The government says the hackers sold access to those systems to operators of call centers in Italy, which allegedly made 12 million minutes of unauthorized phone calls through the system, valued at more than $55 million. The DOJ's action coincides with an announcement from Italian authorities today of the arrest of five men there who are suspected of funneling the profits from those call centers to terrorist groups in Southeast Asia."

12345 post

12345

Re:12345 post

[masshuu]

access denied
(hint: the default password for the system is "qwert" if this is your first time accessing it)

Re:12345 post

[EdIII]

12345

That's the kinda thing an idiot would have on his luggage.

Re:12345 post

[smittyoneeach]

That's the kind of thing an idiot would post in reply to a slashdot post about a luggage combination.

Re:12345 post

[Sique]

And it nearly matches the default password on most phone stations I am working with (not the PBX though). And because most customers have a very lousy password retainment and password storing policy, the colleagues keep the phone systems on their default passwords. If you know the extension for the modem that connects to the admin console, you could dial in from outside and go forward to administrate...

Re:12345 post

[smittyoneeach]

That's the kind of anonymous meta-moderation comment
an idiot would apply to a reply to a slashdot post about a luggage combination and a reply to a reply to a slashdot post about a luggage combination
when they don't recognize the essential humor of recursive, meaningless replies as a form of /. art.

Re:12345 post

[myspace-cn]

That's literally what telemarketers like to use too.

Wanna bet telemarketers are on the list of targets who failed to set any security at all on their PBX's?

Wanna bet
4321 or 0000 or 1234 or 12345 or 00000 was what they had their annoying kit set to I even saw 123 being used as a password.

I worked for a telemarketer before. (Flame suit on) I did, and I noticed a theme, no firewall, simple guessable passwords everywhere. I wanted to add firewalls, and make all the default passwords harder to crack, but they weren't interested. The only thing they wanted me to do, was drill, pull twisted pairs, mount all their crap on the wall, hook it all up, get the video surveillance, workstations and digital dialers up as quick as possible. They already had an admin for the 600 win98SE workstations, and the dns server and win2000 server. I got finished, got paid, and I got the hell out cause everyone was either annoying, or pretty creepy anyway.

At some point there has to be some kind of shared responsibility. I mean with lists like this well known for years now.

Na, I guess not, just spy on everyone's communications and fry motherfuckers when they start to cost too much after the fact. It's the retarded American way.

That's a spicy meatball!

[RickRussellTX]

I'm just amazed they found somebody willing to pay almost $5 per minute for long distance.

Re:That's a spicy meatball!

[stephanruby]

Hey, they're terrorists! Terrorists get to set their own prices. Also, may be there is some value in having a voice mail number traceable to a legitimate corporation in the United States. Also, the article confirmed something that I always knew deep down in my gut, telemarketers are terrorists. This makes a lot of sense actually.

Re:That's a spicy meatball!

[stephanruby]

Good catch. They were actually paid $100 for each PBX they found, and they found 25,000. So in theory they were paid $2,500,000 (that's roughly 21 cents per minute, plus the operators still had to incur local charges).

Re:That's a spicy meatball!

[DavidD_CA]

If they were from Italy to the US, that might be right.

Granted, not if you have VoIP or some international long distance plan, but rarely do these kinds of numbers ever show discounted prices.

I'd love to know if this was the source of those annoying "auto warranty" calls I keep getting.

Re:That's a spicy meatball!

[morgan_greywolf]

Hacking into PBX systems was something of a pastime for phreakers in the U.S. in the 1980s; who knows, they might still be doing it.The PBX systems would be terminated with toll-free numbers. What the businesses who own the PBXs pay for long distance is a lot higher than what you and I would pay.

The thing is, though, that large U.S. corporations, in particular, have replaced a lot of their traditional lines with VOIP. Since most calls are campus-to-campus -- e.g., at IBM a call between, say, Boca Raton, FL, and Armonk, NY -- calls are routed over the company's already existing network lines by using VOIP, thus eliminating long distance charges. So I wonder how many of them are still having PBX systems with the ability to call in and dial out via an 800 number?

Re:That's a spicy meatball!

[PopeRatzo]

Hey, they're terrorists! Terrorists get to set their own prices.

That's no way to talk about the phone company.

Re:That's a spicy meatball!

[sumdumass]

So I wonder how many of them are still having PBX systems with the ability to call in and dial out via an 800 number?

I would say quite a few. I have noticed that a lot of VoIP systems are added-on instead of replacing older phone systems. They also already have the copper and it's cheaper to purchase lines by the bundle then to separate them.

BTW, large businesses would connect different campuses across a T1 point to point connection(s) before VoIP was around. Basically, the software/hardware in the phone system will use a channel on the T1 line as a phone line and allow the cross campus communications including passing inbound calls to the other facilities (one 800 number for 10 facilities across 5 states.) You can get 24 voice channels from one t1 line too. This also cuts down on long distance because you can program it to call out on the loop closest to the call termination. This means that if your in Buffalo NY and a customer is in Orangevale California and you have a branch office in Fair Oaks, it will be a local call for you. Some long distance telecoms offer T1 loops directly to their long distance center eliminating much of the costs in a normal switched call. That means they would be paying about 1/3 of what normal people would pay if you didn't consider the costs of the T1 loop.

VoIP has basically gotten around the T1 costs (you need one for each location). Some switched networks already use VoIP on controlled backbones to consolidate long distance calls as the telecoms saw the savings way before it was economical for normal people to play with it. VoIP has come a long ways since that has started and the bandwidth needed for good quality calls have dropped quite a bit.

Re:That's a spicy meatball!

[Joe+The+Dragon]

There are ways around that. Just like the time I call every number in Sunnyvale ca.

Re:That's a spicy meatball!

[fluffy99]

VoIP has come a long ways since that has started and the bandwidth needed for good quality calls have dropped quite a bit.

If you definite a "good quality call" as the same quality as a POTS line, then VOIP G.711 (no compression) actually requires more bandwidth as it adds control signaling and you end up needing 80k instead of a single 64k channel per call. It also introduces more timing issues as ip doesn't guarantee timely or orderly deliverly of the packets. If you use a lower quality compression codec line G.729 you can reduce the bandwidth down as far as 8k data and 8k control, but at the expense of reduced voice quality - making it sound like a poor cell phone call.

Re:That's a spicy meatball!

[sumdumass]

I've had poor lines, static and noised in the calls over POTS lines. I'm defining a good quality call as the same as POTS calls on average with the good and the bad and perhaps the added fudder of cordless phone static and so on.

I've been on a couple VoIP calls that I couldn't distinguish between them and a regular call. I do know know how much bandwidth they were using though, it was where the VoIP feature on the phone allowed me to take a Avaya phone home and set it up as an extension to several sites I work with.

It's interesting to see the bandwidth information though. I guess VoIP isn't as far as I thought.

Re:That's a spicy meatball!

[fluffy99]

Here's a quick summary of the codecs and the MOS (essentially call quality) http://www.cisco.com/en/US/tech/tk1077/technologies_tech_note09186a00800b6710.shtml#mos. The big thing with the compressed codecs is the latency and increased sensitivity to line problems like jitter and dropped packets.

Done right on a network with proper QOS, VOIP using the G.711 codec works great. The big benefit for me is that it eliminated the need for installing an entire cabling plant just for analog voice.

Which one was it?

[Laser_iCE]

admin or password?

Re:Which one was it?

[mail2345]

Article: mainly by exploiting factory-set or default passwords on the voicemail systems
So, linksys?

Re:Which one was it?

[GreenTech11]

Most likely, the username...

Re:Which one was it?

[infolation]

actually the DoJ papers say the PBX systems were Nortel, Lucent, Bizphone and Panasonic

Re:Which one was it?

Avaya has this problem as well...the company I used to work for fell for this exact hack...BASTARDS!

Re:Which one was it?

[Sique]

It has nothing to do with the type of PBX, but with the admins using it. And yes, the company I work for mostly keeps the original passwords on the PBX they deploy, because most customers have a lousy policy when it comes to keep passwords.

Re:Which one was it?

[Hurricane78]

Hey, nice! Say, what's the company called again?

I have something way better for you:

Telindus, which is a large Luxemburgish computer shop, sells computer systems to roughly half the banks in Luxemburg (the land of the banks). Well. One employee told me, that they put the password "telindus" or "password" on them, and then add a big sticker, saying that the new maintainers absolutely must change that password when Telindus is done and gone.
But when they come back, one year later, for some contract-required maintenance/updates, half of those still have that initial password in them. And they are banks. With hundreds to thousands of computers. (Yes, Telindus also sets up the main servers.)

So if you ever get to a login of a bank in Luxemburg, there is about a one in four chance, that you crack the absolute jackpot. I recommend keeping a stealthy rootkit ready. ^^

Re:Which one was it?

[vux984]

It has nothing to do with the type of PBX, but with the admins using it. And yes, the company I work for mostly keeps the original passwords on the PBX they deploy, because most customers have a lousy policy when it comes to keep passwords.

So why doesn't your company set the password to a random string, *keep a record for yourself in the customer file*, and then tell the customer what it is?

1) If they change it and keep records for themselves properly. GREAT
2) If they don't change it, and leave it the way you set it up... well not great, but still pretty good. Nobody is ever going to get in remotely. And its a vast improvement over leaving it on the default. And if they call you for support 5 years from now, and they never changed it, that's exactly what your records are for.
3) If they change it and forget it, well, there's nothing you can do about those people no matter what you do.

Re:Which one was it?

[Sique]

Because a lot of customers do some maintenance work like administration of extensions, and for that they need the password.

Re:Which one was it?

[vux984]

Because a lot of customers do some maintenance work like administration of extensions, and for that they need the password.

Which is why you give it to them, and keep a record of it. If they never change it and manage it themselves and then they need it, they can call you for it.

I mean, how are they doing admin work now? The only change I'm proposing is giving them a unique password instead of giving all your customers the same password and/or leaving it as the default. Then if they never change it, at least its not remotely exploitable, and/or compromising it doesn't compromise ALL your customers.

Hell, stick it on a sticker right on the device. Even that will be more secure than leaving it as the default.

Re:Which one was it?

[afidel]

That's what HP does with iLo passwords, the unique default password is printed on the toe-tag of each server.

Re:Which one was it?

I agree.

Now I am thinking of a new joke:
"You want to send a telemarketer into a tailspin? Change their default password."

Although, I would have to say, "worked for" as I got the hell out.
We used the SAMSUNG PROSTAR 's
Was yours owned by a retired CIA guy by chance?

Re:Which one was it?

[Lennie]

I've seen the same thing happen with Televantage

Yea well

Maybe governments should figure out its the 21st century out there, and stop treating phone traffic as a source of tax revenue, instead of treating it exactly like every other kind of electronic traffic (internet, bank transactions, etc), which is tax free the way it should be. Then those "terrorist groups" would suddenly find themselves out of profit.

CAPTCHA: Rackets. How appropriate.

Re:Yea well

[Jurily]

Maybe governments should figure out its the 21st century out there, and stop treating phone traffic as a source of tax revenue, instead of treating it exactly like every other kind of electronic traffic (internet, bank transactions, etc), which is tax free the way it should be.

How many governments do you know that willingly gave up entire categories of tax revenue?

GyurcsÃny won the elections with that promise in Hungary, they went through with it, and after a year they gave us a "see, we tried it, didn't work out" speech, and now taxes are higher than ever.

Re:Yea well

[PopeRatzo]

Or maybe, we should all figure out this is the 21st century, and stop treating phone traffic (and all electronic traffic) like a source of revenue.

While we're at it, I suggest we stop treating health care as a source of revenue, too, unless you are a provider.

I could continue...

Feh.

[Renraku]

The companies that got 'hacked' should get a serious talking to by the anti-terrorism folks. After all, they played a part in terrorism (or at least, what is called terrorism, who knows what it really funded?), and should be punished!

Not changing default passwords is literally begging for trouble.

Re:Feh.

[mjwx]

The companies that got 'hacked' should get a serious talking to by the anti-terrorism folks.

Am I the only one that finds this "terrorism" link a bit absurd. Having travelled in SE Asia I sincerely doubt that this money was filtered into "terrorist" hands. All that has happened here is that a small number of enterprising Philipino's have made themselves rich enough to retire (rich enough for their kids to retire in the Philipines). If they've been caught then they've just made the cops rich enough to retire as well.

It just seems the "evil terrorist" card is played every time law enforcement fucks up and wants to keep people from questioning that.

Re:Feh.

[PopeRatzo]

or at least, what is called terrorism

That's how you get people's attention. Say it's "funding terrorists".

Did you know that marijuana funds terrorism? That argument has been made repeatedly.

Re:Feh.

[DNS-and-BIND]

Actually a lot of organized crime funds terrorism. I'm sure on your travels in SE Asia, you didn't see any so obviously it doesn't exist. If it seems absurd to you, then we're sorry and will try to let reality intrude less next time.

Re:Feh.

[Sique]

But that's just because we are pretty good at labelling everything "terrorist" right now. It always was a tactic of the organized crime to either make the local policy part of the organization or assasinate the policemen who didn't conform. Today assasinating a local police officer surely gets labelled "terrorism".

Re:Feh.

[afidel]

Uh, tell that to the people who lost loved ones in Bali, I'd say there are plenty of radical Muslim terrorists in SE Asia.

Re:Feh.

[mjwx]

Uh, tell that to the people who lost loved ones in Bali, I'd say there are plenty of radical Muslim terrorists in SE Asia.

That old chestnut. If you keep repeating the same old line people will stop listening. The families of the Australian Bali bombing victims would resent their problems being used in this fashion, they would like to move on with their lives rather then have this dragged up for more pointless fear mongering. So I'd say the same to you, why don't you go and remind these people of what they've lost and why they should be afraid, you'll be picking yourself up off the pavement for being an arsehole mate.

There is no mass fear of the great terrorist poltergeist that you describe. More Australians have died on Western Australian roads this year then have died in terrorist attacks in the last 10 years, sorry if this shatters your illusion that terrorism is an imminent threat.

Re:Feh.

[mjwx]

Actually a lot of organised crime funds terrorism

Citation needed?

Actually, if you travel to SE Asia and have half a clue you see a lot of organised crime, or at least what we westerners consider to be organised crime. Crime and corruption is rife in the poorer SE Asian countries, particularly the Philipines, so much so that it is its own economy. Every business must pay off the police in order to operate (they call this Tea Money), same for many gangs which operate in that area (taxi drivers, scamers and touts are the most common types in tourist areas). Not all crime is being used to support terrorism, the same as all petty crime in the US is not being used to fund the KKK.

Secondly, I wouldn't call the Moro Islamic Liberation Front (yes that is their real name) a true terrorist organisation as they have never struck outside the Philipines. This is the organisation you were referring to in your link. This organisation is fighting the government in the southern island of Moro, even the article you linked to referred to them as separatists. Further more you wouldn't even know about them if you were to travel to Luzon, which is where the two largest international airports in the Philipines are (MNL and CRK).

If it seems absurd to you,

Yes it does seem absurd to me, considering the amount of crime and how little of that actually gets funnelled to Terrorism I've applied Occams Razor to this situation and every bit of logic tells me that this was for someone's personal gain. The small chance that this could actually end up in the hands of a group like Jamah Islamia is so tiny that its not even worth mentioning let alone making a big issue out of. It's far more likely that this was someone's get rich quick scheme.

Sorry if a bit of common sense has gotten in the way of your baseless fear mongering, I'll try to let reality intrude a little less next time.

Re:Feh.

I lived in SE Asia for a while. The only crime that was organised was committed by the Government. Unfortunatly they are not able to prosecute US citezins for ripping off SE Asians.

I'd argue that the biggest funders of terrorist activity are US citizens who use cocain and heroin. If the US legalised drugs, they'd cut the funding for terrorism, free up a whole load of troops, hit organised crime in the US, be able to get their police onto other stuff, like corporate fraud. Tax it and they might even be able to start paying China back.

On second thoughts - I'd rather they stay in Afghanistan and Colombia - means they won't come here. Sorry Colombia and Afghanistan.

Telcos suck

12 million minutes of unauthorized phone calls through the system, valued at more than $55 million.

... or a lot less.
$5 per minute?!! Just to route some packets a bit farther?
And then telcos wonder why IP phones are eating their lunch.

Maybe they're using MAFIAA math... Each minute causes $5 worth of damage to their network...?

Re:Telcos suck

[jonaskoelker]

Maybe they're using MAFIAA math... Each minute causes $5 worth of damage to their network...?

Obviously, each minute moving terrorist traffic could be spent moving song torrents worth $5 of kickback from the damages awarded to the RIAA members...

Wait, is that what you call cynicism? ;-)

Hacking?

[EdIII]

These were default passwords on more than likely open ports. I would hardly call that hacking. That would be like walking by a house with an open door and saying you picked the lock by walking inside.

One heck of an expensive lesson to the IT guys responsible. Never leave default passwords is Rule #1. Or at least in the top 3.

Re:Hacking?

Aye, but trespassing is trespassing.

Re:Hacking?

[iluvcapra]

The AC is right. Interacting with a system without the knowledge and consent of the owner is forbidden, regardless of the ease involved.

Re:Hacking?

[houghi]

That could never happen to where I work. We use the default password on the PBX, but it is protected by a Cisco router. Encrypted password, so it can never be found out. In fact I am so sure of that that I just post it here: 095c4f1a0a1218000f.
Obviously you need the address as well. That is http://hackme.houghi.org/

Re:Hacking?

[smoker2]

So google breaks the law every time they spider private pages where the owner has neglected to use htaccess ?

Re:Hacking?

[Thundarr+Trollgrim]

"trespassing is trespassing"

Now that we have the glaring truisms out of the way... That is entirely irrelevant. The parent was stating that it was not hacking; hacking and trespassing are not the same thing, although one may include the other.

Re:Hacking?

[shentino]

That's different.

A web server is not a home, and web pages not protected by htaccess could presumably be public.

Not using htaccess would probably be counted as constructive permission anyway, since a website has to be published/brought online to be accessed at all, whereas a home has no such requirement to be entered, invasively or otherwise.

Re:Hacking?

[shentino]

You must work for LifeLock

Re:Hacking?

[iamdrscience]

Never leave default passwords is Rule #1. Or at least in the top 3.

Indeed. The rules of IT:

1. You do not talk about IT.
2. You DO NOT talk about IT.
3. Never leave default passwords.
4. No girls allowed.

Re:Hacking?

[jonadab]

> Never leave default passwords is Rule #1. Or at least in the top 3.

Actually, I think it's a corollary to Rule #2, "Only grant access to the people who actually need to have it." HTH.HAND.

Re:Hacking?

[nausicaa]

Why does this remind me of The Cuckoo's Egg?

Same problem with default passwords, some 20+ years ago..

I'm well aware that the problems there weren't limited to default passwords, but it's one of those issues you'd think people would be more carefull about these days, at least when it comes to that kind of system.. It's one thing to have a homesystem with lax security, but this? Seriously? I guess it might be a case in point for me to use when explaining to people why it's actually important to try and use proper grammar all the time; skimp on it in one place and others easilly follow..

Re:Hacking?

[ThrowAwaySociety]

So google breaks the law every time they spider private pages where the owner has neglected to use htaccess ?

Well, what exactly is a "private page" when the owner has neglected to use .htaccess? Seems to me that would be a public page.

Look at the real world: When am I trespassing when I go onto Wal-Mart's private property? If I'm there to buy beer, I'm fine. If I go there with no intent to transact business, and just hang out in the parking lot, it's loitering. If I go past the "Employees Only" sign and start poking around in the stockroom, even if it's unlocked, even if I don't steal anything, it's trespassing.

Re:Hacking?

The law doesn't require it to be a challenge. It might increase the penalties, but the mere fact that there was a password and as such, a security system in place, makes it hacking.

Re:Hacking?

I know of a hospital in a major metropolitan area which has default passwords set for its inter-staff communication system, security cameras, and God only knows what else. They're also dependent on 802.11g for communication between units as well as their security cameras. Then they have the IV pumps which have their own network -- WHY THE FUCK ARE IV PUMPS ON A WIRELESS NETWORK?!

I'm waiting for someone to just stick a cheap laptop up under a desk and throw up thousands of bogus access points and jam the whole mess, or to change the sounds for their Vocera system to fart sounds and F-bombs. And can you imagine what you could do with the unencrypted public network they have for their patients and guests with airpwn?

Re:Hacking?

[identity0]

"Hacking" means "unauthorized access to computers/other technology" in common usage and nowadays actual law. Get over it, the "Hacking = tinkering" thing was lost in the '90s.

Re:Hacking?

[timmyd]

I wouldn't necessarily call it default passwords. I believe I was one of the people victim to this. I have an asterisk PBX setup for my parents at their house so they could call me for free. One of the problems I think with asterisk is that the flag "allowguest" is set to true by default which means random computers on the internet can connect to your box and try to call out. (I also made the mistake of allowing the default dialplan to have a way to dial out on this computer). I noticed this a few weeks prior when bots had been randomly connecting to me and tried to place outgoing calls. I promptly found the 'feature' and turned it off on my computer and I was planning to do the same on my parents box. Unfortunately I forgot about doing it and about a week ago I noticed that I had a lot of calls had been placed to cell phones in the Philippines. It easily ate through the $60 I had in my prepaid account until I had realized what had happened.

Re:Hacking?

4. No girls allowed.

Unless they have great tits.

Re:Hacking?

[Hurricane78]

Nope. It's not. Hacking still means tinkering. It's just that today, the media uninformed shit-storm even reached the dirty bottom of all Slashdot users.

Here, where we know what we are talking about. We call unauthorized access "cracking" (like you crack a safe).

This is the reference, as long as we still live: http://www.catb.org/jargon/html/H/hacker.html ^^
But I bet you don't even know the jargon file.

Re:Hacking?

[identity0]

Must I point out my Slashdot ID #, Mr. Six-Digit?

I'm just sayin', it's already encoded in various laws as well as media that "hacking" is a term for unauthorized computer access. Some may still accept using it for "tinkering", but it's clear that the majority of usage is for unauthorized access.

Re:Hacking?

[Qwell]

security.txt Read it and stop using the default context.

Re:Hacking?

[Muad'Dave]

As long as they abide by robots.txt, they're only searching/indexing public pages - htaccess is not necessary.

$55 million

[Psychotria]

Yeah. $55 million dollars in routings costs. Call me an idiot, but I just don't see how they could have used so much electricity that it added up to $55 million dollars. Maybe $54.98 million dollars was for technical support.

Re:$55 million

[bruce_the_loon]

You are forgetting the reciprocal costs of phone calls. You break out of the network to another telco, most of the time there are costs per minute. You pay for access to the circuit. Add international calls to this and the numbers climb.

Most telcos have reciprocals in place that say if Telco A made 1000 minutes of calls to Telco B, and Telco B made 1000 minutes to Telco A, they call it quits. Now if A made 1000000 minutes to B, B wants its money. And A has nobody to send the bill to because they were stupid and didn't change the passwords.

Re:$55 million

Why hack PBX systems using G.711? It seems like it would be more beneficial to go through G.729 given that it offers higher call volume for the same T1 line. Maybe it has something to do with the fact that most CALEA systems are the last to do the C2P migrations, especially during 2005, as VoIP was being introduced to large market PBX systems.

Or maybe it is nothing. Just joy-riding, but the guy is kinda old, based on what the article mentioned, "40".

Re:$55 million

[rundgong]

Since it was PBXs that were hacked it is not really related to the Telcos, but rather it is telephony switches at other companys.

The indictment pdf has some details on how it was made also. There are two different scenarios:
A: the hacker calls the PBX (a cheap call). He then has the PBX make an outgoing call to where the hacker wants to call (an expensive call)
B: the hacker makes the PBX first call up the hacker and then call the other party, thus making the company that owns the PBX pay for both calls.

There was one example where the second method was used to make calls to the Philippines and Guinea and the lines were open for over 23 hours. Both of these calls are probably 2-3 USD/minute which makes that one instance cost around $6000

Hackers, hacks ??!?

[Alwin+Henseler]

If factory-set default passwords were used to gain access to the systems and use them, what exactly did they 'hack' ?

That would seem like a typical case of unauthorized use of a system to me, but hardly qualify as 'hacking'. When legal charges are to be brought, use a correct description of the crime, will you?

"Your honor, there was a gaping hole where the door used to be! I didn't even have to touch the doorknob!"
"I don't care! Since a computer system was involved, you broke into the place, understood?"

Re:Hackers, hacks ??!?

[GreenTech11]

That would seem like a typical case of unauthorized use of a system to me, but hardly qualify as 'hacking'. When legal charges are to be brought, use a correct description of the crime, will you?

Stupidity on the part of the legal owner?

Re:Hackers, hacks ??!?

[dns_server]

"Hacking" laws are generally written with that language.
The COMPUTER CRIMES ACT 1997 has as section 3. "Unauthorized access to computer material."

Re:Hackers, hacks ??!?

[Thaelon]

How is it even unauthorized? They used the correct passwords.

Re:Hackers, hacks ??!?

[Dare+nMc]

The last PBX system I did has the default admin password but, 1) it is behind NAT 2) behind firewall 3) truck to main office is wrapped inside the VPN (VPN not default password).
Likely they need a bot net to scan ports, or some social engineering to find their way inside the networks. another option is to trick the box into accepting a second trunk. The last possibility is they placed calls, and knew which keys to get, or which modem type capability's to try and exploit, so have to take several guesses at which system they are hitting.
Even having dealt with many PBX's, it takes considerable effort on most of them, even with full access, to get these non-standard call in and be able to call back out... (available feature on many systems, but not a standard line setting, that needs enabled/setup...)

Re:Hackers, hacks ??!?

[sjames]

If I hotwire your car and drive it away, I have committed a crime.

If I take your carkeys when you're not looking (even if you absently leave them on my desk) and drive your car away, I have committed a crime.

If you leave the door open and the engine running and I drive your car away, I have committed a crime.

In the end, it comes down to what's customary. If I walk freely into your unlocked house, I'm trespassing. If I do the same with your well lit and unlocked retail store, I'm browsing. However, if there's a closed sign on the door, the lights are off, and there's nobody there, we're back to trespassing even if the door was unlocked. However, if there's a sign that says "yes, we're open" displayed on the door, I'm not trespassing.

In the network world the rules are a bit more formal since there are no cues like seeing that the lights are off or that there's nobody there, but there are still customary uses. In general, if it asks you for a password and you have to guess one, you're not authorized even if you guess right. Exceptions to that would include if you own the device, work for the person or company that does, or if you are asked to gain access by the owner. Beyond that, PBXs are not customarily open to the public. Neither are routers. Because web servers are customarily meant for public access, not asking for a password may be taken as an invitation there.

Re:Hackers, hacks ??!?

[liquiddark]

"You make an excellent point, but your overall case suffers because you stole the 60 inch plasma screen and the family dog."

Gary McKinnon wants

[AHuxley]

His intellectual property back.
What is it with the US gov and the use of MS like default passwords?
http://freegary.org.uk/

Talk about obscure...

What a reference!

Now where's the beef?

Privacy? What privacy? (use encryption folks)

[operator_error]

Wait! before I thought only the NSA by statute and Google (because Google is truly eViL by supplying the NSA (& NASA!) with technology & staff), could listen to my phone calls, transcribe, translate, & index them into perpetuity. But now I'm reading the Italian mafia can listen in too?

Of course this explains why the Italian mafia learned awhile ago to encrypt their own calls. On the job training if you ask me.

FWIW, there's an asterisk module for pretty good privacy: http://www.zfoneproject.com/prod_asterisk.html

http://www.securitymanagement.com/article/new-voip-encryption-challenges-005680

Why not?

Re:Privacy? What privacy? (use encryption folks)

The Italian mafia is running support call centers too - who would have thought?...

Hey Vinnie - this guy on the phone doesn't like our product, can we send someone from our on site service center to "fix" it?

Reminds me of BLAZEMONGER! customer service.

Sue the people who neglected to change passwords?

[kasperd]

Is it illegal to support terrorism by remiss? The people who left those default passwords have indirectly supported terrorists, even if it was unintentional. Can they be sentenced for that, should they be? I think they ought to be fined for it, but I don't think they deserve as harsh a punishment as the people who abused the systems for economical gain.

Ah, slashdot

[smittyoneeach]

Replying anonymously to yourself to explain an obscure reference.
Good show, old boy.

Its probably a DISA hack

[wintermute000]

Guys its probably a DISA they discovered NOT CLI ACCESS TO THE PABX.....

Many PABXs have a feature where a specific incoming extension (DISA) is configured to allow calls to be re-routed from the PABX if you enter the correct PIN.

e.g. you dial into the secret number, enter the secret PIN, then from there you have full access to the PABX's destination codes.
so e.g. if your DISA extension is 333-88888, and PIN is 12345, and you dial 0 for external, then dialling this would work: 333-88888-12345-0-(number you want to dial). The call would then be originated from the PABX instead of the caller.

This is mostly used for troubleshooting because in PABX tie line networks your number codes determine how your calls route, with complex tie line networks you end up with destination codes upon destination codes which require a lot of thinking to get right as its basically a huge, layered sequence of static routes.

Anyhow back in my TDM days I used to run PABXs for a large corporation. A few years before I started the EXACT SAME THING happened to us - someone phreaked the PIN code to the disa number - and was then selling calling cards in the phillipines that rerouted using one of our PABX's DISA lol.

Re:Its probably a DISA hack

Its not a system password. I diagnosed a few of these compromised systems last fall. The team that discovered the PBX came from IP's from the APNIC. The calls were made via SIP from italy. By default password they are referring the the old practice of making the SIP password match the extension. A LOT of wiki articles gave examples of setting up SIP extensions and they always showed the secret= matching the extension number. There are a trio of SIP tools that 1) discovered sip extensions on a PBX and then 2) attempted the extension as the password and 3) if that fails, attempt brute force dictionary attack trying to guess the secret.

Re:Its probably a DISA hack

[djdavetrouble]

Anyhow back in my TDM days I used to run PABXs for a large corporation. A few years before I started the EXACT SAME THING happened to us - someone phreaked the PIN code to the disa number - and was then selling calling cards in the phillipines that rerouted using one of our PABX's DISA lol.

back before hacking vs cracking (cracking was what you did to apple ][ games), phreaking was very popular as a teenage sport. PBX's and voicemail systems were popular targets, of course. I had access to a local PBX belonging to LCC (LARGE COMPUTER CORPORATION) via brute force. It had unlimited outbound, and the password famously spelled "Rock". We kept it to ourselves and it worked for 4 or 5 years for our little team. I have seen a few large scale operations to monetize stolen telephone networks, this is nothing new. In New York City, there are so many foreign people that want to call home that there
is a cottage industry catering to them. There are even long distance "stores" where you go to a booth and call the Dominican Republic or whatever. Back when calling cards were more popular, it was known that there were spotters at JFK airport that would try to look at your fingers as you entered your code.
Still, it is a pretty ambitious plan that these guys undertook.... and terrorists omglol

Which brand(s) of PBX?

[PuddleBoy]

Does anyone know which brand(s) of PBX were 'hacked'? Were these 'traditional' PBX's or were many (most?) of them VoIP systems?

I work for a telco and we notice that the vendors who have IT backgrounds often decide that voice is just another kind of data, and frequently have trouble setting up PBX's (like Asterisk). (You ask them if they'd like that PRI as NI-2 Standard and they just mumble at you.)

simple solution..

[orange47]

..make all default passwords hard to guess!

Re:simple solution..

[Celeste+R]

Nobody would suspect the

spanishinquisition

Missed Call Centrees

[Luthair]

At first I thought it was trying to claim that 3 men used 12 million minutes of phone time, I mean three women I could believe!

Re:Missed Call Centrees

[jonaskoelker]

Let's assume women can talk on the phone for 16 hours each day (leaving them one hour to eat and use the toilet, seven hours to sleep).

Then, for three people to spend 12 million minutes on the phone would take well over eleven years.

That's 12e6 / 60 / 24 / 365 / 3 * 1.5 = 11.4155...

number of minutes / minutes per hour / hours per day / days per year / number of persons * phone use inefficiency factor (16-vs-24 hours per day).

No wonder people say slashdot is late with the news ;-)

Phreak Freely...

It could be done via DISA... But DISA is usually not enabled by default, neither is Trunk to Trunk Transfer.

The brunt of the civil litigation will be aimed at the VAR's and manufacturers. It will be claimed that the breaches happened on their watch and they are therefore responsible. Toll Fraud Prevention is always one the the major selling points of any Maintenance Contract from the VAR's and PBX makers. Unless the PBX's were bought grey-market, and I think it's pretty unlikely that so many switches are floating around on the grey-market. Most IT departments don't admin their own switches beyond simple MAC... Rarely do you meet anyone in corporate IT that understand Dialplans, CoS, CoR, etc... unless the Telco side is their specialty... sadly, they are a dying breed.

Anyone that bashes the Filipinos as terrorist is simply a bigoted nitwit. If you have spent any time in Telco, you know that some of the best and brightest are the Filipinos techs. Just too bad that a couple of them used their talents for criminal purposes.

One questions that begs to be asked, was it a Cust level default password or a Vendor level default?

This is the bottom of the barrel

[aminorex]

So slashdot is now echoing anonymous rumors of blatant lies in its headlines. This is pretty shoddy work, ScuttleMonkey.

55 bucks for 12 minutes of long distance? Not unless you're using an Iridium sat phone! It's typical LEO bullcrap propaganda.

And don't get me started on "financing terrorism". It's the pot calling the snowman "darkie", is what that is.

You're paying how much!?

[alexandre]

Are you saying the average cost of a phone call is 4.58$ per minute ?
you need to change your phone company! Calling oversee is usually 5-10 cents max, and maybe 25 centsÂfor far out places.
(unless you really want to call that weird looking pacific island of course...)

Re:You're paying how much!?

[Mashiki]

Want to guess how much Bell Canada, charges per/min for a long distance phone call, for a city that is 14mins away from me?

A) 0.02-0.05
B) 0.05-0.10
C) 0.10-0.15
D) None of the Above

If you picked D, you are correct! The correct answer is $0.25/minute. That's right, it costs me less money to call my ex-gf in the Philippines than it does to call a relative who lives in the same county.

Re:You're paying how much!?

[alexandre]

hehe, being in Montreal i fully understand your hate for Bell...(Don't get me started!)

I ditched them for a dry loop with acanac as a provider (could have been with teksavvy too) and use unlimitel for the phone (VoIP)! :)

4.5 cents per minute

I doubt it - I get cheaper legitimate rates

Changing the password should be a permissive

[Grocks]

You should not be allowed to get the system running unless you change all the default passwords. Too bad if this a problem. The documentation should say in big letters "NOTE: THIS SYSTEM WILL NOT OPERATE UNTIL YOU PROVIDE NEW PASSWORDS FOR ALL ITEMS THAT HAVE PASSWORDS. To do this please follow these instructions..."

Basic Security failure

[hysonmb]

I'm just shocked that no one ever thought to change the password! Even a weak password is better than default. I guess someone will be writing a 10 page paper, aka, an SOP.