Slashdot Mirror


Default Passwords Blamed In $55M PBX Hacks

An anonymous reader writes "The Washington Post is reporting that the US Justice Department has indicted three residents of the Philippines for breaking into more than 2,500 corporate PBX systems in the United States and abroad. The government says the hackers sold access to those systems to operators of call centers in Italy, which allegedly made 12 million minutes of unauthorized phone calls through the system, valued at more than $55 million. The DOJ's action coincides with an announcement from Italian authorities today of the arrest of five men there who are suspected of funneling the profits from those call centers to terrorist groups in Southeast Asia."


  1. That's a spicy meatball! by RickRussellTX · · Score: 4, Insightful

    I'm just amazed they found somebody willing to pay almost $5 per minute for long distance.

    1. Re:That's a spicy meatball! by stephanruby · · Score: 4, Funny

      Hey, they're terrorists! Terrorists get to set their own prices. Also, maybe there is some value in having a voice mail number traceable to a legitimate corporation in the United States. Also, the article confirmed something that I always knew deep down in my gut: telemarketers are terrorists. This makes a lot of sense actually.

    2. Re:That's a spicy meatball! by PopeRatzo · · Score: 2, Funny

      Hey, they're terrorists! Terrorists get to set their own prices.

      That's no way to talk about the phone company.

      --
      You are welcome on my lawn.

    3. Re:That's a spicy meatball! by sumdumass · · Score: 2, Informative

      So I wonder how many of them are still having PBX systems with the ability to call in and dial out via an 800 number?

      I would say quite a few. I have noticed that a lot of VoIP systems are added on instead of replacing older phone systems. They also already have the copper, and it's cheaper to purchase lines by the bundle than to separate them.

      BTW, large businesses would connect different campuses across T1 point-to-point connection(s) before VoIP was around. Basically, the software/hardware in the phone system will use a channel on the T1 line as a phone line and allow cross-campus communications, including passing inbound calls to the other facilities (one 800 number for 10 facilities across 5 states). You can get 24 voice channels from one T1 line too. This also cuts down on long distance because you can program it to call out on the loop closest to the call termination. This means that if you're in Buffalo NY and a customer is in Orangevale California and you have a branch office in Fair Oaks, it will be a local call for you. Some long distance telecoms offer T1 loops directly to their long distance center, eliminating much of the costs in a normal switched call. That means they would be paying about 1/3 of what normal people would pay if you didn't consider the costs of the T1 loop.

      VoIP has basically gotten around the T1 costs (you need one for each location). Some switched networks already use VoIP on controlled backbones to consolidate long distance calls, as the telecoms saw the savings way before it was economical for normal people to play with it. VoIP has come a long way since then, and the bandwidth needed for good-quality calls has dropped quite a bit.

    4. Re:That's a spicy meatball! by fluffy99 · · Score: 2, Informative

      VoIP has come a long way since then, and the bandwidth needed for good-quality calls has dropped quite a bit.

      If you define a "good quality call" as the same quality as a POTS line, then VoIP G.711 (no compression) actually requires more bandwidth, as it adds control signaling and you end up needing 80k instead of a single 64k channel per call. It also introduces more timing issues, as IP doesn't guarantee timely or orderly delivery of the packets. If you use a lower quality compression codec like G.729 you can reduce the bandwidth down as far as 8k data and 8k control, but at the expense of reduced voice quality, making it sound like a poor cell phone call.
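The 80k and 8k+8k figures in the reply above come out of a simple per-packet budget: codec payload per packetization interval, plus the fixed RTP/UDP/IP headers on every packet, times packets per second. The script below is an added example (not code from the thread) that carries that arithmetic through for G.711 and G.729 and also answers the earlier T1 comment: how many VoIP calls fit in the 24 x 64k of DS0 payload that carried 24 TDM calls. The 40-byte header figure and the 20 ms default packetization are standard assumptions; the 16k figure for G.729 corresponds to 40 ms packetization in this model, and the Ethernet overhead is shown only to make the point that the answer depends on where you measure.

```python
import math

RTP_UDP_IP_HEADER_BYTES = 40   # 12 RTP + 8 UDP + 20 IPv4 bytes on every packet
ETHERNET_OVERHEAD_BYTES = 18   # 14-byte header + 4-byte FCS, if sizing a LAN segment
T1_PAYLOAD_KBPS = 24 * 64      # 24 DS0 channels; T1 framing bits excluded (assumption)

# codec -> nominal payload bit rate in kbit/s (standard values)
CODECS = {"G.711": 64, "G.729": 8}


def voip_call_kbps(codec, packet_ms=20, l2_overhead_bytes=0):
    """Bandwidth of one unidirectional RTP stream in kbit/s.

    payload bytes per packet = bit rate (kbit/s) * interval (ms) / 8
    e.g. G.711 at 20 ms: 64 * 20 / 8 = 160 bytes, + 40 header = 200 bytes,
    50 packets/s -> 80 kbit/s, which is the '80k' quoted in the thread.
    """
    payload_bytes = CODECS[codec] * packet_ms / 8
    packet_bytes = payload_bytes + RTP_UDP_IP_HEADER_BYTES + l2_overhead_bytes
    packets_per_second = 1000 / packet_ms
    return packet_bytes * 8 * packets_per_second / 1000


def header_share_kbps(codec, packet_ms=20):
    """The 'control' portion: header bytes alone, in kbit/s."""
    return RTP_UDP_IP_HEADER_BYTES * 8 * (1000 / packet_ms) / 1000


def calls_per_link(link_kbps, per_call_kbps):
    """Whole calls that fit on a link of the given capacity (one stream per direction,
    so this is the per-direction figure for a full-duplex link)."""
    return math.floor(link_kbps / per_call_kbps)


if __name__ == "__main__":
    print("codec   interval   per-call   header   calls per T1 payload")
    for codec in CODECS:
        for ms in (20, 40):
            per_call = voip_call_kbps(codec, ms)
            print(f"{codec:7} {ms:>5} ms {per_call:8.1f}k {header_share_kbps(codec, ms):7.1f}k"
                  f" {calls_per_link(T1_PAYLOAD_KBPS, per_call):6}")
    print("TDM G.711 on the same T1:", calls_per_link(T1_PAYLOAD_KBPS, 64), "calls")
    print("G.711 incl. Ethernet:", voip_call_kbps("G.711", 20, ETHERNET_OVERHEAD_BYTES), "kbit/s")
```

Note that the "control" share is pure framing overhead and does not shrink with the codec, which is why compressing the payload from 64k to 8k only gets you from 80k to 24k at 20 ms; you have to lengthen the packet interval (more delay) or compress headers to reach the 16k figure.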

  2. Which one was it? by Laser_iCE · · Score: 4, Funny

    admin or password?

    1. Re:Which one was it? by mail2345 · · Score: 2, Informative

      Article: mainly by exploiting factory-set or default passwords on the voicemail systems
      So, linksys?

    2. Re:Which one was it? by infolation · · Score: 4, Informative

      Actually the DoJ papers say the PBX systems were Nortel, Lucent, Bizphone and Panasonic.

    3. Re:Which one was it? by vux984 · · Score: 2, Insightful

      It has nothing to do with the type of PBX, but with the admins using it. And yes, the company I work for mostly keeps the original passwords on the PBXs they deploy, because most customers have a lousy policy when it comes to keeping passwords.

      So why doesn't your company set the password to a random string, *keep a record for yourself in the customer file*, and then tell the customer what it is?

      1) If they change it and keep records for themselves properly: GREAT.
      2) If they don't change it, and leave it the way you set it up... well, not great, but still pretty good. Nobody is ever going to get in remotely. And it's a vast improvement over leaving it on the default. And if they call you for support 5 years from now, and they never changed it, that's exactly what your records are for.
      3) If they change it and forget it, well, there's nothing you can do about those people no matter what you do.
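The installer-side practice proposed above (random password per deployment, a record in the customer file, and never a factory default left in place) is easy to make mechanical. The following is an added example, not code from the thread or from any PBX vendor: it provisions a per-customer admin password with the `secrets` module, keeps the record the installer needs for later support calls, and audits the whole customer file for the three things that make a PBX fleet cheap to break into: a value still on a known default, one password shared across several deployments (which is what "keeping the original password" amounts to), and passwords too short to resist guessing. The customer names, models and the `KNOWN_DEFAULTS` set are constructed; the latter only contains the values the thread itself jokes about.

```python
import json
import math
import secrets
import string
from collections import Counter

ALPHABET = string.ascii_letters + string.digits   # 62 symbols; PBX admin UIs rarely allow more
MIN_ENTROPY_BITS = 64                             # assumed policy threshold
# Constructed list drawn from this thread's jokes; a real audit would load the vendor defaults.
KNOWN_DEFAULTS = {"admin", "password", "12345", "qwert"}


def generate_admin_password(length=16):
    """Cryptographically random password drawn uniformly from ALPHABET."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(password, alphabet_size=len(ALPHABET)):
    """Upper bound on guessing entropy if every character was chosen uniformly."""
    return len(password) * math.log2(alphabet_size)


def provision(customer_file, customer, pbx_model, password=None):
    """Assign one deployment its own admin password and record it for the installer.

    `password` is only overridable here so the audit below can be demonstrated
    against deployments that were (wrongly) left on a default.
    """
    password = password or generate_admin_password()
    customer_file[customer] = {"pbx_model": pbx_model, "admin_password": password}
    return password


def audit(customer_file):
    """Return (customer, finding) pairs for every deployment that fails a check."""
    findings = []
    uses = Counter(rec["admin_password"] for rec in customer_file.values())
    for customer, rec in customer_file.items():
        pw = rec["admin_password"]
        if pw.lower() in KNOWN_DEFAULTS:
            findings.append((customer, "known-default"))
        if uses[pw] > 1:
            findings.append((customer, "shared-across-deployments"))
        if entropy_bits(pw) < MIN_ENTROPY_BITS:
            findings.append((customer, "low-entropy"))
    return findings


if __name__ == "__main__":
    customer_file = {}                                  # constructed installer record
    provision(customer_file, "acme-widgets", "model-X", password="admin")   # left on default
    provision(customer_file, "bolt-plumbing", "model-X", password="admin")  # same default again
    provision(customer_file, "cobb-dental", "model-Y")                      # done properly
    provision(customer_file, "dent-motors", "model-Y")
    print(json.dumps(customer_file, indent=2))
    for customer, finding in audit(customer_file):
        print(f"{customer}: {finding}")
```

Two deployments on the same default trip all three checks, while the randomly provisioned ones trip none; the record printed at the end is the "customer file" the comment refers to, so it obviously needs to be protected at least as well as the PBXs it unlocks.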

  3. Yea well by Anonymous Coward · · Score: 3, Interesting

    Maybe governments should figure out it's the 21st century out there, and stop treating phone traffic as a source of tax revenue, instead of treating it exactly like every other kind of electronic traffic (internet, bank transactions, etc.), which is tax free the way it should be. Then those "terrorist groups" would suddenly find themselves out of profit.

    CAPTCHA: Rackets. How appropriate.

  4. Telcos suck by Anonymous Coward · · Score: 4, Interesting

    12 million minutes of unauthorized phone calls through the system, valued at more than $55 million.

    ... or a lot less.
    $5 per minute?!! Just to route some packets a bit farther?
    And then telcos wonder why IP phones are eating their lunch.

    Maybe they're using MAFIAA math... Each minute causes $5 worth of damage to their network...?

  5. Hacking? by EdIII · · Score: 5, Interesting

    These were default passwords on more than likely open ports. I would hardly call that hacking. That would be like walking by a house with an open door and saying you picked the lock by walking inside.

    One heck of an expensive lesson to the IT guys responsible. Never leave default passwords is Rule #1. Or at least in the top 3.

    1. Re:Hacking? by Anonymous Coward · · Score: 2, Interesting

      Aye, but trespassing is trespassing.

    2. Re:Hacking? by Thundarr+Trollgrim · · Score: 2, Informative

      "trespassing is trespassing"

      Now that we have the glaring truisms out of the way... That is entirely irrelevant. The parent was stating that it was not hacking; hacking and trespassing are not the same thing, although one may include the other.

    3. Re:Hacking? by shentino · · Score: 2, Insightful

      That's different.

      A web server is not a home, and web pages not protected by htaccess could presumably be public.

      Not using htaccess would probably be counted as constructive permission anyway, since a website has to be published/brought online to be accessed at all, whereas a home has no such requirement to be entered, invasively or otherwise.

    4. Re:Hacking? by shentino · · Score: 2, Funny

      You must work for LifeLock

    5. Re:Hacking? by iamdrscience · · Score: 2, Funny

      Never leave default passwords is Rule #1. Or at least in the top 3.

      Indeed. The rules of IT:

      1. You do not talk about IT.
      2. You DO NOT talk about IT.
      3. Never leave default passwords.
      4. No girls allowed.

  6. Hackers, hacks ??!? by Alwin Henseler · · Score: 4, Insightful

    If factory-set default passwords were used to gain access to the systems and use them, what exactly did they 'hack'?

    That would seem like a typical case of unauthorized use of a system to me, but hardly qualify as 'hacking'. When legal charges are to be brought, use a correct description of the crime, will you?

    "Your honor, there was a gaping hole where the door used to be! I didn't even have to touch the doorknob!"
    "I don't care! Since a computer system was involved, you broke into the place, understood?"

    1. Re:Hackers, hacks ??!? by dns_server · · Score: 2, Informative

      "Hacking" laws are generally written with that language.
      The COMPUTER CRIMES ACT 1997 has as section 3. "Unauthorized access to computer material."

    2. Re:Hackers, hacks ??!? by Dare nMc · · Score: 2, Informative

      The last PBX system I did has the default admin password but, 1) it is behind NAT, 2) behind a firewall, 3) the trunk to the main office is wrapped inside the VPN (VPN not default password).
      Likely they need a botnet to scan ports, or some social engineering to find their way inside the networks. Another option is to trick the box into accepting a second trunk. The last possibility is they placed calls, and knew which keys to get, or which modem-type capabilities to try and exploit, so they have to take several guesses at which system they are hitting.
      Even having dealt with many PBXs, it takes considerable effort on most of them, even with full access, to get these non-standard call-ins and be able to call back out... (available feature on many systems, but not a standard line setting; it needs to be enabled/set up...)

  7. Re:$55 million by bruce_the_loon · · Score: 5, Informative

    You are forgetting the reciprocal costs of phone calls. You break out of the network to another telco, most of the time there are costs per minute. You pay for access to the circuit. Add international calls to this and the numbers climb.

    Most telcos have reciprocals in place that say if Telco A made 1000 minutes of calls to Telco B, and Telco B made 1000 minutes to Telco A, they call it quits. Now if A made 1000000 minutes to B, B wants its money. And A has nobody to send the bill to because they were stupid and didn't change the passwords.

    --
    Trying to become famous by taking photos. Visit my homepage please.

  8. Re:12345 post by masshuu · · Score: 3, Funny

    access denied
    (hint: the default password for the system is "qwert" if this is your first time accessing it)

    --
    O.o

  9. Privacy? What privacy? (use encryption folks) by operator_error · · Score: 2, Informative

    Wait! before I thought only the NSA by statute and Google (because Google is truly eViL by supplying the NSA (& NASA!) with technology & staff), could listen to my phone calls, transcribe, translate, & index them into perpetuity. But now I'm reading the Italian mafia can listen in too?

    Of course this explains why the Italian mafia learned a while ago to encrypt their own calls. On-the-job training if you ask me.

    FWIW, there's an Asterisk module for pretty good privacy: http://www.zfoneproject.com/prod_asterisk.html

    http://www.securitymanagement.com/article/new-voip-encryption-challenges-005680

    Why not?

  10. Re:12345 post by EdIII · · Score: 3, Funny

    12345

    That's the kinda thing an idiot would have on his luggage.

  11. Sue the people who neglected to change passwords? by kasperd · · Score: 2, Interesting

    Is it illegal to support terrorism by being remiss? The people who left those default passwords have indirectly supported terrorists, even if it was unintentional. Can they be sentenced for that, should they be? I think they ought to be fined for it, but I don't think they deserve as harsh a punishment as the people who abused the systems for economic gain.

    --

    Do you care about the security of your wireless mouse?

  12. Re:12345 post by smittyoneeach · · Score: 2, Funny

    That's the kind of thing an idiot would post in reply to a slashdot post about a luggage combination.

    --
    Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear

  13. Re:Feh. by mjwx · · Score: 4, Insightful

    The companies that got 'hacked' should get a serious talking to by the anti-terrorism folks.

    Am I the only one that finds this "terrorism" link a bit absurd? Having travelled in SE Asia I sincerely doubt that this money was filtered into "terrorist" hands. All that has happened here is that a small number of enterprising Filipinos have made themselves rich enough to retire (rich enough for their kids to retire in the Philippines). If they've been caught then they've just made the cops rich enough to retire as well.

    It just seems the "evil terrorist" card is played every time law enforcement fucks up and wants to keep people from questioning that.

    --
    Calling someone a "hater" only means you can not rationally rebut their argument.

  14. It's probably a DISA hack by wintermute000 · · Score: 2, Informative

    Guys, it's probably a DISA they discovered, NOT CLI ACCESS TO THE PABX...

    Many PABXs have a feature where a specific incoming extension (DISA) is configured to allow calls to be re-routed from the PABX if you enter the correct PIN.

    E.g. you dial into the secret number, enter the secret PIN, then from there you have full access to the PABX's destination codes.
    So e.g. if your DISA extension is 333-88888, and the PIN is 12345, and you dial 0 for external, then dialling this would work: 333-88888-12345-0-(number you want to dial). The call would then be originated from the PABX instead of the caller.

    This is mostly used for troubleshooting, because in PABX tie-line networks your number codes determine how your calls route; with complex tie-line networks you end up with destination codes upon destination codes, which require a lot of thinking to get right as it's basically a huge, layered sequence of static routes.

    Anyhow, back in my TDM days I used to run PABXs for a large corporation. A few years before I started the EXACT SAME THING happened to us: someone phreaked the PIN code to the DISA number and was then selling calling cards in the Philippines that rerouted using one of our PABXs' DISA, lol.
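The DISA mechanism described in this comment has a distinctive footprint in the PBX's own call detail records: an outbound call whose originating leg is the DISA entry point rather than an internal extension, typically to an international destination, outside business hours, and in volume from the same inbound caller ID. The script below is an added example and not code from the thread or from any PBX product. It runs three such rules over a constructed, Asterisk-style CDR extract; the `from-disa` dialplan context, the international prefixes, the business-hours window and the per-caller threshold are all assumptions that would be adapted to a real system's dialplan and billing export.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Assumptions (not settings from any particular PBX):
DISA_CONTEXT = "from-disa"          # dialplan context given to legs re-originated through DISA
INTL_PREFIXES = ("011", "00", "+")  # international dialling prefixes from the home country
BUSINESS_HOURS = range(7, 19)       # 07:00-18:59 local; anything else counts as off-hours
MAX_DISA_CALLS_PER_SRC = 2          # more DISA re-originations than this per caller ID is suspicious

# Constructed sample: two ordinary calls, one caller ID using DISA three times at night to
# reach Italian numbers, and one legitimate daytime DISA use to an internal extension.
SAMPLE_CDR = """calldate,src,dst,dcontext,disposition,billsec
2009-06-12 09:15:02,+15550100,2040,from-pstn,ANSWERED,120
2009-06-12 09:40:11,2040,+15550199,from-internal,ANSWERED,300
2009-06-12 02:14:07,+15550177,33388888,from-pstn,ANSWERED,8
2009-06-12 02:14:30,+15550177,01139061234567,from-disa,ANSWERED,1800
2009-06-12 02:45:03,+15550177,01139061234568,from-disa,ANSWERED,1750
2009-06-12 03:10:44,+15550177,01139061234569,from-disa,ANSWERED,1900
2009-06-12 14:05:12,+15550150,2031,from-disa,ANSWERED,60
"""


def parse_cdr(text):
    """Parse the CSV export into dicts with typed calldate and billsec fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["calldate"] = datetime.strptime(row["calldate"], "%Y-%m-%d %H:%M:%S")
        row["billsec"] = int(row["billsec"])
        rows.append(row)
    return rows


def is_international(dst):
    return dst.startswith(INTL_PREFIXES)


def analyze(text):
    """Apply the three DISA-abuse rules; returns per-call alerts plus per-caller aggregates."""
    per_call = []
    disa_calls = Counter()     # DISA re-originations per inbound caller ID
    disa_seconds = Counter()   # billable seconds of DISA-originated traffic per caller ID
    for r in parse_cdr(text):
        if r["dcontext"] != DISA_CONTEXT:
            continue
        disa_calls[r["src"]] += 1
        disa_seconds[r["src"]] += r["billsec"]
        if is_international(r["dst"]):
            per_call.append(("disa-international", r["src"], r["dst"]))
        if r["calldate"].hour not in BUSINESS_HOURS:
            per_call.append(("disa-off-hours", r["src"], r["dst"]))
    high_volume = {src: n for src, n in disa_calls.items() if n > MAX_DISA_CALLS_PER_SRC}
    return {"per_call": per_call, "high_volume": high_volume,
            "disa_seconds": dict(disa_seconds)}


if __name__ == "__main__":
    result = analyze(SAMPLE_CDR)
    for rule, src, dst in result["per_call"]:
        print(f"{rule:20} caller={src} dialed={dst}")
    for src, n in result["high_volume"].items():
        minutes = result["disa_seconds"][src] / 60
        print(f"high-volume DISA use  caller={src} calls={n} minutes={minutes:.0f}")
```

The daytime DISA call to an internal extension produces no alert, which is the point of scoring on destination, time and volume rather than on DISA use as such; the same rules expressed as a nightly query against the billing database would have surfaced the "12 million minutes" long before the carrier's reciprocal bill did.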

  15. simple solution.. by orange47 · · Score: 3, Funny

    ..make all default passwords hard to guess!

    1. Re:simple solution.. by Celeste R · · Score: 2, Funny

      Nobody would suspect the

      spanishinquisition

      --
      There are no perfect answers, only the right questions. More questions at http://foresightandhindsight.blogspot.com/

  16. Missed Call Centrees by Luthair · · Score: 3, Funny

    At first I thought it was trying to claim that 3 men used 12 million minutes of phone time, I mean three women I could believe!

  17. Re:Feh. by DNS-and-BIND · · Score: 3, Informative

    Actually a lot of organized crime funds terrorism. I'm sure on your travels in SE Asia, you didn't see any so obviously it doesn't exist. If it seems absurd to you, then we're sorry and will try to let reality intrude less next time.

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!

  18. Re:Feh. by Sique · · Score: 2, Insightful

    But that's just because we are pretty good at labelling everything "terrorist" right now. It always was a tactic of organized crime to either make the local police part of the organization or assassinate the policemen who didn't conform. Today, assassinating a local police officer surely gets labelled "terrorism".

    --
    .sig: Sique *sigh*