Hackers are busy targeting PBXs, particularly multinationals’ PBXs, using them to bounce calls from one exchange to another — to steal long-distance calls.
These dodgy services are being on-sold to consumers, by way of low-cost phone cards, says Nelson DaSilva, a Sydney-based systems engineer with security company Fortinet.
Because of the increased use of voice-over IP and IP-based PBXs, private exchanges need to be properly secured these days — and given as much attention as other computer systems and networks.
DaSilva says a call from New Zealand to the United States on such a network may go by way of Algeria, with resulting low quality, but the biggest loser will be the PBX owner, whose bandwidth is being stolen — perhaps without the company even knowing this is happening.
DaSilva cites the recent case of an Australian business whose Nortel exchange was hacked. It found itself with an extra A$1,800 (NZ$1,996) on its bill for calls its staff had not made.
Nortel Australia spokesman Mitch Radomir confirms the story of the hacked exchange, but says if it’s the story he knows about, it didn’t involve a PBX in the strict sense but rather a smaller keyphone system. Diagnostics showed the intrusion came through use of an administrator’s password, rather than any sophisticated, low-level virus-type penetration.
“Either the password was written on a post-it note or the default password [installed at the factory] was left in the system when it should have been changed,” he says.
Small systems are if anything more vulnerable than larger exchanges, because they are unlikely to have a full-time administrator who can devise and practise proper security, says Radomir. Surveys have shown that 89% of irregular use of PBXs is traceable to company employees who have inside knowledge, he says.
However, Radomir confirms that administrator-level penetration could be used to call a line in the UK, then one in India and link them together at the PBX owner’s expense. PBX connections should be on an independent LAN inaccessible from the organisation’s computer networks, he says. All configuration changes should be done from a dedicated terminal with an encrypted connection.
Banks have tools in place to detect unusual patterns in charges to customers’ accounts, says DaSilva. And they may query an unusual payment with the customer before he or she knows anything is wrong, and will certainly give the customer the chance to deny having made the payment. In most cases, the customer will not be liable for any fraudulent transaction.
Telephone companies, however, have no such tradition of warning and dispute-handling. “They will just hand you a big bill and expect you to accept full liability, even for fraudulent traffic,” DaSilva says.
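Because the carrier will not flag the traffic for you, the PBX owner has to screen its own call detail records. The following added example (not from the article, Fortinet or Nortel) does that over a few constructed CDR lines, flagging off-hours international calls and the bridged-leg pattern Radomir describes; the CSV CDR layout, the +64 home prefix, the business hours and the rule thresholds are all assumptions.

```python
from datetime import datetime, timedelta
from itertools import combinations

# Constructed sample CDRs (not real traffic): start time, extension, dialled number, seconds.
SAMPLE_CDRS = """\
2006-03-14 02:13:05,201,+441632960123,1840
2006-03-14 02:13:09,201,+911123456789,1835
2006-03-14 03:05:00,201,+21321123456,900
2006-03-14 09:45:11,105,+6449123456,120
2006-03-14 10:02:30,117,+12125550100,300
"""

HOME_PREFIX = "+64"            # assumption: a New Zealand PBX; anything else is international
BUSINESS_HOURS = range(7, 20)  # assumption: 07:00-19:59 local time


def parse_cdrs(text):
    """Parse the simplified CSV CDR format above into dicts with absolute start/end times."""
    rows = []
    for line in text.strip().splitlines():
        ts, ext, number, seconds = line.split(",")
        start = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        rows.append({"ext": ext, "number": number, "start": start,
                     "end": start + timedelta(seconds=int(seconds))})
    return rows


def find_suspicious(rows):
    """Return (rule, extension, detail) alerts for toll-fraud patterns."""
    alerts = []
    intl = [r for r in rows if not r["number"].startswith(HOME_PREFIX)]
    # Rule 1: international calls placed outside business hours.
    for r in intl:
        if r["start"].hour not in BUSINESS_HOURS:
            alerts.append(("off-hours-international", r["ext"], r["number"]))
    # Rule 2: two international legs from the same extension overlapping in time,
    # the signature of an intruder bridging two outside lines through the PBX.
    for a, b in combinations(intl, 2):
        if a["ext"] == b["ext"] and a["start"] < b["end"] and b["start"] < a["end"]:
            alerts.append(("bridged-international", a["ext"],
                           f'{a["number"]}<->{b["number"]}'))
    return alerts


def screen_sample():
    """Run both rules over the constructed sample and return the alert list."""
    return find_suspicious(parse_cdrs(SAMPLE_CDRS))


if __name__ == "__main__":
    for rule, ext, detail in screen_sample():
        print(f"{rule:24} ext {ext}: {detail}")
```

Real PBXs export CDRs in vendor-specific formats, so the parser is the part to adapt; the two rules carry over unchanged.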
The biggest danger with VoIP is a denial-of-service attack on the gateway, blocking calls or rendering them incomprehensible. A lesser offence, but still annoying, is spam to VoIP phones and mobile phones — and with multimedia capability now being built into phones such messages can be quite bulky.
VoIP phishing is also emerging, with users being urged to call a certain number. The number will connect to a scammer, who will try to persuade the user to give away personal information that will provide an opening for theft.
People tend to be more vulnerable to deception by phone, because they don’t think of the phone as new technology, DaSilva says. “It’s trusted in a way that people don’t yet completely trust computers.”
DaSilva says unified threat management is an effective answer to the many different kinds of threats emerging. One security system to handle electronic intrusions of all types gives economies of scale and maintenance.
“If something goes wrong you only need to troubleshoot one device — not several.”
DaSilva and fellow security specialist Ignatius Gigis, from Computer Security, were in Wellington and Auckland earlier this month, giving seminars to local users about new electronic threats and precautions.