In his “Security Fix” blog at the Washington Post, Brian Krebs has an article reporting on a scheme to steal international telephone service from more than 2500 organizations that have PBXs, to the tune of $55 million in charges. The target firms were in the US, Canada, Australia, and Europe. According to the indictment, a group of hackers broke into the PBX systems, and then sold access to those systems to a group in Italy that ran international calling centers:
The indictment alleges that between October 2005 and December 2008, Manila residents Mahmoud Nusier, Paul Michael Kwan and Nancy Gomez broke into PBX systems, mainly by exploiting factory-set or default passwords on the voicemail systems. The government charges that their Italian call center operators paid the hackers $100 for each hacked PBX system they found.
The call centers would advertise cheap international calls, and could turn a tidy profit, since they paid only for the initial call to the victim’s PBX, and nothing for the international portion of the call.
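The scheme described above leaves a recognisable trace in the PBX's own call detail records (CDRs): a short inbound call to the voicemail or auto-attendant port, followed within seconds by an outbound international call on the same session, usually at night and in volume. The following script is an added example, not code from the original post or from any PBX vendor; it runs both checks over a few constructed CDR lines. The CSV layout, the field names, the `+1` home country code, the 60-second call-through window and the after-hours threshold are all assumptions made for the example and would need to be adapted to a real switch's CDR export.

```python
"""Toll-fraud detection over PBX call detail records (added example).

Flags two patterns a dial-through scam produces in CDRs:
  1. an inbound call followed shortly by an outbound international call on
     the same leg (call-through via the voicemail/attendant port), and
  2. bursts of outbound international calls outside business hours.
CDR format, field names, home country code and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CDRs (not real data):
# timestamp, direction, source, destination, duration_seconds, leg_id
SAMPLE_CDRS = """\
2008-11-03T02:14:05,IN,+12125550101,VM-ATTENDANT,18,A1
2008-11-03T02:14:21,OUT,VM-ATTENDANT,+2348012345678,1410,A1
2008-11-03T02:16:40,IN,+12125550101,VM-ATTENDANT,12,A2
2008-11-03T02:16:50,OUT,VM-ATTENDANT,+3519123456789,2200,A2
2008-11-03T02:19:02,IN,+12125550101,VM-ATTENDANT,9,A3
2008-11-03T02:19:10,OUT,VM-ATTENDANT,+5511987654321,1850,A3
2008-11-03T10:05:00,OUT,ext204,+442071234567,320,B1
2008-11-03T14:30:00,OUT,ext117,+16175550199,95,B2
"""


def parse_cdrs(text):
    """Parse the assumed CSV CDR format into one dict per record."""
    records = []
    for line in text.strip().splitlines():
        ts, direction, src, dst, duration, leg = line.split(",")
        records.append({
            "ts": datetime.fromisoformat(ts),
            "direction": direction,      # "IN" or "OUT"
            "src": src,
            "dst": dst,
            "duration": int(duration),   # seconds
            "leg": leg,                  # session id linking the two legs
        })
    return records


def is_international(number, home_prefix="+1"):
    """True for an E.164 number outside the assumed home country code."""
    return number.startswith("+") and not number.startswith(home_prefix)


def find_call_through(records, window=timedelta(seconds=60)):
    """Legs where an inbound call is followed within `window` by an
    outbound international call: the signature of dial-through abuse."""
    by_leg = defaultdict(list)
    for rec in records:
        by_leg[rec["leg"]].append(rec)
    flagged = set()
    for leg, recs in by_leg.items():
        inbound = [r for r in recs if r["direction"] == "IN"]
        outbound = [r for r in recs
                    if r["direction"] == "OUT" and is_international(r["dst"])]
        for i in inbound:
            for o in outbound:
                if timedelta(0) <= o["ts"] - i["ts"] <= window:
                    flagged.add(leg)
    return sorted(flagged)


def after_hours_international(records, open_hour=7, close_hour=19, threshold=3):
    """Hour buckets with at least `threshold` outbound international calls
    placed outside the assumed business hours [open_hour, close_hour)."""
    counts = defaultdict(int)
    for rec in records:
        if rec["direction"] != "OUT" or not is_international(rec["dst"]):
            continue
        if open_hour <= rec["ts"].hour < close_hour:
            continue
        counts[rec["ts"].strftime("%Y-%m-%dT%H")] += 1
    return {bucket: n for bucket, n in counts.items() if n >= threshold}


def analyze(text):
    """Run both checks and report total outbound international minutes,
    which is roughly what the victim will see on the bill."""
    recs = parse_cdrs(text)
    intl_seconds = sum(r["duration"] for r in recs
                       if r["direction"] == "OUT" and is_international(r["dst"]))
    return {
        "call_through_legs": find_call_through(recs),
        "after_hours_buckets": after_hours_international(recs),
        "international_minutes": round(intl_seconds / 60, 1),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_CDRS).items():
        print(f"{key}: {value}")
```

The call-through check is the more specific of the two: an ordinary business rarely has an inbound caller reach the attendant port and then originate an international trunk call seconds later. The after-hours count is a coarser backstop that also catches abuse through other entry points, since the fraud in the article was run in bulk through call centers. Either signal should also be cross-checked against the carrier's daily usage report, because the PBX's own CDRs may be cleared or disabled by whoever holds the administrator password.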
You’ll note that the article identifies the main technique for getting access to these systems: using the default passwords installed on the PBX when it ships. I have installed a few PBX systems myself, and I can vouch for the fact that at least some of the vendors do tell you that you must change the default passwords immediately when the system is installed. So negligence and sheer stupidity on the part of the PBX owners contributed significantly to their own problems.
Unfortunately, this does not surprise me very much. One of the installations I worked on, about 15 years ago, was an AT&T PBX for a relatively small organization; it had an attractive option that would allow the vendor’s network operations center to perform remote diagnostic tests on the equipment. This sort of thing is, of course, a potential security hole; in this case, the remedy was to employ special modems with hardware encryption on both ends of the maintenance connection. That added about $800 to the price, and we had to have a significant argument with some of the business managers before they agreed to the expenditure. In that case, our argument was vindicated sooner than we expected: one of that firm’s competitors had installed the same system, but without the special modems, and had been rewarded with a $55,000 monthly telephone bill, due to the same sort of call-center scam mentioned in Mr. Krebs’s article.
Even back then, this was not a new phenomenon. Richard Feynman, the Nobel Prize-winning physicist who was also a notable prankster, has a section in his book, Surely You’re Joking, Mr. Feynman (New York: W.W. Norton & Co., ISBN 0-393-01921-7), about some of his experiences at Los Alamos while he was working on the Manhattan Project. In one of the chapters, “Safecracker Meets Safecracker”, he described how he gained a reputation as “Feynman the great safecracker” by learning about design flaws in some of the cabinets and safes used to hold classified information, and also by learning how many of his colleagues picked a common number for the combination (the value of π was popular, 3.14159), wrote the combination down on the inside of a desk drawer, or simply never bothered to change the factory default combination.
Security is not a product, but a process, and all the steps in the process have to be considered to arrive at a truly secure solution. Otherwise, ignoring some parts of the process, particularly the human elements, is like putting five pick-resistant locks on your front door, and leaving all the windows open.