Security Incidents mailing list archives

Re: War Dial on my PBX


From: "Volker Tanger" <volker.tanger () discon de>
Date: Wed, 25 Jun 2003 18:37:39 +0200

Greetings!

Are you sure the calls are not automated SPAM (voice or fax
telemarketers)? Such should be fairly easy to stop once you got a hold
of a single instance/copy, so I guess this is not the case.

So what you experience seems to be a brute-force attack against your
phone system where the attacker seems to try to get access to
connection and/or voicebox control. They usually call boxes/numbers and
try different combinations of DTMF in hope to find a combination that
gives them access. Often these access codes work even if they are not
announced in the voice help.


On Wed, 25 Jun 2003 01:03:26 -0500 "Dave Phelps"
<tippenring () tippenring com> wrote:
> There's not a lot you can do.

I'd like to object here. One is to secure your phone system (here:
Meridian). This way you can (depending on your business needs) disable
remote controlling and thus discourage phreaking attempts ("nothing to
gain here, sorry pal..."). Depending on the phone system you can even
try to tarpit callers (e.g. IVR set to loop a "Sorry, not implemented
- press 0 to return to main menu"). 

Second you can evaluate the logs - if the caller did not disable CLID
you have his number. Else - see previous posting: turn to your telco.


> As far as voicemail insecurity, the problem is virtually always the
> subscribers using weak passwords that get penetrated.

...or a weak configuration of the PBX itself, if it was left with all
possible services enabled. Especially the Meridian had a bad record of
being shipped with all stuff enabled as factory default. Strong
passwords did not help here, only bastioning (i.e. proper configuration)
of the system. 

OTOH we regularly find >60% of all voice box passwords still being set
to the default when performing an audit in companies.


Ask your contracted telephone system supplier/supporter for help to
secure your system. If he cannot help, ask experts, maybe even turn
directly to the hardware company. Shameless plug: we provide such
support for Nortel, Ericsson and (of course) DeTeWe systems in
(continental) Europe.

Bye

Volker Tanger

ITK-Security
DeTeWe AG & Co. KG

Fon +49 30 6104-3307
Fax +49 30 6104-3435
http://www.detewe.de/
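
The log evaluation suggested in the message above, as an added example that is not part of the original post: it flags callers who place short calls to many distinct extensions within a short window, and reports calls with withheld CLID as their own group, since those need the telco to trace. The CSV layout, thresholds and sample records are constructed assumptions, not a Meridian log format.

```python
import csv, io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. Hypothetical CSV layout (not a Meridian format):
# call start, calling number (empty = CLID withheld), dialled extension, seconds
SAMPLE_CDR = """\
2003-06-24 23:01:10,5550100,4101,9
2003-06-24 23:01:40,5550100,4102,11
2003-06-24 23:02:15,5550100,4103,8
2003-06-24 23:02:50,5550100,4104,12
2003-06-24 23:03:20,5550100,4105,10
2003-06-24 23:03:55,5550100,4106,9
2003-06-24 09:15:00,5550142,4101,310
2003-06-24 14:20:00,5550142,4107,185
2003-06-25 02:10:05,,4201,7
2003-06-25 02:10:45,,4202,6
2003-06-25 02:11:30,,4203,8
2003-06-25 02:12:10,,4204,7
2003-06-25 02:12:55,,4205,9
2003-06-24 11:00:00,5550177,4300,15
2003-06-24 11:05:00,5550177,4300,12
2003-06-24 11:09:00,5550177,4300,14
"""

def find_probing(cdr_text, window=timedelta(minutes=10), min_ext=5, max_dur=20):
    """Return {caller: extensions} for callers placing short calls (<= max_dur s)
    to at least min_ext distinct extensions inside one sliding time window."""
    calls = defaultdict(list)
    for row in csv.reader(io.StringIO(cdr_text)):
        if not row:
            continue
        ts, clid, ext, dur = row
        if int(dur) <= max_dur:  # long calls are ordinary conversations
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
            # All withheld-CLID calls share one bucket; only the telco can split them
            calls[clid or "WITHHELD"].append((when, ext))
    flagged = {}
    for caller, events in calls.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # shrink the window from the left
            exts = {e for _, e in events[start:end + 1]}
            if len(exts) >= min_ext:
                flagged.setdefault(caller, set()).update(exts)
    return {caller: sorted(exts) for caller, exts in flagged.items()}
```

Repeated short calls to a single extension (caller 5550177 in the sample) are not flagged by this rule; it only looks at the spread across extensions.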


