Are hackers accessing your company via your PBX?

[InfoSec News <isn () c4i org>]

http://www.itweb.co.za/sections/techforum/2002/0209050728.asp?A=TEP&S=Telephony&T=Section&O=FPSH

By John Van Munckhof
5 September 2002  

Although most companies today have improved security on their data
networks, thus cutting down on white-collar crime and hack attacks,
too few have paid enough attention to their PBX system. The PBX
remains a potentially huge back door problem for data network
security.

"Many corporates have implemented firewalls as well as stringent
anti-virus and content filtering applications to reduce attack and
fraud," says John van den Munckhof, managing director of Dimension
Data Interactive Communications. "The PBX, however, remains a
significant loophole. All the perimeter security in the world can be
bypassed by a poorly configured authorised or unauthorised modem."

Indeed, as a leading communications publication puts it: "If you want
to do real damage to a business or institution, telecom infrastructure
is probably a better target than the corporate LAN or Web site. PBX
hacking may not sound glamorous by comparison with elite Internet
penetrations, but it can be just as damaging. Attacks on PBXs, ACDS,
voicemail, voice-response units, and other infrastructure can bring
down a company: make it unable to function, expose its secrets, damage
its reputation, burden it with telephone charges and the cost of
re-provisioning and repair after damage is done." (Source:  
Communications Convergence, April 2002. Securing your Switch by John
Jainschigg.)

By not securing the PBX, companies risk a number of costly problems.

"Poorly configured authorised or unauthorised modems enable an
attacker to do war dialling exercises on the PBX," explains Rob Brown
at network security specialists Dynamic Recovery Services (DRS). DRS,
in partnership with Dimension Data, markets the TeleWall PBX security
solution from SecureLogix.

"War dialling software allows the hacker to automatically dial a range
of numbers until it finds a fax or modem number. The hacker then uses
the modem to access the organisation. It can also identify the
management port on the PBX, which he can easily hack into to get free
reign over the entire PBX system."

Once in, the hacker can wreak chaos. He can change voicemail messages
and listen to messages that have been left.

"For example, he may change the voicemail message left by the CEO for
those trying to contact him, or he may listen to a highly confidential
message left for the CEO concerning an upcoming merger."

Once inside the PBX, the hacker can also create a virtual extension,
giving himself an outside line to use for international calls, thus
being able to run up huge bills on international calls.

Apart from outside attack, there is the very real threat of toll fraud
from within the company if the PBX is unsecured. This in turn can lead
to further external attack, where for example a hacker can piggyback
on an unauthorised modem that an employee has brought into the
organisation.

"If employees find that they can no longer get into their favourite
porn or sport Web site, because of newly installed content filtering,
they can simply bring in their own modem and use the dial-in facility
- but using the company's telephone system," says Brown.

"Alternatively, he can use a built-in laptop modem. Not only does this
create a back door to circumvent company policy, but when he dials out
a hacker can piggyback on the call, thus bypassing security on the
data network."

Employees often use the simple tactic of dialling internationally over
an unbarred fax line if their own desk telephones are barred.

"In the last month alone, we have talked to four different companies
that between them have run up toll fraud bills of R4 million - in
these cases, all unauthorised international calls," says Brown.

And many South African companies have seen huge surges in their
telephone bills when a reality television show requires viewers to
call in and vote.

Another problem companies and governmental organisations are more
aware of since 11 September is criminal or terrorist activity within
their organisations. They often also battle against unscrupulous
recruitment agencies that regularly poach their staff.

"The answer to all these problems is a PBX security system that sits
between the telecommunications provider and the company PBX," says Van
den Munckhof.

TeleWall is a PBX firewall and intrusion detection system that
effectively solves the last back door security problem on the data
network. It logs all call progress information and characterises all
call types.

"Basically it gives the same visibility to your voice network as your
data network," says Van den Munckhof.

The system can terminate all calls made to certain telephone numbers,
for example, competitors or even known criminals. It can also bar all
incoming calls from certain telephone numbers, for example,
recruitment agencies.

It will identify all calls made using unauthorised modems, and -
depending on the rules set by the company - either alert the
administrator and terminate the call immediately, or simply alert the
administrator.

It can also terminate all voice calls over fax lines, thus stopping
phone abuse.

"This is done in real-time, and is not a report that you get a week
later," says Van den Munckhof. "For example, if you suddenly see that
a number of employees are all dialling the same cellphone number, you
may want to check it out. Often it will be a prank call that is doing
the rounds, or a vote line, for example, and this number can
immediately be barred to prevent further unnecessary costs."

If TeleWall detects war dialling, this is identified as an attack,
terminated, and the administrator will be alerted via e-mail or fax.

"Perhaps most importantly, the system will enable you to see patterns,
which will then enable you to put the right policies and preventative
measures in place," says Van den Munckhof. "This will result in
significant cost savings."

TeleWall uses an Oracle database, and works with all brands of PBX. It
caters for analogue, digital and voice over IP and can be remotely
administered.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.