Voice and Telephony Security

A company's vulnerability to threats varies by its size and business type. For example, businesses that frequently engage in intense international bidding may find themselves in competition with a government-owned organization. Because the government often also owns the telephone company (the PTT), there is a temptation to "share" information by tapping the lines (all it takes is a butt set and knowing which trunks to tap into). While such occurrences are undoubtedly infrequent, they are a threat.

Toll fraud, on the other hand, is ubiquitous. Hackers use stolen calling cards to find a vulnerable PBX anywhere in the world and sell the number on the street (mostly for international calls). Poorly controlled voicemail options and DISA (direct inward system access) are excellent "hacker attractor" features. Medium-sized installations are preferred because they offer enough complexity and trunking to allow hackers to get into the system and run up the minutes before detection. Smaller key system sites do not have the capacity, and larger sites often (but not always!) have toll fraud detection systems (such as Telco Research or ISI Infortext's TSB TrunkWatch Service).

Two characteristics of the telephone system enhance the hacker's world of opportunity: (1) it is difficult to trace calls because they can be routed across many points in the system; and (2) hacking equipment is relatively cheap, consisting of a PC or even a dumb terminal hooked to a modem. Hackers (a.k.a. "phone phreaks") sometimes have specific PBX training; the hacker could be a disgruntled PBX technician (working for an end-user organization or the vendor). In addition to their technical background, hackers share explicit information over the Internet (see www.phonelosers.org). These individuals have a large universe of opportunity; they hack for a while on a voice system, find its vulnerabilities, and then wait for a major holiday and go in for the kill. Losses of $100,000 over four days are common. If holes in one PBX have been plugged, they go on to another. In some cases, they use a breach in one PBX to transfer to another, even less secure PBX.
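The holiday pattern described above is what a toll fraud detection check looks for in call detail records (CDRs). The following is an added example, not code from the original article or from any of the products it names; the CDR column layout, the holiday calendar, the business hours, the "011" international prefix and the alert threshold are all assumptions, and the sample records are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import date, datetime

# Constructed sample CDRs; the column layout is an assumption.
SAMPLE_CDR = """start,trunk,dialed,seconds
2024-07-03 10:15:00,T01,0114420795550100,600
2024-07-03 14:02:00,T02,12125550123,300
2024-07-04 01:10:00,T03,0119233555010,3600
2024-07-04 01:12:00,T03,0119233555011,3400
2024-07-04 02:30:00,T03,0119233555012,2900
2024-07-04 03:05:00,T01,0114420795550100,240
2024-07-05 23:40:00,T02,0115255555010,500
"""

HOLIDAYS = {date(2024, 7, 4)}   # assumed site holiday calendar
BUSINESS_HOURS = range(8, 18)   # assumed 08:00-17:59 local time
INTL_PREFIX = "011"             # assumed international dialing prefix
OFF_HOURS_LIMIT_MIN = 60        # assumed threshold: minutes per trunk per day


def is_off_hours(ts):
    """True on holidays, on weekends, or outside business hours."""
    return (ts.date() in HOLIDAYS or ts.weekday() >= 5
            or ts.hour not in BUSINESS_HOURS)


def off_hours_international_seconds(cdr_text):
    """Sum off-hours international call seconds per (day, trunk)."""
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(cdr_text)):
        ts = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        if row["dialed"].startswith(INTL_PREFIX) and is_off_hours(ts):
            totals[(ts.date(), row["trunk"])] += int(row["seconds"])
    return dict(totals)


def toll_fraud_alerts(cdr_text, limit=OFF_HOURS_LIMIT_MIN):
    """Return sorted (day, trunk, minutes) tuples whose minutes exceed limit."""
    totals = off_hours_international_seconds(cdr_text)
    return sorted((d, t, round(s / 60, 1))
                  for (d, t), s in totals.items() if s / 60 > limit)


if __name__ == "__main__":
    for day, trunk, minutes in toll_fraud_alerts(SAMPLE_CDR):
        print(f"ALERT {day} trunk {trunk}: {minutes} off-hours international minutes")
```

On the constructed records, only trunk T03 on the holiday crosses the threshold; the single short off-hours calls on T01 and T02 stay below it.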

The final category of security break, malicious pranks, gets inordinate attention from senior management — far beyond the economic damage usually incurred. For example, a voicemail greeting could be reprogrammed (just by guessing the password) to say, "Hello, this is Mr. John Doe, CEO of XYZ Company. I just want you to know that I would never personally use any of XYZ's products." Of course, not all changes are minor. A clever hacker who obtains control of the maintenance port can shut down all outgoing calls or change a routing table — there is no end to the damage if the maintenance port is compromised.
