Malicious Pranks & Using Security Tools to Offer More Services

Many of the same controls listed for toll fraud will help reduce the exposure to destructive changes by hackers. Some basic prevention steps include:

• Force changes of voicemail passwords. Most current voicemail manufacturers maintain a history of changes so that a user cannot change his password to one number and then quickly change it back to the same number he has used for the past ten years.

• Force passwords to be at least eight digits.

• Identify unused mailboxes (sometimes used by drug dealers as an untraceable mailbox for transactions).

• Never allow dial tone to be accessible from voicemail.

• Implement a class of service program that allows employees or on-premise contractors to have only the features they need. For example, the ability to modify someone else's telephone features is obviously powerful and dangerous if misused — a hacker who gains access to a phone with that level class of service could significantly disrupt operations. Review class of service annually.

Using Security Tools to Offer More Services

Although our discussion of security to this point has been from a defensive perspective, there are a few operational enhancements that come out of a good security system. Some of these include:

• Use of voice verification to allow DISA. By enrolling employees who normally use calling cards for business (salespeople, traveling professionals, etc.) in a voice print authorization system, calling card costs can be significantly reduced. By use of an 800 number to call in to the PBX and allow DISA for an outgoing call (after verification), a traveler can obtain the same services at a cheaper rate. Although she would pay for the call two ways (into the PBX and out to another location), the cost of calling card calls is usually so high that the organization still reduces costs. In particular, the cost of calling card international calls and intraLATA calls are often well above 800 number rates. Exhibit 1 shows a payback analysis using fictitious but typical calling card and 800 number rates. Savings in calling cards alone can pay for the security device, since the payback shown in less than one year. Of course, the payback calculation shown in Exhibit 1 will vary considerably, depending on the number of calls via calling cards, the percentage of users who would be willing to go through the voice registration process, per-minute costs of long-distance and calling card usage, and cost of the verification equipment itself (e.g., Veritel's Voicecheck technology).

Exhibit 1: Analysis of Potential Savings Using Voice Verification in Place of Calling Cards

• Access voicemail in areas of the world without touch-tone telephones. Using voice-activated-only voicemail (with appropriate speaker voice recognition) allows rotary users to go through menus within voicemail.

• Access special/confidential services. For example, Parlance Corporation has a service called Employee Connector that allows an individual to list multiple phone, pager, cellular, etc. numbers. These numbers can be dialed by saying, for example, "Ms. Doe's vacation home" or "Mr. Smith's New York office." Having this information would be useful for executives and their administrative assistants but might be too sensitive for the general employee population. By front ending this service with a security device, it would be practical to use it. Executives would feel confident that only those with a need to know would have access.

Business Loss Due to Disclosure of Confidential Information

Some organizations have found their bids for projects coming in at just above the competition on a consistent basis. This could be due to coincidence or to unauthorized disclosure. It is always a concern when sensitive information is passed over wires or air space.

Following are some techniques for securing confidential voice transmissions:

• Use a scrambling device such as SecureLogix Telewall, which has built-in encryption capability (the same device is required on both ends). The advantage of a trunk rather than handset-based approach is that the entire office or plant can be set up for encrypted conversations, assuming the other end (e.g., headquarters or a sister location) has a Telewall as well. The Motorola KG-95 also encrypts at the trunk level, unlike the older AT&T Surity 3600, which encrypts only from one handset to another. The Motorola product is shown in Exhibit 1. These devices, which enable point-to-point and multi-party encryption, protect the conversation from origin to destination (i.e., no intermediate points of clear conversation). Faxes can be protected as well. They typically have a secure/non-secure button that allows the telephone to be used in either mode, as required.

• 

Exhibit 1: Motorola End Crypto Unit, CI-13 (Courtesy of Motorola, Inc.)

• • Use IP encryption if the voice conversation is converted to IP traffic before transmission beyond the premises. The Borderguard NetSentry devices, for example, use DES (Data Encryption Standard), 3DES (triple DES), and IDEA (International Data Encryption Algorithm) to scramble any data going across the wire. Note that with the increasing power of microchips, it is much easier for determined hackers (or governments) to break codes. The following quote, found on an Internet security page (http://www.jumbo.com/pages/utilities/dos/crypt/sfs110.zip.docs.htp), illustrates how quickly algorithms once thought secure have become as antiquated as iron safes:

    Use of insecure algorithms designed by amateurs. This covers the algorithms used in the majority of commercial database, spread-sheet, and word processing programs such as Lotus 123, Lotus Symphony, Microsoft Excel, Microsoft Word, Paradox, Quattro Pro, WordPerfect, and many others. These systems are so simple to break that the author of at least one package which does so added several delay loops to his code simply to make it look as if there was actually some work involved.

  • Use an enterprisewide dialing plan to ensure that all calls go through the least cost and least public route. Calls that go over leased lines (tie lines) are easier to secure than calls going over the public switched telephone network (PSTN). Encryption equipment can be placed at both ends and the voice traffic can be converted to IP. Typically, dialing plans are implemented to facilitate ease of use for employees as well as least-cost routing. However, they also increase (at least to some extent) security. A dialing plan is implemented by making changes to every PBX in the organization's network so the user dials the same number to reach an individual regardless of what location the call is made from. For example, if Mary Doe's number is 789-1234 and she is located in a Memphis, Tennessee office, then she can be reached from London or Sydney by dialing 789-1234 (with no preceding country codes, etc.). The PBX has all the logic built in to convert the numbers to the appropriate route. A dialing plan also has the side benefit of increasing contact between the telecom staffs of various locations, resulting in an exchange of security information.

  Keep in mind that the U.S. Commerce Department as well as most international governments have significant regulations on the level of encryption used. The French government, in particular, has stringent laws against encrypting without permission.

Toll Fraud | Voice and Telephony Security

Prevention of toll fraud requires unceasing vigilance. Hacking is frequent and can result in large losses. For example, NASA and the Drug Enforcement Agency have both been hacked for millions of dollars. The basic steps for toll fraud prevention include the following:

• Protect the PBX maintenance port. Use passwords of at least ten characters and change them monthly. This is the absolute minimum protection. Far better is to use a two-factor authentication system, such as verification systems from Axent, CDI's Uniguard, or Avaya's ASG security gateway. Exhibit 1 illustrates a device used to control access to multiple ports, including the PBX. Such a device can be used to manage security for many devices.

• 

  Exhibit 1: Example of PBX Maintenance Port Protection Device (Uses Two-Factor Authentication)

• Use common sense calling restrictions. If your organization never makes calls to South America, restrict the calling patterns to eliminate that possibility. The telephone operators can be given a class of service that overrides that restriction on the chance that a legitimate call needs to be made to a restricted location. Calls can be restricted by time of day, day of the week, and location. For example, lobby area telephones should not generally have the ability to make long-distance telephone calls (or at least not international calls). If the organization does not do business on Sunday, restrict outgoing calls on that day. All "common area" telephones, such as those in lobbies, break areas, and conference rooms, may need to have after-hours restrictions. The mechanism for restricting functions on the PBX is the class of service. Many organizations, much to their later regret, have allowed the technical staff to set class of service policy. Because the technical staff is oriented toward pleasing the user, there is often escalation over time in the number of users who have the most powerful class of service. In the absence of policy, if a vice president asks a switch technician to enable dial-tone capabilities from an international location, the switch technician will most likely comply with the request.

• Use toll fraud insurance. Some PBX vendors and most common carriers will provide toll fraud insurance, as long as basic control mechanisms (that they specify) are in place. Typically there will be a deductible ($5000 to $20,000) per loss, but at least coverage for large losses is available. The carriers have sophisticated monitoring programs that identify an organization's typical usage patterns and flag unexplained and rapid increases in volumes to particular destinations. Also, some international locations are far more likely to be called by hackers than others (actually, hackers typically sell the "service" to individuals on the street, who then tend to call certain locations more than others).

• It is prudent to keep an up-to-date contact list of those management personnel authorized to make decisions regarding long-distance services. This list should be periodically sent to the vendor (carrier or PBX manufacturer) that is monitoring your traffic. For example, assume that your organization is attacked on a Saturday night. The monitoring service identifies hundreds of calls going to Bolivia and Columbia (countries with which you normally do not do business) and attempts to call a responsible party on your contact list. If they cannot reach someone in authority, they are hesitant to shut down all outgoing international business because you may have essential functions that require outgoing international calls.

• Put tight controls over tandem trunk calling (going into the PBX, then going to an outside line). DISA — allowing someone to call in, get dial tone, then call out — should be prohibited unless there is some security system in place to control it (e.g., voice verification). Some organizations will allow calls into voicemail, and then a transfer to dial tone (using a password). Given the ease of password cracking techniques now available, this service to employees can be expensive indeed. Better to provide them with calling cards for business-related calls outside the office (or an 800 number to dial into the office). Sometimes, vendors set up a new PBX and voicemail system and leave backdoor passwords as well as voicemail-to-dial tone capabilities (with only a two-digit password). In smaller locations, the organization will be completely dependent on vendor expertise. When a hacking incident occurs, the maintenance vendor may accept the responsibility or may say that the customer never instructed them to eliminate DISA, etc. Caveat emptor!

• Periodically review forwarding of extensions to dial tone. Any station forwarded to dial tone is "hacker bait."

• Educate your operators and employees to social engineering techniques. One technique widely practiced is for a hacker to call someone and say, for example, "I'm from PAC Bell and we are testing your system for some reported problems. Would you please forward me to 9011 so we can complete our trace of the system?" Of course, this transfer gives them dial tone. Another scam is for someone dressed in a delivery company uniform to arrive at the receiving desk to deliver a package for "Mr. X." Mr. X is not there and the hacker asks to use the telephone to call his boss. Apparently, he is put on hold and then gets in an involved conversation with his boss about wrong directions, etc. What he is actually doing is dialing a local number that charges a high per-minute charge for services (e.g., $15 per minute); he then gets a kickback from the service provider.

• Immediately request your local exchange carrier to disallow any third-party charges to the main number. Some prisoners, for example, will make long-distance calls and charge to any organization that allows third-party charges.

• Do not forget to periodically review your call accounting reports. Are there calls to a location that your organization has no business reason to call? Some hackers will keep the volume of calls sufficiently small to stay below the radar screen of the long-distance carrier's monitoring algorithms. Sort down minutes called by location and also list single calls in descending order of cost. A quick review can spot problem areas — including some that are unrelated to toll fraud (e.g., "stuck" modems).

• Educate users on the vulnerability of calling card theft. In some airports, "shoulder surfers" observe calling card numbers being keyed in and sell the numbers on the street as fast as possible. Using an 800 number to call back to the office reduces the frequency of calling card calls (as well as reducing the cost). Using a voice verification system to allow secure DISA (see discussion below) also decreases the need for card use. A user, in the interest of expediency, may occasionally give her card number to coworkers. Most carriers, when they detect multiple usage of the same calling card in widely separate geographic areas (e.g., Japan and the United States) within a short period of time, assume fraud. Ensure that all employees who need a card have one.

• Some organizations, concerned about potential misuse by their own employees, contractors, or temporary workers, use prepaid calling cards. The advantage of this technique is that a stolen card number would be used to its limit and then no further charges will accrue. The disadvantages are that it allows for no internal accounting of what the card was used for and that sometimes the card is not fully used.

• Monitor your organization's fax-on-demand server. To efficiently serve their customers, many firms will set up a fax-on-demand server that accepts a call from the public network and faxes requested information back to the caller. Hackers have recently begun to exploit this service in the following ways:

  • Repeatedly calling the fax-on-demand service, asking for faxes to be sent to a 900 or 976 number owned by the hacker (these area codes have a special surcharge associated with them). Of course, the information on the fax is not used, but the minutes accumulate and the calling party (i.e., the hacked party) is responsible for paying the toll.

  • Repeatedly calling a fax-on-demand service, merely to harass the organization by running up its long-distance bill.

  • Harassing individuals by sending the fax to a business or residence that did not request it (waking up people in the middle of the night, etc.).

  • One company was hit with over 2000 requests to send a long document to Israel, resulting in a $60,000 telephone bill. ^[4]

  • Techniques to detect and defend against fax-on-demand abuse include:

    • Check the fax system log (or call detail) for repetitive faxes to the same number.

    • Exclude all area codes where there is no reasonable expectation that the organization would do business.

    • Exclude area codes associated with high fraud incidence (e.g., 767 — Trinidad and Tobago; 868 — Dominican Republic). ^[5]

    • Monitor overall volume of faxes sent out.

    • Power off and on to clear the queue if it is obvious that the server has or is being attacked.

    • Monitor the fax server over the weekend (particularly long holiday weekends) because that is the favorite time for hackers to start their penetration.

• Make use of your organization's internal billing system. It is easier to spot unusual activity if long-distance bills are broken down by department. Make the internal reports easy to read, with appropriate summary information (e.g., by international location called), to provide the organization with more eyes to watch for unusual activity.

• Use appropriate hardware/software monitoring and toll restricting tools. Some features of these tools include:

  • Selectively allow or restrict specific telephone numbers and/or area codes.

  • Allow 0+ credit card access but restrict 0+ operator access.

  • Limit the duration of telephone calls in certain areas.

  • Restrict international toll access.

  • Provide for bypass codes.

  • Report on a daily basis (sent via e-mail) any suspicious activity, based on predefined exception conditions.

  
  

Voice and Telephony Security

A company's vulnerability to threats varies by its size and business type. For example, businesses that frequently engage in intense international bidding may find themselves in competition with a government-owned organization. Because the government often owns the telephone company as well (PTT), there is a temptation to "share" information by tapping the lines (all it takes is a butt set and knowing which trunks to tap into). While such occurrences are undoubtedly infrequent, they are a threat.

Toll fraud, on the other hand, is ubiquitous. Hackers use stolen calling cards to find a vulnerable PBX anywhere in the world and sell the number on the street (mostly for international calls). Poorly controlled voicemail options and DISA (direct inward system access) are excellent "hacker attractor" features. Medium-sized installations are preferred because they offer enough complexity and trunking to allow hackers to get into the system and run up the minutes before detection. Smaller key system sites do not have the capacity, and larger sites often (but not always!) have toll fraud detection systems (such as Telco Research or ISI Infortext's TSB TrunkWatch Service).

Two characteristics of the telephone system enhance the hacker's world of opportunity: (1) it is difficult to trace calls because they can be routed across many points in the system; and (2) hacking equipment is relatively cheap, consisting of a PC or even a dumb terminal hooked to a modem. Hackers (a.k.a. "phone phreaks") sometimes have specific PBX training. It could be a disgruntled PBX technician (working for an end-user organization or the vendor). In addition to their technical background, hackers share explicit information over the Internet (see www.phonelosers.org). These individuals have a large universe of opportunity; they hack for awhile on a voice system, find its vulnerabilities, and then wait for a major holiday and go in for the kill. Losses of $100,000 over four days are common. If holes in one PBX have been plugged, they go on to another. In some cases, they use a breach in one PBX to transfer to another, even less secure PBX.

The final category of security break, malicious pranks, gets inordinate attention from senior management — far beyond the economic damage usually incurred. For example, a voicemail greeting could be reprogrammed (just by guessing the password) to say, "Hello, this is Mr. John Doe, CEO of XYZ Company. I just want you to know that I would never personally use any of XYZ's products." Of course, not all changes are minor. A clever hacker who obtains control of the maintenance port can shut down all outgoing calls or change a routing table — there is no end to the damage if the maintenance port is compromised.