Tag Archive for PBX

| July 18, 2009
Comments Off on Weak PBX Passwords Cost $55 Million

Weak PBX Passwords Cost $55 Million

Weak PBX Passwords Cost $55 MillionThe U.S. Justice Department unsealed indictments against three Filipino residents on 06-12-2009 for an international PBX hacking scheme. According to Security Fix, the three are accused of hacking into thousands of private telephone networks in the U.S. and abroad, and then selling access to those networks at call centers in Italy that advertised cheap international calls and used the profits to help finance terrorist groups in Southeast Asia.

broke into PBX and voice mail systems, mainly by exploiting factory-set or default passwordsThe U.S. government alleges that the people arrested in the Philippines were responsible for hacking private branch exchange (PBX) systems and voice mail systems owned by more than 2,500 companies worldwide. The indictments allege that between October 2005 and December 2008, Manila residents Mahmoud Nusier, Paul Michael Kwan and Nancy Gomez broke into PBX and voice mail systems, mainly by exploiting factory-set or default passwords on the systems. According to Erez Liebermann,  assistant U.S. attorney for New Jersey, “The default passwords were left open in most of these PBX systems.”

The government charges that Italian call center operators paid the hackers $100 for each hacked PBX system they found. The defendants are charged with computer hacking, conspiracy to commit wire fraud, and access device fraud. The case was filed in the U.S. District Court of New Jersey, the home of long-distance provider AT&T. The documents allege the thieves used the hacked PBX systems to relay more than 12 million minutes in unauthorized international phone calls, or $55 million worth of telephone charges.

According to Reuters the defendants allegedly sold access to the compromised systems to 40-year-old Pakistani Mohammed Zamir, the manager of a call center in Brescia, Italy. Italian authorities arrested Zamir and at least four other Pakistani men operating call centers throughout Northern Italy. According to the AP and Carlo De Stefano, head of Italy’s anti-terrorism police unit, much of the proceeds were sent to the Philippines and may have been forwarded to Islamic extremist groups in the region, including Al-Qaeda-linked Abu Sayyaf. “There are strong suspicions and some clues, but nothing concrete,” De Stefano said.

Rb-

No matter the system (TCM, VoIP, SIP, T’s) sloppy installation practices can make any type of system vulnerable. That’s why I always include a requirement that all manufacturer and VAR account passwords be changed before the equipment is brought on-site and that they are changed by the Owner at the time of acceptance of the system. I have started to back this up by tying this requirement to their PLM bond requirements.

We also recommend to our clients that they disable international calling by default on their system and only allow it as required, based on the concept of least privilege.

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , ,
| July 5, 2008
Comments Off on Converting from Centrex to a PBX

Converting from Centrex to a PBX

Converting from Centrex to a PBXSomething to be aware of as you plan a migration from Centrex to PBX or VoIP. There is a potential that if the customer does not use the phone system that the LEC sells, the LEC may charge the customer for the in-house wiring.  There have been cases where the LEC was seeking over $100,000 for the wiring after the customer switched.

Cable plant

In some areas, regulators have allowed the LEC to carry some OSP (Outside Plant Cables) on the regulated side of the books so some projected accounting value minus the depreciation would need to be recovered by the LEC if the customer were to leave the LEC. OSP has a life expectancy of 25 years or more, especially in environmentally protected locations such as equipment rooms.

A general rule of thumb is if the cable is black jacketed it is OSP. If the cable is gray or beige it is Inside Wire or cable such as riser. In some states, at the time of the ATT break up and thereafter black jacketed cable is still carried on the LEC’s books while the gray jacket is expensed. However, the customer should talk to the LEC OSPE (Outside Plant Engineer) as soon as possible to determine your specific situation.

The OSPE may want the customer to buy the risers and black jacket, which may include a 50-year-old black jacket, a mixture of Paper & Lead (a method of insulating conductors using paper pulp and covering in a lead jacket) as well as more current PIC (Plastic Insulated Cable).

An option would be to rebuild the complex. This option could be less expensive and easier than negotiating with the OSPE to take over 50 years of infrastructure.  Infrastructure which will never support any modern high-speed services.

Rebuilding the infrastructure also provides an opportunity to turn the tables on the LEC. With their own infrastructure, it is possible for the Owner to tell the LEC to vacate the building since they no longer provide service beyond the MDF. Maybe this is your opportunity to link the buildings with fiber and replace older copper while it is in good shape (having been inside most of its life).

Another tactic would be to convince the Telco into certifying that they had “abandoned the cable in place.” If the LEC has installed the infrastructure, and if they want to claim ownership of the cable then they would be responsible for removing the cable as is required by state/local building codes. In many areas, if a cable is not terminated on both ends then it is considered to be abandoned and must be removed. Removing cable is almost as expensive as installing it.

PBX Circuit sales

Another advantage Owners may have is that the LEC is the Centrex provider. A PBX deployment still represents an opportunity for DS-1, DS-3, and trunks sale. Another lever would be to keep a small Centrex as a backup, as part of a business continuity plan as well as ISDN services to remote locations.

One consideration is that when taking over the cable plant the LEC will have to deal with the fact that there may be customers within the facilities that were not part of the enterprise and which were customers of the LEC. We ended up having to sign a “Shared Sheath” or condominium agreement with the owner. The condominium agreement will let the LEC support their customers on the Owners riser system. The Owner will have to provide a technician to help the LEC in mapping out cable pathways for their customers.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , ,