HP3000-L Archives

March 2002, Week 1

HP3000-L@RAVEN.UTC.EDU

Subject:
From: Art Bahrs <[log in to unmask]>
Reply To: Art Bahrs <[log in to unmask]>
Date: Thu, 7 Mar 2002 10:32:16 -0800
Content-Type: text/plain
Parts/Attachments: text/plain (139 lines)

Hi Mark :)
   I submitted a paper on InfoSec to Interex for this year's Interex... It
is aimed at the Novice-Intermediate level ... and deals with the things like
your solution paragraph points out...

   So let Interex know if you are interested in InfoSec tutorials... :)

   Also, remember that 80% of hacks are from within... Timothy Lloyd was
sentenced recently to 4.5 years prison time and $2,000,000 in restitution
for his destroying Omega Engineering's network back in 1996...  Physical
Security is a big thing too!

Art "watching always hehe " Bahrs


----- Original Message -----
From: "Mark Wonsil" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Thursday, March 07, 2002 6:51 AM
Subject: [HP3000-L] OT: Hacking and terrorism


> This came from an NT Newsletter.  I thought it was interesting in light of
> world events.  From http://www.w2knews.com/?id=348
>
> Postmortem: How Sunbelt Got Hacked
>
> It's just one of these things. You talk about security for years, you warn
> people once a week, protect your domains with many layers, and then some
> hacker walks right into your own open back door. [grin] At the end of this
> cautionary tale I will tell you what to do to prevent it in your own
> organization.
>
> Here is how this whole thing went down; it's not as bad as it could be, and
> our domains were never compromised. But it is egg on our face! Someone
> hacked into our phone system. It's called phreaking, and has been done for
> decades. Lucky for us he was just talking to people instead of using it to
> (try to) break into other systems.
>
> How did it start? Last Thursday one of our Reps found she could not use her
> voice mail box anymore. It was forwarded to some strange number. The Admin
> in charge frowned, reset it, and things worked again. Then last Friday, it
> happened again, and with not just one but with a few mailboxes. Now we
> really started looking!
>
> What the hacker did not know is that we have an advanced phone system that
> really is just software. The whole system is a W2K server in a special frame
> with 20 expansion slots. Each slot holds a card for 8 extensions. The
> software is powerful and allows you to reconfig anything on the fly instead
> of having to call your PBX vendor all the time if you move a few staff to
> new spots. The brand is Altigen.
>
> We started to look in the Altigen console, and found a few mailboxes that
> were forwarded to far away countries. When we started to trace these down,
> it turned out they were Pakistan, Saudi Arabia, Kuwait and the Philippines.
> Anyone that has followed the news recently can draw their own preliminary
> conclusions. So did we.
>
> Since we can see everything in real-time coming in and out of the system, it
> was clear that a hacker had compromised a few mailboxes and was using these
> to break into other companies' systems as well and create a chain of
> compromised PBX-es. In some cases we were the end of that chain, so we knew
> the final destination. The hacker was fairly smart in trying to hide their
> trail by dialing in, dialing out, and then dialing in again using another
> mailbox.
>
> However, since we could see and change things in real time, we took him off
> the voice T1 and rerouted him to a copper trunk which we could tap. And
> sure enough, an American- and Arabic-speaking male voice was busy making
> calls through several other companies' systems that he already "owned". So
> while he was happily tapping away, we recorded what he was doing and called
> the FBI.
>
> They actually are in a building 5 minutes from here, so shortly they were
> over and listening in. And since Altigen dumps all the data into a SQL
> database, we were able to give them both the voice recordings and a detailed
> track of all the calls, their origination and destination points and
> duration. They were happy we could provide them with all the data
> immediately, burned on a CD so they could start their analysis using Excel.
>
> The FBI agents told us that phone system hacking is happening thousands of
> times every day! And we had to shamefacedly admit that the password used for
> the compromised mailbox turned out to be the same as the extension. OUCH!
> The hacker simply cracked these mailboxes using this very simple trick. DUH.
> And me scoffing at the New York Times for using the last four digits of
> someone's social security number as their default passwords... [grumble]
>
> Luckily for us, the hacker never got into our W2K domains, and never used it
> for actual computer cracking, but a simple trick like this can cause damage
> in many other ways. Especially if one deals with a bit more sophisticated
> criminal elements. So we compiled all the evidence necessary and turned it
> over to the FBI Computer Crime Special Agents.
>
> We then shut the hacker down, and changed all mailbox passwords to something
> a bit more sophisticated. We also shut down all international calling
> ability for mailboxes that did not need it, which was about 95%, and made
> some other configuration changes in the Altigen console which I'll not go
> into. And to the hacker, if you read this, you were caught. Expect a tap on
> your shoulder any minute now.
>
> Lesson learned: USE STRONG PASSWORDS FOR THE PHONE SYSTEMS AS WELL. Monitor
> your phone system logs for unusual activity and out-of-normal-range events
> or durations, just like you would your networks, and set red flags. You could
> dump that stuff into a flat file and use a tool like ELM to ping you when
> things are out of the ordinary.
>
>
>

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
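The two lessons in the quoted newsletter, that a voicemail PIN equal to the extension is what let the intruder in and that call logs should be watched for off-range destinations and durations, as an added example that is not part of this mailing-list post, of Sunbelt's write-up, or of any Altigen software: a small Python pass over call-detail records. The record layout, the mailbox table, the thresholds, the "+1 means domestic" rule and every number below are constructed for illustration; a real PBX export will look different. Besides the weak-PIN audit and the destination/duration/hours checks, it also flags the dial-in-then-dial-out pattern the post describes, by pairing an inbound call to a mailbox with an international outbound call from the same mailbox shortly after.

```python
"""Weak-PIN audit and anomaly flags over constructed PBX call-detail records.

Added example, not from the mailing-list post or from any PBX vendor.
Every record, mailbox and threshold here is constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed mailbox inventory: extension -> (voicemail PIN, international calling allowed?)
MAILBOXES = {
    "2101": ("2101", False),    # PIN equals extension: the weakness described in the post
    "2102": ("739182", False),
    "2103": ("2103", True),     # same weakness, but this mailbox is allowed to dial abroad
    "2104": ("480216", True),
}

# Constructed CDR lines: timestamp, direction, extension, remote number, duration in seconds
CDR_LINES = """\
2002-03-01T02:14:05 IN  2101 +14155550101 45
2002-03-01T02:16:40 OUT 2101 +92215550142 1810
2002-03-01T09:30:00 OUT 2102 +14155550199 120
2002-03-01T14:02:11 OUT 2103 +96615550133 300
2002-03-01T23:50:02 IN  2101 +14155550101 30
2002-03-01T23:52:30 OUT 2101 +63225550177 2400
2002-03-01T10:00:00 OUT 2104 +14155550188 60
"""

DOMESTIC_PREFIX = "+1"          # assumption: +1 numbers are domestic, everything else is international
BUSINESS_HOURS = range(7, 19)   # assumption: 07:00-18:59 local is normal for this office
MAX_SECONDS = 1800              # assumption: upper bound for a normal call from a mailbox
CHAIN_WINDOW = timedelta(minutes=5)  # inbound followed by outbound within this window looks like a hop


def parse_cdr(text):
    """Parse the whitespace-separated records and return them sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, direction, ext, remote, secs = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "dir": direction,
                        "ext": ext, "remote": remote, "secs": int(secs)})
    return sorted(records, key=lambda r: r["ts"])


def weak_pins(mailboxes=MAILBOXES):
    """Extensions whose voicemail PIN is the extension number itself."""
    return sorted(ext for ext, (pin, _) in mailboxes.items() if pin == ext)


def flag_records(records, mailboxes=MAILBOXES):
    """Return (extension, reason) pairs, one per rule that fires on an outbound record."""
    flags = []
    last_inbound = {}   # extension -> timestamp of its most recent inbound call
    for r in records:
        ext = r["ext"]
        international = not r["remote"].startswith(DOMESTIC_PREFIX)
        allowed_international = mailboxes.get(ext, ("", False))[1]
        if r["dir"] == "IN":
            last_inbound[ext] = r["ts"]
            continue
        if international and not allowed_international:
            flags.append((ext, "international call from mailbox without international permission"))
        if r["secs"] > MAX_SECONDS:
            flags.append((ext, "duration above normal range"))
        if r["ts"].hour not in BUSINESS_HOURS:
            flags.append((ext, "outbound call outside business hours"))
        prev = last_inbound.get(ext)
        if international and prev is not None and r["ts"] - prev <= CHAIN_WINDOW:
            flags.append((ext, "inbound then international outbound within 5 min (possible trunk-to-trunk hop)"))
    return flags


def report(text=CDR_LINES, mailboxes=MAILBOXES):
    """Run both checks and return their results together."""
    return {"weak_pins": weak_pins(mailboxes),
            "flags": flag_records(parse_cdr(text), mailboxes)}


if __name__ == "__main__":
    out = report()
    print("Mailboxes with PIN == extension:", out["weak_pins"])
    for ext, reason in out["flags"]:
        print(f"ext {ext}: {reason}")
```

On the constructed data, extension 2103 places an international call but is not flagged, because the inventory says it may; extension 2101 trips every rule on both of its outbound calls, and both mailboxes with PIN equal to extension show up in the audit regardless of whether they were abused yet. In practice the thresholds and the domestic-prefix rule are the parts to tune to the site's own calling pattern before wiring the output to something that pages an admin.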
