HP3000-L Archives

March 2002, Week 1

HP3000-L@RAVEN.UTC.EDU

From: Mark Wonsil <[log in to unmask]>
Date: Thu, 7 Mar 2002 09:51:24 -0500
Content-Type: text/plain (94 lines)
This came from an NT Newsletter.  I thought it was interesting in light of
world events.  From http://www.w2knews.com/?id=348

Postmortem: How Sunbelt Got Hacked

It's just one of these things. You talk about security for years, you warn
people once a week, protect your domains with many layers, and then some
hacker walks right into your own open back door. [grin] At the end of this
cautionary tale I will tell you what to do to prevent it in your own
organization.

Here is how this whole thing went down. It's not as bad as it could be, and
our domains were never compromised. But it is egg on our face! Someone
hacked into our phone system. It's called phreaking, and has been done for
decades. Lucky for us he was just talking to people instead of using it to
(try to) break into other systems.

How it started? Last Thursday one of our Reps found she could not use her
voice mail box anymore. It was forwarded to some strange number. The Admin
in charge frowned, reset it, and things worked again. Then last Friday, it
happened again, and with not just one but with a few mailboxes. Now we
really started looking!

What the hacker did not know is that we have an advanced phone system that
really is just software. The whole system is a W2K server in a special frame
with 20 expansion slots. Each slot holds a card for 8 extensions. The
software is powerful and allows you to reconfig anything on the fly instead
of having to call your PBX vendor all the time if you move a few staff to
new spots. The brand is Altigen.

We started to look in the Altigen console, and found a few mailboxes that
were forwarded to far away countries. When we started to trace these down,
it turned out they were Pakistan, Saudi Arabia, Kuwait and the Philippines.
Anyone that has followed the news recently can draw their own preliminary
conclusions. So did we.

Since we can see everything in real-time coming in and out of the system, it
was clear that a hacker had compromised a few mailboxes and was using these
to break into other companies' systems as well and create a chain of
compromised PBXes. In some cases we were the end of that chain, so we knew
the final destination. The hacker was fairly smart in trying to hide their
trail by dialing in, dialing out, and then dialing in again using another
mailbox.

However, since we could see and change things in real time, we took him off
the voice T1, and rerouted him to a copper trunk which we could tap. And
sure enough an American- and Arabic-speaking male voice was busy making
calls, through several other companies' systems that he already "owned". So
while he was happily tapping away, we recorded what he was doing and called
the FBI.

They actually are in a building 5 minutes from here so shortly they were
over and listening in. And since Altigen dumps all the data into a SQL
database, we were able to give them both the voice recordings and a detailed
track of all the calls, their origination and destination points and
duration. They were happy we could provide them with all the data
immediately burned on a CD so they could start their analysis, using Excel.

The FBI agents told us that phone system hacking is happening thousands of
times every day! And we had to shamefacedly admit that the password used for
the compromised mailbox turned out to be the same as the extension. OUCH!
The hacker simply cracked these mailboxes using this very simple trick. DUH.
And me scoffing at the New York Times for using the last four digits of
someone's social security number as their default passwords...[grumble]

Luckily for us, the hacker never got into our W2K domains, and never used it
for actual computer cracking, but a simple trick like this can cause damage
in many other ways, especially if one deals with somewhat more sophisticated
criminal elements. So we compiled all the evidence necessary and turned it
over to the FBI Computer Crime Special Agents.

We then shut the hacker down, and changed all mailbox passwords to something
a bit more sophisticated. We also shut down all international calling
ability for mailboxes that did not need it, which was about 95%, and made
some other configuration changes in the Altigen console which I'll not go
into. And to the hacker, if you read this, you were caught. Expect a tap on
your shoulder any minute now.

Lesson learned: USE STRONG PASSWORDS FOR THE PHONE SYSTEMS AS WELL. Monitor
your phone system logs for unusual activity and out of normal range events
or durations, just like you would your networks and set red flags. You could
dump that stuff into a flat file and use a tool like ELM to ping you when
things are out of the ordinary.
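As an added example (not from the newsletter, from Altigen, or from the list poster), here is a small Python audit over constructed mailbox and call-detail data that checks for the conditions the story describes: a mailbox PIN equal to the extension, forwarding to overseas numbers, international calls from extensions that should not have that ability, and calls of unusual duration. The record layout, the "011" international prefix and the 30-minute threshold are assumptions.

```python
"""Constructed PBX audit: mailbox PIN and call-detail-record (CDR) checks.

All data below is made up for illustration. A real deployment would read
the mailbox table and CDRs exported from the phone system's database.
"""

# Constructed mailbox table: extension -> (voicemail PIN, forward-to number or None)
MAILBOXES = {
    "1201": ("1201", None),                # PIN equals extension: trivially guessable
    "1202": ("738194", "011923001234"),    # forwarded to an overseas number
    "1203": ("425917", None),
}

# Constructed CDRs: (extension, dialed number, duration in seconds)
CDR = [
    ("1201", "15551234567", 180),
    ("1201", "011966501234", 2400),   # international call from a non-approved extension
    ("1203", "15559876543", 120),
    ("1203", "011632001234", 3600),
]

# Extensions that legitimately need international dialing (the other ~95% do not)
INTL_ALLOWED = {"1203"}


def is_international(number: str) -> bool:
    """North American dialing plan assumption: the 011 prefix means international."""
    return number.startswith("011")


def weak_pins(mailboxes):
    """Mailboxes whose PIN is identical to the extension number."""
    return sorted(ext for ext, (pin, _) in mailboxes.items() if pin == ext)


def foreign_forwards(mailboxes):
    """Mailboxes forwarded to an international number."""
    return sorted(ext for ext, (_, fwd) in mailboxes.items() if fwd and is_international(fwd))


def unauthorized_intl_calls(cdr, allowed):
    """International calls placed from extensions not on the allow-list."""
    return [(ext, num) for ext, num, _ in cdr if is_international(num) and ext not in allowed]


def long_calls(cdr, max_seconds=1800):
    """Calls longer than the configured normal range (default 30 minutes)."""
    return [(ext, num, d) for ext, num, d in cdr if d > max_seconds]


if __name__ == "__main__":
    print("weak PINs:", weak_pins(MAILBOXES))
    print("foreign forwards:", foreign_forwards(MAILBOXES))
    print("unauthorized intl calls:", unauthorized_intl_calls(CDR, INTL_ALLOWED))
    print("long calls:", long_calls(CDR))
```

Run nightly against an export of the mailbox table and the day's CDRs, and page the administrator when any list is non-empty.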



* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
