September 27, 2010
The Telecommunications Industry Group (TIG) in New Zealand has seen telecom fraud quadruple in 2010. Private Branch Exchange (PABX) software can be downloaded for free and installed on an (older) PC, but it is often not secured well enough, which leaves the PABX open to exploitation. TIG has compiled a list of the minimum(!) you need to do to make your system more secure.
Some practical tips for preventing PABX hacking
- Choose a strong password: Voicemail and DISA passwords should be changed on a regular basis, avoiding factory defaults and obvious combinations such as 1234 or the extension number.
- Change it: Make sure all security features – passwords, PINs etc – are changed following installation, upgrade and fault/maintenance. Don’t forget to reset password defaults.
- Keep it confidential: Keep all internal information such as directories, call logging reports and audit logs confidential. Destroy them appropriately if no longer required.
- Regular review:
  - Review system security and configuration settings regularly. Follow up any vulnerabilities or irregularities.
  - Review your PABX call logging/reporting material regularly and analyse it for increases in call volumes or suspicious destinations.
- Callers: Be vigilant against bogus callers – for example, people posing as company employees – who ask to be connected to switchboard operators to get an outgoing line.
- Employees: Develop processes to cover employee entry procedures, passcards, new employee vetting and people leaving or changing jobs. Formally revoke their access to systems, mailboxes and buildings.
- Vendor terms and conditions: Make sure the right terms and conditions are reflected in your contracts with your PABX, VoIP and/or voicemail maintainer, so that your system is regularly maintained and serviced and stays safe.
- De-activate, restrict, bar:
  - Remove or de-activate all unnecessary system functionality, including remote access ports. If remote access ports are used, consider using strong authentication such as smartcards/tokens.
  - Restrict any destinations that should not normally be dialled: for example, premium rate, international, operator and directory enquiry numbers.
  - Restrict access to equipment, e.g. your comms room and master terminals.
  - Only give the appropriate and minimum level of system access required to carry out a task.
  - Bar voicemail ports from outgoing access to trunks if possible. If access to trunks via voicemail is necessary, implement suitable controls. Remove auto attendant options for accessing trunks.
  - Lock surplus mailboxes until they are allocated to a user.
  - If DISA is not used, disable it completely.
- Tones: Avoid using tones to prompt for password/PIN entry: these are often used by hacking programs to find systems to attack.
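The "regular review" and "restrict destinations" tips above can be turned into a simple check over exported call records. The script below is an added example, not code from TIG or the original post; the CDR format (ISO timestamp;extension;dialled number;seconds), the sample records and the barred prefixes are constructed assumptions, since real PABX exports differ by vendor.

```python
# Added example, not code from TIG or the original post. CDR format is
# "ISO timestamp;extension;dialled number;seconds"; all records and
# prefixes below are constructed, and real PABX exports differ by vendor.
from collections import Counter
from datetime import datetime

# Constructed sample: one daytime call, then a 2 a.m. burst from extension 214.
SAMPLE_CDR = """\
2010-09-25T10:15:00;201;0800123456;120
2010-09-26T02:03:10;214;0900123456;610
2010-09-26T02:07:44;214;0017605550101;590
2010-09-26T02:12:02;214;0017605550102;600
2010-09-26T02:18:30;214;0900123457;585
"""
# Prefixes a business would normally bar: 0900 premium-rate, 00 international.
PREMIUM_PREFIXES = ("0900",)
INTERNATIONAL_PREFIX = "00"

def parse_cdr(text):
    """Parse semicolon-separated CDR lines into dicts, skipping blank lines."""
    records = []
    for line in filter(str.strip, text.splitlines()):
        ts, ext, number, secs = line.split(";")
        records.append({"time": datetime.fromisoformat(ts), "ext": ext,
                        "number": number, "duration": int(secs)})
    return records

def classify_destination(number):
    """Return 'premium', 'international' or 'normal' for a dialled number."""
    if number.startswith(PREMIUM_PREFIXES):
        return "premium"
    if number.startswith(INTERNATIONAL_PREFIX):
        return "international"
    return "normal"

def review_cdr(records, business_hours=(8, 18), burst_threshold=3):
    """Return (extension, reason) findings: each restricted-destination call,
    plus any extension making >= burst_threshold such calls out of hours."""
    findings, out_of_hours = [], Counter()
    for r in records:
        kind = classify_destination(r["number"])
        if kind == "normal":
            continue
        findings.append((r["ext"], f"{kind} destination {r['number']}"))
        if not business_hours[0] <= r["time"].hour < business_hours[1]:
            out_of_hours[r["ext"]] += 1
    for ext, n in out_of_hours.items():
        if n >= burst_threshold:
            findings.append((ext, f"{n} restricted calls outside business hours"))
    return findings
```

Running `review_cdr(parse_cdr(SAMPLE_CDR))` on the constructed data reports the four restricted calls from extension 214 and a fifth finding for the out-of-hours burst, the pattern a compromised mailbox or DISA port typically produces.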
I would also like to add:
- Apply security updates BOTH to your server and to the phones.
- Don’t expose the PABX or the phones on public IPs.
The Honeynet Project has also picked up extensive scanning in Australia. Which country will be next?