TELEPHONE SYSTEMS SECURITY GUIDANCE NOTES

Introduction

Hackers use various methods to access a PABX, which may be done for many reasons, but primarily for obtaining free calls. This inevitably results in very large telephone bills for the hacked company.

What is Hacking? (sorry not my definition)

When telephone system hacking began, it was achieved by people who used PCs to break into the voice mail system. Hackers used mailboxes to spread information, conduct drug sales, post stolen credit card numbers or simply to record nasty greetings for callers. Now, however, hackers use telephone systems to obtain outgoing trunks; they then sell this access to a community of people for dialling expensive international calls. If the incoming trunks are Freephone numbers, the fraudsters enjoy the benefit of completely free calls, with the hacked company paying the bill for both ends of the call.

Why has Hacking now become a problem in the UK?

Hacking has become a serious problem in the UK for the following reasons:

- The sophistication of telephone systems now available to companies in the UK.
- OFTEL now allows many features on PABXs, such as PSTN trunk to PSTN trunk transfer, to be used.
- Wide use of maintenance modems on telephone systems.
- Sophisticated Voice Mail Systems.
- Widespread use of the Internet, which is used for posting hacking information.
- Widespread use of modems in the UK, which has resulted in cheap and user-friendly modems being available on the market.
- The huge demand for free international calls, as overseas nations develop their telephone networks and business requirements.
- Customers either ignoring, or not being aware of, the hacking problem, thereby leaving their telephone systems open to fraud.
- The widespread use of the Freephone numbers 0500 and 0800.
- Direct Inward System Access (DISA).

By far the greatest current problem in the UK for PABX owners is toll fraud, a service that has millions of potential "customers".

What can be done to prevent the PABX from being Hacked?

Hacker activity may not be completely avoidable, but steps can be taken to reduce the risks. The principal aim of telephone security is to deter hackers from taking control of a customer's telephone system. For example, fraudsters will move on to other PABXs if it takes too long to break into a system. Hackers with a personal or political grudge against a company will spend a considerable amount of time hacking a targeted telephone system in order to achieve their required objective. This may be to:

- Obtain free calls.
- Crash the Telephone System.
- Leave abusive messages on the Voice Mail System.

So the chief objective must be to reduce the risks that expose a telephone system to being successfully hacked.

Risk Factors

The principal factors that attract a hacker to a telephone system are:

- Freephone numbers connected to the Telephone System.
- Modem Access to the Telephone System.
- Voice Mail Systems.
- Systems with a large number of trunks / DDI trunks.
- Direct Inward System Access (DISA).

Once the hacker has ascertained that the targeted telephone system has one or more of the features listed above, and that there are inadequate counter security measures on the telephone system, the opportunity will be seized by the hacker. The system is then reconfigured for fraudulent use. Systems are often not used immediately, as the fraudster has to inform their "Customers" of the toll free access number.

Hacking Counter Measures

The primary method of preventing fraudulent access to the telephone system is for the customer to educate their staff with regard to telephone security. Implementing all, or at least some, of the following simple steps can reduce the susceptibility of a system to being hacked.

Customer Level Measures

Passwords / Codes

- Use random numbers for PINs, which should utilise the maximum number of permissible digits.
- Ensure system passwords and codes are not left as default, particularly system administration passwords.
- Cancel passwords and security codes of departing employees.
- Change passwords and security codes as often as possible.
- Do not divulge passwords / codes over the phone.

Trunk Access

- Educate everyone about not connecting anyone they do not know to an outgoing trunk.
- Ensure effective call barring has been carried out. Barring the following numbers may reduce the possibility of the system being used for fraudulent calls. Note: No call barring plan should be limited to the codes listed below.
  - 7 (CIS - former USSR)
  - 234 (Nigeria)
  - 1809 (Jamaica)
  - 86 (China)
  - 91 (India)
  - 92 (Pakistan)
  - 155 (International Operator)
- The customer should consider "call allow" rather than "call bar" on their system. They should also bar access to countries that they do not require telephone access to.
- Do not allow Voice Mail Systems to have trunk access.

System Information

Guard information on the Telephone system:

- Network service providers' authorisation codes should be kept in a secure location.
- Do not write authorisation codes in notebooks.
- Keep all System Manuals in a secure location and do not write information that may be useful to hackers in these manuals.
- Cabinets used to store system manuals must be kept locked.
- Customers and engineers should dispose of sensitive information securely and not leave information useful to hackers in waste bins.

Equipment Room Access

- Access to the telephone system should be restricted as much as possible.
- Customers should ask for identification before allowing access to the telephone system.
- Engineers should record all site visit details in the site logbook.

Monitoring The Telephone System

Fraudulent calls and hacking attempts can be detected if the call logging information is reviewed on a daily basis. Immediate corrective action should be taken and the Network Service Provider should be informed as soon as possible.
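
The daily call-log review described above, combined with the "call allow" versus "call bar" advice under Trunk Access, as an added example that is not part of the original notes. The log format, port names, allow plan and business hours are assumptions, and the sample records are constructed.

```python
import csv
from datetime import datetime
from io import StringIO

# Codes listed in the note, as dialled from a UK line (assumption:
# international prefix 00; 155 is dialled directly).
BAR_PREFIXES = ("007", "00234", "001809", "0086", "0091", "0092", "155")
# Hypothetical "call allow" plan: only what this business needs.
ALLOW_PREFIXES = ("01", "02", "07", "0800", "0033")
BUSINESS_HOURS = range(8, 18)  # assumption: staff on site 08:00-17:59

# Constructed call-logging records: time, origin port, dialled digits, seconds.
SAMPLE_LOG = """\
2024-03-04T10:15:00,ext201,02079460000,180
2024-03-04T11:02:00,ext214,0033145550000,600
2024-03-05T02:14:00,trunk03,0023480000000,3400
2024-03-05T02:20:00,trunk03,0053700000000,2900
2024-03-05T02:41:00,vmail01,0088020000000,4100
"""


def permitted(dialled, plan):
    """plan 'bar' blocks listed prefixes; plan 'allow' permits listed ones only."""
    if plan == "bar":
        return not dialled.startswith(BAR_PREFIXES)
    return dialled.startswith(ALLOW_PREFIXES)


def review(log_text):
    """Return (dialled digits, reasons) for every call needing follow-up."""
    findings = []
    for when, origin, dialled, _secs in csv.reader(StringIO(log_text)):
        reasons = []
        if not permitted(dialled, "allow"):
            reasons.append("outside allow plan")
            if permitted(dialled, "bar"):
                reasons.append("missed by bar list")
        if datetime.fromisoformat(when).hour not in BUSINESS_HOURS:
            reasons.append("out of hours")
        if not origin.startswith("ext"):  # trunk or voice mail port
            reasons.append("not from an extension")
        if reasons:
            findings.append((dialled, reasons))
    return findings


if __name__ == "__main__":
    for dialled, reasons in review(SAMPLE_LOG):
        print(dialled, "->", "; ".join(reasons))
```

Two of the three flagged calls go to codes that are not on the bar list, which is why the note says no barring plan should be limited to the listed codes.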

Engineering Level Measures

Engineers must be security conscious at all times when dealing with a customer's PABX.

- Change the default passwords / passcodes to new codes when an installation is completed, particularly the engineering passcodes.
- Destroy any customer code that has been written down before leaving site.
- Configure systems in accordance with the equipment security guidance information.
- DO NOT enable features on the telephone system that allow "Dial Through" unless the customer requests this feature.
- Disable any feature on the system which allows or facilitates "Dial Through" applications, unless specifically requested otherwise by the customer.
- Advise and configure any PIN digits used by the customer to be the maximum number of permitted digits. These PIN numbers must not include the customer's STD number or be related to extension numbers.
- Hackers are adept at finding the numbers of maintenance modems. If a maintenance modem is used, the allocated extension number should be different for each site.
- Maintenance modems should ideally be configured as dial back modems so that they ring back to the service centre.
- Under no circumstances should the customer be told the passcode for the maintenance modem.
- Keep all documentation up to date, accurate and secure. If a telephone system has been successfully hacked and the perpetrator is found and prosecuted, documents such as site visit log books and configuration manual may be required as evidence in court.
- DO NOT leave the customer with spare configured Mail Box numbers and only configure the minimum number of spare extension numbers. Ideally there should be no spare extension numbers.
- Educate the customer to ask for security passes from engineers requesting access to the switch room. Make sure that the customer is aware of who should be allowed entry to the equipment room and what their security passes would look like.

*** LeChat
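
One way to check and issue PINs against the guidance above (random, maximum permitted digits, not left as default, not containing the STD number or related to extension numbers), as an added example that is not part of the original notes. The maximum length, STD code, extension list and default codes are constructed values, and matching the STD code without its leading zero is an assumption.

```python
import secrets

MAX_DIGITS = 8                     # assumption: depends on the PABX model
STD_CODE = "01632"                 # constructed sample STD code
EXTENSIONS = ["201", "214", "230"]  # constructed sample extension numbers
DEFAULTS = ("0000", "1234")        # hypothetical factory default codes


def pin_problems(pin, max_digits=MAX_DIGITS, std_code=STD_CODE,
                 extensions=EXTENSIONS, defaults=DEFAULTS):
    """Return the guidance points a PIN violates (empty list = acceptable)."""
    problems = []
    if not pin.isdigit() or len(pin) < max_digits:
        problems.append("shorter than the maximum permitted digits")
    if pin in defaults or len(set(pin)) == 1:
        problems.append("default or single repeated digit")
    if std_code.lstrip("0") in pin:
        problems.append("contains the STD number")
    if any(ext in pin or pin in ext for ext in extensions):
        problems.append("related to an extension number")
    return problems


def new_pin(max_digits=MAX_DIGITS, tries=1000):
    """Draw PINs from the OS random source until one passes every check."""
    for _ in range(tries):
        pin = "".join(secrets.choice("0123456789") for _ in range(max_digits))
        if not pin_problems(pin, max_digits):
            return pin
    raise RuntimeError("no acceptable PIN found; check the constraints")


if __name__ == "__main__":
    for candidate in ("1234", "41632907", "58201736"):
        print(candidate, pin_problems(candidate) or "ok")
    print("issued:", new_pin())
```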