Postmortem: How Sunbelt Got Hacked
It's just one of these things. You talk about security for years,
you warn people once a week, protect your domains with many layers,
and then some hacker walks right into your own open back door. [grin]
At the end of this cautionary tale I will tell you what to do to
prevent it in your own organization.
Here is how this whole thing went down. It's not as bad as it could
have been, and our domains were never compromised, but it is egg on our
face! Someone hacked into our phone system. It's called phreaking,
and it has been done for decades. Lucky for us, he was just talking to
people instead of using it to (try to) break into other systems.
How did it start? Last Thursday one of our Reps found she could not
use her voice mail box anymore. It was forwarded to some strange
number. The Admin in charge frowned, reset it, and things worked
again. Then last Friday it happened again, and not with just one
but with a few mailboxes. Now we really started looking!
What the hacker did not know is that we have an advanced phone system
that really is just software. The whole system is a W2K server in
a special frame with 20 expansion slots; each slot holds a card for
8 extensions. The software is powerful and allows you to reconfigure
anything on the fly instead of having to call your PBX vendor every
time you move a few staff to new spots. The brand is Altigen.
We started to look in the Altigen console, and found a few mailboxes
that were forwarded to far away countries. When we started to trace
these down, it turned out they were in Pakistan, Saudi Arabia, Kuwait
and the Philippines. Anyone that has followed the news recently can
draw their own preliminary conclusions. So did we.
Since we can see everything coming in and out of the system in real
time, it was clear that a hacker had compromised a few mailboxes
and was using them to break into other companies' systems as well,
creating a chain of compromised PBXes. In some cases we were the
end of that chain, so we knew the final destination. The hacker was
fairly smart in trying to hide his trail by dialing in, dialing
out, and then dialing in again using another mailbox.
However, since we could see and change things in real time, we took
him off the voice T1 and rerouted him to a copper trunk which we
could tap. And sure enough, a male voice speaking both American
English and Arabic was busy making calls through several other
companies' systems that he already "owned". So while he was happily
tapping away, we recorded what he was doing and called the FBI.
They actually are in a building 5 minutes from here, so shortly they
were over and listening in. And since Altigen dumps all the data
into a SQL database, we were able to give them both the voice
recordings and a detailed track of all the calls: their origination
and destination points and duration. They were happy we could provide
them with all the data immediately, burned on a CD, so they could
start their analysis using Excel.
The FBI agents told us that phone system hacking is happening
thousands of times every day! And we had to shamefacedly admit that
the password used for the compromised mailboxes turned out to be the
same as the extension number. OUCH! The hacker simply cracked these
mailboxes with this very simple trick: dial in, pick an extension,
and enter that same extension number as the password. DUH. And there
I was scoffing at the New York Times for using the last four digits
of someone's social security number as their default password...[grumble]
Luckily for us, the hacker never got into our W2K domains and never
used the phone system for actual computer cracking, but a simple trick
like this can cause damage in many other ways, especially if one deals
with more sophisticated criminal elements. So we compiled all the
evidence necessary and turned it over to the FBI Computer Crime
We then shut the hacker down and changed all mailbox passwords to
something a bit more sophisticated. We also shut down international
calling ability for all mailboxes that did not need it, which was about
95% of them, and made some other configuration changes in the Altigen
console which I'll not go into. And to the hacker, if you read this:
you were caught. Expect a tap on your shoulder any minute now.
Lesson learned: USE STRONG PASSWORDS FOR THE PHONE SYSTEMS AS WELL.
Never let a mailbox password equal its extension or any other default,
and restrict international dialing to the boxes that actually need it.
Monitor your phone system logs for unusual activity and out-of-normal-range
events or durations, just like you would your networks, and set
red flags. You could dump that stuff into a flat file and use a tool
like ELM to ping you when things are out of the ordinary.
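To make the lesson concrete, here is an added example (my own illustration, not code from the original post and not anything Altigen ships) of the two checks above run over a handful of constructed records of the kind a PBX dumps into its call database: a PIN audit that catches "password equals extension" and other lazy defaults, and a call-detail sweep that flags international forwarding, long off-hours international calls, and the dial-in-then-dial-out hop described earlier. Field names, the +1-means-domestic rule, the thresholds and every number in the sample data are assumptions I made up for the example; the real Altigen schema is not described on this page.

```python
"""Voicemail PIN audit and CDR anomaly sweep.

Added example, not part of the original post and not Altigen's code.
Record layout, thresholds and all sample numbers are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class Mailbox:
    extension: str
    pin: str
    forward_to: Optional[str] = None  # external number the box forwards to, if any


@dataclass
class CallRecord:
    ts: datetime
    direction: str   # "in" (to the extension) or "out" (from the extension)
    extension: str   # internal extension / mailbox involved
    remote: str      # external number in +E.164 form (assumed format)
    duration_s: int


def is_international(number: str) -> bool:
    """Assumption: anything outside the North American +1 plan is 'international'."""
    return number.startswith("+") and not number.startswith("+1")


def weak_pin_reason(box: Mailbox) -> Optional[str]:
    """Return why a PIN is weak, or None. The first rule is the Sunbelt mistake."""
    pin = box.pin
    if pin == box.extension:
        return "pin equals extension"
    if len(pin) < 4:
        return "too short"
    if len(set(pin)) == 1:
        return "single repeated digit"
    if pin in "0123456789" or pin in "9876543210":
        return "sequential digits"
    return None


def audit_pins(boxes: List[Mailbox]) -> List[Tuple[str, str]]:
    return [(b.extension, r) for b in boxes if (r := weak_pin_reason(b))]


def forwarding_alerts(boxes: List[Mailbox]) -> List[Tuple[str, str]]:
    """Mailboxes forwarded out of the country: how the break-in was first noticed."""
    return [(b.extension, b.forward_to) for b in boxes
            if b.forward_to and is_international(b.forward_to)]


def call_alerts(records: List[CallRecord],
                max_duration: timedelta = timedelta(minutes=20),
                business_hours: Tuple[int, int] = (8, 18)):
    """Flag outbound calls that are international, unusually long, or off-hours."""
    alerts = []
    for r in records:
        if r.direction != "out":
            continue
        reasons = []
        if is_international(r.remote):
            reasons.append("international")
        if timedelta(seconds=r.duration_s) > max_duration:
            reasons.append("long call")
        if not business_hours[0] <= r.ts.hour < business_hours[1]:
            reasons.append("off-hours")
        if reasons:
            alerts.append((r.extension, r.remote, reasons))
    return alerts


def dial_through_chains(records: List[CallRecord],
                        window: timedelta = timedelta(minutes=5)):
    """Inbound call to an extension followed within `window` by an outbound
    international call from the same extension: the dial-in, dial-out hop
    a phreaker uses to route through a mailbox. Returns (caller, ext, callee)."""
    inbound = [r for r in records if r.direction == "in"]
    chains = []
    for out in records:
        if out.direction != "out" or not is_international(out.remote):
            continue
        for inn in inbound:
            if inn.extension == out.extension and timedelta(0) <= out.ts - inn.ts <= window:
                chains.append((inn.remote, out.extension, out.remote))
    return chains


# Constructed sample data (made up for this example).
BOXES = [
    Mailbox("4012", "4012"),                   # PIN is the extension
    Mailbox("4013", "1234", "+923001234567"),  # sequential PIN, forwarded abroad
    Mailbox("4014", "7391"),                   # fine
    Mailbox("4015", "0000", "+14155550100"),   # repeated digit, domestic forward
]
D = datetime(2003, 1, 10)
RECORDS = [
    CallRecord(D.replace(hour=10, minute=0), "out", "4014", "+442071234567", 600),
    CallRecord(D.replace(hour=14, minute=10), "out", "4014", "+14155550199", 300),
    CallRecord(D.replace(hour=22, minute=5), "in", "4012", "+13055550123", 40),
    CallRecord(D.replace(hour=22, minute=5, second=50), "out", "4012", "+966501234567", 1800),
    CallRecord(D.replace(hour=22, minute=40), "in", "4013", "+966501234567", 30),
    CallRecord(D.replace(hour=22, minute=41), "out", "4013", "+639171234567", 2400),
]

if __name__ == "__main__":
    print("weak PINs:      ", audit_pins(BOXES))
    print("intl forwarding:", forwarding_alerts(BOXES))
    print("call alerts:    ", call_alerts(RECORDS))
    print("dial-through:   ", dial_through_chains(RECORDS))
```

On the sample data the PIN audit names three of the four boxes, the forwarding check catches the one pointed at Pakistan, the call sweep flags the two late-night half-hour calls to Saudi Arabia and the Philippines on every rule (and the daytime UK call on the international rule only), and the chain detector pairs each late-night inbound call with the outbound international call that followed it. Any one of these signals alone is noisy on a real PBX; the point is that a mailbox tripping several of them in one evening is exactly what the Admin saw by hand here, and a nightly query over the same database finds it before the second Friday.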