Network Information Access (N.I.A.)
Founded By: Guardian Of Time, Judge Dredd
03NOV90 - File 65
Other World BBS
Text Only
Ignorance, There's No Excuse.

Are you on any WAN? Are you on Bitnet, Internet, Compuserve, MCI Mail,
Sprintmail, Applelink, Easynet, MilNet, FidoNet, et al.? If so please
drop us a line at elisem@nuchat.sccsi.com


PBX Security

by Judge Dredd


$_NOTE:

This is the PBX security manual... it is not a how-to. This is what is given
to PBX owners/operators. Use it to your advantage.

Protecting Your PBX From Illegal Access
=======================================

As an owner of a private branch exchange (or PBX) you've invested
quite a lot of money into a remarkable piece of equipment that greatly
enhances your company's communications capabilities. A so-called smart
device, this sophisticated switch usually has a number of useful
features such as remote access and voice store-and-forward systems, or
voice mail.

The problem is, criminals are finding it easier than ever to
access these helpful features, blocking out legitimate users. This is
mainly because many end-users are not taking advantage of new
protective technologies that are now available.

You may be a victim of this industry-wide problem and not even
know it. Last year, a Midwestern manufacturer lost $25,000 when
someone accessed its PBX for a short time to make unauthorized long
distance calls.

One favorite PBX pathway to free long distance calls is the
remote access unit, which allows callers to access the switch from a
phone outside the company and obtain a dial tone.

The abuse is hitting end-users at all levels. Over a two-month
period in 1988, employees at a large city agency rigged a phone system
in a scam that cost taxpayers over $700,000 for unauthorized phone
calls. Workers tampered with the organization's PBX to allow callers
from public payphones to dial a special access number that gave them
an outside line to anywhere in the world.

In another case, intruders left instructions on computer bulletin
board systems detailing how to access conference bridges, call
diverters and remote access units.

Abusers can include current and former employees, summer interns
and technicians as well as hackers, street hustlers and other thieves
of telecommunications services. And unfortunately, many companies
simply forget to take out the easy-to-break authorization test codes
that are installed before a PBX is placed in service.

Establish Strict Defenses
=========================

1. Assign authorization codes randomly on a need-to-have basis,
and limit the number of calls using these codes. Never match
codes with company telephone, station or badge numbers.

2. Instruct employees to safeguard their authorization codes,
which should be assigned individually, not printed in
billing records. And the codes should be changed frequently,
and canceled when employees depart.

3. Remote access trunks should be limited to domestic calling
and shut down when not in use.

4. Use the time-of-day PBX option.

5. Use a system-wide barrier code, followed by an authorization
code with the most digits your PBX can handle.

6. Use a nonpublished number for remote access lines.

7. Use a delayed electronic call response (the same as letting
your phone ring four or five times before answering).

8. Try hacking your own system to find weaknesses, then correct
them.

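Rules 1, 2 and 5 above describe how authorization codes should be issued and retired. The following is an added example (not part of the CFCA text or any PBX vendor's software) of a code registry that enforces them: codes are drawn from a CSPRNG at the full digit length, rejected if they equal or embed any station, badge or telephone number in a constructed directory, capped at a per-code call count, and cancelled when the holder departs.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class CodeRegistry:
    """Issues and enforces PBX authorization codes per the guide's rules 1, 2 and 5."""
    digits: int                      # rule 5: as many digits as the switch allows
    forbidden: set                   # station, badge and telephone numbers in use
    call_limit: int                  # rule 1: cap on calls charged to one code
    codes: dict = field(default_factory=dict)   # code -> {"owner": str, "calls": int}

    def acceptable(self, code: str) -> bool:
        """Rule 1: a code must never match (or embed) a station/badge/phone number.
        Codes made of one repeated digit are also rejected as trivially guessable."""
        if len(code) != self.digits or not code.isdigit():
            return False
        if any(number in code for number in self.forbidden):
            return False
        return len(set(code)) > 1

    def issue(self, owner: str) -> str:
        """Rules 1 and 2: a random code, assigned to one named individual."""
        while True:
            code = "".join(secrets.choice("0123456789") for _ in range(self.digits))
            if self.acceptable(code) and code not in self.codes:
                self.codes[code] = {"owner": owner, "calls": 0}
                return code

    def authorize_call(self, code: str) -> bool:
        """Validate a dialed code and count the call against its limit."""
        entry = self.codes.get(code)
        if entry is None or entry["calls"] >= self.call_limit:
            return False
        entry["calls"] += 1
        return True

    def revoke_owner(self, owner: str) -> int:
        """Rule 2: cancel every code held by a departing employee."""
        doomed = [c for c, e in self.codes.items() if e["owner"] == owner]
        for c in doomed:
            del self.codes[c]
        return len(doomed)

# Constructed sample directory (hypothetical extensions and badge numbers to avoid).
DIRECTORY = {"2204", "2311", "4417", "7135550101"}

if __name__ == "__main__":
    reg = CodeRegistry(digits=9, forbidden=DIRECTORY, call_limit=3)
    code = reg.issue("j.dredd")
    print(code, [reg.authorize_call(code) for _ in range(4)])   # 3 True, then False
```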

Implementing Effective Controls
===============================

1. Know the safeguards on your PBX.

2. Develop an action plan that provides adequate staffing to
direct specific defensive procedures.

3. Monitor billing, call details and traffic for unusual
patterns and busy lines during off-peak hours, such as late
at night.

4. Inform PBX console attendants, night security officers and
remote access users of the need to secure equipment and what
to do if they suspect an intrusion.

5. Ask your PBX vendor/supplier what inherent defenses could be
used to make your PBX more difficult to penetrate.

6. Monitor valid and invalid call attempts as often as
possible.

7. Look for attempted calls of short duration that usually
indicate hacking activity.

8. Know who is on the other end of the line before giving out
any information.

9. Learn whom to contact at your local and long distance
service providers when you have a security problem.

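Controls 3, 6 and 7 come down to reading the call detail recording for the patterns the guide names. As an added example (not from the CFCA text or any switch vendor), the script below runs those checks over a constructed CDR extract: bursts of invalid authorization attempts from one calling number, repeated short-duration attempts, completed remote-access calls late at night, and international dialing on a remote access trunk that should be domestic-only (defense 3). The CSV layout, the thresholds and the use of 011 as the international prefix are assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed call detail records (CDR), not real data. Fields:
# timestamp, trunk, calling number, dialed digits, authorization result, seconds
CDR = """\
1990-11-02T14:05:10,REMOTE-1,7135550101,12125550199,VALID,412
1990-11-03T01:12:03,REMOTE-1,7135550177,12125550123,INVALID,4
1990-11-03T01:12:21,REMOTE-1,7135550177,12125550123,INVALID,3
1990-11-03T01:12:40,REMOTE-1,7135550177,12125550123,INVALID,5
1990-11-03T01:13:02,REMOTE-1,7135550177,12125550123,INVALID,2
1990-11-03T01:13:25,REMOTE-1,7135550177,12125550123,INVALID,4
1990-11-03T01:13:49,REMOTE-1,7135550177,01144207946000,VALID,1871
1990-11-03T09:30:00,STATION,2204,12125550123,VALID,120
"""
INVALID_BURST = 3    # attempts from one number before alerting (assumed threshold)
SHORT_CALL_S = 10    # "short duration" cut-off in seconds (assumed threshold)
INTL_PREFIX = "011"  # North American international dialing prefix

def is_off_peak(ts):
    return ts.hour >= 22 or ts.hour < 6   # late at night, per control 3

def parse_cdr(text):
    rows = []
    for line in text.strip().splitlines():
        ts, trunk, caller, dialed, result, dur = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "trunk": trunk, "caller": caller,
                     "dialed": dialed, "result": result, "dur": int(dur)})
    return rows

def analyze(rows):
    alerts = []
    # Control 6: invalid authorization attempts, grouped per calling number
    for caller, n in Counter(r["caller"] for r in rows if r["result"] == "INVALID").items():
        if n >= INVALID_BURST:
            alerts.append(("invalid-burst", caller, n))
    # Control 7: repeated attempted calls of short duration
    for caller, n in Counter(r["caller"] for r in rows if r["dur"] < SHORT_CALL_S).items():
        if n >= INVALID_BURST:
            alerts.append(("short-calls", caller, n))
    for r in filter(lambda rec: rec["trunk"].startswith("REMOTE"), rows):
        # Control 3: completed remote-access calls late at night
        if r["result"] == "VALID" and is_off_peak(r["ts"]):
            alerts.append(("off-peak-remote", r["caller"], r["ts"].isoformat()))
        # Defense 3: remote access trunks should be limited to domestic calling
        if r["dialed"].startswith(INTL_PREFIX):
            alerts.append(("intl-on-remote", r["caller"], r["dialed"]))
    return alerts
```

On the sample above the five failed attempts, the short-call burst, the 01:13 completed call and its international destination each raise one alert, while the daytime calls pass.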

Glossary
========

Access number: Preliminary digits that must be dialed to connect
to an outgoing line.

Authorization code: Unique multidigit code identifying an authorized
subscriber that must be validated for a call to be processed.

Barrier code: A number of digits that, when dialed before an
authorization code, allow dial entry to a PBX.

Bulletin board system: Computer-based message system.

Call detail recording: A PBX feature that logs outgoing and incoming
calls.

Conference bridge: Allows several parties to carry on a conversation
(Conference Call) from remote sites.

End-user: Subscriber that uses, rather than provides, telecommunications
services.

PBX, or private branch exchange: A private switch, either automatic or
manually operated, serving extensions in a business complex and
providing access to the public switched network.

Remote access: A feature that allows an employee to access a PBX from
a remote site and charge calls to the caller's company.

Smart device: A computer-based system that carries out complex functions.

Switch: A mechanical or solid state device that opens or closes
circuits, changes operating parameters, or selects paths or circuits,
either on a space or time division basis.

Time-of-day option: An added restriction to the automatic route
selection or least-cost options, it can be preset to block long
distance calls at certain hours.

Trunk: A communications channel between different switching systems or
between a PBX and a central office.

Voice mail, or voice store-and-forward systems: A voice message system
that allows messages to be played back when the addressee returns.

Since 1985, CFCA has served as the industry's
clearinghouse for information pertaining to
the fraudulent use of telecommunications
services. To learn more about PBX system
security, call (703)848-9768, or write:

The Communications Fraud Control Association
7921 Jones Branch Drive, Suite 300
McLean, VA 22102

eMail address: < cfca@mcimail.com >

A short footnote:

If you even >think< you have a problem with PBX Fraud, contact:

1. Your PBX Switching System Vendor

2. Your 'Local Exchange Carrier' (your local telephone company) and

3. Your 'Inter-Exchange Carrier' (your long-distance telephone company)

If finding the >right person< gets to be a problem, contact the
Communications Fraud Control Association (CFCA) at the above address
or telephone them at (703) 848-9768.

---

Enjoy. It's early and it looks like it's gonna be a nice day... I'm outta
here. -JD