Phone Networks Open Doors for Hackers
Corporate America spends untold amounts of time and money every year to ensure that its data systems are secure from cyberattacks, but there’s one relatively low-tech flank that is often lightly guarded — office telephone systems.

Federal law-enforcement officials said last week that they are tracking numerous reports of hackers who gain access to corporate voice mail and telephone systems to launch Internet attacks. The hackers, according to the Department of Homeland Security, tap into corporate phone systems — called private branch exchange (PBX) systems — using them to make long-distance calls to Internet service providers in other cities or overseas. They can work anonymously because the service providers see the activity as coming from within the company whose phone network was compromised.

The FBI is pursuing “several investigations” into the problem, which the Department of Homeland Security last week identified as a growing trend in the hacking community.

So-called “phone phreakers” have exploited telephone systems to make free long-distance telephone calls for several decades. AT&T said it started monitoring phone calls as early as 1964 to nab phreakers, who used so-called blue boxes to generate tones that would let them into the network. In the early 1970s, computer pioneer Steve Wozniak developed his own blue box that he sold to fellow students at Berkeley several years before co-founding Apple Computer Co.

Using a corporate network as a way to hack anonymously is “a very pervasive exploit that’s costing corporations and the phone companies hundreds of millions of dollars,” said FBI cyber division spokesman Bill Murray. “These people are racking up huge phone bills and there’s virtually no way to trace them,” he said.

Newer phone networks often are linked to internal corporate data networks, making them enticing targets for hackers, said Lisa Pierce, a research fellow for the Giga Information Group, a subsidiary of Forrester Research. Hackers compromising PBX systems that run voice data services can use them as entryways into computer systems. From there they can steal corporate information, eavesdrop on conversations and create havoc on the system because no one knows where the attacks are coming from, she said.

“[When] you have internal data and voice lines on the same network, it’s basically a welcome sign for hackers,” Pierce added. “The implications can get frightening pretty quickly.”

Unsecured corporate phone systems can leave open other back doors to a company’s network. Kevin Mitnick, who spent five years in jail for hacking into telephone companies and stealing secret code from software industry titans, broke into software maker Novell Corp.’s network in a similar way. Mitnick called the company’s operations department and posed as an employee who forgot his voice mail passcode. He received the passcode, recorded his voice on the impersonated employee’s outgoing voice mail message, then called the operations department asking for a dial-up modem number to Novell’s internal computer network. After verifying the supposed employee’s voice mail extension and hearing the familiar voice on the message, the technician gave Mitnick a direct line into the company’s intranet.

“The fact is, companies are focusing their resources on protecting their computer assets and too often don’t realize how vulnerable these phone networks can make them,” said Mitnick, now a security consultant.

Murray said poorly secured PBX systems also present a serious national security threat. A hacker could use a compromised PBX system to route dozens of calls simultaneously to an emergency 9-1-1 center, overloading the emergency call center and preventing real emergency calls from getting through.

“A potential terrorist could couple a denial-of-service attack on a local 9-1-1 system with setting off a bomb nearby,” Murray said. “That’s really our worst nightmare in a situation like this.”

The FBI is urging companies to review and tighten security around their PBX and voice mail systems. A tutorial on locking them down is available from the National Institute of Standards & Technology at: http://www.csrc.nist.gov/publications/nistpubs/800-24/sp800-24pbx.pdf
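The two abuse patterns the article describes, outbound long-distance calls placed through a compromised voice-mail or remote-access port and bursts of simultaneous calls aimed at one destination such as 9-1-1, both leave traces in a PBX's call detail records (CDRs). The script below is an added example, not part of the article and not drawn from the NIST guide it cites; it runs a simple triage over a handful of constructed CDR lines. The CSV layout, the `VM-PORT` label for calls that entered through the voice-mail port, the `011` international prefix and the business-hours window are all assumptions made for the example; real PBX CDR formats vary by vendor.

```python
"""Toy PBX call-detail-record (CDR) triage for two patterns from the article:
1. calls that entered through the voice-mail/remote-access port and went back
   out as international or after-hours calls (toll fraud / anonymous relaying);
2. bursts of many calls to one destination within a few seconds (the
   '9-1-1 flooding' denial-of-service scenario).
Added example; the CDR format and all records below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

REMOTE_ACCESS_SOURCE = "VM-PORT"   # constructed label for the voice-mail/DISA port
INTERNATIONAL_PREFIX = "011"       # North American dialing prefix for international calls
BUSINESS_HOURS = (7, 19)           # local hours treated as normal for outbound calls

# Constructed CDR lines: timestamp, originating extension or inbound port,
# dialed number, duration in seconds.
SAMPLE_CDR = """\
2003-06-09 14:02:11,ext2104,2125550123,312
2003-06-09 23:41:05,VM-PORT,011442079460000,1840
2003-06-10 02:15:40,VM-PORT,011442079460000,2210
2003-06-10 02:16:02,VM-PORT,011331555010100,1999
2003-06-10 09:30:00,ext2117,4155550177,45
2003-06-10 10:00:01,ext2130,911,5
2003-06-10 10:00:02,ext2131,911,5
2003-06-10 10:00:02,ext2132,911,4
2003-06-10 10:00:04,ext2133,911,6
2003-06-10 10:00:05,ext2134,911,5
2003-06-10 10:00:07,ext2135,911,5
2003-06-10 11:20:00,ext2104,2125550123,600
2003-06-10 15:00:00,ext2104,011442079460000,120
"""


def parse_cdr(text):
    """Parse the constructed CSV-style CDR lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, source, dialed, duration = line.split(",")
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "source": source,
            "dialed": dialed,
            "duration": int(duration),
        })
    return records


def is_after_hours(when):
    """True when the call started outside the assumed business-hours window."""
    start, end = BUSINESS_HOURS
    return not (start <= when.hour < end)


def flag_remote_access_toll_calls(records):
    """Outbound calls whose origin is the remote-access port and which are
    international or after hours: a desk extension dialing abroad during the
    day is normal business, the same call relayed through voice mail at 2 a.m.
    is the pattern the article describes."""
    flagged = []
    for r in records:
        if r["source"] != REMOTE_ACCESS_SOURCE:
            continue
        if r["dialed"].startswith(INTERNATIONAL_PREFIX) or is_after_hours(r["time"]):
            flagged.append(r)
    return flagged


def detect_call_bursts(records, window_seconds=10, threshold=5):
    """For each destination, the largest number of calls that start within any
    window_seconds span; destinations at or above threshold are returned as
    {dialed: burst_size}. Six calls to 911 inside ten seconds from six
    different extensions is what a PBX-driven flood looks like in the CDR."""
    by_dest = defaultdict(list)
    for r in records:
        by_dest[r["dialed"]].append(r["time"])
    window = timedelta(seconds=window_seconds)
    bursts = {}
    for dest, times in by_dest.items():
        times.sort()
        best = 0
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            best = max(best, count)
        if best >= threshold:
            bursts[dest] = best
    return bursts


if __name__ == "__main__":
    recs = parse_cdr(SAMPLE_CDR)
    for r in flag_remote_access_toll_calls(recs):
        print("remote-access toll call:", r["time"], r["dialed"], f"{r['duration']}s")
    for dest, n in detect_call_bursts(recs).items():
        print(f"burst: {n} calls to {dest} within 10s")
```

On the sample data the three voice-mail-port calls to UK and French numbers in the middle of the night are flagged while the daytime international call from a desk extension is not, and the six 911 calls are reported as a burst. In practice the same two checks would run nightly against the PBX's exported CDR file, and the thresholds (window size, burst count, business hours) would be tuned to the site's normal call volume.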
Reported By TechNews.com, http://www.TechNews.com
(20030610/WIRES /)
