A couple of weeks ago Paul Brislen posted a really good post on the TUANZ blog about PABX security. It seems some criminals had used a local company's phone system to route a huge number of international calls, leaving them with a colossal ($250k!) phone bill. These attacks are increasingly common, and I have heard a number of similar stories.
Phone systems increasingly rely upon IP connectivity and often interface with other business processes, putting them in the domain of IT. But even if your PABX is from 1987 (mmm beige) and hasn't been attacked yet, that doesn't mean it won't be.
Both Telecom NZ and TelstraClear NZ have some good advice to start with, and you might find your PABX vendor can also give expert advice. Unfortunately, many PABX systems are insecure from the factory, and a number of vendors don't do a great job with security.
In a previous role I ended up managing several PABX systems spread across multiple sites, and learnt a few lessons along the way. Here are a few tips to get you started:
If you live in NZ, or follow the IT security press, you are probably aware of a security flaw recently discovered on public kiosks at the MSD (Ministry for Social Development). The story has really gained traction, spreading quickly across Twitter and the international press.
In short, it was possible to open sensitive files from across the organisation using the Open File dialog of an application on the public kiosks in Work and Income NZ offices. This sort of problem is as old as network file shares, and trivial to do. For more information I highly recommend reading the original blog post and the follow-up posts by Keith Ng.
Not all of the facts are available, but it seems there are three good lessons we can all take away from this breach:
There has been a lot of press recently about 6.45 million password hashes from LinkedIn appearing online. A 120MB Zip file showed up last week on a Russian hacking site without any related account information (although the hackers likely have these details). The theft of large volumes of account information is a common occurrence; eHarmony and Last.fm also both suffered breaches just last week.