Telephone hack costs NSW firm AU$9,000

Munir Kotadia, ZDNet Australia

17 October 2006 10:10 AM

Tags: pabx, hack, telephone

A small Sydney-based company last week discovered that hackers had broken into its telephone system and run up bills of AU$9,000 in a week.

The company's IT manager and finance director agreed to speak with ZDNet Australia about the security breach on condition of anonymity. They revealed that hackers broke into the firm's Nortel PABX system and used its call-forwarding functionality to run up the huge bill.

"[The hack] has cost us AU$9,000, which is about eight times our normal monthly telephone bill. All of our focus was on server and network security but we have this one bit of equipment -- which is one of the most expensive -- that nobody knows anything about," said the finance director.

"Over a one-week period there were an enormous number of calls made -- there were two and three hour calls made to the Arab Emirates, Somalia and other countries in Africa and South America.

"We got a printout of where all the calls were made and I had no idea. I thought international calls were relatively cheap these days but when you call the Arab Emirates for three hours it is not cheap," he added.

The company's IT manager told ZDNet Australia that the hackers most likely gained access to the PABX by exploiting a weak password. Although the company's servers and network are relatively secure, PABX security was not "well documented" and the hackers probably had technical knowledge about the specific system, he said.

"You hear a lot more about servers being hacked but to hack a PABX, you need to know how that particular model works. It's not like jumping onto the Internet and finding a general purpose exploit.

"You get turnover in IT and some people don't know how to set it up. It is not a part of the business that is well documented," he said.

The IT manager admitted that the company left some unused features on its PABX enabled, which most likely made the hack relatively easy.

"It doesn't matter what kind of lock you have if you leave the door wide open. We had the call forwarding system enabled. We now monitor our call logs every day," he added.
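The daily call-log review the IT manager describes is the cheapest detection control for this kind of toll fraud, and it is easy to automate. The script below is an added example, not code from the article, the company or Nortel. The CDR line format (timestamp, extension, dialled number, seconds), the `FWD` marker for calls placed through call forwarding, the country-code table, the expected-destination allow-list, the business-hours window and the daily baseline are all constructed assumptions; a real PABX export will differ by model and carrier.

```python
"""Daily call-detail-record (CDR) review for PABX toll-fraud signals.

Added example for the ZDNet article; not vendor code. All formats,
numbers and thresholds below are constructed for the illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample export: timestamp,extension,dialled number,seconds.
# "FWD" marks a leg placed by the PABX's call-forwarding feature.
SAMPLE_CDR = """\
2006-10-09T09:12:05,201,+61292345678,180
2006-10-09T11:40:22,204,0412345678,95
2006-10-09T23:07:41,FWD,+971412345678,10440
2006-10-10T02:15:03,FWD,+252612345678,7920
2006-10-10T10:03:19,201,+64493456789,600
2006-10-10T03:44:50,FWD,+554112345678,9000
"""

KNOWN_COUNTRY_CODES = {"1", "44", "55", "61", "64", "252", "971"}  # constructed subset
EXPECTED_COUNTRY_CODES = {"61", "64", "1", "44"}  # where this business normally calls
BUSINESS_HOURS = (8, 19)            # 08:00 to 19:00 local time
LONG_CALL_SECONDS = 3600            # anything over an hour is worth a look
DAILY_INTL_MINUTES_BASELINE = 30    # constructed "normal" daily international minutes


def parse_cdr(text):
    """Parse CSV lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ext, number, seconds = line.split(",")
        records.append({
            "when": datetime.fromisoformat(ts),
            "ext": ext,
            "number": number,
            "seconds": int(seconds),
        })
    return records


def destination_country(number):
    """Return the country code of an E.164 (+...) number, or None for domestic calls."""
    if not number.startswith("+"):
        return None
    digits = number[1:]
    for length in (3, 2, 1):  # longest-prefix match against the known table
        if digits[:length] in KNOWN_COUNTRY_CODES:
            return digits[:length]
    return "unknown"


def review_calls(records):
    """Return one alert per call that trips any of the fraud indicators."""
    alerts = []
    for r in records:
        cc = destination_country(r["number"])
        reasons = []
        if cc is not None and cc not in EXPECTED_COUNTRY_CODES:
            reasons.append(f"unexpected destination +{cc}")
        if r["seconds"] > LONG_CALL_SECONDS:
            reasons.append(f"long call ({r['seconds'] // 60} min)")
        if not BUSINESS_HOURS[0] <= r["when"].hour < BUSINESS_HOURS[1]:
            reasons.append("outside business hours")
        if r["ext"] == "FWD" and cc is not None:
            reasons.append("international call placed via call forwarding")
        if reasons:
            alerts.append({"when": r["when"].isoformat(),
                           "number": r["number"], "reasons": reasons})
    return alerts


def daily_international_minutes(records):
    """Sum international minutes per calendar day (ISO date string -> minutes)."""
    totals = defaultdict(int)
    for r in records:
        if destination_country(r["number"]) is not None:
            totals[r["when"].date().isoformat()] += r["seconds"] // 60
    return dict(totals)


def days_over_baseline(records, multiple=3):
    """Days whose international minutes exceed `multiple` x the baseline."""
    return sorted(day for day, mins in daily_international_minutes(records).items()
                  if mins > multiple * DAILY_INTL_MINUTES_BASELINE)


if __name__ == "__main__":
    recs = parse_cdr(SAMPLE_CDR)
    for alert in review_calls(recs):
        print(alert)
    print("days over baseline:", days_over_baseline(recs))
```

Run against the constructed sample, the three forwarded overnight calls to unexpected countries are flagged and both days exceed the spend baseline, which is the pattern the article describes (multi-hour calls to the Emirates, Somalia and South America). The per-day total matters as much as the per-call checks: a flood of short calls to an expected country would pass the first three rules and only show up in the daily sum.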

Nortel provides training to its partners and publishes a PABX security checklist for customers on its Web site (also available as a PDF).

Nick Avakian, general manager for enterprise in ANZ for Nortel, said that educating customers and partners on PABX security was very important.

"There are safeguards that you should practise on a regular basis -- such as changing passwords and feature codes -- to provide a level of protection. PABX features have been around for a long, long while. It is a matter of educating customers and channel partners about what the naughty people out there can do," Avakian told ZDNet Australia.

The hacked company's finance director was very unimpressed with the carriers, who initially refused to believe the PABX could have been hacked. Instead they tried to point the finger at a possible dishonest employee.

"When we queried them as to what to do they said we should go to the phone extension and stop the person from making the calls. It was that sort of attitude. It took us a day or two to figure out what was actually going on," the finance director said.

The finance director was keen to advise other companies that own a PABX to arrange a security audit, ensure they know exactly what services are enabled and to change their passwords regularly.

"I would say they need to have a security audit. I have never heard of this before -- which obviously does not mean it doesn't happen. I think it's our fault because we had some things enabled on our PABX system that made it very easy for them to hack into it. But I had never heard of anybody hacking into a phone system to make international calls like that," he added.

PABX hacking is relatively common, according to Robert McAdam, chief executive of penetration testing specialist Pure Hacking. However, McAdam said the issue does not receive much press because victims tend to shy away from publicity.

"[Hacking] is common, but it is very uncommon for [this kind of news] to get into the public domain and be published. To be able to admit that security has been compromised, for some companies, is an embarrassment," McAdam told ZDNet Australia.

McAdam said that hacking PABX systems can be a lucrative business: "I know they will be making an absolute killing".


Talkback 4 comments

  1. Pabx Hack Dean Collins -- 18/10/06

    Should have installed an open source (that's free, for the older people reading this) Asterisk IP-PBX.

    Open source means far better security.

    www.asterisk.org

    www.Astricon if you want to come to Dallas next week for training.

    Dean Collins
    Cognation

    1. No, correct configuration means better security Paul Wilkinson -- 23/10/06

      If I install Asterisk and do not change the default passwords/access codes then my security is no better than any other system with default codes.
      It has been argued many times that the "many eyes" review of open source code can lead to better code quality, but in this case it was not a program code vulnerability that was exploited, merely a poor installation.

  2. Your PABX is not the only place to hack!! Anonymous -- 19/10/06

    As a voice mail engineer for many years, I can tell you that your voicemail system is the easiest to hack!
    Your voicemail can also be set up to forward to an external number.
    The weakest one is Repartee (made by Active Voice).
    It comes with a default user 'sandy' with no password.

    So be warned!
    Delete the default user and make sure all other users have a decent password on their voicemail box! :-)
    -C

  3. Your PABX is not a fridge Anonymous -- 20/04/07

    PABXs, just like PCs and servers, need correct configuration in order to be secure; you can't just plug them in and leave it at that.

    The comment about voicemail systems is also very true. In the '80s that was one of the most common means for "phone phreaks" to make free (to them) calls: dial into a corporate PABX, go to voicemail, log in to the voicemail system with the default password (in 90% of cases there will be at least 1 mailbox with the default password or a predictable password 0000, 1111, 1234, 9999, <extension number>, etc) and then forward the line to the external number they wished to call (or in some cases dial out of another line on the PABX directly).

    This attack has probably been carried out in a slightly different fashion, though: the likely entry was a login to a web-based configuration service which was exposed to the outside world, most likely using the default password, and then reconfiguring the switch from there.
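The two comments above both come down to the same audit: find mailboxes whose PIN is empty, a known default, equal to the extension, or otherwise predictable, and find mailboxes that are allowed to forward to an outside line. The script below is an added example of that defender-side check, not code from the article, the commenters or any voicemail vendor. The mailbox export format (mailbox, PIN, external forwarding target), the sample rows, the minimum PIN length and the treatment of any `+`-prefixed target as external are constructed assumptions; the weak-PIN list is the one given in the comment above.

```python
"""Voicemail mailbox PIN and forwarding audit.

Added example for the ZDNet article comments; not vendor code. Sample
rows and the export layout are constructed for the illustration.
"""

WEAK_PINS = {"0000", "1111", "1234", "9999"}  # the guesses the commenter lists
MIN_PIN_LENGTH = 4

# Constructed export: (mailbox id, PIN, external forwarding target or None).
# The empty-PIN "sandy" row mirrors the default account the commenter describes.
SAMPLE_MAILBOXES = [
    ("201", "4827", None),
    ("204", "204", None),
    ("sandy", "", None),
    ("210", "1234", "+971412345678"),
    ("215", "7777", None),
    ("220", "9876", None),
    ("225", "13579", None),
]


def is_repeated(pin):
    """True for a single repeated digit such as 7777."""
    return len(set(pin)) == 1


def is_sequential(pin):
    """True for strictly ascending or descending digit runs such as 1234 or 9876."""
    if len(pin) < 2 or not pin.isdigit():
        return False
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}


def audit_mailbox(mailbox, pin, forwards_to=None):
    """Return a list of findings for one mailbox (empty list means clean)."""
    findings = []
    if not pin:
        findings.append("no PIN set")
    else:
        if pin in WEAK_PINS:
            findings.append("PIN is on the common-default list")
        if pin == mailbox:
            findings.append("PIN equals mailbox number")
        if len(pin) < MIN_PIN_LENGTH:
            findings.append(f"PIN shorter than {MIN_PIN_LENGTH} digits")
        if is_repeated(pin):
            findings.append("PIN is a single repeated digit")
        if is_sequential(pin):
            findings.append("PIN is a digit sequence")
    # Assumption: anything in +E.164 form is an outside line.
    if forwards_to and forwards_to.startswith("+"):
        findings.append(f"mailbox forwards to external number {forwards_to}")
    return findings


def audit_mailboxes(rows):
    """Map each mailbox with at least one finding to its findings."""
    report = {}
    for mailbox, pin, forwards_to in rows:
        findings = audit_mailbox(mailbox, pin, forwards_to)
        if findings:
            report[mailbox] = findings
    return report


if __name__ == "__main__":
    for box, problems in audit_mailboxes(SAMPLE_MAILBOXES).items():
        print(box, "->", "; ".join(problems))
```

Only mailboxes with findings are reported, so on a real export the output is the remediation list: reset or delete the default account, force PIN changes on the predictable ones, and remove external forwarding wherever the business does not need it.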
