Toll Fraud. How can I keep from getting hacked?

Status
Not open for further replies.

phonebiz

Vendor
Nov 21, 2002
118
US
Does anyone have a recommended list of settings to protect against toll fraud? I've been in the business for years, but never had a customer hacked until today. Someone dialed into the system remotely and made a ton of calls to the Middle East.

They have a MICS 6.0, PRI and Call Pilot 100. They use external transfer to local numbers on their CCR tree and also message notification.

Nortel's info on this seems scattered and disjointed. I would greatly appreciate any recommendations.

Thanks
 
This sounds like something that we would all LOVE to discuss. But unfortunately it would be best done over a beer in the back room and not on this unguarded forum.

Phonebiz, not that I have answers, only questions. If you like, you can e-mail me offline at tisvcs@yahoo.com. I would like to know a little more of your situation to help guard my own customers.

PhM

 
You probably need to do five different things to reduce the possibility of someone getting into your system. Most of these are based on having random numbers for passwords. The main thing is to keep the hacker out of the RAD. Second is to keep the hacker out of the mailboxes that allow outbound transfer. Keep the hacker out of these two areas and you will probably keep them out of your system entirely.

1. Change the password on your RAD to a random number
2. Physically disconnect the RAD and have someone plug it in when you need to make admin changes on the system
3. Change the password on your Voicemail SysAdmin to a random number
4. Change the class of service to one that does not allow outbound transfer for all but the customers who require outbound transfers
5. Make sure that these customers have random numbers for their voicemail passwords




JerryReeve
Communications Systems Int'l
com-sys.com
 
Arr
sorry for stepping on your response, I just gave some general suggestions, not specific enough (hopefully) to help a hacker in.

JerryReeve
Communications Systems Int'l
com-sys.com
 
Not knowing MICS specifically, all I can say is look at anything that would allow a transfer from inside to outside,
 
Jerryreeve,
You didn't step on my response. I like this forum for the wide range of approaches to issues. All forum members should always feel free to post into any thread I'm involved in. It makes a better situation for all.

Cheers
PhM

 
Just to add to Jerry: if the outbound transfer is to just a few numbers every time, then restrict any other numbers except the ones you want to be dialed.
 
Hi all,

I have played with this off & on for a while now and there is one thing I cannot stop. I can close up a system (I am using a CICS 6.x CP100 1.5) so it is impossible to dial anything from an internal set, however by programming a transfer using the centrex transfer feature (link) from a mailbox or CCR point all transfers are completed regardless of the restrictions.

I have the restrictions set on the extension for the mailbox and a transfer to any number is still completed.

I have put restrictions on the lines and the VM DN's also line/set restrictions on the VM DN's and the transfer is still completed.

I have disallowed link from the extension with the mailbox and the VM DN's and still the call completes.

I don't know if there is an answer for this. Any thoughts?

 
rconn, have you tried putting *71 as a restriction on your RPL?
 
For testing I have made a filter restricting "any" and the centrex link call still passes and no one can dial from the system at all.

It looks like a big hole to me.

Rob
 
Are you using Restriction/Permission Lists under Call Pilot programming?
 
As near as I can tell there are no RPLs in my system (CP100 Ver 1.5).
I will admit to not reading every word in the manuals as life is very short. There are RPLs in the CallPilot mini.

Is there something I have missed? I had the system restricted not to allow any digit to be dialed but it would still allow a link transfer to any number programmed to outbound transfer.

It would seem RPL would do what I need.

Rob
 
rconn, did you try to make the link timer shorter/longer so that it could no longer be used?? (sounds like you don't want to use the centrex features)
 
cancel the centrex feature

Pat Guido
NEXTIRAONE
Pat.guido@nextiraone.com

Formerly Nextira, formerly Williams Communications, formerly Wiltel, formerly Nortel networks, formerly Northern Telecom, formerly, Nynex meridian systems formerly Northern Telecom.

 
Set up a COS that restricts outbound-transfer to system speed-dial numbers only, and make sure the RAD is locked down (random PWD as suggested above, and preferably disconnected when not in use) so the hacker can't get in to program speed-dial.

It's only slightly inconvenient to the customer, i.e. they have to plan in advance for what outgoing numbers they want to call on a dial-through. It's not usually a big deal for legitimate users, but makes it worthless to hackers.

Of course, if it's an in-house user making the abusive calls, you'll find the number in the speed dial directory.

BTW, don't forget to change the passwords on secondary IDs that can make programming changes on the system, as well as the primary configuration ID - there's a couple IDs that have limited access, but enough authority to bypass COS restrictions. Also, don't set COS passwords unless absolutely necessary, tell them to call the attendant instead. If a hacker tries it, the attendant can see the call is inbound from DISA and handle accordingly.

howard
 
Just a note all:

This is the second hacking post I've seen here in the last few months. Both systems were stated to be PRI equipped. I wonder if there is something at the LEC end we are not aware of nor should post. Both these posts have drawn a lot of comment, but the last poster didn't provide the end results to us. Perhaps none of this should be posted at all?
This Norstar forum is probably the best out on the net and any hacker info would be easily found and copied. Perhaps we should not discuss any hacking info here at all?

Comments?

Rgds
PhM
 
Arr, you are right, we shouldn't discuss this and a lot of other things on this site.

Pat Guido
NEXTIRAONE
Pat.guido@nextiraone.com

Formerly Nextira, formerly Williams Communications, formerly Wiltel, formerly Nortel networks, formerly Northern Telecom, formerly, Nynex meridian systems formerly Northern Telecom.

 
Hi all,

I've been away all weekend. Lots of activity and thanks for all the responses.

I have been spending a lot of time on this because of the recent rise in fraud and I want to ensure that my customers are protected as well as can be expected. I am sure this is true of all technicians.

I like the centrex transfer feature and will continue to use it (Link timing did cross my mind). Taking all the normal precautions to restrict access to systems, voicemail and mailboxes will certainly work.

My intent was not to let the cat out of the bag and we should certainly be careful about the information we post.

Thanks again,

Rob

 
ARR, et al.

It seems that the more we keep silent about hackers the better it is for them. They live in a world where secrecy is great, since once they figure out a way to hack into one system one way then they might have an open door to many systems, especially if the fixes that would prevent the hacker from entering systems are not passed around. I see no problem with general statements such as what is needed to be done to protect systems as long as they are not specific enough to tell a hacker how to bypass them. Most especially, if there is an open door/port that we can close to protect the customers, we should know that.

I do disagree with telling, on an open forum, how someone hacked into a system but do think the open forum should know how to block that hacker.

It seems important to know what calls are being handled by your system. As a defense against hackers, get SMDR running on your system. If you have a PRI you already have Caller ID; if not, caller ID is very useful for SMDR data. Just getting the raw feed off of the SMDR could give you an indication of where hacking calls are coming from.

JerryReeve
Communications Systems Int'l
com-sys.com
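
The SMDR review suggested in the post above can be automated. The following is an added example, not part of the original thread and not vendor code: it flags call records that are international, that leave a voicemail port for a number outside an allowed-transfer list (the restriction suggested in earlier replies), or that are placed outside business hours. The record layout, DNs, allowlist, prefix and hours are assumptions, and the sample records are constructed; real SMDR output is vendor-specific and needs its own parser.

```python
import csv
import io
from datetime import datetime

# Constructed records: start time, duration (s), originating DN, dialed digits.
SAMPLE_SMDR = """\
2024-03-08 10:02:11,95,221,12125550142
2024-03-08 14:30:45,310,225,12125550177
2024-03-09 02:14:07,2470,225,0119995550101
2024-03-09 02:58:31,1985,226,0119995550102
2024-03-09 03:40:02,60,231,12125550142
"""

VM_PORT_DNS = {"225", "226"}          # assumed voicemail port DNs
TRANSFER_ALLOWLIST = {"12125550177"}  # numbers outbound transfer may reach
INTL_PREFIX = "011"                   # North American international prefix
BUSINESS_HOURS = range(7, 19)         # 07:00-18:59 local time, Mon-Fri

def flag_calls(smdr_text):
    """Return (record, reasons) for every call that trips at least one rule."""
    flagged = []
    for row in csv.reader(io.StringIO(smdr_text)):
        if len(row) != 4:
            continue  # skip malformed lines rather than guessing
        start, seconds, origin, dialed = (f.strip() for f in row)
        when = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
        reasons = []
        if dialed.startswith(INTL_PREFIX):
            reasons.append("international")
        if origin in VM_PORT_DNS and dialed not in TRANSFER_ALLOWLIST:
            reasons.append("voicemail transfer to unlisted number")
        if when.hour not in BUSINESS_HOURS or when.weekday() >= 5:
            reasons.append("outside business hours")
        if reasons:
            flagged.append(((start, int(seconds), origin, dialed), reasons))
    return flagged

def minutes_by_origin(flagged):
    """Total flagged minutes per originating DN, highest first."""
    totals = {}
    for (_, seconds, origin, _), _ in flagged:
        totals[origin] = totals.get(origin, 0) + seconds / 60
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    hits = flag_calls(SAMPLE_SMDR)
    for record, reasons in hits:
        print(record, "->", "; ".join(reasons))
    print(minutes_by_origin(hits))
```
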
 
Thanks everyone for all your suggestions. I have used several of them and it seems like the open door has been closed.

I tend to agree with Jerry. I picked up several good tips. Don't know where else I could have turned. This helps me keep my customers from being the victim.

Steve
 