|
|
 |
|
|
|
register |
bbs |
search |
rss |
faq |
about
|
|
|
meet up |
add to del.icio.us |
digg it
|
|
|
|
Locate PBX and determine the type of PBX
NOTICE: TO ALL CONCERNED Certain text files and messages contained on this site deal with activities and devices which would be in violation of various Federal, State, and local laws if actually carried out or constructed. The webmasters of this site do not advocate the breaking of any law. Our text files and message bases are for informational purposes only. We recommend that you contact your local law enforcement officials before undertaking any project based upon any information obtained from this or any other web site. We do not guarantee that any of the information contained on this system is correct, workable, or factual. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site.
The following article was transcribed from Tele Mgr, a magazine for, you
guessed it, managers of telecommunications systems. I thought everyone
would like to get an idea of how the people on the other side see them. When
reading over the article, be sure to take note of the methods that are not
mentioned. And like any other writing on phreaks, this article is filled with
over generaliztions and unfounded connections between p/hacking and
organized crime. But despite the standard lies, the article is fairly
informative. Feedback or comments can be directed to me at:
CybernetI [504] 272-1710, Johnny Rotten <Sysop>
>>>>>>>>>Ratfink
By now the stories are all too familiar. Your PBX/CPE customer receives a
long distance telephone bill in a huge box, rather than an envelope.
Throughout the bill are pages of calls from international locations and
locations your customer doesn't do business with: The Dominican Republic,
Mexico, Pakistan or Colombia. A total of $50,000 in international calls.
Another victim of PBX/CPE fraud.
For as long as there has been direct dial long distance service, there have
been ways to steal it. Methods have constantly evolved over the years. First,
the "boxes" fraud. Blueboxes, Redboxes, Silverboxes. With the advent of
competitive long distance service, a new avenue became available, Feature
Group.
A FGA offers access to the interexchange carriers' network through a
subscriber-type line connection rather than through a trunk. Thus the birth
of "hackers" and "phreakers". Phreakers are aspiring hackers sharpening
their skills by uncovering long distance authority codes.(auth codes). This is
accomplished by breaking in to a company's telecommunications computer
and uncovering the auth code identifying long distance customers to which
phone calls are billed. The more experienced hackers are skilled in breaking
into modem ports, including PBX/CPE.
With divestitures and advancements in monitoring systems, FGA became
less of a problem. Carrier calling cards became the favorite method for
stealing service. Calling cards were wonderfully easy to steal. You didn't
need to hack. All you needed was to hang around the payphone banks at any
major transportation facility, watch the legitimate users dial their code or
listen to them repeat it to an operator, and you were in business. All the
carriers eventually developed advance monitoring systems to detect calling
card abuse. Now fraudulently used calling cards are good for a few hours at
most before the card is deactivated.
The migration continued to the PBX/CPE environment, and extremely fertile
area of attack. Many PBX/CPE owners were unaware of fraud potential.
Systems were not in place to detect this fraud in a short time frame. The
abuse could often continue unabated until the PBX/CPE owner received the
aforementioned bill.
As the years have passed, fraud migrated from one product to the next. What
started as a problem with college students trying to call friends and family
for free, or businesses trying to reduce their phone bill, has turned into a
very lucrative market. The "call sellers" stealing phone service are
professionals. The resale of lang distance service at very low rates is their
full time job. While the problem was once confined to domestic calls, it has
evolved almost totally to international calls. These professionals work from
their homes or from payphones on the street. For as little as $5, they will
sell you a 15-minute telephone call to anywhere in the world.
Phreakers are still uncovering authcodes; however, this is no longer the only
method employed to garner information . The migration has moved to
technical expertise. Now, hackers no longer attack only dialtones, they
attack modems that are the maintenance ports on PBX/CPE equipment. Once
inside the equipment, the hackers reprogram features. They turn on function,
such as Direct Inward System Access (DISA), that owners have turned off.
They reprogram certain call processing features allowing outbound dialing
from voice mail boxes or call attendants.
Previously, these two communities (call sellers and hackers) worked
individually. Hockers posted codes on bulletin boards or pirated voice mail
boxes, and call sell operators accessed for the information. Recent
activities indicate this relationship has changed to one of direct
cooperation. As PBX/CPE owners have become more aware of the fraud
issues over the last two or three years, they have taken steps to protect
their systems. EISAs have been removed, and international calling has been
blocked. The PBX/CPE equipment can no longer be abused with simple keypad
manipulation. This places call sell operators in a bind. They have customers
to support and cannot provide the service those customers desire. As a
result, hackers and call sell operators have joined forces. A call sell
operator puts a hacker on the payroll. The hacker, armed with PBX/CPE
manuals, accesses the equipment and modifies it to allow a fraudulent call
to be placed.
These crimes require total industry cooperation to be combated. It's no
something that can be solved without a combined effort by the
interexchange carriers (IXCs), PBX/CPE manufacturers and distributors, and
end users.
EDUCATION AND AWARENESS
This is the area that has produced the best results to date. Over the last two
years there have been many articles published in trade journals and the
general media highlighting the problem. Seminars have been conducted by
the Communications Fraud Control Association, American Society of
industrial Security, and other organizations, highlighting potential exposure.
The IXDs have all developed some form of customer awareness training,
forcing the hackers call sell operators to resort to drastic measures. It's
not as east to beat a PBX as it was two years ago.
Despite the advances made, however, the efforts need to be refocuses.
Resources should be directed at law enforcement and the judicial system.
Many believe telecommunications fraud is still a victimless crime being
perpetrated against the "deep pockets" of the local and interexchange
carriers. But as many PBX?CPE owners unfortunately know, industry tariffs
hold the owner responsible for this type of fraud.
Law enforcers need to know the carriers will assist them in any way
possible to put a case together. They must know that many times there is a
connection between telecommunications fraud and everyday street crimes,
including the drug trade.
Likewise, prosecutors and judges need to understand the impact of these
crimes and to hand out appropriate sentences when a suspect has been
convicted. In a recent case in New York City, a fraud suspect was convicted
and sentenced to 300 hours of community service for over $375,000 of
documented fraudulent phone calls attributed to this individual. That
equates to over $1,000 stolen for each hour of community service, or
something far less than an effective deterrent.
BETTER LAWS
The federal laws most often used against hackers are Title XVIII Sections
1029 and 1030. These laws offer reasonable penalties for the criminal. Many
state laws lack teeth, however. In many states the best that can be done
under existing laws is to charge the hacker with a misdemeanor offense.
The time for change is now. Hackers don't believe they are doing anything
wrong. They think confidential and marketable information should be
accessible and free. They rant and rave about their First and Fourth
Amendment rights. Mitch Kapor, creator of LOTUS 1-2-3 has even started a
fund to help arrested hackers defend themselves. The industry needs to
regain the upper hand. These hackers are nothing less than thieves stealing
information and services.
SECURITY
Security for PBX/CBE equipment must be developed. The first area to
approach is the maintenance modem port. Dial-up access to a bare modem
protected by only user IDs and passwords does not offer security. PBX/CBE
manufacturers should assist their customers in finding a suitable security
Access Unit (SAU) to protect the dial-up port or offer such a product
themselves. These SAUs work with multiple authentication schemes and can
cost anywhere from $200 to $1,000 per line. All these products provide an
additional layer of security. The cost differences stem from additional
features such as real time alarms and audit trails.
Manufacturers, suppliers and vendors must fully explain to equipment
owners the existing security features of their systems. These include call
restriction capabilities, event logging, traffic reporting, and auth code
management features, to name a few.
Emphasize to your customers that the key to protection against fraud is
diligence. Customers are battling a very resourceful and tenacious enemy.
Letting one's guard down for a minute could cost one's company literally
thousands of dollars a day. Remember, we're up against a professional
industry stealing $1 to $1.5 billion annually. It is unlikely the hackers/call
sell operators will go away any time soon. They will uncover and develop
methods we have yet to imagine. However, by addressing the legal issues
and putting more teeth in our laws and sentences, we may be able to turn
the corner on toll fraud. Until then, you must offer your customers not only
great products and services, but advice on how to prevent the wrong hands
from using them as well.
|
|
|
To the best of our knowledge, the text on this page may be freely reproduced and distributed.
If you have any questions about this, please check out our Copyright Policy.
totse.com certificate signatures
|
|
|
About | Advertise | Bad Ideas | Community | Contact Us | Copyright Policy | Drugs | Ego | Erotica
FAQ | Fringe | Link to totse.com | Search | Society | Submissions | Technology
|
|
|
|
|
|
