http://www.gazettetimes.com/articles/2004/11/24/news/community/wedloc05.txt

By Les Gehrett
For the Gazette-Times
November 24, 2004

ALBANY - Hackers broke into the Linn County government's phone system earlier this month and billed the county for many hours worth of expensive international calls.

The county has fixed the problem and is working with phone company fraud investigators to sort out the charges.

Linda Penick, an administrative assistant in the county's general services division in charge of telecommunications, said the problem seems to have begun over the weekend of Nov. 13-14.

She said hackers began by calling the main dial-in number for various county departments. Using the voicemail system, they reached individual employee voicemail boxes.

The hackers then tried to figure out each employee's password, so that they could change the greeting on the employee's voicemail. This turned out to be pretty easy to do in some cases, because a few employees were using their extension number as their voicemail password.

Once the hackers figured out the password, they recorded a new greeting. This new greeting was basically, "Hello. Yes, I'll accept the charges."

This was done to between 10 and 20 county phone lines. These phone lines were then used to authorize third-party collect calls overseas.

Callers would simply make collect phone calls, say that they wanted to bill the call to a home phone, and give a county employee's phone number as the home number. When the operator dialed the county number, the altered voicemail system kicked in, answered the phone and authorized the billing.

Penick said county departments were contacted by fraud investigators from MCI on Monday, Nov. 15. The departments referred the problems to her, since she handles the county's phone system.

"I spent all week fighting through this and trying to figure out what they had done," Penick said.
She thinks that once the phone system was broken into, the hackers publicized and sold the access numbers. Throughout the week, employees continued to receive a barrage of phone calls from operators asking them to authorize the collect phone calls. The employees, of course, refused.

Penick said county employees have been told to change their voicemail passwords and to not use their extension number as their password. She has also changed their system so that third-party collect calls cannot be billed to the county. County departments will continue to accept legitimate collect calls from residents of the county.

Debbie Lewis, a spokeswoman for MCI, said this is a common scheme.

"This is one way that intruders try to damage the integrity of a phone system for their own illegal activities," Lewis said.

To guard against such an attack, Lewis said companies and government agencies should work closely with their internal phone system vendors to follow proper security measures.

Passwords should be long enough that they are difficult to hack, and they should never be based on birthdays or social security numbers. Passwords should also be varied, not using either a single number, such as "9999" or a sequential number, such as "1234."

Penick said the total amount of fraudulent charges has not been determined, but she doesn't think the county will be stuck with the bill.

"It's my understanding that we'll be able to contact them and get the charges dropped," Penick said.
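
The password advice above can be checked mechanically when a voicemail PIN is set or during an audit. The following is an added example, not part of the original article or of any phone vendor's software; the minimum length, the finding names, the date heuristics and the sample mailboxes are assumptions constructed for illustration.

```python
# Added example: audit voicemail PINs for the weaknesses the article names.
MIN_LENGTH = 6  # assumption: the article only says "long enough"


def is_repeated(pin):
    """Single digit repeated, e.g. 9999."""
    return len(set(pin)) == 1


def is_sequential(pin):
    """Ascending or descending run, wrapping at 0: 1234, 4321, 7890."""
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {9})


def is_date_like(pin):
    """MMDD, MMDDYY, MMDDYYYY or a four-digit year: birthday-shaped PINs."""
    if len(pin) == 4 and 1900 <= int(pin) <= 2099:
        return True
    if len(pin) in (4, 6, 8):
        return 1 <= int(pin[:2]) <= 12 and 1 <= int(pin[2:4]) <= 31
    return False


def audit_pin(extension, pin):
    """Return the list of policy findings for one mailbox (empty if none)."""
    if not pin.isdigit():
        return ["not_numeric"]
    checks = [
        ("too_short", len(pin) < MIN_LENGTH),
        ("extension", extension in pin),  # PIN is, or embeds, the extension
        ("repeated", is_repeated(pin)),
        ("sequential", is_sequential(pin)),
        ("date_like", is_date_like(pin)),
    ]
    return [name for name, failed in checks if failed]


def audit_mailboxes(mailboxes):
    """Map extension -> findings, listing only mailboxes that fail a check."""
    results = {ext: audit_pin(ext, pin) for ext, pin in mailboxes.items()}
    return {ext: found for ext, found in results.items() if found}


# Constructed sample data: extension -> PIN.
SAMPLE = {"5127": "5127", "5128": "9999", "5129": "1234",
          "5130": "840275", "5131": "071482"}

if __name__ == "__main__":
    for ext, found in audit_mailboxes(SAMPLE).items():
        print(ext, ", ".join(found))
```

Social security numbers and actual birth dates cannot be recognized from the digits alone; a real deployment would compare the PIN against those values from the employee record at the time the PIN is set.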