[comp.dcom.telecom] Protecting Your PBX From Illegal Access

0004248165@mcimail.com (CTC Wang Labs) (11/02/90)

[Pat: I think your subscribers might find the following interesting. dab]
 
  - - - - - - -
 
  Date:     Thu Aug 16, 1990  9:26 pm  GMT
  From:     Communications Fraud Control Association / MCI ID: 338-0396
  Subject:  PBX Security Brochure
 
 
             Protecting Your PBX From Illegal Access
             =======================================
   
     As an owner of a private branch exchange (or PBX) you've invested
quite a lot of money into a remarkable piece of equipment that greatly
enhances your company's communications capabilities. A so-called smart
device, this sophisticated switch usually has a number of useful
features such as remote access and voice store-and-forward systems, or
voice mail.
 
     The problem is, criminals are finding it easier than ever to
access these helpful features, blocking out legitimate users.  This is
mainly because many end-users are not taking advantage of new
protective technologies that are now available.
 
     You may be a victim of this industry-wide problem and not even
know it. Last year, a Midwestern manufacturer lost $25,000 when
someone accessed its PBX for a short time to make unauthorized long
distance calls.
 
     One favorite PBX pathway to free long distance calls is the
remote access unit, which allows callers to access the switch from a
phone outside the company and obtain a dial tone.
 
     The abuse is hitting end-users at all levels. Over a two-month
period in 1988, employees at a large city agency rigged a phone system
in a scam that cost taxpayers over $700,000 for unauthorized phone
calls. Workers tampered with the organization's PBX to allow callers
from public payphones to dial a special access number that gave them
an outside line to anywhere in the world.
 
     In another case, intruders left instructions on computer bulletin
board systems detailing how to access conference bridges, call
diverters and remote access units.
 
     Abusers can include current and former employees, summer interns
and technicians as well as hackers, street hustlers and other thieves
of telecommunications services.  And unfortunately, many companies
simply forget to take out the easy-to-break authorization test codes
that are installed before a PBX is placed in service.
 
 
                      Establish Strict Defenses
                      =========================

1.   Assign authorization codes randomly on a need-to-have basis,
     and limit the number of calls using these codes. Never match
     codes with company telephone, station or badge numbers.

2.   Instruct employees to safeguard their authorization codes,
     which should be assigned individually, not printed in
     billing records. And the codes should be changed frequently,
     and canceled when employees depart. 

3.   Remote access trunks should be limited to domestic calling
     and shut down when not in use. 

4.   Use the time-of-day PBX option.

5.   Use a system-wide barrier code, followed by an authorization
     code with the most digits your PBX can handle.

6.   Use a nonpublished number for remote access lines.

7.   Use a delayed electronic call response (the same as letting
     your phone ring four or five times before answering). 

8.   Try hacking your own system to find weaknesses, then correct
     them.     
 
 
               Implementing Effective Controls
               ===============================

1.   Know the safeguards on your PBX.

2.   Develop an action plan that provides adequate staffing to
     direct specific defensive procedures.

3.   Monitor billing, call details and traffic for unusual
     patterns and busy lines during off-peak hours, such as late
     at night.

4.   Inform PBX console attendants, night security officers and
     remote access users of the need to secure equipment and what
     to do if they suspect an intrusion. 

5.   Ask your PBX vendor/supplier what inherent defenses could be
     used to make your PBX more difficult to penetrate. 

6.   Monitor valid and invalid call attempts as often as
     possible.

7.   Look for attempted calls of short duration that usually
     indicate hacking activity. 

8.   Know who is on the other end of the line before giving out
     any information. 

9.   Learn whom to contact at your local and long distance
     service providers when you have a security problem. 
 
 
                            Glossary
                            ========
 
Access number:  Preliminary digits that must be dialed to connect
to an outgoing line. 
 
Authorization code: Unique multidigit code identifying an authorized
subscriber that must be validated for a call to be processed.
 
Barrier code: A number of digits that, when dialed before an
authorization code, allow dial entry to a PBX.
 
Bulletin board system:  Computer-based message system. 

Call detail recording: A PBX feature that logs outgoing and incoming
calls.
 
Conference bridge: Allows several parties to carry on a conversation
(Conference Call) from remote sites.
 
End-user: Subscriber that uses, rather than provides, telecommunications 
services.
 
PBX, or private branch exchange: A private switch, either automatic or
manually operated, serving extensions in a business complex and
providing access to the public switched network.
 
Remote access: A feature that allows an employee to access a PBX from
a remote site and charge calls to the caller's company.
 
Smart device:  A computer-based system that carries out complex functions. 
 
Switch: A mechanical or solid state device that opens or closes
circuits, changes operating parameters, or selects paths or circuits,
either on a space or time division basis.
 
Time-of-day option: An added restriction to the automatic route
selection or least-cost options, it can be preset to block long
distance calls at certain hours.
 
Trunk: A communications channel between different switching systems or
between a PBX and a central office.
 
Voice mail, or voice store-and-forward systems: A voice message system
that allows messages to be played back when the addressee returns.
  

          Since 1985, CFCA has served as the industry's
          clearinghouse for information pertaining to
          the fraudulent use of telecommunications
          services. To learn more about PBX system
          security, call (703)848-9768, or write:
 
	  The Communications Fraud Control Association
	       7921 Jones Branch Drive, Suite 300
		       McLean, VA  22102
 
	      eMail address:  < cfca@mcimail.com >
 
 
A short footnote:
 
    If you even >think< you have a problem with PBX Fraud, contact:
 
  1.  Your PBX Switching System Vendor

  2.  Your 'Local Exchange Carrier' (Your local telephone company) and

  3.  Your 'Inter-Exchange Carrier' (Your long-distance telephone company)
 
    If finding the >right person< gets to be a problem, contact the
Communications Fraud Control Association (CFCA) at the above address
or telephone them at (703) 848-9768.
 

dab
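
Added example (not part of the original post or the CFCA brochure): one way to
apply items 3, 6 and 7 of "Implementing Effective Controls" to call detail
recording output. The record layout, trunk names, phone numbers and thresholds
are constructed assumptions, not the format of any particular PBX.

```python
import csv, io
from collections import Counter
from datetime import datetime

# Constructed call-detail records (hypothetical layout, not from any real PBX):
# start time, trunk, authorization-code result, dialed number, duration (seconds)
SAMPLE_CDR = """\
1990-08-14 10:02:11,RA1,valid,12025550143,312
1990-08-14 14:40:05,RA1,valid,13125550188,95
1990-08-15 02:13:40,RA1,invalid,,4
1990-08-15 02:13:58,RA1,invalid,,3
1990-08-15 02:14:15,RA1,invalid,,5
1990-08-15 02:14:31,RA1,invalid,,4
1990-08-15 02:14:50,RA1,valid,0114420555019,2710
1990-08-15 09:30:00,RA2,invalid,,6
"""

BUSINESS_HOURS = range(8, 18)   # assumption: 08:00-17:59 counts as peak
SHORT_CALL_SECS = 10            # assumption: threshold for "short duration"
MAX_INVALID_PER_HOUR = 3        # assumption: tolerated mistyped codes per hour

def review_cdr(text):
    """Return (off_peak_calls, invalid_bursts) for remote-access trunk records."""
    off_peak, short_invalid = [], Counter()
    for start, trunk, result, dialed, secs in csv.reader(io.StringIO(text)):
        when = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
        secs = int(secs)
        # Item 3: completed traffic outside business hours
        if result == "valid" and when.hour not in BUSINESS_HOURS:
            off_peak.append((start, trunk, dialed, secs))
        # Items 6 and 7: short failed attempts, counted per trunk per hour
        if result == "invalid" and secs <= SHORT_CALL_SECS:
            short_invalid[(trunk, when.strftime("%Y-%m-%d %H"))] += 1
    bursts = {k: n for k, n in short_invalid.items() if n > MAX_INVALID_PER_HOUR}
    return off_peak, bursts

if __name__ == "__main__":
    off_peak, bursts = review_cdr(SAMPLE_CDR)
    for rec in off_peak:
        print("off-peak call:", rec)
    for (trunk, hour), n in bursts.items():
        print(f"{n} short invalid attempts on {trunk} during {hour}:00")
```

A run of short invalid attempts followed by a long off-peak call on the same
trunk, as in the constructed sample, is the pattern to escalate to the PBX
vendor and carriers named in the footnote.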