Founded By: | _ _______ Guardian Of Time | __ N.I.A. _ ___ ___ Are you on any WAN? are Judge Dredd | ____ ___ ___ ___ ___ you on Bitnet, Internet ------------------+ _____ ___ ___ ___ ___ Compuserve, MCI Mail, X / ___ ___ ___ ___ ___________ Sprintmail, Applelink, +---------+ ___ ___ ___ ___ ___________ Easynet, MilNet, | 03NOV90 | ___ ______ ___ ___ ___ FidoNet, et al.? | File 65 | ___ _____ ___ ___ ___ If so please drop us a +---------+ ____ _ __ ___ line at ___ _ ___ elisem@nuchat.sccsi.com Other World BBS __ Text Only _ Network Information Access Ignorance, There's No Excuse. PBX Security by Judge Dredd $_NOTE: This is the PBX security manual... it is not a how-to. This is what is given to PBX owners/operators. Use it to your advantage. Protecting Your PBX From Illegal Access ======================================= As an owner of a private branch exchange (or PBX) you've invested quite a lot of money into a remarkable piece of equipment that greatly enhances your company's communications capabilities. A so-called smart device, this sophisticated switch usually has a number of useful device, this sophisticated switch usually has a number of useful features such as remote access and voice store-and-forward systems, or voice mail. The problem is, criminals are finding it easier than ever to access these helpful features, blocking out legitimate users. This is mainly because many end-users are not taking advantage of new protective technologies that are now available. You may be a victim of this industry-wide problem and not even know it. Last year, a Midwestern manufacturer lost $25,000 when someone accessed its PBX for a short time to make unauthorized long distance calls. One favorite PBX pathway to free long distance calls is the remote access unit, which allows callers to access the switch from a phone outside the company and obtain a dial tone. The abuse is hitting end-users at all levels. Over a two- month period in 1988, employees at a large city agency rigged a phone system in a scam that cost taxpayers over $700,000 for unauthorized phone calls. Workers tampered with the organization's PBX to allow callers from public payphones to dial a special access number that gave them an outside line to anywhere in the world. In another case, intruders left instructions on computer bulletin board systems detailing how to access conference bridges, call diverters and remote access units. Abusers can include current and former employees, summer interns and technicians as well as hackers, street hustlers and other thieves of telecommunications services. And unfortunately, many companies simply forget to take out the easy-to-break authorization test codes that are installed before a PBX is placed in service. Establish Strict Defenses ========================= 1. Assign authorization codes randomly on a need-to-have basis, and limit the number of calls using these codes. Never match codes with company telephone, station or badge numbers. 2. Instruct employees to safeguard their authorization codes, which should be assigned individually, not printed in billing records. And the codes should be changed frequently, and canceled when employees depart. 3. Remote access trunks should be limited to domestic calling and shut down when not in use. 4. Use the time-of-day PBX option. 5. Use a system-wide barrier code, followed by an authorization code with the most digits your PBX can handle. 6. Use a nonpublished number for remote access lines. 7. Use a delayed electronic call response (the same as letting your phone ring four or five times before answering). 8. Try hacking your own system to find weaknesses, then correct them. Implementing Effective Controls =============================== 1. Know the safeguards on your PBX. 2. Develop an action plan that provides adequate staffing to direct specific defensive procedures. 3. Monitor billing, call details and traffic for unusual patterns and busy lines during off-peak hours, such as late at night. 4. Inform PBX console attendants, night security officers and remote access users of the need to secure equipment and what to do if they suspect an intrusion. 5. Ask your PBX vendor/supplier what inherent defenses could be used to make your PBX more difficult to penetrate. 6. Monitor valid and invalid call attempts as often as possible. 7. Look for attempted calls of short duration that usually indicate hacking activity. 8. Know who is on the other end of the line before giving out any information. 9. Learn whom to contact at your local and long distance service providers when you have a security problem. Glossary ======== Access number: Preliminary digits that must be dialed to connect to an outgoing line. Authorization code: Unique multidigit code identifying an authorized subscriber that must be validated for a call to be processed. Barrier code: A number of digits that, when dialed before an authorization code, allow dial entry to a PBX. Bulletin board system: Computer-based message system. Call detail recording: A PBX feature that logs outgoing and incoming calls. Conference bridge: Allows several parties to carry on a conversation (Conference Call) from remote sites. End-user: Subscriber that uses, rather than provides, telecommunications services. PBX, or private branch exchange A private switch, either automatic or manually operated, serving extensions in a business complex and providing access to the public switched network. Remote access: A feature that allows an employee to access a PBX from a remote site and charge calls to the caller's company. Smart device: A computer-based system that carries out complex functions. Switch: A mechanical or solid state device that opens or closes circuits, changes operating parameters, or selects paths or circuits, either on a space or time division basis. Time-of-day option: An added restriction to the automatic route selection or least-cost options, it can be preset to block long distance calls at certain hours. Trunk: A communications channel between different switching systems or between a PBX and a central office. Voice mail: or voice store-and-forward systems: A voice message system that allows messages to be played back when the addressee returns. Since 1985, CFCA has served as the industry's clearinghouse for information pertaining to the fraudulent use of telecommunications services. To learn more about PBX system security, call (703)848-9768, or write: The Communications Fraud Control Association 7921 Jones Branch Drive, Suite 300 McLean, VA 22102 eMail address: < cfca@mcimail.com > A short footnote: If you even >think< you have a problem with PBX Fraud, contact: 1. Your PBX Switching System Vendor 2. Your 'Local Exchange Carrier' ( Your local telephone company) and 3. Your 'Inter-Exchange Carrier' ( Your long-distance telephone company) If finding the >right person< gets to be a problem, contact the Communications Fraud Control Association (CFCA) at the above address or telephone them at (703) 848-9768. --- Enjoy. Its early and it looks like it's gonna be a nice day... I'm outta here. -JD