So I have read a few of the articles over the past couple of weeks about the global phone system hacking ring that was recently busted up. The good news is this ring has been stopped. The bad part is that it happened after $55 million of long distance theft transpired. If you didn’t hear about this, the short version is that hackers used brute force to essentially hijack telephone extensions of 2500 corporate phone systems. Oversimplifying things quite a bit, the thieves then proceeded to reroute long distance minutes to overseas call centers and profited through the sale of those minutes. Beyond the issue of the crime at face value, it appears that a good portion of the profits were then transferred into the hands of Islamic fundamentalists.
So how in the world did this happen? First of all, toll fraud is not a new crime and was even more lucrative back in the days of sky-high domestic and international long distance. Remember those days when mom would call the grandparents and sound like a speed reader trying to sync up on life while dad stood there tapping his watch and wondering if a second mortgage may be in the future? It seems like a distant memory in these days of unlimited minutes with free long distance on cell phones.
Anyway, I think the issue stemmed from two things: (1) people do not perceive toll fraud as a major threat any longer. In fact, I bet call accounting records are rarely kept, let alone reviewed, by very many companies these days, and (2) the recession nearly a decade ago saw separate telecom and IT departments at most organizations become a thing of the past. From my experience, I witnessed a lot of telecom staff being let go and the task of maintaining the phone system passed on to the IT department. As IP phone systems have matured, there is definitely some value in doing this anyway, but the problem is that these departments were generally not versed in the nuances of telecom and, more importantly, were already overworked and often underbudgeted. So they never had the chance to really drill down and learn about things such as toll fraud, call accounting reports, etc.
One ironic thing I read had to do with default passwords. It turns out that the brute force necessary to hack some systems was not so brute after all. Well-known default logins and passwords were all that was necessary. These were left unchanged by many of the same people who cast judgment on the average employee who buys a SOHO wireless router for their home and just plugs it in and goes without changing the login/password or setting up security measures. So besides not judging non-technical employees, what is there to learn from this fiasco? There are several things, but two items that stick out in my mind are (1) the industry needs to heed this as a wakeup call and realize that the threat of network attacks is not limited to data networks. Voice networks pose their own risks and challenges, and (2) executive management at companies needs to realize that security is not a luxury but rather a priority and start budgeting more money to address issues proactively rather than reactively. Why do companies have to be burned before they perceive any value in this space?
By Darren


















