Does Your Corporate Phone System Have a Password?
Just about every corporate office uses a telephone routing system, or PBX, to handle its incoming calls and route calls both internally and externally back to its carrier. I was once the administrator of my office's PBX, and would often configure the system for new employees, reset voicemail passwords and perform other tasks for the office. Unfortunately, the password on such systems, typically a 6-digit code, is all too often left as the default.
People familiar with such systems can dial into your office after hours, request the voicemail box of the administrator and program the PBX remotely. The attacker then sells access to your system to overseas exchanges, which route calls through your system for their customers at a deeply discounted price. Criminal or terrorist organizations can also avoid wiretaps this way. Brian Krebs has a great story here on an Italian case involving 2,500 US corporations that left their PBX with a default password. Check it out.
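The pattern described above leaves a trace in the PBX's call detail records: calls that arrive from outside, leave again to an overseas number, and do so after hours. The following is an added example, not part of the original post, that scans CDRs for that pattern; the CSV layout, the `trunk:`/`ext:` source labels, the `011` prefix and the office hours are all assumptions, and the sample records are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample CDRs (not from a real PBX): start, source, dialed, seconds.
# "trunk:" sources are calls that arrived from outside; "ext:" are desk phones.
SAMPLE_CDR = """\
2024-03-04 10:15:00,ext:2101,12125550143,310
2024-03-04 14:02:00,ext:2107,011442079460000,845
2024-03-05 02:11:00,trunk:pri1,011390212345678,1920
2024-03-05 02:14:00,trunk:pri1,011390298765432,2400
2024-03-05 19:40:00,ext:2101,13185550199,120
2024-03-09 13:30:00,trunk:pri1,011390212345678,3600
"""

INTL_PREFIX = "011"             # assumption: North American international prefix
OPEN_HOUR, CLOSE_HOUR = 8, 18   # assumption: office hours, Monday to Friday


def after_hours(ts):
    """True when the call started on a weekend or outside office hours."""
    return ts.weekday() >= 5 or not (OPEN_HOUR <= ts.hour < CLOSE_HOUR)


def suspicious_calls(cdr_text):
    """Return CDR rows where an outside caller was relayed overseas after hours."""
    hits = []
    for start, source, dialed, seconds in csv.reader(io.StringIO(cdr_text)):
        ts = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
        relayed = source.startswith("trunk:")   # came in from outside, went back out
        overseas = dialed.startswith(INTL_PREFIX)
        if relayed and overseas and after_hours(ts):
            hits.append((ts, source, dialed, int(seconds)))
    return hits


def minutes_per_day(hits):
    """Total relayed minutes per calendar day, for alerting or a carrier dispute."""
    totals = defaultdict(int)
    for ts, _source, _dialed, seconds in hits:
        totals[ts.date().isoformat()] += seconds // 60
    return dict(totals)


if __name__ == "__main__":
    for day, minutes in sorted(minutes_per_day(suspicious_calls(SAMPLE_CDR)).items()):
        print(day, minutes, "relayed overseas minutes after hours")
```

Any non-zero result is worth a look, since a legitimate office rarely relays an inbound call back out to an international number at 2 a.m.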
I’m back on travel again this week. This time it’s Shreveport, Louisiana, home of mosquitoes and alligators. Oh, and maybe some Cajun food too. Blogging will be erratic when possible, so browse through some of my archives.