Phone Phreaks Target NY Govt System

[desslock]

Phone phreakers managed to break into the Linn County (New York) telephone system and alter the outgoing message on several voice mailboxes to sound as if they were accepting third-party charges for long distance collect phone calls. Part of the problem was that some employees used their extension numbers as their voice mailbox passwords. The system has been changed not to accept third-party collect calls.


Hackers hijack county phones

By Les Gehrett
For the Gazette-Times

Linn County hopeful unauthorized charges will be dropped

ALBANY — Hackers broke into the Linn County government's phone system earlier this month and billed the county for many hours worth of expensive international calls.

The county has fixed the problem and is working with phone company fraud investigators to sort out the charges.

Linda Penick, an administrative assistant in the county's general services division in charge of telecommunications, said the problem seems to have begun over the weekend of Nov. 13-14.

She said hackers began by calling the main dial-in number for various county departments. Using the voicemail system, they reached individual employee voicemail boxes.

The hackers then tried to figure out each employee's password, so that they could change the greeting on the employee's voicemail. This turned out to be pretty easy to do in some cases, because a few employees were using their extension number as their voicemail password.

Once the hackers figured out the password, they recorded a new greeting. This new greeting was basically, "Hello. Yes, I'll accept the charges."

This was done to between 10 and 20 county phone lines. These phone lines were then used to authorize third-party collect calls overseas. Callers would simply make collect phone calls, say that they wanted to bill the call to a home phone, and give a county employee's phone number as the home number.

When the operator dialed the county number, the altered voicemail system kicked in, answered the phone and authorized the billing.

Penick said county departments were contacted by fraud investigators from MCI on Monday, Nov. 15. The departments referred the problems to her, since she handles the county's phone system.

"I spent all week fighting through this and trying to figure out what they had done," Penick said.

She thinks that once the phone system was broken into, the hackers publicized and sold the access numbers. Throughout the week, employees continued to receive a barrage of phone calls from operators asking them to authorize the collect phone calls. The employees, of course, refused.

Penick said county employees have been told to change their voicemail passwords and to not use their extension number as their password. She has also changed their system so that third-party collect calls cannot by billed to the county.

County departments will continue to accept legitimate collect calls from residents of the county.

Debbie Lewis, a spokeswoman for MCI, said this is a common scheme.

"This is one way that intruders try to damage the integrity of a phone system for their own illegal activities," Lewis said.

To guard against such an attack, Lewis said companies and government agencies should work closely with their internal phone system vendors to follow proper security measures. Passwords should be long enough that they are difficult to hack, and they should never be based on birthdays or social security numbers.

Passwords should also be varied, not using either a single number, such as "9999" or a sequential number, such as "1234."

Penick said the total amount of fraudulent charges has not been determined, but she doesn't think the county will be stuck with the bill.

"It's my understanding that we'll be able to contact them and get the charges dropped," Penick said.

[BDBionic]

Crazy how easy it is to get ahold of people's passwords these days. Know what I mean?

But anyways... let's talk about something else. Hey Steve... what was the name of your first pet?

[desslock]

Ever consider the security paradox someone would experience if they had happened to name their first pet their mother's maiden name?


.... who had happened to be named for their city of birth....