We recently had a Norstar MICS hacked resulting in numerous calls to off shore locations. Would like to be sure that I have checked / closed all possible areas where a phreaker could get thru the system and place these calls. Would anyone be able to provide areas to watch, settings to check, or reference material that could assist? I think we've checked everything, catching some weaknesses in the process, that would give hackers a shoe in. Just want to be sure. Thanks
Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Hacking a Norstar MICS 2
- Thread starter DMWSr
- Start date
Some common things we do as general corporate wise policy :
1) Made users to use long distance access code from LEC .
It is a pain but so what . Do enduser have to login their PC to use it ???
2) use CAS and setout threshold warning such as excessive international , long call duration after normal bussiness hour etc. These reports are automatically email to each department as they are utimately responsible for their telecom expenses.
3) no 1010 , 976, 900 allowed
4) no DISA , no barrier code, no remote package allowed
5) no remote call forward, notification . If user needs it , tell them to inform caller about their cell phone, pager etc.
Norstar voicemail is the weakest part . If you have old NAM, you might want to apply all the security patches .
You got the idea.
1) Made users to use long distance access code from LEC .
It is a pain but so what . Do enduser have to login their PC to use it ???
2) use CAS and setout threshold warning such as excessive international , long call duration after normal bussiness hour etc. These reports are automatically email to each department as they are utimately responsible for their telecom expenses.
3) no 1010 , 976, 900 allowed
4) no DISA , no barrier code, no remote package allowed
5) no remote call forward, notification . If user needs it , tell them to inform caller about their cell phone, pager etc.
Norstar voicemail is the weakest part . If you have old NAM, you might want to apply all the security patches .
You got the idea.
curlycord
Programmer
First change passwords to every mailbox be it the users like it or not.
Include mailbox 100 and 102 (General delivery and System Manager)
Inspect COS via laptop as to what mailboxes can do.
Allow only executives to have call forwarding from set or vmail or off Prem Notify.
Restrict all lines from International except reception if need.
Allow restrictions only as people ask, when getting billed you can narrow it down to who maybe is allowing these calls.
Your best protection is simple, have the Telco supply a user password to continue/make the long distance call, this is fail safe.
Also get Call Accounting to see who make calls from where.
Include mailbox 100 and 102 (General delivery and System Manager)
Inspect COS via laptop as to what mailboxes can do.
Allow only executives to have call forwarding from set or vmail or off Prem Notify.
Restrict all lines from International except reception if need.
Allow restrictions only as people ask, when getting billed you can narrow it down to who maybe is allowing these calls.
Your best protection is simple, have the Telco supply a user password to continue/make the long distance call, this is fail safe.
Also get Call Accounting to see who make calls from where.
There is a patch availble to correct this on 1st rev 3 C.P. and is already loaded on newer revs. This forces programable out dials to be 10 digit numbers not just a pool code. You still have to do password changes and toll restriction to stop everything.
- Thread starter
- #24
Sure do appreciate everyone's input. The system that was hacked had three openings that we feel were the cause of the penetration. The input from everyone confirmed we were not missing any area that could allow an opening. Redirect was allowed, voice mail ports were not restricted, outcalling was available on all boxes. With these areas secured, and some other things we did - some based on suggestions from this thread - we feel the system is secure. Thanks again to everyone for providing very helpful and valuable recommendations and observations from your experience.
Disable outbound transfer in the COS. If someone needs outbound transfer put them in a different COS. Have the users use at least a 5 digit password, and set the attempts to 4. You can look in reports (mailbox information) and see if any mailboxes are set with any number for outbound transfer.
ChicagoTech5555
Vendor
this pertains to a norstar running 7.1 fc and a call pilot 3.1
I had a system that was hacked and I was under the impression that it was being done through the voice mail I went through and disabled all possible access to the outside world from voicemail and after finding out from telco while onsite that the system was hacked again I found the problem was not in voice mail at all it was the line redirection. there was 1 phone set to use line redirection to fwd their main number to another site, as I tested it to make sure that it was fordwarding correctly I found that when the phone was redirected there was no phone number entered just the line pool access code and that gives the caller dialtone off your switch and it also bypasses all restrictions so even if you restrict every number in the world if that redirect is set with a pool acces code only the caller can still call anywhere they want or dial zero for a telco operator then the caller can tell the operator to dial the country code and phone number they want and the customer with the phone system gets stuck with the bill.
So watch the line redirection settings
I did find out that you can allow redirect then set the redirection and go back and turn off the allow redirect and the forwarding will stay if it needs to be changed just go back in and turn on allow redirect just make sure it gets turned back off when you are done.
I had a system that was hacked and I was under the impression that it was being done through the voice mail I went through and disabled all possible access to the outside world from voicemail and after finding out from telco while onsite that the system was hacked again I found the problem was not in voice mail at all it was the line redirection. there was 1 phone set to use line redirection to fwd their main number to another site, as I tested it to make sure that it was fordwarding correctly I found that when the phone was redirected there was no phone number entered just the line pool access code and that gives the caller dialtone off your switch and it also bypasses all restrictions so even if you restrict every number in the world if that redirect is set with a pool acces code only the caller can still call anywhere they want or dial zero for a telco operator then the caller can tell the operator to dial the country code and phone number they want and the customer with the phone system gets stuck with the bill.
So watch the line redirection settings
I did find out that you can allow redirect then set the redirection and go back and turn off the allow redirect and the forwarding will stay if it needs to be changed just go back in and turn on allow redirect just make sure it gets turned back off when you are done.
martinduchesneau
Vendor
There is a whole lot of useful information in here lol. One note on restrictions applied on phones on the system, block 411, 0 and * in your restrictions. * functions can return a dial tone, such as block outgoing id. If a call starts with *funct. then the number then restriction filters did not catch it unless * was blocked.
ChicagoTech5555
Vendor
hawks I know that's the way it seems but the other thing I found is that using the nru you can set the line redirection feature thru the remote set which makes it look more like the hacking is comming from outside what I found is that the redirection was set by another phone which I later found out was the ext of the rad. that's how I figured it was comming from the outside world.
Good point, but I still say it's an inside job. Even using the RAD the person would have had to know the rad phone number and password just to get to the system. Take everybody out back for questioning.......Did someone there upset the last person who was working on the system?
Hi all,
On our M7310 we have 4 recorded messages that the caller gets depending on time of day. We set it to holiday message on Memorial day and once we set it back it now swithces to the "we are closed for the day greeting" at 4pm instead of the usual 5pm. Time on set seems to be correct. Any ideas how to fix this? Thanks for your time. (sorry to be so simplistic but I dont know my trees from my groups
Jodi
On our M7310 we have 4 recorded messages that the caller gets depending on time of day. We set it to holiday message on Memorial day and once we set it back it now swithces to the "we are closed for the day greeting" at 4pm instead of the usual 5pm. Time on set seems to be correct. Any ideas how to fix this? Thanks for your time. (sorry to be so simplistic but I dont know my trees from my groups
Jodi
RikRodgers
Vendor
jleviner- you'll probably want to start a new thread for this one to avoid confusion.
ChicagoTech5555
Vendor
not to my knowledge as far as I know my company has serviced the site since the origional install. the modem wasn't being used until I recently upgraded the ksu to 7.1 and installed a new call pilot 100. before the call pilot they used centralized VM in another state.
My personal thoughts are the cleaning crew since the customer has the steps for line redirection taped to the wall in front of the reception phone.and that customer site is not staffed every day most of the time the site is empty.
My personal thoughts are the cleaning crew since the customer has the steps for line redirection taped to the wall in front of the reception phone.and that customer site is not staffed every day most of the time the site is empty.
- Status
Similar threads
- Locked
- Question