
Hacking a Norstar MICS 2


DMWSr

Technical User
Dec 14, 2007
29
US
We recently had a Norstar MICS hacked, resulting in numerous calls to offshore locations. I would like to be sure that I have checked / closed all possible areas where a phreaker could get through the system and place these calls. Would anyone be able to provide areas to watch, settings to check, or reference material that could assist? I think we've checked everything, catching some weaknesses in the process, that would give hackers a shoo-in. Just want to be sure. Thanks
 
Voice mail is the most likely spot. Google what you are looking for and it will give you instructions on hacking various systems, and then you would know where to block them.
 
Also, aside from just making changes in the system, another thing I find that works: if you do not use 1010 codes, let your provider know and they can block anyone from using them out of your system.
 
Make sure your users change their passwords, something other than 1234, or 1111, etc., and change the password on the admin mailbox (12, 102, 1002, etc.).

That's the most common route I've seen used for toll fraud.
 
You can also restrict the voice mail ports and that should stop all long distance fraud.
 
The 100% guarantee is to lock all Vmail ports from access to any pool, intercom only. The only issue is if some big wig needs his Off-Premise Notification or Outbound Transfer. My past experience tells me they want you to give them a 100%, and are willing to forgo any Vmail outside access.

DISA access, unless your receptionist is a goofball, is really the only way not involving Vmail and happens 10% of the time.

Adversity is Opportunity
 
I would not give a 100% guarantee, because the minute someone does find a way in and out and runs up a 10K or so phone bill, guess who the customer is coming to collect from. Just my 2 cents..

Published April 23, 2007
Security.ITworld.com reports that the FBI and FCC estimate over $4 billion in losses due to toll fraud, with a typical incident amounting to around $30,000 in fraudulent long distance charges.
 
Thanks!!! All info very helpful. Tells me I'm looking at the right things and you all have provided some additional areas. Really appreciate the help!
 
Thought about deweyhumbolt's reply concerning message notification. I can restrict the voice mail ports to local and toll free (01) and allow an override to a specific parameter if the user needing notification has a mobile device with a number outside the local calling area of the phone system, right?
 
I had 3 car dealers that had NAMs and PRIs and they all got hit around Xmas time 3 years ago. You're right about the "big-wigs" wanting off premise notification, but do they want the huge phone bill? Have you thought about Unified Messaging for this customer? The CP 150 either comes with one or two seats of this. If anything, give it to the "big-wig". I heard it's easy to install (from my tech support), but have not done it myself yet.
 
FROM AN OLD THREAD
This post is to bring to light the vast attempts to hack phone and voicemail systems. I have had one of my Norstar systems hacked in the last week or so. The hackers went in and were able to hack the password on a mailbox, and change the outbound transfer number to another N* in a location (not to be mentioned here) across the country. They were then able to place a call out of that N* to the Philippines. They were able to hack my system by using a dial around, i.e. 1010, to access a different LD company and place calls. My CO tech was able to bring up the CLID where the calls were being placed from. I then went onsite and:

1. Set COS in the CP150 wi 3.0 to force password changes every 14 days.
2. Made sure network trn is set to no.
3. Set mailboxes to lock out after 4 incorrect password attempts.

In the switch, I set the dialing filter 03 (standard filter for normal on all lines) to restrict 1010 and 011, then set all ringing schedules to line filter 03. Then I entered the number provided by my CO tech into the CLID tables for the auto att on the CP and set it to trn to an analog ext. I then fwd that ext to my office number. When this person dialed the site, it came to my office set, and the voicemail recorded what I suspected. As soon as the auto att answered, you could hear them dialing * *, * *, * * trying to get to the mailbox they had hacked previously. In listening to the vm from the attempts (8 attempts on that night), you could also hear voices in the background. The voices had an obvious Middle Eastern accent. I am going onsite today to install an SMDR6 with a printer to check on any other attempts that might be made but have been thwarted. Just FYI for all using this forum. I take it personally when this happens, and if the hackers happen to read this: I WILL NAIL YOUR A-- TO THE WALL!! We know where you are, and we are coming to get you. All of this info is being passed on to the proper authorities, and the customer has agreed to prosecute.
Check your sites, guys and gals. Refer to Nortel ITAS tip 315NA for any info needed.

OLD ROLMEN WORKING ON NORTELS
 
I concur, it was always Vmail Outbound Transfer related, due to trivial passwords, was always at least 5 digits in $ fraud, was always to the Middle East or the Philippines, and 80% of the time Telco ate it, but they only do it once.

That's why they wanted a guarantee from me. hawks is correct, I overstated, but if you lock down Vmail 100%, your chances of it happening again are slim to none, and slim just left town.

Adversity is Opportunity
 
Do not forget to block lines from dialing "0". I have had a few sites that we restricted from dialing 011 or 001. Then they got hacked by outbound transferring to "0", which gets you to the local operator and they will dial for you. Better still, the operator will transfer you to any country's directory assistance.
 
Another trick:

Block these 3 dial around #s (800 300 3000, 877 627 8359, 888 700 400) from ALL filters. Filter 01 by default allows 800, 877, 888.
 
Madwok:

1800, 1888, 1877 are toll free #s in North America.
 
These numbers have been used in the past to collect CLID (800 300 3000, 877 627 8359, 888 700 400) and bill back the call that is made to the CLID number.
 
18xx numbers can lend a false sense of security. We had a hospital that allowed 800 numbers, and got hacked. The bum set up an 800 number, and forwarded it to a 900 number. They called in, transferred out, and collected their paycheck, to the tune of $70,000.
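Added example, not from any poster in this thread: a small check that applies the filter rules discussed above (1010 dial-around, 011/001 international and "0" operator calls restricted on voicemail ports, plus the three toll-free call-back numbers blocked on every port) to SMDR-style call records, so an admin reviewing the SMDR printout can spot calls a locked-down system should never have placed. The record format, the port names and the "local and toll-free only" voicemail policy are assumptions.

```python
import re

# Digit strings the thread says to restrict; the category names are mine.
DIAL_AROUND = "1010"                 # 1010xxx carrier access codes
INTERNATIONAL = ("011", "001")
OPERATOR = "0"                       # outbound transfer to the operator
# Toll-free numbers the thread says were used to collect CLID and bill back
# (digits exactly as posted in the thread, treated as prefixes).
CALLBACK_NUMBERS = ("8003003000", "8776278359", "888700400")
TOLL_FREE = ("800", "877", "888")

# Assumed policy: voicemail ports may only reach local and toll-free numbers.
VM_PORTS = {"VM1", "VM2", "VM3", "VM4"}
VM_ALLOWED = {"local", "toll-free"}

def classify(dialed: str) -> str:
    """Map a dialed digit string to the category a dialing filter would see."""
    d = re.sub(r"\D", "", dialed)
    if d.startswith(DIAL_AROUND):
        return "dial-around"
    if d.startswith(INTERNATIONAL):      # checked before the bare "0" case
        return "international"
    if d.startswith(OPERATOR):
        return "operator"
    body = d[1:] if d.startswith("1") else d   # drop the long-distance 1
    if body.startswith(CALLBACK_NUMBERS):
        return "callback-abuse"
    if body.startswith(TOLL_FREE):
        return "toll-free"
    return "long-distance" if d.startswith("1") else "local"

def flag_records(smdr_lines):
    """Return (port, dialed, category) for calls that violate the policy.

    Lines use a constructed SMDR-like format: '<time> <port> <dialed>'.
    """
    findings = []
    for line in smdr_lines:
        parts = line.split()
        if len(parts) != 3:
            continue                         # skip headers / malformed lines
        _, port, dialed = parts
        cat = classify(dialed)
        if cat == "callback-abuse" or (port in VM_PORTS and cat not in VM_ALLOWED):
            findings.append((port, dialed, cat))
    return findings

SAMPLE_SMDR = [                               # constructed, not real records
    "22:14 VM2 1010288011639175551212",       # dial-around from a VM port
    "22:15 VM2 0",                            # operator from a VM port
    "22:16 221 18003003000",                  # call-back number, any port
    "22:17 VM1 5551234",                      # local from VM: allowed
    "22:18 VM3 18005551234",                  # toll-free from VM: allowed
    "09:02 224 16175551212",                  # long-distance from a set: ok
]
```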
 