
Norstar System being hacked


eslate

IS-IT--Management
May 7, 2009
4
US
Hi,

We have a user reporting that he is getting calls on his cell phone and the caller ID shows that the call is coming from his boss's phone. When he answers, it is a sales call. We believe that someone is getting into our phone system and making calls out that appear to come from internal numbers.

Is this a possibility, and, what are the ways in which this can be done? I've heard that they can use DISA (remote access) to do this. Are there other ways? Does anyone have tips on how to test this and/or prevent it?
 
Is his caller ID showing an actual area code and number, or just a 3 or 4 digit extension number? Just about any phone number can be sent from PRIs. You may be getting calls from a legitimate company using another CID number.
 
It's called Toll Fraud.

KSU
-Turn DISA off or create a tough password for COS.
-Put restriction filters on all lines; you can create a COS to override if you need to make overseas calls.
-Disallow Line Redirect on all sets that don't need it
-Restrict voice mail ports for long distance

Voice Mail
-For NAMs, install the Toll Fraud patch.
-Have everyone change to tough 6-8 digit passwords, including General Delivery and System Manager boxes.
-Disable Outdial for mailboxes that don't require it




=----(((((((((()----=
curlycord
 
Honestly, if this is a sales call with a live person trying to sell you something, then I don't think it is anyone hacking your system; it looks more like Outbound Transfer is turned on in a mailbox with your number in it. But follow curlycord's advice, because you do need to shut things down from potential hackers. Good luck.
 
@kvandmx:
It is showing an area code + 7 digit number. It's showing as the person's direct dial #.

@curlycord:
Thanks for all of the suggestions. I'll have to look into how to modify all of these areas.

@hawks:
Outbound transfer is not enabled for this user. I know that it is set up in their VM menu, but if I go to the Feat 983 menu and look through their options, Outdial is set to <none>. If I'm not mistaken, that would mean outbound transfer would not be possible. Right?
 
I'm not very familiar with this system, but it appears to me like all of the Remote access settings are off or non-configured. Do any of these settings look like a potential problem point?

Under remote access > Rem line access -- all my lines show Rem pkg 00 ...when I look at Rem access pkgs, and type in 00, I can then look at linepool access, and all pools have N next to them.

Under services > Routes > SCAN comes up with two of them and they both have DialOut:No numbr

Under System Programming > Direct Dial > D-Dial1: is set to Internal, the rest are None

Under System Programming > Access codes > Extrnl code:None, Direct-dia:0, Auto DN:None, DISA DN:None, PrivAccCode:None

Another question, under Trunk/Line data, what do the Line Types mean? The line in question shows Public for Line Type.
 
What it sounds like is that you are a victim of caller ID spoofing. This can be done by a subscriber of a PRI or BRI service that uses outgoing line identifier or the equivalent feature on a non-Nortel system. The outgoing line identifier (OLI) can be pretty much set to anything, and I have seen it cause some problems when you program the wrong number into a phone system and the long distance company doesn't have that number in their database. I believe that it is illegal to spoof the number to misrepresent yourself, but like spamming it is hard to catch.

----------------------------
Hill?? What hill??
I didn't see any $%@#(*$ Hill!!
----------------------------
JerryReeve
Communication Systems Int'l
com-sys.com

 
If you want to verify that your phone system is where the calls are coming from, set up a SMDR and capture the call details for a while and see if you can prove or disprove that the calls are coming from your system.


----------------------------
Hill?? What hill??
I didn't see any $%@#(*$ Hill!!
----------------------------
JerryReeve
Communication Systems Int'l
com-sys.com
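
One way to run the check suggested in the post above, as an added example that is not part of the original thread: it assumes the SMDR/CDR capture has been exported to CSV with the hypothetical columns `start`, `direction`, `station`, `line`, `dialed` and `duration_s` (not the Norstar's native record layout). All records and phone numbers are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export; column names are assumptions, not a Norstar format.
SAMPLE_CDR = """start,direction,station,line,dialed,duration_s
2009-05-04 09:12:40,out,221,001,15555550123,95
2009-05-04 14:03:10,out,225,002,5555550188,40
2009-05-05 02:41:07,out,VM,003,011442055550199,1260
2009-05-05 10:30:55,in,221,001,,300
"""

def normalize(number):
    """Keep digits only and compare on the last 10 (NANP national number)."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return digits[-10:]

def load_outbound(text):
    """Parse the CSV and return outbound records with parsed timestamps."""
    calls = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["direction"].strip().lower() != "out":
            continue
        row["start"] = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        calls.append(row)
    return calls

def calls_matching_reports(calls, victim_number, reported_times, window_min=5):
    """Outbound calls to the victim's number within +/- window of a reported call."""
    window = timedelta(minutes=window_min)
    target = normalize(victim_number)
    return [c for c in calls
            if normalize(c["dialed"]) == target
            and any(abs(c["start"] - t) <= window for t in reported_times)]

def suspicious_toll_calls(calls, open_hour=7, close_hour=19):
    """International (011 prefix) calls placed outside business hours."""
    return [c for c in calls
            if c["dialed"].startswith("011")
            and not (open_hour <= c["start"].hour < close_hour)]

if __name__ == "__main__":
    outbound = load_outbound(SAMPLE_CDR)
    reported = [datetime(2009, 5, 4, 16, 20)]  # when the user says the call arrived
    hits = calls_matching_reports(outbound, "(555) 555-0123", reported)
    print("calls from our system matching the report:", len(hits))
    for c in suspicious_toll_calls(outbound):
        print("review:", c["start"], c["station"], c["dialed"], c["duration_s"])
```

No matching outbound record around a reported call points to caller ID spoofing outside the system; an after-hours international call from a voice mail port is the pattern the toll fraud restrictions earlier in the thread are meant to stop.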

 
Another question, under Trunk/Line data, what do the Line Types mean? The line in question shows Public for Line Type.

Public means that other sets can have the line appear or ring at their set, whereas Private means one set only.
As soon as you make a line private to one set, any associated programming on other sets is erased.




=----(((((((((()----=
curlycord
 
That's very helpful information, Jerry. Thank you. We have gotten in contact with the company that the sales people work for, so maybe that will be enough, but if the problem persists, we will certainly look into getting a SMDR/CDR set up.

Thank you for the clarification on the Line Types, curlycord.
 
If the call is coming from a VOIP provider on the new VOIP system, you can send any caller ID that you program into the system; that is why you see caller ID as 800-000-0000.
 
Telemarketers frequently employ this tactic. They have a way of manipulating their caller ID, and frequently do. My boss had the same problem; they were calling from a number one digit different from our office line, or one digit off of his cellphone number. It is not likely that they are hacking your KSU. However, follow everyone else's advice and secure your KSU with a nice fat password and restrictions.

I was miserable, then someone told me "smile and be happy, things could be worse". So I smiled and was happy...and they were right, things were worse!
 