Hackers beat businesses by ‘default’
RECENT cases of computer hackers gaining access to, and exploiting, sensitive business systems by discovering ‘default’ passwords are a chilling development, according to Surety IT technology director Geoff Stewart.
“I’ve heard some horror stories about devices being hacked that had default passwords on them but none as bad as the one I heard last week,” Mr Stewart said. “It has always been best practice to change default passwords on all computing devices to secure them and make them less likely to be hacked.
“A colleague who works in the manufacturing industry made a bee-line for me at an event when he saw me to get my advice. He told me that their phone system had been hacked and they were being billed for over $40,000 by their telco in call charges.”
After hours on a Friday, the attackers dialled every direct number in the business and, on each extension, tried the usual default password for a phone system extension, ‘0000’, to get into that extension’s admin/set-up menu. Where an extension still had the default password, they diverted it to a foreign premium-rate number that they controlled and set up an autodial to call that number continuously. Before business hours on the Monday morning, the attackers logged back in and removed the divert.
Employees came into work on the Monday and were totally oblivious to what had been going on over the weekend.
“It was only when they got a call from their telco, who mentioned the suspicious number of calls to the foreign number, that they knew something had happened,” Mr Stewart said. “The telco asked whether they wanted to block foreign call-outs and the business said ‘yes’.
“There was no indication at this stage that the system had been hacked. For whatever reason the hackers were able to still make foreign calls on the extension and the overall damage in phone charges was over $40k.”
Mr Stewart advised businesses to immediately change the default usernames and passwords on all network-connected devices.
“This is becoming more and more of a risk with the Internet of Things and also why doesn’t Telstra have something in place that will spot patterns of suspicious behavior and put a block on it temporarily until the owner can confirm that it is legitimate, a bit like banks and credit cards?” he asked.
“The business in question reported the incident to ACORN and the telecommunications ombudsman but as yet neither have been of much help, so they are not sure what to do next.”
Mr Stewart said he heard the very next day of a very similar incident happening to another business, with the same outcome, “a bill of $5k from their telco from a hacked phone system”.
Surety IT has developed a checklist for business leaders to protect phone networks and head off phone hackers:
- Read your contract and know what you’ve signed up for.
- Find out from your provider what kind of fraud protection it offers. If it doesn’t offer any, it’s probably best to move on.
- Make sure your PBX is sitting behind a firewall.
- Make sure every user on the phone network uses a complex password, if possible.
- Tell your provider to switch off international calls, if you don’t need them.
- Consider placing limits with your provider on the dollar amount you’re willing to have spent each day on international calls.
- Create a whitelist of IP addresses that are allowed to make phone calls.
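The pattern behind the incident above (one extension dialling a single foreign number every few minutes after hours, and a day's international charges far beyond anything the business would normally run up) is visible in the call detail records the telco or the PBX already produces, which is also what the daily spend limit in the checklist comes down to. The script below is an added example for this article, not code from Surety IT or from any telco; the CDR column layout, the ‘0011’ international prefix, the 08:00–18:00 weekday business hours and every threshold are assumptions, and the CDR lines are constructed sample data.

```python
"""Toll-fraud detection over call detail records (CDRs).

Added example for this article, not code from Surety IT or from any telco.
It flags the pattern the article describes: one extension repeatedly dialling
a single foreign number after hours, and an extension's daily international
spend exceeding a cap. The CDR column layout, the international dialling
prefix, business hours and all thresholds are assumptions for illustration.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CDRs, not real billing data. 2016-03-04 is a Friday.
SAMPLE_CDRS = """\
timestamp,extension,dialled,duration_s,cost
2016-03-04 14:05:11,201,0733001234,95,0.30
2016-03-04 16:40:02,214,0011441234567890,180,2.10
2016-03-04 22:14:07,207,0011882123456789,600,45.00
2016-03-04 22:24:30,207,0011882123456789,600,45.00
2016-03-04 22:34:51,207,0011882123456789,600,45.00
2016-03-04 22:45:12,207,0011882123456789,600,45.00
2016-03-04 22:55:40,207,0011882123456789,600,45.00
2016-03-04 23:06:03,207,0011882123456789,600,45.00
2016-03-05 09:12:44,201,0418123456,40,0.25
"""

INTERNATIONAL_PREFIX = "0011"    # assumed: Australian international access code
BUSINESS_HOURS = (8, 18)         # assumed: 08:00-18:00, Monday to Friday
REPEAT_THRESHOLD = 5             # calls to one foreign number within the window
REPEAT_WINDOW = timedelta(minutes=60)
DAILY_INTL_CAP = 100.00          # assumed daily cap per extension, in dollars


def parse_cdrs(text):
    """Parse CSV CDR text into typed records."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "ts": datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S"),
            "ext": row["extension"],
            "dialled": row["dialled"],
            "cost": float(row["cost"]),
        })
    return records


def is_international(number):
    return number.startswith(INTERNATIONAL_PREFIX)


def is_after_hours(ts):
    """Weekend, or a weekday time outside BUSINESS_HOURS."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not start <= ts.hour < end


def repeat_bursts(records):
    """(ext, number, calls) for each extension that dials one foreign number
    REPEAT_THRESHOLD or more times inside REPEAT_WINDOW (sliding window)."""
    by_pair = defaultdict(list)
    for r in records:
        if is_international(r["dialled"]):
            by_pair[(r["ext"], r["dialled"])].append(r["ts"])
    alerts = []
    for (ext, number), times in sorted(by_pair.items()):
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > REPEAT_WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= REPEAT_THRESHOLD:
            alerts.append((ext, number, peak))
    return alerts


def daily_over_cap(records):
    """(ext, date, total) where one day's international charges exceed the cap."""
    spend = defaultdict(float)
    for r in records:
        if is_international(r["dialled"]):
            spend[(r["ext"], r["ts"].date().isoformat())] += r["cost"]
    return sorted((ext, day, round(total, 2))
                  for (ext, day), total in spend.items() if total > DAILY_INTL_CAP)


def after_hours_international(records):
    """Extensions that placed any international call outside business hours."""
    return sorted({r["ext"] for r in records
                   if is_international(r["dialled"]) and is_after_hours(r["ts"])})


def detect_toll_fraud(cdr_text):
    """Run all three checks and list the extensions whose international
    dialling should be suspended until the owner confirms the traffic."""
    records = parse_cdrs(cdr_text)
    bursts = repeat_bursts(records)
    over_cap = daily_over_cap(records)
    after_hours = after_hours_international(records)
    suspend = sorted({e for e, _, _ in bursts} | {e for e, _, _ in over_cap}
                     | set(after_hours))
    return {"bursts": bursts, "over_cap": over_cap,
            "after_hours": after_hours, "suspend": suspend}


if __name__ == "__main__":
    for key, value in detect_toll_fraud(SAMPLE_CDRS).items():
        print(f"{key}: {value}")
```

Run against the sample data, only extension 207 trips the checks, and it trips all three: six calls to the one foreign number inside an hour, $270 of international charges on the Friday, and every one of those calls after hours. Blocking international dialling on the flagged extension until someone confirms the traffic is exactly the credit-card-style hold Mr Stewart asks for; the thresholds should be tuned to what a given business normally does, and a legitimate after-hours caller is the case to test before turning an automatic block on.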
Best password policies for devices:
- If you can, change the default username to something different.
- Don’t use a shared administrator password across devices.
- Make your device passwords strong with a minimum of 9 characters.
- If you can, use passphrases instead of passwords.
- Store the passwords securely.
- If you are in any doubt, contact your trusted IT partner.
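The policy above can be checked mechanically against an export of the extensions and their PINs or admin passwords, which is how a business finds the ‘0000’ extension before an attacker does. The audit below is an added example for this article, not code from Surety IT; the credential export format and the list of well-known default secrets are assumptions, and the rows are constructed sample data.

```python
"""Audit a table of device credentials against the article's password policy.

Added example, not code from Surety IT. Checks each extension's PIN or admin
password for the weaknesses behind the incident above: the default '0000' and
other well-known defaults, repeated or sequential digits, a secret equal to the
extension number, a secret shorter than the 9-character minimum, and one
secret shared across several devices. The export format and the list of
well-known defaults are assumptions for illustration.
"""
import csv
import io
from collections import Counter

MIN_LENGTH = 9  # minimum from the article's device password policy
# Assumed list of well-known defaults; extend it from your own vendors' manuals.
DEFAULT_SECRETS = {"0000", "1234", "1111", "123456", "000000", "admin", "password"}

# Constructed sample credential export, not real data: extension, secret.
SAMPLE_CREDENTIALS = """\
extension,secret
201,0000
207,0000
214,214
220,123456
231,777777777
245,correct horse battery staple
"""


def is_sequential(secret):
    """True for digit strings that step by exactly +1 or -1, e.g. 123456 or 9876."""
    if not secret.isdigit() or len(secret) < 3:
        return False
    steps = {int(b) - int(a) for a, b in zip(secret, secret[1:])}
    return steps in ({1}, {-1})


def check_secret(extension, secret, shared_count):
    """Return the policy findings for one credential, in a fixed order."""
    findings = []
    if len(secret) < MIN_LENGTH:
        findings.append("too_short")
    if secret.lower() in DEFAULT_SECRETS:
        findings.append("default")
    if len(set(secret)) == 1:
        findings.append("repeated")
    if is_sequential(secret):
        findings.append("sequential")
    if secret == extension:
        findings.append("equals_extension")
    if shared_count > 1:
        findings.append("shared")
    return findings


def audit_credentials(text):
    """Map each extension to its findings; an empty list means it passes."""
    rows = list(csv.DictReader(io.StringIO(text)))
    usage = Counter(row["secret"] for row in rows)  # detects one secret reused across devices
    return {row["extension"]: check_secret(row["extension"], row["secret"],
                                           usage[row["secret"]])
            for row in rows}


def failing_extensions(text):
    """Extensions that need a new credential before the device is trusted."""
    return sorted(ext for ext, findings in audit_credentials(text).items() if findings)


if __name__ == "__main__":
    for ext, findings in audit_credentials(SAMPLE_CREDENTIALS).items():
        print(ext, "OK" if not findings else ", ".join(findings))
```

On the sample export, five of the six extensions fail: 201 and 207 still carry the default ‘0000’ and share it, 214 uses its own extension number, 220 uses a sequential default, and 231 meets the length minimum with a single repeated digit, which is why length alone is not the test. Only the passphrase on 245 passes. The export itself is a list of secrets, so it should be handled and stored as carefully as the policy's last point asks.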
About Geoff Stewart
Geoff Stewart is a highly experienced and skilled technology director at Surety IT. His knowledge is based on years of industry experience having created customised, stable, well performing systems both for multi-national companies in the UK and Australia and Surety IT customers.
ends