In the News
Jul 12, 2004, 18:49 PST
I never thought it could happen to me.
Isn't that what all crime victims say?
Well that's me - a crime victim who never thought it
could happen to her. And the reason I'm writing this column today is to
share that it not only happened, but that most people to whom this crime
happens don't even realize it is possible.
I'm talking about hacking. But not hacking into
computers. Hacking into phone systems.
It happened over the long July 4th weekend, when no one was
in our office to catch that something was going wrong. Hackers accessed our
phone system and used our lines to place long distance calls.
The good news is that the fraud divisions at both Sprint and
AT&T caught the calls, putting a stop to them after 2 days.
The bad news is that once those major providers halted our
international service, they tell us it is likely the perpetrators started using
our lines to access those 10-10 services you see advertised all the time.
Worse news is that the extent of the long distance calls
placed from our phone system may be as much as $20,000 or more.
Even worse is the news that in at least the initial stage of
this fight, the phone companies have said we are liable for those charges, and
it appears some courts have backed them up.
But that's not the very worst of it.
The worst is that in those short 2 days, the calls placed
from our system included a 16 hour call to Saudi Arabia, 6 and 8 hour calls to
Yemen, Afghanistan, Pakistan, India and other countries the United States has
on watch during this time of war.
From Gotcha to Fighting Back
As happens with any crime, first you feel violated, then you
put things in order. And sometimes, depending on the crime, there is a next
step - fighting back.
So the first thought running through my head when we learned
of the problem was consternation: "There is a war going on, and my phone
is being used to make long illegal calls to countries that are both directly
and indirectly involved in that war." It's one thing to feel violated
after a crime, but this went beyond that feeling, bringing home to me the fact
that regardless of how each of us individually feels about it, the world is in
a state of war, and the tools of war and espionage have absolutely changed.
But as we began to put things in order, learning as we went,
those feelings of being violated were replaced by a different sensation. A
single thought kept resonating louder and louder in my head:
WHY ISN'T ANYONE TALKING ABOUT THIS?
Even those of us in the nonprofit world who have come late
to the technology party - those who are finally seeing the need for a
website, or those who have finally grown accustomed to using email for much of
their communication - regardless of how much or how little we know about
technology, we know about virus protection and spam filters. We know these
things because everyone seems to talk about them.
Then why is it not just as common knowledge that our phone
systems could be used as tools for international crime? How did this happen?
How It Happened
From our crash course in phone security over these past few
days, we've learned a few of the things that allowed this to happen.
First, let's clarify that this applies more to
multi-line office phone systems than it does to the single phone in your home.
That said, there has been a dramatic increase in hacking of cell phones and
Palm Pilot / other PDAs, as wireless technology makes that so easy. For the
sake of keeping this article brief, let's stick to office phone systems
for now. (Although if my cell phone is hacked next week, I may be back with a
Part 2 for this article!)
These days, modern office phone systems are little more than
computer systems. Many of the cool new features on these phones allow not only
remote access to your voice mail, but remote access to a dial tone. For
example, your voice mail system may, for your convenience, allow you to
"Press 3 to return this call," even if you are away from the office
when you check your messages.
Well, if you can make that call from your office system when
you are not physically there, so can someone else. That feature may be a
convenience for you, but it allows easy access for those whose intentions are
less than noble.
Another part of the problem, though, is that our world
places tremendous emphasis on keeping our computers safe, but we hear virtually
nothing about keeping our phone systems safe. Even non-techies (such as myself)
know enough about the Internet to know I want a firewall and the latest virus
definitions, and that every so often I want my teenaged daughter to check my
system for spyware and other evidence of foul play.
But my phones?
Which leads to a related piece of the puzzle: There
haven't been anywhere near the advances in protection for these systems as
have been made for our computers. A quick Internet search regarding this
problem found a Business Week article dating from 1991, describing the exact
methods the thieves used to gain access to our system - 13 years ago! In a
world where we are so used to techno-changes every few minutes, how is it
possible my phone system has the same hack-potential it had when the buzz on
the tech circuit was the latest version of DOS?
Until such time as there are more foolproof
phone-hack-protection measures available, there are things you can do to
protect yourself. The first is to contact whoever services your office phone
system, to have them run through their own checklists with your system. There
are a number of layers of protection they can add that will make your system
harder to crack.
It is equally important, however, to simply be aware. If you
don't need the feature that allows a remote dial tone, turn it off. When
employees leave the firm, change any passwords that employee might have known.
Make those passwords as LONG as possible. Like the Neighborhood Watch programs
that teach residents to make their house unappealing to thieves, make your
system too much effort to crack, and they'll head to an easier system.
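One way to "simply be aware" is to review the phone system's call records after every weekend or holiday. The sketch below is an added example, not part of the original column: it flags toll calls placed while the office was closed, assuming a hypothetical CSV export of call detail records, constructed sample rows, assumed office hours and thresholds, and North American dialing (011 for international, 101 plus four digits for "10-10" dial-around services).

```python
import csv
import io
import re
from datetime import datetime

# Constructed sample call detail records (CDR); the column layout is an assumption.
SAMPLE_CDR = """start,extension,dialed,seconds
2004-07-02 10:15:00,104,15205550123,420
2004-07-03 01:12:00,VM-PORT-2,01196655501234,57600
2004-07-03 02:40:00,VM-PORT-2,01196755509876,21600
2004-07-04 14:05:00,VM-PORT-1,10102200119255501111,28800
2004-07-06 09:30:00,110,01144205550100,900
"""

CLOSED_DATES = {"2004-07-05"}            # office holidays (assumed)
OPEN_HOURS = range(8, 18)                # Mon-Fri 08:00-17:59 (assumed)
LONG_CALL_SECONDS = 2 * 3600             # review threshold (assumed)
DIAL_AROUND = re.compile(r"^101\d{4}")   # "10-10" carrier access code
INTERNATIONAL = re.compile(r"^011\d+")   # North American international prefix


def office_closed(ts):
    """True when nobody should be placing calls from a desk."""
    return (ts.weekday() >= 5 or ts.hour not in OPEN_HOURS
            or ts.strftime("%Y-%m-%d") in CLOSED_DATES)


def review_cdr(text):
    """Return (row, reasons) for toll calls placed while the office was closed."""
    flagged = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        dialed, reasons = row["dialed"], []
        if DIAL_AROUND.match(dialed):
            reasons.append("dial-around prefix")
            dialed = dialed[7:]          # inspect the number behind the prefix
        if INTERNATIONAL.match(dialed):
            reasons.append("international")
        if int(row["seconds"]) >= LONG_CALL_SECONDS:
            reasons.append("long call")
        if reasons and office_closed(ts):
            reasons.append("office closed")
            flagged.append((row, reasons))
    return flagged

if __name__ == "__main__":
    for row, reasons in review_cdr(SAMPLE_CDR):
        print(row["start"], row["extension"], row["dialed"], ", ".join(reasons))
```

Calls that originate from voice mail ports rather than desk extensions, as in the constructed rows, point at the remote dial tone feature described earlier.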
Sprint has created an excellent tip sheet for how to protect
your phones. They also have a great tip sheet for protecting yourself from
what's known in the lingo as "Social Engineering." An example of
Social Engineering (which I confess, sounds like some strange eugenics project,
but actually has to do with your phone system) is when the people who want to
use your phones for illegal activity will call and identify themselves as
Sprint or AT&T operators who need your password to keep the system safe.
This latter issue will be of particular interest to nonprofit organizations
with volunteers answering the phones, and you may want to have a special phone
security training session with those individuals.
We have posted both these tip sheets to a special section at
our website. (See Above) We urge you to download them and provide
them to all your organization's employees.
To all who have expressed their concern for us, we thank
you. We have filed police reports and are reporting the "theft" to our
insurance company and will be protesting the charges with the phone companies.
But to us, this was a lesson. A lesson that says, "You
never know." And if you can learn from our lesson, then perhaps some good
will come out of what is likely to become some long months of battles ahead.
NonProfits & Tribes
©2004 Help 4 NonProfits & Tribes 4433 E.
Broadway Blvd. Suite 202 Tucson, Arizona 85711 520.321.4433