phone system hacking

  • Allworx Phone System Security Updates

    Allworx, a Windstream company, has announced new security practices in response to recent hacking issues.

    Suggested Security Best Practices

    Overview

    One of the primary advantages of the Allworx family of products is its flexibility in configuration and settings in a way that is easy to understand. Security is an important consideration, and we are constantly striving to improve our systems to protect our customers.

    We are investigating reported instances and have seen fraudulent SIP registration attacks that search public IP addresses and gain access to either an Allworx server or, most recently, to remote Allworx handsets not installed behind a firewall. We have also received reports of recent toll fraud incidents in which fraudulent attacks take over the SIP registration of an Allworx handset attached to a public network. This document summarizes the security best practices to prevent security compromises.

    What You Should Do

    It is imperative to use the proper security settings so that hostile, unauthorized attempts to access the system do not result in situations where either remote access or the spoofing of handsets can occur. Most often, the result is unauthorized calling and toll fraud. Compromises usually start with port scans to determine if a host is a candidate for unauthorized access. Disabling unused ports often discourages a fraudulent attack, and the attacker will move on to another IP.
    • Update the Allworx server to the most recent patch level of 7.6. These patches change each Allworx phone's SIP registration password during the phone reboot.
    • Install the server behind a firewall or connect it to the public internet using the WAN port. DO NOT connect the Allworx LAN port directly onto the public internet.
    • Disable Allworx WAN services (ports) not in use.
    • Change voicemail ports (SMTP and IMAP) to non-standard port numbers.
    • Change all server admin, phone admin, and user passwords from the default values.
    • Use strong passwords for server and phone administration pages. DO NOT use simple passwords such as "1234" or "Allworx".
    • Verify that there is no exposure of the Admin Page (Port 8080) to the public network. DO NOT port forward directly to the LAN port of an Allworx server from the customer's router. For remote maintenance, use the Allworx VPN. Navigate to Home > Network > VPN > modify to configure the VPN settings.
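    The hardening steps above reduce exposure to the SIP registration attacks the advisory describes; the following added example (not Allworx code, and using a constructed log format with illustrative thresholds) shows how a defender can spot those attacks in a PBX registration log, by flagging a source that fails against many extensions and an extension whose successful registration moves to a new address.

```python
"""Detect SIP registration attacks from a PBX registration log (added example).
Log format is constructed for this example, not Allworx's own; thresholds are
illustrative. Line: <timestamp> REGISTER <ok|fail> ext=<n> src=<ip> ua=<agent>
"""
import re
from collections import defaultdict

# Constructed sample: ext 201 registers normally, then one public address fails
# against many extensions and finally registers ext 201 itself.
SAMPLE_LOG = """\
2014-05-12T08:00:01 REGISTER ok ext=201 src=203.0.113.7 ua=Allworx-handset
2014-05-12T08:02:10 REGISTER fail ext=100 src=198.51.100.9 ua=scanner
2014-05-12T08:02:10 REGISTER fail ext=101 src=198.51.100.9 ua=scanner
2014-05-12T08:02:11 REGISTER fail ext=102 src=198.51.100.9 ua=scanner
2014-05-12T08:02:11 REGISTER fail ext=103 src=198.51.100.9 ua=scanner
2014-05-12T08:02:12 REGISTER fail ext=104 src=198.51.100.9 ua=scanner
2014-05-12T08:02:12 REGISTER fail ext=201 src=198.51.100.9 ua=scanner
2014-05-12T08:02:13 REGISTER ok ext=201 src=198.51.100.9 ua=scanner
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) REGISTER (?P<result>ok|fail) ext=(?P<ext>\d+) "
    r"src=(?P<src>[\d.]+) ua=(?P<ua>\S+)$"
)

def parse(log_text):
    """Return a list of dicts for the lines that match LINE_RE."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def find_alerts(events, max_failures=5, min_extensions=3):
    """Brute force: one source failing repeatedly across many extensions. Takeover:
    an extension's good REGISTER moves to a new source (review; roaming phones trip it)."""
    alerts = []
    failures = defaultdict(list)   # source ip -> extensions it failed against
    last_ok_src = {}               # extension -> source of its last good REGISTER
    for e in events:
        if e["result"] == "fail":
            failures[e["src"]].append(e["ext"])
            continue
        prev = last_ok_src.get(e["ext"])
        if prev is not None and prev != e["src"]:
            alerts.append(("takeover", e["ext"], f"{prev} -> {e['src']}"))
        last_ok_src[e["ext"]] = e["src"]
    for src, exts in failures.items():
        if len(exts) >= max_failures and len(set(exts)) >= min_extensions:
            alerts.append(("bruteforce", src, f"{len(exts)} failures on {len(set(exts))} extensions"))
    return alerts
```

    Feed `find_alerts(parse(...))` real log lines once LINE_RE is adapted to the server's actual format; the takeover rule is a review trigger, not proof of compromise.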
    For more information about Allworx please contact Telcom & Data at 800-335-0229
  • 10 Ways to Avoid a Million Dollar Phone Bill

    Q. How do you know when your phone system has been hacked?

    A. When you get the phone bill!

     

    In a recurring theme, The Salem News reported today about a small business in Ipswich, MA, called Todd Tool and Abrasive Systems whose phone system was hacked during a four-day period to the tune of $891,470 worth of phone calls. Even though Todd Tool was a Verizon customer, the hackers used a dial-around long distance service that placed the calls through AT&T's network. The Salem News also reported that Verizon, who was the service provider for Todd Tool, noticed an unusual amount of calls being made and shut down the ability to make these types of calls. Verizon ended up writing off $260,000 worth of calls. AT&T also had calls made through their service, but they are not going to take a write-off and have filed a $1.15 million lawsuit against Todd Tool for the calls. If AT&T wins in court, according to owner Michael Smith, it could mean bankruptcy for Todd Tool.

    I decided to ask telecom guru Rick Trinidad what a business could do to prevent hackers from doing the same thing. Below is a list of suggestions.

     

    1. Hire a company to do a thorough security analysis of your phone system. If you can't afford a $12,000.00 phone bill, you might really need this.
    2. Make sure your voice mail system does not have the default passwords and that outbound calling features are turned off or addressed. Many voice mail systems can make outbound calls to notify you of messages. This can be used to make calls through your phone system.
    3. Old voice mail boxes need to be deleted. If you are like most companies, people come and go but voice mail boxes remain active and do not get removed. Delete all old voice mail boxes.
    4. DISA, or Direct Inward System Access, is a phone system feature designed to allow companies to use their phone systems to place outgoing calls remotely: access to your phone system's telephone lines through the phone system. It was developed long before cell phones as a way to reduce reliance on old, expensive telephone calling cards. It is a real favorite among hackers.
    5. The Auto Attendant used for routing calls can also transfer calls to off-site locations. If you aren't using this capability, make sure it is turned off. If you are using it, change your passwords frequently.
    6. Call forwarding to outside numbers is another feature that, while wonderful for working remotely, leaves open a window of opportunity. Make sure whoever needs this feature really needs it, and make sure it is turned off for everyone else.
    7. Operator transfers are another way hackers can use your phone lines to make calls. A caller posing as a telephone company repairman will call and say he is testing the phone lines, and ask if the operator would please transfer them to 910333 or 910XXX; these are access numbers to Sprint or any other phone company that allow calls to be placed directly through your lines over the phone company's network. The phone company will then bill the call back to you at the most expensive calling rate. For more on this, check out Sprint's Corporate Security Guide.
    8. Old direct dial numbers that are no longer being used should be removed from your phone system's numbering scheme until needed again. Hackers are looking for any way into your systems.
    9. Conference call systems and conference bridges should be password protected. Hackers can get into conference bridges to listen to sensitive corporate information. Use an in-house bridge as opposed to an outside conference call service for maximum protection. An in-house conference bridge can be placed behind your company's firewall, and passwords can be changed for every conference.
    10. Call accounting software such as Tapit Call Accounting can help reduce unauthorized phone calls. The Tapit Fraud Alert module alerts you when set calling parameters are being breached by sounding an alarm and sending a text message.
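    Item 10 describes alarming when calling parameters are breached, which is the control that would have caught a four-day burst like the Todd Tool case early. The following added example (not Tapit's code; CDR format and thresholds are constructed assumptions) implements that kind of rule over call detail records, flagging international calls outside business hours and any extension exceeding a per-hour count or minutes limit.

```python
"""Call-accounting style toll-fraud alarm over call detail records (added example).
The CSV CDR format and thresholds are constructed assumptions for this example,
not the format or defaults of Tapit or any other call-accounting product.
"""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample: normal daytime calls, then a burst of overnight
# international calls from one extension (the toll-fraud pattern).
SAMPLE_CDR = """\
start,ext,dialed,seconds
2014-05-12T10:15:00,201,16175550100,120
2014-05-12T10:40:00,205,011999555010,300
2014-05-12T02:05:00,112,011999555011,600
2014-05-12T02:07:00,112,011999555012,550
2014-05-12T02:12:00,112,011999555013,610
2014-05-12T02:20:00,112,011999555014,590
2014-05-12T02:31:00,112,011999555015,620
"""

def load_cdrs(text):
    """Parse CSV CDRs into dicts with a datetime start and integer seconds."""
    return [{"start": datetime.fromisoformat(r["start"]), "ext": r["ext"],
             "dialed": r["dialed"], "seconds": int(r["seconds"])}
            for r in csv.DictReader(StringIO(text))]

def is_international(dialed):
    """NANP international prefix 011, or +/00 as dialed from other regions."""
    return dialed.startswith(("011", "+", "00"))

def fraud_alarms(cdrs, max_calls=3, max_minutes=30, business_hours=(7, 19)):
    """Alarm on international calls outside business hours and on any extension
    exceeding a count or minutes threshold of international calls in one hour."""
    alarms, by_hour = [], defaultdict(list)
    for c in cdrs:
        if not is_international(c["dialed"]):
            continue
        if not business_hours[0] <= c["start"].hour < business_hours[1]:
            alarms.append(("after-hours", c["ext"], c["start"].isoformat()))
        by_hour[(c["ext"], c["start"].replace(minute=0, second=0))].append(c)
    for (ext, hour), calls in by_hour.items():
        minutes = sum(c["seconds"] for c in calls) / 60
        if len(calls) >= max_calls or minutes >= max_minutes:
            alarms.append(("volume", ext,
                           f"{len(calls)} intl calls, {minutes:.0f} min from {hour.isoformat()}"))
    return alarms
```

    Tune the thresholds to the site's normal international traffic; the value of the control is that the alarm fires within the first hour of a burst rather than at the end of the billing cycle.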

    For more information on how to avoid phone system hacking, call 800-335-0229 or visit www.telcom-data.com

     

     

     

     
