Monday, March 10, 2008


PBX Adjunct Servers
Most PBX systems have an adjunct server or two, providing voice messaging or call
center functionality that isn’t part of the core PBX switching capabilities. The larger
and more complex a network gets, the more demanding traffic becomes on the
underlying hardware. Given the modularity of voice networks, we can offload some
of this functionality to other hardware that can be dedicated to a specific task, rather
than having the PBX attempt to do everything itself. Of course, this also complicates the overall security
model, so make sure you know how this offloading impacts security.


Voice Messaging
It’s hard to remember that voicemail was once a completely optional capability for
PBX systems, but it’s still implemented as a separate server by most vendors using
analog, digital, or IP trunks to integrate with the PBX. Some settings on that voice
messaging server can open the door to fraud and abuse, so be sure to follow manufacturer
recommendations for security—especially when it comes to changing
default administrator passwords! Are mailboxes using strong enough PINs? Are old
mailboxes closed down? Make sure you can answer these questions.
Notes from the Underground…


Voice Messaging: Swiss Army Knife for Hackers?
Voice messaging is not without its share of security considerations, though. Many
vendors ship voice mail systems with default passwords installed, which some
users opt to never change. These passwords are often as simple as the number
of the voice mailbox itself, or a simple string of numbers like 12345. Hackers love
it when it’s this easy to get in. But that’s only the beginning when it comes to
security attacks you may need to protect against within your voice messaging systems.
Here are a few other scenarios:
■ When attackers gain control over a compromised PBX system that
supports DID and voice-mail, they might change the outbound
greeting to something like “Hello? Yes, yes, that’s fine.” Or just “Yes
(pause) yes (pause) yes…” They then call that number collect and the
operator hears what appears to be someone more than willing to
accept charges! Some PBX and voice-mail systems send a special
tone when a line is forwarded to voice-mail that may discourage this
tactic since a savvy operator would recognize the tone. Does your
organization know what’s happening with old or unused mailboxes?
■ Another security issue can arise when mobile phone providers offer
voicemail to their subscribers, but don’t require a password to access
messages when the voicemail server receives the subscriber ANI (indicating
that subscriber is calling from the mobile phone associated
with that extension). But by offering their users the “convenience” of
quick access to their messages, these carriers may be opening the
door to eavesdropping through ANI spoofing (which is discussed in
more detail in Chapter 4) unless they have other means of verifying
the origin of a given call.
■ Eavesdropping on potentially confidential messages is certainly a
threat, but an attacker may potentially hijack phone calls intended
for a victim as well. This can be done by changing their outbound
message greeting to say “Hi, this is Corey. Please call me at my new
number at…” and leave a number that they control, performing a
man-in-the-middle attack on the intended recipient.
■ Another successful social engineering technique involves leaving
messages within a voicemail system requesting passwords (for
“testing” or “administrative purposes”) on another internal extension,
lulling the victim into believing that the attacker is a legitimate
employee at the target company.
■ The latest voice-messaging systems can be used to read e-mail using
text-to-speech. Attackers know that a PIN for the voice messaging
system is easy to guess, and this may be the easiest way for them to
get to an e-mail system.
■ And don’t forget toll fraud that can happen through out-dial capabilities
on voicemail systems. Consider turning off this feature if it
isn’t needed in your organization. Associated risks can also be mitigated
through carefully crafted PBX dial policy.
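The PIN and stale-mailbox questions raised above, together with the out-dial point in the last bullet, can be turned into a routine audit of the voice messaging server’s mailbox settings. The following script is an example added to this post, not code from the book or any vendor; the mailbox record layout, the 90-day staleness threshold and the sample records are assumptions.

```python
"""Audit voicemail mailboxes for the weaknesses described in the text:
PINs equal to the mailbox number, trivial or default PINs such as 12345,
mailboxes nobody has logged into for a long time, and out-dial left enabled.
The Mailbox layout is an assumption, not any vendor's export format."""
from dataclasses import dataclass
from datetime import date

@dataclass
class Mailbox:
    number: str       # extension / mailbox number, e.g. "4102"
    pin: str          # current PIN as a digit string
    last_login: date  # last successful mailbox login
    out_dial: bool    # whether the mailbox may place outbound calls

# Constructed sample of common factory-default or lazy PINs (assumption).
TRIVIAL_PINS = {"12345", "123456", "112233", "121212"}

def pin_is_weak(number: str, pin: str, min_len: int = 6) -> bool:
    """True if the PIN is the mailbox number, a known default, too short,
    a single repeated digit, or a run of consecutive digits (123456, 654321)."""
    if pin == number or pin in TRIVIAL_PINS or len(pin) < min_len:
        return True
    if len(set(pin)) == 1:
        return True
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {-1})

def audit_mailboxes(boxes, today, stale_days=90):
    """Return (mailbox, finding) pairs; stale_days is an assumed policy value."""
    findings = []
    for b in boxes:
        if pin_is_weak(b.number, b.pin):
            findings.append((b.number, "weak PIN"))
        if (today - b.last_login).days > stale_days:
            findings.append((b.number, "stale mailbox"))
        if b.out_dial:
            findings.append((b.number, "out-dial enabled"))
    return findings

# Constructed sample records for a stand-alone run.
SAMPLE_TODAY = date(2008, 3, 10)
SAMPLE_BOXES = [
    Mailbox("4102", "4102", date(2008, 3, 7), False),    # PIN equals mailbox number
    Mailbox("4103", "12345", date(2007, 10, 1), True),   # default PIN, unused, out-dial on
    Mailbox("4104", "731906", date(2008, 3, 9), False),  # acceptable
]

def run_sample():
    return audit_mailboxes(SAMPLE_BOXES, SAMPLE_TODAY)

if __name__ == "__main__":
    for number, finding in run_sample():
        print(f"mailbox {number}: {finding}")
```

The same checks are worth re-running after every mailbox provisioning change, since a default PIN and an enabled out-dial tend to arrive together with a newly created box.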



Interactive Voice Response Servers
Perhaps you first ran into an IVR when you noticed an incorrect charge on your
phone bill and decided to speak with a customer service representative to clear
things up. But when you dialed the toll-free number on the bill, you were greeted with a
labyrinth of options allegedly to help you self-navigate to the appropriate agent. This
maze of menus is brought to you through an Interactive Voice Response (IVR)
system. An IVR is a series of recorded greetings and logic flows that provide a caller
with a way to route through the phone system as a means of convenience. Personal
feelings about speaking with a recorded voice aside, IVRs are actually a pretty clever
way of providing a caller with speedy call placement, taking much of the burden
away from agents or operators.
Today’s latest-generation IVR systems are built on VoiceXML interpreters, and
may have sophisticated development environments. IVR security is a largely unexplored
topic since each IVR system is like a unique application, but we occasionally
hear about poorly written IVR applications that are insecure or not sufficiently robust.
