
Business Phone Systems

Joined: Mar 2004
Posts: 20
Member
OP Offline
Hi, I just set up a Partner ACS 2.0 / Partner Mail VS 4.1 system. Everything's working great, but within 24 hours of setup I heard from the receptionist at the office that she can't log in to P Mail VS to update the auto-attendant greeting.

At first I thought I had written the instructions wrong, but it turns out that the admin password had actually been changed.. I did some reading on the net and was able to get in and reset the admin password, but.. UHHH, isn't this a HUGE problem?

I mean someone can get in and reset the voicemail system to defaults, taking all mailboxes & saved messages with it, in about 30 seconds if they know what they're doing. That could be disastrous for the organization I'm servicing.

They can't afford to upgrade to Partner Messaging; are there any kludges or external solutions to this problem, like putting a touch-tone interpreter on the CO lines and intercepting any sequence that starts with 99# ? I don't care if I have to completely disable external / off-site VM administration; I don't want the VM system to be hacked and messed with or reset.

Thanks for any remarks / tips on this glaring issue. Really idiotic of Avaya/Lucent to have put the dumb backdoor in there in the first place.


Joined: Feb 2005
Posts: 12,344
Likes: 3
Member
***
Offline
Really idiotic of Avaya/Lucent to have put the dumb backdoor in there in the first place.

Well, there has to be a backdoor to get into the system when the admin pass is not known. The Partner Messaging works the same way only those backdoors are not as well known YET. Don't blame Avaya, blame the internet. This is a perfect example of why we will not give out passwords here but will offer to reset your system for you.

As for your situation, can you think of anybody who would want to maliciously change the admin password? Sounds to me like it was done by someone in your office who thought it should be changed or by mistake. This is a new system. Check around, it's always the case that no one will own up to it but I wouldn't suspect a hacker.

-Hal


CALIFORNIA PROPOSITION 65 WARNING: Some comments made by me are known to the State of California to cause irreversible brain damage and serious mental disorders leading to confinement.
Joined: Mar 2001
Posts: 7,350
RIP Admin
*****
Offline
Hal has hit the nail right on the head, other sites and boards freely post passwords which is the WRONG thing to let happen and that is the problem not the equipment.

Example, saw the password string to default a PC mail the other day on a site (won't say which one but it wasn't this one). Any hacker or mad employee had access to it and could really do some damage with it. Not good.


Russ runs a local service and private tech center.

Joined: Mar 2004
Posts: 20
Member
OP Offline
There's no one else in the office even remotely capable of logging in to the voicemail admin account (i.e. they simply don't know how.) Also there are only 5 people in the office; I know them each personally.

The whole "protect the magic codes, don't put them on the Internet!" attitude is a kindergarten, ostrich-head-in-the-sand approach to security known as "Security through Obscurity." It doesn't work when it costs no one a red cent to freely post & copy the "key under the doormat" to a system. (See: en.wikipedia.org/wiki/Security_through_obscurity )

I know you all aren't the programmers of the system, but there's no excuse for putting such blatant back doors into any important system, none except sheer laziness. It should not be possible to reset the system password without A) being physically on-site with the equipment or B) knowing some piece of unique information such as the system's serial number.

I strongly encourage you to shout at your telecom equipment makers about what a... I can't even find the words, it's so third-grade. What a stupid practice this is.

(P.S. I am not ranting about DEFAULT passwords, I am ranting about UNCLOSEABLE BACK DOORS written into systems.)

Joined: Jun 2001
Posts: 10,949
Moderator-Avaya
*****
Offline
To start off with, who did you purchase your equip. through?

The key to any telecom equip is getting a good vendor that will take care of you and your equip.

Telecom equip isn't something you go to Best Buy or eBay and pick up if you think anything about your company.

Your communication to the outside world should be done by someone who knows what they are doing and not Joe Blow that does that on the side.

Second, you may want to finish your profile in order to get much help here.

Thanks,


Avaya SMB Authorized Business Partner. ACIS/APSS
ESI Certified Reseller/Installer
www.regal-comm.com
Joined: Mar 2001
Posts: 7,350
RIP Admin
*****
Offline
It doesn't make sense for a hacker to just change the admin password and leave everything else alone, something else is going on here. The backdoor password was never a problem until the internet and people started posting it, you will find most all systems have a back door to them.


Joined: Feb 2005
Posts: 12,344
Likes: 3
Member
***
Offline
To tell the truth you are the first person I have ever heard of to have this problem, and I have been selling Partner systems since they came out. So I don't think this is the big security issue you make it although I'm sure it happens.

People who own Avaya systems are supposed to have a relationship with a dealer who would handle such things as a lost admin password and remote administration. There would be no reason for the customer to need the backdoor or even know one existed. Dealers do not divulge such information anyway.

Enter the internet. Buyers think they are getting a slick deal but there is no dealer that they can turn to and tech support is almost nonexistent or incompetent from gray market sellers. So not only is there a desire to know by the end user but now the information gets freely distributed when it is learned.

So basically by buying off the internet you have screwed yourselves on the security issue.


-Hal


Joined: Jun 2001
Posts: 10,949
Moderator-Avaya
*****
Offline
Could not have said it better myself Hal!

:bow: :thumb:


Joined: Mar 2004
Posts: 20
Member
OP Offline
Post retracted.

Joined: Mar 2004
Posts: 20
Member
OP Offline
A brief follow-up to Hal:

Thanks for jumping to the wrong conclusions. I didn't buy the system off the Internet. It was donated to the non-profit organization I'm assisting (after it was decommissioned from another company.)

That non-profit happens not to be able to afford what are, I'm sure, your quite expensive service rates.

Again, this query has NOTHING to do with whether I do or don't have a service provider; clearly from all that I have read on the internet there simply ARE NO SOLUTIONS to the gaping, intentional security hole, and I find it unlikely that if I were to purchase service from you that I would learn different.

Here, I'll put my money where my mouth is. If someone here has knowledge of the system that would let me configure it such that it was NOT VULNERABLE to outside callers using the standard (very well known, try google) Partner VS 4.1 backdoor admin password to get into the system, I will gladly PAY you $100.00 by PayPal as soon as I verify that your fix, whatever it is, works.

(This offer applies only to the stock system as it is, I'm not paying someone $100 to be told, "Upgrade to Partner Messaging!" or "buy 4 of these gadgets to put on your 4 CO Lines!" If no one can come forward with an answer on my terms I'll consider it conclusive proof that there is no solution and that all that any of you can do is blow smoke about the warm happy feelings that come from an expensive service contract -- meanwhile not having any actual improvement of the disgustingly bad security of the system.)

Thanks.


Sundance Communications is not affiliated with any of the above manufacturers. Sundance Phone System Forums - VOIP & Cloud Phone Help
©Copyright Sundance Communications 1998-2024