A caller who apparently hacked the Haines Borough School District’s phone system may have accessed the system through a default password to an employee’s voice mail account, according to Bruce Messerschmidt of Alaska Power and Telephone.
A default password, a familiar sequence such as “1234,” typically is assigned when a phone system is installed. Then, individual users are asked to reset passwords to their individual accounts, using a less discernible series of numbers.
“It appears that the individuals accessed through the only voice mail that still had a default password. They then accessed to an outgoing line to complete the calls overseas,” Messerschmidt said last week.
All passwords have been changed and upgraded to a higher level of security, Messerschmidt said.
The district was notified in late October that more than 70 hours of calls were logged from a school district number to locations overseas, including Austria and Serbia.
How an infiltrating caller used access to a voice mail account to make a call on the same line wasn’t clear this week. “To gain access the way that they did, and find a way through to an outgoing line, would take somebody (with) intimate knowledge of the switch manufacture at the school,” Messerschmidt said.
Messerschmidt said all non-essential, long-distance access out of the school system has been locked down, as well as being locked down at the local AP&T switch.
As far as who pays for calls, Messerschmidt said, usually when the AT&T fraud division discovers fraudulent use and it’s curtailed in a timely manner, the long-distance charges are waived. “We will not know if this is the case, until the billing for this period is received by the school district,” Messerschmidt said.
“AP&T and the school district are considering this a closed issue,” he said.
Messerschmidt was unwilling to say if AP&T or anyone else made attempts to find the source or the destination of the fraudulent calls. He also wouldn’t say whether the utility knew with certainty that the calls were made by someone outside the school district.
Sam McPhetres, who troubleshoots technical issues for the district, said he understood the phone system had been compromised through a remote-access option for voice mail, which has since been shut down, as it wasn’t being used by school staff. Messerschmidt declined comment on the matter.
School superintendent Michael Byer said he would like to see the perpetrators of the scam caught and prosecuted. “But I understand that savvy Internet hackers have ways of hiding their tracks.”
District bookkeeper Judy Erekson said that around the time of the apparent hacking, the school received a number of suspicious phone calls from individuals claiming to be with a survey or clearinghouse, asking for certain school identification numbers.
“They said, ‘You put an application in and we want to make sure and we want to make sure your numbers are fine,’” Erekson said. “When I said, ‘Who’s asking?” they would be vague,” she said. Erekson took down the number of one such caller, which displayed on her phone. When she called it, seeking information, “they just kind of hung up,” Erekson said.
“We were kind of suspicious about that. Then (the calls) stopped. It seems like they were fishing for stuff,” she said.
Callers also asked to be transferred to other school officials. “I wonder if all those transfers are how they got into our voice mail,” Erekson said.