web statisticsweb stats

Business Phone Systems

Support Service-Disabled Veterans!
Discount software from Direct Deals
Previous Thread
Next Thread
Print Thread
Rate Thread
Page 1 of 4 1 2 3 4
Joined: Mar 2004
Posts: 20
Member
Member
Offline
Joined: Mar 2004
Posts: 20
Hi, I just set up a Partner ACS 2.0 / Partner Mail VS 4.1 system. Everything's working great, but within 24 hours of setup I heard from the receptionist at the office that she can't log in to P Mail VS to update the auto-attendant greeting.

At first I thought I had written the instructions wrong, but it turns out that the admin password had actually been changed.. I did some reading on the net and was able to get in and reset the admin password, but.. UHHH, isn't this a HUGE problem?

I mean someone can get in and reset the voicemail system to defaults, taking all mailboxes & saved messages with it, in about 30 seconds if they know what they're doing. That could be disastrous for the organization I'm servicing.

They can't afford to upgrade to Partner Messaging; are there any kludges or external solutions to this problem, like putting a touch-tone interpreter on the CO lines and intercepting any sequence that starts with 99# ? I don't care if I have to completely disable external / off-site VM administration; I don't want the VM system to be hacked and messed with or reset.

Thanks for any remarks / tips on this glaring issue. Really idiotic of Avaya/Lucent to have put the dumb backdoor in there in the first place.

Avaya IP Office Help & Support Website
IP Office Help

Avaya IP Office Help & Support Website


FAQs, documentation, videos, updates, and support for the Avaya IP Office business phone system!
Everything you need to know about installing, upgrading, and troubleshooting IP 500v2 and IPO Server Edition systems.

Joined: Feb 2005
Posts: 12,347
Likes: 4
Member
***
Member
***
Offline
Joined: Feb 2005
Posts: 12,347
Likes: 4
Really idiotic of Avaya/Lucent to have put the dumb backdoor in there in the first place.

Well, there has to be a backdoor to get into the system when the admin pass is not known. The Partner Messaging works the same way only those backdoors are not as well known YET. Don't blame Avaya, blame the internet. This is a perfect example of why we will not give out passwords here but will offer to reset your system for you.

As for your situation, can you think of anybody who would want to maliciously change the admin password? Sounds to me like it was done by someone in your office who thought it should be changed or by mistake. This is a new system. Check around, it's always the case that no one will own up to it but I wouldn't suspect a hacker.

-Hal


CALIFORNIA PROPOSITION 65 WARNING: Some comments made by me are known to the State of California to cause irreversible brain damage and serious mental disorders leading to confinement.
Joined: Mar 2001
Posts: 7,350
RIP Admin
*****
RIP Admin
*****
Offline
Joined: Mar 2001
Posts: 7,350
Hal has hit the nail right on the head, other sites and boards freely post passwords which is the WRONG thing to let happen and that is the problem not the equipment.

Example, saw the password string to default a PC mail the other day on a site (won't say which one but it wasn't this one) Any hacker or mad employee had access to it and could really do some damage with it. Not good.


Russ runs a local service and private tech center.

[Linked Image from sundance-communications.com][/url]
Joined: Mar 2004
Posts: 20
Member
Member
Offline
Joined: Mar 2004
Posts: 20
There's no one else in the office even remotely capable of logging in to the voicemail admin account (i.e. they simply don't know how.) Also there are only 5 people in the office; I know them each personally.

The whole "protect the magic codes, don't put them on the Internet!" attitude is a kindergarten, ostrich-head-in-the-sand approach to security known as "Security through Obscurity." It doesn't works when it costs no one a red cent to freely post & copy the "key under the doormat" to a system. (See: en.wikipedia.org/wiki/Security_through_obscurity )

I know you all aren't the programmers of the system, but there's no excuse for putting such blatant back doors into any important system, none except sheer laziness. It should not be possible to reset the system password withou A) being physically on-site with the equipment or B) knowing some piece of unique information such as the system's serial number.

I strongly encourage you to shout at your telecom equipment makers about what a... I can't even find the words, it's so third-grade. What a stupid practice this is.

(P.S. I am not ranting about DEFAULT passwords, I am ranting about UNCLOSEABLE BACK DOORS written into systems.)

Joined: Jun 2001
Posts: 10,949
Moderator-Avaya
*****
Moderator-Avaya
*****
Joined: Jun 2001
Posts: 10,949
To start off with who did you purchase your equip. through?

The key to any telecom equip is getting a good vendor that will take care of you and your equip..

Telecom equip isn't something you go to best buy or e-bay and pick-up if you think anything about your company.

You communication to the outside world should be done by someone who knows what they are doing and not joe blow that does that on the side.

Second you may want to finsh your profile in order to get much help here.

Thanks,


Avaya SMB Authorized Business Partner. ACIS/APSS
ESI Certified Reseller/Installer
www.regal-comm.com
Joined: Mar 2001
Posts: 7,350
RIP Admin
*****
RIP Admin
*****
Offline
Joined: Mar 2001
Posts: 7,350
It doesn't make sense for a hacker to just change the admin password and leave everything else alone, something else is going on here. The backdoor password was never a problem until the internet and people started posting it, you will find most all system have a back door to them.


Russ runs a local service and private tech center.

[Linked Image from sundance-communications.com][/url]
Joined: Feb 2005
Posts: 12,347
Likes: 4
Member
***
Member
***
Offline
Joined: Feb 2005
Posts: 12,347
Likes: 4
To tell the truth you are the first person I have ever heard of to have this problem, and I have been selling Partner systems since they came out. So I don't think this is the big security issue you make it although I'm sure it happens.

People who own Avaya systems are supposed to have a relationship with a dealer who would handle such things a lost admin password and remote administration. There would be no reason for the customer to need the backdoor or even know one existed. Dealers do not divulge such information anyway.

Enter the internet. Buyers think they are getting a slick deal but there is no dealer that they can turn to and tech support is almost non existant or incompetant from gray market sellers. So not only is there a desire to know by the end user but now the information gets freely distributed when it is learned.

So basically by buying off the internet you have screwed yourselves on the security issue.


-Hal


CALIFORNIA PROPOSITION 65 WARNING: Some comments made by me are known to the State of California to cause irreversible brain damage and serious mental disorders leading to confinement.
Joined: Jun 2001
Posts: 10,949
Moderator-Avaya
*****
Moderator-Avaya
*****
Joined: Jun 2001
Posts: 10,949
Could not have said it better myself Hal!

:bow: :thumb:


Avaya SMB Authorized Business Partner. ACIS/APSS
ESI Certified Reseller/Installer
www.regal-comm.com
Joined: Mar 2004
Posts: 20
Member
Member
Offline
Joined: Mar 2004
Posts: 20
Post retracted.

Joined: Mar 2004
Posts: 20
Member
Member
Offline
Joined: Mar 2004
Posts: 20
A brief follow-up to Hal:

Thanks for jumping to the wrong conclusions. I didn't buy the system off the Internet. It was donated to the non-profit organization I'm assisting (after it was decommissioned from another company.)

That non-profit happens not to be able to afford what are I'm sure your quite expensive service rates.

Again, this query has NOTHING to do with whether I do or don't have a service provider; clearly from all that I have read on the internet there simply ARE NO SOLUTIONS to the gaping, intentional security hole, and I find it unlikely that if I were to purchase service from you that I would learn different.

Here, I'll put my money where my mouth is. If someone here has knowledge of the system that would let me configure it such that it was NOT VULNERABLE to outside callers using the standard (very well known, try google) Partner VS 4.1 backdoor admin password to get into the system, I will gladly PAY you $100.00 by PayPal as soon as I verify that your fix, whatever it is, works.

(This offer applies only to the stock system as it is, I'm not paying someone $100 to be told, "Upgrade to Partner Messaging!" or "buy 4 of these gadgets to put on your 4 CO Lines!" If no one can come forward with an answer on my terms I'll consider it conclusive proof that there is no solution and that all that any of you can do is blow smoke about the warm happy feelings that come from an expensive service contract -- meanwhile not having any actual improvement of the disgustingly bad security of the system.)

Thanks.

Page 1 of 4 1 2 3 4

Link Copied to Clipboard
Newest Topics
OfficeServ 500
by phonman123 - 11/08/24 09:08 AM
OfficeServ 7200 enable 4 digit extensions
by Robert Stuart - 11/05/24 05:42 AM
OfficeServ 7200 v4.60b software?
by Robert Stuart - 11/04/24 05:38 PM
CTX 100 Can't Connect with eManager
by stwtech - 11/04/24 04:24 PM
Forum Statistics
Forums84
Topics94,428
Posts639,501
Members49,821
Most Online5,661
May 23rd, 2018
Newest Members
FooF, brianorbrain, AndyW251, Dean Badelek, PCCsup
49,820 Registered Users
Top Posters(30 Days)
Toner 10
pvj 9
R4+Z 4
Who's Online Now
1 members (nortelvoip), 285 guests, and 29 robots.
Key: Admin, Global Mod, Mod
Contact Us | Sponsored by Atcom: One of the best VoIP Phone Canada Suppliers for your business telephone system!| Terms of Service

Sundance Communications is not affiliated with any of the above manufacturers. Sundance Phone System Forums - VOIP & Cloud Phone Help
©Copyright Sundance Communications 1998 - 2024
Powered by UBB.threads™ PHP Forum Software 8.0.0