BELTON — It’s the classic conundrum of life in America: Security or freedom. Except in the case of Bell County’s phone system, where it’s security or convenience.
The county’s Technology Service Department updated the Commissioners Court on the anti-intrusion methods being considered to protect the county phone system.
The decision to adopt anti-intrusion measures came after Bell County’s phone systems were penetrated by an unknown number of hackers on two separate occasions.
The first attack, which started Nov. 30, targeted a weak password on an extension in the Road and Bridge Department. Cracking the four-digit password gave the hacker, or hackers, access to the phone’s automated menu system and allowed them to route calls to the Caribbean island nation of Grenada through Bell County’s switchboard.
Jim Chandler, director of Bell County’s Technology Service Department, told commissioners that before the attack, many county employees used their phone extensions as system passwords.
“If a phone number was 933-5000 the password was 5000,” Chandler said. After the attack, an auto-update program was implemented that required county employees to strengthen their phone system passwords.
By exploiting this weakness, the hackers were able to place outgoing calls that appeared to be coming from, and were billed to, Bell County. The attack went on until the morning of Dec. 2 and resulted in a $27,000 phone bill.
Precinct 1 Commissioner Richard Cortese said it was his understanding the messaging feature the hackers exploited had “been turned off at one point.”
It may have been, Chandler said, but the phone system recently “went through 18 software upgrades so it could receive maintenance. It’s possible that one of those upgrades restored default settings.”
A second incursion into the county phone system occurred Dec. 13. While it remains unclear if the two attacks were related, they both employed similar methodology.
The second attack also involved someone defeating the voicemail password on a different phone, Chandler said.
After gaining access to the voicemail system, the hackers “used the ‘forwarding voice message’ feature to leave an actual message on the phone and then forward the voice message to an international number” also located in Grenada, Chandler said.
He updated the commissioners about the results of an internal investigation into the Dec. 13 attack and a presumed attack Dec. 27.
“After reviewing our logs, we determined that the Dec. 13 attack only lasted about 20 seconds and cost the county 50 cents,” Chandler said.
“There also was no third attack. We looked at our logs and realized that it was a legitimate call.”
After the Dec. 13 attack, the Technology Services Department limited the forward message feature to be able only to send messages to county extensions.
Precinct 2 Commissioner Tim Brown asked why the feature wasn’t disabled completely.
“It’s used a lot by county employees,” said Claire Turner, a technology services employee who was present at the meeting. She provided the example of a phone call that comes in to one county commissioner’s office when, for whatever reason, it needed to go to another.
New security features
The new security features presented ranged from mildly intrusive, behind the scenes processes that restructured how the county addresses long distance access, to a plan that would create one single listed phone number for Bell County.
“It’d be like Scott & White or a large corporation,” Chandler said. “If someone called in, they’d have to either talk to an operator or go through an automated menu to find the department they want.”
The idea of installing what Chandler estimated could be up to “six or seven menus” on the county phone system before callers could speak to an employee was not warmly received by commissioners. “We’d have to have a huge bank of operators,” County Judge Jon Burrows said. “It’s just not practical.”