Thursday, June 15, 2006 2:09 PM
Geoff
Security disaster
Where I currently work, we are quite pedantic when it comes to security. Our industry demands it, and our ability to function as a business demands it. Anyway, we've just found out that one of our telephony providers had a back door to our network for the last two years.
We use an Avaya IP phone system, supplied through another vendor (who shall remain nameless), through which all our office telephones and dial-up voice lines run. What we've just found out today is that there's a remote access point built into the system that allows them to jump in and configure the phones without having to come to our office. This happens through the ISDN line, something we have no control over and can't firewall.
All you have to do to connect is dial into a particular extension and pop the password in. The box then acts as a remote access device and hands out an IP from our DHCP server. We can't firewall the phone boxes, as there are just too many points. They have access to our internal network and the potential to do damage.
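One control that would have surfaced this kind of dial-in the day it was first used is an inventory check on the DHCP server: every lease handed to a hardware address that isn't on the approved-device list gets flagged, and a lease on the phone segment to an unknown device gets flagged loudly. The example below is added here and is not from the original post or from Avaya or the vendor; it parses the DHCPACK line format that ISC dhcpd writes to syslog, but the log lines, the inventory and the interface name for the phone segment (`eth1`) are all constructed for illustration.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Matches the DHCPACK line format ISC dhcpd writes to syslog:
#   DHCPACK on <ip> to <mac> (<hostname>) via <interface>
# The hostname in parentheses is optional.
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+(?:\.\d+){3}) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)

# Constructed inventory for the example: MAC address -> approved device.
APPROVED_DEVICES: Dict[str, str] = {
    "00:04:0d:11:22:01": "Avaya desk phone, reception",
    "00:04:0d:11:22:02": "Avaya desk phone, boardroom",
    "00:0c:29:ab:cd:ef": "file server",
}

# Constructed syslog lines in the ISC dhcpd format. The fourth line is a lease
# handed out on the phone segment to a hardware address nobody in the inventory
# owns, which is what a remote-access box bridging a caller onto the LAN looks like.
SAMPLE_LOG = [
    "Jun 15 09:02:11 dhcp1 dhcpd: DHCPREQUEST for 10.0.5.21 from 00:04:0d:11:22:01 via eth1",
    "Jun 15 09:02:11 dhcp1 dhcpd: DHCPACK on 10.0.5.21 to 00:04:0d:11:22:01 (phone-recep) via eth1",
    "Jun 15 09:05:40 dhcp1 dhcpd: DHCPACK on 10.0.5.22 to 00:04:0d:11:22:02 via eth1",
    "Jun 15 13:47:03 dhcp1 dhcpd: DHCPACK on 10.0.5.77 to 00:50:56:de:ad:01 via eth1",
    "Jun 15 13:50:19 dhcp1 dhcpd: DHCPACK on 10.0.1.40 to 00:0c:29:ab:cd:ef (fileserver) via eth0",
]


def parse_ack(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Return (ip, mac, hostname, iface) for a DHCPACK line, or None for any other line."""
    m = DHCPACK_RE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("mac").lower(), m.group("host") or "", m.group("iface")


def find_unexpected_leases(
    lines: Iterable[str],
    approved: Dict[str, str],
    voice_ifaces: Tuple[str, ...] = ("eth1",),  # assumed: interface(s) serving the phone VLAN
) -> List[Tuple[str, str, str]]:
    """Return one (ip, mac, reason) tuple per lease granted to a device not in the inventory.

    Leases on an interface that serves the phone segment are labelled as such so they can
    be escalated; anything else on that segment should be a phone already in the inventory.
    """
    findings: List[Tuple[str, str, str]] = []
    for line in lines:
        parsed = parse_ack(line)
        if parsed is None:
            continue  # requests, offers and unrelated log lines are ignored
        ip, mac, _host, iface = parsed
        if mac in approved:
            continue
        where = "phone segment" if iface in voice_ifaces else "segment " + iface
        findings.append((ip, mac, f"lease to unknown device on {where}"))
    return findings


if __name__ == "__main__":
    for ip, mac, reason in find_unexpected_leases(SAMPLE_LOG, APPROVED_DEVICES):
        print(f"ALERT {ip} {mac}: {reason}")
```

In practice the inventory would be generated from the phone system's own configuration export rather than typed by hand, and the check would run on each new lease rather than over a saved log; the point is that a lease the inventory cannot explain is worth a phone call to the vendor before anyone else notices it.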
On top of this, they use the same password for each of their customers! Now we know the extension and the password, there's nothing to stop us from finding out their other customers (their website has testimonials on it) and dialing into their network.
I can't completely blame them. We put an appliance on our network that we didn't fully audit. At the same time, you'd think they'd at least put some decent practices around how they deal with this. We don't know if their hardware is safe, how many employees know the password, or how many customers know the password.
This sort of lapse of security shouldn't happen these days. That's just too easy. We've taken measures now to close the hole. The extension has been shut down, and we've changed the password. They're no longer allowed remote access into the phone boxes. If they want to configure something, they have to come here and we'll just wear the cost of a site visit. The security of this company is not worth a couple of hundred bucks.
Live and learn, I suppose.
Filed Under: Architecture, Security