Sjur Usken

Views on new technologies and business opportunities from Sjur Usken

Monthly Archives: September 2010

400% rise in telecom fraud in New Zealand


The Telecommunications Industry Group (TIG) in New Zealand has seen telecom fraud quadruple in 2010. Private (automatic) branch exchange (PABX) software can be downloaded for free and installed on an older PC, but it is often not secured well enough, which leaves the PABX open to exploitation. TIG has published a list of the minimum(!) steps you need to take to make your system more secure.

Some practical tips for preventing PABX hacking

  1. Choose a strong password: Voicemail and DISA passwords should be changed on a regular basis, avoiding factory defaults and obvious combinations such as 1234 or the extension number.
  2. Change it: Make sure all security features – passwords, PINS etc – are changed following installation, upgrade and fault/maintenance. Don’t forget to reset password defaults.
  3. Keep it confidential: Keep all internal information such as directories, call logging reports and audit logs confidential. Destroy them appropriately if no longer required.
  4. Regular Review:
    • Review system security and configuration settings regularly. Follow up any vulnerabilities or irregularities.
    • Review your PABX call logging/reporting material regularly and analyse it for increases in call volumes or suspicious destinations.
  5. Callers: Be vigilant against bogus callers – for example, people posing as company employees – who ask to be connected to switchboard operators to get an outgoing line.
  6. Employees: Develop processes to cover employee entry procedures, passcards, new employee vetting and people leaving and changing jobs. Formally revoke their access to systems, mailboxes and buildings.
  7. Vendor Terms and conditions: Make sure you have the right terms and conditions reflected in your contracts with your PABX, VoIP and/or voicemail maintainer in order to keep your system regularly maintained and serviced to stay safe.
  8. De-activate, Restrict, Bar:
    • Remove or de-activate all unnecessary system functionality including remote access ports. If remote access ports are used, consider using strong authentication such as smartcards/tokens.
    • Restrict any destinations that should not normally be dialed: for example, premium rate, international, operator and directory enquiry numbers.
    • Restrict access to equipment eg. your comms room and master terminals.
    • Only give the appropriate and minimum level of system access required to carry out a task.
    • Bar voicemail ports for outgoing access to trunks if possible. If access to trunks via voicemail is necessary then implement suitable controls. Remove auto attendant options for accessing trunks.
    • Lock surplus mailboxes until allocated to a user.
    • If DISA is not used then disable it completely.
  9. Tones: Avoid using tones to prompt for password/PIN entry: these are often used by hacking programs to detect where the PIN goes.

I would also like to add:

  • Apply security updates BOTH to your server and to the phones.
  • Don’t expose the PABX or the phones on public IPs.
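Two of the checks in that list can be automated: reviewing the call logs for volume spikes and suspicious destinations (item 4), and catching calls to destinations that should be barred or that were placed through voicemail (item 8). The script below is an added example in Python, not TIG's or this post's code. The CDR export format, the prefix table (NZ-style "00" for international and "0900" for premium rate), the `voicemail` source label and the sample records are constructed assumptions; adapt them to whatever your PABX exports.

```python
import csv
from collections import Counter
from datetime import datetime
from io import StringIO

# Assumed dialling plan (New Zealand style): "00" = international, "0900" = premium rate.
PREMIUM_PREFIXES = ("0900",)
INTERNATIONAL_PREFIX = "00"
# Assumed source label your PABX puts on calls placed through voicemail / auto attendant.
VOICEMAIL_SOURCE = "voicemail"

# Constructed sample CDRs: timestamp, source, dialled number, duration in seconds.
SAMPLE_CDRS = """\
timestamp,src,dst,duration
2010-09-14 09:12:05,201,0493334444,65
2010-09-14 09:40:11,201,0493334455,120
2010-09-14 10:02:30,203,0900123456,300
2010-09-15 02:10:00,voicemail,0037212345678,610
2010-09-15 02:11:30,voicemail,0037212345679,598
2010-09-15 02:13:02,voicemail,0037212345680,640
2010-09-15 02:14:45,voicemail,0037212345681,620
2010-09-15 02:16:10,voicemail,0037212345682,605
2010-09-15 02:17:55,voicemail,0037212345683,630
"""


def classify_destination(number):
    """Bucket a dialled number into the classes TIG says should normally be barred."""
    if number.startswith(PREMIUM_PREFIXES):
        return "premium"
    if number.startswith(INTERNATIONAL_PREFIX):
        return "international"
    return "domestic"


def parse_cdrs(text):
    """Read the CSV export into dicts with a parsed timestamp."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        rows.append({"ts": datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S"),
                     "src": row["src"], "dst": row["dst"], "duration": int(row["duration"])})
    return rows


def review_cdrs(text, max_calls_per_hour=3):
    """Return alerts ({'kind', 'src', 'detail'}) for the signs TIG lists: calls to barred
    destination classes, trunk calls that originate from voicemail, and per-source call
    volume spikes (more than max_calls_per_hour calls in one clock hour)."""
    alerts = []
    per_hour = Counter()
    for r in parse_cdrs(text):
        kind = classify_destination(r["dst"])
        if kind != "domestic":
            alerts.append({"kind": "barred-class", "src": r["src"],
                           "detail": f"{kind} call to {r['dst']} ({r['duration']}s)"})
        if r["src"] == VOICEMAIL_SOURCE:
            alerts.append({"kind": "voicemail-trunk", "src": r["src"],
                           "detail": f"voicemail placed an outside call to {r['dst']}"})
        per_hour[(r["src"], r["ts"].strftime("%Y-%m-%d %H"))] += 1
    for (src, hour), n in sorted(per_hour.items()):
        if n > max_calls_per_hour:
            alerts.append({"kind": "volume-spike", "src": src,
                           "detail": f"{n} calls in the hour starting {hour}:00"})
    return alerts


def international_minutes(text):
    """Total minutes of international calling: the bill the fraudster is running up."""
    return sum(r["duration"] for r in parse_cdrs(text)
               if classify_destination(r["dst"]) == "international") / 60


if __name__ == "__main__":
    for a in review_cdrs(SAMPLE_CDRS):
        print(f"{a['kind']:16} {a['src']:10} {a['detail']}")
    print(f"international minutes: {international_minutes(SAMPLE_CDRS):.1f}")
```

On the sample data the night-time burst from the voicemail port to an international destination fires all three checks at once, which is exactly the pattern behind most of the PABX fraud TIG describes: a hacked mailbox used as a gateway to the trunks after hours. Run it daily against the previous day's export and page someone on any `voicemail-trunk` or `volume-spike` alert.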

The Honeynet Project has also picked up extensive scanning in Australia. Which country will be next?

VoIP Abuse project – block the scanners


People have gotten tired of the VoIP scanning. Sometimes the scanners manage to abuse the PBX, and if not they at least fill up the logs with all the attempts. So Mr. Oquendo started a list of IP addresses and networks that should be blocked:

The VoIP Abuse Project is aimed at minimizing abuse for networks that have publicly accessible PBXs. As a security engineer at a managed service provider, one of our services is VoIP. Throughout the course of the day, I got so tired of seeing VoIP-based brute force attempts that I decided to out companies who sit around and choose to do nothing about the attacks coming from their networks. As a courtesy I often take the time out of my work day to write constant emails to abuse and security desks which go nowhere.

The link: http://www.infiltrated.net/voipabuse/

Personally I think companies should have a whitelist, only enabling the IPs you really need to allow traffic from, but that is not easy if you are a VoIP provider with clients all over the world.

Next step on this list would be to automate the whole process.
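What automating it could look like, as an added example that is neither the VoIP Abuse Project's code nor this post's: count SIP failures per source address in the PABX log, merge the offenders with a shared blocklist, keep a whitelist of peers that must never be blocked, and emit firewall rules. The log lines are constructed in the style of Asterisk chan_sip notices (an assumption about your PABX's log format); the blocklist entries, the whitelist ranges and the threshold are assumptions too.

```python
import ipaddress
import re
from collections import Counter

# Constructed log excerpt in the style of Asterisk 1.8 chan_sip NOTICE lines (assumption).
SAMPLE_LOG = """\
[Sep 14 03:12:01] NOTICE[2231] chan_sip.c: Registration from '"100"<sip:100@10.0.0.5>' failed for '202.71.111.5:5060' - Wrong password
[Sep 14 03:12:01] NOTICE[2231] chan_sip.c: Registration from '"101"<sip:101@10.0.0.5>' failed for '202.71.111.5:5060' - No matching peer found
[Sep 14 03:12:02] NOTICE[2231] chan_sip.c: Registration from '"102"<sip:102@10.0.0.5>' failed for '202.71.111.5:5060' - No matching peer found
[Sep 14 03:12:02] NOTICE[2231] chan_sip.c: Registration from '"103"<sip:103@10.0.0.5>' failed for '202.71.111.5:5060' - No matching peer found
[Sep 14 03:15:40] NOTICE[2231] chan_sip.c: Call from '' (198.51.100.7:5060) to extension '0037212345678' rejected because extension not found in context 'default'.
[Sep 14 03:15:41] NOTICE[2231] chan_sip.c: Call from '' (198.51.100.7:5060) to extension '900037212345678' rejected because extension not found in context 'default'.
[Sep 14 03:15:41] NOTICE[2231] chan_sip.c: Call from '' (198.51.100.7:5060) to extension '9900037212345678' rejected because extension not found in context 'default'.
[Sep 14 03:15:42] NOTICE[2231] chan_sip.c: Call from '' (198.51.100.7:5060) to extension '0110037212345678' rejected because extension not found in context 'default'.
[Sep 14 08:00:13] NOTICE[2231] chan_sip.c: Registration from '"200"<sip:200@10.0.0.5>' failed for '203.0.113.9:5060' - Wrong password
[Sep 14 08:00:14] NOTICE[2231] chan_sip.c: Registration from '"200"<sip:200@10.0.0.5>' failed for '203.0.113.9:5060' - Wrong password
[Sep 14 08:00:15] NOTICE[2231] chan_sip.c: Registration from '"200"<sip:200@10.0.0.5>' failed for '203.0.113.9:5060' - Wrong password
[Sep 14 08:00:16] NOTICE[2231] chan_sip.c: Registration from '"200"<sip:200@10.0.0.5>' failed for '203.0.113.9:5060' - Wrong password
[Sep 14 11:30:00] NOTICE[2231] chan_sip.c: Registration from '"300"<sip:300@10.0.0.5>' failed for '192.0.2.44:5060' - Wrong password
"""

# Assumptions: a shared blocklist in the VoIP Abuse Project spirit, and the peers you can
# never afford to block (your SIP trunk provider's range, your own LAN).
EXTERNAL_BLOCKLIST = ["192.0.2.0/24"]
WHITELIST = ["203.0.113.0/24", "10.0.0.0/8"]

# Source address of a failed REGISTER ("failed for 'IP:port'") or of an INVITE to an
# unknown extension ("Call from '' (IP:port) to extension ...").
FAILURE_RE = re.compile(
    r"(?:failed for '|Call from '[^']*' \()(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+")


def count_failures(log_text):
    """Count SIP authentication / routing failures per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def build_blocklist(log_text, external, whitelist, threshold=3):
    """Merge log offenders (at least `threshold` failures) with the shared list, drop
    anything that overlaps the whitelist, and collapse into a sorted list of networks."""
    allowed = [ipaddress.ip_network(w) for w in whitelist]
    candidates = [ipaddress.ip_network(n) for n in external]
    candidates += [ipaddress.ip_network(ip) for ip, n in count_failures(log_text).items()
                   if n >= threshold]
    keep = [c for c in candidates if not any(c.overlaps(w) for w in allowed)]
    return list(ipaddress.collapse_addresses(keep))


def iptables_rules(networks, port=5060):
    """Render one DROP rule per network for the SIP signalling port."""
    return [f"iptables -I INPUT -s {net} -p udp --dport {port} -j DROP" for net in networks]


if __name__ == "__main__":
    for rule in iptables_rules(build_blocklist(SAMPLE_LOG, EXTERNAL_BLOCKLIST, WHITELIST)):
        print(rule)
```

Note what the whitelist does in the sample: 203.0.113.9 racks up just as many failures as the scanners (a customer with a mistyped password, say) but sits in the trunk provider's range and is never blocked. An automated rule that blocks your carrier is an outage, not a security win. In production the same loop is what fail2ban's asterisk jail does; the whitelist is the part people forget to configure.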

A new phrase: open sip relay


Most of the abuse nowadays targets open SIP servers, much like the old open mail relays that spammers pushed their spam through. So we will use the phrase open SIP relay for what the current scanning is looking for. Nothing new, just another protocol (but with much more money in it than spam, once you find one…)

Open SIP relay, by my definition: a SIP server that accepts SIP messages from anyone and forwards them to anyone (even out onto the PSTN).

Cool way to make a video


Xtranormal.com is an easy way to make simple videos. You can see mine about telecom fraud here (37 seconds).

Enjoy!

Don't have your IP phone on a public IP


My friend Thomas sent me this. He has a Polycom telephone on a public IP. Nice when some computer calls you in the evening…

Picture: Copyright Thomas Nilsen (C) 3MT.no

The owner of the IP:

status:       ALLOCATED PORTABLE
source:       APNIC

person:       Chinanet Hostmaster
nic-hdl:      CH93-AP
e-mail:       anti-spam@ns.chinanet.cn.net
address:      No.31 ,jingrong street,beijing
address:      100032
phone:        +86-10-58501724
fax-no:       +86-10-58501724
country:      CN
changed:      dingsy@cndata.com 20070416
mnt-by:       MAINT-CHINANET
source:       APNIC

person:       Wu Xiao Li
address:      Room 805,61 North Si Chuan Road,Shanghai,200085,PRC
country:      CN
phone:        +86-21-63630562
fax-no:       +86-21-63630566
e-mail:       ip-admin@mail.online.sh.cn
nic-hdl:      XI5-AP
mnt-by:       MAINT-CHINANET-SH
changed:      ip-admin@mail.online.sh.cn 20010510
source:       APNIC

so hard to get any further on this…

An old SIP scanning has started again.


For those who remember: back in 2008 there was a large scan in Germany where customers with softphones got incoming calls (very annoying at night). It has now started again. A good paper from ipcom.at describes it extensively.

What caught my attention were the very long branch and Call-ID fields. They contain the IP of the scanner, the scanned victim, the phone number being called and several other fields (if you know what the rest of the codes are, please let me know!)

INVITE sip:82727117149111@the.honeypot.ip;transport=udp SIP/2.0
Via: SIP/2.0/UDP 202.71.111.5:3916;branch=11010010111010001010101000110202.71.111.5the.honeypot.ip751302518;rport
Max-Forwards: 70
From: <sip:736115896703798455@the.honeypot.ip>;tag=5475511560139881995954755115605475511560202.71.111.5
To: <sip:82727117149111@the.honeypot.ip>
Call-ID: ed6681d610110011110110100100110111000011010010111010001010101000110202.71.111.5the.honeypot.ip7513025181c895d9827271171491115475511560139881995954755115605475511560202.71.111.51621419374
CSeq: 1 INVITE
Contact: <sip:1c895d9@202.71.111.5:3916;transport=udp>
Content-Type: application/sdp
Allow: ACK, BYE, CANCEL, INFO, INVITE, MESSAGE, NOTIFY, OPTIONS, PRACK, REFER, REGISTER, SUBSCRIBE, UPDATE, PUBLISH
User-Agent: eyeBeam release 1003s stamp 31159
Content-Length: 208

v=0
o=- 16264 18299 IN IP4 the.honeypot.ip
s=CounterPath eyeBeam 1.5
c=IN IP4 the.honeypot.ip
t=0 0
m=audio 34222 RTP/AVP 18 0 8 101
a=fmtp:18 annexb=no
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15

And no, it is definitely not "CounterPath eyeBeam 1.5" but a custom-made scanner: any RFC 3261-compliant user agent starts the Via branch with the magic cookie z9hG4bK, and this one does not. This is just an indication that people are willing to put money into developing software to attack these insecure VoIP servers.
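To make two points on this page concrete, the open SIP relay definition from earlier and the fingerprint of the scanner behind this INVITE, here is an added Python example (not the post author's or ipcom.at's code). It parses the INVITE quoted above, keeping the post's own `the.honeypot.ip` redaction of the target, lists the tell-tale signs the scanner leaves (a Via branch without the z9hG4bK magic cookie RFC 3261 requires; the sender's IP and the dialled number copied into the branch, the From tag and the Call-ID; an SDP that names the target as the media source), and then shows the decision a front end should make so that it is not an open relay. The second, well-formed INVITE, the served-domain set, the three-digit extension plan and the trusted-trunk address are constructed assumptions.

```python
import re

MAGIC_COOKIE = "z9hG4bK"  # RFC 3261 section 8.1.1.7: a compliant Via branch starts with this
LOCAL_EXTENSION = re.compile(r"^\d{3}$")  # assumed numbering plan: three-digit extensions

# The scanner INVITE quoted above (the.honeypot.ip is the post's redaction of the target).
SCAN_INVITE = (
    "INVITE sip:82727117149111@the.honeypot.ip;transport=udp SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 202.71.111.5:3916;branch=11010010111010001010101000110202.71.111.5the.honeypot.ip751302518;rport\r\n"
    "Max-Forwards: 70\r\n"
    "From: <sip:736115896703798455@the.honeypot.ip>;tag=5475511560139881995954755115605475511560202.71.111.5\r\n"
    "To: <sip:82727117149111@the.honeypot.ip>\r\n"
    "Call-ID: ed6681d610110011110110100100110111000011010010111010001010101000110202.71.111.5the.honeypot.ip7513025181c895d9827271171491115475511560139881995954755115605475511560202.71.111.51621419374\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:1c895d9@202.71.111.5:3916;transport=udp>\r\n"
    "Content-Type: application/sdp\r\n"
    "User-Agent: eyeBeam release 1003s stamp 31159\r\n"
    "Content-Length: 208\r\n\r\n"
    "v=0\r\no=- 16264 18299 IN IP4 the.honeypot.ip\r\ns=CounterPath eyeBeam 1.5\r\n"
    "c=IN IP4 the.honeypot.ip\r\nt=0 0\r\nm=audio 34222 RTP/AVP 18 0 8 101\r\n"
)

# Constructed, well-formed INVITE from a phone at 203.0.113.10 to local extension 201.
GOOD_INVITE = (
    "INVITE sip:201@the.honeypot.ip SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK776asdhds;rport\r\n"
    "From: <sip:205@the.honeypot.ip>;tag=1928301774\r\n"
    "To: <sip:201@the.honeypot.ip>\r\n"
    "Call-ID: a84b4c76e66710@203.0.113.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:205@203.0.113.10:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)

def parse_sip(raw):
    """Split a SIP request into method, Request-URI, lower-cased header dict and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "headers": headers, "body": body}

def uri_user_host(uri):
    """'<sip:user@host:port;p=v>' -> ('user', 'host'); user is '' when absent."""
    m = re.search(r"sips?:(?:([^@;>]*)@)?([^:;>]+)", uri)
    return (m.group(1) or "", m.group(2)) if m else ("", "")

def via_parts(via):
    """Top Via header -> (sent-by IP, branch parameter)."""
    sent_by = via.split(";")[0].rsplit(" ", 1)[1]
    m = re.search(r"branch=([^;]+)", via)
    return sent_by.split(":")[0], (m.group(1) if m else "")

def scanner_indicators(msg):
    """Names of the tell-tale signs of this scanner that a request carries ([] when clean)."""
    h = msg["headers"]
    src_ip, branch = via_parts(h["via"])
    dialled, target = uri_user_host(msg["uri"])
    contact_user, _ = uri_user_host(h.get("contact", ""))
    call_id = h.get("call-id", "")
    from_tag = re.search(r"tag=(\S+)", h.get("from", ""))
    sdp_conn = re.search(r"^c=IN IP4 (\S+)", msg["body"], re.M)
    checks = {
        "branch-missing-magic-cookie": not branch.startswith(MAGIC_COOKIE),
        "via-ip-inside-branch": src_ip in branch,
        # short local extensions would match by chance, so only test long (outside) numbers
        "dialled-number-inside-call-id": len(dialled) >= 6 and dialled in call_id,
        "contact-user-inside-call-id": bool(contact_user) and contact_user in call_id,
        "via-ip-inside-from-tag": bool(from_tag) and src_ip in from_tag.group(1),
        # the SDP claims the media will come from the target itself, not from the sender
        "sdp-connection-is-target": bool(sdp_conn) and sdp_conn.group(1) == target and target != src_ip,
    }
    return [name for name, hit in checks.items() if hit]

def relay_decision(msg, served_domains, trusted_trunks):
    """What a non-relaying front end does with an INVITE: ('forward'|'403'|'407', reason).

    Domains we do not serve are refused outright (so this is not an open SIP relay);
    outside numbers are forwarded only from a trusted trunk or an authenticated user; an
    unknown source asking for a local extension is challenged instead of ringing the phone
    (the 'incoming calls at night' symptom described above)."""
    h = msg["headers"]
    src_ip, _ = via_parts(h["via"])
    user, host = uri_user_host(msg["uri"])
    if host not in served_domains:
        return "403", "not our domain: this server does not relay"
    if src_ip in trusted_trunks:
        return "forward", "inbound call from a trusted trunk"
    if "proxy-authorization" not in h:
        if LOCAL_EXTENSION.match(user):
            return "407", "challenge before ringing a local extension"
        return "403", "outside number from an unauthenticated source"
    return "forward", "credentials present (digest verification not shown here)"

if __name__ == "__main__":
    scan = parse_sip(SCAN_INVITE)
    print("indicators:", scanner_indicators(scan))
    print("decision:", relay_decision(scan, {"the.honeypot.ip"}, {"203.0.113.1"}))
```

The User-Agent header is the one field you should not use for detection, since the scanner sets it to whatever it likes; the branch and Call-ID construction is what the tool actually can't help revealing. On the relay side, note that the honeypot request is refused not because it looks like a scan but because a 14-digit outside number arrived from an address that is neither a trusted trunk nor an authenticated user; that rule alone, applied before any dialplan logic, is what separates a PABX from an open SIP relay.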

The status now is frequent use of stand-alone SIPVicious and other scanners, plus two kits doing extensive scanning:

  • User-Agent "sundayddr": started this spring; the scans come from all over the world, with an overweight of Chinese IP addresses.
  • User-Agent "CounterPath" (the one above): active before, and started again in the last month.

And this is just the beginning…. so secure your VoIP servers!