Sjur Usken

Views on new technologies and business opportunities from Sjur Usken

Category Archives: VoIP

MeshPotato featured on Australian radio


David Rowe explains the MeshPotato and Paul Gardner-Stephen talks about the very cool Serval project on national radio in Australia. The focus was on how to bridge the digital divide.

You can hear it here (Mesh Potato from 17+ minutes onwards)


VoIP and other presentations from the Honeynet Project


The yearly Honeynet Workshop has been great every time!

This year we also had a public day for non-members. The presentations are publicly available here.

Enjoy!

Detecting phrases in an encrypted VoIP call


Even if you use an encrypted VoIP connection, the content of your call can be picked up by analyzing the timing and size of the encrypted packets. The attack depends on a Variable Bit Rate (VBR) codec, which compresses only the speech that is actually said, so packet sizes vary with what is spoken. If you encrypt G.711 with no Voice Activity Detection (VAD) enabled (just a continuous stream of data), this phrase recognition is not possible.

This shows that you need to see the “whole” picture when securing your communication.

The full paper is here for more information.

There is also a 27-page presentation here.

GSoC project -> Dionaea with SIP


Are you a student in need of a summer job and interested in VoIP?

Apply to become a Google Summer of Code student and help the Honeynet Project improve the SIP module for Dionaea!

For any questions, join the IRC channel #gsoc-honeynet on freenode (web client available here).

 

Another day, another VoIP fraud (just 13 000 USD..)


This time it was H.323 on a Cisco CallManager that was exploited in some way. My personal guess is just bad configuration, but maybe there is a bug in it as well. From a mailing list:

A company we work closely with, but is not our customer, had their Cisco
Call Manager hacked due to some h.323 vulnerability that I don’t have
full details on yet.  There were a number of calls placed to:

881835211540
881835211556
881835211547

My findings indicate these are Globalstar satellite numbers that cost
somewhere between $4 and $7/minute to call, depending on carrier.  The
victim’s carrier is billing them at $6.50.  The total bill for the event
is around $13k.  This is a small company that can’t really afford this.

If I had a small company connected to a carrier, I would demand credit limits, just as I would not have a 1 million credit limit on my credit cards. Check that your VoIP carrier has effective credit limits!
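A sketch of what a carrier-side credit limit or a blocked destination prefix would have done to these calls, added here as an example (it is not from the original post or the mailing-list thread). The three numbers and the 6.50 USD/min rate come from the quoted message; the call records, the default rate, the 500 USD limit and per-started-minute billing are assumptions.

```python
from collections import defaultdict

BLOCKED_PREFIXES = ("8818",)    # common prefix of the three numbers in the post
RATE_CENTS = {"8818": 650}      # 6.50 USD/min, the rate quoted in the post
DEFAULT_RATE_CENTS = 5          # assumed rate for every other destination
CREDIT_LIMIT_CENTS = 50_000     # assumed limit of 500 USD per billing period

# Constructed call attempts: (account, dialed number, seconds the caller holds).
CDRS = [
    ("acme", "4722334455", 600),
    ("acme", "881835211540", 3600),
    ("acme", "881835211556", 3600),
    ("acme", "881835211547", 3600),
    ("acme", "4722334455", 120),
]

def rate_for(number):
    """Per-minute rate in cents, by longest matching prefix."""
    matches = [p for p in RATE_CENTS if number.startswith(p)]
    return RATE_CENTS[max(matches, key=len)] if matches else DEFAULT_RATE_CENTS

def replay(cdrs, credit_limit=None, blocked=()):
    """Replay attempts under the given controls.

    Returns (cents billed per account, list of rejected attempts)."""
    billed, rejected = defaultdict(int), []
    for account, number, seconds in cdrs:
        if number.startswith(tuple(blocked)):
            rejected.append((account, number, "blocked-destination"))
            continue
        rate = rate_for(number)
        minutes = -(-seconds // 60)  # bill per started minute (assumption)
        if credit_limit is not None:
            # The carrier tears the call down when the remaining credit runs out.
            affordable = (credit_limit - billed[account]) // rate
            if affordable <= 0:
                rejected.append((account, number, "credit-limit"))
                continue
            minutes = min(minutes, affordable)
        billed[account] += minutes * rate
    return dict(billed), rejected

if __name__ == "__main__":
    for label, kw in (("no controls", {}),
                      ("credit limit", {"credit_limit": CREDIT_LIMIT_CENTS}),
                      ("blocked prefix", {"blocked": BLOCKED_PREFIXES})):
        billed, rejected = replay(CDRS, **kw)
        print(label, billed, len(rejected), "rejected")
```

With the limit in place the exposure stops just under the limit regardless of how long the fraud runs; with the prefix blocked the satellite calls never complete at all.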

400% rise in telecom fraud in New Zealand


The Telecommunications Industry Group (TIG) in New Zealand saw telecom fraud quadruple in 2010. Private Branch Exchange (PABX) software can be downloaded for free and installed on an (older) PC, but is then not secured well enough. This leaves the PABX open to exploitation. TIG has made a list of the minimum(!) you need to do to make your system more secure.

Some practical tips for preventing PABX hacking

  1. Choose a strong password: Voicemail and DISA passwords should be changed on a regular basis, avoiding factory defaults and obvious combinations such as 1234 or the extension number.
  2. Change it: Make sure all security features – passwords, PINs etc – are changed following installation, upgrade and fault/maintenance. Don’t forget to reset password defaults.
  3. Keep it confidential: Keep all internal information such as directories, call logging reports and audit logs confidential. Destroy them appropriately if no longer required.
  4. Regular Review:
    • Review system security and configuration settings regularly. Follow up any vulnerabilities or irregularities.
    • Review your PABX call logging/reporting material regularly and analyse it for increases in call volumes or suspicious destinations.
  5. Callers: Be vigilant against bogus callers – for example, people posing as company employees – who ask to be connected to switchboard operators to get an outgoing line.
  6. Employees: Develop processes to cover employee entry procedures, passcards, new employee vetting and people leaving and changing jobs. Formally revoke their access to systems, mailboxes and buildings.
  7. Vendor Terms and conditions: Make sure you have the right terms and conditions reflected in your contracts with your PABX, VoIP and/or voicemail maintainer in order to keep your system regularly maintained and serviced to stay safe.
  8. De-activate, Restrict, Bar:
    • Remove or de-activate all unnecessary system functionality including remote access ports. If remote access ports are used, consider using strong authentication such as smartcards/tokens.
    • Restrict any destinations that should not normally be dialed: for example, premium rate, international, operator and directory enquiry numbers.
    • Restrict access to equipment eg. your comms room and master terminals.
    • Only give the appropriate and minimum level of system access required to carry out a task.
    • Bar voicemail ports for outgoing access to trunks if possible.  If access to trunks via voicemail is necessary then implement suitable controls. Remove auto attendant options for accessing trunks.
    • Lock surplus mailboxes until allocated to a user.
    • If DISA is not used then disable it completely.
  9. Tones: Avoid using tones to prompt for password/PIN entry: these are often used by hacking programmers.

I would also like to add:

  • Security updates BOTH on your server and on the phones
  • Don’t expose the PABX nor the phones on public IPs.

The Honeynet Project has also picked up extensive scanning in Australia. Which country will be next?

Cool way to make a video


Xtranormal.com is an easy way to make simple videos. You can see mine about telecom fraud here (37 seconds).

Enjoy!

Don't have your IP phone on a public IP


My friend Thomas sent me this. He has a Polycom telephone on a public IP. Nice when some computer calls you in the evening…

Picture: Copyright Thomas Nilsen (C) 3MT.no

The owner of the IP:
status:       ALLOCATED PORTABLE
source:       APNIC
person:       Chinanet Hostmaster
nic-hdl:      CH93-AP
e-mail:       anti-spam@ns.chinanet.cn.net

address:      No.31 ,jingrong street,beijing
address:      100032
phone:        +86-10-58501724
fax-no:       +86-10-58501724
country:      CN
changed:      dingsy@cndata.com 20070416

mnt-by:       MAINT-CHINANET
source:       APNIC
person:       Wu Xiao Li
address:      Room 805,61 North Si Chuan Road,Shanghai,200085,PRC

country:      CN
phone:        +86-21-63630562
fax-no:       +86-21-63630566
e-mail:       ip-admin@mail.online.sh.cn
nic-hdl:      XI5-AP
mnt-by:       MAINT-CHINANET-SH

changed:      ip-admin@mail.online.sh.cn 20010510
source:       APNIC

So it is hard to get any further on this…

An old SIP scanning has started again.


The scanning has started again.
Those who remember 2008 will recall a large scan in Germany, where customers with softphones experienced incoming calls (very annoying during the night..). A good paper from ipcom.at describes it extensively.

What caught my attention was the very long branch and Call-ID fields. They contain the IP of the scanner, the IP of the scanned victim, the phone number being called and several other fields (if you know what the rest of the codes are, please let me know!)

INVITE sip:82727117149111@the.honeypot.ip;transport=udp SIP/2.0
Via: SIP/2.0/UDP 202.71.111.5:3916;branch=11010010111010001010101000110202.71.111.5the.honeypot.ip751302518;rport
Max-Forwards: 70
From: <sip:736115896703798455@the.honeypot.ip>;tag=5475511560139881995954755115605475511560202.71.111.5
To: <sip:82727117149111@the.honeypot.ip>
Call-ID: ed6681d610110011110110100100110111000011010010111010001010101000110202.71.111.5the.honeypot.ip7513025181c895d9827271171491115475511560139881995954755115605475511560202.71.111.51621419374
CSeq: 1 INVITE
Contact: <sip:1c895d9@202.71.111.5:3916;transport=udp>
Content-Type: application/sdp
Allow: ACK, BYE, CANCEL, INFO, INVITE, MESSAGE, NOTIFY, OPTIONS, PRACK, REFER, REGISTER, SUBSCRIBE, UPDATE, PUBLISH
User-Agent: eyeBeam release 1003s stamp 31159
Content-Length: 208

v=0
o=- 16264 18299 IN IP4 the.honeypot.ip
s=CounterPath eyeBeam 1.5
c=IN IP4 the.honeypot.ip
t=0 0
m=audio 34222 RTP/AVP 18 0 8 101
a=fmtp:18 annexb=no
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15

And no, it is definitely not “CounterPath eyeBeam 1.5” but a custom-made scanner. This is an indication that people are willing to put money into developing software to attack these insecure VoIP servers.

Status now is frequent use of stand-alone SIPVicious and other scanners, plus two kits doing extensive scanning:

  • The userAgent=sundayddr kit: they started this spring, with scans coming from all over the world but a preponderance of Chinese IP addresses.
  • The current scans with “Counterpath” as User-Agent: they have been active before, and have now started again (scanning during the last month).

And this is just the beginning…. so secure your VoIP servers!
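The traits described above can be checked mechanically on a honeypot or SIP proxy. The following is an added example, not code from this post or from the Honeynet Project: it flags a branch parameter without the RFC 3261 "z9hG4bK" prefix, branch and Call-ID values that embed both the sender's and the target's address, and SDP that names the target's own address as the media endpoint. The benign message, the indicator names and the helper names are assumptions; each hit is an indicator, not proof.

```python
import re

MAGIC = "z9hG4bK"              # RFC 3261: compliant branch IDs start with this
UA_WATCHLIST = ("sundayddr",)  # scanner User-Agent named in the post

# Abridged from the INVITE quoted in the post; Call-ID shortened.
SCANNER = "\r\n".join([
    "INVITE sip:82727117149111@the.honeypot.ip;transport=udp SIP/2.0",
    "Via: SIP/2.0/UDP 202.71.111.5:3916;branch=11010010111010001010101000110"
    "202.71.111.5the.honeypot.ip751302518;rport",
    "Call-ID: ed6681d610110011110110100100110111000011010010111010001010101000110"
    "202.71.111.5the.honeypot.ip751302518",
    "User-Agent: eyeBeam release 1003s stamp 31159",
    "", "v=0", "c=IN IP4 the.honeypot.ip", ""])
# Constructed benign INVITE for contrast (all values hypothetical).
BENIGN = "\r\n".join([
    "INVITE sip:1001@pbx.example.net SIP/2.0",
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds;rport",
    "Call-ID: a84b4c76e66710@192.0.2.10",
    "User-Agent: ExamplePhone 1.0",
    "", "v=0", "c=IN IP4 192.0.2.10", ""])

def first(pattern, text):
    """Return the first capture group of pattern in text, or ''."""
    m = re.search(pattern, text, re.M | re.I)
    return m.group(1) if m else ""

def scan_indicators(msg):
    """Return the names of the scanner indicators present in one SIP INVITE."""
    head, _, body = msg.partition("\r\n\r\n")
    target = first(r"^INVITE \S+@([^;>\s]+)", head)
    source = first(r"^Via:\s*SIP/2\.0/\w+\s+([^:;\s]+)", head)
    branch = first(r"^Via:.*?branch=([^;\s]+)", head)
    call_id = first(r"^Call-ID:\s*(\S+)", head)
    agent = first(r"^User-Agent:\s*(.*?)\s*$", head).lower()
    hits = []
    if not branch.startswith(MAGIC):
        hits.append("branch-no-magic-cookie")
    for name, value in (("branch", branch), ("call-id", call_id)):
        if source and target and source in value and target in value:
            hits.append(name + "-embeds-source-and-target")
    if target and first(r"^c=IN IP4 (\S+)", body) == target:
        hits.append("sdp-address-is-target")
    if any(w in agent for w in UA_WATCHLIST):
        hits.append("ua-watchlist")
    return hits

if __name__ == "__main__":
    print(scan_indicators(SCANNER), scan_indicators(BENIGN))
```

Note that the User-Agent string alone says nothing here: the quoted scanner claims to be eyeBeam, and it is the malformed branch and the self-referencing SDP that give it away.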

Just 10 000 USD in hacking this time..


A VoIP hack that actually reached the public involved just 10 000 USD in fraud. I would say they were lucky. This is just the tip of the iceberg; I hear about so many more that are not reported because the firm or institution does not want to “have been hacked”. The latest news about it is available in Norwegian or translated to English.