Sjur Usken

Views on new technologies and business opportunities from Sjur Usken

MeshPotato gets press coverage!

The MeshPotato, the future of the Internet?


Imagine a technology where you only needed two devices to call each other and get an IP connection. If more members joined, the only thing they needed was this device, and the network would grow stronger and stronger, each member helping it grow in range and robustness. Communication would be free: each member pays for their own device, and that device becomes part of the network.

When the network has grown very large, there would be free management tools to plot all devices on a map, giving a very good overview of the whole network and easing further expansion.

And this is reality! The Village Telco project has spent three years making it real, creating the MeshPotato. The MeshPotato is a very low-power WLAN mesh and VoIP device that builds its network as it is rolled out. It uses 2.4 GHz WLAN to form a mesh network and runs IP and VoIP traffic over it.
The Village Telco project uses open source tools like Afrimesh and A2Billing to create a full management and billing system, all free to download and deploy.
And all you need to start is two MeshPotatoes. What is stopping you?
The future is bright!

400% rise in telecom fraud in New Zealand


The Telecommunications Industry Group (TIG) in New Zealand has seen telecom fraud quadruple in 2010. Private Branch Exchange (PABX) software can be downloaded for free and installed on an (older) PC, but it is often not secured well enough. This leaves the PABX open to exploitation. TIG has made a list of the minimum(!) you need to do to make your system more secure.

Some practical tips for preventing PABX hacking

  1. Choose a strong password: Voicemail and DISA passwords should be changed on a regular basis, avoiding factory defaults and obvious combinations such as 1234 or the extension number.
  2. Change it: Make sure all security features – passwords, PINs etc. – are changed following installation, upgrade and fault/maintenance. Don’t forget to reset password defaults.
  3. Keep it confidential: Keep all internal information such as directories, call logging reports and audit logs confidential. Destroy them appropriately if no longer required.
  4. Regular Review:
    • Review system security and configuration settings regularly. Follow up any vulnerabilities or irregularities.
    • Review your PABX call logging/reporting material regularly and analyse it for increases in call volumes or suspicious destinations.
  5. Callers: Be vigilant against bogus callers – for example, people posing as company employees – who ask to be connected to switchboard operators to get an outgoing line.
  6. Employees: Develop processes to cover employee entry procedures, passcards, new employee vetting and people leaving and changing jobs. Formally revoke their access to systems, mailboxes and buildings.
  7. Vendor Terms and conditions: Make sure you have the right terms and conditions reflected in your contracts with your PABX, VoIP and/or voicemail maintainer in order to keep your system regularly maintained and serviced to stay safe.
  8. De-activate, Restrict, Bar:
    • Remove or de-activate all unnecessary system functionality including remote access ports. If remote access ports are used, consider using strong authentication such as smartcards/tokens.
    • Restrict any destinations that should not normally be dialed: for example, premium rate, international, operator and directory enquiry numbers.
    • Restrict access to equipment, e.g. your comms room and master terminals.
    • Only give the appropriate and minimum level of system access required to carry out a task.
    • Bar voicemail ports for outgoing access to trunks if possible.  If access to trunks via voicemail is necessary then implement suitable controls. Remove auto attendant options for accessing trunks.
    • Lock surplus mailboxes until allocated to a user.
    • If DISA is not used then disable it completely.
  9. Tones: Avoid using tones to prompt for password/PIN entry: these are often used by hacking programs.

I would also like to add:

  • Security updates BOTH on your server and on the phones
  • Don’t expose the PABX nor the phones on public IPs.
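Item 4 of the TIG list asks you to review call logging regularly for volume increases and suspicious destinations. The script below is an added example (not part of the TIG list or this post) of what such a review can look like when automated. The CDR format is a constructed, simplified one (timestamp, extension, dialled number, duration in seconds); the sample records, the home-country prefix, the suspicious-prefix table, the night-hours window and the burst threshold are all assumptions that would be tuned per site.

```python
"""Flag suspicious outbound call patterns in PABX call-logging (CDR) data.

Added example; the CDR layout and all thresholds below are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample CDR lines: ISO timestamp, extension, dialled number, seconds.
SAMPLE_CDR = """\
2010-10-12T09:14:03,201,+4722334455,95
2010-10-12T11:02:41,204,+4798765432,310
2010-10-13T02:11:09,210,+25261234567,1840
2010-10-13T02:12:30,210,+25261234568,1790
2010-10-13T02:13:55,210,+25261234569,1820
2010-10-13T02:15:02,210,+25261234570,1775
2010-10-13T09:30:00,201,+4722334455,60
"""

# Assumed policy: destinations this PABX should rarely or never dial.
SUSPICIOUS_PREFIXES = {
    "+252": "Somalia (international)",
    "+4782": "assumed premium-rate prefix",
}
HOME_PREFIX = "+47"          # assumed home country (Norway)
NIGHT_HOURS = range(0, 6)    # 00:00-05:59 counts as outside business hours (assumption)
BURST_THRESHOLD = 3          # out-of-hours calls per extension per day before flagging


def parse_cdr(text):
    """Parse the constructed CDR format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ext, number, secs = line.split(",")
        records.append({"time": datetime.fromisoformat(ts), "ext": ext,
                        "number": number, "secs": int(secs)})
    return records


def classify_destination(number):
    """Return a label for a destination worth a second look, or None if it looks normal."""
    for prefix, label in SUSPICIOUS_PREFIXES.items():
        if number.startswith(prefix):
            return label
    if not number.startswith(HOME_PREFIX):
        return "international"
    return None


def review(records):
    """Return human-readable findings: suspicious destinations and out-of-hours bursts."""
    findings = []
    night_calls = defaultdict(list)
    for r in records:
        label = classify_destination(r["number"])
        if label:
            findings.append(f"{r['time']:%Y-%m-%d %H:%M} ext {r['ext']} -> {r['number']} "
                            f"({label}, {r['secs']}s)")
        if r["time"].hour in NIGHT_HOURS:
            night_calls[(r["time"].date(), r["ext"])].append(r)
    # A single extension placing many calls at night is the classic sign of a hijacked PBX.
    for (day, ext), calls in night_calls.items():
        if len(calls) >= BURST_THRESHOLD:
            total = sum(c["secs"] for c in calls)
            findings.append(f"{day} ext {ext}: {len(calls)} out-of-hours calls, {total}s total")
    return findings


def daily_volume(records):
    """Calls per day, for spotting the volume increases the TIG list mentions."""
    return Counter(r["time"].date().isoformat() for r in records)


if __name__ == "__main__":
    recs = parse_cdr(SAMPLE_CDR)
    for line in review(recs):
        print(line)
    print(dict(daily_volume(recs)))
```

Run against the sample, the four night-time calls from extension 210 to Somalia produce both per-call destination findings and a burst finding; a real deployment would feed the previous day's CDR export into `parse_cdr` and mail the findings to whoever owns the PABX.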

The Honeynet Project has also picked up extensive scanning in Australia. Which country will be next?

VoIP Abuse project – block the scanners


People have gotten tired of the VoIP scanning. Sometimes the scanners manage to abuse the PBX, or they just fill up the logs with all the attempts. So Mr. Oquendo started a list of IP addresses and networks that should be blocked.

The VoIP Abuse Project is aimed at minimizing abuse for networks that have publicly accessible PBX’s. As a security engineer at a managed service provider, one of our services is VoIP. Throughout the course of the day, I got tired of seeing VoIP based brute force attempts that I decided to out companies who sit around and choose to do nothing about the attacks coming from their networks. As a courtesy I often take the time out of my work day to write constant emails to abuse and security desks which go nowhere.

The link: http://www.infiltrated.net/voipabuse/

Personally I think companies should have a whitelist, enabling only the IPs you really need to allow traffic from, but that is not easy if you are a VoIP provider with clients all over the world.

Next step on this list would be to automate the whole process.
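One way to automate the blocking, as an added example (not the VoIP Abuse Project's own tooling and not code from this post): count SIP registration failures per source address from the PBX log, skip addresses inside a whitelist of known customer networks, and render firewall rules for the rest. The log lines are constructed in the style of Asterisk 1.x chan_sip NOTICE messages; the threshold, the whitelist network and the port are assumptions. The function only returns the iptables commands as strings, it does not run them.

```python
"""Turn SIP registration failures into firewall block candidates (whitelist-aware).

Added example; log lines, threshold and whitelist are constructed assumptions.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (Asterisk 1.x chan_sip style).
SAMPLE_LOG = """\
[Oct 12 03:01:05] NOTICE[2211] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.5' - Wrong password
[Oct 12 03:01:05] NOTICE[2211] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
[Oct 12 03:01:06] NOTICE[2211] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
[Oct 12 03:01:06] NOTICE[2211] chan_sip.c: Registration from '"103" <sip:103@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
[Oct 12 03:01:07] NOTICE[2211] chan_sip.c: Registration from '"104" <sip:104@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
[Oct 12 08:15:22] NOTICE[2211] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Oct 12 08:15:40] NOTICE[2211] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Oct 12 09:00:00] NOTICE[2211] chan_sip.c: Registration from '"300" <sip:300@192.0.2.10>' failed for '198.51.100.200' - Wrong password
[Oct 12 09:00:01] NOTICE[2211] chan_sip.c: Registration from '"301" <sip:301@192.0.2.10>' failed for '198.51.100.200' - No matching peer found
[Oct 12 09:00:02] NOTICE[2211] chan_sip.c: Registration from '"302" <sip:302@192.0.2.10>' failed for '198.51.100.200' - No matching peer found
[Oct 12 09:00:03] NOTICE[2211] chan_sip.c: Registration from '"303" <sip:303@192.0.2.10>' failed for '198.51.100.200' - No matching peer found
"""

FAILED_RE = re.compile(r"Registration from '.*?' failed for '(?P<ip>[0-9.]+)'")
THRESHOLD = 4   # assumed: failures from one source before it becomes a block candidate
# Assumed whitelist: networks of known customers are never blocked, however noisy.
WHITELIST = [ipaddress.ip_network("198.51.100.0/25")]


def count_failures(log_text):
    """Count registration failures per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def is_whitelisted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WHITELIST)


def block_candidates(log_text, threshold=THRESHOLD):
    """Source IPs at or over the threshold that are not whitelisted, noisiest first."""
    counts = count_failures(log_text)
    return [ip for ip, n in counts.most_common()
            if n >= threshold and not is_whitelisted(ip)]


def iptables_rules(ips, port=5060):
    """Render DROP rules for UDP SIP signalling; returned as strings, never executed here."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport {port} -j DROP" for ip in ips]


if __name__ == "__main__":
    for rule in iptables_rules(block_candidates(SAMPLE_LOG)):
        print(rule)
```

In the sample, 203.0.113.5 and 198.51.100.200 cross the threshold; 198.51.100.7 is inside the whitelisted customer network and is left alone even though it fails twice. Feeding the output of `block_candidates` into a shared list is exactly the step the VoIP Abuse Project does by hand.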

A new phrase: open sip relay


Most abuse nowadays targets open SIP servers, just like the old open mail relays that spammers relayed spam through. So we will use the phrase open SIP relay for the scanning going on nowadays. Nothing new, just another protocol (but with much more money in it than spam when you find one… )

Open SIP relay, by my definition, is a SIP server that is open to sending SIP messages from anyone to anyone (even channelling them through the PSTN network).

Cool way to make a video


Xtranormal.com is an easy way to make simple videos. You can see mine about telecom fraud here (37 seconds).

Enjoy!

Don't have your IP phone on a public IP


My friend Thomas sent me this. He has a Polycom telephone on a public IP. Nice when some computer calls you in the evening…

Picture: Copyright Thomas Nilsen (C) 3MT.no

The owner of the IP:

status:       ALLOCATED PORTABLE
source:       APNIC
person:       Chinanet Hostmaster
nic-hdl:      CH93-AP
e-mail:       anti-spam@ns.chinanet.cn.net
address:      No.31 ,jingrong street,beijing
address:      100032
phone:        +86-10-58501724
fax-no:       +86-10-58501724
country:      CN
changed:      dingsy@cndata.com 20070416
mnt-by:       MAINT-CHINANET
source:       APNIC

person:       Wu Xiao Li
address:      Room 805,61 North Si Chuan Road,Shanghai,200085,PRC
country:      CN
phone:        +86-21-63630562
fax-no:       +86-21-63630566
e-mail:       ip-admin@mail.online.sh.cn
nic-hdl:      XI5-AP
mnt-by:       MAINT-CHINANET-SH
changed:      ip-admin@mail.online.sh.cn 20010510
source:       APNIC

so hard to get any further on this…

An old SIP scanning has started again.


For those who remember: back in 2008 there was a large scan in Germany, where customers with softphones experienced incoming calls (very annoying during the night..). It has now started again. A good paper from ipcom.at describes it extensively.

What caught my attention was the very long branch and Call-ID fields. They contain the IP of the scanner, the scanned victim, the phone number being called and several other fields (if you know what the rest of the codes are, please let me know!)

INVITE sip:82727117149111@the.honeypot.ip;transport=udp SIP/2.0
Via: SIP/2.0/UDP 202.71.111.5:3916;branch=11010010111010001010101000110202.71.111.5the.honeypot.ip751302518;rport
Max-Forwards: 70
From: <sip:736115896703798455@the.honeypot.ip>;tag=5475511560139881995954755115605475511560202.71.111.5
To: <sip:82727117149111@the.honeypot.ip>
Call-ID: ed6681d610110011110110100100110111000011010010111010001010101000110202.71.111.5the.honeypot.ip7513025181c895d9827271171491115475511560139881995954755115605475511560202.71.111.51621419374
CSeq: 1 INVITE
Contact: <sip:1c895d9@202.71.111.5:3916;transport=udp>
Content-Type: application/sdp
Allow: ACK, BYE, CANCEL, INFO, INVITE, MESSAGE, NOTIFY, OPTIONS, PRACK, REFER, REGISTER, SUBSCRIBE, UPDATE, PUBLISH
User-Agent: eyeBeam release 1003s stamp 31159
Content-Length: 208

v=0
o=- 16264 18299 IN IP4 the.honeypot.ip
s=CounterPath eyeBeam 1.5
c=IN IP4 the.honeypot.ip
t=0 0
m=audio 34222 RTP/AVP 18 0 8 101
a=fmtp:18 annexb=no
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
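The capture above can be checked mechanically. The script below is an added example (not from the ipcom.at paper or this post) that parses the INVITE exactly as shown, with the honeypot address left as the placeholder the post uses, and reports the indicators: RFC 3261 section 8.1.1.7 requires the Via branch parameter to begin with the magic cookie `z9hG4bK`, which a real CounterPath client would send; the branch here instead embeds the scanner's own IP and the target; and the Call-ID turns out to contain, verbatim, the branch, the Contact user part, the dialled number and the From tag. The field-length limit used for the final verdict is an assumption.

```python
"""Check a SIP INVITE for the fingerprints of a custom scanner.

Added example; parses the capture from the post and reports indicators.
"""
import re

# The INVITE from the post, verbatim (honeypot IP kept as placeholder).
CAPTURE = """INVITE sip:82727117149111@the.honeypot.ip;transport=udp SIP/2.0
Via: SIP/2.0/UDP 202.71.111.5:3916;branch=11010010111010001010101000110202.71.111.5the.honeypot.ip751302518;rport
Max-Forwards: 70
From: <sip:736115896703798455@the.honeypot.ip>;tag=5475511560139881995954755115605475511560202.71.111.5
To: <sip:82727117149111@the.honeypot.ip>
Call-ID: ed6681d610110011110110100100110111000011010010111010001010101000110202.71.111.5the.honeypot.ip7513025181c895d9827271171491115475511560139881995954755115605475511560202.71.111.51621419374
CSeq: 1 INVITE
Contact: <sip:1c895d9@202.71.111.5:3916;transport=udp>
Content-Type: application/sdp
Allow: ACK, BYE, CANCEL, INFO, INVITE, MESSAGE, NOTIFY, OPTIONS, PRACK, REFER, REGISTER, SUBSCRIBE, UPDATE, PUBLISH
User-Agent: eyeBeam release 1003s stamp 31159
Content-Length: 208

v=0
o=- 16264 18299 IN IP4 the.honeypot.ip
s=CounterPath eyeBeam 1.5
c=IN IP4 the.honeypot.ip
t=0 0
m=audio 34222 RTP/AVP 18 0 8 101
a=fmtp:18 annexb=no
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
"""

MAGIC_COOKIE = "z9hG4bK"   # RFC 3261 branch prefix
MAX_CALL_ID_LEN = 128      # assumed: anything longer is unusual for a real softphone


def parse_headers(msg):
    """Split a SIP request into its request line and a lower-cased header dict."""
    lines = msg.split("\n")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the headers; the SDP body follows
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def analyse(msg):
    """Return a dict of indicators plus an overall 'suspicious' verdict."""
    _, h = parse_headers(msg)
    via = h["via"]
    src_ip = re.search(r"UDP ([0-9.]+):", via).group(1)
    branch = re.search(r"branch=([^;]+)", via).group(1)
    call_id = h["call-id"]
    from_tag = re.search(r"tag=(\S+)", h["from"]).group(1)
    to_user = re.search(r"sip:([^@]+)@", h["to"]).group(1)
    contact_user = re.search(r"sip:([^@]+)@", h["contact"]).group(1)
    findings = {
        "user_agent": h.get("user-agent", ""),
        "rfc3261_branch": branch.startswith(MAGIC_COOKIE),
        "src_ip_in_branch": src_ip in branch,
        "branch_len": len(branch),
        "call_id_len": len(call_id),
        # The Call-ID is built by concatenating other fields of the same request.
        "branch_in_call_id": branch in call_id,
        "contact_user_in_call_id": contact_user in call_id,
        "to_user_in_call_id": to_user in call_id,
        "from_tag_in_call_id": from_tag in call_id,
    }
    findings["suspicious"] = (not findings["rfc3261_branch"]
                              or findings["src_ip_in_branch"]
                              or findings["call_id_len"] > MAX_CALL_ID_LEN)
    return findings


if __name__ == "__main__":
    for key, value in analyse(CAPTURE).items():
        print(f"{key}: {value}")
```

The missing magic cookie alone is enough to say this was not generated by a standards-following client, whatever the User-Agent string claims; the same checks can be run over a honeypot's pcap to cluster scanner families.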

And no, it is definitely not “CounterPath eyeBeam 1.5” but a custom-made scanner. This is just an indication that people are willing to put money into developing software to attack these insecure VoIP servers.

Status now is frequent use of stand-alone SIPVicious and other scanners, plus two kits doing extensive scanning:

  • the user-agent “sundayddr”: they started this spring, with scans coming from all over the world but a disproportionate share of Chinese IP addresses.
  • the current scans with “CounterPath” as user-agent: they have been active before, and have now started again (scanning in the latest month).

And this is just the beginning…. so secure your VoIP servers!

Just 10 000 USD in hacking this time..


A VoIP hack that actually reached the public involved just 10 000 USD being defrauded. I would say they were lucky. This is just the tip of the iceberg; I hear about so many more that are not reported because the firm or institution does not want to “have been hacked”. The latest news about it in Norwegian or translated to English

Another VoIP hacking in Norway


The latest month of scanning seems to have been valuable for the hackers. A Norwegian municipality has been hacked, and their PBX has been calling Somalia and a lot of other destinations we have picked up on our VoIP honeypots during the last month.

If you have an insecure IP PBX on the net, it will now take only hours before it is detected. The most common cause is misconfiguration: the people setting up the IP PBX have not taken security seriously, and the IP PBX is wide open for calling.

The simplest case is that inbound calls are routed out again if no local destination is found. A little harder is to just brute-force the passwords on extensions. I can only say: there will be more like this!

Norwegian version

English version

The hacker can sell this “gateway” to a third party dealing in calling cards. I have investigated frauds in Norway where they managed to send 1,2 million NOK (approx. 200 000 USD) within 10 days. This was a Cisco installation, but misconfigured Asterisk installations are also abused a lot.
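The misconfiguration this post describes, inbound calls being routed out again when no local destination matches, is easy to spot in an Asterisk configuration once you know what to look for. The auditor below is an added example (not from this post and not part of the Asterisk project): it reads a `sip.conf` and an `extensions.conf`, checks that guest calls are refused (`allowguest=no`), that unknown and wrong-password users get the same answer (`alwaysauthreject=yes`), and that the context unauthenticated calls land in has no catch-all pattern that dials a trunk. The weak and hardened config fragments are constructed, and the checks cover only this one common layout, not a full Asterisk hardening review.

```python
"""Audit Asterisk-style config for the 'inbound routed out again' open-relay mistake.

Added example; config fragments are constructed and the checks are deliberately narrow.
"""
import re

WEAK_SIP_CONF = """\
[general]
context=from-trunk
allowguest=yes
"""
WEAK_EXTENSIONS_CONF = """\
[from-trunk]
exten => 100,1,Dial(SIP/100)
exten => _X.,1,Dial(SIP/trunk/${EXTEN})   ; anything else goes straight back out
"""

HARDENED_SIP_CONF = """\
[general]
context=public-inbound
allowguest=no
alwaysauthreject=yes
"""
HARDENED_EXTENSIONS_CONF = """\
[public-inbound]
exten => 100,1,Dial(SIP/100)
exten => _X.,1,Hangup()                    ; unknown destinations are dropped, not dialled
"""

# Catch-all pattern (_X., _., _NXX. ...) whose first priority dials a channel technology.
CATCH_ALL_DIAL = re.compile(
    r"exten\s*=>\s*(_[NXZ]*\.)\s*,\s*\d+\s*,\s*Dial\(\s*(SIP|IAX2|DAHDI)/")


def parse_sections(text):
    """Minimal INI-style parser: strip ';' comments, group lines under [section]."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        sections.setdefault(current, []).append(line)
    return sections


def audit(sip_conf, extensions_conf):
    """Return a list of issues; an empty list means none of the checked mistakes is present."""
    issues = []
    sip = parse_sections(sip_conf)
    general = {}
    for line in sip.get("general", []):
        if "=" in line:
            key, value = line.split("=", 1)
            general[key.strip()] = value.strip()
    # chan_sip historically defaulted allowguest to yes, so a missing key counts as yes.
    if general.get("allowguest", "yes") == "yes":
        issues.append("sip.conf [general]: allowguest is yes (default); "
                      "unauthenticated calls reach the dialplan")
    if general.get("alwaysauthreject", "no") != "yes":
        issues.append("sip.conf [general]: alwaysauthreject is not yes; "
                      "valid extensions can be told apart from invalid ones")
    inbound = general.get("context", "default")
    for line in parse_sections(extensions_conf).get(inbound, []):
        m = CATCH_ALL_DIAL.search(line)
        if m:
            issues.append(f"extensions.conf [{inbound}]: catch-all {m.group(1)} dials out via "
                          f"{m.group(2)}; unauthenticated inbound calls become outbound calls (open relay)")
    return issues


if __name__ == "__main__":
    print("weak:", *audit(WEAK_SIP_CONF, WEAK_EXTENSIONS_CONF), sep="\n  ")
    print("hardened:", audit(HARDENED_SIP_CONF, HARDENED_EXTENSIONS_CONF))
```

The weak fragment fails all three checks: guests are allowed in, they land in `from-trunk`, and `from-trunk` forwards any unknown number to the trunk, which is precisely the gateway that gets sold on to calling-card resellers. The hardened fragment closes guest access and terminates unknown destinations instead of dialling them.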