Sjur Usken

Views on new technologies and business opportunities from Sjur Usken

Tag Archives: fraud

Another day, another fraud


Another day, another fraud… and there will be more… Imagine your company getting hit with a 100 000 USD bill from your telco. Who is to blame?
Here is one company which did…

If you get a SIP trunk from a VoIP provider, make sure they have fraud management and credit limits!


400% rise in telecom fraud in New Zealand


The Telecommunications Industry Group (TIG) in New Zealand has seen telecom fraud quadruple in 2010. Private Branch Exchange (PABX) software can be downloaded for free and installed on an (older) PC, but it is often not secured well enough, which leaves the PABX open to exploitation. TIG has made a list of the minimum(!) you need to do to make your system more secure.

Some practical tips for preventing PABX hacking

  1. Choose a strong password: Voicemail and DISA passwords should be changed on a regular basis, avoiding factory defaults and obvious combinations such as 1234 or the extension number.
  2. Change it: Make sure all security features – passwords, PINs, etc. – are changed following installation, upgrade and fault/maintenance work. Don’t forget to reset default passwords.
  3. Keep it confidential: Keep all internal information such as directories, call logging reports and audit logs confidential. Destroy them appropriately if no longer required.
  4. Regular review:
    • Review system security and configuration settings regularly. Follow up any vulnerabilities or irregularities.
    • Review your PABX call logging/reporting material regularly and analyse it for increases in call volumes or suspicious destinations.
  5. Callers: Be vigilant against bogus callers – for example, people posing as company employees – who ask to be connected to switchboard operators to get an outgoing line.
  6. Employees: Develop processes to cover employee entry procedures, passcards, new employee vetting, and people leaving or changing jobs. Formally revoke their access to systems, mailboxes and buildings.
  7. Vendor terms and conditions: Make sure you have the right terms and conditions reflected in your contracts with your PABX, VoIP and/or voicemail maintainer, so that your system is regularly maintained and serviced and stays safe.
  8. De-activate, restrict, bar:
    • Remove or de-activate all unnecessary system functionality, including remote access ports. If remote access ports are used, consider using strong authentication such as smartcards/tokens.
    • Restrict any destinations that should not normally be dialled: for example, premium rate, international, operator and directory enquiry numbers.
    • Restrict access to equipment, e.g. your comms room and master terminals.
    • Only give the appropriate and minimum level of system access required to carry out a task.
    • Bar voicemail ports from outgoing access to trunks if possible. If access to trunks via voicemail is necessary, implement suitable controls. Remove auto attendant options for accessing trunks.
    • Lock surplus mailboxes until allocated to a user.
    • If DISA is not used, disable it completely.
  9. Tones: Avoid using tones to prompt for password/PIN entry: these are often exploited by hacking programs.

I would also like to add:

  • Security updates BOTH on your server and on the phones
  • Don’t expose the PABX or the phones on public IPs.
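Item 4 above (review call logs for increases in volume or suspicious destinations) and item 8 (restrict premium-rate and international destinations) are the two controls that catch toll fraud before the bill arrives. The script below is an added example, not code from the post or from TIG: it parses a constructed call-detail-record (CDR) export, flags calls to restricted destination classes, and reports extensions that place an unusual number of calls outside business hours. The CSV layout, the prefix lists ("00" for international, "0900" for premium rate, as in NZ-style dialling) and the thresholds are assumptions for the example; adapt them to your PABX export and numbering plan.

```python
"""Review PABX call logs (CDRs) for toll-fraud indicators.

Added example, not from the original post or TIG. The CDR format
(timestamp,source_extension,dialled_number,duration_seconds), the prefix
lists and the thresholds are assumptions chosen for illustration.
"""
from collections import Counter
from datetime import datetime

# Constructed sample CDR export: a normal working day, then a burst of
# long international/premium calls from one extension in the middle of the night.
SAMPLE_CDR = """\
2010-11-02T09:14:03,201,0441234567,125
2010-11-02T10:02:41,202,0441234568,300
2010-11-02T11:30:00,201,0800123456,45
2010-11-02T14:05:12,203,0092125551234,610
2010-11-03T02:10:05,205,0022512345678,1800
2010-11-03T02:11:09,205,0022512345679,1750
2010-11-03T02:12:14,205,0900123456,1790
2010-11-03T02:13:20,205,0022512345680,1810
2010-11-03T02:14:31,205,0022512345681,1820
"""

# Assumed destination classes: "00" international, "0900" premium rate.
RESTRICTED_PREFIXES = {"00": "international", "0900": "premium-rate"}
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 counts as normal working time
OFF_HOURS_CALL_LIMIT = 3        # calls per extension per hour outside business hours


def parse_cdr(text):
    """Parse CSV CDR lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ext, number, seconds = line.split(",")
        records.append({
            "time": datetime.fromisoformat(ts),
            "ext": ext,
            "number": number,
            "seconds": int(seconds),
        })
    return records


def classify_destination(number):
    """Return the restricted class of a dialled number, or None if unrestricted.
    The longest matching prefix wins, so a 0900 number is not reported as '00'."""
    best = None
    for prefix, label in RESTRICTED_PREFIXES.items():
        if number.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, label)
    return best[1] if best else None


def review_calls(records):
    """Return (reason, record) findings: restricted destinations, plus
    off-hours call bursts per extension (record is None for burst findings)."""
    findings = []
    per_ext_hour = Counter()
    for r in records:
        label = classify_destination(r["number"])
        if label:
            findings.append((f"{label} destination", r))
        if r["time"].hour not in BUSINESS_HOURS:
            per_ext_hour[(r["ext"], r["time"].strftime("%Y-%m-%dT%H"))] += 1
    for (ext, hour), count in sorted(per_ext_hour.items()):
        if count > OFF_HOURS_CALL_LIMIT:
            findings.append((f"off-hours burst: {count} calls from ext {ext} in hour {hour}", None))
    return findings


def restricted_minutes(records):
    """Minutes spent on restricted destinations: the exposure that ends up on the telco bill."""
    return sum(r["seconds"] for r in records if classify_destination(r["number"])) / 60


if __name__ == "__main__":
    recs = parse_cdr(SAMPLE_CDR)
    for reason, rec in review_calls(recs):
        print(reason, "" if rec is None else f"-> ext {rec['ext']} dialled {rec['number']}")
    print(f"minutes to restricted destinations: {restricted_minutes(recs):.1f}")
```

Run it daily against the previous day's CDR export; the off-hours burst check is what would have caught the night-time pattern in the sample, since each individual international call looks legitimate on its own.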

The Honeynet Project has also picked up extensive scanning in Australia. Which country will be next?

Cool way to make a video


Xtranormal.com is an easy way to make simple videos. You can see mine about telecom fraud here (37 seconds).

Enjoy!

Just 10 000 USD in hacking this time..


A VoIP hack that actually reached the public: just 10 000 USD was defrauded. I would say they were lucky. This is just the tip of the iceberg; I hear about so many more that are not reported because the firm or institution does not want to “have been hacked”. The latest news about it in Norwegian or translated to English

Number of VoIP scannings has exploded


If you have an IP PBX on a public IP and you are not quite sure it is secure enough, you should get to it now!

Scans on port 5060 have exploded over the last few days. Previously it was a couple of hits a week; now it is up to 100 a day. This means that if your VoIP setup is not 100% secure, others will find it and abuse it! And you will get the telephony bill!

Get to it, secure your VoIP communication platform right now!

Check the following:

  • All users have strong passwords
  • Access lists are updated, preferably both ways (both incoming and outgoing traffic on the server)
  • No unused services are enabled
  • Latest patches are on the server OS
  • Latest patches are on the application
  • Latest SECURE firmware is on the hardware endpoints (phones etc.)
  • Other services on the platform like web servers, TFTP, FTP and SSH are locked down or have VERY strong passwords
  • Encrypt the traffic from the user into the server (to make eavesdropping harder)
  • Make the PCs accessing your platform secure. Any keyloggers or sniffers installed there?
  • Forgotten something? Please comment
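The jump from a couple of hits a week to a hundred a day is visible in the PBX's own log long before the bill arrives, and the first checklist item (strong passwords) is exactly what those scans are testing. The following is an added example, not code from the post: it parses constructed log lines in the shape Asterisk's chan_sip writes for failed REGISTER attempts (the same lines the fail2ban asterisk filter matches), counts failures per day to show the trend, and flags source addresses that produce a burst of failures inside a short window, which is what separates a password-guessing scanner from a user mistyping a PIN. The threshold and window are assumptions.

```python
"""Detect SIP registration scanning / password guessing from Asterisk log lines.

Added example, not code from the original post. The log lines are constructed
in the format chan_sip uses for failed REGISTERs; the threshold and window
are assumptions to tune for your own platform.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source hammering extensions at 03:12, one genuine
# user mistyping a password and then registering, and a lone probe next day.
SAMPLE_LOG = """\
[Nov 10 03:12:01] NOTICE[2231] chan_sip.c: Registration from '"100" <sip:100@203.0.113.5>' failed for '198.51.100.7' - No matching peer found
[Nov 10 03:12:01] NOTICE[2231] chan_sip.c: Registration from '"101" <sip:101@203.0.113.5>' failed for '198.51.100.7' - No matching peer found
[Nov 10 03:12:02] NOTICE[2231] chan_sip.c: Registration from '"102" <sip:102@203.0.113.5>' failed for '198.51.100.7' - No matching peer found
[Nov 10 03:12:02] NOTICE[2231] chan_sip.c: Registration from '"103" <sip:103@203.0.113.5>' failed for '198.51.100.7' - No matching peer found
[Nov 10 03:12:03] NOTICE[2231] chan_sip.c: Registration from '"200" <sip:200@203.0.113.5>' failed for '198.51.100.7' - Wrong password
[Nov 10 03:12:03] NOTICE[2231] chan_sip.c: Registration from '"200" <sip:200@203.0.113.5>' failed for '198.51.100.7' - Wrong password
[Nov 10 09:41:10] NOTICE[2231] chan_sip.c: Registration from '"200" <sip:200@203.0.113.5>' failed for '192.0.2.44' - Wrong password
[Nov 10 09:45:10] -- Registered SIP '200' at 192.0.2.44:5060
[Nov 11 14:20:00] NOTICE[2231] chan_sip.c: Registration from '"sip" <sip:sip@203.0.113.5>' failed for '198.51.100.9' - No matching peer found
"""

FAILED_REG = re.compile(
    r"^\[(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<from>[^']*)' failed for '(?P<ip>[0-9.]+)(?::\d+)?' - (?P<reason>.*)$"
)


def parse_failures(text):
    """Return dicts (time, ip, reason) for every failed-REGISTER line.
    Asterisk omits the year, so strptime yields year 1900; fine for grouping."""
    out = []
    for line in text.splitlines():
        m = FAILED_REG.match(line)
        if not m:
            continue
        out.append({
            "time": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
            "ip": m.group("ip"),
            "reason": m.group("reason"),
        })
    return out


def failures_per_day(failures):
    """Daily failure counts: the 'couple a week -> a hundred a day' trend."""
    return Counter(f["time"].strftime("%b %d") for f in failures)


def find_scanners(failures, max_failures=5, window=timedelta(minutes=10)):
    """Map source IP -> largest number of failures seen inside any `window`,
    for sources that exceed `max_failures`. Sliding window per source."""
    by_ip = defaultdict(list)
    for f in failures:
        by_ip[f["ip"]].append(f["time"])
    scanners = {}
    for ip, times in by_ip.items():
        times.sort()
        best = start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best > max_failures:
            scanners[ip] = best
    return scanners


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    for day, n in sorted(failures_per_day(fails).items()):
        print(f"{day}: {n} failed registrations")
    for ip, n in find_scanners(fails).items():
        print(f"scanner candidate {ip}: {n} failures within 10 minutes")
```

Feeding the flagged addresses to a host firewall is what fail2ban automates; the value of doing it by hand once is seeing that the 192.0.2.44 user, who failed once and registered four minutes later, must not be caught by the same rule.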


VoIP attacks are here again!


Have you seen the movie “The Lawnmower Man”? When, at the end, all the phones in the whole world are ringing? This was the scenario for several firms in Norway this week. The phones rang every 20 minutes!

Whose fault is it?

And who is guilty? Several are to blame.

First: the Piradius network (again…) doing SIP and H.323 scans on open phones and gateways.
Second: the phone producer not making a secure enough phone.
Third: the people putting such a solution onto the Internet with no security.

What the attacker did

The Piradius network was scanning the address range sequentially and sending an H.323 Call Connect to each IP address. The phones were open to invites from any IP address, so they rang, and when someone answered there was nobody at the other end.

Information about the packet

In the H.323 packet they claim to use Cisco equipment, but I’ve never heard of a “balhophone”. If you do know, please comment! The version also looks suspicious (1.666666). I’m guessing it is an Asterisk….

vendor
    t35CountryCode: United States (181)
    t35Extension: 0
    manufacturerCode: 18
    H.221 Manufacturer: Cisco (0xb5000012)
    productId: balhophone
    versionId: v 1.666666
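The “H.221 Manufacturer” line in the dump is not a separate field in the packet: the dissector derives the 32-bit value 0xb5000012 from the three T.35 fields above it (country code 181 = 0xb5 in the top byte, extension 0 in the next, manufacturer code 18 = 0x0012 in the low 16 bits). The code below is an added example, not from the post, that packs and unpacks that identifier so you can check a capture's vendor claim by hand; the name tables are an assumed subset covering only the values shown on this page.

```python
"""Decode the H.221 manufacturer identifier carried in the H.323 vendor field.

Added example, not code from the original post. Layout (as Wireshark derives
its "H.221 Manufacturer" line): t35CountryCode (8 bits) | t35Extension (8 bits)
| manufacturerCode (16 bits). Name tables are an assumed subset.
"""

# Assumed lookup subset: T.35 country 181 is the United States and, under that
# prefix, manufacturer 18 is Cisco, matching the capture's own decode.
T35_COUNTRY = {181: "United States"}
MANUFACTURER = {(181, 0, 18): "Cisco"}


def pack_h221(country_code, extension, manufacturer_code):
    """Compose the 32-bit H.221 identifier from its three T.35 components."""
    for name, value, bits in (("country", country_code, 8),
                              ("extension", extension, 8),
                              ("manufacturer", manufacturer_code, 16)):
        if not 0 <= value < (1 << bits):
            raise ValueError(f"{name} code {value} does not fit in {bits} bits")
    return (country_code << 24) | (extension << 16) | manufacturer_code


def unpack_h221(value):
    """Split a 32-bit H.221 identifier into (country, extension, manufacturer)."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("H.221 identifier must be a 32-bit value")
    return (value >> 24) & 0xFF, (value >> 16) & 0xFF, value & 0xFFFF


def describe_vendor(value):
    """Render the identifier the way a dissector line would, naming what we can."""
    cc, ext, mfr = unpack_h221(value)
    country = T35_COUNTRY.get(cc, f"unknown({cc})")
    vendor = MANUFACTURER.get((cc, ext, mfr), f"unknown({mfr})")
    return f"{vendor} (0x{value:08x}) country={country} ext={ext} mfr={mfr}"


def fields_match_identifier(country_code, extension, manufacturer_code, identifier):
    """True when the three decoded fields really compose to the composite value;
    a mismatch means the dissector line and the raw fields disagree."""
    return pack_h221(country_code, extension, manufacturer_code) == identifier


if __name__ == "__main__":
    print(describe_vendor(0xb5000012))
    print(fields_match_identifier(181, 0, 18, 0xb5000012))
```

Note what the decode does and does not tell you: the vendor field is a free-form claim made by the sender, so a correct Cisco identifier next to a product string like “balhophone” says only that the sender chose to send Cisco's code, not that the endpoint is Cisco gear.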

The contact information for audio within the H.323 packet is totally different from where the TCP traffic originated. It is unallocated address space.

AS  | IP             | BGP Prefix   | CC | Registry | Allocated  | AS Name
NA | 36.27.177.136   | NA           |    |          |            | NA

The attacker has just used this IP address as a /dev/null for the audio of those who actually answered the phone. The RTP traffic coming back from mass calling can be a DoS attack in itself: if every 1500-byte packet you send generates a continuous stream of 0.1 Mbit/s (G.711), it could take down the attacker itself….
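The 0.1 Mbit/s figure follows from G.711's 64 kbit/s of audio once the RTP, UDP and IP headers on every 20 ms packet are counted. The small calculation below is an added example, not from the post; it works out the on-wire rate of one returned stream and how many bytes come back per byte of the single 1500-byte trigger packet over the time the call stays up. The Ethernet framing overhead is an assumption that the last hop is Ethernet.

```python
"""Per-stream RTP bandwidth of a G.711 call and the resulting amplification.

Added example, not code from the original post. Header sizes are the standard
IPv4/UDP/RTP values; the Ethernet overhead (header, FCS, preamble, inter-frame
gap) is an assumption about the link type.
"""

G711_SAMPLE_RATE = 8000              # samples per second
G711_BITS_PER_SAMPLE = 8
IPV4_UDP_RTP_HEADER = 20 + 8 + 12    # bytes of headers per RTP packet
ETHERNET_OVERHEAD = 14 + 4 + 8 + 12  # header + FCS + preamble + inter-frame gap


def g711_stream_kbps(ptime_ms=20, link_overhead=ETHERNET_OVERHEAD):
    """Bit rate on the wire of one G.711 stream for a given packetisation time."""
    packets_per_second = 1000 / ptime_ms
    payload_bytes = G711_SAMPLE_RATE * G711_BITS_PER_SAMPLE // 8 * ptime_ms // 1000
    bytes_per_packet = payload_bytes + IPV4_UDP_RTP_HEADER + link_overhead
    return packets_per_second * bytes_per_packet * 8 / 1000


def amplification_ratio(trigger_bytes=1500, seconds=60, ptime_ms=20):
    """Bytes streamed back to the RTP destination per byte the scanner sent,
    for a call that is left up for `seconds`."""
    returned_bytes = g711_stream_kbps(ptime_ms) * 1000 / 8 * seconds
    return returned_bytes / trigger_bytes


if __name__ == "__main__":
    print(f"G.711, 20 ms, IP only : {g711_stream_kbps(20, link_overhead=0):.1f} kbit/s")
    print(f"G.711, 20 ms, Ethernet: {g711_stream_kbps(20):.1f} kbit/s")
    print(f"amplification after 60 s: {amplification_ratio():.0f}x")
```

With 20 ms packets the stream is 80 kbit/s at the IP layer and about 95 kbit/s on Ethernet, which is where the author's 0.1 Mbit/s comes from; a call left up for a minute returns several hundred times the trigger packet's size, and every answered phone adds another stream to the same destination.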

The called number

Called party number: '40#5926693444'

I’ve seen them include the # in several previous attacks, but this is not used anywhere in Scandinavia to make an outbound call. If you know why an attacker uses the #, please let me know.

Asterisk vulnerabilities can be abused


I remember the old days when Cisco ran the Call Manager on a Windows 2000 system. The Call Manager servers were always six months behind on patches and updates, and had to be protected at all costs. Caution has to be taken, as always, when enabling new services, and especially when they can hurt financially. PC World reports that “yes, you can abuse Asterisk with a bug from a while ago” in this article. They cited the IC3’s article about VoIP fraud.

Do we need another firewall for every new service? There are several media-specialised firewalls, often called Session Border Controllers, that do this, but is this the way to do it? Probably not. IMHO the way is to have a good security audit and an overview of your own infrastructure: take control! Don’t buy yourself out of the current biggest threats; there will be new ones! Take control with IDS and even IPS, and have backup plans in case serious bugs and flaws make your services vulnerable!

And it is good that several other people are talking about security, like Mark Collier and the folks behind the bluebox security podcast! Good job!


VoIP system abused in an English bank service company…


I’ve had several responses to my previous article about VoIP attacks, and people are approaching the Honeynet organisation for help to figure out what to do after being abused. This is both good and bad: good that they seek help, bad that they do not have an IT security plan.

IT hacking costs money, and with a misconfigured VoIP system it shows up on the telephony bill as well. Previously the costs were not that obvious: downtime for the firm, stolen documents used against them in business competition, or just abuse of their Internet bandwidth to hurt others. How would the world look if all the security faults a firm had showed up on their monthly Internet bill? “Your computers have been participating in a DDoS attack costing a firm 5 million; this is your cost.”

Companies need to take security more seriously. There is a war going on on the Internet, where the strongest will survive. And the war began a long time ago…