CFCA Educational Event This Week

The Communciations  Fraud Control Association (CFCA) is hosting an educational event this week, running from 9/29 through 10/1. Voice fraud, in the service provider and enterprise networks, is a major issue - this event will spend most of its time covering the issues and ways to address them.

RSA Report on Voice Phishing, Fraud, Etc.

Here is a brief report from RSA that discusses various voice/VoIP security issues, including voice phishing, fraud, voice attacks, etc.

http://www.mag-securs.com/spip.php?article14354

Interesting RFC on VoIP Threats

Here is a link to a relatively recent RFP on VoIP threats. Take a look:

http://www.ietf.org/id/draft-ietf-speermint-voipthreats-01.txt

Whats going on with VoIP Security?

I just did a quick scan of the various VoIP security blogs and links, and things are pretty quiet. Here is a link to a post on VoIPSA, from Shawn Merdinger, that shows google searches for topics like "VoIP security" are way down.

http://voipsa.org/blog/2009/07/28/google-trends-on-voip-security/

There isn't much going on right now, other than application attacks (toll fraud and so on) are on the rise. There has been some activity there that I will write about in a bit.

New SANS Course

Brian Lutz and I have been updating the SANS course on VoIP security. This is a six day course and absolutely the best course in the industry on this topic. The course will be officially available next year. We are planning a presentation of the course in November or December down in San Antonio. This will be a great opportunity to particpate early in the course, with the actual authors.

I will post more information about the course when I have more details. If anyone is interested in more information, please comment on this post or send me an email at mark.collier@securelogix.com.

Another Example of Toll Fraud

Here is another example of a real-world toll fraud attack.

http://www.wsoctv.com/news/20653994/detail.html

New Nmap Available

As a result of my interest in Information Security, I have been using Nmap in some capacity for several years and have followed each release of the tool with perhaps more than a little interest.  That having been said, I am pleased to note that Nmap version 5.0 has just been released!   The Nmap 5.0 release is noted as the most important release since 1997, according to the nmap website.

Out of the over 600 significant changes for the new release, the top five features according to the authors in the new release include the following:

1. The new Ncat tool will be your tool of choice for data transfer, redirection, and debugging.  Details are available here: http://nmap.org/5/#changes-ncat

2. The addition of the Ndiff scan comparison tool enables users the ability to note changes that occur on the network to include new systems or services running on your network for example. Details are available here: http://nmap.org/5/#changes-ndiff
3. Nmap performance has improved dramatically thanks to the ability to utilize existing data and improved congestion control algorithms.  Details are available here: http://nmap.org/5/#changes-performance
4. The official Nmap guide to network discovery and security scanning, “Nmap Network Scanning” has been released.  More than half the book is available in the online edition located here http://nmap.org/book/toc.html.  Additional details are available here: http://nmap.org/5/#changes-book
5. The Nmap Scripting Engine (NSE) allows users to write scripts to automate a wide variety of networking tasks.  All NSE scripts and modules are described in the new NSE documentation portal.  Details are available here: http://nmap.org/5/#changes-nse

So when you have a moment, download the new Nmap 5.0 and enjoy some happy hacking with the latest and greatest features it has to offer.

VoIP PBX and Telephone Passwords are “The Weakest Link”

Here is a guest post from Matt Reedy, our Director of Research and Development. Matt is currently leading our SIP firewall development:

Toll fraud is currently the single biggest risk to organizations implementing a VoIP solution.  If fraudsters can gain administrative access to your IP/PBX or one or more of your telephone handsets, then they can pretty much roam free through your telephone network and quickly rack up significant toll charges. 

The majority of toll fraud cases that have been publicized recently involve criminals gaining control of a VoIP phone or phone system simply because of missing or weak passwords.  As Anne Robinson, the host of the once-popular TV show The Weakest Link said, “Who fell off the tree of knowledge?”  Unfortunately, that question applies to many of us involved in VoIP security.

The most common examples of how systems have been compromised in this manner are 1) installing a VoIP phone system without changing the default administrative password, 2) configuring telephone extensions with the password the same as the extension, or some other phrase that is easily guessed, and 3) setting up a VoIP system for development or testing and leaving it connected and accessible to the outside world.  As obvious as we may think these mistakes are, they continue to be made. 

A VoIP security best practice is to scan your network immediately after installation of your VoIP PBX with a SIP detection tool such as svmap and svwar in the SIPVicious suite (http://code.google.com/p/sipvicious/), and then again every week thereafter.  These tools will quickly identify all SIP devices that are attached to your network, allowing you to remove any devices that should not be exposed to the internet.

If a VoIP PBX truly needs to be connected and accessible to the outside network, be sure the administrative password complies with a robust password policy.  Then run the svcrack SIPVicious tool to ensure that telephone extension passwords are not missing and are not easily deduced. 

If your organization does not have a published telephone password policy, then consider adopting the policy published by the SANS Institute, at http://www.sans.org/resources/policies/Password_Policy.pdf.

Finally, think about installing a voice security platform that allows you to define telephone call policies which are enforced on the voice network.  Using a product such as our ETM system, you can significantly limit the damage caused by fraudsters by controlling when and how many toll calls can legitimately be made. 

Remember a VoIP PBX and telephones are simply nodes on your data network and must be protected in the same way.

Reports that Toll Fraud Are On the Rise

Here is a link to an article by Sipera (there are several other sites that covered the story as well) which state that toll fraud is on the rise. I of course agree and am glad to see more voice/VoIP security vendors stating that. Sorry to harp on toll fraud, but it is really the only real-world voice/VoIP attack we are seeing. Toll fraud has been around for a long time, but insecure VoIP architectures/systems are making it easier to exploit. Here is the link:

http://www.itnewsonline.com/showprnstory.php?storyid=50098

I will add though that toll fraud is not a SIP trunking issue. Toll fraud can and does occur, whether the enterprise trunking infrastructure is TDM or SIP. I would like to learn more about how SBCs are misconfigured, allowing toll fraud to take place. However, this is really not the point. The vast vast majority of enterprise trunking, at least in North America is still TDM, especially with middle to large sized enterprises. Trying to improve the toll fraud issue with a SIP trunk security technology doesn't make a lot of sense right now, because it would be blind to 99% of the issue. I can say this with authority, because my company has a SIP-based toll fraud detection/mitigation solution. Focusing on SIP is like living in a mansion in a bad part of town and leaving all your doors and windows open, but putting an expensive set of locks on a 6x6" doggie door. Now I agree that this will change, but for now, if you want to mitigate toll fraud, you need to secure all your PBXs and provide TDM/SIP trunk security.

Some More Information on Toll Fraud

Here is some information about some events/services offered by British Telecom to help deal with toll fraud/dial through fraud:

http://www.btintheloop.com/april_2009/free_events_help_cps_fight_1_3_billion_fraud_risks