Here is a link to a YouTube video describing a new VoIP Security scanner/penetration tool named "Bluebox-ng". I have not played with it, but it looks pretty cool. It has been a while since we have seen any new VoIP security tools.
I haven't been posting much to my blog. It is so easy to post info to LinkedIn, Twitter, and Google+. I need to get back into it. I have several posts that I will be putting up soon. I am also making sure that all my lists are fresh and up to date.
I attached a briefing from the Florida Department of Law Enforcement describing a threat from Anonymous to target federal and local law enforcement and Child Protective Services (CPS) with Telephony Denial of Service (TDoS) attacks. The attack is supposed to occur 3/21/2015. Anonymous is also calling for website defacements from now up to the TDoS attack date.
The bulletin includes links with contact information, instructions for the attacks, and background on alleged corruption. This includes a link to a Facebook page, which is a way to use social networking to organize the TDoS attack (encourage many people to call in).
As stated in the article, TDoS is a flood of inbound calls, which target a set of phones critical to business operation. The target phones (and numbers) can be any part of a business or enterprise, but are generally those making up a public facing contact center, including those used for banking, finance, health care (emergency rooms and ICUs), government, and public safety. A TDoS attack may be of sufficient volume to overwhelm an entire business or enterprise, but can be equally effective with a smaller amount of traffic, if targeting critical resources. In this way, it is more about selecting the proper target phones and numbers (normally pulled off of public websites), timing (during the busiest part of the day and season), and complexity of the attack (spoofing the calling number), than it is about an overwhelming amount of traffic.
There are a number of ways to generate TDoS attacks, including use of SIP trunks and free PBX software such as Asterisk, possibly using Skype as referenced in the article, or using a tool like the one described in the article. The advantages of a tool such as this are:
It can generate a sufficient number of concurrent calls to overwhelm a small or moderately sized target.
It is turnkey and easier to set up than a SIP trunk and Asterisk.
It can generate a complex attack (assuming that it can indeed spoof the calling number for all calls).
It is anonymous and hard to track. It can be used anywhere there is cellular coverage.
It is difficult for a service provider to shut down, because the calls are coming in through the cellular network.
The last point is significant, because this means of originating TDoS calls is more difficult for the service provider to isolate than, say, many calls coming from a single SIP trunking provider.
The TDoS attacks enabled by this tool can be used purely for disruption, as a threat to enable extortion, or to flood a victim with calls (or texts) to prevent authentication calls from the victim’s bank.
There have been several advertisements for Telephony Denial of Service (TDoS) attack services popping up. I provided a link to one below. These seem to come and go, as they are removed from sites, but this one has been up for a while. The service is very cheap, $70 for a week. If targeted towards a hospital emergency room, Intensive Care Unit (ICU), public safety site, or any small business where there are a handful of critical phones and attendants, this service would be very disruptive. Of course, there are other ways to do this yourself - using Asterisk and SIP trunking - but this is easier for a non-technical attacker.
They even offer a 10 minute free trial :)
Since I saw the service, it has been enhanced to state that the calls can be made with different source numbers. I don't know how sophisticated this is - are they random, legit numbers, etc., but of course this makes an attack much harder to deal with.
It isn't clear what the flood capacity is. It says the interval between calls is 1-3 seconds. The calls are automatically generated. You have the option of playing an audio file, but that costs more (requires the attacker to generate RTP).
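On the receiving side, a flood like this (a call every few seconds to one critical number, each with a different source number) shows up clearly in call records. The following is an added detection example, not part of the original post; the record layout, the thresholds and the phone numbers are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumed sliding window
MAX_CALLS = 15                  # assumed: more calls than this per WINDOW to one number is a flood
SPOOF_RATIO = 0.8               # assumed: share of distinct caller IDs that suggests rotation

def sample_cdrs():
    """Constructed records: timestamp,calling,called,duration_s (not a real CDR export)."""
    t0 = datetime(2015, 1, 5, 10, 0, 0)
    # Flood: one call every 2 s to a single line, new caller ID each time.
    flood = [f"{(t0 + timedelta(seconds=2 * i)).isoformat()},+1555020{i:04d},+15550100,3"
             for i in range(40)]
    # Normal traffic: one call every 45 s to a different line.
    normal = [f"{(t0 + timedelta(seconds=45 * i)).isoformat()},+1555030{i:04d},+15550101,120"
              for i in range(10)]
    return sorted(flood + normal)

def detect_tdos(lines, watched):
    """Return {called_number: alert} for watched numbers exceeding MAX_CALLS per WINDOW."""
    recent = defaultdict(deque)  # called number -> (timestamp, calling number) inside the window
    alerts = {}
    for line in lines:
        ts_text, src, dst, _duration = line.split(",")
        if dst not in watched or dst in alerts:
            continue
        ts = datetime.fromisoformat(ts_text)
        q = recent[dst]
        q.append((ts, src))
        while ts - q[0][0] > WINDOW:  # drop calls that have aged out of the window
            q.popleft()
        if len(q) > MAX_CALLS:
            times = [t for t, _ in q]
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            distinct = len({s for _, s in q})
            alerts[dst] = {
                "first_alert": ts,
                "calls_in_window": len(q),
                "distinct_callers": distinct,
                "mean_gap_s": sum(gaps) / len(gaps),
                "rotating_caller_id": distinct / len(q) >= SPOOF_RATIO,
            }
    return alerts

if __name__ == "__main__":
    for number, alert in detect_tdos(sample_cdrs(), {"+15550100", "+15550101"}).items():
        print(number, alert)
```

Because the alert is keyed on the called number rather than the caller, rotating source numbers do not hide the flood; the distinct-caller ratio only tells the responder that blocking by caller ID will not help.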
Here is a link to a good article in a national publication, the New York Times, on the growing issue of toll fraud. Toll fraud has been around for many years, but continues to get worse for a number of reasons. Attackers set up premium (think 1-900) numbers and are incented to drive traffic to these numbers. They look for ways to generate the traffic and leave a victim with the bill. Small businesses are an attractive target. They often deploy new VoIP systems, but do not spend the time to secure them, and address issues such as default open ports and passwords. The attackers scan for these systems and when found, use them to launch 100's, 1000's, or 10,000's of calls to their premium numbers. Or they hire attackers to do this for them and share the revenue.
The issue doesn't have a lot to do with VoIP, it can occur with legacy TDM PBXs and trunking, but is often associated with VoIP, because it is often the new low-end VoIP systems that are being attacked. Also, the attackers often use low-cost VoIP and SIP services to generate inbound calls to the compromised PBXs, which "hairpin" out to the premium numbers.
Since these calls cost the service provider money to deliver, they can't usually credit the victim.
There are a number of solutions to this issue, including the SecureLogix (www.securelogix.com) voice security/firewall application. Using a cloud-based delivery option makes this solution very attractive for small businesses, who don't have the expertise or budget to deploy and manage a premises-based solution.
Here is a link on YouTube of a recent video we did on Telephony Denial of Service (TDoS). It covers the concept and then the various types of attacks that we are seeing, including manual TDoS, social networking TDoS, and then different types of automated TDoS. We also briefly cover the Payday Loan Scam/Attack, which is affecting many hospitals and public safety sites:
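The toll fraud pattern described in this post (bursts of calls to premium numbers, and inbound trunk calls that "hairpin" back out to them) can be spotted in a PBX's call detail records. The following is an added example, not from the original post or from any vendor's product; the CDR columns, the leg labels and the burst threshold are assumptions, and the records are constructed.

```python
import csv
import io
from collections import Counter

PREMIUM_PREFIXES = ("1900",)  # the post's "think 1-900"; add ranges from your own rate deck
BURST = 5                     # assumed: premium calls per source per hour that trigger an alert

def sample_cdrs():
    """Constructed CDRs; the column names and the ext:/trunk: leg labels are hypothetical."""
    rows = [
        "start,in_leg,out_leg,dialed,billsec",
        "2015-01-05T14:02:11,ext:204,trunk:pstn,+1 512 555 0142,95",  # ordinary outbound call
        "2015-01-05T14:10:40,trunk:pstn,ext:201,201,210",             # ordinary inbound call
        "2015-01-06T09:15:00,ext:210,trunk:pstn,1-900-555-0199,60",   # single premium call
    ]
    # Overnight: inbound SIP calls bridged straight back out to a premium number.
    rows += [f"2015-01-06T02:{m:02d}:00,trunk:sip,trunk:pstn,1-900-555-0199,600"
             for m in range(8)]
    return "\n".join(rows)

def is_premium(dialed):
    """Compare digits only, so formatting such as '1-900-...' or '+1 (900) ...' still matches."""
    digits = "".join(c for c in dialed if c.isdigit())
    return digits.startswith(PREMIUM_PREFIXES)

def find_toll_fraud(cdr_text):
    """Return hairpinned premium calls, hourly bursts per source leg, and billed seconds at risk."""
    hairpins, per_hour, exposure = [], Counter(), 0
    for row in csv.DictReader(io.StringIO(cdr_text)):
        if not is_premium(row["dialed"]):
            continue
        exposure += int(row["billsec"])
        per_hour[(row["in_leg"], row["start"][:13])] += 1  # key: source leg, YYYY-MM-DDTHH
        # Trunk in and trunk out: no local extension was ever part of the call.
        if row["in_leg"].startswith("trunk:") and row["out_leg"].startswith("trunk:"):
            hairpins.append(row)
    bursts = {key: n for key, n in per_hour.items() if n >= BURST}
    return {"hairpins": hairpins, "bursts": bursts, "premium_billsec": exposure}

if __name__ == "__main__":
    report = find_toll_fraud(sample_cdrs())
    print(len(report["hairpins"]), "hairpinned premium calls")
    print("bursts:", report["bursts"])
    print("premium seconds billed:", report["premium_billsec"])
```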