[AusNOG] VoIP Hack Attempts [SEC=UNCLASSIFIED]

Skeeve Stevens Skeeve at eintellego.net
Thu Sep 30 13:19:55 EST 2010


Hey Alex,

Can you give us some advice on whether it is possible to pursue these sorts of crimes if they are off-shore?

Hacking and general damage is one thing, but these VoIP hacks can cost large amounts of money... if they are coming from Europe or Asia, I am assuming there is little chance of getting your money back for this sort of crime?

...Skeeve

--
Skeeve Stevens, CEO
eintellego Pty Ltd - The Networking Specialists
skeeve at eintellego.net / www.eintellego.net
Phone: 1300 753 383, Fax: (+612) 8572 9954
Cell +61 (0)414 753 383 / skype://skeeve
www.linkedin.com/in/skeeve ; facebook.com/eintellego
--
eintellego - The Experts that the Experts call
- Juniper - HP Networking - Cisco - Arista -


> -----Original Message-----
> From: ausnog-bounces at lists.ausnog.net [mailto:ausnog-
> bounces at lists.ausnog.net] On Behalf Of Tilley, Alex
> Sent: Thursday, 30 September 2010 12:59 PM
> To: ausnog at ausnog.net
> Subject: Re: [AusNOG] VoIP Hack Attempts [SEC=UNCLASSIFIED]
> 
> 
>  The Australian Honeynet project has posted some information about SIP
> scanning.
> http://honeynet.org.au/
> 
> 
> 
> ALEX TILLEY
> TECHNICAL SPECIALIST
> HIGH TECH CRIME OPERATIONS
> AUSTRALIAN FEDERAL POLICE
> 
> Tel +61(0) 3 96077500 Mob +61(0) 411068284
> www.afp.gov.au
> 
> -----Original Message-----
> From: ausnog-bounces at lists.ausnog.net [mailto:ausnog-
> bounces at lists.ausnog.net] On Behalf Of Bradley Falzon
> Sent: Thursday, 30 September 2010 10:50 AM
> To: ausnog at ausnog.net List
> Subject: Re: [AusNOG] VoIP Hack Attempts
> 
> The following notes are based upon my limited experience, assuming the
> attackers already have the username and password and did not perform
> brute-force / dictionary attacks on the VoIP system (fail2ban is
> ineffective).
> 
> The two most effective protections simply limit the damage to your
> customers, in turn limiting the gain from each attack.
> 
> 1) Limit monthly bills to something reasonable; for example, if your
> customers' normal bills are $20/month, perhaps $50 is the limit.
> 2) Limit the number of calls (perhaps daily)
> 
> Of course, combining these preventions with notifying the support team /
> customer for a reasonable response is also suggested, leaving the
> account 'suspended' to prevent further attacks the next day / billing
> period.
> 
> Blocking non-Australian IP addresses will simply change the attacker's
> location from some other country to Australian compromised/zombie
> hosts.
> 
> Limiting the monthly call bill may change the attacks from calling
> International Numbers to Australian land lines. Limiting the number of
> calls reduces the effectiveness of this attack vector.
> 
> The idea of these two limits is simply to encourage the attacker to move
> on (or conversely, compromise more accounts - but that has diminishing
> returns in itself).
> 
> These limits also protect against other attackers and bad
> configurations; they ensure customers' bills do not get excessive from
> daughter Jane calling mobile numbers for too long, or son Jack playing
> with SIP or firmware updates causing a bug in signalling.
> 
> 
> Of course, the other secondary defences are as already stated:
> . Enforcing strong passwords (doesn't protect against reuse / key
>   loggers / increased service desk load)
> . Blocking non-Australian IP addresses (limits iPhone applications such
>   as Fring, customers overseas and the obvious - Australia's IP
>   addresses aren't exactly role models)
> . Blocking international calls by default (highly effective combined
>   with protection 2 - but fails if the customer requires international
>   calls - conversely, perhaps permitting US / UK but blocking expensive
>   countries like Estonia and the like)
> . Some statistical engine monitoring trends in usage on the billing
>   platform (I would argue the other protections are simpler to deploy
>   and support - but it is a viable option).
> 
> On Wed, Sep 29, 2010 at 10:23 PM, Richard Stephens
> <richard.stephens at neural.com.au> wrote:
> >
> > As far as blocking destinations goes - the attackers seem to have
> > cottoned on to this as of late - the last two attacks we've seen that
> > got as far as pushing calls through were pushing them to France and
> > the UK.
> > We've found that all the successful attacks we've had to deal with
> > have fallen into one of two categories: 1. Client-set stupid passwords
> > (password blank or same as extension number) or 2. Calls coming from a
> > legitimate source such as a wholesale client who has had their VoIP
> > system compromised.
> > 1 is fairly straightforward to deal with - our web interface now
> > enforces strong passwords. 2 is a bit harder but is best dealt with
> > by monitoring at the billing level - setting, say, a
> > minimum-spend-per-hour for a client, and creating alerts or blocking
> > international calls completely if it goes above an appropriate level
> > for a certain client.
> > We've also found that blocking all non-Australian IPs virtually
> > eliminates 1.
> > Regards,
> > Richard Stephens
> >
> > Neural Networks
> > The way information moves.
> > ACN 124 535 075
> >
> > Phone: (07) 3123 - 5311
> > Fax: (07) 3319 - 6095
> > Mobile:  0410 - 111 - 570
> > E-Mail: richard.stephens at neural.com.au
> > ________________________________
> > From: ausnog-bounces at lists.ausnog.net
> > [ausnog-bounces at lists.ausnog.net] on behalf of Skeeve Stevens
> > [Skeeve at eintellego.net]
> > Sent: Tuesday, 28 September 2010 12:13 AM
> > To: ausnog at ausnog.net List
> > Subject: [AusNOG] VoIP Hack Attempts
> >
> > Hey all,
> >
> > I've got a few customers who have noticed a large recent jump in SIP
> > scans against their networks.
> >
> > Null routing helps the response but doesn't stop the registration
> > initiation - loading up servers with registrations.
> >
> > This is easy to stop on closed VoIP systems, but not on hosted Voice
> > platforms where users come from other ISPs/networks; this seems to be
> > very difficult.
> >
> > Does anyone have any ideas - we are fresh out at the moment, apart
> > from beefing up security on the VoIP servers themselves using fail2ban
> > or other things that detect rapid registrations and then firewall them.
> >
> > Having a normal server hacked is one thing, but VoIP hacking has taken
> > on a new intensity as the hackers can make a LARGE amount of money by
> > compromising a VoIP system.
> >
> > Recently, we've been brought in to clean up the mess in several
> > incidents where a couple of VoIP systems have been compromised in
> > incidents totalling over AU$100,000.
> >
> > And the carriers are rarely sympathetic.
> >
> > If it isn't obvious as to how/why they're doing this - the hackers get
> > in, open a SIP account so their VoIP system can register, and then
> > they channel certain calls via the compromised system. This has the
> > effect of them charging the end user and making money, while not
> > paying for the calls to be delivered to the destination.
> >
> > Advice:
> >
> > - Block destinations to obscure places that your customers are
> >   unlikely to call, and only unblock them if they request
> >
> > - Watch billing to certain locations and if there is a massive jump,
> >   do something
> >
> > - Watch your customers and if their billing jumps by a massive amount,
> >   alert them as fast as you can - or you just might be liable
> >
> > ...Skeeve
> >
> > _______________________________________________
> > AusNOG mailing list
> > AusNOG at lists.ausnog.net
> > http://lists.ausnog.net/mailman/listinfo/ausnog
> >
> >
> 
> 
> 
> --
> Bradley Falzon
> brad at teambrad.net
> 
> 
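The billing-side controls discussed across this thread (a monthly spend cap, a daily call cap, an hourly spend alert, and suspending the account once a cap is hit), as an added example that is not code from any poster or platform in the thread. Account names, numbers, costs and thresholds are all constructed.

```python
"""Billing-side fraud limits for a hosted VoIP platform (added example).
Applies a monthly spend cap, a daily call-count cap and an hourly-spend alert
to rated call detail records (CDRs); everything here is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed thresholds (AUD); a real platform would set these per customer.
LIMITS = {"monthly_spend": 50.0, "daily_calls": 40, "hourly_spend_alert": 10.0}


def constructed_cdrs():
    """Sample CDR stream: (account, ISO start time, destination, rated cost)."""
    cdrs = [("acct-1001", "2010-09-29T09:15:00", "0733195311", 0.10)]
    night = datetime(2010, 9, 29, 2, 0)  # compromised account: 45 calls to France at 2 am
    for i in range(45):
        cdrs.append(("acct-2002", (night + timedelta(minutes=i)).isoformat(), "0033123456789", 1.50))
    day = datetime(2010, 9, 29, 8, 0)  # chatty but cheap local usage: 45 calls over the day
    for i in range(45):
        cdrs.append(("acct-3003", (day + timedelta(minutes=10 * i)).isoformat(), "0733195311", 0.10))
    return cdrs


def evaluate(cdrs, limits=LIMITS):
    """Return (account, start time, action) events in the order they fire.
    Actions: 'alert:hourly-spend' (once per account per hour), 'suspend:monthly-spend',
    'suspend:daily-calls', and 'rejected' for calls attempted after suspension."""
    monthly, daily, hourly = defaultdict(float), defaultdict(int), defaultdict(float)
    alerted, suspended, events = set(), set(), []
    for acct, start, _dest, cost in cdrs:
        if acct in suspended:
            events.append((acct, start, "rejected"))
            continue
        ts = datetime.fromisoformat(start)
        month_key, day_key = (acct, ts.strftime("%Y-%m")), (acct, ts.date())
        hour_key = (acct, ts.strftime("%Y-%m-%dT%H"))
        monthly[month_key] += cost
        daily[day_key] += 1
        hourly[hour_key] += cost
        if hourly[hour_key] > limits["hourly_spend_alert"] and hour_key not in alerted:
            alerted.add(hour_key)  # notify support / the customer but keep serving calls
            events.append((acct, start, "alert:hourly-spend"))
        if monthly[month_key] > limits["monthly_spend"]:
            suspended.add(acct)  # cap reached: suspend until a human reviews the account
            events.append((acct, start, "suspend:monthly-spend"))
        elif daily[day_key] > limits["daily_calls"]:
            suspended.add(acct)
            events.append((acct, start, "suspend:daily-calls"))
    return events
```

Running `evaluate(constructed_cdrs())` shows the compromised account alerted on its 7th call and suspended on its 34th with the rest rejected, while the chatty account is suspended by call count despite staying far under the spend cap.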