VOIP, Why you shouldn’t listen to the IT expert when choosing your Telephone System

VOIP, what the experts don’t tell you!

Sometimes old is better

I have written several articles before on VOIP and the vulnerabilities it poses to us, yet we still have the IT experts out there pushing it. The latest wheeze is free calls from Gamma: yep, free calls, not just for you but for everyone who chooses to hack into your network. The only challenge is that YOU are left to foot the bill.

I recently came across an article by Dave Paresh in the Los Angeles Times, read it in full HERE.

By the end of this article if you still think VOIP is going to be a great investment for your business . . . hell mend you, you deserve everything that may come your way!

From the article:

“Wall Street firms, schools, media giants, insurance companies and customer service call centers have also temporarily lost phone service because of the attacks, according to telecommunications industry officials. Many of the victims want to remain anonymous out of fear of being attacked again or opening themselves up to lawsuits from customers.

The Marquette incident is noteworthy because when the business owner involved the Marquette County Sheriff’s Department, the scammer bombarded one of the county’s two 911 lines for 3 1/2 hours.

“The few people I’ve talked to about it have said that you just have to take it and that there’s no way to stop this,” Sheriff’s Capt. Chris Kuhl said.”

No way to stop this . . .  Just have to take it . . .

Interesting comments by the Captain . . . There is one way . . . Don’t go VOIP!

That’s not to say traditional services cannot be hacked; they can, but it’s a heck of a lot harder than leaving the back door open, which VOIP does!

The main thrust of the article is a hospital’s A&E department losing its phone service for 3 days. Just think: if you had an emergency with your child, mother, wife or husband and they passed away because of it, how would that make you feel?

Because some IT bod said, hey, I can save you a few pennies, you end up losing a loved one. Doesn’t bear thinking about, does it?

No disrespect to IT experts, but maybe they should stay away from VOICE; it’s not their forte after all. Think about it: would you get a plumber to rewire your electrics? No, neither would I, so why get an IT expert to sell you VOICE communications when it’s not their area of expertise?

Cisco do not give voice priority in their routers, and we all know Cisco make up the vast majority of the hardware backbone to the internet, it’s hardly likely to be very secure then, is it?


VOIP Phone Systems

I have come across an increasingly high number of clients and prospects investigating the implementation of VOIP, or Internet telephone systems, within their organisations.

The underlying belief is that VOIP is cheaper. In some instances it may well be: set-up costs and so on can certainly be less expensive than a traditional system. However, what about security? Save now, pay later springs to mind when discussing VOIP.

I recently came across this article from Liquid Communications:

Internet Phone Systems Become the Fraudster’s Tool

Cybercriminals have found a new launching pad for their scams: the phone systems of small and medium-sized businesses across the U.S.

In recent weeks, they have hacked into dozens of telephone systems across the country, using them as a way to contact unsuspecting bank customers and trick them into divulging their bank account numbers and passwords.

Click here to be redirected to the whole article.

This type of fraud, allied to phreaking, should make any business think twice before choosing the cheap option.

Business Urged to Protect Against Hacking Attacks


The UK Government has recently published a guide on the risks associated with cyber attacks.

The questions below, taken from the guide, ask CEOs and board members what the strategic, operational and financial benefits are to their organisation.

Protection of key information assets is critical

1. How confident are we that our company’s most important information is being properly managed, and is safe from cyber threats?
2. Are we clear that the Board are likely to be key targets?
3. Do we have a full and accurate picture of:
   - the impact on our company’s reputation, share price or existence if sensitive internal or customer information held by the company were to be lost or stolen?
   - the impact on the business if our online services were disrupted for a short or sustained period?

Exploring who might compromise our information and why is critical

4. Do we receive regular intelligence from the Chief Information Officer/Head of Security on who may be targeting our company, their methods and their motivations?
5. Do we encourage our technical staff to enter into information sharing exchanges with other companies in our sector and/or across the economy in order to benchmark, learn from others and help identify emerging threats?

Pro-active management of the cyber risk at Board level is critical

6. The cyber security risk impacts share value, mergers, pricing, reputation, culture, staff, information, process control, brand, technology, and finance. Are we confident that:
   - we have identified our key information assets and thoroughly assessed their vulnerability to attack?
   - responsibility for the cyber risk has been allocated appropriately? Is it on the risk register?
   - we have a written information security policy in place, which is championed by us and supported through regular staff training? Are we confident the entire workforce understands and follows it?


A copy of the guide is available here

Another useful guide, also published by the government to help business with cyber security, is called 10 Steps to Cyber Security. Click on the link to download it.


The European Commission launched a consultation in July. Within the consultation are proposals that could see businesses required to report when their “essential” systems, including the internet, have been disrupted due to “cyber incidents”. The Commission said its aim is to “enhance preparedness, strengthen the resilience of critical infrastructure as well as to foster a cyber-security culture in the EU.”

Now, rather than later, is the time to start looking at how to secure your IT Networks, telecom networks and internet sites.


Phonehacked | A non-profit organisation’s bill shock

Vicki Swan works for RAYS, Renton Area Youth and Family Services.  The organization provides counseling services for those in need.

“This is a get to the meat of the world job and how we service people,” said Vicki.  Vicki’s job is to keep the non-profit’s books balanced, something she says can be difficult in a tough economy.  “We are a break even organization.”

In June, RAYS received an unexpected letter that almost broke the bank.  It was a $3,400 bill from their phone provider, Integra Telecom. It appeared the organization’s phone system had been hacked.

See the news video and read the full report here

VOIP | How secure are your communications?

VOIP solutions, and indeed real-time IP solutions like social media chat, video conferencing and so on, could in fact be leaving the back door open for hackers.

Let’s look briefly at the requirements of PCI DSS. Part of the security requirement in the standard is that companies block all non-approved channels of communication, screen all traffic and prohibit direct routes for inbound and outbound internet traffic (IP traffic). The trouble is that many organisations forget about the communication traffic they cannot see: traffic that uses highly evasive techniques and is easily able to circumvent the traditional security methods used to control the network.

Today, for example, our workforce expects instant messaging and other real-time communications tools, e.g. IP video conferencing (Skype, for example), Voice over IP and social networking, to be ‘always on’.

Using Skype as an example of how these operate: Skype uses a peer-to-peer connection, is encrypted end-to-end, and very often tunnels through HTTP if that is the only firewall port open to it, negating the use of a URL filtering solution to control it.

As a result, many organisations do not even realise that their users have installed real-time communications applications such as Skype.

In August 2011, the ICO (Information Commissioner’s Office) stated that companies who were not PCI DSS compliant could also be considered to be in breach of the Data Protection Act.

Whilst PCI is concerned only with payment card protection, it can and should be used as a measure by which all organisations secure their network. Payment card fraud costs the UK over £300m per annum; this does not take into consideration other costs, or indeed the cost of network theft (known as phreaking), which in the UK alone is costing us £1.6 billion.

As an example of what could happen, 45 million credit and debit card numbers were stolen from TJX, owners of TK Maxx, when a computer hacker broke into the TK Maxx wireless network and stole unencrypted credit card numbers. TK Maxx failed to encrypt or truncate the card numbers, and the loss to TJX is estimated to be between £328 million for card scheme fines, lawsuits, costs and management time and £1 billion in terms of loss of business and reputational damage. You can bet your last penny that TK Maxx increased security on their networks after this.

Phreaking Attack on Public Sector

Phreaking attack on Scottish public sector offices.

I’ve recently been made aware of an attack across several offices of a government department. The attack went on for a few days before being discovered, costing Scottish taxpayers thousands of pounds.

The attackers accessed the systems not just via the telephone VOIP solution but also via the IP-based video conferencing, highlighting yet again the vulnerability of VOIP-based solutions.

I am also led to believe that the cost of investigating how secure the department’s voice systems are is going to run to five figures; again, this tab is being picked up by the Scottish taxpayer.

With credit card fraud running at over £300m per annum and highly publicised within the UK, we have got to start asking why more is not being done to help business understand the cost of phreaking to them, currently running at more than 5 times the cost of credit card fraud to the UK.

We spend millions in the UK securing our offices, computers etc. from attack, yet we pay absolutely no heed to our telephone systems. The majority of us have probably never experienced a break-in or a virus attack, yet securing these two areas is now second nature to us.

For those who have never heard of Phreaking here’s a quick intro to what it actually is:

Phreaking is where your telephone system is hacked, allowing the hackers to steal your lines to make calls that are free of charge for them and exceptionally costly for you. There are proven links between phreaking and worldwide organised crime and terrorism, providing a massive revenue stream for those criminals. Whilst the network companies may show some sympathy, the reality is YOU will still have to pay their bill, which can be anything between 10 and 100 times more expensive than normal.

It pays to be safe: how secure is your telephone system?

Phone Hacker Leaves Town Hall with $20k phone bill

A hacker in the US has left a town hall facing a $20,000.00 telephone bill.

Some of the calls were routed through the UK.

The town hall’s normal bill was $1,300 per month; this mammoth bill of $20,000 was run up over just 2 days in calls to the UK and the Philippines.


Read the full story here

If you haven’t thought about securing your telephone system, then after reading this story of a small organisation and how their system was hacked via voicemail, you should.

Even simple precautions, like changing passwords regularly, can help prevent such phreaking attacks.


PCI DSS, CVV seller network closed down

The Serious Organised Crime Agency (SOCA), working in collaboration with the FBI and the US Ministry of Justice, has shut down 36 major CVV sellers’ websites that were trading in stolen credit card details and online banking credentials. SOCA says the closures will reduce international fraud by more than £500 million a year.

The carder sites acted as online marketplaces for stolen card data, using e-commerce platforms known as Automated Vending Carts (AVCs) to collect the card data from criminals and then resell the account details to buyers around the world.

SOCA, the UK national police agency whose auspices include fraud and computer crime, said it has been tracking the development of AVCs and monitoring their use for some time. Over a two-year period, it worked with the FBI in the US, the BKA in Germany, the KLPD in the Netherlands, the Ukraine Ministry of Internal Affairs, the Australian Federal Police and the Romanian National Police, to recover more than 2.5 million cards and credentials of compromised personal and financial information. It said the recovered data has been passed to UK and overseas financial institutions to help prevent further fraud from taking place against the accounts.

The case underlines the need for merchants and service providers to “ensure they comply with the requirements of PCI DSS to protect card holder data and prevent it from ending up on sites where the data can be sold for a couple of pounds.”

For the full story visit Search Security

A Phreaking Story

A little back story on the setup first: we have a Cisco VoIP setup at our remote office (where I’m at) and the main CCM/CCX/Unity setup is at the parent company across the US in Connecticut. We have MPLS tunneling the VoIP traffic between the two offices. Very inefficient, but that’s the cheap solution they went with to avoid the extra licensing of a second CCM/CCX. Also no one at the company works on the phone system; it is all outsourced to a third party, which stopped responding to my pleas for help a month or so ago.

Anyways, the way it works now is: if you call our 800# it goes to the main Auto-Attendant in Connecticut, and then is routed to our office, with 4-digit dial. If you call our local direct number, it rings through to the receptionist.

So the problem that I need your help with is: I am under a constant attack on my local #. If I leave my phone line plugged in to my VoIP router after 3:30, I will have upwards of 1000 voice mail messages in the morning by 7 am. It basically continues to try and bounce its calls through our system until the voice mail box is full. I tried working with the tech company managing the system, and they basically came to the conclusion that we need to change our number or unplug the line every night.

The phone company also doesn’t seem to know what to do either. I worked with a senior-level tech for a few hours, and he said the return field was being randomly generated/spoofed for each call that came through, so there was really no way for them to block them either.

The messages are usually just a minute or two of “Beep..Beep..Beep..Beep,” and also hardly occur at all during the day.
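Both the town hall’s two-day run of overseas calls above and the after-hours voicemail flood in this post would show up in the PBX’s call detail records (CDRs). As an added example, not code from the original post or from any vendor named on this page, the script below scans a constructed CDR export for those two patterns; the record format, business hours, home-country prefix and thresholds are all assumptions made for the example.

```python
# Added example (not from the original post): scan a constructed call-detail-record
# (CDR) export for the two phreaking patterns this page describes:
#   1. an after-hours flood of short inbound calls into one extension's voicemail
#      from many different (spoofed) caller IDs, and
#   2. a burst of after-hours international calls placed from the PBX.
from collections import defaultdict
from datetime import datetime

# Constructed sample; format (assumed): "YYYY-MM-DD HH:MM:SS,direction,from,to,seconds"
SAMPLE_CDR = """\
2012-06-03 19:02:11,in,+15551230001,2104,95
2012-06-03 19:03:40,in,+15559876543,2104,110
2012-06-03 19:05:02,in,+15550001111,2104,88
2012-06-03 19:06:30,in,+15552223333,2104,120
2012-06-03 19:08:15,in,+15554445555,2104,101
2012-06-03 23:40:05,out,2101,+442071234567,1800
2012-06-03 23:55:12,out,2101,+639171234567,2400
2012-06-04 01:10:44,out,2101,+442079876543,1500
2012-06-04 02:30:00,out,2101,+639171234567,2100
2012-06-04 10:15:00,in,+15557778888,2104,340
"""
BUSINESS_HOURS = (8, 18)  # 08:00-18:00 local; an assumption for this example

def parse_cdr(text):
    """Parse the constructed CDR format into dicts (blank lines skipped)."""
    recs = []
    for ts, d, src, dst, secs in (ln.split(",") for ln in text.splitlines() if ln.strip()):
        recs.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "dir": d,
                     "src": src, "dst": dst, "secs": int(secs)})
    return recs

def after_hours(ts):
    return ts.hour < BUSINESS_HOURS[0] or ts.hour >= BUSINESS_HOURS[1]

def voicemail_flood(records, min_calls=5, min_callers=4, max_secs=180):
    """{extension: distinct callers} for extensions hit after hours by min_calls+ short calls."""
    per_ext = defaultdict(list)
    for r in records:
        if r["dir"] == "in" and after_hours(r["ts"]) and r["secs"] <= max_secs:
            per_ext[r["dst"]].append(r["src"])
    return {ext: len(set(s)) for ext, s in per_ext.items()
            if len(s) >= min_calls and len(set(s)) >= min_callers}

def international_burst(records, home_prefix="+1", min_calls=2):
    """{date: count} of after-hours outbound calls outside home_prefix, on days with min_calls+."""
    per_day = defaultdict(int)
    for r in records:
        if r["dir"] == "out" and after_hours(r["ts"]) and not r["dst"].startswith(home_prefix):
            per_day[r["ts"].date().isoformat()] += 1
    return {day: n for day, n in per_day.items() if n >= min_calls}
```

Run against a real CDR export, the two functions give an alert on the first night of a flood or overseas burst rather than when the bill arrives.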


Do not believe that because this event happened in the USA it cannot happen to you. PBX fraud costs us £1.5 billion, and rising, here in the UK.

How many times have you answered a call and thought it was a misdialled fax?

Telephone System Fraud

Here is a video from callista telling exactly what Phreaking is and how it affects us.

Introduction to phreaking HR