VOIP Phone Systems

December 6, 2012 by william

I have come across an increasingly high number of clients and prospects investigating the implementation of VOIP, or Internet telephone systems, within their organisations.

The underlying belief is that VOIP is cheaper, in some instances it may well be, set up costs etc etc, certainly can be less expensive than traditional. However, what about security? Save now pay later springs to mind when discussing VOIP.

I recently came across this article from Liquid Communications:

Internet Phone Systems Become the Fraudster’s Tool

Cybercriminals have found a new launching pad for their scams: the phone systems of small and medium-sized businesses across the U.S.

In recent weeks, they have hacked into dozens of telephone systems across the country, using them as a way to contact unsuspecting bank customers and trick them into divulging their bank account numbers and passwords.

Click Here to be re directed to the whole article

This type of fraud allied to Phreaking should make any business think twice before choosing the cheap option.

Filed Under: Telecoms Tagged With: phone systems, Phreaking, Telecoms, Voip

Business Urged to Protect Against Hacking Attacks

September 7, 2012 by william

The UK Government has recently published a guide on Risks associated with cyber attacks.

Questions (below, from the guide), ask CEO’s and board members what the strategic, operational and financial benefits are to their organisation.

Protection of key information assets is critical
1. How confident are we that our company’s most important
information is being properly managed, and is safe from cyber
threats?
2. Are we clear that the Board are likely to be key targets?
3. Do we have a full and accurate picture of:
the impact on our company’s reputation, share price or existence if
sensitive internal or customer information held by the company were to
be lost or stolen ?
the impact on the business if our online services were disrupted for a
short or sustained period?
Exploring who might compromise our information and why is critical

4. Do we receive regular intelligence from the Chief Information
Officer/Head of Security on who may be targeting our company, their
methods and their motivations?
5. Do we encourage our technical staff to enter into information sharing
exchanges with other companies in our sector and/or across the
economy in order to benchmark, learn from others and help identify
emerging threats?

Pro-active management of the cyber risk at Board level is critical

6. The cyber security risk impacts share value, mergers, pricing,
reputation, culture, staff, information, process control, brand,
technology, and finance. Are we confident that:
we have identified our key information assets and thoroughly assessed
their vulnerability to attack?
responsibility for the cyber risk has been allocated appropriately? Is it on
the risk register?
we have a written information security policy in place, which is
championed by us and supported through regular staff training? Are we
confident the entire workforce understands and follows it?

A copy of the guide is available here

Another useful guide also published by the government to help business with cyber security is called 10 steps to cyber security Click on the link to download it.

The European Commission launched a consultation in July, within the consultation are proposals that could see businesses required to report when their “essential” systems, including the internet, have been disrupted due to “cyber incidents”. The Commission said its aim is to “enhance preparedness, strengthen the resilience of critical infrastructure as well as to foster a cyber-security culture in the EU.”

Now, rather than later, is the time to start looking at how to secure your IT Networks, telecom networks and internet sites.

Filed Under: Data Tagged With: Cyber security, Hacking, IP Networks, Phreaking, Telephone Systems, Voip

Phonehacked | A non profit organisations bill shock

September 3, 2012 by william

Vicki Swan works for RAYS, Renton Area Youth and Family Services. The organization provides counseling services for those in need.

“This is a get to the meat of the world job and how we service people,” said Vicki. Vicki’s job is to keep the non-profit’s books balanced, something she says can be difficult in a tough economy. “We are a break even organization.”

In June, RAYS received an unexpected letter that almost broke the bank. It was a $3,400 bill from their phone provider, Integra Telecom. It appeared the organization’s phone system had been hacked.

See the news video and read the full report here

Filed Under: Telecoms Tagged With: phone systems, Phreaking, Telecoms, Voip

VOIP | How secure are your communications?

August 22, 2012 by william

VOIP solutions, and indeed real time IP solutions like social media chat, vide0 conferencing etc could in actual fact be leaving the back door open for hackers.

Lets look briefly at the requirements for PCI DSS, part of the security requirement on the standard is that companies block all non approved channels of communication, screen all traffic and prohibit direct routes for inbound and outbound internet traffic (IP traffic). The trouble is many organisations forget about the communication traffic they cannot see, ones that use highly evasive techniques and are easily able to circumvent traditional security methods used to control the network.

Today, for example, our workforce expects instant messaging and other real-time communications tools e.g. IP Video conferencing (Skype for example), Voice over IP, and social networking to be ‘always on.

Using Skype as an example of how these operate, Skype uses a peer-to-peer connection, is encrypted end-to-end, and very often tunnels through HTTP if that is the only firewall port open to it, negating the use of a URL filtering solution to control it.

This may result in many organisations who do not realise that their users have even installed real-time communications applications, such as Skype.

In August 2011, the ICO (information commissioners office) stated that companies who were not PCI DSS compliant could also be considered to be in breech of the Data protection Act.

Whilst PCI is concerned only with payment card protection, it can and should be used as a measure by which all orginisations secure their network. Payment Card fraud costs the UK over £300m per annum purely on card fraud, this does not take in to consideration other costs, or indeed the cost of network theft (known as Phreaking), which in the UK alone is costing us £1.6Billion.

As an example of what could happen, 45 million credit and debit card numbers were stolen from TKX, owners of TK Maxx, when a computer hacker broke into the TK Maxx wireless network and stole unencrypted credit card numbers. TK Maxx failed to encrypt or truncate the card numbers and the loss to TKX is estimated to be between £328 million for card scheme fines, law suits, costs and management time and £1 billion in terms of loss of business and reputational damage. You can bet your last penny that TK Maxx increased security on their networks after this.

Filed Under: Data Tagged With: data, Phreaking, Telephone Systems, Voip

Phreaking Attack on Public Sector

August 16, 2012 by william

Phreaking attack on Scottish public sector offices.

I’ve recently been made aware of an attack over several offices of a government department. The attack happened over a few days before being discovered, costing Scottish tax payers thousands of pounds.

The attackers accessed the systems not just via telephone VOIP solution but also via the IP based Video conferencing highlighting yet again the vulnerability of VOIP based solutions.

I am also led to believe the cost for investigating how secure the departments voice systems are is also going to run to five figures, again this tab is being picked up by the Scottish tax payer.

With Credit card fraud running at over £300m per annum and highly publicised within the UK, we have got to start asking why more is not being done to help business understand the cost of Phreaking to them, currently running at more than 5 times the cost of credit card fraud to the UK.

We spend millions in the UK securing our offices, computers etc from attack, yet we pay absolutely no heed to our telephone systems. the majority of us have probably never experienced a break in or a virus attack, yet securing these two areas is now second nature to us.

For those who have never heard of Phreaking here’s a quick intro to what it actually is:

Phreaking is where your telephone system is hacked, allowing the hackers to steal your lines to make calls free of charge for them, exceptionally costly for you. There are proven links between Phreaking and worldwide organised crime and terrorism. Providing a massive revenue stream for those criminals. Whilst the network companies may show some sympathy, the reality is YOU will still have to pay their bill, which can be anything between 10 and 100 times more expensive than normal.

It pays to be safe, how secure is your telephone system?

Filed Under: Telecoms Tagged With: phone systems, Phreaking, Security, system security, Telecoms

Phone Hacker Leaves Town Hall with $20k phone bill

August 3, 2012 by william

A hacker in the US has left a town hall facing a $20,000.00 telephone bill.

Some of the calls were streamed through the UK

Normal bill for the town hall was $1300 per month, this mammoth bill of $20,000 was run up over just 2 days in calls to the UK

and Philippines.

Read the full story here

If you haven’t thought about securing your telephone system, then after reading this story of a small organisation and how their system was hacked via voicemail then you should.

Even simple precautions like changing passwords regularly, can help prevent such phreaking attacks.

Filed Under: Telecoms Tagged With: phone hacking, phone systems, Phreaking, Telephone Systems, voicemail

PCI DSS, CVV seller network closed down

June 29, 2012 by william

The Serious Organised Crime Agency (SOCA), working in collaboration with the FBI and the US Ministry of Justice, has shut down 36 major CVV sellers’ websites that were trading in stolen credit card details and online banking credentials. SOCA says the closures will reduce international fraud by more than £500 million a year.

The carder sites acted as online marketplaces for stolen card data, using e-commerce platforms known as Automated Vending Carts (AVCs) to collect the card data from criminals and then resell the account details to buyers around the world.

SOCA, the UK national police agency whose auspices include fraud and computer crime, said it has been tracking the development of AVCs and monitoring their use for some time. Over a two-year period, it worked with the FBI in the US, the BKA in Germany, the KLPD in the Netherlands, the Ukraine Ministry of Internal Affairs, the Australian Federal Police and the Romanian National Police, to recover more than 2.5 million cards and credentials of compromised personal and financial information. It said the recovered data has been passed to UK and overseas financial institutions to help prevent further fraud from taking place against the accounts.

The case underlines the need for merchants and service providers to “ensure they comply with the requirements of PCI DSS to protect card holder data and prevent it from ending up on sites where the data can be sold for a couple of pounds.”

For the full story visit Search Security

Filed Under: Data Tagged With: call centre, home business, Mastercard, PCi-DSS, Phreaking, Visa

A Phreaking Story

June 22, 2012 by william

A little back story on the setup first; We have a Cisco VoIP setup at our remote office(where I’m at) and the main CCM/CCX/Unity setup is at the parent company across the US in Connecticut. We have MPLS tunneling the VoIP traffic between the two offices. Very inefficient, but that’s the cheap solution they went with to avoid the extra licensing of a second CCM/CCX. Also no one at the company works on the phone system, it is all outsourced to a third party, which stopped responding to my pleas for help a month or so ago.

Anyways, the way it works now, is if you call our 800# it goes to the main Auto-Attendant in Connecticut, and then is routed to our office, with 4 digit dial. If you call our local direct number, it rings through to the receptionist.

So the problem that I need your help with is; I am under a constant attack on my local #. If I leave my phone line plugged in to my VoIP router after 3:30, I will have upwards of 1000 voice mail messages in the morning by 7 am. It basically continues to try and bounce it’s calls through our system until the voice mail box is full. I tried working with the tech company managing the system, and they basically came to the conclusion that we need to change our number or unplug the line every night.

The phone company also doesn’t seem to know what to do either, I worked with a senior-level tech for a few hours, and he said the return field was being randomly generated/spoofed for each call that came through, so there was really no way for them to block them either.

The messages are usually just a minute or two of “Beep..Beep..Beep..Beep,” and also hardly occur at all during the day.

Do not believe that because this event happened in the USA that it cannot happen to you, PBX Fraud costs us £1.5billion, and rising, here in the UK.

How many times have you answered a call and thought it was a mis dialled fax?

Filed Under: Telecoms Tagged With: pbx fraud, Phreaking, Telecoms News, Telephone Systems

Telephone System Fraud

June 18, 2012 by william

Here is a video from callista telling exactly what Phreaking is and how it affects us.

Introduction to phreaking HR

Filed Under: Data Tagged With: phone systems, Phreaking, telecommunications, Telecoms, Telephone Systems, Voip

Telephone System Fraud – PHREAKING

June 15, 2012 by william

Phone hacking, or phreaking as it is known, is more widespead than we could ever imagine.

The most common way in which a business is “phreaked” is via their voicemail system, a good tip to remember here is to change passwords regulary, and as an absolute bare minimum CHANGE THE DEFAULT PASSWORD IMMEDIATELY, if you don’t it could be a very expensive business.

Phreaking is more costly than credit card fraud to the UK, yet we hardly ever hear of it. The businesses I’ve heard of that have been subject to an attack often claim that when reporting to the police, the police often do not know how to deal with the situation and often advise not to pay the bill. This advice is wrong, unfortunately, at the end of the day you have to pay the network company, why should they be out of pocket for your errors? We all have a responsibility to ensure that our office equipment is secure from all sorts of attack, after all you pay for virus protection to prevent an attack on your computer system, you pay for firewall to prevent hacking to your computer system, it there for begs the question why we fail to protect our telephone systems.

From the last recorded data available, 2009, PHREAKING via voicemail cost $22 billion globally, total telephone fraud that year was estimated to be between $75-80 billion.

In the UK, from the same year, a survey on VOIP hacking cost UK Business £1.2 billion.

The following is taken from the BBC News website from Feb 2012

Hacking network Anonymous has released a recording of a conference call between the FBI and UK police in which they discuss efforts against hackers.

The call, said to have taken place last month, covers the tracking of Anonymous and similar groups, dates of planned arrests and details of evidence held.

To try and sum up : Phreaking is controlled by organised crime and big business which funds international terrorism – and they could cost you a fortune in telephone calls you didn’t make but your telco will demand you pay because they were made from your exchange lines and extensions via your phone system

Filed Under: Telecoms Tagged With: Fraud, Phreaking, Telephone system fraud