Wednesday, January 23, 2013

Interesting Article on the Challenges and Prevention in a VoIP Environment

As I have been writing here, VoIP service has become more common and thus more of an attractive target for fraud attacks.

Jim Murphy, President of Phone Power, has a nicely written article on TMCNet titled "Toll Fraud Challenges and Prevention in a VoIP Environment".

He discusses the fact that there are always new targets to attack and that many PBXs use default or easy-to-crack passwords (1234).

But to me the most worrying thing he mentions is how much this can cost a company:
The risks of toll fraud within a VoIP network are severe. Some hackers are able to hijack systems and push through charges that can total $2,000 an hour or more.
Now, we have seen companies hit within a few days with $25,000 - $50,000 in fraud, and even one case of $400,000 over 2 days, so this figure of $2,000 per hour sounds quite plausible to me.

This is why I moved to Greenfield Technologies and am specializing in doing Security Audits for Asterisk-based VoIP PBXs.

After auditing more than 35 PBXs, we have found that the most common policy issues are:

Incomplete, non-existent or unenforced password policies:
  - Many had identical default SIP passwords for all phones that were never changed
  - Many had identical default voice-mail passwords for all extensions that were never changed

Server / PBX passwords:
  - Multiple PBXs using the same password
  - Root access and web client interface using the same password (if any)

No update policy for:
  - Server OS
  - PBX software
  - Phone firmware

No mailbox policies:
  - Who gets voice-mail
  - When to close them

No policy to monitor phone usage / activity
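The two password findings above (identical or default SIP secrets for every phone, and default voice-mail PINs for every extension) are the kind of thing an auditor can check mechanically before touching a single phone. The following is an added example, not code from the article or from Greenfield Technologies: a small Python script that parses Asterisk-style sip.conf and voicemail.conf text and flags peers that share a secret, use a well-known default, reuse their own extension number as the secret, or fall below a minimum length. The sample config text, the list of weak secrets, and the minimum lengths are constructed assumptions for illustration; point the two audit functions at the contents of a real sip.conf / voicemail.conf to run it against an actual PBX.

```python
"""Audit helper: flag shared, default or trivial SIP secrets and voice-mail PINs
in Asterisk-style config text (added example; not the article's or any vendor's code)."""
import re
from collections import defaultdict

# Constructed sample configs for demonstration only (not from any real system).
SIP_CONF = """\
[general]
context=default
allowguest=no

[1001]
type=friend
secret=1234        ; vendor default, never changed
context=internal

[1002]
type=friend
secret=1234        ; same default on a second phone
context=internal

[1003]
type=friend
secret=1003        ; secret is just the extension number
context=internal

[1004]
type=friend
secret=xK9#pQ2mVt7!wR4s
context=internal
"""

VOICEMAIL_CONF = """\
[general]
format=wav

[default]
1001 => 1234,Alice
1002 => 1002,Bob
1003 => 84719,Carol
"""

# Assumed list of values an auditor would treat as "never changed from default".
WEAK_SECRETS = {"1234", "0000", "1111", "password", "secret", "admin"}


def parse_sections(text):
    """Parse Asterisk ini-style text into {section: [(key, value), ...]}.
    Handles both 'key=value' and the 'mailbox => pin,name,...' form; ';' starts a comment."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[([^\]]+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        if "=>" in line:
            key, value = line.split("=>", 1)
        elif "=" in line:
            key, value = line.split("=", 1)
        else:
            continue
        sections[current].append((key.strip(), value.strip()))
    return sections


def audit_sip_secrets(sip_text, weak=WEAK_SECRETS, min_len=10):
    """Return (peer, reason) findings for SIP peers with weak, self-referential,
    short, or shared 'secret' values. Peers without a plain 'secret' are skipped."""
    findings = []
    peers_by_secret = defaultdict(list)
    for name, entries in parse_sections(sip_text).items():
        if name == "general":
            continue
        secret = dict(entries).get("secret")
        if secret is None:
            continue
        peers_by_secret[secret].append(name)
        if secret in weak:
            findings.append((name, "default/weak SIP secret"))
        if secret == name:
            findings.append((name, "SIP secret equals peer name"))
        if len(secret) < min_len:
            findings.append((name, "SIP secret shorter than %d chars" % min_len))
    for secret, peers in peers_by_secret.items():
        if len(peers) > 1:
            findings.append((",".join(sorted(peers)), "shared SIP secret"))
    return findings


def audit_voicemail_pins(vm_text, weak=WEAK_SECRETS, min_len=4):
    """Return (mailbox, reason) findings for voice-mail PINs that are default,
    equal to the mailbox number, or shorter than min_len digits."""
    findings = []
    for context, entries in parse_sections(vm_text).items():
        if context == "general":
            continue
        for mailbox, value in entries:
            pin = value.split(",")[0].strip()
            if pin in weak:
                findings.append((mailbox, "default/weak voicemail PIN"))
            if pin == mailbox:
                findings.append((mailbox, "voicemail PIN equals mailbox number"))
            if len(pin) < min_len:
                findings.append((mailbox, "voicemail PIN shorter than %d digits" % min_len))
    return findings


if __name__ == "__main__":
    for item, reason in audit_sip_secrets(SIP_CONF) + audit_voicemail_pins(VOICEMAIL_CONF):
        print("%-10s %s" % (item, reason))
```

On the sample text this reports 1001 and 1002 as sharing a default secret, 1003 for using its own extension as both its SIP secret and voice-mail PIN, and leaves 1004 clean; the voice-mail minimum length is deliberately lower than the SIP one because PINs are entered on a phone keypad.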