Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Making your Asterisk System Secure


Published on

Over the past few years Eric has shown that telecom fraud is a growing problem, and basic fixes for protecting your (and your customers) PBX. This time he will show the basic configuration considerations that you can take to protect a PBX. Come to this session to find out: Who is out there looking to attack your PBX? How do they find it? How can you protect your PBX?

Published in: Technology
  • Be the first to comment

Making your Asterisk System Secure

  1. 1. Making your Asterisk System Secure Who is out there looking to attack your PBX? How do they find it? How can you protect your PBX PRESENT BY: ERIC KLEIN SR. CONSUL TANT
  3. 3. Ok, just 1 picture
  5. 5. CFCA Global Fraud Key Findings Global Fraud Loss:  2011 $40.1 Billion (USD) annually  2013 $46.3 Billion (USD) annually Top Fraud types 2011  Compromised PBX/Voicemail $4.96 Billion  Internal/Employee Theft $1.44 Billion Source: The 15% increase from 2011 is a result of increased fraudulent activity targeting the wireless industry. 2013 $10.03 Billion $2.53 Billion *Notes:  In 2011 the Global Fraud Loss Estimate was recalibrated to include the sizes of the CSPs being surveyed.  In 2013 fraud classifications were divided into methods and type categories
  6. 6. Source:
  7. 7. Why They Attack
  8. 8. How it Works Hackers sign up to lease premium-rate phone numbers, often used for sexual-chat or psychic lines, from one of dozens of web-based services that charge dialers over $1 a minute and give the lessee a cut. In the United States, premium-rate numbers are easily identified by 1-900 prefixes, and callers are informed they will be charged higher rates. But elsewhere, like in Latvia and Estonia, they can be trickier to spot. The payout to the lessees can be as high as 24 cents for every minute spent on the phone. Hackers then break into a business’s phone system and make calls through it to their premium number, typically over a weekend, when nobody is there to notice. With high-speed computers, they can make hundreds of calls simultaneously, forwarding as many as 220 minutes’ worth of phone calls a minute to the pay line. The hacker gets a cut of the charges, typically delivered through a Western Union, MoneyGram or wire transfer. In part because the plan is so profitable, premium rate number resellers are multiplying rapidly. There were 17 in 2009; last year there were 85
  9. 9. Who Pays?
  10. 10. Who is Responsible for Losses from Hacks? In almost all cases the customer is contractually responsible for losses from a hacked system. Major carriers have sophisticated fraud systems in place to catch hackers before they run up false six-figure charges, and they can afford to credit customers for millions of fraudulent charges every year. But small businesses often use local carriers, which lack such antifraud systems. And some of those carriers are leaving customers to foot the bill.
  11. 11. Rare exception: Frip Finishing vs. Voiceflex Frip Finishing of Leicestershire was hacked over Halloween weekend of October 2011 Internet hackers infiltrated Frip’s PBX and made 10,366 calls international phone card calls creating a bill of £35,000 – most to a premium telephone number in Poland Judge David Grant rejected arguments the company had failed to adequately maintain the security of its. On the court’s interpretation of the contract, Frip was only obliged to pay for calls that it had actually made.
  12. 12. Phone Hackers Dial and Redial to Steal Billions In a weekend last March Foreman Seeley Fountain Architecture, (in Norcross, Ga.) was hack for $166,000 worth of calls to premium- rate telephone numbers in Gambia, Somalia and the Maldives.
  13. 13. Need to Change the Laws The law is not much help, because no regulations require carriers to reimburse customers for fraud the way credit card companies must. Lawmakers have taken the issue up from time to time, but little progress has been made.
  14. 14. What to watch for
  15. 15. Something New Has Started Mysterious fake mobile phone towers discovered across America could be listening in on unsuspecting callers. They were discovered by people using a heavily customised Android device called the CryptoPhone 500. "They can listen to all of your voice calls and they can grab all of your text” said Buzz Bruner of EDS America. Sources:
  16. 16. Detected in Many Locations During a road trip from Florida to North Carolina and he found eight different interceptors on that trip. After publication an interceptor was detected near the vicinity of South Point Casino in Las Vegas. Several of the masts were situated near US military bases. he towers are located near the White House, the United States Capitol and the Supreme Court. "Whose interceptor is it? Who are they, that's listening to calls around military bases? Is it just the US military, or are they foreign governments doing it? The point is: we don't really know whose they are.“ - Les Goldsmith, chief executive of security firm ESD America
  17. 17. Detection is Hard “If you've been intercepted, in some cases it might show at the top that you've been forced from 4G down to 2G. But a decent interceptor won't show that,” says Goldsmith. “It'll be set up to show you [falsely] that you're still on 4G. You'll think that you're on 4G, but you're actually being forced back to 2G.” Some devices can not only capture calls and texts, but even actively control the phone and send spoof texts.
  18. 18. How they find you
  19. 19. More Examples from Shodan Remember that last year someone in the room was able to hack a Polycom phone within 30 sec of it being displayed via Shodan page – Default Passwords are a problem.
  20. 20. Security Resources from
  21. 21. Take the updated Asterisk Advanced Class for the basics. Asterisk Security Considerations
  22. 22. Copyright © 2014 Digium, The Asterisk Company 22 Goals • Security overview • Survey of common threats • Layer-by-layer security and best practice suggestions – physical – OS – network – Asterisk – SIP – dialplan • Resources
  23. 23. Look at the Asterisk Wiki
  24. 24. Asterisk Security Framework Article by Malcolm Davenport Attacks on Voice over IP networks are becoming increasingly more common. It has become clear that we must do something within Asterisk to help mitigate these attacks. Through a number of discussions with groups of developers in the Asterisk community, the general consensus is that the best thing that we can do within Asterisk is to build a framework which recognizes and reports events that could potentially have security implications. Discussion has subpages for:  Security Framework Overview  Security Event Generation  Asterisk Security Event Logger  Security Events to Log  Security Log File Format
  25. 25. Secure Calling Specifics Article by Malcolm Davenport Asterisk supports a channel-agnostic method for handling secure call requirements. Since there is no single meaning of what constitutes a "secure call," Asterisk allows the administrator the control to define "secure" for themselves via the dialplan and channel-specific configuration files. Article includes explanations and examples for:  Channel-specific configuration  Security-based dialplan branching  Forcing bridged channels to be secure
  26. 26. Secure Calling Tutorial Original tutorial by Malcolm Davenport, last modified by Rusty Newton Transport Layer Security (TLS) provides encryption for call signaling. (1.8 and above) Tutorial outline:  Overview  Part 1 (TLS) Keys The Asterisk SIP configuration Configuring a TLS-enabled SIP peer within Asterisk Configuring a TLS-enabled SIP client to talk to Asterisk Problems with server verification  Part 2 (SRTP)
  27. 27. Pay Attention to Vendor Warnings
  28. 28. FreePBX Very good at notifying of potential problems and regular updates: Pay attention to the FreePBX dashboard for update notifications  Critical FreePBX RCE Vulnerability (ALL Versions) We have been made aware of a critical Zero-Day Remote Code Execution and Privilege Escalation exploit within the legacy “FreePBX ARI Framework module/Asterisk Recording Interface (ARI)”. This affects any user who has installed FreePBX prior to version 12, and users who have updated to FreePBX 12 from a prior version and did not remove the legacy FreePBX ARI Framework module.
  29. 29. Watch out for OS Level Alerts Shellshock on Shellshock, also known as Bashdoor, is a family of security bugs (with 6 CVE's filed at the time of this page) in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet daemons, such as web servers, use Bash to process certain commands, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.
  30. 30. Protect Your System Watch for and install regular updates Do not ignore the OS updates and fixes – Run Yum update at least quarterly. Always change the default user names and passwords Keep up on the news and new attacks – Inside fraud and Phishing will remain big problems for years to come.
  32. 32. Regular Firewall Palo Alto firewalls have known problems with SIP and SIP ALG, calls can complete but no audio (media channel). Checkpoint Firewalls work fine with SIP. Fail2Ban can still cause additional problems with triggering massive whois processes that take a lot of CPU resources. (Need to kill PID for the process – sometimes you need to kill multiple PIDs).
  33. 33. Single PBX or Phone Level New products have come out in the past few years to protect SIP at the phone or enterprise PBX level. Coordinate the install with your ITSP, as there may be configuration issues to be managed (ports to open, NAT, etc.).
  34. 34. SIP Threat Manager STM is installed in front of any SIP based PBX or gateway offering several layers of security against numerous types of attacks. Block specific IPs or countries, protect your PBX against hackers trying user names and passwords, someone is trying to flood your PBX with a DDos attacks? No problem! Using the SNORT based Real Time Deep packet inspection engine, our STM analyzes each SIP packet going to your phone system, identifies the malicious and abnormal ones blocking the originating IP.
  35. 35. Firewall Example from Allo On Youtube:
  36. 36. μFirewall Using a revolutionary, patent pending process, it identifies and prevents toll fraud on a premise-based IP PBX before it happens:  Analyzes SIP packets through deep packet inspection  Stops abnormal SIP protocol usage based on pre-determined parameters  Prevents SIP denial-of-service attacks  Quietly drops malicious SIP packets rather than responding with an error to help prevent continued attacks  Neutralizes SIP attacks while they are occurring rather than identifying attacks after the fact
  37. 37. PHPARI ARI i s a mind bl owing jump f o r t r adi t i ona l a s t e r i s k int e g r a t o r s . Our obj e c t i v e i s t o c r e a t e a s impl e onl ine eng ine , tha t wi l l a l l ow f o r p e op l e t o de v e l op sho r t s t a s i s /ARI a p p l i c a t i ons , e i the r on the i r own s e r v e r s o r on a ho s t ed ins t anc e - and e xpe r iment wi th how ARI wo r k s . The s andbo x a l l ows y ou t o e xpe r iment wi th ARI and PHPARI , wi thout a ne ed t o a c tua l l y s t a r t c oding the ent i r e s t a s i s appl i c a t ion, but a c tua l l y e xpe r iment ins ide s e l f c ont a ined c ode snippe t s - v e r y much l i k e tha t J a v a s c r ipt t o o l s on the ne t .
  38. 38. Check out our Hackathon Project Check it out (and vote for it) at: 916-asterisk-ari-sandbox
  39. 39. Thank You CONTACT ME AT: