
VoIP Security 101 what you need to know

As presented at ITExpo 2017 and the April Peerlyst Tel-Aviv security Meetup.
Can your company afford to ignore VoIP security? With the number of attacks on telephone services and mobile devices, your chance of being attacked, and your financial liability, is at an all-time high. This session offers an introductory primer to securing your VoIP PBX. The talk explains common attacks, how attackers find you, and common techniques you can use to defend your company.


  1. VoIP Security 101 - What You Need to Know. Eric Klein, VP Operations
  2. A little about myself: VoIP fraud prevention evangelist; startup advisor and enthusiast; author and blogger on technology and travel (security chapter out this week, first novel in edit); relatively new grandfather (photos upon request).
  3. Greenfield is passionate about delivering the right telecom solutions. Greenfield provides creative high-end solutions and services for telecom operators, enterprises, and start-ups. We enjoy making tech dreams a reality by developing and delivering simple, feasible, affordable and reliable solutions to challenges that seem 'impossible'. We believe that in order to help you achieve your goals, we must fully immerse ourselves in your business and see ourselves as a part of your organization. We sometimes speak out when other consultants would not, with your best interests in mind.
  4. Who is Attacking
  5. Who is out there looking for your phone?
     • Organized crime: low risk, high return crime
     • Terrorists: use the funds to fund more terror
     • Kids: for fun and bragging rights (think Steve Jobs)
     • Hackers for hire: a fully outsourced service for criminal or terrorist organizations
  6. How Much Are They Attacking. The next report should come out in November 2017.
  7. Key Findings
     • 2015 global fraud loss: $38.1 billion (USD) annually
     • 89% of operators surveyed said fraud losses had increased or stayed the same compared with the previous year
     • Top 5 fraud methods: $3.93B PBX hacking; $3.53B IP PBX hacking; $3.53B subscription fraud (application); $3.14B dealer fraud; $2.55B subscription fraud (identity)
     This means you or your customers can be hit.
  8. Where do they call? (Destination chart shown on the slide.) Do you need to allow traffic to these destinations?
  9. What They Get From Attacking: easy cash from free phone calls at your expense, from reselling phone services, and from premium calls (1-900) where they get a revenue share. In very rare cases, bragging rights (but that is now mostly history).
  10. Fast and Furious. They were fast and he was furious: a story told by an audience member at the security panel on the last day of Astricon 2011 in Denver. A customer called and asked for the default password, as they wanted to configure their PBX and connect it to the internet. He gave them the password and then connected to the PBX himself to watch what would happen. In under 10 minutes the PBX was found and hacked, with new extensions created and outbound calls being made. So how did they find this PBX?
  11. How do they find you?
  12. Internet Census: 50 GB of data collected and published. It was collected by using bots on unsecured internet devices (default username/password). If one client scans ten IP addresses per second, it takes approximately 4000 clients to scan one port on all 3.6 billion IP addresses of the Internet in one day. They used ~420K clients. (Botnet distribution map shown on the slide.)
  13. Be Careful in What You Advertise. Which is scarier: exposing that you are accessible via port 22 or via port 80?
  14. Shodan found 11,192,438 SIP devices using a simple Google-like search.
  15. Be Careful in What You Advertise. Why make it easy for them not only to find you, but to know what you are running? Do you want to let them exploit known security holes or default passwords?
  16. The SIPVicious suite is a set of tools that can be used to audit SIP-based VoIP systems. It currently consists of four tools:
     • svmap: a SIP scanner. When launched against ranges of IP address space, it identifies any SIP servers it finds on the way (lists SIP devices found on an IP range). It also has the option to scan hosts on ranges of ports.
     • svwar: traditionally a war dialer was used to call up numbers on the phone network to separate the interesting ones from the rest. With SIP you can do something similar to identify active users (identifies active extensions on a PBX).
     • svcrack: a password cracker making use of digest authentication (an online password cracker for SIP PBXs). It can crack passwords on both registrar servers and proxy servers, using ranges of numbers or a dictionary file of possible passwords.
     • svreport: manages the sessions created by the other tools and exports them to PDF, XML, CSV and plain text.
  17. What can you do?
  18. Hardening your system: basic methodologies and best practices for configuring Asterisk PBXs. What have we learned from monitoring and auditing Asterisk PBXs, and how can you avoid the common mistakes?
  19. Let's start with the corporate level
  20. Common Policy Problems: incomplete, non-existent, or unenforced password policies
     • Server / PBX passwords: multiple PBXs using the same password; root access and the web client interface using the same password (if any)
     • Phone and extension passwords: default password on the PBX (or GUI); identical or default SIP passwords for all phones; identical or default voicemail passwords for all extensions
     • No update policy for PBX software or phone firmware
     • No mailbox policies: who/which extensions get voicemail, and when to close them
     • No allowed / denied destination policies: do all employees need to call all countries? Who does and who does not?
     • No policy to monitor phone usage / activity
  21. Internal Fraud is the Worst. Do you need a courtesy phone? Does it really need long distance dialing? International dialing? A voicemail box? What about break room, copy, or conference rooms? Do you need these 24 x 7?
  22. Be aware of the problem; harden your system; set proper policies
     • Does everyone need it (international calls, calls via the PBX, etc.)? Who needs it? Why, and is there a better solution or security option?
     • Lock things down if they are not needed
     • Don't allow pass-through dialing (unless needed, and then limit it)
     • Use multi-layer solutions
     • Use audit and monitoring solutions
  23. Don't Use Default Passwords. Why make it easier for them?
     • Use harder-to-hack passwords/phrases. Longer is better (there is now a bot that can crack a 4-digit cell phone screen lock automatically, and similar things work for electronic passwords).
     • Consider using Fail2ban as one of the layers in your security, as it will lock out repeated attempts to guess a password.
     • Make sure that only a few people have access to the system: humans are one of the weakest links in security, via phishing or internal attacks.
  24. Check Your Contracts (Liability)
     • Find out what your contract says about fraudulent calls and your liability.
     • Find out if your carrier offers monitoring or limiting of amounts to some countries, and learn how to activate these if needed. Which are automatic? Can you set the limits? Do they notify you or cut you off?
     • Blocking premium numbers or calls to international destinations: can these be configured by extension (let the President's assistant call anywhere but not the lobby phone)? Can they be configured by day of week / time of day?
  25. Let's look at the operating system level
  26. Common Server Policy Problems: incomplete, non-existent, or unenforced password policies
     • Many had identical default SIP passwords for all phones that were never changed
     • Many had identical default voicemail passwords for all extensions that were never changed
     • Server / PBX passwords: multiple PBXs using the same password; root access and the web client interface using the same password (if any)
     • No update policy for the server OS, Apache, or other server software
  27. Audit Results: server and OS level problems found per PBX, by severity
     Severity   Average   Most
     High       18.6      117
     Medium     8.75      54
     Low        8.8       32
     Conclusion: you need an update policy with regular security updates for the server, not just for the Asterisk software.
  28. Examples of OS and server level findings
     • http (80/tcp), High (CVSS 7.8), NVT: Apache httpd Web Server Range Header Denial of Service Vulnerability (OID: …)
     • general/tcp, High (CVSS 10.0), NVT: Kerberos5 Multiple Integer Underflow Vulnerabilities (OID: …)
     • general/tcp, High (CVSS 10.0), NVT: CentOS Update for kernel CESA-2010:0610 centos5 i386 (OID: …)
     • general/tcp, High (CVSS 10.0), NVT: mpg123 Player Denial of Service Vulnerability (Linux) (OID: …)
     To fix: perform a full system update, e.g. su -c 'yum update'
  29. Let's consider the Asterisk PBX
  30. Common Configuration Problems: not protecting from common attacks
     • Context for SIP trunks to external destinations set as if they were internal extensions
     • Old PBXs, extensions, and SIP trunks still configured even though they are not in use
     • Voice and data in a flat configuration (both on the same subnet)
     • Misconfiguration of Dial commands
  31. Block Simple Enumeration Attacks. Systems like SIPVicious use enumeration attacks to identify target SIP devices and their valid extensions: without protection, a request for a non-existent extension gets a different response from a wrong password on a real one, so the scanner can list your extensions before it starts guessing passwords. In Asterisk you can enable this protection by setting the following in your sip.conf: alwaysauthreject=yes. With it set, both cases get the same response. In recent FreePBX versions this can be configured via the SIP Settings option under the Settings tab (use the Other SIP Settings options at the bottom of the page); older versions require that you change it in sip.conf manually.
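A minimal chan_sip sip.conf that applies this setting together with the other peer-level hardening the deck recommends (no guest calls, a trunk that lands in its own inbound context, phones restricted to the voice VLAN). This is an added example, not configuration from the talk; the peer names, secret, addresses and context names are placeholders, and the contexts it references (no-service, from-trunk, sales-employees) must exist in extensions.conf.

```ini
; sip.conf for chan_sip (Asterisk 1.8 through 13). Added example, not from the slides.
; All names, addresses and the secret below are placeholders.

[general]
context=no-service          ; unauthenticated callers land in a context that only hangs up
allowguest=no               ; refuse INVITEs that do not match a configured peer
alwaysauthreject=yes        ; unknown user and wrong password get the same 401,
                            ; so svwar cannot tell a real extension from a non-existent one
;udpbindaddr=10.1.20.5      ; bind only the voice VLAN address if the PBX need not face the Internet

; --- SIP trunk: calls from the provider go to a dedicated inbound context ---
[trunk-provider]
type=peer
host=sip.example-provider.net        ; placeholder hostname
context=from-trunk                   ; NOT from-internal: no outbound dial patterns in there
insecure=invite                      ; provider is matched by host, not by our secret
qualify=yes

; --- Desk phone: long random secret, registrations only from the voice VLAN ---
[101]
type=friend
secret=Vb7!kq2PwX9zL0tR              ; placeholder; unique per phone, never the vendor default
context=sales-employees              ; the context decides what this phone may dial
host=dynamic
deny=0.0.0.0/0.0.0.0
permit=10.1.20.0/255.255.255.0       ; voice VLAN only; an Internet-sourced REGISTER is refused
qualify=yes
```

After `sip reload` you can check the effect with svwar against the PBX from a test host: every probed extension should come back identically, whether or not it exists. If some extensions still stand out, look for a peer section that overrides the [general] settings.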
  32. Prevent Basic Hack Attempts
     • Don't be on the public Internet (have an SBC, firewall, and NAT in front of the PBX)
     • Don't keep the default passwords on the server or PBX
     • Use Fail2ban to help block repeated attempts to log in to the server or register to the PBX
     • Change the advertised name of the PBX (so sites like Shodan will not display what you run). This hides the product and version, not the fact that a SIP service is reachable, so it complements the first point rather than replacing it.
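The Fail2ban layer mentioned on this slide and on slide 23, as an added example (not configuration from the talk). It assumes a Fail2ban release that ships the stock asterisk filter (filter.d/asterisk.conf) and that Asterisk's logger.conf has a `security => security` line so that authentication failures are also written to the security log; the addresses in ignoreip are placeholders for your voice VLAN and your provider's signalling address.

```ini
# /etc/fail2ban/jail.local. Added example, not from the slides.
# Assumes the stock filter.d/asterisk.conf shipped with Fail2ban and an Asterisk
# logger.conf containing "security => security". Addresses are placeholders.
[asterisk]
enabled   = true
filter    = asterisk
# both files: chan_sip "Registration from ... failed" lines and SecurityEvent lines
logpath   = /var/log/asterisk/messages
            /var/log/asterisk/security
# SIP signalling is UDP 5060 and media is a wide RTP range, so ban the source everywhere
banaction = iptables-allports
# five failed REGISTER/INVITE authentications within ten minutes bans the source for a day
maxretry  = 5
findtime  = 600
bantime   = 86400
# never ban the voice VLAN or the trunk provider (placeholder addresses)
ignoreip  = 127.0.0.1/8 10.1.20.0/24 203.0.113.10
```

Before relying on it, confirm the filter actually matches your Asterisk version's log lines: `fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk.conf` prints how many lines matched. A jail that is enabled but matches nothing gives a false sense of protection, which is exactly the kind of gap the audits on slides 26 and 27 turned up.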
  33. Incorrect Contexts. Using the from-internal context for a trunk means all calls on that route or trunk are treated as if they came from an internal phone, with all the rights and privileges that includes: making outbound calls and setting call forwarding. Combining the two makes it possible to use your PBX as a free long-distance phone company. Be generous: use as many contexts as you have different dialing authorities or use cases, for example from-sip-provider, from-iax2, from-sales-employees, from-courtesy-phone.
  34. Be Careful With Dial Commands. In order to enable call transfers you have to use the "t" or "T" option of the Dial command: "t" lets the called party transfer, "T" lets the calling party transfer. A common configuration mistake, due to lack of understanding by many admins, is to give inbound callers the transfer option. Doing this opens a way for anyone who dials in to transfer their call to any PBX function reachable from their context, including call forwarding, voicemail, and, if the context allows it, outbound routes.
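An extensions.conf that shows both problems from slides 33 and 34 side by side: a context that treats inbound trunk calls like internal ones and hands the outside caller the transfer option, and the corrected layout with one context per dialing authority. This is an added example, not the configuration shown in the talk; the DID, extension numbers, peer name and context names are placeholders, and the "mistake" block is a reconstruction of the pattern the slide warns about, not the screenshot from the deck.

```ini
; extensions.conf. Added example, not from the slides. DID, extension numbers,
; the trunk peer name and all context names are placeholders.

; ---- THE MISTAKE: inbound calls handled like internal ones ----
; (a trunk peer with context=from-internal gets this behaviour for free)
[inbound-mistake]
exten => _X.,1,Dial(SIP/100,30,tT)     ; 'T' lets the OUTSIDE caller press the transfer
                                        ; code from features.conf; the transfer target is
                                        ; looked up in the caller's context, which ...
include => outbound-international       ; ... can reach every outbound route. Free calls.

; ---- CORRECTED: one context per dialing authority ----
[from-trunk]                            ; "context=from-trunk" on the provider's peer
exten => 18055551234,1,NoOp(Inbound DID for reception)
 same => n,Dial(SIP/100,25,t)           ; 't' only: our phone may transfer, the caller may not
 same => n,VoiceMail(100@default,u)
 same => n,Hangup()
exten => _X.,1,NoOp(Unknown DID ${EXTEN} on trunk, dropping)
 same => n,Hangup()                     ; no outbound include here: nothing to dial through

[sales-employees]                       ; desk phones in sales: internal plus domestic
include => internal-extensions
include => outbound-domestic

[courtesy-phone]                        ; lobby phone: internal only, no outbound at all
include => internal-extensions

[no-service]                            ; "context=" in sip.conf [general] for guests
exten => _X.,1,Hangup()

[internal-extensions]
exten => _1XX,1,Dial(SIP/${EXTEN},25,tT)   ; both sides are internal, transfers allowed
 same => n,VoiceMail(${EXTEN}@default,u)
 same => n,Hangup()

[outbound-domestic]
exten => _1NXXNXXXXXX,1,Dial(SIP/trunk-provider/${EXTEN})
 same => n,Hangup()

[outbound-international]                ; only included where the policy allows it
exten => _011.,1,Dial(SIP/trunk-provider/${EXTEN})
 same => n,Hangup()
```

The test after `dialplan reload` is the one the slide implies: call the DID from an outside phone, press the blind-transfer code from features.conf during the call, and dial an international number. With the corrected dialplan the transfer never starts, because the outside leg has no "T" and its context has no outbound pattern to reach anyway. `dialplan show from-trunk` in the Asterisk CLI is a quick way to confirm a trunk context contains no include of an outbound route.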
  35. Let's finish at the physical level
  36. Who has access
     • To the server room
     • To the office in off hours (nights/weekends/holidays)
  37. Keep up with current events
  38. Watch the news and follow events
     • Two years ago the European courts killed Safe Harbor, which provided the legal ability for US companies to serve European customers.
     • A new law went into effect last July. More than 1,500 companies, including Apple, Google and Microsoft, had agreed to abide by the Privacy Shield agreement, which requires the US Department of Commerce to ensure that American companies are operating in compliance with EU privacy laws.
     • It is now in very real danger of unravelling, thanks to an Executive Order that Trump signed against refugees. Specifically, Section 14, which reads: "Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information."
     Full text: executive-order-enhancing-public-safety-interior-united
  39. Shameless plug
  40. More details in a free book: more about this topic is in Peerlyst eBook 2, Essentials of Cybersecurity. Chapter 9 is Telecom 101. You can download it for free here (requires signup):
  41. Thank You. Contact me at: Skype: EricLKlein; US +1 805 410 1010; UK +44 291 100 8888; IL +972 73 255 7799