funsec mailing list archives
Re: VoIP phone bills
From: "Tomas L. Byrnes" <tomb () byrneit net>
Date: Mon, 11 Oct 2010 21:49:23 -0700
-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Rob, grandpa of Ryan, Trevor, Devon & Hannah
Sent: Monday, October 11, 2010 1:33 PM
To: funsec () linuxbox org
Subject: [funsec] VoIP phone bills

Poorly configured VoIP systems triggering enormous phone bills
http://bit.ly/c63yEx+

Intriguing, given that many companies get into VoIP more for the cost savings than the extra features. We (computer geeks) do not understand telephony.

[Tomas L. Byrnes] Umm, speak for yourself. Me:
First Job out of High School: CIT Alcatel.
First Job in the US: AT&T.
First voice over data (56kbps point-to-point meshed network using MICOM) network implementation: 1993.
Founder, and teacher of the first 2 Voice Over IP Days @ N+I, 1999 and 2000.

Securing VOIP is actually not that hard. Follow the same principles as securing a mail server: only allow authenticated, encrypted connections, and use known trunks. If you have open anonymous SIP, you're the same thing as an open relay.

That having been said, you're always at the mercy of brute forcers, and ENUM is a disaster waiting to happen (and my contention that this was the case led to a rather heated exchange between myself and Shockey at VON several years ago).

The good news is, in most cases, your PBX needs to talk to a very limited number of very well known, static IPs.

For those who need to be more world-accessible, there are a few people working on SPIT block lists, and ThreatSTOP is testing them on our own VOIP systems. We'll probably offer one in the near future.

Yet we are willing to roll these unknown threats into our known data network threats and create one giant insecurity. And, as I keep telling people, phreaking is the one form of attack that costs you real money, right now.

[Tomas L. Byrnes] And has since before the Internet was available outside of academia. Long before there was much in the way of cracking computers there was blue-boxing. Even without blue-boxing, individuals have been bypassing tolls using known dial-ins to various private branch exchanges of large distributed companies (retail chains have always been a favorite) that allowed dial-out for decades. There's nothing new under the sun, just new ways of doing it.

(Even phishing only gets them the account numbers, and then they have to do something else to get the money.)

====================== (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca    slade () victoria tc ca    rslade () computercrime org
If you're not part of the solution, you're part of the precipitate
victoria.tc.ca/techrev/rms.htm
blog.isc2.org/isc2_blog/slade/index.html
http://blogs.securiteam.com/index.php/archives/author/p1/
http://www.infosecbc.org/links
http://twitter.com/rslade

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
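The "known trunks only, no open anonymous SIP" advice in the reply above, turned into a log check as an added example (this is not code from the thread, from the list, or from ThreatSTOP): it scans constructed PBX signaling log lines for calls the PBX accepted from sources outside an allow-list of trunk and handset networks, and for REGISTER brute forcing. The log line format, the peer networks and every address in it are assumptions made up for the example.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Peers the PBX is meant to talk to: two carrier trunks and the LAN the
# handsets live on (constructed values, not from the thread).
ALLOWED_PEERS = [ip_network("203.0.113.0/28"), ip_network("198.51.100.7/32"),
                 ip_network("10.0.0.0/24")]

# Constructed sample of a PBX signaling log (one line per SIP request/response).
SAMPLE_LOG = """\
2010-10-11T21:01:02 INVITE from=203.0.113.5 user=trunk1 status=200
2010-10-11T21:01:05 REGISTER from=10.0.0.21 user=1001 status=200
2010-10-11T21:01:09 REGISTER from=192.0.2.44 user=1001 status=401
2010-10-11T21:01:10 REGISTER from=192.0.2.44 user=1002 status=401
2010-10-11T21:01:11 REGISTER from=192.0.2.44 user=1003 status=401
2010-10-11T21:02:30 INVITE from=192.0.2.99 user=anonymous status=200
2010-10-11T21:02:45 INVITE from=192.0.2.77 user=anonymous status=403
2010-10-11T21:03:00 INVITE from=198.51.100.7 user=trunk2 status=200
"""

def parse_line(line):
    """Split '<ts> <METHOD> k=v k=v ...' into a record with a parsed IP."""
    ts, method, *kv = line.split()
    f = dict(p.split("=", 1) for p in kv)
    return {"ts": ts, "method": method, "ip": ip_address(f["from"]),
            "user": f["user"], "status": int(f["status"])}

def is_allowed_peer(ip):
    return any(ip in net for net in ALLOWED_PEERS)

def audit(log_text, brute_threshold=3):
    """Return (open_relay_sources, brute_force_sources), both sorted.
    open_relay_sources: IPs outside ALLOWED_PEERS whose INVITE was accepted
      (200). That is the 'open anonymous SIP' condition: the PBX completed a
      call for a stranger, which is what runs up the phone bill.
    brute_force_sources: IPs with >= brute_threshold REGISTERs answered 401,
      i.e. someone guessing extension credentials.
    """
    accepted, failures = set(), Counter()
    for line in log_text.splitlines():
        r = parse_line(line)
        if r["method"] == "INVITE" and r["status"] == 200 \
                and not is_allowed_peer(r["ip"]):
            accepted.add(str(r["ip"]))
        if r["method"] == "REGISTER" and r["status"] == 401:
            failures[str(r["ip"])] += 1
    brute = {ip for ip, n in failures.items() if n >= brute_threshold}
    return sorted(accepted), sorted(brute)
```

On the sample log, `audit(SAMPLE_LOG)` returns `(['192.0.2.99'], ['192.0.2.44'])`; a deny-by-default ACL in front of the PBX that admits only ALLOWED_PEERS would have left both lists empty.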
Current thread:
- VoIP phone bills Rob, grandpa of Ryan, Trevor, Devon & Hannah (Oct 11)
- Re: VoIP phone bills der Mouse (Oct 11)
- Re: VoIP phone bills Tomas L. Byrnes (Oct 11)