funsec mailing list archives

Re: VoIP phone bills


From: "Tomas L. Byrnes" <tomb () byrneit net>
Date: Mon, 11 Oct 2010 21:49:23 -0700



-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org]
On Behalf Of Rob, grandpa of Ryan, Trevor, Devon & Hannah
Sent: Monday, October 11, 2010 1:33 PM
To: funsec () linuxbox org
Subject: [funsec] VoIP phone bills

Poorly configured VoIP systems triggering enormous phone bills

http://bit.ly/c63yEx+

Intriguing, given that many companies get into VoIP more for the cost
savings than the extra features.  We (computer geeks) do not understand
telephony.
[Tomas L. Byrnes] 

Umm speak for yourself:

Me- 

First Job out of High School: CIT Alcatel.

First Job in the US: AT&T

First voice over data (56kbps point to point meshed network using MICOM)
network implementation: 1993

Founder, and teacher of the first 2 Voice Over IP Days @ N+I, 1999 and
2000.

Securing VOIP is actually not that hard. Follow the same principles as
securing a mail server: only allow authenticated, encrypted,
connections, and use known trunks. If you have open anonymous SIP,
you're the same thing as an open relay.

That having been said, you're always at the mercy of brute forcers, and
ENUM is a disaster waiting to happen (and my contention that this was
the case led to a rather heated exchange between myself and Shockey at
VON several years ago). 

The good news is, in most cases, your PBX needs to talk to a very
limited number of very well known, static, IPs. For those who need to be
more world-accessible, there are a few people working on SPIT block
lists, and ThreatSTOP is testing them on our own VOIP systems. We'll
probably offer one in the near future.



Yet we are willing to roll these unknown threats into our known data
network threats and create one giant insecurity.

And, as I keep telling people, phreaking is the one form of attack
that costs you real money, right now.
[Tomas L. Byrnes] 

And has since before the Internet was available outside of academia.

Long before there was much in the way of cracking computers there was
blue-boxing. Even without blue-boxing, individuals have been bypassing
tolls using known dial-ins to various private branch exchanges of large
distributed companies (retail chains have always been a favorite) that
allowed dial-out for decades. 

There's nothing new under the sun, just new ways of doing it. 

(Even phishing only gets them the account numbers, and then they have
to do something else to get the money.)

======================  (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca     slade () victoria tc ca     rslade () computercrime org
 If you're not part of the solution, you're part of the precipitate
victoria.tc.ca/techrev/rms.htm
blog.isc2.org/isc2_blog/slade/index.html
http://blogs.securiteam.com/index.php/archives/author/p1/
http://www.infosecbc.org/links http://twitter.com/rslade
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

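The "known trunks only" rule and the brute-forcer point from the reply above, as an added example that is not from this thread or from any poster's code: it counts failed SIP registrations in constructed Asterisk-style chan_sip log lines (the format is an assumption) and checks each source against a placeholder allowlist of static trunk-provider addresses, blocking anything outside it (the open-relay case) and flagging known sources that hammer the PBX.

```python
import ipaddress
import re
from collections import Counter

# Constructed placeholders for the static provider addresses the PBX is meant to talk to.
KNOWN_TRUNKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/29", "198.51.100.10/32")]

# Constructed sample lines in an Asterisk-style chan_sip format (an assumed format, not from the thread).
SAMPLE_LOG = """\
[Oct 11 13:32:01] NOTICE[2210] chan_sip.c: Registration from '"100" <sip:100@pbx.example>' failed for '192.0.2.55:5060' - Wrong password
[Oct 11 13:32:02] NOTICE[2210] chan_sip.c: Registration from '"101" <sip:101@pbx.example>' failed for '192.0.2.55:5060' - No matching peer found
[Oct 11 13:32:02] NOTICE[2210] chan_sip.c: Registration from '"102" <sip:102@pbx.example>' failed for '192.0.2.55:5060' - No matching peer found
[Oct 11 13:40:10] NOTICE[2210] chan_sip.c: Registration from '"200" <sip:200@pbx.example>' failed for '203.0.113.3:5060' - Wrong password
[Oct 11 13:40:11] NOTICE[2210] chan_sip.c: Registration from '"200" <sip:200@pbx.example>' failed for '203.0.113.3:5060' - Wrong password
[Oct 11 13:40:11] NOTICE[2210] chan_sip.c: Registration from '"201" <sip:201@pbx.example>' failed for '203.0.113.3:5060' - Wrong password
[Oct 11 13:40:12] NOTICE[2210] chan_sip.c: Registration from '"202" <sip:202@pbx.example>' failed for '203.0.113.3:5060' - Wrong password
[Oct 11 13:40:12] NOTICE[2210] chan_sip.c: Registration from '"203" <sip:203@pbx.example>' failed for '203.0.113.3:5060' - Wrong password
[Oct 11 14:02:30] NOTICE[2210] chan_sip.c: Registration from '"300" <sip:300@pbx.example>' failed for '198.51.100.10:5060' - Wrong password
"""

FAIL_RE = re.compile(r"Registration from .* failed for '(?P<ip>[0-9.]+):\d+' - (?P<reason>.+)$")

def is_known_trunk(ip: str) -> bool:
    """True if the source lies inside one of the provider ranges the PBX should accept."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_TRUNKS)

def failed_registrations(log_text: str) -> Counter:
    """Count failed REGISTER attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

def classify(log_text: str, threshold: int = 5) -> dict:
    """Per failing source: block anything that is not a known trunk (the open-relay case),
    block a known trunk that exceeds the failure threshold (brute force), otherwise watch."""
    verdicts = {}
    for ip, n in failed_registrations(log_text).items():
        if not is_known_trunk(ip):
            verdicts[ip] = "block: unknown source"
        elif n >= threshold:
            verdicts[ip] = "block: brute force from trunk range"
        else:
            verdicts[ip] = "watch"
    return verdicts
```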

