> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Rob, grandpa of Ryan, Trevor, Devon & Hannah
> Sent: Monday, October 11, 2010 1:33 PM
> To: [email protected]
> Subject: [funsec] VoIP phone bills
>
> Poorly configured VoIP systems triggering enormous phone bills
>
> http://bit.ly/c63yEx+
>
> Intriguing, given that many companies get into VoIP more for the cost
> savings than the extra features. We (computer geeks) do not understand
> telephony.

[Tomas L. Byrnes] Umm, speak for yourself. Me:

- First job out of high school: CIT Alcatel.
- First job in the US: AT&T.
- First voice over data network implementation (56 kbps point-to-point meshed network using MICOM): 1993.
- Founder and teacher of the first 2 Voice Over IP Days @ N+I, 1999 and 2000.

Securing VOIP is actually not that hard. Follow the same principles as securing a mail server: only allow authenticated, encrypted connections, and use known trunks. If you have open anonymous SIP, you're the same thing as an open relay.

That having been said, you're always at the mercy of brute forcers, and ENUM is a disaster waiting to happen (and my contention that this was the case led to a rather heated exchange between myself and Shockey at VON several years ago).

The good news is, in most cases, your PBX needs to talk to a very limited number of very well known, static IPs.

For those who need to be more world-accessible, there are a few people working on SPIT block lists, and ThreatSTOP is testing them on our own VOIP systems. We'll probably offer one in the near future.

> Yet we are willing to roll these unknown threats into our known data
> network threats and create one giant insecurity.
>
> And, as I keep telling people, phreaking is the one form of attack that
> costs you real money, right now.

[Tomas L. Byrnes] And has since before the Internet was available outside of academia. Long before there was much in the way of cracking computers, there was blue-boxing. Even without blue-boxing, individuals have been bypassing tolls using known dial-ins to various private branch exchanges of large distributed companies (retail chains have always been a favorite) that allowed dial-out for decades. There's nothing new under the sun, just new ways of doing it.

> (Even phishing only gets them the account numbers, and then they have to
> do something else to get the money.)
>
> ====================== (quote inserted randomly by Pegasus Mailer)
> [email protected] [email protected] [email protected]
> If you're not part of the solution, you're part of the precipitate
> victoria.tc.ca/techrev/rms.htm blog.isc2.org/isc2_blog/slade/index.html
> http://blogs.securiteam.com/index.php/archives/author/p1/
> http://www.infosecbc.org/links http://twitter.com/rslade

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
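The two operational points in Byrnes's reply (a PBX should only be talking to a short, static list of known trunks and phones, and even then it will be hammered by SIP brute forcers) can be checked from the PBX's own security log. The script below is an added example written for this page; it is not code from the thread, from ThreatSTOP, or from any PBX vendor. The log lines are constructed for the example and only loosely modelled on the shape of Asterisk's security event log; the field names, the `KNOWN_PEERS` list and the thresholds are assumptions, not a specification.

```python
"""
Added example (not from the funsec thread): flag SIP brute forcing and
SIP traffic from hosts that are not on the PBX's known-peer list.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log. Addresses are RFC 5737 documentation ranges.
# 203.0.113.7 hammers six accounts in ten seconds, 203.0.113.9 tries twice,
# 198.51.100.10 is the carrier trunk, 10.0.0.21 is a desk phone with one typo.
SAMPLE_LOG = """\
[2010-10-11 13:40:01] SECURITY: SecurityEvent="InvalidPassword",Service="SIP",AccountID="100",RemoteAddress="IPV4/UDP/203.0.113.7/5060"
[2010-10-11 13:40:03] SECURITY: SecurityEvent="InvalidPassword",Service="SIP",AccountID="101",RemoteAddress="IPV4/UDP/203.0.113.7/5060"
[2010-10-11 13:40:05] SECURITY: SecurityEvent="InvalidPassword",Service="SIP",AccountID="102",RemoteAddress="IPV4/UDP/203.0.113.7/5060"
[2010-10-11 13:40:07] SECURITY: SecurityEvent="InvalidPassword",Service="SIP",AccountID="103",RemoteAddress="IPV4/UDP/203.0.113.7/5060"
[2010-10-11 13:40:09] SECURITY: SecurityEvent="InvalidPassword",Service="SIP",AccountID="104",RemoteAddress="IPV4/UDP/203.0.113.7/5060"
[2010-10-11 13:40:11] SECURITY: SecurityEvent="InvalidPassword",Service="SIP",AccountID="105",RemoteAddress="IPV4/UDP/203.0.113.7/5060"
[2010-10-11 13:41:00] SECURITY: SecurityEvent="SuccessfulAuth",Service="SIP",AccountID="trunk",RemoteAddress="IPV4/TLS/198.51.100.10/5061"
[2010-10-11 13:41:30] SECURITY: SecurityEvent="SuccessfulAuth",Service="SIP",AccountID="200",RemoteAddress="IPV4/TLS/10.0.0.21/5061"
[2010-10-11 13:42:00] SECURITY: SecurityEvent="InvalidPassword",Service="SIP",AccountID="200",RemoteAddress="IPV4/UDP/203.0.113.9/5060"
[2010-10-11 13:49:00] SECURITY: SecurityEvent="InvalidPassword",Service="SIP",AccountID="200",RemoteAddress="IPV4/UDP/203.0.113.9/5060"
[2010-10-11 13:55:00] SECURITY: SecurityEvent="InvalidPassword",Service="SIP",AccountID="200",RemoteAddress="IPV4/TLS/10.0.0.21/5061"
"""

# Assumed allow-list: the carrier trunk and the office phone subnet.
KNOWN_PEERS = ["198.51.100.10/32", "10.0.0.0/24"]

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] SECURITY: '
    r'SecurityEvent="(?P<event>[^"]+)",Service="(?P<service>[^"]+)",'
    r'AccountID="(?P<account>[^"]*)",'
    r'RemoteAddress="IPV4/(?P<proto>UDP|TCP|TLS)/(?P<ip>[0-9.]+)/(?P<port>\d+)"$'
)


def parse_events(text):
    """Turn log text into a list of dicts; lines that are not security events are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
        e["ip"] = ip_address(e["ip"])
        events.append(e)
    return events


def find_brute_forcers(events, threshold=5, window_minutes=5):
    """Return {ip: total_failures} for sources with `threshold` or more failed
    SIP authentications inside any sliding window of `window_minutes`."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    for e in events:
        if e["service"] == "SIP" and e["event"] == "InvalidPassword":
            failures[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        # Compare each failure with the (threshold-1)th one after it.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[str(ip)] = len(times)
                break
    return flagged


def find_unknown_peers(events, allowed=KNOWN_PEERS):
    """Return sorted source IPs that sent SIP traffic but are not on the allow-list.
    Per Byrnes, these should be a small, static set; anything else is a policy gap."""
    nets = [ip_network(n) for n in allowed]
    return sorted({str(e["ip"]) for e in events
                   if e["service"] == "SIP" and not any(e["ip"] in n for n in nets)})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("brute forcers:", find_brute_forcers(evs))
    print("unknown peers:", find_unknown_peers(evs))
```

The unknown-peer check is the one that corresponds to "use known trunks": in a well-locked-down deployment the second list should be empty, because the firewall in front of the PBX only passes SIP from those networks and the PBX itself refuses anonymous registrations. The brute-force check is the residual risk Byrnes describes for systems that must stay reachable from the wider Internet; its output is what you would feed to a blocklist or rate limiter.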
