Re: [asterisk-users] fraud advice

2010-10-18 Thread SIP
  On 10/14/10 9:10 PM, Jeff LaCoursiere wrote:
 Hi,

 Embarrassed as I am to write this, I am hoping for some advice.  One of
 our very first PBX installs, now six years old, was taken advantage of
 over the past few weeks.  A victim of sipvicious, I assume, that managed
 to guess one of the SIP passwords.  4000 calls to various middle eastern
 destinations have been placed, which ended up being sent over our
 customer's PSTN trunk, and of course there was no warning until the bill
 came today.  Unfortunately the bill only covered the first few days of
 this fiasco, and was only $700.  I am afraid the one that is on the way
 will be tens of thousands.  ONE CALL on the bill that just arrived was
 $200 (80 minutes to Sierra Leone).

 I'm sure this started out as a single scan.  It must have been posted,
 because I have at least ten IP addresses now that were placing calls via
 the same peer.  They are from all over the world.

 So what is the accepted procedure?  I'm in the US Virgin Islands, so do I
 go to the FBI?  Police?  Is there some telecom fraud body to report such
 things to?  Does anyone ever get any relief from such events?

 I'm basically sick to my stomach right now.

 j

We were hit several times in our early days with PRS fraud that ended up 
costing us DEARLY. We contacted the FBI, but they were completely 
unhelpful. The origin of the caller was Egypt (using a network in Egypt 
that has long been a front for criminal activity, so the networking 
people on that end were less than useless), and the Egyptian cyber fraud 
division is two guys with a yahoo email address. The FBI contacted them, 
but they were neither equipped nor entirely willing to be of any real 
help in tracking down the perpetrator. It doesn't hurt to contact the 
FBI, though. They may already have an open investigation into the 
individual or group responsible and need the information for their case. 
But do not expect them to be able to do much.

Eventually, some of our debt was quashed by the provider who had 
violated their own policies in charging us for unlisted premium rate 
services, but it changed the entire way we do business.

Unfortunately, it's now MUCH more difficult to pay us money than it used 
to be, and that's turned a lot of customers off, but we've had no 
problems with PRS fraud since.


N.

-- 
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
   http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users


Re: [asterisk-users] fraud advice (Also advice on using ipbanning)

2010-10-17 Thread --[ UxBoD ]--

- Original Message -


When we designed our systems on asterisk we designed it to be multi-tenant. So 
we use customer prefixes on all extensions. This allows us to have multiple 
customers using the same extension pools. It also reduces the hack footprint 
as hackers must know the prefix for a customer to try and brute force things. 
All passwords use 8+ characters with alpha/numeric and special characters. 

As I see it Asterisk does very well keeping out the hackers if you use a solid 
design in your peer and dialplans. At the least put an alpha character post or 
pre, otherwise you are just asking for it. Use your head, you can be smarter 
than they are. 

We are looking into ipban as well. If anyone has an example of ipban I would 
love to see how best to implement it. In a 4 year period we have not had a 
breach but we do get about 10 to 15 hack attempts a week. We have blocking 
scripts that block IPs at the primary firewall but I would like to trigger the 
ipban at each switch level. Could I also use the ipban method to trigger the 
auto updates to our primary firewalls? Any advice is appreciated. 


Bryant 



You could also use OSSEC http://www.ossec.net and a custom decoder and rule: 

<decoder name="local-asterisk-denied">
  <prematch>NOTICE[\d+] \S+: Registration from </prematch>
  <regex offset="after_prematch">^\S+ failed for '(\d+.\d+.\d+.\d+)'</regex>
  <order>srcip</order>
</decoder>

<rule id="110005" level="5">
  <decoded_as>local-asterisk-denied</decoded_as>
  <description>Asterisk Potentially Under Attack</description>
</rule>

<rule id="110006" level="10" frequency="5" timeframe="10">
  <if_matched_sid>110005</if_matched_sid>
  <same_source_ip />
  <description>Asterisk Under Brute Force Attack</description>
</rule>
-- 
Thanks, Phil 
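The detection logic of the decoder and the two rules above, run over sample log lines, as an added example that is not part of the original message and not OSSEC code. It assumes the default Asterisk log timestamp without a year; the function names, the sample lines and the plain "5 failures in 10 seconds" counting are constructed for illustration, and OSSEC's own handling of frequency may fire on a different event.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Failed-REGISTER notice from chan_sip, as matched by the decoder above.
# The text between the first pair of quotes comes from the caller's request,
# so the greedy ".*" takes the address from the final "failed for" field,
# which Asterisk writes itself. The optional ":port" is an addition for
# releases that log 'ip:port'; the decoder's pattern would not match those.
FAILED_REG = re.compile(
    r"^\[(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\] \S+: "
    r"Registration from '.*' failed for "
    r"'(?P<ip>\d+\.\d+\.\d+\.\d+)(?::\d+)?' - (?P<reason>.+)$"
)


def source_ip(line):
    """Return the source address of a failed registration, or None."""
    m = FAILED_REG.match(line)
    return m["ip"] if m else None


def brute_force_sources(lines, threshold=5, window_seconds=10, year=2010):
    """Return {ip: time of first alert} for every source that reaches
    `threshold` failed registrations within `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # per-source timestamps inside the window
    alerts = {}
    for line in lines:
        m = FAILED_REG.match(line)
        if not m:
            continue
        # The log carries no year, so one is supplied by the caller.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        seen = recent[m["ip"]]
        seen.append(ts)
        while ts - seen[0] > window:
            seen.popleft()
        if len(seen) >= threshold and m["ip"] not in alerts:
            alerts[m["ip"]] = ts
    return alerts


def sample_line(sec, ip, user="1000", reason="Wrong password"):
    """Build one constructed log line (all addresses are documentation ranges)."""
    return (f"[Oct 15 10:40:{sec:02d}] NOTICE[2847] chan_sip.c: Registration from "
            f"'\"{user}\" <sip:{user}@192.0.2.10>' failed for '{ip}' - {reason}")


# Constructed sample: one source walking extensions once a second, one source
# failing slowly (logged with a port), and an unrelated line.
SAMPLE_LOG = sorted(
    [sample_line(s, "203.0.113.5", user=str(1000 + s)) for s in range(1, 7)]
    + [sample_line(s, "198.51.100.77:5061") for s in (0, 12, 24, 36, 48)]
    + ["[Oct 15 10:40:03] VERBOSE[2847] logger.c: -- Registered SIP '2001' "
       "at 192.0.2.44 port 5060"]
)

if __name__ == "__main__":
    for ip, when in brute_force_sources(SAMPLE_LOG).items():
        print(f"{when:%b %d %H:%M:%S} brute force suspected from {ip}")
```

The slow source stays under the threshold, which is why a rate rule like this is paired with strong secrets and call limits rather than relied on alone.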

Re: [asterisk-users] fraud advice (Also advice on using ipbanning)

2010-10-16 Thread Bryant Zimmerman
When we designed our systems on asterisk we designed it to be multi-tenant. 
So we use customer prefixes on all extensions. This allows us to have 
multiple customers using the same extension pools. It also reduces the hack 
footprint as hackers must know the prefix for a customer to try and brute 
force things. All passwords use 8+ characters with alpha/numeric and special 
characters. 

As I see it Asterisk does very well keeping out the hackers if you use a 
solid design in your peer and dialplans. At the least put an alpha 
character post or pre, otherwise you are just asking for it.  Use your head, 
you can be smarter than they are.

We are looking into ipban as well. If anyone has an example of ipban I 
would love to see how best to implement it.  In a 4 year period we have not 
had a breach but we do get about 10 to 15 hack attempts a week. We have 
blocking scripts that block IPs at the primary firewall but I would like 
to trigger the ipban at each switch level. Could I also use the ipban 
method to trigger the auto updates to our primary firewalls? Any advice is 
appreciated. 

 Bryant


 From: Steve Totaro stot...@totarotechnologies.com
Sent: Friday, October 15, 2010 11:22 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion 
asterisk-users@lists.digium.com
Subject: Re: [asterisk-users] fraud advice

On Fri, Oct 15, 2010 at 10:29 AM, Steve Edwards
asterisk@sedwards.com wrote:
 On Thu, 14 Oct 2010, bruce bruce wrote:

 But it also sickens me at how badly Asterisk is made to not cope with
 situations like this and worse than that is FreePBX.

 Kind of like blaming the gun manufacturer instead of the criminal with
 their finger on the trigger?

 Is there some gaping hole in Asterisk security or are you just asleep at
 the wheel?

 --
 Thanks in advance,
 
 -
 Steve Edwards   sedwa...@sedwards.com  Voice: +1-760-468-3867 PST
 Newline  Fax: +1-760-731-3000


This is nothing new. Trunk to trunk transfers and other exploits
could be used on old school phone systems to do the same thing.

I would start with getting the current balance, if over $10k call the
FBI, call them anyways, it couldn't hurt. You want the Feds to check
things out before local police if possible.

Gather as much info as possible, along with police and FBI case
numbers and then call the carrier and see what can be done.

A friend of mine took what was supposed to be my one month rotation to
Iraq. I had too much going on to be in Iraq for a month and a half
and had taken the last rotation so it wasn't even my turn.

The phone bill came for his cell (company provided on Asia Cell) for
$4k in just a couple weeks. It turns out that he was not using the
cell and one of the cleaning people stole his SIM.

After contacting Asia Cell a few times about the matter, they credited
the whole amount back. So you never know.

As for security, I assume you need to allow these extensions to
register from outside the LAN? If not, then only allow them to
register via a LAN IP, I would do it with iptables, only allow the
provider IP through.

I am curious what your user:pass was? something like 1000:1000, I see
many systems setup like this and am surprised they haven't been hit
yet.

In the future, you could use a scheme that makes it much more secure
and also pretty easy to maintain.

The username could be the MAC and the pass could be the serial number
or asset tags if you use them.

I know there must be dozens of people reading this that have had the
same issue but are embarrassed to speak up.

(BTW Sierra Leone is in West Africa, not the Middle East.)

Thanks,
Steve T


Re: [asterisk-users] fraud advice

2010-10-15 Thread Steve Edwards
On Thu, 14 Oct 2010, bruce bruce wrote:

 But it also sickens me at how badly Asterisk is made to not cope with 
 situations like this and worse than that is FreePBX.

Kind of like blaming the gun manufacturer instead of the criminal with 
their finger on the trigger?

Is there some gaping hole in Asterisk security or are you just asleep at 
the wheel?

-- 
Thanks in advance,
-
Steve Edwards   sedwa...@sedwards.com  Voice: +1-760-468-3867 PST
Newline  Fax: +1-760-731-3000



Re: [asterisk-users] fraud advice

2010-10-15 Thread Zeeshan Zakaria
For the future I would highly recommend having at least fail2ban installed.
This way sipvicious IPs will be blocked instantly before they could create
any damage. Also I prefer to limit International calling to only a certain
limit, e.g. only for $10 per account, but this depends upon how your
business deals with international calls. I get a few IPs blocked every day by
fail2ban, though by default no new connections are allowed international
calls on my system.

Zeeshan A Zakaria

--
www.ilovetovoip.com

On 2010-10-15 10:40 AM, Steve Edwards asterisk@sedwards.com wrote:

On Thu, 14 Oct 2010, bruce bruce wrote:

 But it also sickens me at how badly Asterisk is made to n...
Kind of like blaming the gun manufacturer instead of the criminal with
their finger on the trigger?

Is there some gaping hole in Asterisk security or are you just asleep at
the wheel?

--
Thanks in advance,
-
Steve Edwards   sedwa...@sedwards.com  Voice: +1-760-468-3867 PST
Newline  Fax: +1-760-731-3000


Re: [asterisk-users] fraud advice

2010-10-15 Thread Steve Totaro
On Fri, Oct 15, 2010 at 10:29 AM, Steve Edwards
asterisk@sedwards.com wrote:
 On Thu, 14 Oct 2010, bruce bruce wrote:

 But it also sickens me at how badly Asterisk is made to not cope with
 situations like this and worse than that is FreePBX.

 Kind of like blaming the gun manufacturer instead of the criminal with
 their finger on the trigger?

 Is there some gaping hole in Asterisk security or are you just asleep at
 the wheel?

 --
 Thanks in advance,
 -
 Steve Edwards       sedwa...@sedwards.com      Voice: +1-760-468-3867 PST
 Newline                                              Fax: +1-760-731-3000


This is nothing new.  Trunk to trunk transfers and other exploits
could be used on old school phone systems to do the same thing.

I would start with getting the current balance, if over $10k call the
FBI, call them anyways, it couldn't hurt.  You want the Feds to check
things out before local police if possible.

Gather as much info as possible, along with police and FBI case
numbers and then call the carrier and see what can be done.

A friend of mine took what was supposed to be my one month rotation to
Iraq.  I had too much going on to be in Iraq for a month and a half
and had taken the last rotation so it wasn't even my turn.

The phone bill came for his cell (company provided on Asia Cell) for
$4k in just a couple weeks.  It turns out that he was not using the
cell and one of the cleaning people stole his SIM.

After contacting Asia Cell a few times about the matter, they credited
the whole amount back.  So you never know.

As for security, I assume you need to allow these extensions to
register from outside the LAN?  If not, then only allow them to
register via a LAN IP, I would do it with iptables, only allow the
provider IP through.

I am curious what your user:pass was?  something like 1000:1000, I see
many systems setup like this and am surprised they haven't been hit
yet.

In the future, you could use a scheme that makes it much more secure
and also pretty easy to maintain.

The username could be the MAC and the pass could be the serial number
or asset tags if you use them.

I know there must be dozens of people reading this that have had the
same issue but are embarrassed to speak up.

(BTW Sierra Leone is in West Africa, not the Middle East.)

Thanks,
Steve T



Re: [asterisk-users] fraud advice

2010-10-15 Thread Matt Desbiens
We took a pretty nasty hit one time, a system administrator didn't listen to
us about changing the passwords.  Luckily they took part of the blame in
that, and we split the 1800$ it cost us in half.  We could have changed
them, and she didn't change them, so we were both at fault.

Like said previously, fail2ban is a pretty good start.  Weak secrets
definitely don't help.

An interesting project to look into and I'm working with right now, I've got
a honeypot set up in the wild, but haven't gotten anything really worthwhile
yet...

http://www.infiltrated.net/voipabuse/defensive.html

I'd also suggest, if you don't *have* to have international dialing on the
trunk, turn it off, put a pin on it, or just send it to a dummy trunk that
doesn't do anything or route anywhere.

I really hope this helps, and best of luck with cleaning up from the
aftermath.  I know ours was a pretty good wake up call to us to really start
locking things down.

I know it's lame, but from Network Security Hacks.

Security isn't a noun, it's a verb; not a product, but a process
--Matt


On Fri, Oct 15, 2010 at 11:50 AM, Jeff LaCoursiere j...@sunfone.com wrote:

 On Fri, 2010-10-15 at 11:20 -0400, Steve Totaro wrote:

  This is nothing new.  Trunk to trunk transfers and other exploits
  could be used on old school phone systems to do the same thing.
 
  I would start with getting the current balance, if over $10k call the
  FBI, call them anyways, it couldn't hurt.  You want the Feds to check
  things out before local police if possible.
 
  Gather as much info as possible, along with police and FBI case
  numbers and then call the carrier and see what can be done.
 
  A friend of mine took what was supposed to be my one month rotation to
  Iraq.  I had too much going on to be in Iraq for a month and a half
  and had taken the last rotation so it wasn't even my turn.
 
  The phone bill came for his cell (company provided on Asia Cell) for
  $4k in just a couple weeks.  It turns out that he was not using the
  cell and one of the cleaning people stole his SIM.
 
  After contacting Asia Cell a few times about the matter, they credited
  the whole amount back.  So you never know.
 
  As for security, I assume you need to allow these extensions to
  register from outside the LAN?  If not, then only allow them to
  register via a LAN IP, I would do it with iptables, only allow the
  provider IP through.
 
  I am curious what your user:pass was?  something like 1000:1000, I see
  many systems setup like this and am surprised they haven't been hit
  yet.
 
  In the future, you could use a scheme that makes it much more secure
  and also pretty easy to maintain.
 
  The username could be the MAC and the pass could be the serial number
  or asset tags if you use them.
 
  I know there must be dozens of people reading this that have had the
  same issue but are embarrassed to speak up.
 

 Thanks Steve - that is the kind of advice I was looking for.  I'm
 willing to take my lumps for the weak passwords on those accounts, and
 the lack of any filtering.  I do understand the issues and the steps I
 need to take to better secure the switches in service, and just need to
 get off my a$$ and do it.

 Mainly I am hoping to hear from someone who has gone through the
 aftermath - as you mention above.  So far I have had a discussion with
 the carrier who is opening an investigation.  I'll contact the FBI
 today as well.  I'll send an update when this is all over for posterity.


  (BTW Sierra Leone is in West Africa, not the Middle East.)
 

 True ;)  Most of the calls were Iraq, UAE, Lebanon... Found another one
 today that was 2.5 DAYS long to Chile.  Bizarre.

 j




Re: [asterisk-users] fraud advice

2010-10-15 Thread Steve Totaro
On Fri, Oct 15, 2010 at 11:50 AM, Jeff LaCoursiere j...@sunfone.com wrote:
snipped


 (BTW Sierra Leone is in West Africa, not the Middle East.)


 True ;)  Most of the calls were Iraq, UAE, Lebanon... Found another one
 today that was 2.5 DAYS long to Chile.  Bizarre.

 j


Not bizarre at all.  You being in the Virgin Islands should know what
that is probably about.

http://www.snopes.com/fraud/telephone/809.asp

I have a general questionnaire prior to planning the installation.
One question is about international calls and using a PIN
(Authenticate(1234356)), totally blocking, having a few phones in a
separate context that can dial international.

Usually, I will explain the nature of an IP PBX and the dangers of
fraud, then go over what they NEED.  If you do this along with
locking things down, hopefully you won't run into any more fraud, but
as you have seen first hand, there is big money to be made, so assume
you are defending against an international crime ring with lots of
time and knowledge.

Once you do your bit and cover your bases, then if there is fraud, you
save face and provide guidance rather than damage control.

http://www.infiltrated.net/asterisk-ips.html I found that link while
googling for Nufone.  It appears there may be more to the
story than I knew.  I know JerJer claimed to have received a bill for
$500k due to fraud.  I am not sure what happened after that but I am
seeing information about charges against him for mail fraud.

Thanks,
Steve T



Re: [asterisk-users] fraud advice

2010-10-15 Thread Carlos Chavez
On Fri, 2010-10-15 at 07:29 -0700, Steve Edwards wrote:
 On Thu, 14 Oct 2010, bruce bruce wrote:
 
  But it also sickens me at how badly Asterisk is made to not cope with 
  situations like this and worse than that is FreePBX.
 
 Kind of like blaming the gun manufacturer instead of the criminal with 
 their finger on the trigger?
 
 Is there some gaping hole in Asterisk security or are you just asleep at 
 the wheel?
 
Asterisk is just doing what you tell it to do, process calls.  If you
have no authentication or route blocking how do you expect Asterisk to
know that there is a problem?

I was just in a similar situation where someone guessed the username
and password of my SIP trunk.  The provider called me the next day to
tell me that they detected strange traffic on my line and asked if I was
making those calls.  Now that is good service from a provider.


-- 
Telecomunicaciones Abiertas de México S.A. de C.V.
Carlos Chávez Prats
Director de Tecnología
+52-55-91169161 ext 2001



[asterisk-users] fraud advice

2010-10-14 Thread Jeff LaCoursiere

Hi,

Embarrassed as I am to write this, I am hoping for some advice.  One of 
our very first PBX installs, now six years old, was taken advantage of 
over the past few weeks.  A victim of sipvicious, I assume, that managed 
to guess one of the SIP passwords.  4000 calls to various middle eastern 
destinations have been placed, which ended up being sent over our 
customer's PSTN trunk, and of course there was no warning until the bill 
came today.  Unfortunately the bill only covered the first few days of 
this fiasco, and was only $700.  I am afraid the one that is on the way 
will be tens of thousands.  ONE CALL on the bill that just arrived was 
$200 (80 minutes to Sierra Leone).

I'm sure this started out as a single scan.  It must have been posted, 
because I have at least ten IP addresses now that were placing calls via 
the same peer.  They are from all over the world.

So what is the accepted procedure?  I'm in the US Virgin Islands, so do I 
go to the FBI?  Police?  Is there some telecom fraud body to report such 
things to?  Does anyone ever get any relief from such events?

I'm basically sick to my stomach right now.

j



Re: [asterisk-users] fraud advice

2010-10-14 Thread Cary Fitch
As a practical matter, on anything that can generate endless billings, there
should be a dumb trap that compares current usage to history (last month)
and if usage exceeds 2/1 or 3/1 for instance then usage is choked or denied
enough to cause the user to complain or perhaps generate a message to call
customer support, (or call your cell phone!)

Then if it is valid, raise last month's reference enough to let current
calling continue.  If it isn't valid you have found a problem and saved your
or your customer's caboose.

As to who to complain to, gather all info possible and report to everyone
you can find.  Someone may investigate, but there isn't likely anyone who
will absolve the problem.  Some will just take the report and ... as far as
you are concerned, do nothing.  There isn't much a local police dept. can do
about a hacker in Western Slobovia cracking your server.

Generally the FBI doesn't take matters of less than $10,000.  But it sounds
like you may meet that test.

But they could take months or years, or never find the culprit, and finding
the culprit will likely net you nothing financially, for you will be 1/10,000
of the fraud they did.

This is a problem like spam in email.  But this has cash costs to the server
operator/customer.  Passwords need to be un-crack-able, and there should be
usage alarms, as described above.

Depending on the situation even a single counter to your upstream billable
sip server for all usage would likely trip on excessive usage and save your
bacon. 


Cary Fitch





-Original Message-
From: asterisk-users-boun...@lists.digium.com
[mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Jeff
LaCoursiere
Sent: Thursday, October 14, 2010 8:11 PM
To: asterisk-users@lists.digium.com
Subject: [asterisk-users] fraud advice


Hi,

Embarrassed as I am to write this, I am hoping for some advice.  One of 
our very first PBX installs, now six years old, was taken advantage of 
over the past few weeks.  A victim of sipvicious, I assume, that managed 
to guess one of the SIP passwords.  4000 calls to various middle eastern 
destinations have been placed, which ended up being sent over our 
customer's PSTN trunk, and of course there was no warning until the bill 
came today.  Unfortunately the bill only covered the first few days of 
this fiasco, and was only $700.  I am afraid the one that is on the way 
will be tens of thousands.  ONE CALL on the bill that just arrived was 
$200 (80 minutes to Sierra Leone).

I'm sure this started out as a single scan.  It must have been posted, 
because I have at least ten IP addresses now that were placing calls via 
the same peer.  They are from all over the world.

So what is the accepted procedure?  I'm in the US Virgin Islands, so do I 
go to the FBI?  Police?  Is there some telecom fraud body to report such 
things to?  Does anyone ever get any relief from such events?

I'm basically sick to my stomach right now.

j
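The usage trap Cary Fitch describes above (compare this month's usage with last month's, trip at 2/1 or 3/1, raise the reference once the usage is confirmed valid), as an added example that is not part of the original thread. It assumes call records in the column order of Asterisk's cdr_csv Master.csv with accountcode set per customer; the function names, the floor for accounts without history and the sample records are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Column order of Asterisk's cdr_csv Master.csv.
CDR_FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel",
              "dstchannel", "lastapp", "lastdata", "start", "answer", "end",
              "duration", "billsec", "disposition", "amaflags", "uniqueid",
              "userfield"]


def billed_seconds_by_month(cdr_text):
    """Sum billsec of answered calls per (accountcode, 'YYYY-MM')."""
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(cdr_text), fieldnames=CDR_FIELDS):
        if row["disposition"] != "ANSWERED":
            continue
        totals[(row["accountcode"], row["start"][:7])] += int(row["billsec"])
    return totals


def usage_trap(cdr_text, current, previous, ratio=3.0,
               floor_seconds=1800, approved=None):
    """Return {account: (seconds used, reference)} for accounts whose usage
    in month `current` exceeds `ratio` times their reference.

    The reference is last month's usage, raised to `floor_seconds` for
    accounts with little or no history (an assumption added here) and to a
    manually approved value once support has confirmed the calls are valid.
    """
    approved = approved or {}
    totals = billed_seconds_by_month(cdr_text)
    tripped = {}
    for acct in sorted({a for a, month in totals if month == current}):
        used = totals[(acct, current)]
        reference = max(totals.get((acct, previous), 0),
                        floor_seconds, approved.get(acct, 0))
        if used > ratio * reference:
            tripped[acct] = (used, reference)
    return tripped


def cdr_row(acct, start, billsec, disposition="ANSWERED"):
    """Build one constructed Master.csv line; unused fields are left empty."""
    row = dict.fromkeys(CDR_FIELDS, "")
    row.update(accountcode=acct, src="1000", dst="0015555550100",
               start=start, billsec=str(billsec), disposition=disposition)
    buf = io.StringIO()
    csv.DictWriter(buf, fieldnames=CDR_FIELDS,
                   quoting=csv.QUOTE_ALL).writerow(row)
    return buf.getvalue()


# Constructed records: "acme" jumps from 4000 s in September to three
# 80-minute calls in October; "bolt" grows modestly; "newco" has no history.
SAMPLE_CDR = "".join([
    cdr_row("acme", "2010-09-03 09:15:00", 1800),
    cdr_row("acme", "2010-09-17 14:02:00", 2200),
    cdr_row("bolt", "2010-09-08 11:30:00", 3000),
    cdr_row("acme", "2010-10-02 01:14:00", 4800),
    cdr_row("acme", "2010-10-02 01:20:00", 4800),
    cdr_row("acme", "2010-10-02 03:05:00", 4800),
    cdr_row("acme", "2010-10-02 03:06:00", 0, disposition="NO ANSWER"),
    cdr_row("bolt", "2010-10-05 10:00:00", 5000),
    cdr_row("newco", "2010-10-06 16:45:00", 1200),
])

if __name__ == "__main__":
    for acct, (used, ref) in usage_trap(SAMPLE_CDR, "2010-10", "2010-09").items():
        print(f"{acct}: {used} s billed against a reference of {ref} s, choke or call")
```

Run from cron against the live CDR file, the returned accounts are the ones to choke or to phone; passing approved={"acme": 6000} is the "raise last month's reference" step after the customer confirms the traffic.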



Re: [asterisk-users] fraud advice

2010-10-14 Thread bruce bruce
Jeff,

I suggest talking to your PSTN/VoIP provider. We had a large amount going
through TATA communications and have not accepted their word for payment
because they had a duty to not allow traffic if our credit went down to $1k
while the calls charged were actually more than that.

Unfortunately, probably there is no one you can complain to. But it also
sickens me at how badly Asterisk is made to not cope with situations like
this and worse than that is FreePBX.

I suggest checking your contract terms with your provider as they might have
some sort of restrictions. At the very least PSTN providers try to bring the
price per minute down to their buy rate which is usually less than half
of the original bill.

Regards,
Bruce

On Thu, Oct 14, 2010 at 9:10 PM, Jeff LaCoursiere j...@sunfone.com wrote:


 Hi,

 Embarrassed as I am to write this, I am hoping for some advice.  One of
 our very first PBX installs, now six years old, was taken advantage of
 over the past few weeks.  A victim of sipvicious, I assume, that managed
 to guess one of the SIP passwords.  4000 calls to various middle eastern
 destinations have been placed, which ended up being sent over our
 customer's PSTN trunk, and of course there was no warning until the bill
 came today.  Unfortunately the bill only covered the first few days of
 this fiasco, and was only $700.  I am afraid the one that is on the way
 will be tens of thousands.  ONE CALL on the bill that just arrived was
 $200 (80 minutes to Sierra Leone).

 I'm sure this started out as a single scan.  It must have been posted,
 because I have at least ten IP addresses now that were placing calls via
 the same peer.  They are from all over the world.

 So what is the accepted procedure?  I'm in the US Virgin Islands, so do I
 go to the FBI?  Police?  Is there some telecom fraud body to report such
 things to?  Does anyone ever get any relief from such events?

 I'm basically sick to my stomach right now.

 j
