Send VoiceOps mailing list submissions to
        [email protected]

To subscribe or unsubscribe via the World Wide Web, visit
        https://puck.nether.net/mailman/listinfo/voiceops
or, via email, send a message with subject or body 'help' to
        [email protected]

You can reach the person managing the list at
        [email protected]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of VoiceOps digest..."


Today's Topics:

   1. Re: Allworx Security Advisory (Stappenbeck, Mark)
   2. Re: Interesting lead on international fraud (Carlos A. Alvarez)
   3. Re: Interesting lead on international fraud (J. Oquendo)


----------------------------------------------------------------------

Message: 1
Date: Mon, 13 May 2013 16:31:14 +0000
From: "Stappenbeck, Mark" <[email protected]>
To: "J. Oquendo" <[email protected]>, "[email protected]"
        <[email protected]>, "[email protected]" <[email protected]>
Subject: Re: [VoiceOps] Allworx Security Advisory
Message-ID:
        <91f472bddc65554db36e0f14e0d4f502194c8...@nyrocpexmbx02.corp.paetec.com>
        
Content-Type: text/plain; charset="us-ascii"

J., 

Thank you for posting the advisory in a public place for the users of the list. 
It had been distributed to our partners, and distributors, and they passed the 
information on to their customers. 

The recent round of fraudulent calls were almost all the result of systems 
being installed in a manner that would leave the administrative interface open 
to the internet (not a system default configuration) and with either weak or 
default admin passwords. 
Some were the result of registering to the server using SIP credentials for 
third party (non-Allworx) devices with weak, and sometimes matching, username 
and passwords. 
Some others occurred because Allworx handsets had been placed directly on the 
internet and either had the password for the phone's administrative interface 
set to null, or the default. 
And lastly, there were a few cases with older phone software, if the handset 
was accessible from the internet, where copying part of a URI could allow 
access to the config file stored on the phone, and get the SIP registration 
parameters in the clear. 
The last one was definitely our bug, and has been remedied in later versions of 
software. 

Each release of new software includes security features along with normal "new" 
customer features. 
We also advise partners to keep the customers updated with the latest releases 
for these very reasons. 

I will not say that Allworx brushed any known issues off. 
I will say that we have taken many different approaches to let our partner 
community know what had been taking place, and reiterating the need to take all 
necessary precautions to keep their customers' systems secure. 

I have seen very little from other manufacturers regarding these recent rounds 
of fraud attempts, and know that they have been compromised also, but I would 
hope that the fact that we have been open about them shows our dedication to 
keeping our customers secure and confident in our system. 

Thanks again, 

Mark Stappenbeck


-----Original Message-----
From: VoiceOps [mailto:[email protected]] On Behalf Of J. Oquendo
Sent: Monday, May 13, 2013 9:27 AM
To: [email protected]; [email protected]
Subject: [VoiceOps] Allworx Security Advisory

Unsure why some of these vendors don't join this list. One of my clients, who is 
an Allworx reseller, passed on the advisory.

www.infiltrated.net/Allworx_Service_Bulletin_Security_Advisory.pdf

I may (from the security standpoint) switch things up this year (vendors on 
this list beware). There are so many vulnerabilities that have yet to be 
addressed and although I am often torn about "disclosure," I WILL GO OUT on a 
whim and say Allworx knew this was an issue, and likely brushed it off as it 
was not reported.

So back to my "switching things up", to those vendors on this list, I suggest 
you go back to your security queues and get things in order. In these days and 
times, it's darn right absurd for backdoor accounts, and letting security issues 
linger for years. 


-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF
_______________________________________________
VoiceOps mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/voiceops



------------------------------

Message: 2
Date: Mon, 13 May 2013 16:53:37 +0000
From: "Carlos A. Alvarez" <[email protected]>
To: Shripal Daphtary <[email protected]>, "[email protected]"
        <[email protected]>, "[email protected]"
        <[email protected]>
Subject: Re: [VoiceOps] Interesting lead on international fraud
Message-ID:
        <799f96041e4ed74fb0c285ce2dfef70323e78...@ponycwsex01.pressone.net>
Content-Type: text/plain; charset="us-ascii"

;^)

Regards,
Carlos

From: VoiceOps [mailto:[email protected]] On Behalf Of Shripal 
Daphtary
Sent: Monday, May 13, 2013 10:07 AM
To: [email protected]; [email protected]
Subject: Re: [VoiceOps] Interesting lead on international fraud

this was one of them,

http://www.dial2win.com/ - this is the reward site.

the other was http://bluechip-telecom.com/, which throws a 403 when you go to 
it, which is good I guess.  but I think they are the same as 
bctelecomm.com - which is listed now as a malware site 
by google...



On Sat, May 11, 2013 at 4:46 PM, Jim Dalton <[email protected]> wrote:
Do you recall the name of the site that advertised numbers?

>From: VoiceOps [mailto:[email protected]] On Behalf Of Shripal Daphtary
>Sent: Saturday, May 11, 2013 2:28 PM
>To: Paul Timmins
>Cc: [email protected]
>Subject: Re: [VoiceOps] Interesting lead on international fraud
>
> We had something similar where a site had a huge list of numbers and they
> would offer people rewards or credits toward a reward if they called them.
>
> Some of the fraud calls from our switch were destined to those numbers.
>
>So definitely some arbitrage scam.
>>On May 11, 2013, at 11:17 AM, Paul Timmins <[email protected]> wrote:
>>
>> I've seen a lot of my fraud calls start with numbers on this website and
>> then move to other ones.
>>
>> http://www.world-premium-telecom.com/index.php?type=static_page&page=about
>>
>> I think these people are the genesis of a whole lot of international
>> fraud.
>>
>> Thoughts? Ideas?
>>
>> -Paul
>


------------------------------

Message: 3
Date: Mon, 13 May 2013 11:57:48 -0500
From: "J. Oquendo" <[email protected]>
To: "Carlos A. Alvarez" <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: [VoiceOps] Interesting lead on international fraud
Message-ID: <[email protected]>
Content-Type: text/plain; charset=us-ascii

A while back, when I started streaming to Twitter
(https://twitter.com/efensive) I had wanted to post the
numbers being dialed by fraudsters so that others would
be able to see these numbers and block them. Difficult
to get a list of numbers called, in fact, I would hope
that no one would have a number to add, as that would mean
one was compromised. However, if anyone wants to share
#'s being dialed fraudulently, I will add them to the
Twitter stream and perhaps make an all inclusive list
freely available.

I added a few here and there, but I have also taken a lot
of proactive steps to reduce fraud. (Hello Jim and others
at Transnexus ;)) This is what I (we where I work) have
done.

I parse the logs on my SBCs on an hourly basis. The log
parsing does two distinct things: 1) tallies the volume
of calls, and 2) dissects which calls are going to
high rated areas.

STEP 1)
Download SBC logs
Perform a count against client trunks
Compare that count against a 90 day baseline
Report anomalies

This allows me to see when a trunk is generating a lot of
calls. Period.

STEP 2)
Parse through SBC logs
Parse out DESTINATION (country code area code)
Check DESTINATIONS against a rate deck where price exceeds
N amount per minute (I have this set to about .21 (USD) per
minute). Report which trunk is making that call.
The reporting is automated and if anomalies are detected,
emails are sent and ALSO a call is generated to a group so
that we will know ASAP that something has happened.

We use Transnexus in ONE of our facilities, but have legacy
Netrakes in another. So we had to improvise. 

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF
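
[Added example, not part of the original message and not the poster's scripts: a
sketch of the two hourly checks described above. The CSV log layout, the
mean-plus-3-sigma baseline test, the trunk names, rates and "999" prefixes are
all assumptions constructed for illustration; only the 0.21 USD threshold comes
from the post.]

```python
import csv
import io
from collections import Counter

# Constructed sample: one hour of SBC call records as "timestamp,trunk,dialed digits".
# The CSV layout is an assumption; real SBC logs need their own parser.
SAMPLE_LOG = "\n".join(
    ["2013-05-13T10:01:07,trunk-a,12125550100",
     "2013-05-13T10:09:30,trunk-a,442079460000",
     "2013-05-13T10:40:12,trunk-b,9991234567"]
    + [f"2013-05-13T10:{m}:00,trunk-b,99981234{m}" for m in range(20, 28)]
)
# Constructed 90-day baseline: trunk -> (mean calls per hour, standard deviation).
BASELINE = {"trunk-a": (4.0, 1.5), "trunk-b": (2.0, 1.0)}
# Constructed rate deck: dialed prefix -> USD per minute ("999..." is a placeholder code).
RATE_DECK = {"1": 0.01, "44": 0.02, "999": 0.15, "9998": 0.90}

def parse(log_text):
    """Return (timestamp, trunk, number) tuples, skipping malformed rows."""
    return [tuple(r) for r in csv.reader(io.StringIO(log_text)) if len(r) == 3]

def volume_anomalies(calls, baseline, k=3.0):
    """STEP 1: trunks whose hourly count exceeds mean + k * stddev (assumed test)."""
    counts = Counter(trunk for _, trunk, _ in calls)
    flagged = {}
    for trunk, n in counts.items():
        mean, sd = baseline.get(trunk, (0.0, 0.0))  # no history: any call is flagged
        if n > mean + k * sd:
            flagged[trunk] = n
    return flagged

def rate_for(number, deck):
    """Longest-prefix match of the dialed digits against the rate deck."""
    for i in range(len(number), 0, -1):
        if number[:i] in deck:
            return deck[number[:i]]
    return None

def high_rate_calls(calls, deck, threshold=0.21):
    """STEP 2: per-trunk count of calls priced above the per-minute threshold."""
    hits = Counter()
    for _, trunk, number in calls:
        rate = rate_for(number, deck)
        if rate is None or rate > threshold:  # unrated destination: report it too
            hits[trunk] += 1
    return dict(hits)

if __name__ == "__main__":
    calls = parse(SAMPLE_LOG)
    print("volume anomalies:", volume_anomalies(calls, BASELINE))
    print("high-rate calls:", high_rate_calls(calls, RATE_DECK))
```
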


------------------------------

End of VoiceOps Digest, Vol 47, Issue 8
***************************************
