[asterisk-users] fraud advice

Matt Desbiens desbiensm at gmail.com
Fri Oct 15 11:04:52 CDT 2010


We took a pretty nasty hit one time; a system administrator didn't listen to
us about changing the passwords.  Luckily they took part of the blame in
that, and we split the 1800$ it cost us in half.  We could have changed
them, and she didn't change them, so we were both at fault.

As said previously, fail2ban is a pretty good start.  Weak secrets
definitely don't help.

An interesting project to look into, and one I'm working with right now: I've got
a honeypot set up in the wild, but haven't gotten anything really worthwhile
yet...

http://www.infiltrated.net/voipabuse/defensive.html

I'd also suggest, if you don't *have* to have international dialing on the
trunk, turn it off, put a PIN on it, or just send it to a dummy trunk that
doesn't do anything or route anywhere.

I really hope this helps, and best of luck with cleaning up from the
aftermath.  I know ours was a pretty good wake up call to us to really start
locking things down.

I know it's lame, but from Network Security Hacks:

Security isn't a noun, it's a verb; not a product, but a process
--Matt


On Fri, Oct 15, 2010 at 11:50 AM, Jeff LaCoursiere <jeff at sunfone.com> wrote:

> On Fri, 2010-10-15 at 11:20 -0400, Steve Totaro wrote:
>
> > This is nothing new.  Trunk to trunk transfers and other exploits
> > could be used on old school phone systems to do the same thing.
> >
> > I would start with getting the current balance, if over $10k call the
> > FBI, call them anyways, it couldn't hurt.  You want the Feds to check
> > things out before local police if possible.
> >
> > Gather as much info as possible, along with police and FBI case
> > numbers and then call the carrier and see what can be done.
> >
> > A friend of mine took what was supposed to be my one month rotation to
> > Iraq.  I had too much going on to be in Iraq for a month and a half
> > and had taken the last rotation so it wasn't even my turn.
> >
> > The phone bill came for his cell (company provided on Asia Cell) for
> > $4k in just a couple weeks.  It turns out that he was not using the
> > cell and one of the cleaning people stole his SIM.
> >
> > After contacting Asia Cell a few times about the matter, they credited
> > the whole amount back.  So you never know.
> >
> > As for security, I assume you need to allow these extensions to
> > register from outside the LAN?  If not, then only allow them to
> > register via a LAN IP, I would do it with iptables, only allow the
> > provider IP through.
> >
> > I am curious what your user:pass was?  Something like 1000:1000?  I see
> > many systems set up like this and am surprised they haven't been hit
> > yet.
> >
> > In the future, you could use a scheme that makes it much more secure
> > and also pretty easy to maintain.
> >
> > The username could be the MAC and the pass could be the serial number
> > or asset tags if you use them.
> >
> > I know there must be dozens of people reading this that have had the
> > same issue but are embarrassed to speak up.
> >
>
> Thanks Steve - that is the kind of advice I was looking for.  I'm
> willing to take my lumps for the weak passwords on those accounts, and
> the lack of any filtering.  I do understand the issues and the steps I
> need to take to better secure the switches in service, and just need to
> get off my a$$ and do it.
>
> Mainly I am hoping to hear from someone who has gone through the
> aftermath - as you mention above.  So far I have had a discussion with
> the carrier who is "opening an investigation".  I'll contact the FBI
> today as well.  I'll send an update when this is all over for posterity.
>
>
> > (BTW Sierra Leone is in West Africa, not the Middle East.)
> >
>
> True ;)  Most of the calls were Iraq, UAE, Lebanon... Found another one
> today that was 2.5 DAYS long to Chile.  Bizarre.
>
> j
>
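Added example, not part of the original thread: a small Python audit for the two weaknesses discussed above, a secret that matches or is as weak as the username (the "1000:1000" case) and extensions that may register from any IP. It assumes chan_sip-style `sip.conf` syntax (`secret`, `host`, `deny`, `permit`); the sample config, the peer names and the 12-character threshold are constructed for illustration.

```python
# Constructed sip.conf sample (chan_sip syntax); no peer here comes from the thread.
SAMPLE = """\
[general]
bindport=5060
[1000]
host=dynamic
secret=1000
[1001]
host=dynamic
secret=84213            ; digits only
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0
[0004f2aabbcc]
host=dynamic
secret=Zq7-SN4471-kX92b
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0
"""
MIN_SECRET_LEN = 12  # assumed policy threshold, not from the thread

def parse_peers(text):
    """Map each section except [general] to {option: [values]}."""
    peers, name = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment
        if line.startswith("[") and "]" in line:
            name = line[1:line.index("]")]
            if name != "general":
                peers[name] = {}
        elif "=" in line and name in peers:
            key, value = line.split("=", 1)
            peers[name].setdefault(key.strip().lower(), []).append(value.strip())
    return peers

def audit(text):
    """Return {peer: [findings]} for weak secrets and missing IP ACLs."""
    report = {}
    for name, opts in parse_peers(text).items():
        secret = (opts.get("secret") or [""])[0]
        checks = [
            (secret == name, "secret equals username"),
            (len(secret) < MIN_SECRET_LEN or secret.isdigit(), "short or digits-only secret"),
            ("dynamic" in opts.get("host", []) and not opts.get("permit"), "no permit ACL: registers from any IP"),
        ]
        issues = [msg for hit, msg in checks if hit]
        if issues:
            report[name] = issues
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

To check a real system, pass the contents of its `sip.conf` to `audit()` instead of `SAMPLE`.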