VoIPowering Your Office: Vishing, Hijacking, Bots, and Other Entertainments
Last week we took a look at SPIT and the potential problems it represents. Today we're going to take a quick look at a few more VoIP threats, and then look at some ways to stave off troubles.
Vishing you were here
Vishing is the telephone equivalent of phishing; that is, conning people into giving up personal and financial information by pretending to be a legitimate business, or fooling them into thinking they'll profit somehow. E-mail phishing is endemic; this is why you get all those e-mails that claim you need to log in to your PayPal account right away (or eBay, or any number of banks and online storefronts) to correct a serious problem, whether you actually have an account with them or not. But the URLs in the e-mails are fake, and it's trivially easy to copy a genuine Web page and insert fake URLs. Spoofed URLs are ridiculously easy. For example, both of these will take you to Voipplanet.com:
So vishing is not very exotic from a technical perspective, because it's just another form of social engineering, and it's been going on as long as there have been telephones. But VoIP offers some powerful tools that make vishing a more attractive endeavor over VoIP than over the old-fashioned PSTN. It's a lot easier to hide your back trail over the data networks (thanks to the World Wide Botnet), it's easy to spoof Caller ID, automated calling tools are cheap and easy, and it's dirt cheap to call anywhere. You'd think the bottleneck would be having to have humans to carry on the conversations, but even this can be automated convincingly with bots. No need for humans at all. It's analogous to paper junk mail vs. e-mail spam; paper mail is expensive and cumbersome. Who cares if you only hook one fish for every million calls when it's all automated, and it costs you next to nothing? Of course, as we discussed last week, it costs everyone else plenty.
An old scam on the PSTN is to sucker people into calling what appear to be toll-free numbers, but are actually very expensive toll calls. As VoIP becomes more widespread we're going to see more opportunities for even sneakier call hijacking, because it's going to be just like the data network: network devices with well-known default vendor passwords and other weaknesses will all but beg to be compromised, just like this example from the VOIPSA.org mailing list:
...if the victim visits our evil proof-of-concept webpage, his/her browser sends an HTTP request to the BT Home Hub's web interface. After this, the Home Hub starts a VoIP/telephone connection to the recipient's phone number specified in the exploit page. This is what the attack looks like: the victim's VoIP telephone starts ringing and shows an external call message on the LCD screen along with the recipient's phone number. However, what's interesting is that from the point of view of the victim, it looks like he/she is receiving a phone call from the number shown on the screen, but in fact he/she is calling that number!
As long as Microsoft continues to deliver tightly integrated software suites that all but roll out the welcome mat to malware, and then tightly integrate it into every nook and cranny of the system, spammers and fraudsters will happily continue to exploit it. So the release of Microsoft Office Communications Server 2007 (OCS 2007) makes me nervous. Is this shiny new Unified Communications (UC) package going to translate into Unified Malware delivery, and even more warm welcomes into the World Wide Botnet? I sure hope not, but given Microsoft's security track record, I'm letting other admins go first.
What to do
Joe Roper, one of the brains behind PBX in a Flash, has some good advice on protecting yourself. He recommends putting your PBX and phones on a separate network segment. This makes it easier to troubleshoot, and adds a layer of protection. He also draws a distinction between VoIP and Voice over Internet. Using a local iPBX that interfaces with the PSTN is pretty much the same as using the traditional phone system, in terms of security risks. But connecting your iPBX to the Internet exposes you to an additional set of risks, such as the "Phreaking the BT Home Hub" example above, and all the usual Internet nasties such as eavesdropping and external attacks on your server. Mr. Roper also says:
"We do have more tools to encrypt VoIP, e.g. using a VPN circuit; it seems that laying VoIP through a VPN tunnel makes little or no difference to the latency, and there are some studies out there to suggest that the latency is better. As usual, it comes down to the hardworking network administrator being on the ball: watching for problems, and being careful with configurations, and yes, even obvious, but often-overlooked, stuff like changing default passwords.
"The other area of concern is fraud, and fraudulent use of the telephone; this can be divided into areas.
"1. Fraud in company, dialing relatives in Outer Japonia at huge expense or dialing the Sticky Vicky Hotline; fortunately, with PiaF and similar systems, the admin has a view of all calls made, and can restrict access on certain routes.
"2. People breaking into the system, possibly via the IVR menus and making calls at the owner's expense...Fortunately, a switched on Admin should be able to spot this very quickly..."
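Mr. Roper's two fraud cases both come down to an admin actually looking at the call records. The following is an added example (not from the article and not part of PBX in a Flash) of the kind of check a switched-on admin can run over a call detail record export: it assumes a simplified, constructed Asterisk-style CSV layout, FreePBX-style context names (`from-internal`, `from-pstn`), and a dial plan in which `011`, `00` and `1900` are international or premium-rate prefixes.

```python
import csv
from collections import Counter
from datetime import datetime
from io import StringIO

# Constructed sample CDR lines (simplified Asterisk-style CSV; field set is an assumption):
# start, src, dst, dcontext, billsec, disposition
SAMPLE_CDR = """\
2008-03-10 09:12:04,201,5551234567,from-internal,180,ANSWERED
2008-03-10 11:40:51,202,5559876543,from-internal,45,ANSWERED
2008-03-10 23:58:13,5550001111,0114412345678,from-pstn,600,ANSWERED
2008-03-11 02:14:09,5550001111,0114412345679,from-pstn,720,ANSWERED
2008-03-11 02:31:44,5550001111,0114412345680,from-pstn,540,ANSWERED
2008-03-11 10:05:00,203,19005551212,from-internal,300,ANSWERED
"""

FIELDS = ["start", "src", "dst", "dcontext", "billsec", "disposition"]
TOLL_PREFIXES = ("011", "00", "1900")            # international / premium-rate (assumed dial plan)
EXTERNAL_CONTEXTS = {"from-pstn", "from-trunk"}  # inbound trunk contexts (assumed names)
AFTER_HOURS = (22, 6)                            # quiet period: 22:00 to 06:00 local time

def parse_cdr(text):
    """Parse CSV CDR text into dicts with a datetime 'start' and an int 'billsec'."""
    rows = []
    for row in csv.DictReader(StringIO(text), fieldnames=FIELDS):
        row["start"] = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        row["billsec"] = int(row["billsec"])
        rows.append(row)
    return rows

def flag_calls(rows, burst_limit=3):
    """Return (reason, src, dst) tuples for answered calls matching the fraud heuristics."""
    flags = []
    calls_per_src = Counter()
    for r in rows:
        if r["disposition"] != "ANSWERED":
            continue
        reasons = []
        if r["dst"].startswith(TOLL_PREFIXES):
            reasons.append("toll-destination")          # Roper's case 1: expensive routes
        if r["dcontext"] in EXTERNAL_CONTEXTS:
            reasons.append("outbound-from-trunk")       # Roper's case 2: caller came in via a trunk/IVR and dialed out
        hour = r["start"].hour
        if hour >= AFTER_HOURS[0] or hour < AFTER_HOURS[1]:
            reasons.append("after-hours")
        calls_per_src[r["src"]] += 1
        if calls_per_src[r["src"]] == burst_limit:       # flag once when a source hits the burst limit
            reasons.append("burst")
        flags.extend((reason, r["src"], r["dst"]) for reason in reasons)
    return flags
```

Feeding a real export requires only changing `FIELDS` to match the PBX's CDR column order; the heuristics are deliberately crude, and a route-restriction rule per extension (as Mr. Roper describes) is the preventive counterpart to this detection.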
But we also need more powerful tools, such as ways to authenticate callers. This alone would prevent 95 percent of mischiefs. But how can this be done without making VoIP too cumbersome to be worth the bother? We'll take a look at this next week.