Security Manager's Journal: Slammed with a $100,000 phone bill
The way VoIP works, the company will have to pay for calls made by hackers, but it doesn't want that to happen again.
Computerworld - Last week, my company got a $100,000 phone bill. Turns out, some enterprising types have been bouncing their calls off our voice network. This allowed them to make numerous calls to a foreign country using our equipment. And it looks like we're stuck with the bill.
The problem is that our voice over IP (VoIP) network is set up to receive incoming call requests from the general public. This is the normal way these phone calls work. We use the SIP protocol, which is designed to accept voice connections from anywhere: it was built to promote global communication rather than to validate that a given connection is legitimate or authorized, and a gateway at its default settings accepts connections from anywhere. The way it works is that a call request (a SIP INVITE) comes in to a gateway like ours carrying some information about who's calling and where they are calling to, and the gateway (not being a particularly smart device) happily routes the call out to the phone company. Unfortunately, the "from" and "to" information are just header fields filled in by whoever sent the request, so attackers can put in any numbers they want. SIP does define a challenge-response (digest) authentication mechanism, but a gateway only challenges callers if it is configured to do so; at its defaults it performs no authentication or validation of who is placing the call. Our attackers took advantage of this to bounce calls off our gateway, a practice the industry calls toll fraud, in a way that made it appear the calls were originating from within our company.
Because our device is actually making the phone calls, the liability for the cost is ours. There's no built-in liability protection or limitation in our phone infrastructure to protect customers like us. It's kind of like having your bank account number stolen -- if somebody uses it to steal money from your account, you're out of luck, unlike with credit cards, where there is a limit to how much you owe for fraudulent purchases. And there's no way to find out who made the calls, because the source information was fake, so we can't put the blame on someone else.
So there's nothing I can do to repair the damage that was already done. All I can do is figure out a way to prevent a recurrence of this situation in the future. I don't know much about VoIP security, so I'm doing some research and trying to learn fast. I know that SIP traffic comes through the Internet to get to our gateway, which then routes calls to the phone company's voice network. SIP signaling is ordinary IP traffic (UDP or TCP on port 5060, or TLS on 5061), so a firewall can admit it only from known good addresses and drop everything else. Since the attackers' addresses were on nobody's list of known bad addresses, an allowlist of the addresses the phone company's SIP trunk actually uses closes the hole in a way that a blocklist never will. I'm not sure how I'm going to determine which IP addresses are good and bad, so I'll have to figure that out. In addition, the SIP gateway itself is a network device that I might be able to harden with configuration entries that are more discriminating than the default settings: requiring authentication from any caller that isn't the trunk provider, restricting which destinations (international and premium-rate numbers in particular) can be dialed and by whom, and capping how many calls one source can place in a minute. This requires specialized knowledge, so I may have to bring in an expert to help.
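As an added example (not code from the column, the author's gateway or any vendor), the Python below models both of the behaviors described above: the naive gateway that routes whatever an INVITE asks for, trusting its "from" and "to" headers, and a hardened one that applies the checks the firewall allowlist and gateway configuration are meant to enforce: one trusted trunk-provider address, digest authentication for every other caller (SIP's own RFC 3261 mechanism, MD5 without qop), a dial plan that refuses international destinations except an allowed prefix, and a per-source call-rate cap. The gateway domain, trunk address, handset credentials, nonce, phone numbers and SIP messages are all constructed for the example and are not from the original page.

```python
"""SIP gateway INVITE policy: naive routing (what the column describes) beside a hardened one.
Added example, not the author's gateway code or any vendor's. Assumes one trusted trunk address,
RFC 3261 digest credentials (MD5, no qop) for our own handsets, a dial plan that refuses
international destinations except an allowlist, and a per-source call-rate cap. All data is constructed."""
import hashlib, hmac, re
from collections import defaultdict, deque

REALM = "gw.example.com"                                   # assumed gateway domain
TRUSTED_SOURCES = {"203.0.113.10"}                         # assumed trunk provider / SBC address
PHONE_CREDENTIALS = {"desk1042": "correct horse battery"}  # assumed handset account
ISSUED_NONCES = {"dcd98b7102dd2f0e8b11d0f600bfb0c093"}     # nonces this gateway handed out in 407s
DOMESTIC_PREFIX, ALLOWED_INTL_PREFIXES, MAX_CALLS_PER_MINUTE = "+1", {"+49"}, 5

def parse_request(raw):
    """Split a SIP request into (method, request_uri, dialed_number, headers); header names lower-cased."""
    lines = raw.strip().splitlines()
    method, request_uri, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        if not line.strip(): break                         # blank line: the SDP body follows
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    m = re.match(r"sips?:([^@;]+)@", request_uri)          # called party = user part of the Request-URI
    return method, request_uri, (m.group(1) if m else ""), headers

def digest_response(username, password, nonce, uri, method="INVITE"):
    """RFC 3261 / RFC 2617 digest without qop: MD5(HA1:nonce:HA2)."""
    ha1 = hashlib.md5(f"{username}:{REALM}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()

def digest_header(username, password, nonce, uri):
    """Handset side: the Proxy-Authorization value a phone sends after a 407 challenge."""
    return (f'Digest username="{username}", realm="{REALM}", nonce="{nonce}", uri="{uri}", '
            f'response="{digest_response(username, password, nonce, uri)}"')

def digest_ok(auth_header, method, request_uri):
    """Gateway side: known user, a nonce we issued, URI matching the request, matching response."""
    p = dict(re.findall(r'(\w+)="([^"]*)"', auth_header))
    password = PHONE_CREDENTIALS.get(p.get("username"))
    if password is None or p.get("realm") != REALM or p.get("nonce") not in ISSUED_NONCES or p.get("uri") != request_uri:
        return False
    expected = digest_response(p["username"], password, p["nonce"], request_uri, method)
    return hmac.compare_digest(expected.encode(), p.get("response", "").encode())

def naive_route(raw):
    """What the column describes: route whatever the INVITE asks for, trusting its headers."""
    _method, _uri, dialed, _headers = parse_request(raw)
    return ("ROUTE", dialed)

class HardenedGateway:
    def __init__(self):
        self.recent = defaultdict(deque)                   # source_ip -> times of accepted INVITEs

    def evaluate(self, raw, source_ip, now):
        """source_ip is the transport-layer peer address, never the From or Via header."""
        method, request_uri, dialed, headers = parse_request(raw)
        # 1. Origin: the trunk provider, or one of our own handsets proving itself with a digest.
        if source_ip not in TRUSTED_SOURCES:
            auth = headers.get("proxy-authorization", "")
            if not auth or not digest_ok(auth, method, request_uri):
                return ("REJECT 407", "unknown source without valid credentials")
        # 2. Dial plan: international destinations only where the business has a reason.
        if not dialed.startswith(DOMESTIC_PREFIX) and not any(dialed.startswith(p) for p in ALLOWED_INTL_PREFIXES):
            return ("REJECT 403", f"{dialed} is outside the dial plan")
        # 3. Velocity: one source placing many calls a minute (a stolen handset password, say) is a fraud signal.
        q = self.recent[source_ip]
        while q and now - q[0] >= 60: q.popleft()          # drop timestamps older than the window
        if len(q) >= MAX_CALLS_PER_MINUTE:
            return ("REJECT 403", "per-source call rate exceeded")
        q.append(now)
        return ("ROUTE", dialed)

def build_invite(dialed, from_user, via_ip, auth=None):
    """Assemble a minimal INVITE (constructed test input, not captured traffic)."""
    uri = f"sip:{dialed}@{REALM}"
    hdrs = [f"INVITE {uri} SIP/2.0", f"Via: SIP/2.0/UDP {via_ip}:5060;branch=z9hG4bK-demo",
            f"From: <sip:{from_user}@{REALM}>;tag=1928301774", f"To: <{uri}>",
            f"Call-ID: {from_user}-{dialed}@{via_ip}", "CSeq: 1 INVITE"]
    if auth: hdrs.append(f"Proxy-Authorization: {auth}")
    return "\r\n".join(hdrs + ["Content-Length: 0", ""])

def run_demo():
    """Evaluate constructed INVITEs both ways; returns {case: (naive_result, hardened_result)}."""
    gw, nonce, uk, us = HardenedGateway(), next(iter(ISSUED_NONCES)), "+442079460000", "+12125550123"
    auth = lambda pw, num: digest_header("desk1042", pw, nonce, f"sip:{num}@{REALM}")
    cases = {  # name: (raw INVITE, transport source address)
        "fraud_no_auth": (build_invite(uk, "1042", "198.51.100.7"), "198.51.100.7"),  # forged From, no credentials
        "fraud_bad_pw": (build_invite(uk, "desk1042", "198.51.100.7", auth("Password1", uk)), "198.51.100.7"),
        "trunk_inbound": (build_invite("+12125550100", "+13125550199", "203.0.113.10"), "203.0.113.10"),
        "phone_domestic": (build_invite(us, "desk1042", "10.20.0.42", auth("correct horse battery", us)), "10.20.0.42"),
        "phone_uk": (build_invite(uk, "desk1042", "10.20.0.42", auth("correct horse battery", uk)), "10.20.0.42"),
    }
    results = {name: (naive_route(raw), gw.evaluate(raw, ip, 0)) for name, (raw, ip) in cases.items()}
    raw, ip = cases["phone_domestic"]                      # a sixth call inside a minute trips the cap
    for t in range(1, 6):
        results["phone_burst"] = (naive_route(raw), gw.evaluate(raw, ip, t))
    return results
```

Run `run_demo()` and the naive gateway routes every case, including the attacker's call to a UK number with a forged "from" extension, while the hardened one answers the two attacker INVITEs (no credentials, then a guessed password) with 407, routes the trunk's inbound call and the handset's domestic call, refuses the handset's UK call under the dial plan, and cuts off the handset's sixth call inside a minute. Two design points matter beyond the toy: the decision keys on the transport address the packet actually arrived from, never on the From or Via headers the sender controls, and a real gateway issues a fresh nonce per challenge and tracks nonce-count so that a captured Proxy-Authorization header cannot simply be replayed, which this example does not model.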
It seems like every day brings a new security challenge to light at my company. This situation is something new for me, so I'm viewing it as a learning experience. I just wish it didn't have to be such an expensive lesson.
This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at jf.rice@engineer.com.