Security Manager's Journal: Slammed with a $100,000 phone bill
The way VoIP works, the company will have to pay for calls made by hackers, but it doesn't want that to happen again.
Computerworld - Last week, my company got a $100,000 phone bill. Turns out, some enterprising types have been bouncing their calls off our voice network. This allowed them to make numerous calls to a foreign country using our equipment. And it looks like we're stuck with the bill.
The problem is that our voice over IP (VoIP) network is set up to receive incoming call requests from the general public. That is normal for a public-facing phone system. We use the Session Initiation Protocol (SIP), whose signaling is designed to set up calls between any two endpoints on the Internet. SIP does define an authentication mechanism (an HTTP-style digest challenge), but the protocol does not require a gateway to use it, and by default the call setup message (the INVITE) is accepted from anywhere. A call request arrives at a gateway like ours carrying a From header (who is supposedly calling) and a Request-URI and To header (the number to dial), and the gateway (not being a particularly smart device) happily routes the call out to the phone company. Unfortunately, the "from" and "to" values are just text supplied by whoever sent the request; nothing checks that the caller is who the From header claims to be. Unless the gateway is configured to demand credentials or to accept calls only from known trunk addresses, there is no authentication or validation of that request at all. Our attackers took advantage of this to bounce calls off our gateway: they sent INVITEs for overseas numbers with a From header showing one of our own numbers, so the calls appeared to originate from within our company and were carried, and billed, on our trunk.
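The routing decision described above, as an added example in Python (not code from the column, its author or any gateway vendor): a toy gateway that parses a SIP INVITE and applies the trusting default behavior beside a hardened policy that trusts only the source network or a verified digest credential, never the From header. The trunk range, realm, accounts, passwords and the attacker's INVITE are constructed assumptions.

```python
"""Added example: SIP INVITE routing, default (trust From/To) versus hardened.
All IPs, accounts, passwords and the sample INVITE are constructed assumptions."""
import hashlib
import re
from ipaddress import ip_address, ip_network

TRUSTED_TRUNKS = [ip_network("203.0.113.0/29")]  # assumed carrier trunk (doc range)
REALM = "pbx.example.com"                          # assumed digest realm
ACCOUNTS = {                                       # user -> (password, may dial international)
    "alice": ("correct-horse-battery", False),
    "sales": ("staple-trunk-2013", True),
}
INTERNATIONAL = re.compile(r"^(?:\+|011|00)\d{7,}$")  # NANP / ITU international prefixes

# Constructed attacker INVITE: From claims to be the company's main number,
# the Request-URI is an overseas number, and there are no credentials at all.
ATTACK_INVITE = (
    "INVITE sip:0114412345678@gw.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-1\r\n"
    'From: "Acme Main" <sip:2125550100@gw.example.com>;tag=1\r\n'
    "To: <sip:0114412345678@gw.example.com>\r\n"
    "Call-ID: fraud-1@198.51.100.7\r\n"
    "CSeq: 1 INVITE\r\n\r\n"
)

def parse_request(raw):
    """Split a SIP request into method, Request-URI and a dict of lower-cased headers."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    method, uri, _version = head[0].split(" ", 2)
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "headers": headers}

def dialed_number(req):
    """The user part of the Request-URI is what the gateway will actually dial."""
    m = re.match(r"sips?:([^@;]+)@", req["uri"])
    return m.group(1) if m else ""

def _digest_response(user, method, uri, nonce):
    """RFC 2617 digest without qop, as SIP uses it: MD5(HA1:nonce:HA2)."""
    ha1 = hashlib.md5(f"{user}:{REALM}:{ACCOUNTS[user][0]}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()

def make_proxy_authorization(user, method, uri, nonce):
    """Header value a legitimate phone sends after a 407 challenge carrying `nonce`."""
    resp = _digest_response(user, method, uri, nonce)
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')

def with_header(raw, name, value):
    """Insert a header just before the blank line that ends the SIP headers."""
    return raw.replace("\r\n\r\n", f"\r\n{name}: {value}\r\n\r\n", 1)

def authenticated_user(req, expected_nonce):
    """Account name if Proxy-Authorization carries a valid digest for the nonce we issued."""
    hdr = req["headers"].get("proxy-authorization", "")
    if not hdr.lower().startswith("digest "):
        return None
    p = dict(re.findall(r'(\w+)="([^"]*)"', hdr))
    user = p.get("username")
    if user not in ACCOUNTS or p.get("realm") != REALM or p.get("nonce") != expected_nonce:
        return None
    ok = _digest_response(user, req["method"], p.get("uri", ""), expected_nonce)
    return user if ok == p.get("response") else None

def default_policy(req, src_ip):
    """What the column's gateway did: believe From/To and route the call."""
    return (True, "routed %s" % dialed_number(req))

def hardened_policy(req, src_ip, nonce):
    """Trust comes from the source network or a verified credential, never from From."""
    number = dialed_number(req)
    if any(ip_address(src_ip) in net for net in TRUSTED_TRUNKS):
        return (True, "routed %s (trusted trunk)" % number)
    user = authenticated_user(req, nonce)          # nonce: the one our 407 challenge issued
    if user is None:
        return (False, "407 Proxy Authentication Required")
    if INTERNATIONAL.match(number) and not ACCOUNTS[user][1]:
        return (False, "403 international dialing not permitted for %s" % user)
    return (True, "routed %s for %s" % (number, user))

if __name__ == "__main__":
    req = parse_request(ATTACK_INVITE)
    print("default :", default_policy(req, "198.51.100.7"))
    print("hardened:", hardened_policy(req, "198.51.100.7", "n1"))
```

The hardened policy never reads the From header at all: the only two things an attacker cannot forge from an arbitrary Internet host are the source network (enforced here and, better, by a firewall in front of the gateway) and knowledge of an account password. The per-account international flag is the second line of defense; a stolen phone password then costs domestic minutes rather than a five-figure bill.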
Because our device is actually making the phone calls, the liability for the cost is ours. There's no built-in liability protection or limitation in our phone infrastructure to protect customers like us. It's kind of like having your bank account number stolen -- if somebody uses it to steal money from your account, you're out of luck, unlike with credit cards, where there is a limit to how much you owe for fraudulent purchases. And there's no way to find out who made the calls, because the source information was fake, so we can't put the blame on someone else.
So there's nothing I can do to repair the damage that was already done. All I can do is figure out a way to prevent a recurrence of this situation in the future. I don't know much about VoIP security, so I'm doing some research and trying to learn fast. I know that SIP traffic comes through the Internet to get to our gateway, which then routes calls to the phone company's voice network. SIP signaling is ordinary IP traffic (usually UDP or TCP on port 5060, or TLS on 5061), so it can be filtered by a firewall that allows SIP only from known good addresses, such as our carrier's trunk and our own phones, and drops everything else; a default-deny rule is far more reliable than trying to enumerate known bad addresses, since the fraudsters can come from any host. I'm not sure yet how I'm going to compile the list of good addresses, so I'll have to figure that out. In addition, the SIP gateway itself is a network device that I might be able to harden with configuration entries that are more discriminating than the default settings, such as refusing unauthenticated ("guest") calls, requiring a password for every account that can dial out, and restricting or simply blocking international dialing. This requires specialized knowledge, so I may have to bring in an expert to help.
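An added example for the two open questions above, which addresses are "known good" and how to notice this kind of bill before it reaches $100,000 (Python written for this page, not code from the column or any vendor): it scans call detail records (CDRs) from the gateway for three cheap signals of toll fraud and reports which source addresses deserve an immediate block. The CDR format, IP ranges, business hours and phone numbers are constructed assumptions.

```python
"""Added example: toll-fraud triage over gateway call detail records.
Log format, addresses, hours and numbers are constructed assumptions."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Known-good sources: the carrier trunk plus the office LAN where the phones live.
# Everything else is untrusted by default; we do not try to enumerate "known bad".
KNOWN_GOOD = [ip_network("203.0.113.0/29"), ip_network("10.20.0.0/16")]
BUSINESS_HOURS = range(7, 20)            # 07:00-19:59 local, assumed
INTL_PREFIXES = ("011", "00", "+")       # international dialing prefixes

# Constructed CDR lines: timestamp,src_ip,from_number,dialed_number,seconds
SAMPLE_CDR = """\
2014-04-12T02:11:05,198.51.100.7,2125550100,0114412345678,1810
2014-04-12T02:11:09,198.51.100.7,2125550100,0114412345679,1795
2014-04-12T02:12:41,198.51.100.7,2125550100,0114412345680,1802
2014-04-12T02:13:02,198.51.100.7,2125550100,0114412345681,1790
2014-04-12T02:14:30,198.51.100.7,2125550100,0114412345682,1788
2014-04-12T09:30:12,10.20.4.15,2125550142,2125559876,240
2014-04-12T14:05:00,10.20.4.22,2125550143,0114420123456,610
2014-04-12T16:40:33,203.0.113.2,4155550199,2125550100,95
"""

def parse_cdr(text):
    """One dict per CDR line; the 'from' number is attacker-controlled and never trusted."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, frm, dst, secs = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "src": ip_address(src),
                     "from": frm, "dst": dst, "secs": int(secs)})
    return rows

def is_international(number):
    return number.startswith(INTL_PREFIXES)

def find_toll_fraud(rows, burst_threshold=3):
    """Return (kind, source_ip, detail) alerts for three signals: an untrusted
    source IP, an international call outside business hours, and a burst of
    international calls from one source within a single hour."""
    alerts = []
    intl_per_src_hour = defaultdict(list)
    for r in rows:
        trusted = any(r["src"] in net for net in KNOWN_GOOD)
        intl = is_international(r["dst"])
        if not trusted:
            alerts.append(("untrusted_source", str(r["src"]), r["dst"]))
        if intl and r["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("after_hours_international", str(r["src"]), r["dst"]))
        if intl:
            intl_per_src_hour[(str(r["src"]), r["ts"].strftime("%Y-%m-%dT%H"))].append(r)
    for (src, hour), calls in intl_per_src_hour.items():
        if len(calls) >= burst_threshold:
            minutes = sum(c["secs"] for c in calls) / 60
            alerts.append(("international_burst", src,
                           f"{len(calls)} calls, {minutes:.0f} min in hour {hour}"))
    return alerts

def block_candidates(alerts):
    """Source IPs with two or more distinct signals: block at the firewall now."""
    kinds = defaultdict(set)
    for kind, src, _detail in alerts:
        kinds[src].add(kind)
    return sorted(src for src, k in kinds.items() if len(k) >= 2)

if __name__ == "__main__":
    found = find_toll_fraud(parse_cdr(SAMPLE_CDR))
    for a in found:
        print(a)
    print("block:", block_candidates(found))
```

Run against the constructed records, only 198.51.100.7 trips all three signals; the two office phones and the carrier trunk stay clean even though one employee placed a legitimate international call. In practice this runs on a schedule against the gateway's CDR export or its SIP log, and the thresholds are tuned to the company's normal calling pattern. It is also worth asking the carrier whether international dialing can be blocked or capped on the trunk, which turns this from a detection problem into a bounded one.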
It seems like every day brings a new security challenge to light at my company. This situation is something new for me, so I'm viewing it as a learning experience. I just wish it didn't have to be such an expensive lesson.
This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.