
Upload: digium

Post on 12-Jul-2015


Page 1: Making your Asterisk System Secure

Making your Asterisk System Secure

Who is out there looking to attack your PBX?

How do they find it?

How can you protect your PBX

PRESENTED BY: ERIC KLEIN

SR. CONSULTANT

• NEW GRANDFATHER (PICTURES UPON REQUEST)

• VOIP FRAUD PREVENTION EVANGELIST

• STARTUP ADVISOR AND ENTHUSIAST

• AUTHOR, BLOGGER FOR TECHNOLOGY AND TRAVEL

• AMATEUR PHOTOGRAPHER AND CHEF

/home/ericlklein/.finger


Ok, just 1 picture

2013 GLOBAL FRAUD SURVEY RESULTS

CFCA Global Fraud Key Findings

Global Fraud Loss:

2011: $40.1 Billion (USD) annually

2013: $46.3 Billion (USD) annually

The 15% increase from 2011 is a result of increased fraudulent activity targeting the wireless industry.

Top Fraud types:

Compromised PBX/Voicemail: 2011 $4.96 Billion; 2013 $10.03 Billion

Internal/Employee Theft: 2011 $1.44 Billion; 2013 $2.53 Billion

*Notes:

In 2011 the Global Fraud Loss Estimate was recalibrated to include the sizes of the CSPs being surveyed.

In 2013 fraud classifications were divided into methods and type categories.

Source: www.cfca.org/fraudlosssurvey/


Why They Attack

How it Works

Hackers sign up to lease premium-rate phone numbers, often used for sexual-chat or psychic lines, from one of dozens of web-based services that charge dialers over $1 a minute and give the lessee a cut. In the United States, premium-rate numbers are easily identified by 1-900 prefixes, and callers are informed they will be charged higher rates. But elsewhere, like in Latvia and Estonia, they can be trickier to spot. The payout to the lessees can be as high as 24 cents for every minute spent on the phone.

Hackers then break into a business’s phone system and make calls through it to their premium number, typically over a weekend, when nobody is there to notice. With high-speed computers, they can make hundreds of calls simultaneously, forwarding as many as 220 minutes’ worth of phone calls a minute to the pay line. The hacker gets a cut of the charges, typically delivered through a Western Union, MoneyGram or wire transfer.

In part because the plan is so profitable, premium rate number resellers are multiplying rapidly. There were 17 in 2009; last year there were 85.

www.nytimes.com/2014/10/20/technology/dial-and-redial-phone-hackers-stealing-billions-.html
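As an added example (not part of the original slides), the weekend calling pattern described above can be looked for in Asterisk's own call detail records. The script assumes the cdr_csv Master.csv column order; the watch list of country codes (destinations named in this deck), the dial-out prefixes, business hours, threshold and all sample rows are constructed assumptions.

```python
import csv, io
from collections import defaultdict
from datetime import datetime

# Column order of Asterisk's cdr_csv Master.csv
FIELDS = ("accountcode src dst dcontext clid channel dstchannel lastapp lastdata "
          "start answer end duration billsec disposition amaflags uniqueid").split()
# Assumption: country codes of destinations named in the slides
# (Gambia, Somalia, Maldives, Latvia, Estonia, Poland); tune to your own traffic.
WATCH = ("220", "252", "960", "371", "372", "48")
INTL = ("011", "00", "+")  # assumption: international dial-out prefixes in use

def watched(dst):
    """Country code if dst is an international call to a watched prefix, else None."""
    for p in INTL:
        if dst.startswith(p):
            return next((c for c in WATCH if dst[len(p):].startswith(c)), None)
    return None

def off_hours(ts, open_hour=8, close_hour=18):
    """True on weekends and outside business hours on weekdays."""
    return ts.weekday() >= 5 or not open_hour <= ts.hour < close_hour

def find_bursts(cdr_text, threshold=3):
    """Return {(src, hour): stats} for off-hours bursts of answered watched calls."""
    buckets = defaultdict(lambda: {"calls": 0, "billsec": 0})
    for row in csv.DictReader(io.StringIO(cdr_text), fieldnames=FIELDS):
        ts = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        if row["disposition"] == "ANSWERED" and off_hours(ts) and watched(row["dst"]):
            b = buckets[(row["src"], ts.strftime("%Y-%m-%d %H:00"))]
            b["calls"] += 1
            b["billsec"] += int(row["billsec"])
    return {k: v for k, v in buckets.items() if v["calls"] >= threshold}

def _row(src, dst, start, billsec):
    """Build one constructed Master.csv line (sample data, not a real CDR)."""
    return (f'"","{src}","{dst}","from-internal","","SIP/{src}-01","SIP/trunk-02","Dial","",'
            f'"{start}","{start}","{start}",{billsec},{billsec},"ANSWERED","DOCUMENTATION","1.0"\n')

SAMPLE = "".join([
    _row("204", "0112205550101", "2014-10-18 02:01:10", 3300),  # Saturday night
    _row("204", "0112205550101", "2014-10-18 02:01:12", 3290),
    _row("204", "0112525550102", "2014-10-18 02:02:40", 3100),
    _row("204", "0119605550103", "2014-10-18 02:30:05", 1500),
    _row("101", "0112205550101", "2014-10-15 10:15:00", 120),   # weekday, office hours
    _row("101", "4045550100", "2014-10-18 11:00:00", 60),       # weekend, domestic
])

if __name__ == "__main__":
    for (src, hour), s in find_bursts(SAMPLE).items():
        print(f"ALERT ext {src} {hour}: {s['calls']} calls, {s['billsec'] // 60} min billed")
```

Run from cron against the live Master.csv, a check like this raises the alarm during the weekend rather than when the carrier's bill arrives.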


Who Pays?


Who is Responsible for Losses from Hacks?

In almost all cases the customer is contractually responsible for losses from a hacked system.

Major carriers have sophisticated fraud systems in place to catch hackers before they run up false six-figure charges, and they can afford to credit customers for millions of fraudulent charges every year. But small businesses often use local carriers, which lack such antifraud systems. And some of those carriers are leaving customers to foot the bill.


Rare exception: Frip Finishing vs. Voiceflex

Frip Finishing of Leicestershire was hacked over Halloween weekend of October 2011.

Internet hackers infiltrated Frip’s PBX and made 10,366 international phone card calls, creating a bill of £35,000, most of them to a premium telephone number in Poland.

Judge David Grant rejected arguments the company had failed to adequately maintain the security of its. On the court’s interpretation of the contract, Frip was only obliged to pay for calls that it had actually made.

http://commsbusiness.co.uk/features/halloween-bill-shocker/


Phone Hackers Dial and Redial to Steal Billions

Over a weekend last March, Foreman Seeley Fountain Architecture (in Norcross, Ga.) was hacked for $166,000 worth of calls to premium-rate telephone numbers in Gambia, Somalia and the Maldives.

www.nytimes.com/2014/10/20/technology/dial-and-redial-phone-hackers-stealing-billions-.html


Need to Change the Laws

The law is not much help, because no regulations require carriers to reimburse customers for fraud the way credit card companies must. Lawmakers have taken the issue up from time to time, but little progress has been made.


What to watch for


Something New Has Started

Mysterious fake mobile phone towers discovered across America could be listening in on unsuspecting callers.

They were discovered by people using a heavily customised Android device called the CryptoPhone500.

Sources:

http://www.popsci.com/article/technology/mysterious-phony-cell-towers-could-be-intercepting-your-calls

http://www.myfoxdc.com/story/26610194/tech-company-finds-mysterious-fake-cell-towers-in-dc-area

"They can listen to all of your voice calls and they can grab all of your text," said Buzz Bruner of ESD America.

Detected in Many Locations

During a road trip from Florida to North Carolina, he found eight different interceptors.

"Whose interceptor is it? Who are they, that's listening to calls around military bases? Is it just the US military, or are they foreign governments doing it? The point is: we don't really know whose they are." - Les Goldsmith, chief executive of security firm ESD America

After publication, an interceptor was detected in the vicinity of South Point Casino in Las Vegas. Several of the masts were situated near US military bases. The towers are located near the White House, the United States Capitol and the Supreme Court.

Detection is Hard

“If you've been intercepted, in some cases it might show at the top that you've been forced from 4G down to 2G. But a decent interceptor won't show that,” says Goldsmith. “It'll be set up to show you [falsely] that you're still on 4G. You'll think that you're on 4G, but you're actually being forced back to 2G.”

Some devices can not only capture calls and texts, but even actively control the phone and send spoof texts.


How they find you


More Examples from Shodan

Remember that last year someone in the room was able to hack a Polycom phone within 30 seconds of it being displayed on a Shodan page. Default passwords are a problem.


Security Resources from


Asterisk Security Considerations

Take the updated Asterisk Advanced Class for the basics.

Copyright © 2014 Digium, The Asterisk Company

Goals

• Security overview

• Survey of common threats

• Layer-by-layer security and best practice suggestions

  – physical

  – OS

  – network

  – Asterisk

  – SIP

  – dialplan

• Resources


Look at the Asterisk Wiki


Asterisk Security Framework

Article by Malcolm Davenport

Attacks on Voice over IP networks are becoming increasingly common. It has become clear that we must do something within Asterisk to help mitigate these attacks.

Through a number of discussions with groups of developers in the Asterisk community, the general consensus is that the best thing that we can do within Asterisk is to build a framework which recognizes and reports events that could potentially have security implications.

Discussion has subpages for:

Security Framework Overview

Security Event Generation

Asterisk Security Event Logger

Security Events to Log

Security Log File Format

https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Framework


Secure Calling Specifics

Article by Malcolm Davenport

Asterisk supports a channel-agnostic method for handling secure call requirements. Since there is no single meaning of what constitutes a "secure call," Asterisk allows the administrator the control to define "secure" for themselves via the dialplan and channel-specific configuration files.

Article includes explanations and examples for:

Channel-specific configuration

Security-based dialplan branching

Forcing bridged channels to be secure

https://wiki.asterisk.org/wiki/display/AST/Secure+Calling+Specifics


Pay Attention to Vendor Warnings


FreePBX

Very good at notifying of potential problems and regular updates:

Pay attention to the FreePBX dashboard for update notifications

Critical FreePBX RCE Vulnerability (ALL Versions)

We have been made aware of a critical Zero-Day Remote Code Execution and Privilege Escalation exploit within the legacy “FreePBX ARI Framework module/Asterisk Recording Interface (ARI)”. This affects any user who has installed FreePBX prior to version 12, and users who have updated to FreePBX 12 from a prior version and did not remove the legacy FreePBX ARI Framework module.

http://www.freepbx.org/node/92822


Watch out for OS Level Alerts

Shellshock on

Shellshock, also known as Bashdoor, is a family of security bugs (with 6 CVEs filed at the time of this page) in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet daemons, such as web servers, use Bash to process certain commands, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.

http://wiki.centos.org/Security/Shellshock


Protect Your System

Watch for and install regular updates

Do not ignore the OS updates and fixes – run yum update at least quarterly.

Always change the default user names and passwords

Keep up on the news and new attacks – inside fraud and phishing will remain big problems for years to come.

ONES TO LOOK AT AND SEE WHAT BEST FITS YOUR NEEDS

VoIP Security Products


Regular Firewall

Palo Alto firewalls have known problems with SIP and SIP ALG: calls can complete but with no audio (media channel).

Checkpoint Firewalls work fine with SIP.

Fail2Ban can still cause additional problems by triggering massive whois processes that take a lot of CPU resources. (You need to kill the PID for the process; sometimes you need to kill multiple PIDs.)


Single PBX or Phone Level

New products have come out in the past few years to protect SIP at the phone or enterprise PBX level.

Coordinate the install with your ITSP, as there may be configuration issues to be managed (ports to open, NAT, etc.).

SIP Threat Manager

STM is installed in front of any SIP based PBX or gateway offering several layers of security against numerous types of attacks. Block specific IPs or countries, protect your PBX against hackers trying user names and passwords. Someone is trying to flood your PBX with a DDoS attack? No problem!

Using the SNORT based Real Time Deep packet inspection engine, our STM analyzes each SIP packet going to your phone system, identifies the malicious and abnormal ones, blocking the originating IP.


Firewall Example from Allo

On Youtube: http://www.youtube.com/watch?v=iEwfH5j9ZfE


µFirewall

Using a revolutionary, patent pending process, it identifies and prevents toll fraud on a premise-based IP PBX before it happens:

• Analyzes SIP packets through deep packet inspection

• Stops abnormal SIP protocol usage based on pre-determined parameters

• Prevents SIP denial-of-service attacks

• Quietly drops malicious SIP packets rather than responding with an error to help prevent continued attacks

• Neutralizes SIP attacks while they are occurring rather than identifying attacks after the fact

ARI is a mind blowing jump for traditional Asterisk integrators.

Our objective is to create a simple online engine that will allow people to develop short stasis/ARI applications, either on their own servers or on a hosted instance - and experiment with how ARI works.

The sandbox allows you to experiment with ARI and PHPARI, without a need to actually start coding the entire stasis application, but actually experiment inside self contained code snippets - very much like the JavaScript tools on the net.

PHPARI


Check out our Hackathon Project

Check it out (and vote for it) at: http://astriconhackathon.challengepost.com/submissions/28916-asterisk-ari-sandbox

CONTACT ME AT:

[email protected]

www.greenfieldtech.net

Thank You