Security Manager's Journal: Thousands of dollars in phone calls? Management hates that.
- 10 March, 2014 13:49
As a security manager, I expect my company to be hit by malware infestations, data theft, denial-of-service attacks and attempts at unauthorized access. I deal with them all as they arise, and they do keep things interesting.
At issue: The company has been charged thousands of dollars for calls to Latin America.
Action plan: Find out how the telephony gateway was compromised, seal it and recoup the losses.
But some incidents get attention not just from me, but also from management. Those tend to be incidents that result in the direct loss of either money or extremely sensitive data. Naturally, those are the types of incidents that I most want to prevent, interesting or not. And things quickly go from interesting to frustrating when you get hit with the same type of security event resulting in dollar loss several times in one year.
Last week, a financial analyst who processes payments for the IT department told me she had received an alert from our telecommunications provider that several thousand dollars in charges for phone calls to Costa Rica, Bolivia and Colombia had been racked up in less than a day. Since we don't typically do business in any of those countries or place several thousand dollars' worth of international calls in less than 12 hours, some sort of breach seemed likely.
But how? Just a few months ago, our phone system had been compromised, and my team had spent weeks working with our in-house telco department on finalizing and deploying a secure configuration to our IP telephony gateways. I had complete confidence in our gateways' security. So what had happened?
When I talked to our telco manager about the latest batch of long-distance charges, he had a dawning suspicion of what might have happened. And a little bit of digging proved his suspicion to be correct.
A contractor had been working on a new videoconferencing infrastructure, including a server residing in our DMZ for handling video calls to and from remote locations. People from our company had provided oversight. The architecture review board had held several sessions with the vendor to ensure that it was following a secure policy and configuration. The vendor's compliance had been verified several times during the deployment. Nonetheless, a review of the current configuration of the videoconferencing server (VCS) showed that the consultant had made a configuration change, opening up Port 5060, Session Initiation Protocol and other control ports to the Internet, with no authentication required.
We Will Not Accept the Charges
We had the consultant immediately close off the vulnerability to prevent any new unauthorized calls. Then we began sniffing the network connection to the VCS and looking at its connection state table. And what do you know: We discovered hundreds of connection attempts from servers in places that included Costa Rica, Bolivia and Colombia.
Clearly, while our telephony gateway sat naked on the Internet, someone had scanned our IP address space (an activity that we have found to be constant) and discovered the open port. It was a simple matter after that for that person to point his own IP gateway to our infrastructure and route calls through us. Such activities can be profitable. They can be done with free, open-source PBX software such as Asterisk or SIP Witch. Once an open and unauthenticated port has been found, the bad guys can either sell the discovery to others, who can then make a free connection, or sell discounted minutes.
So we were able to plug a hole that had cost us several thousand dollars, but management wouldn't really be happy unless we could recoup those losses. Our telco provider wasn't encouraging. It said our losses didn't justify the resources necessary to conduct an investigation and a hunt for the bad guys. The consultant, on the other hand, has acknowledged its error and has promised to reimburse us.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.