http://www.secuobs.com Observatoire de la securite Internet fr webmaster@secuobs.com 2011-01-19 12:06:55 - usken.no VoIP news : From one of the mailing lists Recently we have been hit by the attackers during the weekend causing more than 100 K USD bill They were dialing payphone type numbers dial to win by compromsing one of our DID number Mostly calls were placed to Lithuania, and sierraleone But guys buckle up, there are some gangs using sophisticated mechanisms to get into http://www.secuobs.com/revue/news/279198.shtmlhttp://www.secuobs.com/revue/news/279198.shtml Secuobs.com : 2011-01-14 16:45:30 - usken.no VoIP news - 32 people was apprehended in Romania, but the VoIP hacking continues from this country Low wages, highly educated people and not too many jobs often forces people to start hacking, combined with low risk of being caught This was from IP 18824194155 caught in a SIP honeypot belonging to Honeynet Project REGISTER sip IPremoved SIP 20 Via SIP 20 UDP 1921680135 5060 rport branch z9hG4bK6640 From tag 3202 To http://www.secuobs.com/revue/news/278273.shtmlhttp://www.secuobs.com/revue/news/278273.shtml Secuobs.com : 2010-12-14 14:21:48 - usken.no VoIP news - This morning, officers conducted 42 raids, apprehending 42 people specializing in VoIP hacking DIICOT Have the homes of members of attacks by groups Specialized in Voice over IP Internet telephony updates will come on this numbers so far is 11,5 million euros in fraudulent VoIP traffic http://www.secuobs.com/revue/news/271526.shtmlhttp://www.secuobs.com/revue/news/271526.shtml Secuobs.com : 2010-11-05 16:49:30 - usken.no VoIP news - Another day, another fraud and there will be more imagine your company getting hit with a 100 000 USD bill from your telco company Who to blaim here is one company which did If you get a SIP trunk from a VoIP provider, make sure they have fraud management and credit limits http://www.secuobs.com/revue/news/262724.shtmlhttp://www.secuobs.com/revue/news/262724.shtml Secuobs.com : 2010-11-04 16:15:02 - usken.no VoIP news - The Norwegian part of Computerworld has a great article about the MeshPotato English version Norwegian version http://www.secuobs.com/revue/news/262431.shtmlhttp://www.secuobs.com/revue/news/262431.shtml Secuobs.com : 2010-10-22 21:02:51 - usken.no VoIP news - meshpotato is creating the future for internet for the poor one http://www.secuobs.com/revue/news/259295.shtmlhttp://www.secuobs.com/revue/news/259295.shtml Secuobs.com : 2010-09-27 17:58:02 - usken.no VoIP news - Telecommunications Industry Group TIG in New Zealand has seen the telecom fraud quadruple in 2010 Private Branch Exchanges PABX can be downloaded for free and installed on an older PC, but not secured enough This makes the PABX open for exploiting TIG has made a list of what minimum need to do, to ensure that http://www.secuobs.com/revue/news/252034.shtmlhttp://www.secuobs.com/revue/news/252034.shtml Secuobs.com : 2010-09-27 14:42:36 - usken.no VoIP news - People has gotten tired of the VoIP scannings Sometimes they manage to abuse the PBX or just fill up the logs with all the attempts So Mr Oquendo started on a list of IP addresses and networks that should be blocked The VoIP Abuse Project is aimed at minimizing abuse for networks that have publicly http://www.secuobs.com/revue/news/251975.shtmlhttp://www.secuobs.com/revue/news/251975.shtml Secuobs.com : 2010-09-17 01:53:52 - usken.no VoIP news - A VoIP hacking that actually reached the public, was just 10 000,- USD being frauded for I would say they were lucky This is just top of the iceberg, I hear about so many more not being reported because the firm or institution does not want to have beeing hacked The latest news about it http://www.secuobs.com/revue/news/247825.shtmlhttp://www.secuobs.com/revue/news/247825.shtml Secuobs.com : 2010-09-17 01:53:52 - usken.no VoIP news - Now the scanning has started again For those remembering back in 2008 there was a large scanning in Germany, where customers with softphones experienced incoming calls very annoying during the night , it has now started again A good paper from ipcomat describing it extensively What caugt my attention was the very long branch and callid fields They http://www.secuobs.com/revue/news/247824.shtmlhttp://www.secuobs.com/revue/news/247824.shtml Secuobs.com : 2010-09-17 01:53:52 - usken.no VoIP news - My friend Thomas sent me this He has a Polycom telephone on a public IP Nice when some computer calls you in the evening Picture Copyright Thomas Nilsen C 3MTno The owner of the IP status ALLOCATED PORTABLE source APNIC person Chinanet Hostmaster nic-hdl CH93-AP e-mail anti-spam nschinanetcnnet address No31 ,jingrong street,beijing address 100032 phone 86-10-58501724 fax-no 86-10-58501724 country CN changed dingsy cndatacom 20070416 mnt-by MAINT-CHINANET source APNIC person Wu Xiao Li address Room http://www.secuobs.com/revue/news/247823.shtmlhttp://www.secuobs.com/revue/news/247823.shtml Secuobs.com : 2010-09-17 01:53:52 - usken.no VoIP news - Xtranormalcom is an easy way to make simpel videos You can see mine about telecom fraud here 37 seconds Enjoy http://www.secuobs.com/revue/news/247822.shtmlhttp://www.secuobs.com/revue/news/247822.shtml Secuobs.com : 2010-09-17 01:53:52 - usken.no VoIP news - The most abuse nowadays are open SIP servers, just as the old open mail servers which spammers relayed spam through So we will use the phrase open sip relay about the scanning going on nowadays Nothing new, just another protocol but with much more money in than spam when you find one Open SIP Relay http://www.secuobs.com/revue/news/247821.shtmlhttp://www.secuobs.com/revue/news/247821.shtml Secuobs.com : 2010-07-28 12:23:34 - usken.no VoIP news - The latest month of scanning has seemed valuable for the hackers A Norwegian municipality has been hacked and their PBX has been calling Somalia and a lot of others destinations we have picked up on our VoIP honeypots during the last month If you have an unsecure IP PBX on the net, now it will only http://www.secuobs.com/revue/news/244546.shtmlhttp://www.secuobs.com/revue/news/244546.shtml Secuobs.com : 2010-07-11 13:30:31 - usken.no VoIP news - The lastest week there has been a tremendous SIP scanning from IPs all over the world latest week The scannings are coming from a lot of IPs but the same signature, so it is probably only one person firm behind this The scanning is this OPTIONS sip 100 XXXX SIP 20 Via SIP 20 UDP 19216819 5060 branch z9hG4bK-31055767 rport Content-Length 0 From sipsscuser tag 01669016334862887007103185718785156498385702949 Accept application sdp User-Agent sundayddr To sipssc Contact sip 100 19216819 5060 CSeq http://www.secuobs.com/revue/news/239493.shtmlhttp://www.secuobs.com/revue/news/239493.shtml Secuobs.com : 2010-06-01 11:40:34 - usken.no VoIP news - The Honeynet project released VoIP challenge of the month http://www.secuobs.com/revue/news/227437.shtmlhttp://www.secuobs.com/revue/news/227437.shtml Secuobs.com : 2010-04-14 19:12:51 - usken.no VoIP news - There have never been so many SIP scannings in so short time for all my VoIP honeypotsThey have tried all types, INVITES, REGISTER, SUBSCRIBES and OPTIONS A short list of some of the attackes latest 48 hours Normally just doing a couple hundred extensions and passwords, some of these IPs trying up to 10 000 http://www.secuobs.com/revue/news/212146.shtmlhttp://www.secuobs.com/revue/news/212146.shtml Secuobs.com : 2010-02-28 18:57:25 - usken.no VoIP news - I have written a letter to the people in charge of the SIP scanning and owner of the network I have now sent it to several IP responsible for those IP addresses - Dear support personnel We have repeatedly been scanned for open SIP VoIP access from IP adresses 113105152101, 113105152102 and 113105152104 The last time was February 27th 2010, http://www.secuobs.com/revue/news/196392.shtmlhttp://www.secuobs.com/revue/news/196392.shtml Secuobs.com : 2010-02-22 23:17:25 - usken.no VoIP news - A Chinese based server has been very active latest days, and googling the IP addresses 113105152102 and 113105152104 tells me they have been scanning a long time One guy with an Asterisk got hit December 2009 and others back in November Others starts debugging and asks what it is in public support forums There http://www.secuobs.com/revue/news/194348.shtmlhttp://www.secuobs.com/revue/news/194348.shtml Secuobs.com : 2010-02-20 17:12:36 - usken.no VoIP news - Old news for us in the VoIP, but a reminder for you who think you can abuse VoIP systems and get away with it Dan York has a good overview of it on his blog Updating a story we have literally been following for years ever since it broke back in July 2006, the FBI recently issued http://www.secuobs.com/revue/news/193814.shtmlhttp://www.secuobs.com/revue/news/193814.shtml Secuobs.com : 2010-02-04 13:28:43 - usken.no VoIP news - RIPE said a long time ago that IPv4 is running out of addresses Now they are also allocating the 1xxx network for production traffic But this is a bit problematic, since people have been using IP addresses like 1111 and 1234 as examples in scripts, tools and manuals People who don t know any better, they http://www.secuobs.com/revue/news/188536.shtmlhttp://www.secuobs.com/revue/news/188536.shtml Secuobs.com : 2010-01-21 13:22:39 - usken.no VoIP news - The Exploit Database reports that FreePBX version 25 and 26 is vulnerable to Cross-Site Scripting XSS An affected user may unintentionally execute scripts or actions written by an attacker In addition, an attacker may obtain authorization cookies that would allow him to gain unauthorized access to the application This is just the beginning of vulnerabilities in different VoIP applications http://www.secuobs.com/revue/news/183993.shtmlhttp://www.secuobs.com/revue/news/183993.shtml Secuobs.com : 2010-01-18 10:15:10 - usken.no VoIP news - Slightly interested in security Do you want to learn more about investigating attacks Here is your challenge The Honeynet Project has released this years first Scan of the Month challenge It has many levels and now you can test if you are up to it http://www.secuobs.com/revue/news/182663.shtmlhttp://www.secuobs.com/revue/news/182663.shtml Secuobs.com : 2010-01-16 16:51:39 - usken.no VoIP news - Mark Waters had his Asterisk scanned for extensions without passwords or easy passwords Mark writes I have now set allowguest no in etc asterisk sipconf and will monitor how this affects regular incoming calls and also the next attack If he really need his Asterisk available on port 5060, he could use SSH tunneling for the SIP signalling or http://www.secuobs.com/revue/news/182402.shtmlhttp://www.secuobs.com/revue/news/182402.shtml Secuobs.com : 2010-01-14 17:53:56 - usken.no VoIP news - Over 10 000 hits on one single VoIP honeypot within minutes This is becoming the norm How they do it They use SIPVicious to scan with SIP OPTIONS messages If they get a response, this scan followed up with SIP REGISTER on all extensions from 100 to 9999 Then they pick an EXTENSION and do brute force password on http://www.secuobs.com/revue/news/181603.shtmlhttp://www.secuobs.com/revue/news/181603.shtml Secuobs.com : 2010-01-13 14:59:00 - usken.no VoIP news - SecSIP makes SIP more secure http://www.secuobs.com/revue/news/181100.shtmlhttp://www.secuobs.com/revue/news/181100.shtml Secuobs.com : 2010-01-11 09:25:26 - usken.no VoIP news - If you have an IP PBX on a public IP, and you are not quite sure if it is secure enough, you should get to it now Scannings on port 5060 has exploded the lastest days Previously it was a couple hits in the week, now it s up to a 100 a day This means that http://www.secuobs.com/revue/news/180146.shtmlhttp://www.secuobs.com/revue/news/180146.shtml Secuobs.com : 2009-12-28 12:18:06 - usken.no VoIP news - VoIP attacks coming from port 3058 http://www.secuobs.com/revue/news/176100.shtmlhttp://www.secuobs.com/revue/news/176100.shtml Secuobs.com : 2009-12-18 12:26:59 - usken.no VoIP news - Inspired by this talk at Ecomm 2009 by Michael Calabrese It s time to let the intelligent wireless units utilize the available spectrum Why allocate all the frequencies static, when you can divide them both in time, location, height on ground, in planes and dynamically back-off channles in use If I had done the same spectrum scan http://www.secuobs.com/revue/news/173831.shtmlhttp://www.secuobs.com/revue/news/173831.shtml Secuobs.com : 2009-12-17 16:36:51 - usken.no VoIP news - Direct VoIP attacks are escalating, but even as scary is using a hacked VoIP system to extend your social engineering in a firm This can be done automatically by using hacked PBXes to make the call, to direct attacks towards a larger institution where you first hack their VoIP phone central, and then use real http://www.secuobs.com/revue/news/173398.shtmlhttp://www.secuobs.com/revue/news/173398.shtml Secuobs.com : 2009-12-09 18:40:48 - usken.no VoIP news - I m glad when people are taking VoIP security more seriously VoIP will become an even more important service, integrated into everyday life on the Internet Ben in the Australian Honeynet Project is now on his third article about VoIP frauds It is for the general audience and gives you a insight of what drives the hackers http://www.secuobs.com/revue/news/170283.shtmlhttp://www.secuobs.com/revue/news/170283.shtml Secuobs.com : 2009-11-24 14:56:49 - usken.no VoIP news - Computerworld in Norway published an article about The Honeynet Project and the Norwegian Honeynet Chapter This is one of the main tools to learn the tools of how attackers abuse VoIP targets Her is the Norwegian and English version http://www.secuobs.com/revue/news/164529.shtmlhttp://www.secuobs.com/revue/news/164529.shtml Secuobs.com : 2009-11-09 17:38:37 - usken.no VoIP news - SIP TLS is better but still TLS has its own security challenges http://www.secuobs.com/revue/news/158886.shtmlhttp://www.secuobs.com/revue/news/158886.shtml Secuobs.com : 2009-10-21 23:05:20 - usken.no VoIP news - What the heck is the customers Asterisk calling Guatemala about quarter to five in the morning 1000 calls to Guatemala, but very few actually went through or had any long duration This was around 11 o clock in the evening for Guatemala What was the purpose of this abuse It would have been nice to have a http://www.secuobs.com/revue/news/152735.shtmlhttp://www.secuobs.com/revue/news/152735.shtml Secuobs.com : 2009-10-19 15:21:43 - usken.no VoIP news - Microsoft OCS went down because of a patch http://www.secuobs.com/revue/news/151815.shtmlhttp://www.secuobs.com/revue/news/151815.shtml Secuobs.com : 2009-10-09 15:13:53 - usken.no VoIP news - There is a lot of people trying to make money illegal Some are good at it, some are not that good Like this guy Tony trying to sell Vedio Phone He sent a word document with cut n'paste pictures and spec s from several very different SIP Video phones as a reply to my account at wwwalibabacom http://www.secuobs.com/revue/news/148943.shtmlhttp://www.secuobs.com/revue/news/148943.shtml Secuobs.com : 2009-09-21 13:22:57 - usken.no VoIP news - The SIP attack yesterday hit several Norwegian IP addresses, where several insecure IP PBXes were located The attacker managed to several of these ringing the Citibank number I have confirmed from different sources that minimum four PBXes were abused the last 24 hours These were Cisco and Asterisk PBXes, but configured insecure There were no http://www.secuobs.com/revue/news/142782.shtmlhttp://www.secuobs.com/revue/news/142782.shtml Secuobs.com : 2009-09-20 19:46:29 - usken.no VoIP news - Citibank is or has been under a telephone calling attack latest 12 hours Here I will explain the attack and how it was done Have you seen the movie lawnmower man , when in the end, all phones rings in the who city This was the aim for todays attack on Citibank in UK The attack was http://www.secuobs.com/revue/news/142657.shtmlhttp://www.secuobs.com/revue/news/142657.shtml Secuobs.com : 2009-09-09 11:01:38 - usken.no VoIP news - I m a gadget person and I like cool technologies I get a lot of e-mails with new products and I let my mind spin around this product how it can be used the best way and in which situations I do notice that there is a lot of copy products All from an iPhone with dual http://www.secuobs.com/revue/news/139099.shtmlhttp://www.secuobs.com/revue/news/139099.shtml Secuobs.com : 2009-09-04 19:53:26 - usken.no VoIP news - A very good RFC that walks you through the VoIP Security issues http://www.secuobs.com/revue/news/137979.shtmlhttp://www.secuobs.com/revue/news/137979.shtml Secuobs.com : 2009-09-01 23:13:30 - usken.no VoIP news - The Norwegian Police are limping after web 20 and finally made a website where you can report a crime only if your wallet, bicycle or mobile phone is stolen The only stupid thing is that it results in an e-mail sent to another system But hey, they promise to send a letter in your snail http://www.secuobs.com/revue/news/136687.shtmlhttp://www.secuobs.com/revue/news/136687.shtml Secuobs.com : 2009-07-13 22:21:11 - usken.no VoIP news - Companies are jumping on the VoIP wagon, but need to do their homework before implementing it locally and choosing a provider Tyler Merritt has written a nice article about it, I borrowed the bullet points Ask the provider detailed questions about their backbone Do they host their servers in a reputable data center Do they get their bandwidth http://www.secuobs.com/revue/news/120079.shtmlhttp://www.secuobs.com/revue/news/120079.shtml Secuobs.com : 2009-07-13 22:21:11 - usken.no VoIP news - If I know the IP address of your SIP User-Agent and your extension, I can get your password Not true Here is how Sandro and I did it Sandro Gauci also has a tool voippack for Canvas which automates the whole process, you can watch the video here The fault is that a User-Agent actually answers http://www.secuobs.com/revue/news/120078.shtmlhttp://www.secuobs.com/revue/news/120078.shtml Secuobs.com : 2009-07-13 22:21:11 - usken.no VoIP news - Just setting up a Cisco UC500 and notice how old fashioned the VoIP settings are The setup still believes that the provider only has one major IP address and one backup Of course, to have one basic IP address where all traffic is routed to, and make this redudant through virtual IP or IP take-over , http://www.secuobs.com/revue/news/120077.shtmlhttp://www.secuobs.com/revue/news/120077.shtml Secuobs.com : 2009-07-13 22:21:11 - usken.no VoIP news - The snom phone seems to have a built-in brute-force blocker After a short while it does not even allow me into the web interface This is a good idea, but can also be misused as a Denial-of-Service DoS attack Will write more about this phone when I have time http://www.secuobs.com/revue/news/120076.shtmlhttp://www.secuobs.com/revue/news/120076.shtml Secuobs.com : 2009-07-13 22:21:11 - usken.no VoIP news - There are not much publicity about this project, so I wanted to explain what it s all aboutThe ultimate goal is to make it easy to spread information eg people send a SMS and get a call informing them about HIV AIDS or the weather The Freedom Fone is a universal media conveyor, it should take most media http://www.secuobs.com/revue/news/120075.shtmlhttp://www.secuobs.com/revue/news/120075.shtml Secuobs.com : 2009-07-13 22:21:11 - usken.no VoIP news - Browsed through the Internet for the Freedom Fone Project and came over the LinuxMCE I have been dreaming about a project like this, and was really amazed about the possibilities included already They have done a smart thing dividing it up in two parts one powerful core server for doing encoding of incoming media one or more http://www.secuobs.com/revue/news/120074.shtmlhttp://www.secuobs.com/revue/news/120074.shtml Secuobs.com : 2009-07-13 22:21:11 - usken.no VoIP news - Updates to Cain Abel makes MitM attacks on SIP TLS easy http://www.secuobs.com/revue/news/120073.shtmlhttp://www.secuobs.com/revue/news/120073.shtml