Communications Crime Security The Almighty Buck IT

In Australia, Rising VoIP Attacks Mean Huge Bills For Victims

Posted by timothy
from the that's-off-the-hook dept.
mask.of.sanity writes with this excerpt from ZDNet Australia: "Australian network companies have told of clients receiving phone bills including $100,000 worth of unauthorised calls placed over compromised VoIP servers. Smaller attacks have netted criminals tens of thousands of dollars worth of calls. A Perth business was hit with a $120,000 bill after hackers exploited its VoIP server to place some 11,000 calls over 46 hours last year. ... Local network providers and the SANS Institute have reported recent spikes in Session Initiation Protocol (SIP) scanning — a process to identify poorly configured VoIP systems — and brute-force attacks against publicly-accessible SIP systems, notably on UDP port 5060."
  • by Anonymous Coward on Sunday October 10, 2010 @06:29PM (#33855184)

    like the co. doesn't know what/who is using their networks? what even more horseshit. reminds us of the bank charging overages without paying out a dime to anybody. of course they 'forgive' them when one complains. i think they depend on some folks not bothering. it reads like it's the customers' fault & problem & that the co.s are just peripheral victims themselves, although they've lost nothing & are probably raking in unmentioned extra $ on the folks who don't pay attention or have a low illicit use rate.

  • by Anonymous Coward on Sunday October 10, 2010 @06:51PM (#33855272)

    Maybe they should not be ISPs if they can not handle it.

    This is like 'identity theft'.

    Is your name no longer Bill?

    The bank fails to protect you and your money from fraud. The money you put into the bank for safe keeping got stolen from the bank, not you. The bank failed to do its job. The criminal who stole the money is the criminal.

    Rather than tighten up security, put the crook in jail, SPEND SOME MONEY, HIRE SOME REAL TECHS, they hire lawyers and media people to rebrand this as 'Identity Theft'.

    Sure that is a cool mindfuck, but come on, people are going to eventually catch on and burn your house down, hopefully with you in it.

    Just another part of the backstory in yet another run up to another failed attempt to shut down the internet.

    Please. We're computer nerds. The smartest bunch on the planet. Cut this crap out. You've been called on it. Go back home. The cheque is not going to clear.

    At least give us some new creative propaganda, fear, FUD, booga booga and doom. This same old, same old, with a dull twist makes me want to watch Hannah Montana.

    REALITY! IT'S OUT THERE! IT'S REAL!

  • by postbigbang (761081) on Sunday October 10, 2010 @06:53PM (#33855288)

    Point to point personal VoIP can be pretty free.

    But then there's the cost of the Internet connection. There's a capex cost of the home router you use, and the cost of the power it uses as well as your 'phone' device, whatever that might be.

    The ISP then has a last mile capital cost, to run a cable to your place or deliver a wireless signal that you can use.

    Then there's the interconnect equipment that's used on the backhaul, landline gateway interconnect costs (capex and opex), the rent for the building, the power, the people, their benefits, the diesel generator if you're lucky. Then there are the returns paid to the people that invested in all of that; taxpayers in some realms, stockholders in others.

    Then there are the costs associated with upstream routing. Maybe there's a SIP server with its incumbent costs, support, programmers, power, and so on.

    The Internet isn't free. Phone costs aren't free. Each has a cost.

    But what happened in the TFA is that people exploited SIP security and found a way to make people's toll avoidance become a nightmare for them. Not free. Not at all.

  • by erroneus (253617) on Sunday October 10, 2010 @07:14PM (#33855386) Homepage

    Did you forget to mention that the exact same networks that are used to route phone calls are the exact same networks that are used to route internet traffic?

    You can dress up the costs of this that and the other and make a "phone bill" look quite justified, but if those costs were really justified, then the cost of access to the internet would be simply astronomical. It isn't.

    Telco profits are higher than ever before and they are, of course, enjoying it. They aren't resting, though... oh no... they are still looking for new and novel ways to screw customers over. As for me? I'm way too savvy to play their game. Sadly, I am among the 0.001% who are... so everyone else gets hosed.

    I recall when voice communications over the internet was young. The telcos were suing everyone who tried it just as the music companies were suing everyone who wrote MP3 software. Well that didn't last long, but the games are all being played just the same.

    So what have we learned? Don't pay for crap you don't have to. Diamonds are worthless. Don't believe me? Try reselling one. New cars are over-priced. Same deal as diamonds only not as profound. Credit cards and credit scores? Debt-financed lifestyle might feel rich, but you aren't saving your money any more and neither is the majority of Americans. Credit scores depend almost entirely on your ability to maintain debt. You could be a billionaire and have a horrible credit score because you pay for everything in cash. Huge misrepresentation in all of that. Long distance phone service? Set up your own network and run your own VoIP -- it's cheaper in the long run. Hell, even now, my company here in the U.S. communicates regularly over voice AND video with our parent company in Japan. We only pay for the network connection and it goes over the internet.

    The reality is that people are too lazy to learn the truth and act on it to change. In the short term, it's great to be smarter than everyone else, but when things go bad, it doesn't matter -- the whole world comes down at once.

  • by mspohr (589790) on Sunday October 10, 2010 @07:58PM (#33855552)

    A Perth business was hit with a $120,000 bill after hackers exploited its VoIP server to place some 11,000 calls over 46 hours last year. ...

    My Skype VOIP would only charge $10.00 for 10,000 calls. These businesses must be really stupid.

  • by postbigbang (761081) on Sunday October 10, 2010 @08:20PM (#33855642)

    True. This is because traditionally, voice and data were two separately tariffed ideas. Landline equipment can be tip/ring or can be DSL VoIP.... or a cable VoIP-- depending on what state and which part of the world you're in.

    QoS and low latency to support voice are a bit different when you use bi-directional telephony on top of data lines. I'm not trying to justify what PTTs and telcos charge here. But voice telephony is different than data telephony and VoIP is different still. Personally, I prefer Skype. But Business Skype is an oxymoron. Those in the business VoIP business range from reasonable to totally sucks. The "free" part of the OP's message is what I have issue with. Data is asynchronous, and voice is isochronous and the two take different equipment and have different historical infrastructure. When voice is data and actually rides over wires in bit frames, it may or may not be part of IP protocols. If it rides over IP as isochronous media, then call quality depends on deterministic routing as well as low fundamental line latency.

    If you use SIP or ENUM/ENUM2, then the additional problems of gateway protection are important and cost money. Don't pay the money or let a fool guard it, and you get $100K surprises.

  • by Pharmboy (216950) on Sunday October 10, 2010 @08:26PM (#33855664) Journal

    I agree with your logic, but understand that many people ARE dropping the traditional phone companies. I haven't had a land line in a few years, and just switched my office from POTS to Time Warner Biz Cable. Dropping two T1s for data and 12 phones, and picking up two 5/1.5 data lines and 12 phone lines with UNLIMITED nationwide LD (and very low overseas rates) will save our small company $30,000+ this year, and our bill will be the same every month (excepting a small amount of European calls). A direct quote: POTS = $50 line + $15 for rollover service + usage. TWC costs $39.99 including rollover and LD. We switched a month ago. Our system was down for 10 minutes during the change, and has worked flawlessly ever since.

    Half the people I know (mainly younger) don't have land lines. Mainly small businesses are changing to cable solutions (ours was said to be one of the larger ones). The traditional phone companies are soon to be hurting, give it 2 or 3 years. This is why they are making hay while they can, and expanding into other markets.

  • by AK Marc (707885) on Sunday October 10, 2010 @08:53PM (#33855780)

    A phone call over satellite is just fine. In Alaska, that's about all you get in most areas. Browsing the web doesn't work that great. The non-local DNS servers take a few seconds to respond, often resulting in a timeout for the first click so you have to refresh every new page. And the TCP limit causes downloads to be slow.

    But a good fix would be to have higher bandwidth calls that include FEC so that a lost or late packet could be reconstructed. That would greatly improve call quality in jittery/lossy environments. But that's a whole new set of standards, and even though a common sense combination of two related technologies used for 20+ years, someone would patent it and start charging everyone for it the moment it gets brought up. But it would help on long fat pipe situations, like satellite and across the world (not as long, but often more jitter).
  • Interesting timing

    by Buzzard2501 (834714) on Sunday October 10, 2010 @08:58PM (#33855806)

    Yesterday afternoon (and then again at 9pm) I watched an IP from Korea use a dictionary attack against our PABX (Asterisk) located in Australia. It used a standard list of usernames and passwords, and then every extension from 0000 to 9999. While our setup would protect us from any substantial loss (most extensions are set up to allow 1-3 simultaneous calls, premium calls are disabled, and our VoIP billing is pre-paid), Fail2Ban is in the process of being set up.
  • by e9th (652576) on Sunday October 10, 2010 @10:19PM (#33856270)

    By all means use fail2ban. But setting alwaysauthreject=yes in sip.conf will generally stop the attacks faster, and also in cases where they try s-l-o-w-l-y, hoping to slip under fail2ban's radar.

    Setting alwaysauthreject causes asterisk to respond the same way to an invalid peer registration as to a valid one using a bad secret. In other words, the attacker can't get a list of valid extensions for later password cracking attempts. Note that this violates RFC3261, but I'm unaware of anything that it will actually break, and in fact it's the default in asterisk 1.8.
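The two comments above describe the same two patterns from the defender's side: a sweep of every extension from one source, and a slow password-guessing run spaced out to stay under fail2ban's maxretry/findtime limit. The script below is an added example (not code from the thread, from Asterisk, or from fail2ban) that parses failed-registration lines in the classic chan_sip NOTICE layout, groups them by source address, and labels each source as an extension sweep, a brute-force run, or a low-and-slow run that a purely rate-based banner would miss. The log lines, IP addresses and thresholds are constructed assumptions for the demonstration; the message wording is modelled on the "Registration from ... failed for ... - No matching peer found / Wrong password" lines that fail2ban's stock Asterisk filter matches.

```python
"""Label SIP registration attacks in Asterisk chan_sip log lines.

Added example. Log layout, addresses and thresholds are assumptions
constructed for the demo, not captured from a real PBX.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Classic chan_sip NOTICE line for a failed REGISTER (layout assumed).
LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<from>[^']*)' failed for '(?P<ip>[\d.]+)(?::\d+)?'"
    r" - (?P<reason>.+)$"
)


def parse_line(line):
    """Return {'ts','user','ip','reason'} for a failed-registration line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    user = re.search(r"sip:([^@>]+)@", m["from"])  # the extension being tried
    return {
        "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),  # year-less syslog stamp
        "user": user.group(1) if user else m["from"],
        "ip": m["ip"],
        "reason": m["reason"],
    }


def peak_in_window(times, findtime):
    """Largest number of events inside any sliding window of length `findtime`."""
    times = sorted(times)
    best, lo = 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > findtime:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def analyze(log_text, enum_users=10, guess_total=6, maxretry=5, findtime_s=600):
    """Group failures by source IP and label each source.

    'enumeration'  : many distinct usernames from one source (extension sweep)
    'brute-force'  : repeated failures against one or a few usernames
    'low-and-slow' : enough failures to matter, but never `maxretry` inside any
                     `findtime_s` window, so a fail2ban-style ban never fires
    """
    findtime = timedelta(seconds=findtime_s)
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        users = {e["user"] for e in evs}
        peak = peak_in_window([e["ts"] for e in evs], findtime)
        labels = []
        if len(users) >= enum_users:
            labels.append("enumeration")
        elif len(evs) >= guess_total:
            labels.append("brute-force")
        if len(evs) >= guess_total and peak < maxretry:
            labels.append("low-and-slow")
        if labels:
            findings[ip] = {"failures": len(evs), "users": len(users),
                            "peak": peak, "labels": labels}
    return findings


def _line(ts, user, ip, reason):
    """Build one constructed log line in the chan_sip layout."""
    return (f"[{ts:%b %d %H:%M:%S}] NOTICE[2210] chan_sip.c: Registration from "
            f"'\"{user}\" <sip:{user}@203.0.113.10>' failed for '{ip}' - {reason}")


def sample_log():
    """Constructed sample: one sweep, one slow guesser, one legitimate typo."""
    t0 = datetime(2010, 10, 10, 16, 2, 11)
    lines = []
    # Source A: tries extensions 1000..1011 within twelve seconds (sweep).
    for i in range(12):
        lines.append(_line(t0 + timedelta(seconds=i), 1000 + i,
                           "198.51.100.23", "No matching peer found"))
    # Source B: one wrong password every 15 minutes against extension 1001.
    for i in range(8):
        lines.append(_line(t0 + timedelta(minutes=15 * i), 1001,
                           "203.0.113.77", "Wrong password"))
    # Source C: a single mistyped secret from a legitimate handset.
    lines.append(_line(t0 + timedelta(minutes=3), 1002, "192.0.2.5", "Wrong password"))
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, finding in analyze(sample_log()).items():
        print(ip, finding)
```

Run it and the sweep from 198.51.100.23 is labelled enumeration (twelve usernames, twelve failures inside one window), while 203.0.113.77 is labelled both brute-force and low-and-slow: eight failures in total but never more than one per ten-minute window, which is exactly the case where a rate-based ban alone is not enough and a server-side setting such as alwaysauthreject earns its keep. The single typo from 192.0.2.5 produces no finding.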
  • Same at my office. The provider insisted that we install no firewall or antivirus on their Win2K3 box, and they wanted remote desktop enabled and a public IP. We said hell no. This is sitting behind our firewalls and if you need access, we'll set up some port forwarding pinholes THEN.

  • by Anonymous Coward on Sunday October 10, 2010 @11:00PM (#33856452)

    Just to add a little scope to the 1TB thing - that was an offer only made available this year, the culmination of about 6 months of renewed plan competition between first- and second-tier ISPs in response to the NBN publicity. Prior to this typical quotas were in the 10GB to 50GB range.

    Oh, and for a little more context, the 1TB plan that I'm aware of is actually 500GB onpeak, and 500GB offpeak, offpeak being between 2am and 7am. So realistically, it still is really only good for 500GB. This biased-distribution 'doubling' strategy is pretty typical of current plans.

  • by smash (1351) on Sunday October 10, 2010 @11:45PM (#33856616) Homepage Journal

    Reconstructing / resending packets on a VOIP call doesn't help, as it is too late. VOIP needs decent prioritised QOS to work. If you get bits of audio out of order or dropped, retransmits can't help you as it's too late by that point (the listener didn't get the audio in time - they hear a bit of silence in the audio).

    The only real way of making it work is ensuring VOIP traffic is prioritised so that it doesn't get dropped in the first place. Hence different cost/QOS rules to other generic data that is extremely tolerant of out of order packets and delays.

    Unlike streaming audio / video from youtube or whatever, you can't simply buffer 30 sec of audio to work around this, as two-way conversations are real time...

  • by mcrbids (148650) on Monday October 11, 2010 @01:02AM (#33856888) Journal

    Browsing the web on a geostationary satellite connection is OK. A phone call on one is pretty crappy.

    I called my daughter who was a foreign exchange student in Germany. We talked for several hours. I did my research, I was signed up for a plan at $0.05/minute. AT&T (with whom I now refuse to transact) charged me almost $4.00 per minute. I spent hours going through their "customer support" speaking to numerous people with names like "Michael" and "Robert" who had strangely Indian accents. See, it turns out that it's CHEAPER to route my call to INDIA and save perhaps $3 of the $6 PER HOUR to have an Indian take that call than an American. Which means that, at maximum, the cost of getting my call to India is actually costing them, at most, $3 per hour. This number matches quite closely to the $0.05 per minute I expected to pay, which works out to $3/hour. This seems to support your point, doesn't it?

    But on the flip side, after getting the almost $1,000 phone bill, I went to my cell phone provider (much love for Metro PCS! [metropcs.com]) and got an unlimited international calling (to most first world countries) for just $5/month! We spent the rest of the year my daughter was in Germany blabbing away monthly on my wife's cell phone, with decent call quality and NO HIDDEN COSTS for just $5.

    So what's the actual cost of an International call? Certainly, AT&T has a very expensive way to do it, Metro-PCS [metropcs.com] can do a good job of it for prices too cheap to meter!

    PS: I have no affiliation with MetroPCS other than being a satisfied customer. Don't expect super-friendly, great tech support from them, they are a discount cellular service provider. But their stuff works, it's cheap, and I'm happy. =)

  • by EdIII (1114411) on Monday October 11, 2010 @01:44AM (#33857032)

    If you use SIP or ENUM/ENUM2, then the additional problems of gateway protection are important and cost money. Don't pay the money or let a fool guard it, and you get $100K surprises.

    You just can't overstate that last part.

    A *huge* amount of VOIP fraud and hacking is against Asterisk based systems.

    Nearly all of the stories I hear are about Asterisk based systems that had their SIP port opened up to the Internet. A lot of those involve Trixbox. Trixbox is, by and large, just like slathering a nice thick layer of stupid and apathy on top of an otherwise really solid system. Please, I am not trolling here. I am no fan of Trixbox, due to how impossible it is to manage or get anything done. It's a really pretty front end for Asterisk, and that is about it. Which is why it is so damned dangerous.

    The problem is how many people are getting really interested in VOIP, but don't have the expertise, training, or initiative to do it correctly. From enthusiasts, to IT departments pressured to cut costs with, "with that whole VOIP thingy I read in a business magazine" from their pointy-haired-bosses, VOIP is getting really hot for a lot of people. VOIP providers are plentiful now and pretty darned easy to setup. Most of the ones I have evaluated ALL have tutorials for setting them up on Asterisk and Trixbox.

    Biggest problem with Trixbox? People go for the free and are not paying the money for the Trixbox support contracts or the professional offerings. To be fair, it is not just Trixbox either... Stuff like PBX in a Flash is just as problematic.

    What we have is a large number of people that are using Asterisk based systems (there is not a whole lot of other options out there. YATE is the only one I know of, and the others are based on Asterisk) not being managed correctly.

    When you don't understand the dialplan, concepts behind a dialplan, extensions, SIP security, media, etc. you set yourself up for a situation very similar to a router with a default password or an email server set up as an open mail relay.

    For me personally, I found Trixbox, PiaF, and others to just not work, and be nearly impossible to configure or customize to do what I wanted to do. As a result, I threw myself into learning as much as possible and started from scratch with a bare metal Asterisk with no configuration files. It took a while, and I had the Asterisk Bible on me too, but I learned. I think I am in a much better position for it too. Would not call myself an expert yet, but I am not an amateur either.

    90% of this fraud would go away if the people using Asterisk/Trixbox would follow some very basic rules and configure their systems correctly from the start. I have received at least a million attacks on my PBX systems in the last 3-4 months and they never succeed. Mostly because I researched and read about the best ways to defend against it....

    Surprise... by not running a default system open to the internet. Shocking...

    It's really just like you said. Pay the money and don't put somebody inexperienced in a position of responsibility over the VOIP. Unfortunately, when you screw up with VOIP it can be very expensive since they can rack your bills up *really* fast.

  • by Bert64 (520050) on Monday October 11, 2010 @02:00AM (#33857086) Homepage

    That only works if they operate a premium rate phone scam with the stolen accounts...

    On the other hand, many criminals will sell 'minutes' to various countries at below the standard rates to service providers.. These providers then route calls from unsuspecting users over the questionable routes.
    Many of those calling cards being offered at unbelievable prices work this way.. Lots of people living in the west come from countries which are extremely expensive to call, and still have family there, and they will lap up these unbelievably cheap cards.

  • by Anonymous Coward on Monday October 11, 2010 @03:11AM (#33857324)

    Ohho, you might have overlooked one thing, bullet point #1 of MetroPCS terms and conditions for international calling:

    "The International Long Distance (“ILD”) Services provided by MetroPCS is intended for your personal use and not for commercial use or for resale. Loaning or renting your handset to third parties for their use is not considered personal use. We will presume certain usage, dialing, or calling patterns indicate that you are not using the ILD service for your personal use and we reserve the right to suspend, terminate or restrict your services within no prior notice. If you believe that we are in error, you may contact customer service at 1-888-8metro8 and depending on the circumstances we may reactivate your ILD Service. However, if the usage, dialing or calling patterns we deem connote non-personal use continues, we reserve the right to suspend, terminate or restrict your services within no prior notice and not allow you to reactivate service."

    What are these "certain usage, dialing, or calling patterns" that will cause them to shut off your service without warning? They won't tell you, and in fact, their customer service line CANNOT tell you (as they are outsourced and are not given the information to be able to tell you). Rest assured, the primary component of those calling patterns is calling frequently or for long periods of time.

    So, if you're only calling internationally rarely, MetroPCS is the way to go. But beware, they'll shut you down without warning with literally no reason given but "your calling patterns show that you are in breach of your terms and conditions".
