Forgot your password?
typodupeerror
Communications Crime Security The Almighty Buck IT

In Australia, Rising VoIP Attacks Mean Huge Bills For Victims 178

Posted by timothy
from the that's-off-the-hook dept.
mask.of.sanity writes with this excerpt from ZDNet Australia: "Australian network companies have told of clients receiving phone bills including $100,000 worth of unauthorised calls placed over compromised VoIP servers. Smaller attacks have netted criminals tens of thousands of dollars worth of calls. A Perth business was hit with a $120,000 bill after hackers exploited its VoIP server to place some 11,000 calls over 46 hours last year. ... Local network providers and the SANs Institute have reported recent spikes in Session Initiation Protocol (SIP) scanning — a process to identify poorly configured VoIP systems — and brute-force attacks against publicly-accessible SIP systems, notably on UDP port 5060."
This discussion has been archived. No new comments can be posted.

In Australia, Rising VoIP Attacks Mean Huge Bills For Victims

Comments Filter:
  • by erroneus (253617) on Sunday October 10, 2010 @07:25PM (#33855160) Homepage

    It isn't the people hacking into systems they aren't authorized to, it's the price and value of phone calls. In this day and age, we still have "long distance charges" and all that? Really? I can reach web pages hosted all over the globe but I can't make a phone call? It's not the technology, it's the abusive business models. Phone calls should be as free as the internet.

    • by Duradin (1261418) on Sunday October 10, 2010 @07:39PM (#33855228)

      And that website on the other side of the world totally has the same level of Quality of Service as a phone call.

      People put up with crappy cell phone calls, d ppin ev ry ther s lla le, but complain to high hell when there's the least bit of echo or static on a (non-VoIP) land line.

      • by Angst Badger (8636) on Sunday October 10, 2010 @09:26PM (#33855668)

        And that website on the other side of the world totally has the same level of Quality of Service as a phone call. People put up with crappy cell phone calls, d ppin ev ry ther s lla le, but complain to high hell when there's the least bit of echo or static on a (non-VoIP) land line.

        Funny, but that website on the other side of the world comes through perfectly without any data corruption or loss of quality even when I'm downloading tens or hundreds of megabytes of data more than I'd be receiving through a several hour long phone call. Hell, I can stream HD video just fine most of the time, but I can't get better than 3.3 kHz on a voice call -- by design.

        If voice telephone service sucked as bad as the channel I get to someone's cheap personal website, it would be a vast improvement.

        • by GigsVT (208848) on Sunday October 10, 2010 @09:36PM (#33855698) Journal

          A web site doesn't have any particular latency requirements, other than 1 second or so.

          Browsing the web on a geostationary satellite connection is OK. A phone call on one is pretty crappy.

          This doesn't refute the original poster, but it's not as simple as you make out either.

          • Re: (Score:3, Interesting)

            by AK Marc (707885)
            A phone call over satellite is just fine. In Alaska, that's about all you get in most areas. Browsing the web doesn't work that great. The non-local DNS servers take a few seconds to respond, often resulting in a timeout for the first click so you have to refresh every new page. And the TCP limit causes downloads to be slow.

            But a good fix would be to have higher bandwidth calls that include FEC so that a lost or late packet could be reconstructed. That would greatly improve call quality in jittery/los
            • by smash (1351) on Monday October 11, 2010 @12:45AM (#33856616) Homepage Journal

              Reconstructing / resending packets on a VOIP call doesn't help, as it is too late. VOIP needs decent prioritised QOS to work. If you get bits of audio out of order or dropped, retransmits can't help you as its too late by that point (the listener didn't get the audio in time - they hear a bit of silence in the audio).

              The only real way of making it work is ensuring VOIP traffic is prirotised so that it doesn't get dropped in the first place. Hence different cost/QOS rules to other generic data that is extremely tolerant of out of order packets and delays.

              Unlike streaming audio / video from youtube or whatever, you can't simply buffer 30 sec of audio to work around this, as two-way conversations are real time...

              • by AK Marc (707885)
                Reconstructing / resending packets on a VOIP call doesn't help, as it is too late.

                That makes me think you don't know what FEC is, yet are telling me that I don't know what I'm talking about. Sending FEC with a jitter buffer big enough (just 40 ms more would be enough, based on normalish settings) and you can reconstruct a packet in real time. No resending needed. It's not too late, it comes just in time.

                The only real way of making it work is ensuring VOIP traffic is prirotised so that it doesn't get
                • Re: (Score:3, Insightful)

                  by Rising Ape (1620461)

                  Most packet loss is due to congestion, which using FEC is only going to make worse. So you'll gain your phone call clarity at the expense of other traffic.

                  • by smash (1351)
                    Exactly... particularly here in AU where bandwidth is way more expensive than in the US...
                  • by AK Marc (707885)
                    So you'll gain your phone call clarity at the expense of other traffic.

                    And people like that. That's the whole point of QoS.
                  • Most packet loss is due to congestion
                    And most congestion is due to the fact that things like file downloads work on the principle of trying to and go as fast as the host can manage and then throttling back if/when that causes congestion.

                    which using FEC is only going to make worse.
                    It will mean that the voip call uses more bandwidth which means something else will have to throttle back slightly sooner.

                    So you'll gain your phone call clarity at the expense of other traffic.
                    meh, Given the relatively low bandwidt

                • by Nethead (1563)

                  Many years back when working on a VoIP project for ACS we found the best way to deal with sat hops was to deal with the remote end as analog (FXS) and do the analog to VoIP conversion back in the Anchorage CO. Cisco VoIP of the day just didn't like to deal with the RTT.

                  Bellcore specs call up to 150ms toll quality. Anything beyond that is out of spec, But a geo-hop is about 250ms, maybe a bit more with the angles involved that far north.

                  AK is a great testbed to push protocols to their limits. If I was a b

              • by VoidCrow (836595)

                FEC = FORWARD ERROR CORRECTION...

                It's data packaged with the original data packet which allows the original to be reconstructed (with reasonable certainty), if corrupted.

            • The obvious way to fix most web browsing issues with satellite would be to build a split proxy.

              A program running on the internet side would talk to webservers, a program running on the client side would talk to the web browser and then they would talk to each other with a protocol specifically optimised for high latency links.

          • by mcrbids (148650) on Monday October 11, 2010 @02:02AM (#33856888) Journal

            Browsing the web on a geostationary satellite connection is OK. A phone call on one is pretty crappy.

            I called my daughter who was a foreign exchange student in Germany. We talked for several hours. I did my research, I was signed up for a plan at $0.05/minute. AT&T (with whom I now refuse to transact) charged me almost $4.00 per minute. I spent hours going through their "customer support" speaking to numerous people with names like "Michael" and "Robert" who had strangely Indian accents. See, it turns out that it's CHEAPER to route my call to INDIA and save perhaps $3 of the $6 PER HOUR to have an Indian take that call than an American. Which means that, at maximum, the cost of getting my call to India is actually costing them, at most, $3 per hour. This number matches quite closely to the $0.05 per minute I expected to pay, which works out to $3/hour. This seems to support your point,doesn't it?

            But on the flip side, after getting the almost $1,000 phone bill, I went to my cell phone provider (much love for Metro PCS! [metropcs.com]) and got an unlimited international calling (to most first world countries) for just $5/month! We spent the rest of the year my daughter was in Germany blabbing away monthly on my wife's cell phone, with decent call quality and NO HIDDEN COSTS for just $5.

            So what's the actual cost of an International call? Certainly, AT&T has a very expensive way to do it, Metro-PCS [metropcs.com] can do a good job of it for prices too cheap to meter!

            PS: I have no affiliation with MetroPCS other than being a satisfied customer. Don't expect super-friendly, great tech support from them, they are a discount cellular service provider. But their stuff works, it's cheap, and I'm happy. =)

            • Re: (Score:3, Funny)

              by mcrbids (148650)

              PPS: AT&T waived almost all of that $1,000 when I tried to cancel my account with them. After they did so, I waited a month before canceling service. They overcharged me $20 on my very next bill!

              Friends don't let friends use AT&T!

            • by houghi (78078)

              I call over VoIP. I call a fixed number that then will call the international number. Some price comparison right here: http://www.backsla.sh/betamax [backsla.sh] Prices are lowest available, so it could be that you need to pay a bit more after a while.

              The one I took was 90 days free and now I pay 1.5 euro cents per minute.

              Downside is that calling the number takes a bit longer. First the local number, then a pause (needed to look in my phones manual to know what it was) then the remote number, then a message telling nme

            • by MogNuts (97512)

              This is such a spam post. Mods, please mod the post into oblivion.

              How this got through I have no idea.

          • by ultranova (717540)

            A web site doesn't have any particular latency requirements, other than 1 second or so.

            Browsing the web on a geostationary satellite connection is OK. A phone call on one is pretty crappy.

            Gesynchronous orbit is about 30,000 kilometers from Earth. Speed of light is about 300,000 kilometers/second. I can live with a half second latency on a round-trip to the other person and back if that means I don't have to pay long distance charges.

            I don't understand, however, why you need geosynchronous satellites for a

      • Re: (Score:3, Insightful)

        by bemymonkey (1244086)

        Most of the audio issues with VoIP calls end up being caused by end-user misconfiguration (hardware or software).

        Unlike a regular phone connection, you have to deal with a bunch of end-user variables: Different mics and speakers, people sitting 3 feet away from their mics, people trying to use the crappy speakers on their laptop as a speakerphone without any echo- and/or feedback-cancellation other than what's built into the VoIP software (probably even on the server end).

        Just try comparing Skype with lapto

        • by MogNuts (97512)

          Please mod parent up. This is probably the most informative post in this thread.

          Although I have to disagree with you about calling over a cell phone. Maybe your Android phone has a better mic (I have an IPhone). But I find with my 3GS calls sound very unclear for the receiver, and you can't make out most words. When I fire up VoIP on my computer with a headset, however, they sound clearer than a landline amazingly.

          How do you address the issue of a VoIP for the receiver being too loud? It seems the codec is

          • Sounds a bit like the SIP software you're using on the iPhone is to blame. Are there any alternative SIP clients you could try?

            SIPDroid on Android allows you to adjust both Mic and earpiece gain, so volume is not a problem here.

            And obviously the quality of the microphone built into the phone will differ from manufacturer to manufacturer, but I'm not sure I'd believe that Apple is using sub par mics in their iPhones... It's their flagship product, after all.

            • by MogNuts (97512)

              I thought that too. So I tested it on Skype, Fring, and then Acrobits Softphone. All different clients and even different protocols. No luck though.

              The only possibility I can think of is either a sub-par mic on the 3GS (and please Slashdotters I'm not flaming the 3GS here--maybe the reason is simply because the mic is optimized for the cell phone codec and not the higher quality VoIP codecs), or maybe you have noise cancellation on your Android phone and that produces clarity on a codec that takes in more q

      • by Yer Mom (78107)

        People put up with crappy cell phone calls, d ppin ev ry ther s lla le, but complain to high hell when there's the least bit of echo or static on a (non-VoIP) land line.

        Damn right. That echo/static is nerfing my DSL.

    • by v1 (525388) on Sunday October 10, 2010 @07:40PM (#33855230) Homepage Journal

      well maybe not that free, but they certainly do run a racket. It's basically an international Collusion [wikipedia.org] or Price Fixing [wikipedia.org].

      Basically the long distance phone racket is a global Price Fix. Though they don't have any way to combat voip and the increasing options such as skype and telephones tied to cable modems. (we have those here in town... one cable modem provides your house with cable tv, internet, and phone service) Though the phone service I think is still using traditional long distance, but that may change. I suppose it's possible they're working hard behind to scenes to try to keep such digital phone service reliant on their "land lines", even though the calls would be going over the same fibers either way. Kinda funny how the same bits are being priced vastly differently, isn't it?

      I can sell you this nail for two cents. Or would you prefer one of my high-tensile-strength wood adhesion devices for a quarter?

    • by postbigbang (761081) on Sunday October 10, 2010 @07:53PM (#33855288)

      Point to point personal VoIP can be pretty free.

      But then there's the cost of the Internet connection. There's a capex cost of the home router you use, and the cost of the power it uses as well as your 'phone' device, whatever that might be.

      The ISP then has a last mile capital cost, to run a cable to your place or deliver a wireless signal that you can use.

      Then there's the interconnect equipment that's used on the backhaul, landline gateway interconnect costs (capex and opex), the rent for the building, the power, the people, their benefits, the diesel generator if you're lucky. Then there are the returns paid to the people that invested in all of that; taxpayers in some realms, stockholders in others.

      Then there are the costs associated with upstream routing. Maybe there's a SIP server with its incumbent costs, support, programmers, power, and so on.

      The Internet isn't free. Phone costs aren't free. Each has a cost.

      But what happened in the TFA is that people exploited SIP security and found a way to make people's toll avoidance become a nightmare for them. Not free. Not at all.

      • by erroneus (253617) on Sunday October 10, 2010 @08:14PM (#33855386) Homepage

        Did you forget to mention that the exact same networks that are used to router phone calls are the exact same networks that are used to route internet traffic?

        You can dress up the costs of this that and the other and make a "phone bill" look quite justified, but if those costs were really justified, then the cost of access to the internet would be simply astronomical. It isn't.

        Telco profits are higher than ever before and they are, of course, enjoying it. They aren't resting, though... oh no... they are still looking for new and novel ways to screw customers over. As for me? I'm way too savvy to play their game. Sadly, I am among the 0.001% who are... so everyone else gets hosed.

        I recall when voice communications over the internet was young. The telcos were suing everyone who tried it just as the music companies were suing everyone who wrote MP3 software. Well that didn't last long, but the games are all being played just the same.

        So what have we learned? Don't pay for crap you don't have to. Diamonds are worthless. Don't believe me? Try reselling one. New cars are over-priced. Same deal as diamonds only not as profound. Credit cards and credit scores? Debt-financed lifestyle might feel rich, but you aren't saving your money any more and neither is the majority of Americans. Credit scores depend almost entirely on your ability to maintain debt. You could be a billionaire and have a horrible credit score because you pay for everything in cash. Huge misrepresentation in all of that. Long distance phone service? Set up your own network and run your own VoIP -- it's cheaper in the long run. Hell, even now, my company here in the U.S. communicates regularly over voice AND video with our parent company in Japan. We only pay for the network connection and it goes over the internet.

        The reality is that people are too lazy to learn the truth and act on it to change. In the short term, it's great to be smarter than everyone else, but when things go bad, it doesn't matter -- the whole world comes down at once.

        • by Pharmboy (216950) on Sunday October 10, 2010 @09:26PM (#33855664) Journal

          I agree with your logic, but understand that many people ARE dropping the traditional phone companies. I haven't had a land line in a few years, and just switched my office from POTS to Time Warner Biz Cable. Dropping two T1s for data and 12 phones, and picking up two 5/1.5 data lines and 12 phone lines with UNLIMITED nationwide LD (and very low overseas rates) will save our small company $30,000+ this year, and our bill will be the same every month (excepting a small amount of European calls). A direct quote: POTS = $50 line + $15 for rolloever service + usage. TWC costs $39.99 including rollover and LD. We switched a month ago. Our system was down for 10 minutes during the change, and has worked flawlessly ever since.

          Half the people I know (mainly younger) don't have land lines. Mainly small businesses are changing to cable solutions (ours was said to be one of the larger ones). The traditional phone companies are soon to be hurting, give it 2 or 3 years. This is why they are making hay while they can, and expanding into other markets.

          • Half the people I know (mainly younger) don't have land lines.

            Not just young people. We stopped having a land line about 8 years ago - cell phone service became so cheap. Everyone in the family has their own cellphone (cost each: euro0.67 per month, euro0.07 per minute/SMS http://www.dna.fi/en/privatecustomers/mobilecommunication/Subscriptions/Sivut/dnaOnni.aspx [www.dna.fi]). My teenage daughter's phone service was recently upgraded to have 384kbps data (cost: euro2.95 per month, no capacity limit, http://www.dna.fi/webshop/Sivut/Default.aspx [www.dna.fi]). The combined monthly bill for the 4

        • That is not what she said for "diamonds are worthless" comment. :P

        • by RajivSLK (398494)

          You are correct about credit scores. If you have money and don't use credit you don't have a credit rating. But guess what? it doesn't really matter. If you need to finance something simply prepare something called a net worth statement where you list all of your assets. Then go to the bank and they will happy give you loan. Credit ratings are for people with little or no net worth.

          It makes sense. How else do you, as a bank, tell two people both living pay check to pay check apart? One could have a muc

      • by sjames (1099)

        That doesn't come anywhere near explaining it though. If I and someone else have an internet connection, we can talk 24/7 for less than $50/month flat rate each (with plenty of bandwidth left over for other internet uses). The protocols for VoIP are so baroque specifically so they match up with SS7 (spoken by the old POTS network). The only reason they haven't tied to two to make POTS just as cheap is that they don't want to.

        To add to it, MANY of the internet connections are actually nailed up digital voice

        • by postbigbang (761081) on Sunday October 10, 2010 @09:20PM (#33855642)

          True. This is because traditionally, voice and data were two separately tariffed ideas. Landline equipment can be tip/ring or can be DSL VoIP.... or a cable VoIP-- depending on what state and which part of the world you're in.

          QoS and low latency to support voice are a bit different when you use bi-directional telephony on top of data lines. I'm not trying to justify what PTTs and telcos charge here. But voice telephony is different than data telephony and VoIP is different still. Personally, I prefer Skype. But Business Skype is an oxymoron. Those in the business VoIP business range from reasonable to totally sucks. The "free" part of the OP's message is what I have issue with. Data is asynchronous, and voice is isochronous and the two take different equipment and have different historical infrastructure. When voice is data and actually rides over wires in bit frames, it may or may not be part of IP protocols. If it rides over IP as isochronous media, then call quality depends on deterministic routing as well as low fundamental line latency.

          If you use SIP or ENUM/ENUM2, then the additional problems of gateway protection is important and costs money. Don't pay the money or let a fool guard it, and you get $100K surprises.

          • by EdIII (1114411) on Monday October 11, 2010 @02:44AM (#33857032)

            If you use SIP or ENUM/ENUM2, then the additional problems of gateway protection is important and costs money. Don't pay the money or let a fool guard it, and you get $100K surprises.

            You just can't overstate that last part.

            A *huge* amount of VOIP fraud and hacking is against Asterisk based systems.

            Nearly all of the stories I hear are about Asterisk based systems that had their SIP port opened up to the Internet. A lot of those involve Trixbox. Trixbox, is by and large, just like slathering a nice thick layer of stupid and apathy on top of an otherwise really solid system. Please, I am not trolling here. I am no fan of Trixbox, due to how impossible it is to manage or get anything done. It's a really pretty front end for Asterisk, and that is about it. Which is why it is so damned dangerous.

            The problem is how many people are getting really interested in VOIP, but don't have the expertise, training, or initiative to do it correctly. From enthusiasts, to IT departments pressured to cut costs with, "with that whole VOIP thingy I read in a business magazine" from their pointy-haired-bosses, VOIP is getting really hot for a lot of people. VOIP providers are plentiful now and pretty darned easy to setup. Most of the ones I have evaluated ALL have tutorials for setting them up on Asterisk and Trixbox.

            Biggest problem with Trixbox? People go for the free and are not paying the money for the Trixbox support contracts or the professional offerings. To be fair, it is not just Trixbox either... Stuff like PBX in a Flash is just as problematic.

            What we have is a large number of people that using Asterisk based systems (there is not a whole lot of other options out there. YATE is the only one I know of, and the others are based on Asterisk) not being managed correctly .

            When you don't understand the dialplan, concepts behind a dialplan, extensions, SIP security, media, etc. you setup yourself up for a situation very similar to a router with a default password or an email server setup as an open mail relay.

            For me personally, I found Trixbox, PiaF, and others to just not work, and be nearly impossible to configure or customize to do what I wanted to do. As a result, I threw myself into learning as much as possible and started from scratch with a bare metal Asterisk with no configuration files. It took awhile, and I had the Asterisk Bible on me too, but I learned. I think I am in a much better position for it too. Would not call myself an expert yet, but I am not an amateur either.

            90% of this fraud would go away if the people using Asterisk/Trixbox would follow some very basic rules and configure their systems correctly from the start. I have received at least a million attacks on my PBX systems in the last 3-4 months and they never succeed. Mostly because I researched and read about the best ways to defend against it....

            Surprise... by not running a default system open to the internet. Shocking...

            It's really just like you said. Pay the money and don't put somebody inexperienced in a position of responsibility over the VOIP. Unfortunately, when you screw up with VOIP it can very expensive since they can rack your bills up *really* fast.

            • by Sique (173459)

              There are other SIP based VoIP-Systems out there. Cisco Callmanager comes to mind, and OpenScape Voice. Alas both are neither free as in freedom nor free as in beer.

      • by Z00L00K (682162)

        Just make sure that when you set up SIP also add a firewall filter to limit the number of clients able to access the service. Even if you can't dedicate an address it would help a lot to limit the attack possibilities by only opening for a certain subnet into the server.

        And for roaming users a VPN tunnel should be the way to go to be able to access the SIP account.

    • by LBt1st (709520)

      Much like gas prices, cable TV and various other products/services; The prices are high because people continue to pay them.

    • It was probably not the "long distance charges" in this case that rang up the large bill, but rather the types of numbers that were being auto-dialed. Notice that "premium numbers" were mentioned in the article which seems to imply that numbers which incurred additional charges, which phone network operators are required by law to collect and then remit to the owners of the "premium number", are the culprit. Probably some number in Nigeria which costs $20 per minute, or whatever the maximum allowed by law i
    • by Tom (822)

      Which isn't. The real crime is that ISPs have been running a ruinous business model for years, in attempts to drive out competition and gain market share. The prices that are currently everywhere here in Europe are below costs already. Yes I got that info first-hand from the CEO of a large Telco/ISP.

      It's all driven by investors, because "the stock market" (whoever that is) believes that only the first 2-3 (depending on country size) competitors can be profitable. Ironically, this belief is the direct cause

    • Considering how free my internet is..... Thats not very free at all.
    • by arivanov (12034)

      You do not understand the actual setup. I had to help a friend of mine recently (from the USA) who had 500$ clocked on his asterisk in a day or so from his parents VOIP extension in Canada. It is basically a version of the old "porn dialer" scam.

      1. The criminals call high-toll lines (AKA porn numbers) and get a cut back. In order to do that there has to be at least one operator assisting them. In most cases it is the incumbent telco in some god foresaken lawless country in Africa. If the telco, police and t

  • by Anonymous Coward on Sunday October 10, 2010 @07:31PM (#33855190)

    don't use unbounded plans. If your provider doesn't offer hard limits for post-paid plans, choose pre-paid and never put more money into the account than you can afford to lose. Instead of looking out for their customers and telling them when their bill climbs to astronomical heights, telcos will gladly stand by and reap the insane profit. Consumers can only reasonably choose to treat their telco like a kid with a small cash allowance instead of a platinum credit card.

    • by mjwx (966435) on Sunday October 10, 2010 @08:33PM (#33855454)

      don't use unbounded plans. If your provider doesn't offer hard limits for post-paid plans, choose pre-paid and never put more money into the account than you can afford to lose

      G'day mate,

      In Australia we dont have so called "unlimited" plans, for A$99 a month you get 1 TB of data (upload and download) on an ADSL connection. After reaching your data cap your connection is shaped to just above dialup speed (somewhere between 64K and 256K as our Luddite government still defines anything above 56K as broadband). If you want unmetered plans, expect to pay $450+ (+ == plus GST (Goods and Services Tax) which is 10%) for 2 Mbit, if you want 10 Mbit, expect to pay $1400+ for fibre.

      Side note: this is why the NBN at 43 Bn AU$ (26 Bn public money) is an absolute bargain.

      Now that I've clued you in about the sorry state of internet in Australia, the charges are not from downloads but from using the ISP's SIP gateway. Traffic between your router and the ISP's SIP gateway will not be metered by all but the most unscrupulous of telco's in AU. But you still pay a per call charge on VOIP because the ISP is providing a service which costs them money (calls within their network are typically free however). It would be quite easy to rack up hefty bill if you have a script that can call internationally. What the service providers should be doing is this, when a bill reaches a suspicious amount (use $150 as a yardstick for home services) then the ISP notifies the customer, once the bill reaches a second milestone (say $300) the service is suspended (incoming calls only) until the issue is rectified unless the user expressly requests otherwise.

      • by Cimexus (1355033)

        To be fair, 1 TB for $99 ain't bad at all, and much better than the state of affairs in previous years. Keep in mind that in many other countries with 'unlimited' plans, there can be soft caps or fair use agreements that kick in at substantially less than that. Not to mention that throttling/QoSing 'undesirable' traffic types (e.g. torrents) is commonplace on residential-grade unlimited plans in many countries. At least in Australia you get what you pay for and they don't screw around with your packets (the

        • by mjwx (966435)

          . It's very unlikely the NBN or any other technology will see true unlimited plans at rock bottom prices in Australia anytime soon

          Not unlimited, but we'll see a lot of restrictions that come with DSL disappear. What the NBN will bring is a highly reliable network with consistent speeds to over 95% of Australian homes and businesses. This kind of connection is something that is very very expensive at the moment.

          the inescapable fact remains: we are an English speaking country wishing to consume mostly Engli

  • I thought voip was supposed to be cheaper than anything else?

    anyone? how is 11k calls worth a 120k bill?

    • by Trekologer (86619)

      The scam artists typically are pumping traffic to revenue share numbers (think the international equivalent of 1-900 numbers), where they get a cut of the call termination cost. And the revenue share numbers are in countries that many people have never heard of, such as Tuvalu.

  • by OnePumpChump (1560417) on Sunday October 10, 2010 @07:44PM (#33855246)
    Is this stolen VOIP service being resold via phone cards, or what?
    • Re: (Score:3, Informative)

      by bcmm (768152)
      Premium lines run by the scammers, presumably.
      • by Barny (103770)

        Would need to be hosted off-shore, otherwise would be too easy to find them.

  • by dbIII (701233) on Sunday October 10, 2010 @08:14PM (#33855388)
    Some idiots turned up to install a phone system here, and after a Darwin award attempt by sitting their drinks on the UPS they asked for telnet to be open to their system from the internet - and it has no password! They also wanted 5060 open so they could do remote tests.
    • Re: (Score:3, Interesting)

      by Dynedain (141758)

      Same at my office. The provider insisted that we install no firewall or antivirus on their Win2K3 box, and they wanted remote desktop enabled and a public IP. We said hell no. This is sitting behind our firewalls and if you need access, we'll setup some port forwarding pinholes THEN.

  • by Charliemopps (1157495) on Sunday October 10, 2010 @08:57PM (#33855538)
    This happens all the time in the USA as well. Either their voip server is compromised or their PBX... often because they leave the password set to whatever the default was. In some instances I've seen businesses that had proprietary voicemail systems, that had a "feature" in which a user could setup their voicemail to transfer a call to another number. The pin numbers are only 4 digits and they have dozens of users so it's relatively trivial for the attacker to just try random mailboxes until they find one that's got 1111 or 2222 as their pin. Once inside they set the mailbox to forward calls to some international location. Over a weekend a business can rack up $50k-$100k in charges. Most of the charges are international and therefor non-refundable.
  • by mspohr (589790) on Sunday October 10, 2010 @08:58PM (#33855552)

    A Perth business was hit with a $120,000 bill after hackers exploited its VoIP server to place some 11,000 calls over 46 hours last year. ...

    My Skype VOIP would only charge $10.00 for 10,000 calls. These businesses must be really stupid.

    • by Kjella (173770)

      Umm do you think they're doing it just for the phone minutes? They're dialing special numbers that you get billed extra for, so they get $$$. And the ones who take the money just act all innocent "Hacked? Don't know what you're talking about. You call, you pay."

    • by Kalriath (849904)

      Businesses don't use Skype. Period.

      • LOL is the only appropriate response i could think of.
    • by Cimexus (1355033)

      They aren't dialing 'regular' phone numbers. They are dialing premium numbers (you know, those $10/minute or whatever lines). Internationally. The idea being that the scammers themselves are running the premium lines (or at least have some financial interest in them), so they are essentially making free money.

      • by ockegheim (808089)
        Ah, that makes sense... I was thinking someone was spending an inordinate amount of time talking with Auntie Doris. And it also explains why someone might actually call one of those $10/min services.
  • I've seen a lot of posts from know it alls who talk about how Skype is so cheap, and how they can talk to their office in Asia over VoIP for nothing more than the cost of an internet line. Skype and VoIP for internal communications might be great, but they are not suitable for business. Until everyone who you want to sell a product to has a Skype account or a VoIP connection, you need a regular phone line to talk to them. Except for some fringe cases of small businesses that can do everything over email

    • by JohnFluxx (413620)

      I'm a contractor living in the UK and have a customer in Germany and a customer in Finland. I speak to them every single weekday for half an hour (daily scrum..) and do so by skype.

      I use a "real phone" (the N900) and I dial their real phone. My N900 uses the wireless connection in my house to connect to skype. They can even call me since skype gives me a real phone number. I do pay for both services, but it's not very much.

      It's not even hard or complex to setup. The N900 comes with skype built into it.

      • by Bert64 (520050)

        So you pay for a proprietary service? If you start talking to all your clients through skype, what happens if they decide to crank up the prices? By locking yourself into a proprietary service like that you are taking a step backwards.
        They are like BT, only worse, BT are heavily regulated, skype is not... It may be cheap right now, but for how long? It's a classic bait and switch.

        • by JohnFluxx (413620)

          > So you pay for a proprietary service? If you start talking to all your clients through skype, what happens if they decide to crank up the prices?

          Then I switch to a different service? There are various equivalent services that can dial normal phone numbers.

          > By locking yourself into a proprietary service like that you are taking a step backwards.

          I'm not locked in at all. There's absolutely nothing preventing me from switching to a another SIP service or to a BT landline. My clients would not notic

          • by Bert64 (520050)

            You would need to replace your client, change your workflow to accommodate a new client, replace any hardware handsets you had etc.
            Any of your clients that you actually talk to through skype instead of bridging to the PSTN would also need to change.
            You would lose any custom hacks/scripts you've done to the skype client etc.

            And if your just using skype for calls to regular phones you really are missing out, skype typically have much worse rates/packages than most standard sip providers

            I typically have accoun

            • by JohnFluxx (413620)

              > And if your just using skype for calls to regular phones you really are missing out, skype typically have much worse rates/packages than most standard sip providers

              It's good enough though, and simple to setup for my friends and family, and works on linux and windows.

    • I was with you until you referred to Skype as being 'in the playground' You do know that with google voice you can make calls right through the browser right, for free. No need to install anything other then a modern browser.
  • The International Drainage Commission really needs to know.

  • Interesting timing (Score:2, Interesting)

    by Buzzard2501 (834714)
    Yesterday afternoon (and then again at 9pm) I watched an IP from Korea use a dictionary attack against our PABX (Asterisk) located in Australia. It used a standard list of usernames and passwords, and then every extension from 0000 to 9999. While our setup would protects us from any substantial loss (most extensions are setup to allow 1-3 simultaneous calls, premium calls are disabled, and our VoIP billing is pre-paid), Fail2Ban is in the process of being setup.
    • by e9th (652576) <e9th.tupodex@com> on Sunday October 10, 2010 @11:19PM (#33856270)
      By all means use fail2ban. But setting alwaysauthreject=yes in sip.conf will generally stop the attacks faster, and also in cases where they try s-l-o-w-l-y, hoping to slip under fail2ban's radar.

      Setting alwaysauthreject causes asterisk to respond the same way to an invalid peer registration as to a valid one using a bad secret. In other words, the attacker can't get a list of valid extensions for later password cracking attempts. Note that this violates RFC3261, but I'm unaware of anything that it will actually break, and in fact it's the default in asterisk 1.8.
  • I was pulling 60+ login attempts a second for almost the entire month. I had at least 4 separate colleges around the world hammering at my system. I provided log snippets to their abuse depts & got no response, although I did receive an increase in attempts from the tech school in S. Korea.
    • by Albanach (527650)

      I was pulling 60+ login attempts a second for almost the entire month.

      fail2ban is your friend. Simply block their IP after three failed attempts.

      Actually, I think this should become a standard feature for most VoIP software. It's simply too easy to scan for weak passwords.

      When I've seen scans they tend to be numerical too. I wonder if it's worth having honeypot extensions in the low numbers.

      Of course, if you're using asterisk and allow registrations from remote IPs and you have extensions.conf configured t

      • Of course, if you're using asterisk and allow registrations from remote IPs and you have extensions.conf configured to allow calls to international destinations that you're unlikely to call then that's a bit foolhardy.

        Fortunately, it's configured as a dial-in service only. It's a message service & conference room box only.

  • Stop placing calls over the legacy switched telephone number. Instead, make calls directly over the internet itself. It's cheaper that way. You just need to know what "numbers" go to what peer VoIP switch. Eventually, everything can go this way and we have no more "per call" charges.

  • by randallman (605329) on Sunday October 10, 2010 @11:09PM (#33856212)
    So I setup an account that was easy to hack into. It plays back screaming monkey sounds (included with Asterisk) to the caller and records the conversation. Most of the time, the caller is a machine, but a few times I've had a real person on the line and those were interesting.
    • by Bert64 (520050)

      I used to use the asterisk monkey sounds, they even have one which says "something is terribly wrong.. they have been taken away by monkeys"...
      But more recently i've been taking apart soundboards and making a script of some celebrity, if you have someone say helo a few times, ask the caller who they are and what they want they tend to stay on the line a lot longer, even if its borat talking to them.

There are worse things in life than death. Have you ever spent an evening with an insurance salesman? -- Woody Allen

Working...