Asterisk and Vicidial Hacking


Securing SIP Asterisk installations effectively is a “must” today, and by taking a few easy steps you can go a long way towards a more secure phone system.

There are a few easy preventative steps that you can take which will give malicious intruders a much harder time abusing your SIP phone system. Unfortunately, easily obtainable SIP scanners are widely available today and make it much easier to hack into a system. It was not long ago when these attempts were fairly prevalent and some systems were compromised, allowing culprits to make thousands of toll calls at the owner's expense. Since that time awareness of potential SIP vulnerabilities has increased and many installations of Asterisk have been “hardened”, but many others may not have been. For those we recommend the following easy steps, which will make any attempt to exploit an easy target much more difficult and, in most cases, not worth the effort.

5 Steps to securing Asterisk

  • Change default passwords. Certain default passwords that come with Linux, such as root and password, need to be changed to one that is unique and follows good password rules. Others that are part of Asterisk@Home, such as the maint login, should be changed right away as well. Additionally, disable the Alt+F9 access, which bypasses directly to the administration console.
  • Do not use the extension number as the SIP name. While convenience plays a part in making the extension number the same as the SIP entry, this will be the first guess of an attacker.
  • Use strong passwords. Brute force attacks, where large numbers of word or number sequences are tried, have become easier and quicker to launch now that processors are more robust. Make your systems more secure by using long passwords with a combination of letters, numbers, and other symbols, using both upper and lower case.
  • Limit access to SIP authentication. By restricting which IP addresses can access each user in the sip.conf file, you can limit allowable requests to a reasonable set of IP addresses. This can be done by using permit= and deny= in the sip.conf file.
  • Set your system to reject bad authentication requests. An option that will reject non-authenticated requests to valid usernames is alwaysauthreject=yes in the sip.conf file. This option will reject bad authentication requests on valid usernames with the same rejection information as with invalid usernames, denying remote attackers the ability to detect existing extensions with brute-force guessing attacks.
  • Disable International Calling. Most attempts at using a hacked phone system (not only Asterisk) are to make International calls. An easy way to limit liability from fraudulent charges is to have your Phone or SIP provider disable International calling on your account.
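
The sip.conf items in the list above (SIP name, password strength, permit=/deny=, alwaysauthreject) can be checked mechanically. The following audit script is an added example, not part of the original post; the sample configuration, the peer names and the password policy threshold are constructed assumptions.

```python
# Constructed sample sip.conf (not from the original page): one weak peer, one hardened peer.
SAMPLE_SIP_CONF = """\
[general]
alwaysauthreject=no

[1001]                       ; SIP name equals the extension number
host=dynamic
secret=1001

[desk-a7f3k]                 ; non-guessable SIP name
secret=vX9#qLm2!tRz84Gp
host=dynamic
deny=0.0.0.0/0.0.0.0         ; deny everything first...
permit=192.168.10.0/255.255.255.0   ; ...then allow the office LAN
"""

def parse_sip_conf(text):
    """Return {section: [(key, value), ...]}, keeping repeated keys such as permit=."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment in Asterisk configs
        if line.startswith("[") and "]" in line:
            current = sections.setdefault(line[1:line.index("]")], [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current.append((key.strip().lower(), value.strip()))
    return sections

def weak_secret(secret, name):
    # Assumed policy for this example: 12+ characters with lower, upper, digit and symbol.
    mixed = (any(c.islower() for c in secret) and any(c.isupper() for c in secret)
             and any(c.isdigit() for c in secret) and any(not c.isalnum() for c in secret))
    return len(secret) < 12 or secret == name or not mixed

def audit(text):
    """Return (section, finding) pairs for the hardening steps that sip.conf controls."""
    sections, findings = parse_sip_conf(text), []
    if dict(sections.get("general", [])).get("alwaysauthreject", "").lower() != "yes":
        findings.append(("general", "alwaysauthreject is not set to yes"))
    for name, items in sections.items():
        if name == "general":
            continue
        opts = dict(items)
        if name.isdigit():
            findings.append((name, "SIP name is a bare extension number"))
        if weak_secret(opts.get("secret", ""), name):
            findings.append((name, "weak or missing secret"))
        if "deny" not in opts or "permit" not in opts:
            findings.append((name, "no permit=/deny= IP restriction"))
    return findings
```

Running `audit(SAMPLE_SIP_CONF)` flags the `[general]` section and every check on peer `1001`, while `desk-a7f3k` passes cleanly.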

‘Cyber attack war games’ to be staged by UK and US


The UK and US are to carry out “war game” cyber attacks on each other as part of a new joint defence against online criminals.

The first exercise, a staged attack on the financial sector, will take place later this year, Downing Street said.

The “unprecedented” arrangement between the two countries was announced by Prime Minister David Cameron ahead of talks with US President Barack Obama.

The two men discussed a range of other issues, including counter-terrorism.

They are holding a press conference in the Oval Office of The White House after talks lasting about an hour.

Mr Cameron has previously said in relation to cyber attacks that there should be no “means of communication” which “we cannot read”.

He is expected to talk to the US president about getting companies such as Google and Facebook to allow governments to view encrypted messages.

‘Modern threat’

In terms of the planned cyber war games Downing Street said they will aim to improve the flow of information between the US and UK about threats.

No 10 said agents will co-operate in “cyber cells”, involving MI5 and the FBI, and they will be the first the UK has established with another country.

Speaking to BBC political editor Nick Robinson after arriving in Washington on Thursday night for a two-day visit, Mr Cameron said cyber attacks were “one of the big modern threats that we face”.

The first war game will involve the Bank of England and commercial banks, targeting the City of London and Wall Street, and will be followed by “further exercises to test critical national infrastructure”, Downing Street said.

Money will also be made available to train “the next generation” of cyber agents.

Analysis by Gordon Corera, BBC security correspondent

The tensions and confusions over what cyber security means are all too apparent this week.

Is it about defending corporate networks against hostile attackers of the type who targeted Sony? That’s the focus of today’s announcements about war-gaming and threat cells.

Or is it about getting hold of data and communications about terrorists? That seemed to be the focus earlier in the week, with briefings that the visit would focus on getting US companies to be more helpful in providing data to British authorities.

The two are different in focus and it is not yet clear how much progress on the latter the prime minister will make with a president whose relations with the tech sector are already difficult post-Snowden.

There is also some tricky overlap between the two fields, for instance on how far information should be encrypted so it cannot be read or stolen.

Encryption may foil foreign cyber spies but also stymie law enforcement.


The measures come in the wake of the recent hacking of Sony Pictures’ computers and the US military’s Central Command’s Twitter feed, where comments were posted promoting Islamic State (IS) militants.

The cyber attack on Sony Pictures led to data being leaked from its computers exposing emails and personal details about staff and stars.

The hackers, who called themselves #GOP or Guardians of Peace, also threatened cinema chains planning to screen Sony’s satirical North Korea comedy, The Interview, the plot of which involves a bid to assassinate the country’s leader Kim Jong-un.

Sony initially cancelled the film’s release after leading US cinema groups said they would not screen it, a move which Mr Obama later described as “a mistake”.

Mr Obama has said cyber threats were an “urgent and growing danger” and unveiled domestic proposals to strengthen the law.

The UK’s National Audit Office warned in 2013 that a lack of skilled workers was hampering the fight against cyber crime.

Mr Cameron said the UK was already prepared for a cyber attack, saying GCHQ had “massive expertise”, but added more needed to be done.

He said: “We need to be able in extremis to interrupt the contact between terrorists.

“It’s also about protecting people’s data, people’s finances – these attacks can have real consequences to people’s prosperity.”

‘Beef up filters’

The BBC’s technology correspondent Rory Cellan-Jones said there had been a lot of concern over Mr Cameron’s inference that governments should be able to view encrypted data.

He said not only were civil rights groups worried, but major players in the technology industry said banning encrypted messages could harm British trade if UK companies were seen to be not private.

Our correspondent also told BBC Radio 4’s Today programme that smaller social networking sites were just as well used by potential hackers as the well-known ones.

He said he had found an example of an exchange on the site Ask.fm which appeared to be from an IS fighter asking another user which country he should go to for weapons training.

In relation to the site being used for this type of communication Doug Leeds, the chief executive of Ask.com, which owns Ask.fm, said: “We have taken some action, and we’re looking to take more, what we have done so far is beef up our filters to try and look for patterns that would suggest that this is going on.”

Howard Schmidt, a former eBay and Microsoft executive, told the BBC attitudes around privacy and the right to encrypt personal data were still hotly debated in the US in light of the revelations disclosed by fugitive US intelligence leaker Edward Snowden.

Among other things, Snowden’s leaks detailed the National Security Agency’s practice of harvesting data on millions of telephone calls made in the US and around the world, and revealed the CIA intelligence agency had snooped on foreign leaders.

A recent report by GCHQ, the UK government’s communications security agency, on the issue of cyber attacks said that more than 80% of large UK companies experienced some form of security breach in 2014, and attacks were on the rise.

 
