Nir Simionovich, CEO Greenfield Technologies Ltd
@NirSimionovich

Developer: http://www.github.com/greenfieldtech-nirs
Author: AsteriskNOW, Asterisk AGI Programming
Blogger: http://www.simionovich.com
Father: I have 2 amazing daughters
Security Researcher and Hacker

Facts

Let's get a few facts straightened out.
The Simwood Honeypot network

About 18 months ago, a study conducted by Simwood produced interesting results. The study involved the deployment of multiple honeypots in their network. Each honeypot would report SIP attacks back to a central database. These results can be viewed in raw form at http://mirror.simwood.com/honeypot/
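As an added example (not from the Simwood study or this deck), the Python below shows how a defender might triage records in the form the honeypot database exposes (fields clientip, method, user_agent, dialled, latest, earliest, count): it normalises the dialled string the way the normalised column of the published records does and totals INVITE attempts per destination country code, which is what makes the 972 pattern stand out. The sample rows are constructed from a handful of the published records; the normalisation rule (drop a leading outside-line 9, then leading zeros) is my reading of that column and an assumption, not the study's documented method.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample in the honeypot's field order (values copied from the
# published top-records table; this triage code is not the study's own):
# clientip method user_agent dialled latest earliest count
SAMPLE_RECORDS = """\
5.200.14.140 INVITE VaxSIPUserAgent 258258 1399859382.323963 1399779834.556501 2398
37.8.14.2 INVITE eyeBeam 00972592871997 1409435023.422622 1409434894.821695 1005
77.245.75.218 INVITE eyeBeam 900972548747167 1396816480.853917 1396816454.514624 767
81.94.205.122 INVITE sipcli 000972595108539 1399241711.560072 1398555296.067902 704
195.154.181.28 INVITE sipcli 00972592590896 1402920378.657869 1400604522.779263 583
"""
KNOWN_CC = {"972": "Israel"}  # the only country code the deck discusses

def normalize_dialled(dialled: str) -> str:
    """Reproduce the published normalised 'dialled' column (assumed rule):
    drop a PBX outside-line '9' when it precedes a '0', then trunk and
    international zeros, so 00972..., 900972... and 000972... all become
    972...; short extension probes such as 258258 are returned unchanged."""
    if len(dialled) > 6 and dialled[:2] == "90":
        dialled = dialled[1:]
    return dialled.lstrip("0") or dialled

def parse_records(text: str) -> list:
    recs = []
    for line in text.splitlines():
        ip, method, ua, dialled, latest, earliest, count = line.split()
        latest_f, earliest_f = float(latest), float(earliest)
        recs.append({
            "ip": ip, "method": method, "user_agent": ua,
            "normalized": normalize_dialled(dialled), "count": int(count),
            "latest": datetime.fromtimestamp(latest_f, tz=timezone.utc),
            # INVITEs per minute over the observed window: a crude scan/flood feature
            "rate_per_min": int(count) * 60 / max(latest_f - earliest_f, 1.0),
        })
    return recs

def destination_summary(recs: list) -> Counter:
    """Total attempts per destination country code, or 'extension-probe'
    for dialled strings too short to be an international number."""
    totals = Counter()
    for r in recs:
        n = r["normalized"]
        cc = next((c for c in KNOWN_CC if n.startswith(c) and len(n) >= 10), None)
        totals[f"+{cc}" if cc else "extension-probe"] += r["count"]
    return totals

if __name__ == "__main__":
    print(destination_summary(parse_records(SAMPLE_RECORDS)).most_common())
```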
Data from 23/09/2014, Top 15 Records (latest/earliest are Unix epoch timestamps; the last column is the dialled string normalised to a plain international number)

clientip         method  user_agent       dialled          latest             earliest           count  dialled (normalised)
5.200.14.140     INVITE  VaxSIPUserAgent  258258           1399859382.323963  1399779834.556501  2398   258258
37.8.14.2        INVITE  eyeBeam          00972592871997   1409435023.422622  1409434894.821695  1005   972592871997
77.245.75.218    INVITE  eyeBeam          00972598610074   1396816479.544600  1396816450.489367  934    972598610074
188.161.14.248   INVITE  VaxSIPUserAgent  1011             1386184504.965029  1386184424.547129  892    1011
77.245.75.218    INVITE  eyeBeam          900972548747167  1396816480.853917  1396816454.514624  767    972548747167
175.107.181.25   INVITE  VaxSIPUserAgent  400500600        1399816064.980052  1399816019.412260  758    400500600
81.94.205.122    INVITE  sipcli           00972595108539   1399241123.925033  1398554479.122285  707    972595108539
81.94.205.122    INVITE  sipcli           000972595108539  1399241711.560072  1398555296.067902  704    972595108539
195.154.181.28   INVITE  sipcli           00972595108539   1401635235.106407  1400793716.214106  638    972595108539
62.210.167.126   INVITE  sipcli           00972598779187   1402441694.752727  1401841159.568917  637    972598779187
195.154.181.28   INVITE  sipcli           000972595108539  1401633678.219079  1400794204.202833  624    972595108539
107.150.52.234   INVITE  sipcli           00972592167944   1408455732.586712  1408038629.117835  593    972592167944
107.150.52.234   INVITE  sipcli           000972592167944  1408456180.716562  1408039016.331728  583    972592167944
195.154.181.28   INVITE  sipcli           00972592590896   1402920378.657869  1400604522.779263  583    972592590896
195.154.181.28   INVITE  sipcli           000972592590896  1402921502.136256  1400604946.152949  576    972592590896
195.154.181.176  INVITE  sipcli           00972592167944   1403632675.452118  1402422064.930485  543    972592167944

Can anyone tell me what country code 972 is?
Can anyone tell me what +97259 means?

Vishing (Voice Phishing)

A criminal practice of using social engineering over the telephone system to gain access to private personal and financial information from the public for the purpose of financial reward. Sometimes referred to as 'vishing', the word is a combination of "voice" and phishing. Voice phishing exploits the public's trust in landline telephone services, which have traditionally terminated in physical locations known to the telephone company, and associated with a bill-payer. Voice phishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.
http://en.wikipedia.org/wiki/Voice_phishing

Smishing (SMS Phishing)

In computing, SMS phishing is a form of criminal activity using social engineering techniques. Phishing is the act of attempting to acquire personal information such as passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. SMS (Short Message Service) is the technology used for text messages on cell phones. SMS phishing uses cell phone text messages to deliver the bait to induce people to divulge their personal information. The hook (the method used to actually capture people's information) in the text message may be a website URL, but it has become more common to see a telephone number that connects to an automated voice response system.
http://en.wikipedia.org/wiki/SMS_phishing

Phreaking

Phreaking is a slang term coined to describe the activity of a culture of people who study, experiment with, or explore telecommunication systems, such as equipment and systems connected to public telephone networks. The term phreak is a portmanteau of the words phone and freak, and may also refer to the use of various audio frequencies to manipulate a phone system. Phreak, phreaker, or phone phreak are names used for and by individuals who participate in phreaking.
http://en.wikipedia.org/wiki/Phreaking

A good attack is combined

Recent investigations we've conducted have indicated the following:
- Vishing is used to obtain information about your PBX
- Smishing is used to create a falsified trust between the attacker and the target
- Phreaking is used to investigate your PBX
- Followed by a targeted attack on your PBX to obtain control

Hackers share information

Shodan Sample Output

<?xml version="1.0" encoding="UTF-8"?>
<shodan>
  <summary date="2013-08-06 13:20:52.034972" query="country:IL port:5060 net:213.151.0.0/16" total="1125"/>
  <host country="ISR" ip="213.151.35.76" latitude="31.5" longitude="34.75" port="5060" updated="09.04.2011">
    <data>HTTP/1.0 200 OK
Connection: close
Rimon: RWC_BLOCK
Content-type: text/html
Refresh: 15
Content-Length: 132
Date: Sat, 09 Apr 2011 19:21:38 GMT
Expire: Fri, 08 Apr 2011 10:01:38
Pragma: no-cache
Cache-Control: no-cache
Server: lighttpd/1.4.19

<html><head></head><body><center><b>You are not recognized in the system !!!</b></center><!-- Cdata_cleaner_module --></body></html>
    </data>
  </host>
</shodan>

Is ShodanHQ a hack engine?

- Shodan is not a hack engine
- It is merely an Internet of Things scanner
- If your IP phone or PBX is open on the net, Shodan will find it
- The service is very cheap and easy to operate

Fail2Ban will not protect you

- Fail2Ban can assist in protecting against unwanted SIP traffic
- It cannot protect you from Vishing attacks
- It cannot protect you from a faulty IVR configuration
- It cannot protect you from Voicemail fraud
- It cannot protect you from Call-Divert fraud
- It cannot protect you from internal employee fraud

What can we do?

- Don't be naïve: trusting your firewall is just stupid
- Don't look for a magic solution
- Security is a process, not a tool
- Let's establish a few ground rules:

Contact information

(w) http://www.simionovich.com
(w) http://www.phpari.org
(w) http://www.greenfieldtech.net
(e) nir.simionovich at gmail.com