Information security largely focuses on data communications, and voice is often ignored. Every successful hack or extortion has a phone involved somewhere in the process, but in most cases the phone is a silent and overlooked component in the forensics. The hacking of telecommunications is usually termed phreaking as opposed to the more common term, hacking, which is related to data systems. An extraordinary culture has developed around phreaks, whereby they are treated with less severe persecution as hackers. As an example, Steve Jobs, is a revered business leader but Kevin Mitnick is a hacker. However, Jobs participated in dubious activities that were no less serious than Mitnick's contraventions. Society lets the guy who abuses a phone off the hook, but alternatively want to lock the hacker up and throw away the key. Neither activity should be condoned and both should be treated with equal disdain.An impression exists that phreaking is an activity of a bygone age. This is not true and it continues, even more intensely to this day! The ignorance is bliss to such an extent that the forensics pertaining to the actual commercial losses related to phone fraud are not readily available. Many companies have been unknown victims of fraud by phreaks, and the service providers have billed these companies without any further due diligence. The company pays, the service provider receives revenue and the phreak walks the street freely.
Many companies do not secure their voice and almost all voice systems are inherently insecure. There are very few voice systems that are authenticated even at a rudimentary level. Companies need to establish their own voice security measures as service provider and regulator measures are lacking.
The reasons is that people and regulators are ignorant and in transient. Take for example, Caller ID Spoofing. This is a malicious action by an individual but it has not yet been criminalized. People who spoof caller IDs are crooks and companies who supply the service are the equivalence of technology brothels, pimping illicit services.
Many companies and individuals also withhold caller ID. When I see a withheld caller ID, I often ignore it. Withheld caller ID should go into a holding pattern DMZ and not permitted to use direct inward dial. A company that programs it's systems or PBX to withhold caller ID is up to no good. The motives for this type of configuration are highly questionable!
Caller ID like IP addresses would form the basis of any voice firewalling. Most hijacked phone calls made by phreaks in this neck of the Kalahari are made to Cuba, Nigeria, India, Russia and Pakistan, so a voice firewall would stop this in its tracks. The voice firewall, like a data firewall would as default deny all traffic. Based on originating caller ID and destination called ID a rule would permit the call. The rule could be granular to country, network, city, company or individual destination number! In would also be possible to group calls into categories, i.e. internal, external, business, emergency, personal, mobile, residential, etc. In addition rules can be defined around call type, i.e. voice, modem, fax, and IVR (via DTMF).
Many voice vendors ship their equipment with shoddy security. The defaults are well know and no forced process exists for an installer to change these defaults when taking a system live. This problem exists with all manner of PBXs, modems, voice gateways, video conferencing equipment, IVRs and voice mail systems. Ironically, you will find many companies with large investments in data security systems and nothing in voice security systems. In actual fact, I doubt that any vendor, especially the 800 pound gorillas have put any research or effort into voice security. Often their investment in data security is put forward as their offering which is inappropriate.
Not only is the equipment vulnerable but the processes are flawed. The three blind mice, highlighted service provider process flaws but I doubt that to this day any lessons have been learned and the exploits continue on a daily basis. Mitnick make the point about social engineering, and just as we have the ability to use voice firewalls as described above, we can also have voice IDS/IPS. There are social engineering signatures and phreaking profiles that can be created and triggered via scanning mechanisms. Such as:
- Profiling: A voice IPS would use speaker recognition to associate profiles to phone numbers. A profile not associated with a valid phone number raises an alert.
- Voice filtering: A phone call that that is made to an invalid phone location is either blocked, or goes into a queue where a password/pin is required to proceed. (similar to url filtering for the web).
- War or demon dialing: When the system detects sequential dialing from a common phone location, then that location is blocked.
- Vulnerability signatures: Similar to antivirus signatures the system detects any sequence of activity that attempts to exploit a known vulnerability and blocks the phone location. This includes the use of known equipment default passwords or a sequence of known DTMF vulnerabilities.
- Spikes: If a level of activity occurs to resource, e.g. voice mail system, that is above the normal mean an alert is raised.
The level of sophistication in the above mentioned approach will allow companies to nail insider or rogue traders and call centre leaks. The reason is that there are detectable patterns around phone calls, transactions and emails (including IM) when fraud is being committed. These patterns become visible when viewed together, but are not identifiable when investigated in isolation. These patterns can be predefined to trigger alerts when they happen. A truly unified threat management solution would have stopped Jerome Kerviel of Société Générale in his tracks, as well as being able to prevent the loss of many credit card leaks.
* I wonder how much of this the CIA does - like in the movie "Zero Dark Thirty" - with tradecraft.
Comments
Post a Comment