Security Manager's Journal: Hackers phone home -- on our dime

Someone is making calls costing thousands of dollars via the IP telephony setup in a small European office.

Trouble Ticket

At issue: A small office in Europe discovers that someone has hacked its IP telephony router.

Action plan: Update the operating system to prevent toll fraud, and assess the IP telephony setups at offices around the world.

It's been a while since we've had a security breach worth mentioning (that we know of). Last week we had one, and it was an eye-opener.

A small development office in Western Europe was informed by the local telephone company that a high number of calls were being made from the office's IP telephony setup to a Middle Eastern country. When we looked into it, we found that in just 15 days, over $30,000 in calls had been made to several Middle Eastern countries, as well as Russia, China and a couple of Central American nations.

I immediately told the folks in the European office to have the phone company block the suspect call locations, file a police report and send me the complete running configuration from the router.

The office in question came to us through an acquisition about four years ago, well before my arrival. Apparently, the acquired company had just purchased new equipment, including a Cisco router used as a voice gateway for communicating with several other offices around the world. After the acquisition, we retained the Cisco routers, since we use IP telephony extensively.

When the configuration report arrived, I gave it to my security analysts and a few colleagues who are familiar with the secure configuration of Cisco phone gateways. As suspected, an early version of Cisco's IOS software was running on this router, and it had no toll-fraud prevention configuration. Since the router wasn't properly locked down, an outside caller could connect to our phone gateway on TCP 5060 (the SIP signaling port), obtain a dial tone and make calls.

Unfortunately, it wasn't just a lone hacker who was making calls on our system. The call setup logs had captured IP addresses from around the world, suggesting that the hacker had shared our vulnerability with hundreds of people. While we can't know for sure, it would seem that our configuration was either sold or traded on the black market.

Having diagnosed the problem, we set out to rectify it. We scheduled a change control to have the router upgraded to the most current supported version of IOS, which includes toll-fraud prevention features, and then configured the router to prevent this and other forms of toll fraud.
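As an added illustration (not the column's own configuration, which the author does not reproduce), the following Cisco IOS fragments show the kind of gateway hardening the fix above describes: the weak state in which any source may set up a call, beside a hardened state that restricts call setup to known peers, drops SIP signaling from everyone else at the interface, and closes the two-stage dialing path. The addresses 192.0.2.10 and 198.51.100.0/24 are placeholder documentation addresses standing in for the other offices' gateways and call manager, the interface name and port numbers are assumed, and the `ip address trusted` commands are the toll-fraud prevention feature introduced in IOS 15.1(2)T, so check the exact syntax against the release you upgrade to.

```cisco
! --- Weak (pre-fix) state: nothing limits who may originate a call ---
voice service voip
 no ip address trusted authenticate
!
! --- Hardened state after the IOS upgrade ---
! Only listed sources may set up VoIP calls; everyone else is rejected.
voice service voip
 ip address trusted list
  ipv4 192.0.2.10 255.255.255.255
  ipv4 198.51.100.0 255.255.255.0
 ip address trusted authenticate
 ip address trusted call-block cause call-reject
!
! Second layer: drop SIP signaling from untrusted sources on the WAN
! interface. Logged denies are your early warning of scanning or fraud
! attempts, and are worth forwarding to the SIEM.
ip access-list extended VOIP-IN
 permit udp host 192.0.2.10 any eq 5060
 permit tcp host 192.0.2.10 any eq 5060
 permit udp 198.51.100.0 0.0.0.255 any eq 5060
 permit tcp 198.51.100.0 0.0.0.255 any eq 5060
 deny udp any any eq 5060 log
 deny tcp any any eq 5060 log
 permit ip any any
!
! Assumed WAN-facing interface
interface GigabitEthernet0/0
 ip access-group VOIP-IN in
!
! Close the two-stage dialing path: no secondary dial tone on the PSTN
! port, and require the called number to arrive with the call (DID) so
! an inbound caller is never handed a dial tone to dial out with.
voice-port 0/0/0
 no secondary dialtone
!
dial-peer voice 100 pots
 incoming called-number .
 direct-inward-dial
 port 0/0/0
```

After applying the change, `show run | section voice service voip` and `show ip access-lists VOIP-IN` confirm the trusted list is active and show how many untrusted SIP attempts the ACL is already catching.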

Next, we took the lessons learned from this one office and applied them to our locations worldwide. We conducted an assessment of all of our Cisco call gateways to determine if any of them were susceptible. Sure enough, three other small offices in Europe and one office in Austin were running vulnerable versions of IOS. (Coincidentally, all of the offices had come to us in various acquisitions over the past three to four years.)

Some Relief

We are fully cooperating with law enforcement and the phone company, and as a result, we may actually be granted some relief from the $30,000 bill.

But this incident has spurred me to further action. I plan to use some of my quarterly budget for vulnerability assessments and penetration testing by hiring a reputable organization to conduct a complete assessment of our global IP telephony environment -- everything from phones and the call manager to Unity messaging and the underlying network equipment that enables IP telephony.

And because we acquired so many of these vulnerabilities, I am going to update my M&A playbook to emphasize the need to assess any IP telephony infrastructure we inherit. One final precaution we are taking is to evaluate our options for correlating Cisco call log data and other relevant logs within our recently purchased security incident and event management tool.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at mathias_thurman@yahoo.com.
