Security Manager's Journal: Thousands of dollars in phone calls? Management hates that.

As a security manager, I expect my company to be hit by malware infestations, data theft, denial-of-service attacks and attempts at unauthorized access. I deal with them all as they arise, and they do keep things interesting.

Trouble Ticket

At issue: The company has been charged thousands of dollars for calls to Latin America.

Action plan: Find out how the telephony gateway was compromised, seal it and recoup the losses.

But some incidents get attention not just from me, but also from management. Those tend to be incidents that result in the direct loss of either money or extremely sensitive data. Naturally, those are the types of incidents that I most want to prevent, interesting or not. And things quickly go from interesting to frustrating when you get hit with the same type of security event resulting in dollar loss several times in one year.

Last week, a financial analyst who processes payments for the IT department told me she had received an alert from our telecommunications provider that several thousand dollars in charges for phone calls to Costa Rica, Bolivia and Colombia had been racked up in less than a day. Since we don't typically do business in any of those countries or place several thousand dollars' worth of international calls in less than 12 hours, some sort of breach seemed likely.

But how? Just a few months ago, our phone system had been compromised, and my team had spent weeks working with our in-house telco department on finalizing and deploying a secure configuration to our IP telephony gateways. I had complete confidence in our gateways' security. So what had happened?

When I talked to our telco manager about the latest batch of long-distance charges, he had a dawning suspicion of what might have happened. And a little bit of digging proved his suspicion to be correct.

A contractor had been working on a new videoconferencing infrastructure, including a server residing in our DMZ for handling video calls to and from remote locations. People from our company had provided oversight. The architecture review board had held several sessions with the vendor to ensure that it was following a secure policy and configuration. The vendor's compliance had been verified several times during the deployment. Nonetheless, a review of the current configuration of the videoconferencing server (VCS) showed that the consultant had made a configuration change, opening up port 5060 (Session Initiation Protocol) and other control ports to the Internet, with no authentication required.

We Will Not Accept the Charges

We had the consultant immediately close off the vulnerability to prevent any new unauthorized calls. Then we began sniffing the network connection to the VCS and looking at its connection state table. And what do you know: We discovered hundreds of connection attempts from servers in places that included Costa Rica, Bolivia and Colombia.

Clearly, while our telephony gateway sat naked on the Internet, someone had scanned our IP address space (an activity that we have found to be constant) and discovered the open port. It was a simple matter after that for that person to point his own IP gateway to our infrastructure and route calls through us. Such activities can be profitable. They can be done with free, open-source PBX software such as Asterisk or SIP Witch. Once an open and unauthenticated port has been found, the bad guys can either sell the discovery to others, who can then make a free connection, or sell discounted minutes.
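The review described above, of connection attempts to the VCS from unexpected countries, can be turned into a repeatable check. The script below is an added example and is not the column's or the telco department's own tooling: it parses a constructed gateway log (the key=value line layout is hypothetical, as are the example.com host and the source addresses), treats the RFC 1918 ranges as the assumed corporate address space, and reports every unauthenticated INVITE that arrives from outside that space and dials an international number, grouped by source address and destination country. The country codes for Costa Rica, Bolivia and Colombia are the real E.164 values.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample gateway log (not from the article). The line format is a
# hypothetical key=value layout chosen for this example; real SIP gateway logs
# differ, so parse_line() is the only piece that needs adapting.
SAMPLE_LOG = """\
2013-01-14T02:11:03Z src=203.0.113.45 method=INVITE uri=sip:0115064213344@vcs.example.com auth=none
2013-01-14T02:11:05Z src=203.0.113.45 method=INVITE uri=sip:0115067778899@vcs.example.com auth=none
2013-01-14T02:12:40Z src=198.51.100.7 method=OPTIONS uri=sip:vcs.example.com auth=none
2013-01-14T02:12:41Z src=198.51.100.7 method=INVITE uri=sip:0115913344556@vcs.example.com auth=none
2013-01-14T02:13:01Z src=10.20.30.40 method=INVITE uri=sip:5551212@vcs.example.com auth=digest
2013-01-14T02:14:02Z src=203.0.113.45 method=INVITE uri=sip:0115712233445@vcs.example.com auth=none
2013-01-14T02:15:10Z src=10.20.30.41 method=INVITE uri=sip:01144207946000@vcs.example.com auth=digest
"""

# Assumed corporate address space; anything outside it counts as "the Internet".
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# E.164 country codes (real values) for the destinations the column names, plus
# one control entry. Longest-prefix matching below keeps "57" from shadowing "506".
COUNTRY_CODES = {"506": "Costa Rica", "591": "Bolivia", "57": "Colombia", "44": "United Kingdom"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>\S+) uri=(?P<uri>\S+) auth=(?P<auth>\S+)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_internal(ip):
    """True if the address falls inside the assumed corporate ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def dialed_country(uri):
    """Map the user part of a SIP URI to a country name for international numbers.

    Returns None for extensions and domestic numbers, and 'unknown' when the number
    is international but its country code is not in COUNTRY_CODES.
    """
    m = re.match(r"sip:(\+?\d+)@", uri)
    if not m:
        return None
    number = m.group(1)
    if number.startswith("+"):          # E.164 form
        number = number[1:]
    elif number.startswith("011"):      # North American international dialing prefix
        number = number[3:]
    else:                               # extension or domestic number
        return None
    for code in sorted(COUNTRY_CODES, key=len, reverse=True):
        if number.startswith(code):
            return COUNTRY_CODES[code]
    return "unknown"


def find_toll_fraud(log_text):
    """Group unauthenticated international INVITEs from external sources by source IP.

    Returns {source_ip: Counter({country: attempts})}. Authenticated calls and calls
    from internal addresses are ignored, and OPTIONS probes are not calls.
    """
    findings = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "INVITE" or rec["auth"] != "none":
            continue
        if is_internal(rec["src"]):
            continue
        country = dialed_country(rec["uri"])
        if country is None:
            continue
        findings[rec["src"]][country] += 1
    return dict(findings)


if __name__ == "__main__":
    for src, countries in find_toll_fraud(SAMPLE_LOG).items():
        print(src, dict(countries))
```

Run against the sample, the two external sources are reported with their per-country attempt counts, while the authenticated calls from the 10.0.0.0/8 addresses produce nothing. The same filter, applied to live gateway logs on a short schedule, would have raised the alarm hours before the telco provider's billing alert did.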

So we were able to plug a hole that had cost us several thousand dollars, but management wouldn't really be happy unless we could recoup those losses. Our telco provider wasn't encouraging. It said our losses didn't justify the resources necessary to conduct an investigation and a hunt for the bad guys. The consultant, on the other hand, has acknowledged its error and has promised to reimburse us.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at
