back to article IP telephony biz VoIPtalk quietly admits to possible data breach

UK-based IP Telephony service VoIPtalk warned customers of a potential data breach over the weekend. The firm has implemented tighter security controls and advised customers to change their passwords in response to the suspected hacker incident, which is still under investigation. In a notice (re-posted on a VoIP user forum …

  1. Voland's right hand Silver badge

    Most importantly, they implemented a SP side blacklist

    They also implemented a provider side blacklist. So you can blacklist most destinations which run the "charging endpoint" of a VOIP scam.

    The way VOIP scams work nowdays is - the scammer registers a toll number in a "friendly" country like Maldives, Nigeria, etc. It searches for PBXes exposed to the internet, then sets as many calls as they can to the number they have created in a "friendly country".

    A SP side blacklist drops this dead. If your provider does not have it, I would suggest blacklisting anything except "well known" destination countries/regions for all international calls. Thankfully, the number system is somewhat hierarchical so blacklisting anything that starts with 4,5,6,7,8 and 9 goes a very long way.

    One thing I have noted is that while automated scans are done by botnets, if they return something weird, it notifies a human which runs a more extensive break-in attempt. These do not even try to conceal their IPs and the sources where they come from are usually in "interesting" locations around the Middle East. So you can make your own guesses what will the money leached off your PBX used for.

    1. Anonymous Coward
      Anonymous Coward

      Re: Most importantly, they implemented a SP side blacklist

      "Thankfully, the number system is somewhat hierarchical so blacklisting anything that starts with 4,5,6,7,8"

      4 would drop dead a large chunk of Europe.

    2. jason_n

      Re: Most importantly, they implemented a SP side blacklist

      Asterisk based security system apply lots more rules than that to detect hacking. For example, geographic location of the source IP address, rate at which calls are attempted, checking dialed numbers against a known fraudulent number database, etc. Carriers and ITSP's use something like SecData to monitor every call setup attempt. (same as SecAst integrated with an on-premise Asterisk PBX).

  2. Warm Braw

    On attempting to access my SIP details, I was prompted to create a new password of " Up to 10 characters, no less then 9". That seems curiously specific.

    Personally, I would never use VoIP with an unlimited credit billing system - the potential for abuse is just too high for my comfort level. I even have a fairly low monthly limit on the amount I can be charged for landline calls in case someone manages to hop through to it via SIP. Unfortunately, businesses can't often afford to be quite so paranoid.

    1. John Brown (no body) Silver badge

      "I was prompted to create a new password of " Up to 10 characters, no less then 9". That seems curiously specific."

      Most likely it's an "old" password system with a maximum of 10 characters as specified, but the minimum probably defaulted to 6 in the past and now they are trying to mitigate against quickly brute forced short passwords and setting the minimum to 9 is a simple and instant fix that even a PHB could implement. Enforcing or even allowing longer than 10 char passwords probably needs a lot more than a simple boundary limit change on the data entry form so you end up with an apparently highly specific range. They probably can't even set the minimum to 10 because there's probably a MIN<MAX test in the logic.

    2. FrogsAndChips Silver badge

      I'm with them and using one of their fixed-price packages, for a 1000-minute credit of landline calls (UK + some international). Everything else (mobiles, premium rate numbers, non-included countries) would be chargeable, but I've never credited my balance, so any attempt to call these numbers is rejected. At worst, someone who could break into my account would siphon my monthly allowance, but not incur extra costs.

  3. Zap

    I got email warning me of incident then one for each account that appeared insecure, I have about 12 numbers with them. Worst case for me is they use a few pounds credit on each account.

    I suppose we will get calls telling us they are Microsoft and they have a fix for our windows!

    I use Twilio to route calls to VoIP I have my CLI so I only answer the numbers I know.

    I have same policy on iPhone, if I know you I answer otherwise you can speak to my secretary on voicemail. I look up numbers I do not know and block them if they come up on Google as PPI etc.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon