Security in a VoIP World

“…you can be a bit paranoid about your security. As long as you are able to send and receive your calls there is nothing wrong with being too secure.”

We would like to follow up our introductory article with advice on one of our top three issues relating to VoIP: Security. We will continue later with articles on Quality and Choice. With this article we will bring to light a few points regarding SIP (Session Initiation Protocol) and VoIP (Voice over IP), general online security, and basic security practices that will help protect and secure your Callcentric service and your privacy.

We will restate some of the points mentioned on our security advisement page as well as points from industry experts and our own personal experiences. We will follow a category based format and will explain each point as it relates to you and VoIP. We will also include resources to help better improve your security. If we missed anything or if there are comments about practices or any other points which may be relevant we would be happy to know about them.

PASSWORD SECURITY

You would not leave the front door to your house open in the middle of the night, correct? A weak password used with your online accounts is analogous to a house with a front door left open to all. The use of weak passwords affects not just your VoIP account but could also leave your overall privacy up for grabs. According to a Symantec security article by Sarah Granger:

“…passwords are often the first (and possibly only) defense against intrusion (MacGregor). They protect personal information – information we don’t want anyone and everyone to know.”

Passwords are not just a cumbersome extra step to logging into the services and tools you use. A strong password increases the protection of your private information.

To create a strong password you will want something containing both letters and numbers with a minimum of 7 characters. A quick and effective way to acquire a unique password for your various accounts is to use a random password generator such as the one on http://www.random.org. You can also see from this Google page that we’re not the only ones concerned with password security.

Going further, you can use multiple passwords for the services you use online. We recommend that you not use the same password for your VoIP account as you would for your email account or other accounts. The idea here is to give yourself diversity. Diversified security begins protecting you immediately, and in the long run can protect more than just your Callcentric and Facebook accounts. At Callcentric we exemplify this process by allowing you to use two different passwords: one for your SIP login and one for your Web login. If you don’t already have different passwords then take this opportunity to make changes!

Having multiple passwords can be cumbersome, so you may consider password manager software/tools such as LastPass or KeePass. A post on lifehacker.com provides some other options.

A single password to protect them all is something we would all love to have. However the truth is that with so many services and options becoming available to us, the password is our first line of defense against invasion of privacy. But don’t be scared. If you follow the advice in this first point you are already on the way to protecting yourself better than most!

NETWORK AND COMPUTER SECURITY

“…be careful with torrents, software, movies and more acquired for “free”… downloading software, music, movies and more from questionable sources leaves you at a bigger risk.”

Some users understand that network security may consist of firewalls, port sentries, log watchers, alerts and countless other lockdown techniques. Some of these may be excessive; however you should remember that even the most security conscious people and organizations are constantly adapting their practices.

First, firewalls and port management tools are absolutely necessary and generally painless to set up. It would be foolish to have your firewall disabled or to not take advantage of port blocking. Routers today come with built-in firewalls and other advanced options. When configuring your network and router make sure that all incoming traffic is blocked by default and only traffic triggered from inside the network is allowed. If you are not hosting a server on your network do not leave common ports such as HTTP:80, TELNET:23, FTP:21…etc enabled. The idea is to minimize your presence on the internet. For the purpose of VoIP, specifically SIP, you will want to use a port other than the default SIP 5060-5080 port range. You can achieve this by port forwarding or simply by enabling the random port feature if your UA (User Agent)/software or hardware supports it.

Second, do the same on the machines connected to your network. Sometimes the threat comes from inside the network in the form of a trojan/virus which has infected a local machine. This brings up the point of virus and malware scanning. If you use Windows then install the MSE (Microsoft Security Essentials) add-on. You can also run other security scanners in the background such as MalwareBytes, AVG and Avira. Don’t overload your system but make sure to have at least two of these available to you at any time.

Third, be careful with torrents, software, movies and more acquired for “free”. Your system can definitely be attacked through legitimately paid-for software, via rootkits, trojans and others; however downloading software, music, movies and more from questionable sources leaves you at a bigger risk. Be sure to disable any BitTorrent clients after you are done downloading your latest Linux distro and make sure to scan downloaded executables before installing them. The idea here is to be proactive about your security. Blindly downloading and installing any and everything can lead to major problems.

At Callcentric we have come across scenarios where account information was compromised on the user end. In the majority of the cases there was a trojan or keylogger on the compromised machine which acquired the password for the email account. From there attackers were able to log in to the email accounts. Not surprisingly, the password used for email was the same password used to log in to their Callcentric accounts as well as their SIP accounts. So take our advice: perform a security audit on your network and make sure you have secured yourself as best you can.

SPECIAL CONSIDERATIONS

The processing power available today is definitely overwhelming. A cellphone can push almost as many polygons as a PS3. Not only that, one can download software in the blink of an eye and even run a business at home on a high capacity connection. With all of this freedom and capability comes the incentive to become a master of all trades. The simplest way a VoIP user can get into this situation is by configuring their own IP PBX (Internet Protocol Private Branch Exchange). Whenever you call a toll-free number and hear a menu it’s delivered through a PBX, possibly an IP PBX. There are many such solutions available for SIP:

  • Asterisk and its various flavors (FreePBX, Trixbox, Switchvox and others)
  • Grandstream GXE
  • Cisco SPA9000
  • snom One
  • 3CX
  • Voicent
  • …and more

The simplicity of these solutions allows users to configure extensions, departments, business hours, family hours and more in a relatively short time. While the feature sets can be incredible, so can the consequences of poor security. Most users use the default configurations, including default passwords. This is simply poor security and leaves you open to a successful attack. If you don’t believe us, search online for some ardent advice, such as from makeitsecure.org:

“The main risk to organisations [and individuals] is financial; the owner of the phone system will receive a bill for all calls that are made using their phones lines. This can add up to tens of thousands of [dollars] if unauthorised use goes undetected for even a few days.”

Take the following recommendations seriously and secure your PBX, as we have seen many users fall into the “noob security” trap:

*As we mention in our security guide, some of this information may be advanced for some users; however performing at least five of the below points can help improve your security.

Level: Network

  • Use firewalls to secure the system locally by limiting access for the services you actually need to run on your system
  • Block ports at the gateway/router level to provide extra security for your network
  • Check your running services and disable any unneeded services. For example, if you do not need an FTP server you may want to disable it. Block these services using xinetd.conf or inetd.conf, Control Panel or System Preferences

Level: Operating System/User

  • Use port security options, such as fail2ban, portsentry, portmap…etc to secure local ports and monitor for unwanted traffic
  • Properly secure ssh, ftp and/or telnet services to prevent unwanted access
  • Make sure the sudo command allows access to only the necessary users. This is done in the /etc/sudoers file on most unix systems
  • Make sure that the root/Super Administrator account is secured and if necessary is disabled in favor of a user who can use the sudo command or escalated privileges. Using a secure password is also recommended

Level: PBX/Software

  • Do not use the default extensions. In other words, do not use 100, 101, 102, 103. Try using numbers or names in a different range to decrease the possibility of drive-by attacks
  • Make sure that local extensions on your PBX have secured passwords to prevent easy access
  • Keep up to date with your PBX version. Security vulnerabilities are constantly being resolved. Update at least once a month if possible
  • Keep backups of your configuration

If you are curious as to why so many points are necessary, take into consideration the experience of a Callcentric employee who ran Asterisk behind a router with port forwarding and relatively insecure passwords. Other support personnel noticed peculiar calling activity from this employee’s PBX and immediately flagged the account. It turns out that due to a vulnerability in Asterisk 1.6.2 attackers were able to send calls through the PBX without much hassle. Luckily this employee had fail2ban which caught some of the attacks, blocked IPs and helped to prevent any major damage.
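To show what the fail2ban-style monitoring mentioned under Level: Operating System/User actually does on a PBX like the one in this story, here is an added Python example (not fail2ban's own code and not from the article) that applies fail2ban's maxretry/findtime idea to failed SIP registrations in an Asterisk log. The log excerpt is constructed, with 198.51.100.7 standing in for a remote scanner trying the default extensions and 192.168.1.20 for a local phone that mistyped its password once.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Asterisk "full" log excerpt (not from the article): one local phone
# failing once, and one remote host walking the default extensions 100-104.
SAMPLE_LOG = """\
[2010-05-12 10:23:45] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@203.0.113.10>' failed for '198.51.100.7' - Wrong password
[2010-05-12 10:23:46] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@203.0.113.10>' failed for '198.51.100.7' - No matching peer found
[2010-05-12 10:23:46] NOTICE[1234] chan_sip.c: Registration from '"102" <sip:102@203.0.113.10>' failed for '198.51.100.7' - No matching peer found
[2010-05-12 10:23:47] NOTICE[1234] chan_sip.c: Registration from '"103" <sip:103@203.0.113.10>' failed for '198.51.100.7' - No matching peer found
[2010-05-12 10:24:01] NOTICE[1234] chan_sip.c: Registration from '"frontdesk" <sip:frontdesk@203.0.113.10>' failed for '192.168.1.20' - Wrong password
[2010-05-12 10:24:10] NOTICE[1234] chan_sip.c: Registration from '"104" <sip:104@203.0.113.10>' failed for '198.51.100.7:5060' - Wrong password
"""

# Same shape as a fail2ban asterisk filter: timestamp, then the failing source
# (newer Asterisk releases append :port to the address, so it is optional here).
FAILED_REG = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*?' failed for '(?P<ip>[0-9.]+)(?::\d+)?' - "
    r"(?P<reason>Wrong password|No matching peer found|Username/auth name mismatch)"
)

def parse_failures(log_text):
    # Yield (timestamp, source ip, reason) for each failed registration line.
    for line in log_text.splitlines():
        m = FAILED_REG.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["reason"]

def find_offenders(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    # Return {ip: failure count} for sources reaching maxretry failures inside
    # a sliding findtime window, which is how fail2ban decides to ban a source.
    recent, offenders = defaultdict(list), {}
    for ts, ip, _reason in parse_failures(log_text):
        window = [t for t in recent[ip] if ts - t <= findtime] + [ts]
        recent[ip] = window
        if len(window) >= maxretry:
            offenders[ip] = max(offenders.get(ip, 0), len(window))
    return offenders

if __name__ == "__main__":
    for ip, count in find_offenders(SAMPLE_LOG).items():
        print(f"ban candidate {ip}: {count} failed registrations")
```

The single local mistake never reaches the threshold, while the scanner is flagged on its third failure; fail2ban would then add the firewall rule that blocks it.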

In short, you can be a bit paranoid about your security. As long as you are able to send and receive your calls there is nothing wrong with being too secure. If you’re a one-man shop, simply try to keep up to date with firmware and software releases. An audit every few months can help you immensely.

CALLCENTRIC TOOLS

Finally at your account level we provide you with tools to assist in preventing fraud and securing your account. We are constantly monitoring our network and are seeing very ingenious methods used by hackers. We adapt and try to stay on top of our game with logical and usable security features on our end and on the end user side:

Calling Destinations

Limit the locations you are allowed to call. For example there’s no reason to allow calling to anywhere else in the world if you only call the US. Or if you only call to the UK you can allow calling only to the UK. This simple yet powerful feature allows you to further protect your account from unsolicited calls even if your network gets compromised. Check out your My Callcentric preferences for the full list to enable specific calling destinations.

Auto Recharge

Limit the amount you are allowed to charge to your credit card per month. This option has greatly reduced the risk of fraud with our clients and allows them to be alerted whenever there is suspicious financial activity on their accounts. Use this tool to your advantage and help prevent such possible fraud.

Email Alerts

We send email alerts for various activities on your account. Do not simply send all Callcentric email to spam or the trash. Instead categorize them in a special folder and look out for password changes, low balance alerts, auto recharge alerts and any other activity which may indicate suspicious behavior.

Support

This is probably the most effective tool available to you. Contact support if you have any questions whatsoever. Simply open a ticket on your account and get a quick, helpful response within minutes. You do not need to spend your time on a telephone waiting for an answer and can ask a question or make a request even while you’re on the go.

Although this isn’t the be-all and end-all solution to your online security, we hope it has provided you with some extra information that can be used not only with your Callcentric account but with your other online accounts and services as well.

RESOURCES

Network
Cert Network Security: http://www.cert.org/tech_tips/home_networks.html
Network World: http://www.informationweek.com/news/telecom/voip/212200539

Passwords
Shannon Riley, University of Wichita: http://psychology.wichita.edu/surl/usabilitynews/81/passwords.asp

VoIP
voipsa.org: http://www.voipsa.org/

PBX

Asterisk security: http://blogs.digium.com/2009/03/28/sip-security/
3CX security: http://www.3cx.com/blog/voip-howto/voip-security/