Telecom fraud: the cost of doing nothing just went up


TELECOM FRAUD

February 2005 Network Security 17

cynics might say because it has only been a Microsoft product for two months. At the same time there are still gaps to be plugged for the final version.

Not surprisingly the product has been quickly put through its paces by a number of laboratories. It generally succeeds in removing at least 95% of spyware or adware (the latter defined as software the user knowingly installed but still might find a nuisance and hard to remove subsequently). This is a very high hit rate compared with most products, but still means that some spyware goes undetected, so that Microsoft's stated goal of completely marginalising the problem is some way off, if it can be attained at all. Furthermore some components that are not recognized can continue to download other spyware. In this way the system could end up accumulating spyware that is not recognized, rather as bacteria that are resistant to antibiotics can build up in hospitals. There is a clear need for generic techniques capable of combating any spyware, just as is the case for viruses.

Microsoft Antispyware does though monitor the registry to prevent spyware that it has detected from reinstalling itself - an issue with some anti-spyware software.

All this apart there are the usual glitches one expects from beta software, causing the occasional system crash. The general advice not to install such software on critical production machines does hold.

On top of the technical creases still to be ironed out, there are legal issues. Whereas blocking viruses is uncontroversial because everyone is agreed they serve no useful purpose, this is not the case for all adware. When the adware always seeks the user's permission and does not attempt to hide or hinder its subsequent removal, it may be that the legal boot is on the other foot. The anti-spyware vendor may even face prosecution for including such software on its banned list. Users would be free to configure the software to ban any site or adware product they like, but then this negates the advantage of having anti-spyware perform the filtering automatically, again just like anti-virus software. If vendors whose products are labelled spyware succeed, by threat of legal action or just by complaining, in persuading Microsoft to reverse a ban on them, this may send a signal to other security vendors to steer clear of controversial detections. On the other hand litigation may result in more clear-cut definitions of what adware and spyware are. This then may clear the air and allow other mainstream anti-spyware scanners to evolve.

Microsoft has said far less about its forthcoming antivirus software, but some details have leaked out. It appears that the software will combine conventional signature-based virus scanning with a second engine capable of identifying the signs of recent virus activity in order to assess the level of exposure to virus infection. How well this generic identification will work is not yet clear, or whether it will be capable of acting directly against the virus.

There is a potential conflict of interest if Microsoft's anti-virus software becomes a commercial product rather than one given away free or bundled with the operating system or browser. The question is whether Microsoft would be less assiduous in removing weaknesses that virus writers could exploit, in order to make its software more appealing. But conspiracy theories are usually wrong, and in this case it is more likely that its experiences in the anti-viral field will help Microsoft root out problems in the operating system.

It should be emphasised as well that Microsoft has already embodied some anti-virus protection in its XP operating system with the latest upgrade, called Windows XP Service Pack 2. This release focused on security and includes Windows Firewall, Pop-up blocker for Internet, and Windows Security Centre. This will then provide a foundation for the subsequent full-blown anti-virus and anti-spyware products, whether or not they come as a single package.

The overall significance of all this is that Microsoft has over the last few years woken up to the need to take the security bull by the horns and spare its customers from wasting their time acting as amateur fire fighters.

“There is a potential conflict of interest if MS’s a-v product is commercial”

Telecom fraud: the cost of doing nothing just went up

Craig Pollard, Head of Security Solutions, Siemens Communications

In today's business environment, IT network security is vitally important, with security breaches across voice and data networks growing by the day.

Emotive terms such as “cyber attack” and “cyber-terrorism” are always certain to generate plenty of media excitement, with science-fiction visions of malevolent hackers creating vicious computer viruses to rampage through cyberspace, doing unseen and untold damage to the infrastructures that support our way of life. However, while the reality of IT security is far more mundane than such science-fiction ideas, the threat to a network from malicious attack remains real and the consequences just as frightening. Every business is dependent upon information technology, which brings with it inevitable vulnerability.

Dark rumours of underground hacker networks and conferences give rise to the belief in a vast and growing number of aggressive, deliberately destructive hackers. Significantly, the methods these hackers adopt to gain unauthorized access to corporate resources are now also extending to embrace telecommunications systems.

The terrorist threat

The hacker phenomenon has a serious and far-reaching influence. Were communications on two continents ever disrupted by moving telecommunications satellites? Have computing resources belonging to government agencies ever been hacked? Have environmental controls in a shopping centre ever been altered via modem? The answer to all of these questions is yes. But, unlike other crime groups who receive high profile coverage in the media, the individuals responsible for these incidents are rarely caught.

As if that is not enough, unauthorized use of telecommunications facilities is the preferred methodology for people who sympathise with or support terrorist organizations, and want their activities to remain invisible.

The French authorities studying the Madrid train bombings in March 2004, for example, are investigating whether the bombers hacked into the telephone exchange of a bank near Paris as they were planning their attack. The telephone calls involved were made by phreaking - a practice similar to hacking that bypasses the charging system.

Combating telephony fraud

The PBX is among the areas most susceptible to telecommunications fraud.

Typical methods of fraudulent abuse involve the misuse of common PBX functions such as DISA (Direct Inward System Access), looping, call forwarding, voicemail and auto attendant features.

Another area popular for frequent fraudulent exploitation is the maintenance port of PBXs. Hackers often target the dial-up modem attached to such ports, which is there to support remote maintenance activities. When a PBX is linked to an organization’s IT network – as is increasingly the case with call centres, for instance – a poorly protected maintenance port can offer hackers an open and undefended “back door” into such critical assets as customer databases and business applications.

When things go wrong

It is clearly important to balance the cost of securing your voice infrastructure from attack against the cost of doing nothing. The consequences of inaction can include:

• Direct financial loss through fraudulent call misuse (internal or external).

• Missed cost saving opportunities through identification of surplus circuits.

• Adverse publicity, damage to reputation and loss of customer confidence.

• Litigation and consequential financial loss.

• Loss of service and inability to discharge contractual obligations.

• Regulatory fines or increased regulatory supervision.

The threat from within

As is the trend with hacking data networks, the threat to PBXs comes primarily from within. For example, an employee, a contractor, or even a cleaner could forward an extension in a seldom-used meeting room to an overseas number and make international calls by calling a local rate number in the office.

The perpetrator could likewise be the beneficiary of a premium rate telephone number in this country or abroad and continue to leave phones off the hook or on a re-direct to that number, netting thousands of pounds in illicit gains in a weekend.

And, of course, let's not forget about the new telecommunications technologies which are based around open communications via the Internet. These include IP-driven PBXs supported by all the adjunct devices, the deployment of CTS (Computerised Telephone Systems), CTI (Computer Telephony Integration) and Voice over IP. The introduction of these technologies means IT and telecoms managers now need to become even more alert to prevent new and existing threats that are typically associated with data networks from impacting upon voice networks. Without diligent attention, telecoms systems are in grave danger of becoming the weak link in the network and utterly defenceless against targeted attacks by hackers.

So what practical measures can telecom or IT managers take to help prevent becoming a victim of telecom fraud? One of the most effective approaches to improving the security of telephony systems includes conducting regular audits of:

• Station privileges and restrictions.

• Voice and data calling patterns.

• Public and private network routing access.

• Automatic route selection.

• Software defined networks.

• Private switched and tandem networks.

• System management and maintenance capabilities.

• Auto attendant and voicemail.

• Direct inward system access (DISA).

• Call centre services (ACD).

• Station message detail reporting.

• Adjunct system privileges.

• Remote maintenance protection.

• Primary cable terminations and physical security of the site and equipment rooms.

VULNERABILITY ANALYSIS

February 2005 Network Security 19

IE patched after ‘extremely critical’ warning

Thomas Kristensen, chief technical officer, Secunia

In the beginning of January, new exploit code was released for the Internet Explorer HTML Help control vulnerabilities. Based on this information, Secunia has raised the rating from “Highly Critical” to “Extremely Critical”, which is our most severe rating for vulnerabilities.

A demonstration is available for people to test if their systems are affected. It can be found at http://secunia.com/internet_xplorer_command_execution_vulnerability_test/.

The criticality rating was increased due to exploit code being released on public mailing lists, and the fact that no solution was available from the vendor.

However, only four days later Microsoft issued a patch for Internet Explorer that fixed two of the vulnerabilities described in SA12889. This effectively rendered the exploits useless against patched systems. http://secunia.com/SA12889/

IE again

A new vulnerability in Internet Explorer was also discovered in January. This could potentially be exploited by a malicious FTP server to place files in arbitrary locations on the user's system. This is due to a directory traversal vulnerability during FTP transfers. http://secunia.com/SA13704/

Icon cursor

In addition, Microsoft issued two other security bulletins. These correct vulnerabilities in the handling of Icon and Cursor files and in the Indexing Service. The Icon and Cursor

Other measures include reviewing the configuration of your PBX against known hacking techniques, comparing configuration details against best practice and any regulatory requirements that may pertain to your industry sector.

Ensure default voicemail and maintenance passwords are changed and introduce a policy to prevent easily guessable passwords being used. Make sure that the policy demands regular password changes and take steps to ensure the policy is enforced.

Installing a call logging solution, to provide notification of suspicious activity on your PBX, is a useful measure and one that can often give valuable early warning of an attack. In addition, review existing PBX control functions that might be at risk or which could allow errors to occur.

Be aware that many voice systems now have an IP address and are therefore connected to your data network. You therefore must assess what provisions you have to segment both networks. Security exposures can also result from the way multiple PBX platforms are connected across a corporate network or from interconnectivity with existing applications.

Research and investigate operating system weaknesses, including analytical findings, manufacturer recommendations, prioritisation and mitigation or closure needs - and implement a regular schedule of reviewing server service packs, patches, hot-fixes and anti-virus software.

Finally, formalise and instigate a regular testing plan that includes prioritisation of the elements and components to be assessed, and supplement this by conducting a series of probing exercises to confirm the effectiveness of the security controls used.
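A call-logging check of the kind the article recommends, as an added example that is not from the article or from Siemens: it runs over constructed SMDR-style call records and flags the insider patterns described above (an extension forwarded to an overseas number, international or premium-rate calls out of hours, and premium-rate minutes piling up as when a phone is left off the hook). The dialling prefixes, business hours, record format and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
# Assumed dialling conventions (UK-style): international and premium-rate prefixes.
INTL_PREFIX = "00"
PREMIUM_PREFIX = "09"
BUSINESS_HOURS = (8, 18)          # 08:00-18:00, Monday to Friday (assumption)
PREMIUM_MINUTES_LIMIT = 60        # premium-rate minutes per extension before alerting
# Constructed sample SMDR lines (not real traffic). Fields:
# date time,extension,route,dialled number,duration in seconds.
# route OUT = direct outbound call; FWD = call forwarded onward by that extension.
SAMPLE_SMDR = """\
2005-02-04 10:12:03,2210,OUT,02079460000,95
2005-02-05 02:15:40,2311,FWD,0012125550123,1800
2005-02-05 03:00:00,2311,FWD,0012125550123,2400
2005-02-06 09:30:00,2105,OUT,09065550999,7200
2005-02-07 11:05:22,2105,OUT,09065550999,600
2005-02-07 14:22:10,2210,OUT,0033140000000,300
"""

def parse_smdr(text):
    """Parse SMDR lines into dicts; skip blank or malformed lines instead of crashing."""
    records = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 5:
            continue
        try:
            when = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
            seconds = int(parts[4])
        except ValueError:
            continue
        records.append({"when": when, "ext": parts[1], "route": parts[2],
                        "number": parts[3], "seconds": seconds})
    return records

def out_of_hours(when):
    """True at weekends or outside the business-hours window."""
    start, end = BUSINESS_HOURS
    return when.weekday() >= 5 or not (start <= when.hour < end)

def detect_fraud(records):
    """Return a sorted, de-duplicated list of (rule, extension, number) alerts."""
    alerts = set()
    premium_minutes = defaultdict(float)
    for r in records:
        intl = r["number"].startswith(INTL_PREFIX)
        premium = r["number"].startswith(PREMIUM_PREFIX)
        if r["route"] == "FWD" and intl:          # extension forwarded to an overseas number
            alerts.add(("forward-overseas", r["ext"], r["number"]))
        if (intl or premium) and out_of_hours(r["when"]):   # nobody should be dialling this now
            alerts.add(("out-of-hours", r["ext"], r["number"]))
        if premium:                               # minutes pile up when a phone is left off the hook
            premium_minutes[r["ext"]] += r["seconds"] / 60
            if premium_minutes[r["ext"]] > PREMIUM_MINUTES_LIMIT:
                alerts.add(("premium-volume", r["ext"], r["number"]))
    return sorted(alerts)

if __name__ == "__main__":
    for rule, ext, number in detect_fraud(parse_smdr(SAMPLE_SMDR)):
        print(f"ALERT {rule}: extension {ext} -> {number}")
```

On the sample log the weekday daytime international call from extension 2210 is left alone, while the weekend forwarding from 2311 and the premium-rate calls from 2105 each raise an alert.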

Insight Consulting, a division of Siemens plc, is exhibiting at Infosecurity Europe 2005, which is Europe's number one information security event. Now in its 10th anniversary year, Infosecurity Europe continues to provide an unrivalled education programme, new products & services, over 250 exhibitors and over 10,000 visitors from every segment of the industry. Held on the 26th - 28th April 2005 in the Grand Hall, Olympia, this is a must-attend event for all IT professionals involved in information security. www.infosec.co.uk

“authorities are investigating whether the Madrid bombers first hacked into a bank telephone exchange”