TUTORIAL Telephony Fraud Whitepaper

[leemason]

Before the big forum crash I posted a link to a useful telephony fraud whitepaper that I picked up after attending a course on telephony fraud at Spitfire Network Services in London (UK). I thought I'd post it again here in case anyone is interested. If you want to take a look it's here:

http://www.opl.co.uk/whitepapers/PBX Security in the VoIP environment.pdf

Remember that PBX security is not just about securing port 5060. It's a lot more than that!

 

[snarpatroid]

A good paper and well worth a read, thanks for posting.

 

[leemason]

Not written by me but I will pass on your comments to the author. Thanks.

 

[LesD]

Thanks for making it available.

The first paragraph on page 13 does not make sense to me.

 

[leemason]

That part related to the "Office Hours" section on the previous page. It's basically making the point that if you setup your PBX to disallow calls to expensive destinations outside of normal office hours then the only security breach that can get around this strategy is if the hacker gains control of the PBX and can override the out of hours restrictions.

 

[LesD]

Understood but I still think the sentence is wrong. The "as" reads as if it is a reason for 'overcoming' while in fact it harps back to just describing the security measure of the previous paragraph.

It says:

In fact one of the few attacks that will overcome this security is
PBX control as outgoing calls are barred from dialling expensive
numbers.

while I think what it means to say is:

In fact one of the few attacks that can overcome this security measure is
when the attacker manages to take control of the PBX.