The variety of security threats faced by telecom providers has increased as they have expanded their offerings beyond circuit switched voice. Telecoms have dealt with service theft for years, but today's threats can be much more damaging than the payphone coin thefts of yesterday.
Threats can take the form of denial of service attempts in which an attacker disrupts operation of the network itself. Since the same converged network carries voice, email and web access, all are blocked by an attack.
The increase in threats is due to two factors:
- IP networks are more vulnerable to attack than circuit switched networks
- Each Internet-based service can be attacked in specific ways. Service providers must employ protective techniques appropriate for each service.
IP network vulnerability
The protocols used in IP networks are all based on publicly available standards. Detailed information on their operation is available to anyone. Security issues and problems are freely discussed on the Internet. Information and software tools for hackers are openly offered.
Network elements such as DHCP servers, DNS servers and routers must be accessible to customer equipment to provide service. Customer access to this equipment makes it possible to try to gain control by methods like guessing administrator passwords.
Even when administrator access is blocked, other techniques like SNMP can be used to gain information about configuration details and revision levels. Network equipment vendors frequently publish notices describing security problems in a specific revision level. Any network element that is not immediately updated following a security notice is therefore vulnerable to attack.
The worldwide nature of the Internet means that threats can come from anywhere -- from Russian hackers who collected ransom from a UK betting firm to call off their denial of service attack, to Chinese hackers who broke into U.S. department store systems to steal credit card information. The difficulties of working across national boundaries often make apprehending and prosecuting attackers difficult or impossible.
Of course, a variety of Internet services means a variety of attack possibilities. Every service available via the Internet has attracted attacks. Email brought with it spam and phishing. Web access made possible sites carrying malware such as Trojan horses and key loggers.
VoIP theft possibilities
Theft of service from service providers has received less discussion than fraud attempts against end users, but Internet service theft has been a continuing problem. VoIP provides additional theft opportunities.
Modem cloning and modem uncapping are two methods used to steal cable Internet service. Modem cloning makes it possible to access Internet service without paying for it. Uncapping makes it possible to pay for low bandwidth access while utilizing high bandwidth. Detailed instructions and software tools for both are easily found on the web. DSL modems cannot be uncapped, but it is possible to steal service by scanning the network for modems that retain the default administrator username and password.
VoIP offers multiple avenues for fraud and theft of service. A single infected computer within a large enterprise can reveal usernames and passwords for all users. This information can enable an attacker to not only steal VoIP service but also to monitor VoIP traffic.
In a more sophisticated theft, a Miami man was arrested after allegedly operating what appeared to be a legitimate wholesale VoIP provider for two years in which he stole $1 million. He was able to offer low prices because he had hacked into legitimate providers and was routing traffic over their networks.
Defending against fraud
There is no single foolproof method to protect against threats. Telecoms must follow security guidelines carefully:
- Choose passwords carefully and change them often
- Update quickly when vendors release security patches
- Block probes of network elements
- Don't permit user access to administrator interfaces and block SNMP access
- Protect dial up access to console ports with two factor authentication
Take advantage of security features. For example, the DOCSIS standard for cable modems includes features to make cloning and uncapping more difficult, but many providers have not taken advantage of them.
Monitor network statistics carefully. The wholesale VoIP theft was detected only when the victimized providers reconciled their traffic levels with billing information. Cable providers can detect cloned modems by noticing that the number of IP addresses in use on a link exceeds the number allocated for legitimate users.
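The two monitoring checks described above, as an added example that is not part of the original article: flagging links where more IP addresses are active than subscribers allocated (a cloned-modem indicator), and reconciling switched VoIP minutes from call detail records against billed minutes. The lease records, allocation counts and minute totals are constructed sample data, and the field layout is an assumption.

```python
from collections import defaultdict

# Constructed sample data: active DHCP leases as (link id, modem MAC, assigned IP)
SAMPLE_LEASES = [
    ("link-A", "00:11:22:33:44:01", "10.0.1.10"),
    ("link-A", "00:11:22:33:44:02", "10.0.1.11"),
    ("link-A", "00:11:22:33:44:03", "10.0.1.12"),  # one more address than allocated
    ("link-B", "00:11:22:33:44:10", "10.0.2.10"),
]
# Constructed: number of legitimate (billed) subscriber addresses per link
SAMPLE_ALLOCATED = {"link-A": 2, "link-B": 3}


def links_exceeding_allocation(leases, allocated):
    """Return {link: active_ip_count} for links with more IPs in use than allocated.

    A surplus of active addresses on a link is the cloned-modem signal the
    article describes; a link missing from `allocated` is treated as zero.
    """
    in_use = defaultdict(set)
    for link, _mac, ip in leases:
        in_use[link].add(ip)
    return {link: len(ips) for link, ips in in_use.items()
            if len(ips) > allocated.get(link, 0)}


# Constructed: minutes switched per wholesale peer (from CDRs) vs. minutes billed
SAMPLE_SWITCHED = {"peer-1": 120000, "peer-2": 98000}
SAMPLE_BILLED = {"peer-1": 119500, "peer-2": 61000}


def unbilled_traffic(switched, billed, tolerance=0.02):
    """Return {peer: unbilled_minutes} where switched minutes exceed billed minutes
    by more than `tolerance` (a fraction of switched volume, to absorb normal
    rating lag). Large gaps mean traffic is crossing the network without being paid for.
    """
    flagged = {}
    for peer, minutes in switched.items():
        gap = minutes - billed.get(peer, 0)
        if gap > tolerance * minutes:
            flagged[peer] = gap
    return flagged


if __name__ == "__main__":
    print("links over allocation:", links_exceeding_allocation(SAMPLE_LEASES, SAMPLE_ALLOCATED))
    print("peers with unbilled traffic:", unbilled_traffic(SAMPLE_SWITCHED, SAMPLE_BILLED))
```

Both checks are meant to run periodically against exported lease tables and billing reconciliations; the tolerance should be tuned to the provider's normal rating delay before alerts are acted on.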
Finally, maintain close contact with equipment vendors and industry groups. Monitor Internet discussion forums to remain informed about the latest targets and threat techniques.
About the author: David B. Jacobs of The Jacobs Group has more than 20 years of networking industry experience. He has managed leading-edge software development projects and consulted to Fortune 500 companies as well as software start-ups.