SANS ISC: InfoSec Handlers Diary Blog

VoIP Spam (Vonage?)

Published: 2007-10-29
Last Updated: 2007-10-29 17:37:06 UTC
by Johannes Ullrich (Version: 1)

I just may have gotten my first VoIP spam. My VoIP line (which I have with Vonage) rang once. It should be configured to forward calls to my "real" phone. But this didn't happen. Instead, shortly after the phone rang, I received a new voicemail. The voicemail was about 4 minutes long and consisted of a recording of some comedian. Nothing particularly special or offensive. Mostly the usual jokes referring to US political issues like healthcare and Iraq. The recording starts and ends suddenly without introduction, and it sounds like it is part of a larger program. Haven't listened to the full recording yet.

Has anybody else experienced this issue?

Two more details: My Vonage console shows the call duration as exactly 5 minutes and the caller ID as 1111111111.

Update: John pointed to an older article in a Vonage user forum. That, and some additional Googling, kind of leads to the idea that '111-111-1111' is a caller ID frequently used by companies with the ability to adjust the caller ID. Larger phone systems will allow you to adjust caller IDs for outbound calls. "All 1s" appears to be a popular configuration for such systems.

Cyber Security Awareness Tip #29: Insider Threats

Published: 2007-10-29
Last Updated: 2007-10-29 16:28:50 UTC
by Johannes Ullrich (Version: 4)

I find this to be one of the hardest-to-mitigate threats in information security. Frequently, fighting insider threats prevents people from doing work. Another problem is that too many restrictions and too much surveillance lead to distrust between employer and employee. So what's the right balance? What worked for you? In my opinion, the following ideas usually work:

  • keep good logs. Logs should show who is doing what to your data, in particular when insiders use admin-level access to change data or review users' data.
  • avoid "loners". Have people work in teams. Not only is this good for cross-training in case an employee is out on vacation, but it also provides a second set of eyes to catch intentional or unintentional mistakes.
  • keep good backups. If things go bad, it's good to be able to recover. Of course, backups are made by insiders as well.
  • stay in touch with your employees and care about them. Make sure they are paid well and don't have a reason to be mad at you. If they are, make sure you are able to discover issues early. But treating your employees well goes a long way toward mitigating insider threats.
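The "keep good logs" point only pays off if someone actually reviews the logs for privileged access to other people's data. The following is an added example (not from the diary): it parses constructed sudo syslog lines and flags every privileged command that reaches into a data location outside the invoking user's own home directory, or that runs a database client. The host name, user names, paths and the `SENSITIVE_PREFIXES` / `DATA_STORE_BINARIES` lists are assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample sudo log lines in syslog format (host, users and paths are made up).
SAMPLE_SUDO_LOG = """\
Oct 29 14:03:12 fileserver sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /home/bob/.ssh/id_rsa
Oct 29 14:05:40 fileserver sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Oct 29 14:07:02 fileserver sudo:    carol : TTY=pts/1 ; PWD=/var/backups ; USER=root ; COMMAND=/bin/tar czf /var/backups/payroll.tgz /srv/payroll
Oct 29 14:09:55 fileserver sudo:    dave : TTY=pts/2 ; PWD=/home/dave ; USER=root ; COMMAND=/bin/ls /home/dave/project
Oct 29 14:11:13 fileserver sudo:    eve : TTY=pts/3 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/mysql -e 'select * from customers'
"""

# Field layout of a sudo log entry: "<timestamp> <host> sudo: <user> : TTY=.. ; PWD=.. ; USER=.. ; COMMAND=.."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Assumed locations that hold other people's data; adjust to the environment.
SENSITIVE_PREFIXES = ("/home", "/srv/payroll", "/var/lib/mysql")
# Assumed data-store clients whose use under sudo should always be reviewed.
DATA_STORE_BINARIES = ("mysql", "psql", "sqlite3")


@dataclass
class SudoEvent:
    timestamp: str
    host: str
    user: str          # who invoked sudo
    target_user: str   # who the command ran as (USER=...)
    command: str       # the full command line


def parse_sudo_log(text):
    """Parse syslog text into SudoEvent records, skipping lines that are not sudo entries."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(SudoEvent(m["ts"], m["host"], m["user"], m["target"], m["cmd"].strip()))
    return events


def _under(path, prefix):
    """True if path equals prefix or lies inside the prefix directory."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def touches_user_data(event):
    """Flag a privileged command that reads/writes data outside the invoker's own home."""
    tokens = event.command.split()
    if not tokens:
        return False
    binary = tokens[0].rsplit("/", 1)[-1]
    if binary in DATA_STORE_BINARIES:
        return True
    own_home = f"/home/{event.user}"
    for tok in tokens[1:]:
        if not tok.startswith("/"):
            continue                      # only absolute paths are inspected
        if _under(tok, own_home):
            continue                      # the user's own files are not "other people's data"
        if any(_under(tok, p) for p in SENSITIVE_PREFIXES):
            return True
    return False


def flag_privileged_data_access(text):
    """Return (user, command) pairs worth a second look, in log order."""
    return [(e.user, e.command) for e in parse_sudo_log(text) if touches_user_data(e)]


if __name__ == "__main__":
    for user, cmd in flag_privileged_data_access(SAMPLE_SUDO_LOG):
        print(f"REVIEW {user}: {cmd}")
```

On the sample data this flags alice reading another user's SSH key, carol archiving the payroll tree (legitimate for a backup role, which is exactly why a second set of eyes should confirm it), and eve querying the customer table, while dave listing his own project directory and alice running a package update pass quietly. The point is not that every flagged line is an incident, but that admin-level access to other people's data becomes visible and reviewable.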

An even worse problem I don't even dare to cover: insiders who get blackmailed. Again, if they trust you, maybe they will come forward first. But that's a lot of trust.

So any good ideas you have to implement insider protections like that? Trust me... I will publish them. After all, I am an insider here ;-) (Thanks to Bill for pointing this out).

A couple of updates from Scott, Mark, "Alerter", Gary, Jerry:

  • separation of duties. For example, set up an auditors group or a backup group that does not share duties with other system administrators or developers.
  • minimize privileges. Developers usually don't need root access.
  • use individual credentials. In the Unix world, this translates to "use sudo instead of logging in as root".
  • as you set up new accounts, in particular for temporary workers / contractors, configure them to expire on the date the contract expires.
  • link user management to payroll. If they are no longer paid, they don't need accounts.
  • suspend accounts if they haven't been used in a while (2 weeks? depends on how much vacation people have).
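The last three items (contract expiry, payroll linkage, and suspending idle accounts) are easy to describe and easy to forget; they work best as a scheduled check that produces a concrete action list. The following is an added example, not from the diary or its contributors: it takes a constructed account roster (names, dates and payroll status are made up) and plans the standard Linux commands (`usermod -L` to lock, `chage -E` to set an expiry date) as a dry run, without executing anything. The roster fields and the 14-day idle threshold are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Account:
    name: str
    on_payroll: bool                  # fed from HR/payroll, per the "link user management to payroll" item
    created: date
    last_login: Optional[date]        # None if the account has never been used
    contract_end: Optional[date] = None   # for contractors / temporary workers
    expires: Optional[date] = None        # expiry currently set on the account, if any


# Constructed sample roster; all people and dates are invented for illustration.
SAMPLE_ACCOUNTS = [
    Account("alice", True, date(2005, 1, 10), date(2007, 10, 28)),
    Account("bob", True, date(2006, 3, 1), date(2007, 9, 20)),
    Account("carol", True, date(2007, 9, 1), date(2007, 10, 29), contract_end=date(2007, 12, 31)),
    Account("dave", False, date(2004, 6, 15), date(2007, 10, 27)),
    Account("erin", True, date(2007, 10, 1), None),
    Account("frank", True, date(2007, 10, 20), None),
]


def plan_account_actions(accounts, today, idle_days=14):
    """Return {username: [shell commands]} for accounts needing attention (dry run only)."""
    plan = {}
    for a in accounts:
        cmds = []
        # 1. Not on payroll any more: lock the password and expire the account immediately.
        if not a.on_payroll:
            cmds += [f"usermod -L {a.name}", f"chage -E 0 {a.name}"]
            plan[a.name] = cmds
            continue
        # 2. Contractor: make sure the account expiry matches the contract end date.
        if a.contract_end is not None and a.expires != a.contract_end:
            cmds.append(f"chage -E {a.contract_end.isoformat()} {a.name}")
        # 3. Idle: no login for more than idle_days (never-used accounts count from creation).
        reference = a.last_login or a.created
        if today - reference > timedelta(days=idle_days):
            cmds.append(f"usermod -L {a.name}")
        if cmds:
            plan[a.name] = cmds
    return plan


def render_plan(plan):
    """Format the plan as shell lines an administrator can review before running."""
    return "\n".join(f"{cmd}    # {user}" for user, cmds in sorted(plan.items()) for cmd in cmds)


if __name__ == "__main__":
    print(render_plan(plan_account_actions(SAMPLE_ACCOUNTS, date(2007, 10, 29))))
```

Run against the sample roster with 2007-10-29 as "today", the plan locks bob (39 days idle) and erin (created 28 days ago, never used), sets carol's expiry to her contract end, and locks and expires dave because payroll no longer lists him; alice and frank need nothing. Feeding the output to a ticketing step rather than straight to a root shell keeps the "second set of eyes" from the first list in the loop.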

Johannes B. Ullrich Ph.D., SANS Institute.
