In the February 15th issue of his Crypto-Gram newsletter, Bruce Schneier wrote an in-depth analysis of the need for securing the Internet of Things (https://www.schneier.com/crypto-gram/archives/2017/0215.html#1). Bruce's contention is that the Internet of Things is growing into a world-sized robot, and we don't even realise it.
The Internet of Things is composed of sensors (for example temperature monitors), actuators (for example switches to control heating or air conditioning) and stuff in the middle which decides what to do with the information from the sensors and how to control the actuators. In his analogy Bruce likens the sensors to the eyes and ears of the robot, the actuators to the hands and feet and the stuff in the middle to the brains.
Allowing a world-sized robot to evolve from the rush to implement IoT is dangerous, as the level of security applied to IoT development is nowhere near adequate. The need for computer security is understood and, while implementation is not always perfect, in Bruce Schneier's words:
Companies like Microsoft, Apple, and Google spend a lot of time testing their code before it's released, and quickly patch vulnerabilities when they're discovered.
The same cannot be said for the sensors and actuators of IoT; the eyes, ears, hands and feet of the robot.
Those systems are sold at a much lower margin, and are often built by offshore third parties. The companies involved simply don't have the expertise to make them secure.
The global robot is developing to the point where uncontrolled security vulnerabilities can have life-threatening consequences.
There is a fundamental difference between crashing your computer and losing your spreadsheet data, and crashing your pacemaker and losing your life. This isn't hyperbole; recently researchers found serious security vulnerabilities in St. Jude Medical's implantable heart devices. Give the Internet hands and feet, and it will have the ability to punch and kick.
One of Bruce Schneier's suggestions to address this problem is to start disconnecting systems:
If we cannot secure complex systems to the level required by their real-world capabilities, then we must not build a world where everything is computerized and interconnected.
UM Labs R&D have recognised this challenge and have also recognised that the race to adopt and implement IoT is hard to stop. The development of the Internet over the past 30 years has shown us that security concerns are brushed aside until attacks start to hurt. The problem is that in the IoT world security attacks that hurt can mean fatalities. To address this problem, the UM Labs R&D IoT security architecture recognises the challenges of securing sensors and actuators and provides a distributed mechanism to identify and authenticate these devices before they connect to the central IoT application. The architecture then secures the communications to and from these devices. To extend the robot analogy, UM Labs R&D provides the neurons which connect the hands and feet to the brain.
Quocirca's 2016 research showed the average European business expects to be dealing with 7,000 IoT devices over the coming 18 months. It recommends that IoT deployments are managed as a series of hubs or gateways that interoperate with spokes (IoT devices) on closed networks using network address translation (NAT). IoT gateways may be purpose-built or adaptations of existing devices (network routers, set-top boxes, smartphones), but legacy adaptations will be found wanting. These gateways, which control communications with the world at large, need unique IPv6 addresses. UM-Labs R&D is compliant and ready for this.
The key point is that, to be compliant with the new cyber security and data protection regulations, old designs for protection must now evolve to provide protection against multi-layered attacks, as the attack surface has become cleverer, with better spoofing and layered attacks. It is not good enough, in this new world of real-time IP communication, for everyday corporate or consumer use to be hacked, leaving users at the mercy of cyber criminal businesses running value chains parallel to those of corporate businesses, where their profit improves the higher up the technology levels they can access.
So many existing designs for legacy technology installed and employed at the network layer were designed many years ago. The fact that these designs operate independently, with little reflection on what is happening at the other layers, such as the application layer and certainly the content level, means that action taken by the cybercriminal can be the root cause of simultaneous attacks at the next level up and then at the golden nugget, the content level.
In a desperate attempt to bring a more modern twist to how the designs should evolve, suppliers talk SDN and NFV. Recent blogs from UM-Labs R&D reveal the tragic failure here: all existing hardware designs are being morphed into a software layer that can be used in an NFV implementation, but as isolated designs, predominantly at the network level with only some application aspects, this does not fulfil the need to integrate each level to respond to the attack surface now created by the cybercriminal.
In many recent aspects of testing these designs, UM-Labs R&D have proven the case with real ethical hacking (under licence and certification) of the current designs out in the market, audited again and again, showing that simple use of SIPVicious, which according to a legacy provider moving to NFV based on historical development has now become a favourite tool for hackers, is effective against them. The problem is that most try to position Session Border Controllers as the solution for VoIP and UC problems (NFV based or not).
Not to leave you hanging, let me explain a few facts. SIPVicious is widely used in call fraud attacks. If you examine the logs of any Internet-connected system (not just VoIP systems, but also web servers, email servers and anything else SIP based) you will see the characteristic SIP OPTIONS requests generated by SIPVicious scans. This means that any SIP system with an Internet connection is likely to be found. Once a system is detected, an attacker will then try other SIPVicious options to try to make calls via that system. If the system is not adequately protected, the attacker will exploit the compromised system to make fraudulent calls in large volumes. The cost to the victim organisation can exceed $100K.
Legacy products fail to provide effective protection against SIPVicious and many other attacks, which is the point in question: there is no point in attempting protection against spoofing only to find that a DDoS attack has opened the door to harvesting, man-in-the-middle, malware on remote devices and more. The proof of this is in a number of detailed security audits which have shown that the legacy technology design fails to detect and block SIPVicious. 2016 saw multiple successful call fraud attacks on VoIP/UC deployments relying on SBCs.
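The "characteristic SIP OPTIONS requests" mentioned above are recognisable in logs, and a detector can flag them before any INVITE arrives. The following is an added example, not code from UM Labs: it parses raw SIP requests, matches the well-known default signatures SIPVicious sends (User-Agent "friendly-scanner", From display name "sipvicious"), and also catches a scanner with a customised User-Agent by counting OPTIONS per source within a window. The messages, addresses and the sweep threshold are constructed for the example.

```python
"""Detect SIP OPTIONS scans of the kind SIPVicious produces.

Added example, not code from UM Labs. The SIP messages and addresses below
are constructed. The signature table holds the well-known defaults that
SIPVicious sends (User-Agent "friendly-scanner", From display name
"sipvicious"); the sweep threshold is an assumed tuning value.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Scanner signatures: lower-cased header name -> pattern. In a production
# deployment this would be a maintained database rather than a literal.
SCANNER_SIGNATURES = {
    "user-agent": re.compile(r"friendly-scanner|sipvicious", re.I),
    "from": re.compile(r"sipvicious", re.I),
}
SWEEP_THRESHOLD = 5   # OPTIONS from one source within SWEEP_WINDOW seconds
SWEEP_WINDOW = 60


@dataclass
class SipRequest:
    method: str
    uri: str
    headers: dict


def parse_sip_request(raw: str) -> Optional[SipRequest]:
    """Parse the start line and headers of a SIP request; None if not a request."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    m = re.match(r"^([A-Z]+) (\S+) SIP/2\.0$", lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return SipRequest(m.group(1), m.group(2), headers)


def scanner_signature(req: SipRequest) -> Optional[str]:
    """Return 'header=value' for the first header matching a known scanner."""
    for header, pattern in SCANNER_SIGNATURES.items():
        value = req.headers.get(header, "")
        if pattern.search(value):
            return f"{header}={value}"
    return None


def detect_scans(events):
    """events: iterable of (timestamp_seconds, source_ip, raw_sip_message).

    A source is flagged once, either because an OPTIONS request carries a
    scanner signature or because it sends SWEEP_THRESHOLD OPTIONS within
    SWEEP_WINDOW seconds (a scanner with a customised User-Agent).
    Returns a list of (source_ip, reason)."""
    detections, flagged = [], set()
    recent = defaultdict(list)
    for ts, src, raw in events:
        req = parse_sip_request(raw)
        if req is None or req.method != "OPTIONS" or src in flagged:
            continue
        sig = scanner_signature(req)
        if sig:
            flagged.add(src)
            detections.append((src, f"scanner signature {sig}"))
            continue
        recent[src] = [t for t in recent[src] if ts - t <= SWEEP_WINDOW] + [ts]
        if len(recent[src]) >= SWEEP_THRESHOLD:
            flagged.add(src)
            detections.append((src, f"{len(recent[src])} OPTIONS in {SWEEP_WINDOW}s"))
    return detections


def _sip(method, user_agent, from_hdr, call_id):
    """Build a minimal constructed SIP request for the sample below."""
    return (f"{method} sip:100@192.0.2.10 SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 192.0.2.10:5060\r\n"
            f"From: {from_hdr}\r\nTo: <sip:100@192.0.2.10>\r\n"
            f"Call-ID: {call_id}\r\nUser-Agent: {user_agent}\r\n"
            "Content-Length: 0\r\n\r\n")


# Constructed sample: one SIPVicious-style probe, one legitimate monitoring
# probe, a quiet sweep from a scanner with a custom User-Agent, and an INVITE.
SAMPLE_EVENTS = (
    [(0, "198.51.100.7", _sip("OPTIONS", "friendly-scanner",
                              '"sipvicious"<sip:100@192.0.2.1>', "c1"))]
    + [(1, "203.0.113.5", _sip("OPTIONS", "Acme-Monitor/2.0",
                               "<sip:monitor@203.0.113.5>", "c2"))]
    + [(2 + i, "203.0.113.9", _sip("OPTIONS", "Generic-UA/1.0",
                                   "<sip:probe@203.0.113.9>", f"s{i}")) for i in range(5)]
    + [(9, "203.0.113.5", _sip("INVITE", "Acme-Phone/3.1", "<sip:bob@203.0.113.5>", "c3"))]
)


def run_sample():
    return detect_scans(SAMPLE_EVENTS)


if __name__ == "__main__":
    for src, reason in run_sample():
        print(f"{src}: {reason}")
```

The legitimate monitoring probe from 203.0.113.5 is never flagged: it carries no scanner signature and sends only one OPTIONS in the window, which is the distinction the text draws between exploratory scans and the requests legitimate services need.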
As stated in my
Making the shift to SDN and NFV can be key, but in a cloud world, be this private (on premise) or public (Azure, AWS, Softlayer) or a hybrid combination thereof, there needs to be a floating point by which protection operates over multiple levels, integrated and awake to attacks. Over-the-top monitoring is essential, which means having a distinct design that both works with SDN and operates as a true OSI layer-integrated stack based on a defined rules table.
The explosion of mobile devices and content, server virtualization, and the advent of cloud services are among the trends driving the networking industry to re-examine traditional network architectures. Many conventional networks are hierarchical, built with tiers of Ethernet switches arranged in a tree structure. This design made sense when client-server computing was dominant, but such a static architecture is ill-suited to the dynamic computing and storage needs of today's enterprise data centres, campuses, and carrier environments.
The UM Labs Cyber Security OS layered stack extends the use of SDN beyond simple deployment management. The platform functions by detecting security threats and taking the appropriate blocking action. Threat detection and blocking actions are implemented at multiple levels. In many cases the most efficient method of blocking a threat is to implement the blocking action at a lower level than the one at which the threat was detected. For example, a call-fraud attack can only be detected at the application level, but the most efficient blocking mechanism is to instruct the network security layer to implement the blocking action. A 21st century design based on cyber security needs will have all of the networking, routing, mobile, IPv4 and IPv6 interop, and inter-op for any SIP UC solution such as IP-PBX, Skype for Business, Cisco Spark etc., that includes this level of feedback between threat detection and blocking action at all three security levels. SDN/NFV enables this feedback to be extended into the cloud, where all NSPs, hosting and new 'Cyber Security as a Service' (CSaaS) providers will need to be, especially set against regulations for data protection and ENISA guidelines from which penalties will be gauged.
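The feedback loop described above (detect at the level that can see the threat, block at the level where blocking is cheapest) can be expressed as a rules table. The block below is an added example, not UM Labs code: the event types, the rules table, the nftables table and set names ("inet filter", "blocked_sources") and the application- and content-level commands are all assumed for illustration, and every generated command is returned as a string rather than executed.

```python
"""Feedback from threat detection to blocking action across security levels.

Added example, not UM Labs code, of the feedback described above: a threat is
detected at whichever level can see it and blocked at the level where blocking
is cheapest. The rules table, event types, the nftables table and set names
("inet filter", "blocked_sources") and the application/content-level commands
are all assumed for illustration; generated commands are returned as strings,
never executed.
"""
from collections import Counter
from dataclasses import dataclass

LEVELS = ("network", "application", "content")


@dataclass(frozen=True)
class BlockAction:
    detected_at: str   # level that raised the event
    blocked_at: str    # level that enforces the block
    command: str


def block_source(event, repeats):
    """Network-level block of a source address; repeat offenders get a longer timeout."""
    timeout = "1h" if repeats == 1 else "24h"
    return BlockAction(event["level"], "network",
                       f"nft add element inet filter blocked_sources "
                       f"{{ {event['src_ip']} timeout {timeout} }}")


def deny_bnumber(event, repeats):
    """Application-level rule: reject call setups to a fraud-associated number (assumed CLI)."""
    return BlockAction(event["level"], "application",
                       f"sip-policy deny-bnumber {event['bnumber']}")


def quarantine_object(event, repeats):
    """Content-level action on a flagged message or attachment (assumed CLI)."""
    return BlockAction(event["level"], "content",
                       f"content-filter quarantine {event['object_id']}")


# Rules table: (event type, level it was detected at) -> action builder.
# A SIP scan or REGISTER brute-force is only visible at the application level,
# but the cheapest block is to drop the source at the network level.
RULES = {
    ("sip_scan", "application"): block_source,
    ("register_bruteforce", "application"): block_source,
    ("fraud_bnumber", "application"): deny_bnumber,
    ("malware_attachment", "content"): quarantine_object,
    ("syn_flood", "network"): block_source,
}


def plan_actions(events):
    """Map detection events to blocking actions.

    Returns (actions, unmatched): actions in event order with exact duplicates
    removed; unmatched holds events the rules table does not cover, so they can
    be surfaced to an operator rather than silently dropped."""
    repeats = Counter()
    actions, unmatched = [], []
    for ev in events:
        builder = RULES.get((ev["type"], ev["level"]))
        if builder is None or ev["level"] not in LEVELS:
            unmatched.append(ev)
            continue
        subject = ev.get("src_ip") or ev.get("bnumber") or ev.get("object_id")
        repeats[(ev["type"], subject)] += 1
        action = builder(ev, repeats[(ev["type"], subject)])
        if action not in actions:
            actions.append(action)
    return actions, unmatched


# Constructed sample detections (addresses from documentation ranges).
SAMPLE_EVENTS = [
    {"type": "sip_scan", "level": "application", "src_ip": "198.51.100.7"},
    {"type": "fraud_bnumber", "level": "application", "bnumber": "+99912345678"},
    {"type": "malware_attachment", "level": "content", "object_id": "msg-0042"},
    {"type": "sip_scan", "level": "application", "src_ip": "198.51.100.7"},
    {"type": "unknown_probe", "level": "network", "src_ip": "203.0.113.9"},
]


def run_sample():
    return plan_actions(SAMPLE_EVENTS)


if __name__ == "__main__":
    actions, unmatched = run_sample()
    for a in actions:
        print(f"detected at {a.detected_at}, blocked at {a.blocked_at}: {a.command}")
    print(f"{len(unmatched)} event(s) without a rule")
```

The second sip_scan from the same source produces a longer timeout rather than a duplicate one-hour entry, and the event with no matching rule is reported instead of dropped, which is the behaviour an operator would want from a rules table that drives automatic blocking.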
By way of a footnote, UM Labs R&D, in conjunction with ITSPA (itspa.org.uk), is addressing this problem with real-time analysis of fraud attacks and sharing that data as an effective defence against fraud and other SIPVicious attacks. This capability, in conjunction with the multi-layered security provided by UM Labs R&D, is the only 'effective' assured defence against SIPVicious attacks and many other security threats facing real-time communications such as UC (VOIP, Video, IM,
A GDPR study by the IAPP and TRUSTe has revealed that nine in 10 companies have actively started to address the regulation, including 43% who have a plan in place and 49% who have started implementing their GDPR compliance plan.
About 67% of EU companies said that their implementation is underway or completed, compared to 42% for the US. 43% of companies report they already carry out data inventory and mapping projects, and another 30% are planning to do so in the next 12 months. 71% of organisations are currently undertaking data privacy impact assessments.
Data protection regulation in Europe under GDPR, HR 1770 in the USA on cyber security breaches, and EU MiFID II for financial services, which includes call recording, bring a huge wall of potential pitfalls and fines for those corporates that ignore these moves by the governments of the globe.
Mixed in with this, because cyber crime is the 21st century scourge, is legal intercept: authorities trying to protect the country's jewels, a necessary ability for law enforcement to have. You will find that the data protection officers (DPOs, to be 75,000 globally) will become very frustrated that they have to work with 20th century cyber security legacy designs for protection and cannot avoid being hacked.
They will see guidelines from authorities such as ENISA stating clearly that this out-of-date protection, with legacy firewalls, routers and gateways, does not work as an integrated solution between the network, application and content layers. These are never going to be compliant with the regulation, as there is already a huge amount of proof and blame attached to this technology; so many have been hacked to date.
Take one aspect of real-time communications (RT is a complex thing, and UC/RT is a much needed set of tools in the 21st century): call fraud alone, associated with IP-PBX and UC platforms being totally open to attack, now amounts to a $7.5 billion loss in 2015.
Existing technology such as SBCs and firewalls is not able to determine whether a call is legitimate or not, and this allows access to all three layers following DDoS attacks. Legacy can never be assigned compliance approval, so why keep with the status quo?
The change is that with a 21st century design, built completely from the bottom up, you can have multi-level cyber security. This can be run as Security as a Service to your business; it will reflect the value chain of cyber crime based on rules and, by design, run in any cloud implementation, be it public, private or hybrid cloud offerings.
Already proven compliant, tested by credible red teams and matching the ENISA guidelines, the R&D shows leadership and will be a good choice for the new army of DPOs for whom there is only pain today.
Summary of unique points:
1. UM-Labs R&D provide unique premium protection for real-time communication cyber security based on op-ex.
2. The solution is currently the only compliant and tested platform under ENISA guidelines (covers GDPR and NIS with multi-level integrated security, legal intercept and EAL-4 encryption).
3. The solution has been through rigorous pen tests set against legacy offerings, showing SBCs, Application Gateways and Proxy Gateways to be redundant.
4. The solution is designed to meet evolving situations, such as IPv4 and IPv6 (IoT/IoE) transparency, and provides transparent inter-op between v4 and v6.
5. The solution scales to 100,000+ users, so is carrier grade.
6. The solution can be implemented in an hour, not days or months.
7. The solution is the first cyber security cloud layer OS.
8. The solution takes into consideration SDN and NFV, but is based on a new design, not a legacy transfer as with existing hardware offerings.
9. The solution covers all mobile as well as desktop (all connectivity: Wi-Fi, LTE or SIP trunking).
10. The solution is available and has a ROI set against the cost of not
Set against the new policy backdrop of researched needs, it makes perfect business sense.
The Register reports that the UK government is proposing to request that the Interception of Communications Commissioner's Office is tasked to monitor the growing use of IMSI catchers in and around UK prisons.
IMSI catchers are fake mobile network base stations which can be used to intercept and monitor calls made from smartphones. IMSI stands for International Mobile Subscriber Identity and is a unique identity carried by each mobile device. The ease with which IMSI catchers can be used to intercept calls has led some to claim it stands for Idiots Missed Security Implementation.
Their use in and around prisons enables the authorities to monitor prisoners' communications, but these devices are not selective: anyone using their phone in the vicinity of a prison risks having their communications intercepted.
The Register article also points out that there are a growing number of fake base stations in and around London. There is a real risk that any call made from a smartphone could be intercepted. Any breach of confidentiality resulting from the interception of a call is a violation of the new European General Data Protection Regulation.
UM Labs has developed an easy-to-deploy service to encrypt calls, protecting confidentiality and ensuring compliance.
In other European reaction, the Italian data-protection authority said the changes raise concerns for “the protection of the data of millions of citizens and numerous users of WhatsApp.” The U.K. Information Commissioner said in an Aug. 26 statement that its role is to “pull back the curtain on things like this, ensuring that companies are being transparent with the public about how their personal data is being shared.”
WhatsApp said in a blog post announcing the changes on Aug. 25 that its users’ “encrypted messages stay private and no one else can read them. Not WhatsApp, not Facebook, nor anyone else” and that they “won’t post or share your WhatsApp number with others, including on Facebook, and we still won’t sell, share, or give your phone number to advertisers.”
Another consideration for every social platform is that they can be abused by third parties in a variety of legal and illegal ways. Programs can replicate user behaviour and, armed with a valid user account, quickly and efficiently access all available contact accounts and harvest their data. Businesses cannot assume that online services provide any guarantee of security:
"That profile, that picture, that browsing habit or that buying pattern makes this generation the easiest and more importantly the quickest, target for fraudulent misuse of identity since the practice began." Computer Fraud and Security-Reed publication.
Individuals and business leaders must understand and accept that it is an imperative for any online service to be able to supply their services and cover their costs while making a profit for their shareholders. We can benefit from these services but we should not presume they are mature, stable or secure. Whilst money may not have changed hands, your participation in the service represents a level of investment and "caveat emptor" still applies.
The revelation coincides with fresh concern over the latest version of the "snooper's charter", which will give the police powers to access everyone's web browsing histories and hack into phones. Therefore this must place WhatsApp and Facebook in a tricky position, as there is no known legal intercept service for decryption, other than UM-Labs of course, which is compliant with legal intercept.
Our increasing reliance on fast and efficient communications in both our business and personal lives increases our exposure to cyber threats. These threats are nothing new. Since the emergence of the World Wide Web in the early 1990s and the growth in the use of Internet based email services we have become accustomed to the fact that connectivity brings both benefits and risks. Whether we have taken effective steps to control those risks is another question. The new generation of real-time communications applications are potential targets for the existing cyber threats but also introduce new threats. This review covers both sets of security threat.
Businesses need faster forms of communication to improve productivity and reduce costs. The new generation of workers are turning towards familiar applications to achieve this. These new applications include IP applications for voice (VoIP) and video calls, conferencing services and messaging. These are made more effective through the use of presence services, the ability to track the availability of colleagues. These new services have developed in the absence of clear controls and regulation, exposing the business to new cyber threats. However recent moves by governments both in Europe and North America are pressuring business to ensure that their security policies cover all methods of data processing and communication.
Europe is taking a lead on this initiative. In December 2015, the European Union published the General Data Protection Regulation (GDPR) (European Parliament, 2016). This builds on previous EU initiatives, including provisions for data erasure (right-to-be-forgotten) and data portability. To assist businesses in meeting the new regulations, the European Union Agency for Network and Information Security (ENISA), have published a set of technical guidelines. These guidelines specifically include the new generation of communications services and extend to the networks commonly used by those services (public WiFi, 3G/4G, VoIP services).
Government has been understandably reticent about regulating real-time communication, until it became a risk to commerce and trade with Cyber Crime growing to a level that represents a real threat to data privacy and has significant economic impact. Board level ignorance is no longer acceptable. While the concept of reasonableness is somewhat subjective, the questions for CEO, COO and CISOs to ponder are these: Does my security program constitute reasonable protections for a company in my industry, and would the program withstand legal scrutiny? If my company suffers a security breach, and I have to explain my actions a year from now in front of a court, will those actions show that I did what was reasonable to protect my company's information assets?
Thus it is important to have a set of rules that show the value chain working from cyber security protection upwards through to compliance and policy directives. The resulting cyber security policy must be clear and concise, understandable and acceptable at board level and most importantly able to demonstrate that all reasonable efforts had been made to protect against cyber threats. In the event of a security or compliance breach, the ability to show that the organisation's cyber security policy recognised the threats, used the most appropriate available technology to protect against those threats and that the policy was fully implemented, is an effective method to reduce the penalties imposed by the data protection authorities.
Take a lead, self-regulate and provide support to the business, large and small, in addressing this challenging and dynamic environment. This Paper is designed to help business leaders develop informed cybercrime policies which are effective in protecting the business and ensuring conformance to compliance regulations.
The New Communications Paradigm: the communications revolution gathers pace. Never before have so many people communicated so much so often.
Generation Y and Generation Z will automatically use instant messaging rather than email, text messaging rather than voice calling, video calling rather than face-to-face meetings and share personal data about their lives in a page on a social network.
Messaging is the new phone call, so it would appear, as 'WhatsApp' has demonstrated by surpassing 900 million active users every day, but only recently providing encryption for their traffic as a way to prevent breaching the confidentiality of personal data.
Like it or not, the business world is well and truly online and inextricably linked with this communications revolution. All this can be considered progress, but the rules of engagement in this brave new world are far from clear. Technologies provide the tools to achieve real-time communications, delivered by multiple companies, but not all products are inter-operable and not all are able to protect against cyber-attacks. Multi-vendor systems are the reality, but mixing products where some have limited security controls makes providing 'end-to-end' compliant cyber security a challenge.
Good business management requires clear strategies for successful online engagement, with clear guidelines and policies to manage potential risk to companies and their employees.
Broadly understood, compliance is an important mechanism that supports effective governance. Compliance with regulatory requirements and the organization's own policies is a critical component of effective risk management. Monitoring and maintaining compliance is not just to keep the regulators happy; it is one of the most important ways for an organization to maintain its ethical health, support its long-term prosperity, and preserve and promote its values.
FULL POLICY PAPER TO BE RELEASED FRIDAY 26.8.2016
Compliance for real-time communications is a process; the key steps in this process are:
1. Understand which of the many regulations apply.
2. Audit your platforms, Social Collaboration and telephony systems to ensure that they are adequately protected from attacks that could lead to the compromise of personal information. This audit should check for both generic network security vulnerabilities and vulnerabilities specific to the protocols used.
3. Review your existing security measures, recognising that most IT data security measures (Firewalls, VPNs etc.) do not adequately protect UC applications.
4. Review the need for call encryption, particularly for mobile devices used to communicate sensitive information.
5. Review the need for call recording; any financial sector organisation subject to MiFID will need to implement this if not already obliged to do so by other regulations.
6. Implement an effective UC security system which meets the compliance requirements.
1. What should a Cyber Security policy cover?
The explosion of mobile devices and content, server virtualization, and the advent of cloud services are among the trends driving the networking industry to re-examine traditional network architectures. Many conventional networks are hierarchical, built with tiers of Ethernet switches arranged in a tree structure. This design made sense when client-server computing was dominant, but such a static architecture is ill-suited to the dynamic computing and storage needs of today's enterprise data centers, campuses, and carrier environments. Some of the key computing trends driving the need for a new network paradigm include:
Software-defined networking (SDN) is an approach to computer networking that allows network administrators to manage network services through abstraction of lower-level functionality. SDN is meant to address the fact that the static architecture of traditional networks doesn't support the dynamic, scalable computing and storage needs of more modern computing environments such as data centers. This is done by decoupling or disassociating the system that makes decisions about where traffic is sent (the control plane) from the underlying systems that forward traffic to the selected destination (the data plane).
The SDN architecture may enable, facilitate or enhance network-related security applications due to the controller's central view of the network and its capacity to reprogram the data plane at any time. While the security of the SDN architecture itself remains an open question that has already been studied several times in the research community, the following paragraphs focus only on the security applications made possible or revisited using SDN.
Security and dependability are becoming the top priorities for SDN. The flexibility provided by SDN can enhance security by facilitating the implementation of a number of security controls for the entire managed network. For example, centralization as a single point of control and monitoring enables more consistent enforcement and control of security policies through fewer and uniformly accessible controllers. In the same manner, the deployment of different virtual devices (but not legacy-designed firewalling, packet filtering, IDS, IPS, load balancing, etc.) in a newly designed alignment to the OSI 7 layers can provide better Quality of Service (QoS), resilience and protection. Finally, automation will facilitate a quicker response to malware or DDoS attacks by isolation or reaction to changes of the network state, while maintaining the high-level policies in place. Security within the SDN paradigm is a challenge, as all layers, sub-layers and components need to communicate according to strict security policies. Some of the new challenges in protecting SDN arise from the main features of this paradigm: centralization, abstraction and programmability. Efforts and advances are being made in order to improve the trust between third party applications and the controller, better cross-domain connection, implementing correct isolation of traffic and resources, and integrating and improving the compatibility of
Not yet met in the wild, incidents related to SDN, NFV and 5G will orient themselves towards lower level threats and weaknesses (i.e. concerning low technological network layers) that will then affect higher level components and functions. Concrete impacts on these components are difficult to assess at the time being. To this extent, we follow a "bottom-up" approach by estimating threats that exploit more "traditional" network components, which will then be extrapolated to assumed SDN/NFV levels. UM-Labs R&D by design have implemented a rules-based stack to work with SDN and the 7-layer model; because of this design it is not taking existing legacy hardware routers, firewalls, SBCs and proxy gateways and having SDN make them a data access plane, which would mean non-compliant security across multiple layers of the attack surface in cyber security.
In December 2014 and again in 2015, ENISA published a set of technical guidelines with which an organization can implement processes and security measures that comply with the legislative requirements for the security of electronic communications of the European Union. HR 1770, the Data Security and Breach Notification Act of 2015 in the USA, along with the EU Directive 95/46/EC, now the new General Data Protection Regulation in Europe, present major milestones for cyber security compliance.
It also requires service providers, enterprises in high-risk areas (finance, government, oil and gas, health etc.) and their service providers to report data breaches to the listed authority within 72 hours in Europe.
If found not to have aligned with the guidelines on security technology defences and compliance rules, a fine of up to 4% of annual turnover adds to the increased costs of doing business.
The opportunities for hacking businesses are very similar to the opportunities for legitimate organizations. The difference is that legitimate businesses are moving to mobile technologies, SaaS, and growing economies to grow our businesses. Attackers view these emerging technologies as opportunities for weaknesses in our organizations that they can exploit. Developing countries are adopting new technologies to pay bills and access the Internet. Unfortunately, these new technologies and developing infrastructures do not always employ the most advanced security making them an easy target for attackers.
Read more by downloading the white paper:- http://www.um-labs.com/SiteAssets/technical-white-papers/Cyber%20Criminal%20Value%20chain%20and%20UM-Labs%20R%26D%20design%20for%20the%2021st%20century.pdf
Call fraud is a growing problem for telecommunications providers, especially for carriers providing service delivery via SIP trunks. The risks of connecting any data application server to public IP networks have been well understood for some time. These risks led to the growth of the firewall market in the early 1990s, followed by the development of application-specific security controls for Web, Email and other applications. Unfortunately, there is a lower level of understanding of the risks associated with real-time applications such as SIP-based VoIP services and Unified Communications (UC). As a consequence, development of application level security controls for SIP-based services has not kept pace with the increasing risk. Many providers continue to rely on Session Border Controllers (SBCs) to deliver security for SIP trunk services and for Unified Communications (UC) applications. SBCs are demonstrably unable to protect against many of the application level security threats faced by SIP-based UC applications and services. These threats include break-ins which enable attackers to make calls via compromised systems, leading to costly call fraud.
Call fraud is a growing problem for two reasons. Firstly, fraudsters can make money. Secondly, there are a growing number of IP-connected PBXs and UC servers which can be located and identified by fraudsters. Many of these systems have ineffective security controls, making them easy for fraudsters to exploit.
There are two categories of call fraud. The first is the obvious one of making calls at someone else's expense. The second and by far the most serious is premium rate fraud also known as international revenue sharing fraud (IRSF). Premium rate fraud occurs when a fraudster sets up a premium rate number, locates a poorly protected IP connected phone system and then forces that phone system to dial the premium rate number. The fraudster then collects a share of the premium rate fee.
One of the motivations for UM Labs to design and implement a next generation SIP Security platform was the recognition that call fraud, along with other security challenges, was a serious threat to the deployment of 21st century real-time communication services. From the outset, the UM Labs architecture included specific defences for these challenges, where appropriate borrowing technology from other network applications.
UM Labs adopts a layered approach to protecting against the call fraud threat.
- Prevent potential fraudsters from identifying the protected system(s) as potential targets. This requires an application level analysis of all SIP OPTIONS requests identifying those likely to originate from fraudsters searching for potential targets. A database of unique signatures, which identifies the scanning tools used, blocks these exploratory OPTIONS requests while allowing those requests needed to enable legitimate services.
- Block SIP INVITE (call setup) requests originating from fraudsters. Several security measures contribute to this defence including validating the URIs used and checking the source of each request.
- Block directory harvesting scans; this prevents an attacker from compiling a list of valid user accounts.
- Enforce the use of authentication on all requests. Most break-ins succeed because the attacker finds an account with no authentication or with a weak password. While authentication is normally the responsibility of the PBX or UC application server, the UM Labs platform is able to supplement or replace this authentication service. This is often necessary because many IP-PBXs provide limited authentication services or have been configured in a way that allows an attacker to bypass the authentication process. The UM Labs platform is able to utilise existing authentication databases via RADIUS or LDAP. This means that existing authentication databases, including Active Directory, can be utilised. These databases are more likely to implement and enforce a robust password policy than an IP-PBX.
- Enforce the use of encryption. Most observed call fraud attempts rely upon the default SIP transport, UDP. UDP is a connectionless, unencrypted transport. Simply by blocking the use of UDP and enforcing the use of an encrypted transport, the UM Labs platform will block most call fraud related break-ins. The UM Labs platform provides SIP transport conversion and can be configured with multiple network interfaces. This enables the platform to enforce encryption for all external connections while connecting to an internal system incapable of handling encryption.
- The UM Labs portal uses a real-time blacklist to detect and block known fraudulent calls. The blacklist includes both source IP addresses and dialled numbers. The source IP addresses in the database are the recorded source addresses of known fraudulent SIP OPTIONS, SIP REGISTER and SIP INVITE requests. OPTIONS and INVITE requests are used by attackers to locate targets and attempt to make calls. SIP REGISTER requests are used when an attacker is attempting to guess a user's password. The database is updated in real time by input from UM Labs systems detecting break-in attempts. It also includes honey-pot data and data from other trusted sources. All UM Labs systems with this option enabled can check inbound calls in real time and refuse the call if the source IP address or the dialled number is known to be associated with recent attacks.
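The layers listed above can be applied as an ordered admission check on each call-setup or registration request. The block below is an added example of that ordering and is not UM Labs code: requests arrive as already-parsed dicts, and the served domain, blacklist, user directory, addresses and numbers are all constructed. A plain password comparison stands in for digest verification against a RADIUS/LDAP-backed directory, and a Python set stands in for the real-time blacklist feed; the example also shows how repeated REGISTER failures from one source (password guessing) feed that blacklist.

```python
"""Layered admission checks for SIP INVITE and REGISTER requests.

Added example of the layered defence described above; it is not UM Labs code.
Requests arrive as already-parsed dicts, and the served domain, blacklist,
user directory and all addresses/numbers are constructed. The password
comparison stands in for digest verification against a RADIUS/LDAP-backed
directory, and the blacklist is a plain set standing in for a real-time feed.
"""
import re
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Policy:
    served_domains: set
    blocked_sources: set
    blocked_bnumbers: set
    users: dict                              # username -> password (stand-in directory)
    external_transports: set = field(default_factory=lambda: {"TLS"})
    register_fail_limit: int = 5
    register_failures: Counter = field(default_factory=Counter)


# sip:user@host[:port] or sip:host[:port]; user part limited to dial-plan characters.
URI_RE = re.compile(r"^sips?:(?:(?P<user>[A-Za-z0-9.+_-]+)@)?(?P<host>[A-Za-z0-9.-]+)(?::\d+)?$")


def check_request(req: dict, policy: Policy) -> tuple:
    """Apply the layers in order; returns (decision, reason) with decision in
    {'reject', 'challenge', 'allow'}. The cheapest checks run first."""
    # 1. Transport: external traffic must use an encrypted transport.
    if req["interface"] == "external" and req["transport"] not in policy.external_transports:
        return ("reject", f"transport {req['transport']} not permitted externally")
    # 2. Real-time blacklist: source address, then dialled number for call setups.
    if req["src_ip"] in policy.blocked_sources:
        return ("reject", "source address on blacklist")
    if req["method"] == "INVITE" and req.get("bnumber") in policy.blocked_bnumbers:
        return ("reject", "dialled number associated with call fraud")
    # 3. URI validation: well-formed and addressed to a domain we serve.
    m = URI_RE.match(req["uri"])
    if not m or m.group("host") not in policy.served_domains:
        return ("reject", "request URI not for a served domain")
    # 4. Authentication on every request; repeated REGISTER failures from one
    #    source look like password guessing and blacklist that source.
    auth = req.get("authorization")
    if not auth:
        return ("challenge", "authentication required")
    if policy.users.get(auth.get("username")) != auth.get("password"):
        if req["method"] == "REGISTER":
            policy.register_failures[req["src_ip"]] += 1
            if policy.register_failures[req["src_ip"]] >= policy.register_fail_limit:
                policy.blocked_sources.add(req["src_ip"])
                return ("reject", "source blacklisted after repeated REGISTER failures")
        return ("reject", "authentication failed")
    return ("allow", "all checks passed")


def build_sample_policy() -> Policy:
    """Constructed policy: one served domain, one blocked source, one fraud number."""
    return Policy(served_domains={"pbx.example.com"},
                  blocked_sources={"198.51.100.7"},
                  blocked_bnumbers={"+99912345678"},
                  users={"alice": "example-password"})


def _req(method, src, transport, uri, bnumber=None, auth=None):
    return {"method": method, "interface": "external", "transport": transport,
            "src_ip": src, "uri": uri, "bnumber": bnumber, "authorization": auth}


def run_sample():
    """Walk constructed requests through the layers; returns the decisions."""
    policy = build_sample_policy()
    ok = {"username": "alice", "password": "example-password"}
    to_uk = "sip:+442079460123@pbx.example.com"
    decisions = [
        check_request(_req("INVITE", "203.0.113.5", "UDP", to_uk, "+442079460123", ok), policy),
        check_request(_req("INVITE", "198.51.100.7", "TLS", to_uk, "+442079460123", ok), policy),
        check_request(_req("INVITE", "203.0.113.5", "TLS", "sip:+99912345678@pbx.example.com",
                           "+99912345678", ok), policy),
        check_request(_req("INVITE", "203.0.113.5", "TLS", "sip:bob@other.example.net",
                           "bob", ok), policy),
        check_request(_req("INVITE", "203.0.113.5", "TLS", to_uk, "+442079460123"), policy),
        check_request(_req("INVITE", "203.0.113.5", "TLS", to_uk, "+442079460123", ok), policy),
    ]
    guess = {"username": "alice", "password": "wrong"}
    for _ in range(policy.register_fail_limit):
        decisions.append(check_request(_req("REGISTER", "203.0.113.9", "TLS",
                                            "sip:pbx.example.com", auth=guess), policy))
    decisions.append(check_request(_req("INVITE", "203.0.113.9", "TLS", to_uk,
                                        "+442079460123", ok), policy))
    return decisions


if __name__ == "__main__":
    for decision, reason in run_sample():
        print(f"{decision}: {reason}")
```

The order matters: transport and blacklist checks are cheap and run before URI parsing and credential lookup, so a flood of UDP probes or requests from an already-blacklisted source never reaches the directory. The last decision in the sample shows the feedback the text describes: after the REGISTER guesses, a correctly authenticated INVITE from the same source is still refused by the blacklist.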
The problem of call fraud has grown to the extent that the UK Internet Telephony Service Providers Association (www.itspa.org.uk) has set up a project to combat call fraud. UM Labs, a member of ITSPA's operations group, is leading this initiative.