Right now sensitive proprietary information is leaving your organization and falling into the hands of your competitors. But your executive management team has strongly supported your efforts to secure the enterprise over the past few years. You’ve used this support to build a world-class security program.
Protection starts with the data and works its way out through all applications, hosts, and networks. Baseline security technologies, like antivirus, intrusion detection/prevention systems (IDS/IPS), and firewalls, exist at each of these layers. You keep all your systems patched … yes, even the third-party applications. The latest advanced protection tools, like data loss prevention (DLP), whitelisting, database activity monitoring (DAM), and two-factor authentication, add to your extensive repertoire of controls, all tuned to stop and/or detect those trying to infiltrate your organization.
A strict configuration management program manages all of these controls, and dedicated, well-trained security staff monitor all application, host, network, and security control events through a highly tuned security information and event management (SIEM) system on a 24×7 basis. Lastly, you meet all necessary compliance standards for your industry, and your security awareness program is second to none.
Nevertheless data critical to the success of your organization is slowly leaking out … and you don’t even know it. None of your controls can even detect this exfiltration. No, we’re not talking about some state-sponsored division performing an advanced persistent threat 0-day attack or an activism group posting sensitive information. … Your competitors are simply dialing into insecure conference call lines and silently listening in. This happens at all levels … from the executive team making bajillion dollar decisions all the way down to those of us in the trenches talking shop on the technologies we use to build solutions. And the problem is only going to get worse as the workforce continues to migrate to more distributed environments.
When we look back at these conference call systems, most deployed today are back in the stone ages of information security. They break some of the most basic security rules we have accepted and implemented in modern day IT systems.
- Shared Username (phone number)
- Shared Password (participant code)
- Password that Never Changes
Without these basic identification and authentication mechanisms, hosts have no idea who or what (a recorder) is dialing in to your conference calls. There may be some logging in terms of a phone number back at the provider but I’ve personally never seen this capability.
I did a quick search for “hacking security teleconference conference call systems” and Google returned practically no articles describing how to defend these systems. Maybe the provider offers those basic security controls but they don’t seem to offer guidance on using them. Again ease-of-use trumps security.
So how do we fix this? Well, Alan Brill in one of his recent articles recommends the following suggestions.
- Change passcodes and/or dial-in number when hosts/participants no longer need access
- Review call email distribution lists prior to sending out revised meeting invitations with the new codes
- Regularly review call email distribution lists to verify they’re current
- Cancel conference bridge numbers that were assigned to former employees
- If you have a bad feeling that someone has been listening in, call your company’s general counsel
You can read more detailed versions of Alan’s suggestions over in his “Who’s listening to your conference calls?” article. He touches on ways attackers could easily infiltrate your calls. From personal experience and conversations with many others, NONE of Alan’s suggestions are EVER done. People keep the same conference lines … with the same participant and host codes for eternities. They pass them out to a range of internal and external people for regular and ad-hoc meetings. The credentials simply NEVER change! I understand why … implementing Alan’s suggestions is hard, but there has to be something we can do.
I was thinking of other ways to address this gaping security hole with less hassle. Three thoughts that come to mind include:
- Force pseudo-one-time use passcodes per call; prevents “replay attacks” from prior call participants
- Each user having their own id pin/passcode; hosts add users for a call based on their id pin
- Drop the whole existing conference call infrastructure and migrate to more modern day collaboration technologies that tie into some type of backend authentication system
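To make the first two ideas concrete, here is an added example (my own illustration, not code from the post or from any conference bridge vendor) of how a bridge could combine them: every user has their own id, the host adds ids to a per-call roster, and the bridge derives a distinct per-call, per-user passcode with an HMAC so that nothing needs to be stored per code. A code from last week’s call, a code used by someone not on the roster, or a code replayed a second time within the same call is all rejected. The `BRIDGE_SECRET`, the call ids, and the user names are constructed for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Set, Tuple

# Constructed demo key. A real bridge would keep this in a secrets store or HSM.
BRIDGE_SECRET = b"constructed-demo-bridge-secret"


@dataclass
class Call:
    """One scheduled conference call (hypothetical bridge-side record)."""
    call_id: str            # unique per call, so codes never carry over between calls
    start: int              # unix seconds when the dial-in window opens
    duration: int           # seconds the window stays open
    roster: Set[str]        # user ids the host has added for this call
    admitted: Set[str] = field(default_factory=set)   # ids already let in (replay guard)


def add_to_roster(call: Call, user_id: str) -> None:
    """Host action: allow a user id onto this call."""
    call.roster.add(user_id)


def issue_call_passcode(call: Call, user_id: str) -> str:
    """Derive the passcode the bridge mails to one user for one call.

    The bridge never stores the code; it recomputes it at dial-in time.
    Binding call_id, start and user_id into the MAC means a leaked code is
    useless for any other call or any other user id.
    """
    msg = f"{call.call_id}|{call.start}|{user_id}".encode()
    digest = hmac.new(BRIDGE_SECRET, msg, hashlib.sha256).digest()
    # Phone keypads only take digits, so map the first 32 bits to an 8-digit code.
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


def admit(call: Call, user_id: str, passcode: str, now: int) -> Tuple[bool, str]:
    """Bridge-side check when a caller keys in their id and passcode."""
    if user_id not in call.roster:
        return False, "not on roster"
    if not (call.start <= now < call.start + call.duration):
        return False, "outside call window"
    expected = issue_call_passcode(call, user_id)
    if not hmac.compare_digest(expected, passcode):
        return False, "bad passcode"
    if user_id in call.admitted:
        # Pseudo-one-time: a second dial-in with the same code is refused and
        # surfaces to the host, who can re-admit a legitimately dropped caller.
        return False, "replay: passcode already used on this call"
    call.admitted.add(user_id)
    return True, "admitted"


if __name__ == "__main__":
    call = Call("weekly-status-01", start=1_000_000, duration=3600, roster=set())
    add_to_roster(call, "alice")
    code = issue_call_passcode(call, "alice")
    print("alice's code for this call:", code)
    print(admit(call, "alice", code, call.start + 60))   # (True, 'admitted')
    print(admit(call, "alice", code, call.start + 90))   # replay refused
```

Note what this does and does not buy you: the shared participant code is gone, a recorder dialing in with a copied code is refused once the real participant has joined (or locks the real participant out, which the host notices immediately), and a code from a previous call cannot be replayed. It still relies on the per-call codes reaching only the intended recipients, which is exactly why Alan’s advice about reviewing distribution lists remains relevant.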
Regarding the last suggestion, many pooh-pooh Skype security but I think they got it right … at least a lot more right than many of these legacy conference call solutions. Users authenticate to the system and hosts invite the people they want to participate into the conference. Personally, I would much rather use Skype to hold my company conference calls. It’s A LOT more secure. Unfortunately, most organizations block Skype so we are back to competitors listening in to our insecure conference call lines.
I don’t think anything is going to change … well, until there is a major incident or breach that involves attackers infiltrating these conference calls to collect and post sensitive information on the Internet. And as usual … we will be in our typical reactive state.
Do you know of any conference call systems that implement some of the suggestions mentioned above? Let us know in the comments below. Today’s perfectly fitting post photo comes from ConferenceCallReviews.com. See ya!