European VoIP Summit London 2017 // ITSPA Sessions
TRANSCRIPT
The Victim
• Organisation in the leisure and hospitality industry
• Extensive facilities and grounds
• Existing Avaya phone system, fixed handsets, problem free
• International calls routed via a manned reception desk
• Needed to improve staff communication
[Diagram: Avaya PBX on a Voice VLAN, ISDN 30 to the PSTN]
The Attempted Solution
• New WiFi/VoIP system covering all facilities
• Zycoo PBX (Asterisk based)
• WiFi VoIP handsets for staff
• FXS/FXO link to the existing Avaya PBX and PSTN
• Zycoo linked to the Internet for remote support
[Diagram: Avaya PBX on the Voice VLAN with ISDN 30 to the PSTN; Zycoo PBX attached over an FXS/FXO connection; campus WiFi serving the WiFi handsets; Internet reached through the firewall]
Fraud Timescale and Partial Call Log
Timeline (markers at days 0, 14 and 21): installation commenced; fraudulent calls; remedial work; fraudulent calls; permanent shutdown

Time   Number Dialled   Detail    Duration (H:MM:SS)   Cost (£)
23:59  00870773106590   Inmarsat  0:20:29              102.42
00:58  00870773106590   Inmarsat  0:20:33              102.75
01:20  00870773303338   Inmarsat  0:20:30              102.50
01:45  00870773303338   Inmarsat  2:26:30              732.50
03:35  00870773303338   Inmarsat  2:23:42              718.50
Primary Factor Allowing Fraudulent Calls
• Zycoo PBX was configured without passwords for connecting extensions
• Easy to connect to the VoIP network via WiFi or the Internet and enumerate the extensions
• Easy to make calls to PSTN numbers

Extension   Password
350         [no password]
351         [no password]
352         [no password]
353         [no password]
Secondary Factors Allowing Fraudulent Calls
• The Avaya PBX was reconfigured to allow direct dialling of International calls*
• No controls on access from the Internet to the Zycoo PBX (any port, any IP address)*
• WiFi SSID visible, weak and guessable password
• Poor project management
* No one would admit responsibility for either of these changes
ITSPA Checklist for Secure Deployment of a PBX
• Ensure that every extension configured on your system has a password
• Set up the IP-PBX behind a firewall
• Limit external access to known IPs only
• Failing to follow these simple steps can cost tens of thousands of pounds
• If you need help, ask an ITSPA member!
http://www.itspa.org.uk/wp-content/uploads/161125_IPPBX_BCP.pdf
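The checklist items above, and the no-password extension table under the primary factor, can be checked mechanically against the PBX's own configuration. The following is an added example written for this page, not ITSPA's or Zycoo's code: it parses a constructed chan_sip-style sip.conf (the syntax an Asterisk-based PBX uses for its SIP extensions; the sample config, the extension names 350 to 353, the address ranges and the secrets are all made up for the example) and reports extensions with no secret, guessable secrets, `insecure=invite`, and peers with no deny/permit IP restriction.

```python
"""Audit an Asterisk chan_sip configuration against the ITSPA checklist (added example)."""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^\[([^\]]+)\](?:\(([^)]*)\))?\s*$")

# Constructed sample modelled on the case study's extensions 350-353 (not a real config).
SAMPLE_SIP_CONF = """\
[general]
context=from-internal
bindaddr=0.0.0.0          ; listens on every interface, including the Internet-facing one

[350]                      ; as installed: no secret at all
type=friend
host=dynamic

[351]                      ; 'fixed' with a secret equal to the extension number
type=friend
host=dynamic
secret=351

[352]                      ; hardened: strong secret, only the campus WiFi range may register
type=friend
host=dynamic
secret=Tr0ub4dor&Coffee-2017
deny=0.0.0.0/0.0.0.0
permit=10.20.0.0/255.255.0.0

[353]                      ; strong secret, but insecure=invite switches authentication off again
type=friend
host=dynamic
secret=Tr0ub4dor&Coffee-2017
insecure=port,invite
"""


def parse_asterisk_conf(text):
    """Parse Asterisk's ini-like syntax into {section: {key: [values]}}.

    Strips ';' comments, accepts both 'key=value' and 'key => value', and keeps
    repeated keys as a list because a peer may carry several permit=/deny= lines.
    (A ';' inside a secret would need quoting; the sample avoids that.)
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, defaultdict(list))
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()].append(value.lstrip(">").strip())
    return sections


def weak_secret(secret, extension):
    """Short, all-digit, or equal to the extension number: trivially guessable."""
    return len(secret) < 8 or secret.isdigit() or secret.lower() == extension.lower()


def audit_sip_conf(text):
    """Return (section, severity, message) findings, in configuration order."""
    conf = parse_asterisk_conf(text)
    findings = []
    general = conf.get("general", {})
    if general.get("allowguest", [""])[-1].lower() != "no":
        findings.append(("general", "high", "allowguest is not set to 'no': unauthenticated callers may be accepted"))
    if general.get("alwaysauthreject", [""])[-1].lower() != "yes":
        findings.append(("general", "medium", "alwaysauthreject is not set to 'yes': responses reveal which extensions exist"))
    for name, opts in conf.items():
        if opts.get("type", [""])[-1].lower() not in ("friend", "peer", "user"):
            continue  # [general], templates and other non-peer sections
        secrets = [s for s in opts.get("secret", []) + opts.get("md5secret", []) if s]
        if not secrets:
            findings.append((name, "critical", "no secret: anyone who enumerates the extension can register and dial out"))
        elif opts.get("secret") and weak_secret(opts["secret"][-1], name):
            findings.append((name, "high", "weak secret"))
        if any("invite" in v.lower() for v in opts.get("insecure", [])):
            findings.append((name, "critical", "insecure=invite: incoming INVITEs are not authenticated"))
        if not opts.get("deny") or not opts.get("permit"):
            findings.append((name, "medium", "no deny/permit ACL: registration accepted from any IP address"))
        elif any(p.startswith("0.0.0.0/") for p in opts["permit"]):
            findings.append((name, "medium", "permit=0.0.0.0/... re-opens the peer to every address"))
    return findings


if __name__ == "__main__":
    for section, severity, message in audit_sip_conf(SAMPLE_SIP_CONF):
        print(f"[{section}] {severity.upper()}: {message}")
```

Run against a live PBX's sip.conf the same audit is a cheap pre-go-live gate: extension 350 here is the case study's situation, 351 is the "fix" that leaves the extension guessable, and 353 shows why a strong secret is not enough on its own when another option disables the check. The ACL finding is the per-peer version of "limit external access to known IPs only"; the firewall in front of the PBX is still needed for the management interface.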
Anatomy of a PBX Hack
1:40 am, Sunday: a customer's PBX is hacked
1st Successful Call – Testing
• 5-second call to Palestine
Voipfone
1st Hour – Searching
• 91 attempted calls to Grenada, Nicaragua, Democratic Republic of Congo, Kiribati, Latvia, Maldives, Morocco, Burma (Myanmar), Nauru, Ukraine, Gambia, Norway, Bosnia and Herzegovina, Jamaica, Somalia, Serbia and Togo
• None of the calls connected
2nd Hour – well, who knows? I don’t
• 312 calls
• 22 were successful
• Repeat calls of zero duration were made to the same numbers in succession in no obvious pattern
A search for successfully connectable numbers was in progress, but it was non-systematic and ham-fisted.
3rd hour - Operational:
• 1,106 calls, 281 (25%) were successful
• £617.92 in total; 1,079 (98%) to Burkina Faso mobile numbers
• 946 (86%) were to a single number.
The fact that a single number could accept so many simultaneous connections means the calls were being terminated on a commercial platform, suggesting a large-scale operation.
4th Hour - Intervention:
• 95 calls in 9 minutes at a total cost of £115.01
• 98% to Burkina Faso mobile numbers
• 53% to the same number
Account disabled, maximum spend exceeded
Result
Total 1,604 calls,
352 (22%) successful, £738.32.
Finally generating £766 per hour
48hrs over weekend = £36,768
Voiceflex and Frip Finishing Ltd
“This case concerns the consequences of a fraud carried out by unknown third-party hackers ("the hackers") between about 21.40 p.m. on Saturday, 29 October 2011 and about 10:22 a.m. the following Monday, 31 October 2011, when they hacked into Frip's router and/or PBX, with the consequence that some 10,366 telephone calls were made by persons unknown […] The majority of the telephone calls were made to a premium rate telephone number based in Poland […] As a result, the claimant rendered its invoice [which] came to a total of £35,560.20.”
(EWHC, 2014).
Risk Indicators (statistically significant, p < 0.001)
• Time of day & Day of Week
• Cost of call
• Repeat calls to same number
• Intensity of calling
• High % unsuccessful calls
• Non-Western countries
• Nation states with micro-populations
• Non-UK sign-up (x9.43)
What Can Be Done?
• Create rules – call risk characteristics
  – Build country risk indexes
  – Black list of bad numbers, e.g. TUFF, ITSPA SNITCH List
  – Use wholesalers that use anti-fraud tools
  – Ban 09 and 070 – allow by account on request
  – Key risk indicators are call price and call frequency
• Real-time, automatic intervention required – notification or retrospective systems don't work
• Disable accounts that fail the rules
• Include failed calls, count call attempts
• Get your T&Cs sorted: "AUTHORISED & UNAUTHORISED"
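The risk indicators and the rules on the two slides above can be turned into a screening step that runs at call setup, before the attempt costs anything. The following is an added example written for this page, not Voipfone's system (whose actual rules the slides do not show): it scores every attempt, denied and failed ones included, from a country risk index, a block list, the 09/070 prefixes, time of day, repeat dialling, the failure ratio and spend in a sliding window, and disables the account on its own rather than notifying someone after the weekend. The country scores, the block-list entry, the account name, the thresholds and the call stream are all assumptions constructed for the example; the stream is modelled on the "Anatomy of a PBX Hack" timeline.

```python
"""Real-time screening of call attempts from the rules on the slide above (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed risk index keyed by dialling prefix: illustrative scores, not a real index.
COUNTRY_RISK = {"00226": 9, "00970": 7, "00870": 10, "0044": 1}
BLACKLIST = {"00226700000001"}      # constructed entry standing in for a TUFF / SNITCH listing
PREMIUM_PREFIXES = ("09", "070")    # blocked unless enabled for the account on request


@dataclass
class Attempt:
    ts: datetime
    account: str
    number: str
    connected: bool = False   # outcome of the call if it is allowed to proceed
    cost: float = 0.0


def country_risk(number):
    """Longest-prefix match against COUNTRY_RISK; unknown destinations score 5."""
    for prefix in sorted(COUNTRY_RISK, key=len, reverse=True):
        if number.startswith(prefix):
            return COUNTRY_RISK[prefix]
    return 5


def off_hours(ts):
    """Weekend or night: the hacks described above all began at night at the weekend."""
    return ts.weekday() >= 5 or ts.hour < 7 or ts.hour >= 20


class FraudMonitor:
    def __init__(self, window=timedelta(hours=1), spend_cap=50.0, attempt_cap=40,
                 deny_score=10, disable_score=14, premium_allowed=frozenset()):
        self.window, self.spend_cap, self.attempt_cap = window, spend_cap, attempt_cap
        self.deny_score, self.disable_score = deny_score, disable_score
        self.premium_allowed = premium_allowed
        self.history = defaultdict(deque)   # account -> attempts in the window, failed ones included
        self.disabled = {}                  # account -> why it was switched off

    def _recent(self, account, now):
        queue = self.history[account]
        while queue and now - queue[0].ts > self.window:
            queue.popleft()
        return queue

    def evaluate(self, a):
        """Decide at call setup, before the call costs anything: (decision, reasons)."""
        if a.account in self.disabled:
            return "deny", ["account disabled: " + self.disabled[a.account]]
        recent = self._recent(a.account, a.ts)
        decision, reasons = "allow", []
        if a.number in BLACKLIST:
            decision, reasons = "deny", ["number on block list"]
        elif a.number.startswith(PREMIUM_PREFIXES) and a.account not in self.premium_allowed:
            decision, reasons = "deny", ["premium prefix not enabled for account"]
        else:
            score = country_risk(a.number)
            if off_hours(a.ts):
                score += 2
                reasons.append("off-hours")
            repeats = sum(1 for p in recent if p.number == a.number)
            if repeats:
                score += min(repeats, 5)
                reasons.append(f"{repeats} repeat attempts to same number")
            failed = sum(1 for p in recent if not p.connected)
            if len(recent) >= 10 and failed / len(recent) >= 0.8:
                score += 4
                reasons.append("mostly unsuccessful calls: number search in progress")
            spend = sum(p.cost for p in recent)
            reasons.append(f"risk score {score}")
            if spend >= self.spend_cap or len(recent) >= self.attempt_cap:
                decision = "disable"
                reasons.append("spend or attempt cap reached")
            elif score >= self.disable_score:
                decision = "disable"
            elif score >= self.deny_score:
                decision = "deny"
        if decision == "disable":
            self.disabled[a.account] = "; ".join(reasons)
        allowed = decision == "allow"   # a denied attempt never connects and never costs anything
        self.history[a.account].append(
            Attempt(a.ts, a.account, a.number, a.connected and allowed, a.cost if allowed else 0.0))
        return decision, reasons


def run_stream(monitor, attempts):
    """Feed attempts in time order and return the decision taken on each."""
    return [monitor.evaluate(a)[0] for a in attempts]


# Constructed stream modelled on the "Anatomy of a PBX Hack" slides: a Sunday-night test
# call, a scatter of failed international attempts, then one number dialled repeatedly.
T0 = datetime(2017, 5, 7, 1, 40)   # a Sunday
SAMPLE_STREAM = [
    Attempt(T0 + timedelta(minutes=m), "acct-1", number, connected, cost)
    for m, number, connected, cost in [
        (0, "00970599000001", True, 0.12),   # 5-second test call
        (2, "0014735550001", False, 0.0),
        (3, "0050588880001", False, 0.0),
        (4, "0024399990001", False, 0.0),
        (5, "00226700000001", False, 0.0),   # on the block list
        (6, "0900123456", False, 0.0),       # 09 premium prefix
        (7, "00226700000002", True, 0.55),
        (8, "00226700000002", True, 0.55),
        (9, "00226700000002", True, 0.55),
        (10, "00226700000002", True, 0.55),
        (11, "00226700000002", True, 0.55),
    ]
]

if __name__ == "__main__":
    monitor = FraudMonitor()
    for a in SAMPLE_STREAM:
        decision, why = monitor.evaluate(a)
        print(f"{a.ts:%H:%M} {a.number:<15} {decision:<7} {'; '.join(why)}")
```

Two design points follow the slides directly: denied and failed attempts are appended to the window as well as successful ones, so the repeat and failure-ratio rules see the "searching" phase even though it produced no billable minutes; and the decision is taken synchronously per attempt, so the account in the sample is off after ten attempts rather than after a Monday-morning review. The thresholds are deliberately low so the sample shows every outcome; a production system would tune them per account and would let a customer enable 09/070 or a high-risk destination on request.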
Before and After
Date             Loss
22 July 2014     £364.86
22 July 2014     £26.75
22 July 2014     £429.82
22 July 2014     £0.52
22 July 2014     £0.10
24 July 2014     £0.40
24 July 2014     £0.64
27 July 2014     £0.44
23 August 2014   £0.05
27 August 2014   £0.48
This has been a Public Service Presentation on behalf of ITSPA
Come join us.....
Colin Duffy, Voipfone
Overview
• What is the General Data Protection Regulation?
– background and timeline
• Scope and core principles
• Interacting with customers
– customer consents
– impact on privacy policies
– [new data subject rights]
osborneclarke.com
What does the General Data Protection Regulation do?
• Replaces / completely overhauls the existing Directive and, by extension, the Data Protection Act 1998 in the UK
• Same basic principles as the current regime … but aims to harmonise legislation across the EU
• Modernises data protection laws but aims to be technology neutral
• "Protects fundamental rights … of natural persons … to the protection of personal data"
• Promotes free movement of personal data within the EU
Timeline and next steps
• 25 Jan 2012: first draft of the General Data Protection Regulation ("GDPR")
• 15 Dec 2015: European Parliament and EU Council of Ministers reach political agreement on a compromise GDPR text
• 27 Apr 2016: formal adoption by the European Parliament and Council
• 4 May 2016: publication in the Official Journal
• December 2016 onwards: Article 29 Working Party guidance
  – setting up the new European Data Protection Board (EDPB)
  – preparing the one-stop shop and consistency mechanism
  – issuing guidance for controllers and processors
  – on-going communications
• 25 May 2018: GDPR comes fully into force
GDPR takes privacy regulation to a new level
[Bar chart: number of Articles, Recitals and Pages, DPD versus GDPR]
• Higher level of complexity
• Packed with stricter requirements
The bigger picture and impact
• A new era of data protection compliance in Europe which also sends a strong message to global businesses
• Businesses will need to focus more time, resources and money on compliance
• Impact on consumer expectations and behaviours?
• The e-Privacy Directive is also being updated
  – but existing law remains in place for now
• Aligns with the European Digital Single Market
• Cross-over with the NIS Directive on cyber security
What is personal data?
• Personal data means any data which relate to an identified or identifiable natural individual (the data subject)
• GDPR applies to processing of personal data:
– wholly or partly by automated means
– which form part of a filing system (= a structured set of personal data accessible according to specific criteria)
• Special categories of data are data relating to racial or ethnic origin, political opinions, religious or “similar” beliefs, trade union membership, physical or mental health, sexual life, [and actual or alleged criminal offences]
– GDPR restrictions on certain genetic/biometric data
Controlling and Processing
• Processing includes virtually every conceivable operation in relation to data (and does not require automated means)
• A data controller determines the purposes and means of processing
• A data processor processes data on behalf of a data controller
Recap: existing Data Protection Principles
1. Personal data must be processed fairly and lawfully
2. Personal data must be obtained for specified purposes and not processed in a manner incompatible with those purposes
3. Personal data must be adequate, relevant and not excessive
4. Personal data shall be accurate and (where necessary) kept up to date
5. Personal data must not be kept longer than necessary
6. Personal data must be processed in accordance with the rights of data subjects
7. Appropriate technical and organisational measures must be taken against unauthorised processing, and against loss or destruction
8. Personal data must not be transferred to a country outside the EEA unless that country ensures an adequate level of protection for the rights and freedoms of data subjects in relation to personal data
New and restated principles (1) (Article 5)
Personal data must be:
• processed lawfully, fairly and in a transparent manner
• collected for specified, legitimate and explicit purposes and not processed in a way incompatible with them ("purpose limitation")
  – some purposes will not be incompatible:
    • public interest archiving
    • scientific/historical research purposes
    • statistical purposes
• adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed ("data minimisation")
…
New and restated principles (2) (Article 5)
Personal data must be:
• accurate and, where necessary, kept up to date ("accuracy")
  – must take every reasonable step to erase/rectify inaccuracies without delay
• kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which it is processed ("storage limitation")
  – storage for longer periods permitted for archiving etc.
• processed in a way which ensures appropriate security of data ("integrity and confidentiality")
The controller shall be responsible for and able to demonstrate compliance ("accountability")
Sanctions – Harmonised and Higher (Articles 77 – 84)
• Fines applicable by DPAs:
• Right to claim compensation from controller or processor
• Data subjects to have right to effective judicial remedy
  – in home state and where controller/processor is established
Requirements for lawful processing (1) (Article 6) – similar to DPA
Lawful processing requires one of these criteria to be met:
• data subject's consent
  – "freely given, specific, informed and unambiguous"
  – stricter conditions must be met (see below)
• necessary for performance of a contract to which the data subject is party (or to take steps requested by the data subject prior to contract)
  – not a contract with third parties or subcontractors
• necessary for compliance with a legal obligation to which the controller is subject
• necessary in order to protect the vital interests of the data subject
Requirements for lawful processing (2) (Article 6) – similar to DPA
(Lawful processing requires one of these criteria to be met:)
• necessary to perform a task in the public interest or under official authority
• necessary for the legitimate interests of the controller or a third party, and not overridden by the interests or fundamental rights or freedoms of the data subject
  – what are "legitimate interests"?
    • preventing fraud?
    • ensuring network security?
    • internal administration?
    • direct marketing purposes?
  – need to take account of the data subject's reasonable expectations
  – requires careful assessment
BUT stricter basic conditions for consent (Article 7)
Requests for consent must be:
• clearly distinguishable from other matters
• in an intelligible and easily accessible form
• in clear and plain language
Consent can be withdrawn at any time:
• must be as easy to withdraw as to give
• data subject must be told upfront that this is possible
Other drawbacks:
• contract performance must not be conditional on consent
• clear evidence
• consent for separate processing operations
ICO draft guidance on consent published 2 March 2017
Extra consent requirements (Articles 8 & 9)
Consent by children to "information society services":
• Requires consent or authorisation by a parent
  – applies below 16 years or a lower age (not below 13) set by the Member State
• Reasonable efforts to verify parental approval required
Processing "special categories" of personal data:
• Generally requires explicit consent
• Some other (limited) grounds available, e.g.:
  – necessary for employment law, social security or social protection
  – protection of vital interests
  – where the personal data has been manifestly made public by the data subject
Enhanced transparency and information (Articles 12 – 14)
• Transparency is key
• Information / communications must be:
  – concise
  – transparent
  – intelligible
  – in an easily accessible form
  – set out in clear and plain language
• Similar obligations where data is not obtained from the data subject
Enhanced information provision requirements
What information do you have to provide when data is collected?
1. Controller's identity and contact details
2. Purposes and legal basis of processing
3. Legitimate interests (pursued by the controller or third party)
4. Details on other recipients (or categories of recipient)
5. Cross-border transfers
6. Period for which data will be stored (or relevant criteria)
7. Existence of data subjects' rights (see later)
8. Existence of any automated decision making
9. Right to lodge a complaint with a supervisory authority
10. Whether data is required by statute or contract or necessary to enter into a contract, plus consequences of failure to provide data
Enhanced information provision requirements
What about information that is not obtained directly from the data subject?
The same information has to be provided plus:
1. categories of data concerned;
2. source of the data.
When?
– within a reasonable period after obtaining the data;
– if used for communications – at the time of the first communication with the data subject (at the latest);
– if disclosed to another recipient – when the data is first disclosed (at the latest).
In both cases update the data subject if the purposes change
Contact details
Mark Taylor
Partner, Commercial
T +44 (0) 20 7105 7640
M +44 (0) 7702 136 965