{"id":9528,"date":"2016-07-06T08:21:42","date_gmt":"2016-07-06T15:21:42","guid":{"rendered":"https:\/\/www.aerocominc.com\/info\/?p=9528"},"modified":"2017-05-11T09:15:39","modified_gmt":"2017-05-11T16:15:39","slug":"cloud-therapy-ep-010-sip-security-tips-with-bill-bollinger","status":"publish","type":"post","link":"https:\/\/www.aerocominc.com\/info\/cloud-therapy-ep-010-sip-security-tips-with-bill-bollinger\/","title":{"rendered":"Cloud Therapy: EP 010 &#8211; SIP Security Tips with Bill Bollinger"},"content":{"rendered":"<p><img class=\"aligncenter wp-image-9529\" src=\"https:\/\/www.aerocominc.com\/info\/wp-content\/uploads\/2016\/07\/SIP-Security-Podcast.jpg\" alt=\"SIP Security Podcast\" width=\"589\" height=\"327\" \/><\/p>\n<p><span style=\"color: #ff6600;\"><a style=\"color: #ff6600;\" href=\"https:\/\/www.linkedin.com\/mynetwork\/invite-sent\/bill-bollinger-6254521a\/\" target=\"_blank\">Appia&#8217;s<\/a><\/span> Co-Founder and VP of Legacy Systems, <a href=\"https:\/\/www.linkedin.com\/mynetwork\/invite-sent\/bill-bollinger-6254521a\/\" target=\"_blank\">Bill Bollinger<\/a>, discusses his tips for IT Departments on <span style=\"color: #ff6600;\"><a style=\"color: #ff6600;\" href=\"https:\/\/www.aerocominc.com\/info\/our-products\/access\/voice\/sip\/\" target=\"_blank\">SIP<\/a><\/span> Security. 
As someone who&#8217;s been around VoIP for as long as anyone and whose company sees thousands of SIP hack attempts every day, Bill knows his stuff and has some simple yet great tips on how to choose a secure SIP provider, how to set up your credentials in a way that reduces risk, and what to do if you&#8217;re getting hit with a barrage of phantom calls.<\/p>\n<p><iframe style=\"border: none;\" src=\"\/\/html5-player.libsyn.com\/embed\/episode\/id\/4469903\/height\/90\/width\/640\/theme\/custom\/autonext\/no\/thumbnail\/yes\/autoplay\/no\/preload\/no\/no_addthis\/no\/direction\/backward\/render-playlist\/no\/custom-color\/87A93A\/\" width=\"640\" height=\"90\" scrolling=\"no\" allowfullscreen=\"allowfullscreen\"><\/iframe><\/p>\n<p>Want more Cloud Therapy? Subscribe to us on <span style=\"text-decoration: underline;\"><a href=\"https:\/\/itunes.apple.com\/us\/podcast\/cloud-therapy-aerocominc.com\/id1112772590?mt=2\" target=\"_blank\">iTunes<\/a><\/span> or <a href=\"http:\/\/www.stitcher.com\/podcast\/cloud-therapy-with-aerocominccom?refid=stpr\" target=\"_blank\">Stitcher<\/a>!<\/p>\n<h5><em>See full transcript below:<\/em><\/h5>\n<p>Mike: Hey, everybody. Thank you for joining us on the program today. We\u2019ve had <span style=\"color: #ff6600;\"><a style=\"color: #ff6600;\" href=\"https:\/\/www.aerocominc.com\/info\/our-products\/cloud\/communications-and-collaboration\/cloud-phone-system\/\" target=\"_blank\">hosted VoIP<\/a><\/span> in our office for, well, since 2005, so about eleven years. Around a couple of years ago, we started noticing these calls that were coming in on our 800 number. We would pick up the phone\u2026 When someone calls our 800 number, it\u2019s, kind of, a round-robin. Somebody would pick up the phone and it would be dead air. Then, you\u2019d hear a click and, sometimes, it would go back to a busy signal or something like that, but the calls are always coming from different numbers. Now, being in the telecom industry, I, kind of, knew, at the back of my head, there wasn\u2019t much we could do from our phone system standpoint to block the calls because they were coming from different numbers every single time. 
I also knew that this was probably some type of a scam going on where somebody was making money off of long-distance calls. We called our service provider and it seemed like they couldn\u2019t really do anything about it. We slapped an auto-attendant onto our main number to just temporarily fix the problem so that we didn\u2019t have to constantly be picking up the phone. It, kind of, discouraged everyone in the office from wanting to pick up the phone because they knew it was probably, nine times out of ten, going to be just some dead-air call. That fixed the problem for a while and then we went back to answering the phones live after some time and it seems like it only happens here and there. Then, one of our sales people called me and told me all of a sudden his phone is ringing incessantly, non-stop, with these dead-air calls. We called our service provider \u2013 there wasn\u2019t much they could do about it. They said something probably happened where one of his ports on his firewall got opened. He actually works from his home and something happened with his residential internet service firewall on the router, which just seemed strange. We were pretty frustrated with it. My rep was extremely frustrated with it. Since his phone was non-stop ringing, he had to unplug it most of the time. We didn\u2019t really know what to do. All of a sudden, our service provider accidentally disconnected all of our phone numbers. When someone would call any of our phone numbers, it would say, \u201cThis number has moved\u201d or is no longer in service. It was only down for like a minute or two \u2013 we fixed the problem super-fast. It was just a mistake, an honest mistake on their end. After that, magically, no more of those spam calls or those weird calls. Well, that\u2019s just my story with getting, kind of, hacked or having people try to hack our hosted phone system. 
Now, we have hosted VoIP, but I know this goes on a lot with <span style=\"color: #ff6600;\"><a style=\"color: #ff6600;\" href=\"https:\/\/www.aerocominc.com\/info\/our-products\/access\/voice\/sip\/\" target=\"_blank\">SIP trunking<\/a><\/span> service as well since hosted VoIP, kind of, uses SIP trunking anyway \u2013 it really does, but just in a different way. Even though those are two separate products, SIP trunks and hosted VoIP, they both involve some type of security. So, when our next guest Bill Bollinger came to me and said he\u2019d like to speak on our podcast about SIP security, I jumped at the chance just because I had an experience with it and we\u2019re a very small company compared to some of you guys, and I know that security is always a big issue with IT folks. I thought that would be a perfect thing to talk about in our podcast. So, I\u2019m really excited. Again, this fellow\u2019s name is Bill Bollinger. He is the Vice President of Legacy Systems with <span style=\"color: #ff6600;\"><a style=\"color: #ff6600;\" href=\"http:\/\/www.aerocominc.com\/company-profile\/appia\" target=\"_blank\"><span style=\"text-decoration: underline;\">Appia<\/span> <\/a><\/span>and he\u2019s also their co-founder. Don\u2019t let the title fool you, he\u2019s actually more of a technical person. He is more of, like, their engineer person. Because he\u2019s one of the co-founders, he, kind of, jumps around into different jobs \u2013 whatever type of job they need him at, that\u2019s what he does. Right now, he\u2019s the VP of Legacy Systems, but he really knows his stuff when it comes to SIP and VoIP. Appia started in 2001, so he co-founded a company whose main product was Voice over IP in 2001. Most of us didn\u2019t even know what that was in 2001. Don\u2019t lie, most of you had no clue. I know I didn\u2019t and I know all of my customers had no clue. That\u2019s why he knows his stuff. It\u2019s a really great conversation. 
He gets into some cool things and some actions you can do on your end to make sure that people aren\u2019t hacking into your system. Some very specific, easy things that all of us can do like something as simple as making sure your admin is not using the standard\/default credentials to log in. I know you guys are laughing, but, don\u2019t lie, I know some of you have that setup on some of your things, so it is a good tip and it\u2019s something that all of us need to do to make sure we don\u2019t get our system hacked. When you do get hacked, some bad things can happen. He has a story where someone had some really significant losses, financially, on their phone bills because they were hacked. I know you\u2019re going to get some great stuff from this episode and if that\u2019s not enough for you, I\u2019ve also got another free giveaway.<\/p>\n<p>I took a bunch of time \u2013 I talked about this in our last episode. IT professionals, typically, do not know voice very well. Don\u2019t be offended if you are one of those who does, but most of you don\u2019t. 
I went ahead and took a lot of time to write down all the differences between all the main types of voice access which are: <span style=\"color: #ff6600;\"><a style=\"color: #ff6600;\" href=\"https:\/\/www.aerocominc.com\/info\/our-products\/access\/voice\/pri\/\" target=\"_blank\">PRI<\/a><\/span>, <span style=\"color: #ff6600;\"><a style=\"color: #ff6600;\" href=\"https:\/\/www.aerocominc.com\/info\/our-products\/access\/voice\/sip\/\" target=\"_blank\">SIP<\/a><\/span>, and <span style=\"color: #ff6600;\"><a style=\"color: #ff6600;\" href=\"https:\/\/www.aerocominc.com\/info\/our-products\/access\/voice\/pots\/\" target=\"_blank\">analog lines<\/a><\/span>. \u201cDifferences\u201d meaning: What capabilities does each technology have in terms of being able to failover? What capabilities does each have in terms of phone numbers, in terms of access types? When is each technology the best fit for your company?<\/p>\n<p>I made a little guide, it\u2019s like a chart, listing these three technologies in three separate columns and down the rows, all these different capabilities. I hope it\u2019s something that you guys will get a lot of benefit from. I think you will. If you\u2019re shopping for voice services and you don\u2019t know, really, if you should go with SIP, or stay with PRI, or if you should keep your analog lines if you\u2019re moving to SIP, this is a great little guide. It\u2019s real short and sweet.<\/p>\n<p>I\u2019ll give it to you for free, no problem. All you have to do is text the word \u201cVOICEGUIDE\u201d to the number 44-222. Again, just text the word \u201cVOICEGUIDE\u201d to the number 44-222 and we will send you a free copy of this voice guide that I, personally, took the time to make and I know you\u2019ll like.<\/p>\n<p>Alright, let\u2019s get to the interview.<\/p>\n<p>Alright, Bill. 
Thanks for joining us on the program.<\/p>\n<p>Bill: Thank you for having me.<\/p>\n<p>Mike: Tell us a little bit about yourself both personally and professionally.<\/p>\n<p>Bill: Love to. I\u2019m with <span style=\"color: #ff6600;\"><a style=\"color: #ff6600;\" href=\"http:\/\/www.aerocominc.com\/company-profile\/appia\" target=\"_blank\">Appia Communications<\/a><\/span>. I\u2019ve been here since about 2001. I\u2019m currently the VP of Legacy Systems, but throughout my tenure here I\u2019ve had a number of different roles. I\u2019ve been involved with the building of our infrastructure, deployment of our services, maintenance of our services, and also involved on the sales side as well.<\/p>\n<p>Mike: Fantastic. What did you do before Appia?<\/p>\n<p>Bill: I\u2019ve been with a number of technical companies, a number of startups. I also had begun a startup involved in Voice over IP as well.<\/p>\n<p>Mike: Wow. So, yeah, you\u2019ve been in Voice over IP before most of us knew what it was.<\/p>\n<p>Bill: I have, actually. It put me in a fairly unique place to be able to participate in the startup of Appia Communications.<\/p>\n<p>Mike: Fantastic. What about personally?<\/p>\n<p>Bill: I live in metro Chicago, and have a couple of kids that are grown and off on their own. I enjoy running quite a bit \u2013 I run several marathons. Between running and working, that\u2019s, kind of, my life.<\/p>\n<p>Mike: That\u2019s pretty cool. What\u2019s the last marathon that you ran?<\/p>\n<p>Bill: The last marathon I ran was the Indianapolis marathon a few years ago.<\/p>\n<p>Mike: Oh, fantastic. So, sometimes you\u2019re actually traveling to go run different ones, not just in Chicago?<\/p>\n<p>Bill: That\u2019s correct. I ran marathons in Honolulu, in Indianapolis, and Chicago.<\/p>\n<p>Mike: Oh, wow. The running bug is just one thing that has never hit me. I think I\u2019ve hated to run since I was a little kid. 
I was an athlete in a lot of other sports, but the running thing, you know\u2026 Now that I have kids and don\u2019t have as much free time, just trying to stay in shape going to the gym, I always think, \u201cYou know, maybe running is a good idea,\u201d but it just never sounds like fun to me. For you, is it something that you\u2019ve always enjoyed? Is it something that you\u2019ve picked up as you got a little bit older?<\/p>\n<p>Bill: Running is not my favorite thing either. I, kind of, look at it as a life extension practice. I ran my first marathon in Honolulu, as I\u2019ve mentioned, back in 1985 with little to no training because I was young and foolish. I did so much damage, I didn\u2019t run again for another fifteen years, so it\u2019s been the last ten years or so that I\u2019ve picked it back up again.<\/p>\n<p>Mike: Oh, wow. Yeah. When we were kids, I think, my dad got into running a little bit. He ran in a marathon, I think, it was down in Long Beach. My memory is just us getting in our family van \u2013 we had four kids in our family. We drove down to see him run this marathon. I remember afterward\u2026 I remember him, like, getting in the back of the van and cramping up on the way home. He must have been cramped up because, all of a sudden, he was in all this pain.<\/p>\n<p>As a kid, I didn\u2019t know what was going on. I\u2019m like, \u201cWhy is he\u2026\u201d like, \u201cGosh, is he going to die or something? What\u2019s going on back there?\u201d Thinking back now, I was thinking, oh, that\u2019s the first marathon he ever ran in. It\u2019s probably just like you said, he probably didn\u2019t prepare for it as much as he should have. It\u2019s probably taken a toll on his body that getting into a car within half an hour after you get done running a marathon and charging home, probably start cramping up pretty bad.<\/p>\n<p>Bill: As far as I\u2019m concerned, he\u2019s a winner just for having attempted a marathon. 
Completing it is even better. My hat\u2019s off to him.<\/p>\n<p>Mike: Yeah, me too. I\u2019m like, \u201cOh, man. That\u2019s tough.\u201d Just being on the elliptical machine is pretty tough for me, but I don\u2019t know.<\/p>\n<p>Anyway, today, I\u2019m excited to hear your topic. Today, you\u2019re going to talk to us about <span style=\"color: #ff6600;\"><a style=\"color: #ff6600;\" href=\"https:\/\/www.aerocominc.com\/info\/our-products\/access\/voice\/sip\/\" target=\"_blank\">SIP<\/a><\/span> security, which I think is a really great topic because I know our listeners who are IT professionals for small and mid-sized companies out there, I know security is always huge with them no matter what we\u2019re talking about. Whether or not we\u2019re talking cloud computing, or their servers in-house, or SIP, security is always big.<\/p>\n<p>I think, SIP security, in itself can, kind of, sneak up on you. People think voice, a lot of times security really isn\u2019t their top concern. They\u2019re thinking more, you know, downtime, voice quality, and things like that, but security is a big deal and should be a big deal. So, go ahead and tell us a little bit about your topic and I\u2019ll just turn it over to you.<\/p>\n<p>Bill: Well, thanks. With SIP trunk service being one of the many things that Appia offers, we are daily barraged by people attempting to gain a foothold and be able to fraudulently connect with us to consume minutes, long-distance minutes. Primarily, these attempts are happening to, what we call, high-cost destinations around the globe. In fact, we\u2019re getting hit daily with hundreds of attempts every second. 
As a service provider, we\u2019ve had to employ pretty significant security practices to prevent unauthorized people from being able to leverage our infrastructure while only allowing those folks who are authorized to be able to leverage our trunking services.<\/p>\n<p>Mike: Can you explain that a little bit to us novices out there? I\u2019ve heard that a little bit being in the industry for sixteen years. Not as long as you, but long enough to know that I\u2019ve heard about, somehow, there are some scams going on where people make money by consuming long-distance minutes. Can you explain that to the novice voice people out there and help us understand how people are making money off of consuming long-distance minutes?<\/p>\n<p>Bill: Certainly. There are a couple of different things that happen. Now, these service providers are typically offshore from the United States \u2013 Eastern Europe and into Asia. They\u2019re service providers themselves in many cases and they\u2019re looking for a way to be able to place their minutes to somebody\u2019s high-cost destination, obviously, for free to them. They, over the years, have been pretty successful with their techniques to be able to do that. Other folks will place fraudulent minutes to things like toll-free numbers or even 900 numbers where they\u2019re making money by somebody calling into their numbers and will place multiple hour-long calls into some of these services.<\/p>\n<p>Mike: These people who are terminating minutes on your network, they make money how? If they\u2019re sending long-distance traffic onto your network and terminating it, how do they get paid? Did you guys have to pay them for minutes on your network? How does that work?<\/p>\n<p>Bill: We have to pay somebody for the minutes that are used in the first case, right? They have one of their customers call Afghanistan, for instance. They, then, can gain a foothold on our network or the network of somebody like us, and they can have that call placed for free. 
They\u2019re going to extract a fee from their customer for making their own call, but they don\u2019t have to pay for it. That\u2019s one way they make money.<\/p>\n<p>The other way is that some of these people have, say, a toll-free number or a 900 number, some type of a number where a fee is extracted for calls into that number. They will place fraudulent calls into those numbers so that for every minute that call was up, they\u2019re getting paid.<\/p>\n<p>Mike: Okay. Because I\u2019m always trying to figure out why the heck we always get these weird calls. For instance, on our main number, on our 800 number, a lot of times we\u2019ll get these constant dead-air calls. A call comes in, somebody in our office picks up the phone and it\u2019s just dead air. It\u2019s always from a different number \u2013 the number keeps changing all the time.<\/p>\n<p>We probably get, I don\u2019t know, ten\/fifteen of them a day. We\u2019ve tried to go to our provider and it was like, \u201cHey, what\u2019s going on here?\u201d They just act like there\u2019s nothing they can do and I\u2019m like this has to be some type of scam where they\u2019re making money somehow terminating these calls. I don\u2019t know how they\u2019re making money doing this because it\u2019s just dead air, but it was something that, when you mentioned SIP security, I was like, \u201cI wonder if that has anything to do with what\u2019s going on with us?\u201d<\/p>\n<p>Bill: Well, it may very well be. Really, the topic of what I wanted to talk about today was that not only are these people trying to fraudulently access our system, but they\u2019re also focused on trying to acquire a foothold into customer <span style=\"color: #ff6600;\"><a style=\"color: #ff6600;\" href=\"https:\/\/en.wikipedia.org\/wiki\/Business_telephone_system\" target=\"_blank\">PBX<\/a><\/span>s and leverage their connection into some trunk provider. 
That situation you just described may very well be somebody trying to get a foothold into your phone system. Potentially, and this is fairly common, they get into your voicemail, and your voicemail may be enabled for an outcall capability. They can get into your voicemail, gain access to this outcall capability, and place another call out of your phone system to a very high-cost destination that benefits them.<\/p>\n<p>Mike: Got it.<\/p>\n<p>Bill: Really, the focus of what I really wanted to talk about today was the necessary security that an administrator of a PBX needs to be sensitive to. Obviously, the PBX needs to be locked down pretty tight. Outcall capability out of voicemail has been a traditional way these folks have been able to leverage a PBX, but, today, in the SIP world, SIP trunks typically use two methods of authentication with a service provider like Appia.<\/p>\n<p>The first and preferred method is a method of authentication we call \u201cIP authentication,\u201d which means the service provider and the PBX administrator agree that the method of authentication will be the IP address that the PBX has. That works great in an environment where a static IP address is available to the customer. As a service provider, we will accept any call that originates from that IP address and on an incoming call we will send that call to that dedicated IP address. That\u2019s the most secure method of the two methods that we have available.<\/p>\n<p>For the customer that has a dynamic IP address, perhaps a DSL connection, or whose PBX is only capable of what we call a \u201cdigest authentication method,\u201d a username and a password are used to authenticate. 
When a request comes to us with this agreed-upon username and password, we\u2019ll use that to authenticate calls and register that PBX on the IP address that those credentials are coming from.<\/p>\n<p>Mike: Got it.<\/p>\n<p>Bill: That\u2019s probably the most widely used, only because a lot of PBXs have limitations in that regard. But, it\u2019s not the most secure and there\u2019s an opportunity for a hacker, if you will, to, through a dictionary hack or whatever, eventually guess the username and the password. It\u2019s important that complex credentials be used if the digest method is going to be employed.<\/p>\n<p>We\u2019ve run into a number of interesting situations with this. We\u2019ve had, in fact, a customer begin to send us, what were very clearly to us, fraudulent calls. We have systems that help us identify when this might be the case. We indicated to the customer that we were pretty certain their PBX had been compromised, but the customer didn\u2019t want to deal with it. Despite multiple attempts by us to get their attention, they ran up a bill with us of $10,000.<\/p>\n<p>Mike: Jeez.<\/p>\n<p>Bill: At that point, we started to get their attention, but they continued to deny that the calls were originating from their system for about another week. During that next week, they accumulated another $12,000 in fraudulent long-distance charges while we were arguing whether or not their PBX was secure and had been hacked, which, of course, it had.<\/p>\n<p>It\u2019s a story I like to use about the importance of listening to your service provider because the chances are they\u2019ve been through this before; it\u2019s all they do twenty-four hours a day. Pretty good chance they know what they\u2019re talking about and they\u2019re looking out for your best interest. This particular customer was available to the public internet. 
It had a set of standard credentials that are widely known throughout the industry for the particular platform they were using. In the time it took us to convince them that there was a problem, $24,000 or so worth of fraudulent charges was accumulated.<\/p>\n<p>Mike: Jeez. Then, when you say \u201cstandard credentials,\u201d you\u2019re talking about the username and password on a particular phone or just to get into the PBX admin in general?<\/p>\n<p>Bill: Yes, the latter. The PBX admin was just using the traditional credentials, the factory default credentials that that system comes with.<\/p>\n<p>Mike: Oh, got it. Yeah. You\u2019re like, \u201cWho helped you install your PBX? They didn\u2019t change the factory default?\u201d Jeez.<\/p>\n<p>Bill: Well, the worst part of it was this company that we were dealing with was, in fact, an IT consulting firm that dealt with telephony.<\/p>\n<p>Mike: Oh, jeez. So, lesson learned to all you listeners out there that if you have your phone system installed by a third-party, don\u2019t automatically assume that they\u2019re thinking SIP security as top priority. They may use the factory default to help them easily get access into all these different phone systems that they have installed and they just leave the factory default on there until, maybe, they\u2019ve been burned. You don\u2019t want to be the first person that gets burned for them to learn that lesson, I guess, huh?<\/p>\n<p>Bill: Indeed. In fact, these folks, these hackers, have become very crafty. In the days not too long gone by, they would just blast these fraudulent phone calls and try to get as many phone calls as possible in a short period through the systems that they found were vulnerable. When they would send these calls, it\u2019s fairly easy to identify that you\u2019ve been hacked, and that there\u2019s something in this, and to take care of it, but they\u2019ve gotten much craftier now. 
They know what these typical thresholds are that everybody is looking for now and they send calls at a frequency that\u2019s just below these thresholds. They\u2019ve gotten very sneaky and will come in just under the radar so it becomes more and more difficult to identify when you\u2019ve been violated.<\/p>\n<p>Mike: When somebody is trying to hack you, is it, kind of, like I described? Are you getting phone calls into your main phone line? What\u2019s, kind of, a sneaking suspicion that somebody is trying to hack you? Is there any way to know?<\/p>\n<p>Bill: Well, like I said, depending on your service provider, we employ systems where we try to identify when we see this. You should choose a service provider that, by default, will not allow your phone system to terminate to these, what we call, high-cost destinations. We just won\u2019t let those calls go through unless the customer acknowledges that they do call these high-cost destinations from time to time and they understand the risk of us allowing those calls to terminate.<\/p>\n<p>Mike: Got it.<\/p>\n<p>Bill: To answer your question, the situation you described \u2013 continuous incoming phone calls with, seemingly, no one there \u2013 is a pretty good indication that somebody is trying to gain a foothold, trying to figure out how to get in to your auto-attendant or find a voicemail box that, maybe, has a non-complex password and so forth. Having your phone system\u2019s IP address not available to the general internet so they can\u2019t get access to it via IP is one of a couple of obvious things that a system administrator should be doing.<\/p>\n<p>Mike: Does that mean they should be using a private IP? Doing some type of <a href=\"https:\/\/en.wikipedia.org\/wiki\/Network_address_translation\" target=\"_blank\">NAT<\/a> as opposed to just a raw public IP?<\/p>\n<p>Bill: Absolutely. 
That\u2019s, generally, what folks do, but instead of employing, say, an access control list or a firewall to only allow the traditional port 5060 traffic, which is, of course, what SIP uses, they\u2019ll make it available to everybody instead of just narrowing it down to only allowing that type of traffic from the IP addresses of their provider.<\/p>\n<p>Mike: Is there anything a customer can do in terms of firewall settings? Because I know firewall gets a little bit tricky when we\u2019re talking about SIP, or hosted VoIP, or anything like that, is there any type of firewall settings that they should be making sure they have enabled?<\/p>\n<p>Bill: Well, from a security standpoint, what I just mentioned is very helpful \u2013 clamping down all SIP traffic except the SIP traffic that\u2019s coming and going to their provider. If they have remote phones, the use of VPN can be very helpful in allowing those remote phones in. It just really depends on your environment and how you deployed your IP PBX. It\u2019ll dictate what security measures you\u2019ll take.<\/p>\n<p>Mike: Interesting. What about <span style=\"color: #ff6600;\"><a style=\"color: #ff6600;\" href=\"https:\/\/www.aerocominc.com\/info\/our-products\/cloud\/communications-and-collaboration\/cloud-phone-system\/\" target=\"_blank\">hosted VoIP<\/a><\/span>? Is the same set of rules applicable if you\u2019re using hosted VoIP as opposed to just getting SIP trunks from a service provider?<\/p>\n<p>Bill: It is to an extent. Complex credentials have to be employed for the phones, right? If you think about it, the phones employ a digest approach to security. Each phone has a username and a password. That username and that password have to be complex in order to avoid somebody, a bad guy, if you will, from guessing what they are. 
Because once an IP phone\u2019s credentials have been compromised, that hacker, that service provider, whoever they are can begin making phone calls at will using the credentials of that extension.<\/p>\n<p>Mike: That\u2019s interesting. Because we have hosted VoIP internally and one of our users, about a month ago, all of a sudden, started getting tons of spam calls. Just like you mentioned, it was literally like every twenty seconds, he was getting inbound spam calls \u2013 just like we said like dead air and all that stuff. We called our service provider and they said, \u201cOh, something must have happened. There must be a port open\u201d because this person works from home and I think they have, right now, Time Warner or something for internet. They said, \u201cOh, one of your ports must have been open for a second. Somebody got in there and that\u2019s what\u2019s going on, but there\u2019s really nothing we can do about it.\u201d<\/p>\n<p>We just went back and forth for a long time. I was, kind of, frustrated. Here I am in the industry, but I\u2019m getting a dose of my own medicine. There\u2019s nothing they can do about it. Our user is just, basically, like, \u201cI can\u2019t even have my phone plugged in because it\u2019s just maddening. I\u2019m just getting constant calls.\u201d<\/p>\n<p>Then, the funny thing happened. We accidentally had all of our phone numbers disconnected. I put in a partial disconnect order. We just got rid of a couple of users on the hosted VoIP system and accidentally disconnected all of our phone numbers \u2013 only for like five minutes. Then, we got them back up, but his was one of the ones that got disconnected. When it came back up, he said, \u201cYou know what? 
My issues are gone.\u201d<\/p>\n<p>So, they disconnected his\u2026 If you were to call his <span style=\"color: #ff6600;\"><a style=\"color: #ff6600;\" href=\"https:\/\/en.wikipedia.org\/wiki\/Direct_inward_dial\" target=\"_blank\">DID<\/a><\/span> for those five minutes we were down, it said, \u201cThis number is no longer in service. It\u2019s been disconnected or has moved,\u201d so there\u2019s a full disconnect message on there. Just doing that solved the problem.<\/p>\n<p>But, it was something, like you said, that makes me go back, and I\u2019m going to have to ask him what his credentials are and make sure he\u2019s got some complex credentials in there because it may just be somebody got in and was doing something like that. I was like, well, note to self: If that starts happening, call the provider again and say, \u201cWell, if you can\u2019t fix it, can you just disconnect our numbers for five minutes at 8:00 at night or 10:00 at night and just let it be disconnected for half an hour or something, and then bring it all back up?\u201d because that seems to solve the problem, ironically.<\/p>\n<p>Bill: Yeah. That\u2019s becoming more and more of a problem in our industry \u2013 these incoming phantom calls. Depending on your provider, well, some of the open systems don\u2019t have this capability. With many of the more sophisticated systems, you can actually tell the phone not to respond to any invite except those coming from your service provider. That would have solved your problem in that if that provider had that capability with the phone, the phone would have ignored all of the invites coming from places other than your service provider and that eliminates the problem that you mentioned.<\/p>\n<p>Mike: That\u2019s great. That\u2019s some good advice. I\u2019m writing that down because if that ever happens again, I need to know what to do because I was at a loss. I was ready to switch providers, actually. I was like, \u201cYou know? Whatever. 
I\u2019m in the industry. We can switch providers pretty easily.\u201d If they can\u2019t resolve it, we just need to move on because I\u2019m not going to change my sales person\u2019s DID just to avoid spam calls. That\u2019s silly.<\/p>\n<p>Then, they\u2019re saying, \u201cNo. You can get a managed router from us. If we deploy a managed router on site, it is housed, then we could probably prevent it.\u201d I\u2019m like, \u201cOkay. So, I\u2019m going to pay $50 &#8211; $100 a month for a managed router at a remote user\u2019s house?\u201d That didn\u2019t make sense. Anyway, that\u2019s good.<\/p>\n<p>You know how it is, too. Sometimes you\u2019re talking to somebody in service that is maybe a little bit, you know, they\u2019re a little bit green or something. You never know. Sometimes they just make a mistake and they\u2019re learning too. Not to say that our service provider is terrible or anything, but, yeah\u2026 That\u2019s good info.<\/p>\n<p>Overall, what\u2019s, kind of, your parting wisdom for us on SIP security?<\/p>\n<p>Bill: I\u2019d have to say, listen to your service provider about security. If you aren\u2019t natively offered their best security practices when you onboard with the service provider, ask them for their best security practices. It\u2019s a painful issue for our entire industry. They\u2019re going to have some best practices for you to employ. Listen to them. Do what the service provider recommends and you should have a very positive experience.<\/p>\n<p>Mike: I think that\u2019s a great takeaway because so many times\u2026 I mean, I work with service providers on a daily basis. That is a subject that almost never comes up. 
It\u2019s just a good practice to, maybe, just take that extra step and ask, whether it\u2019s the sales engineer you\u2019re working with at the service provider or someone you\u2019re calling in to repair, what they recommend in terms of security measures.<\/p>\n<p>Because when installing customers and things like that, everybody is so busy with porting numbers and all that stuff that a topic that rarely comes up is \u201cHey, what are your best practices that we should be doing for SIP security? What\u2019s a bullet list that I should make sure we do to make sure that we don\u2019t get hacked on this SIP service?\u201d As strange as it sounds, like I said, that doesn\u2019t really come up very often, so it\u2019s good to take the initiative to ask the service provider on your own. I think that\u2019s some great advice.<\/p>\n<p>Bill: Indeed.<\/p>\n<p>Mike: Well, great. Thanks for sharing that with us. That was a great topic. When you, initially, brought it up to me a week or so ago, I was excited to hear about it just because of my own experience with it and, like I said earlier, because I know so many of our listeners are very concerned with security. When you\u2019re in charge of an organization with a hundred plus users or a thousand users and you\u2019re deploying SIP, my little issue of a few users can put a big exclamation point on how bad that issue could get. Like you said, you can end up getting a bill with thousands and thousands of dollars of fraudulent charges, and really no way to recoup it if the provider has been telling you they\u2019re fraudulent and you\u2019re not willing to take the extra step that they\u2019re recommending. So, I really appreciate you coming on and sharing that wisdom with us.<\/p>\n<p>Bill: My pleasure. Thanks for having me.<\/p>\n<p>Mike: No problem. 
Before you go, I\u2019d love it if you could tell us a little bit about your company <span style=\"color: #ff6600;\"><a style=\"color: #ff6600;\" href=\"http:\/\/www.aerocominc.com\/company-profile\/appia\" target=\"_blank\">Appia<\/a><\/span>, what you guys sell, and what\u2019s new and exciting going on in Appia these days.<\/p>\n<p>Bill: Oh, super. Thanks. Appia is a managed service provider. We\u2019ve been in business since 2001. In fact, our first commercial customer from 2001 is still our customer today in 2016, and we\u2019re pretty proud of that fact.<\/p>\n<p>Mike: That\u2019s cool.<\/p>\n<p>Bill: We\u2019re, as I mentioned, a managed service provider with an emphasis on voice. We offer SIP trunking, as we discussed today, hosted IP telephony, hosted desktop service, hosted video conferencing. We can also offer corporate cell phone service as an [MVNO 00:40:23], and data center space \u2013 just about anything that you would be interested in buying from a cloud perspective.<\/p>\n<p>Mike: Fantastic. Now, are you guys selling services nationwide, or worldwide, or do you have a certain geographic area that you guys have a network in\/that you sell within?<\/p>\n<p>Bill: No, we\u2019re offering service to customers on five continents. Outside of the United States and most of the civilized western world, we\u2019re able to offer service, and we have a number of happy customers around the planet.<\/p>\n<p>Mike: Fantastic. You mentioned that you guys do a lot of voice services. Is there something in particular that you guys do especially well when it comes to SIP or voice services?<\/p>\n<p>Bill: We feel like our hosted voice service is difficult to beat. We deploy a geo-redundant system. The reliability of that system is measured in \u2013 [mean time 00:41:37] between failures is measured in years. 
We have a very talented staff, very [Inaudible 00:41:47] Again, we\u2019ve been doing this since 2001, so we\u2019re well-versed in all the different methods around Voice over IP and, in particular, hosted services. We would put our service up against anybody\u2019s.<\/p>\n<p>Mike: Fantastic. Yeah, it\u2019s hard to believe that you guys were doing hosted VoIP in 2001. You and I talked about it before the call, but I was working for <span style=\"color: #ff6600;\"><a style=\"color: #ff6600;\" href=\"http:\/\/www.aerocominc.com\/company-profile\/xo\" target=\"_blank\">XO Communications<\/a><\/span> in 2001. I think XO released a product that was hosted VoIP. It was on Cisco phones and we had the product for about six months and it completely\u2026<\/p>\n<p>I remember when they rolled it out; all of us sales people were just scratching our heads going, \u201cWhat the heck? Wait, you give someone phones, but there\u2019s no phone system. You connect it up to their internet T-1 and there\u2019s dial tone? Like, what?\u201d It sounds so silly now because everybody, kind of, knows how hosted VoIP works, theoretically, now, but, back then, that was so foreign.<\/p>\n<p>Like I said, that was just a product that we tried and we rolled out. Like I said, it lasted about six months until the first couple of installs and we realized this is really difficult, and all the installs are going bad, and it\u2019s not working very well, and we can\u2019t get it working, so, I think, they just, kind of, brought it back in. I thought that we were, kind of, a first-mover bringing that out there, but you guys had a whole company where that was one of your core products. That\u2019s pretty impressive.<\/p>\n<p>Bill: Indeed. It\u2019s been a fun ride these past sixteen years.<\/p>\n<p>Mike: Yeah. 
Especially because I feel like in the last few years, hosted VoIP has really started to\u2026 That aura of mystery and fear has been lifted, I feel, like in the last three to four years where, before that, everybody was, kind of, like, \u201cWell, I don\u2019t know. Sounds good, but I\u2019m still, kind of, scared of it.\u201d Now, it seems like everybody is like, \u201cAlright. I\u2019m comfortable with that.\u201d It\u2019s a lot more accepted today than it was even just a few years ago. That\u2019s pretty good for you guys to have a great product that you\u2019ve been doing for a long time in a market that I think is\u2026 I think, right now, hosted VoIP is going to be exploding throughout the next five to ten years.<\/p>\n<p>Bill: We concur.<\/p>\n<p>Mike: Well, great. That\u2019s some good info. If anybody wants to learn more about Appia, just reach out and contact us at Cloud Therapy or AeroComInc.com and give us a call. If you\u2019d like to talk to anybody on Bill\u2019s staff and learn a little bit more about Appia, we\u2019d be happy to introduce you to their best people and teach a little bit more about their company and see if it might be a good fit.<\/p>\n<p>Thanks a lot, Bill. I appreciate your taking the time. Thanks for joining us on the program.<\/p>\n<p>Bill: Thank you. Have a super day.<\/p>\n<p>Mike: You too.<\/p>\n<p>So, what did you think of Bill? I thought it was great. The thing that I got out of it the most was I\u2019m definitely going to tell our sales person, Josh, to make sure that his credentials for logging into our hosted VoIP system. I don\u2019t know if that had anything to do with the issue he was having where he was having non-stop calls, but it definitely would help.<\/p>\n<p>That\u2019s the big takeaway I got out of there, but, there\u2019s a couple more too. For instance, making sure that you go with a provider that does not allow calls to terminate to those expensive destinations unless you purposefully allow it. 
Also, making sure you don\u2019t put a public IP address on anything that the public can see. I think a lot of you IT folks know that intrinsically. Also, if something like that starts happening, make sure the service provider does not accept any calls that are not coming from them, or maybe set up your handset that way.<\/p>\n<p>Needless to say, some great takeaways there for me and, hopefully, you as well. Before I go, I just wanted to, again, remind you of that cool voice comparison guide that I made for you. Hey, I spent hours putting this thing together. Don\u2019t lie, voice is not your strength. Help yourself out, take a look at the voice guide so that you know the difference, at least, between SIP, PRI, and analog lines if you\u2019re shopping for voice so that you\u2019re arming yourself with some information about what you\u2019re going to need if you\u2019re approaching service providers.<\/p>\n<p>No worries, we\u2019ll give it to you for free. All you have to do to get it is text the word \u201cVOICEGUIDE\u201d to the number 44-222. Text the word \u201cVOICEGUIDE\u201d to the number 44-222 and we will send that voice guide to you for free.<\/p>\n<p>Alright. Well, that does it for today. I hope you enjoyed the show. I\u2019ll catch you next time.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>&nbsp; Appia&#8217;s Co-Founder and VP of Legacy Systems, Bill Bollinger, discusses his tips for IT Departments on SIP Security. 
As someone who&#8217;s been around VoIP for as long as anyone and who&#8217;s company has thousands of SIP hack attempts every<span class=\"ellipsis\">&hellip;<\/span> <a href=\"https:\/\/www.aerocominc.com\/info\/cloud-therapy-ep-010-sip-security-tips-with-bill-bollinger\/\"><\/p>\n<div class=\"read-more\">Read more &#8250;<\/div>\n<p><!-- end of .read-more --><\/a><\/p>\n","protected":false},"author":6,"featured_media":9529,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_mi_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0},"categories":[371],"tags":[243,215,638,641,642,446,445,422,429,523,640,636,637,635,382,632,377,428,423,639,539,391],"_links":{"self":[{"href":"https:\/\/www.aerocominc.com\/info\/wp-json\/wp\/v2\/posts\/9528"}],"collection":[{"href":"https:\/\/www.aerocominc.com\/info\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.aerocominc.com\/info\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.aerocominc.com\/info\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.aerocominc.com\/info\/wp-json\/wp\/v2\/comments?post=9528"}],"version-history":[{"count":0,"href":"https:\/\/www.aerocominc.com\/info\/wp-json\/wp\/v2\/posts\/9528\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.aerocominc.com\/info\/wp-json\/wp\/v2\/media\/9529"}],"wp:attachment":[{"href":"https:\/\/www.aerocominc.com\/info\/wp-json\/wp\/v2\/media?parent=9528"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.aerocominc.com\/info\/wp-json\/wp\/v2\/categories?post=9528"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.aerocominc.com\/info\/wp-json\/wp\/v2\/tags?post=9528"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}