Toll Fraud Security on the Mitel 3300

[Tom01]

Hi guys

If we leave voice mail out, as it has been already managed, is there some other ways to execute toll fraud on Mitel 3300...

How about if one gains access into the UCA or ENT/OPS server through the data network. Is it still possible for the hacker to execute toll fraud.

Also if there any software etc available to trace fraud calls.

Regards

[ralph]

Oh boy.....
Leaving the VM out of it there are still a few ways.
1) this is my most current study interest:   A hacker attacks a SIP based telco provided router.  Breaks the credentials and then sets up his own router.   Generally it appears this is used for doing TDoS attacks on other customers, not so much toll fraud.
2) Trunks that don't disconnect properly.  A call that hits the system and then someone/something hangs up but the caller stays on line and gets PBX dialtone.   From there can dial out if the other layers of security are not set properly.
3) of course the old stand by: DISA.  Dumb.
4) Twinning.   If your twinning creds are compromised then they can twin anywhere.
5) The exten '900' scam 
6) Internal fraud:  i.e.   Forward your phone to grandma and then call your phone from home.

Of course there needs to be several layers of security.  Only peel these back as needed
1) Block trunk to trunk calls.
2) Set the COR of the trunks to deny ARS access.
3) remove/restrict direct trunk access.
4) layer your ARS  - See this doc
5) Block your VM ports from dialing.
6) Block call forward external - or forward only to system speed calls (preferred)
7) Work with your carrier to block international calls
Work with your carrier to restrict incoming toll free calls to only those areas of the country that require it.

Of course the apps, like OPS, UCA etc, if they compromised then of course any knowledgeable hacker will cause problems.   

Remember this: the only totally secure system is the one that turned off and locked in a vault.

Ralph

[LoopyLou]

To add to Ralphs comments.
1). Don't use trival passwords on vmboxes, any system access, any server access or on hotdesk logins
2). If the 3300 is the DHCP server set it up to reject any request that is not from a phone.
3). use access control lists or other network means so that only devices that need to communicate with the voice VLAN do so.
4). Phones can also be setup to use 802.1x ( device authentication before joining a network )
5). COR restrict Trunks and voicemail ports
6). Do not have a RAD as an answer point for any trunk ( allows DISA dialing )
7). Setup call recognition on PRI's for users of smart phone clients.
. COS an COR 1 should be set up to do virtually nothing. These are the defaults assigned to any new phone.
9) Consider setting up an intercept on toll denial to switchboard or something else so you get warning of repeated attempts to commit toll fraud.
10). If you are going to use account codes so users can change their COS and COR then don't make the trival, make them long and don't have them consecutive.
11). Setup a policy with users and switchboard not to transfer external callers to external numbers. " hi I'm Bob and I am out of the office can you transfer me to this long distance number in another country" 

[nintendo1889]

There's a file in the online help (at /uwi/help/En/sysadmin/preventing_toll_fraud.pdf), entitled Using CDE to Prevent Toll Fraud on the 3300 ICP. It's from 2002, but I found it helpful in addition to the information above.