European VoIP Summit London 2017 // ITSPA Sessions

Secure your network or pay the costs! Peter Cox, UM Labs


Post on 05-Apr-2017


Secure your network or pay the costs!

Peter Cox

UM Labs

The Victim

• Organisation in leisure and hospitality industry

• Extensive facilities and grounds

• Existing Avaya phone system, fixed handsets, problem free

• International calls routed via manned reception desk

• Needed to improve staff communication

[Diagram: existing Avaya PBX on a Voice VLAN, with ISDN 30 to the PSTN]

The Attempted Solution

• New WiFi/VoIP system covering all facilities

• Zycoo PBX (Asterisk based)

• WiFi VoIP handsets for staff

• FXS/FXO link to existing Avaya PBX and PSTN

• Zycoo linked to Internet for remote support

[Diagram: Avaya PBX on the Voice VLAN with ISDN 30 to the PSTN; Zycoo PBX joined to it by an FXS/FXO connection; campus WiFi carrying the WiFi handsets; Zycoo PBX connected to the Internet through a firewall]

Fraud Timescale and Partial Call Log

[Timeline, days 0 to 21: installation commenced; fraudulent calls; remedial work; fraudulent calls; permanent shutdown]

| Time | Number Dialled | Detail | Duration (H:MM:SS) | Cost (£) |
|-------|----------------|----------|--------------------|----------|
| 23:59 | 00870773106590 | Inmarsat | 0:20:29 | 102.42 |
| 00:58 | 00870773106590 | Inmarsat | 0:20:33 | 102.75 |
| 01:20 | 00870773303338 | Inmarsat | 0:20:30 | 102.50 |
| 01:45 | 00870773303338 | Inmarsat | 2:26:30 | 732.50 |
| 03:35 | 00870773303338 | Inmarsat | 2:23:42 | 718.50 |

Primary Factor Allowing Fraudulent Calls

• Zycoo PBX was configured without passwords for connecting extensions

• Easy to connect to the VoIP network via WiFi or the Internet and enumerate the extensions

• Easy to make calls to PSTN numbers

| Extension | Password |
|-----------|---------------|
| 350 | [no password] |
| 351 | [no password] |
| 352 | [no password] |
| 353 | [no password] |

Secondary Factors Allowing Fraudulent Calls

• The Avaya PBX was reconfigured to allow direct dialling of International calls*

• No controls on access from the Internet to the Zycoo PBX (any port, any IP address)*

• WiFi SSID visible, weak and guessable password

• Poor project management

* No one would admit responsibility for either of these changes

ITSPA Checklist for Secure Deployment of a PBX

• Ensure that every extension configured on your system has a password

• Setup the IP-PBX behind a firewall

• Limit external access to known IPs only

• Failing to follow these simple steps can cost tens of thousands

• If you need help, ask an ITSPA member!

http://www.itspa.org.uk/wp-content/uploads/161125_IPPBX_BCP.pdf
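The first three checklist items can be verified mechanically on an Asterisk-based PBX such as the Zycoo. What follows is an added example written for this page, not code from UM Labs, ITSPA or Zycoo: it parses a chan_sip sip.conf (the sample configuration is constructed, including the extension numbers, secrets and subnet), resolves (!) templates, and reports extensions with no secret, weak secrets, extensions with no deny/permit restriction, and the [general] options allowguest and alwaysauthreject. The 8-character minimum is an assumed threshold, not an Asterisk or ITSPA value.

```python
"""Audit an Asterisk chan_sip configuration (sip.conf) against the ITSPA checklist.

Added example for this page, not code from UM Labs, ITSPA or Zycoo. It reads
the [section] / key=value format, resolves (!) templates and inheritance, and
reports: extensions with no secret, weak secrets, extensions with no
deny/permit address restriction, and risky [general] options.
"""
import re
from dataclasses import dataclass

SECTION_RE = re.compile(r"^\[([^\]]+)\](?:\(([^)]*)\))?$")
MIN_SECRET_LEN = 8   # assumed threshold, not an Asterisk or ITSPA value


@dataclass
class Finding:
    section: str
    severity: str
    message: str


def parse_sip_conf(text):
    """Return {section: [(key, value), ...]} for non-template sections, templates applied."""
    sections, templates, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            name = m.group(1)
            flags = [f.strip() for f in (m.group(2) or "").split(",") if f.strip()]
            entries = []
            for parent in flags:                      # '!' marks a template, other names are parents
                if parent != "!":
                    entries.extend(templates.get(parent, []))
            (templates if "!" in flags else sections)[name] = entries
            current = entries
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current.append((key.strip().lower(), value.strip()))
    return sections


def audit_sip_conf(text):
    """Return a list of Findings for the [general] section and every extension."""
    sections = parse_sip_conf(text)
    findings = []
    general = dict(sections.get("general", []))
    if general.get("allowguest", "yes").lower() != "no":      # chan_sip default is yes
        findings.append(Finding("general", "HIGH", "allowguest is not 'no': unauthenticated callers are accepted"))
    if general.get("alwaysauthreject", "").lower() != "yes":   # default has varied by version; require it explicitly
        findings.append(Finding("general", "LOW", "alwaysauthreject not set to 'yes': replies reveal which extensions exist"))
    for name, entries in sections.items():
        if name in ("general", "authentication"):
            continue
        kv = dict(entries)                                       # last value wins, as in Asterisk
        secret = kv.get("secret") or kv.get("md5secret")
        if not secret:
            findings.append(Finding(name, "CRITICAL", "no secret: anyone who can reach the PBX can register as this extension"))
        elif secret == name or len(secret) < MIN_SECRET_LEN:
            findings.append(Finding(name, "HIGH", "weak secret: too short or equal to the extension number"))
        if kv.get("host", "dynamic") == "dynamic" and not any(k == "permit" for k, _ in entries):
            findings.append(Finding(name, "MEDIUM", "no deny/permit ACL: registrations accepted from any address"))
    return findings


# Constructed sample: handset extensions in the state the slides describe, plus one done properly.
SAMPLE_SIP_CONF = """
[general]
context=internal
bindport=5060

[staff](!)               ; template shared by the handsets
type=friend
host=dynamic
context=internal

[350](staff)             ; no secret at all
callerid="Reception" <350>

[351](staff)             ; secret equals the extension number
secret=351

[352](staff)             ; good secret, but reachable from anywhere
secret=Kq7#pLm2vX9t

[353](staff)             ; good secret, restricted to the voice VLAN
secret=Zr4!wNb8yH3c
deny=0.0.0.0/0.0.0.0
permit=10.20.30.0/255.255.255.0
"""

if __name__ == "__main__":
    for f in audit_sip_conf(SAMPLE_SIP_CONF):
        print(f"[{f.severity}] {f.section}: {f.message}")
```

Run against a real sip.conf it gives one CRITICAL line per extension that can be registered without any credential, which is exactly the state the Zycoo was left in; the deny/permit check is the per-extension complement of the firewall rule in the checklist, since a registration from an unexpected address is refused even if the firewall is later opened up.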

Internet Telephony Fraud

Colin Duffy, Voipfone

The Friendly Scanner

Anatomy of a PBX Hack

1:40 am, Sunday: a customer’s PBX is hacked

1st Successful Call – Testing

– 5-second call to Palestine.

Voipfone

1st Hour – Searching

• 91 attempted calls to

Grenada, Nicaragua, Democratic Republic of Congo, Kiribati, Latvia, Maldives, Morocco, Burma (Myanmar), Nauru, Ukraine, Gambia, Norway, Bosnia and Herzegovina, Jamaica, Somalia, Serbia and Togo.

None of the calls connected


2nd Hour – well, who knows? I don’t

• 312 calls

• 22 were successful

• Repeat calls of zero duration were made to the same numbers in succession in no obvious pattern

A search for successfully connectable numbers was in progress, but it was non-systematic and ham-fisted.

3rd Hour – Operational:

• 1,106 calls, 281 (25%) were successful

• Cost £617.92; 1,079 (98%) to Burkina Faso mobile numbers

• 946 (86%) were to a single number.

The fact that a single number could accept so many simultaneous connections means the calls were being terminated on a commercial platform, suggesting a large-scale operation.


4th Hour – Intervention:

• 95 calls in 9 minutes at a total cost of £115.01

• 98% to the Burkina Faso mobile numbers

• 53% to the same number

Account disabled, maximum spend exceeded


Result

Total 1,604 calls, 352 (22%) successful, £738.32.

Finally generating £766 per hour

48hrs over weekend = £36,768


Voiceflex and Frip Finishing Ltd

“This case concerns the consequences of a fraud carried out by unknown third-party hackers ("the hackers") between about 21.40 p.m. on Saturday, 29 October 2011 and about 10:22 a.m. the following Monday, 31 October 2011, when they hacked into Frip's router and/or PBX, with the consequence that some 10,366 telephone calls were made by persons unknown […] The majority of the telephone calls were made to a premium rate telephone number based in Poland […] As a result, the claimant rendered its invoice [which] came to a total of £35,560.20.”

(EWHC, 2014).


New Scotland Yard lost £1m over 18 months

(Corporate ICT, n.d.)


Fraud Destinations (n=23,127)


The Island Nation Effect


Fraud Calls vs Normal Calls


Risk Indicators (statistically significant, p>0.001)

• Time of day & Day of Week

• Cost of call

• Repeat calls to same number

• Intensity of calling

• High % unsuccessful calls

• Non-Western countries

• Nation states with micro-populations

• Non-UK sign-up (x9.43)


What Can Be Done?

• Create rules based on call risk characteristics:

– Build country risk indexes

– Black list of bad numbers, e.g. TUFF, ITSPA SNITCH List

– Use wholesalers that use anti-fraud tools

– Ban 09 and 070 – allow by account on request

– Key risk indicators are call price and call frequency

• Real time, automatic intervention required – notification or retrospective systems don’t work

• Disable accounts that fail the rules

• Include failed calls, count call attempts

• Get your T&Cs sorted: “AUTHORISED & UNAUTHORISED”
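The hour-by-hour shape of the Anatomy of a PBX Hack slides (a short test call, then an hour of mostly failed probing across many countries, then hundreds of attempts to one mobile number) is what the rules above are meant to catch while it is happening. The block below is an added example for this page and not Voipfone's system: it turns the risk indicators into a per-account sliding-window monitor that counts failed attempts, applies a maximum spend, a destination risk index, a blacklist and the 09/070 ban, and disables the account on the first rule it fails. Every threshold, the risk scores, the blacklist entry and the two call traces are constructed for illustration.

```python
"""Real-time call-risk rules built from the indicators on the Voipfone slides.
Added example for this page, not Voipfone's software: the thresholds, country
risk index, blacklist entry and call traces below are all constructed."""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Attempt:
    when: datetime      # start of the attempt
    dialled: str        # as dialled from the UK: 00 + country code for international
    answered: bool
    cost: float         # pounds charged, 0.0 for an unanswered attempt


@dataclass
class Decision:
    call_allowed: bool      # was this attempt routed?
    account_enabled: bool   # may the account still place calls after it?
    reason: str = ""


# Constructed risk index (0 low .. 5 high); build a real one from your own fraud history.
COUNTRY_RISK = {"00226": 5, "00870": 5, "00252": 5, "00243": 4, "0048": 2, "0047": 1}
BANNED_UK_PREFIXES = ("09", "070")   # premium-rate and personal numbers: off unless enabled per account
BLACKLIST = {"00226700000001"}       # constructed stand-in for a TUFF / ITSPA SNITCH list entry


@dataclass
class Policy:
    window: timedelta = timedelta(hours=1)
    max_spend: float = 100.0          # pounds within the window (the slides' "maximum spend")
    max_attempts: int = 150           # failed attempts count too
    max_to_one_number: int = 20
    fail_rate_limit: float = 0.75
    min_attempts_for_rate: int = 30   # do not judge a failure rate on a handful of calls
    allow_premium: bool = False


def destination_risk(number: str) -> int:
    return max((r for p, r in COUNTRY_RISK.items() if number.startswith(p)), default=0)


class AccountMonitor:
    """Scores every attempt as its record arrives; disables the account on the first failed rule."""
    def __init__(self, policy: Policy = Policy()):
        self.policy = policy
        self.recent: deque = deque()     # attempts inside the sliding window
        self.disabled_reason = ""

    def process(self, a: Attempt) -> Decision:
        p = self.policy
        if self.disabled_reason:
            return Decision(False, False, self.disabled_reason)
        if a.dialled in BLACKLIST:
            return Decision(False, True, "blacklisted number")
        if not p.allow_premium and a.dialled.startswith(BANNED_UK_PREFIXES):
            return Decision(False, True, "premium/personal numbering not enabled")
        while self.recent and a.when - self.recent[0].when > p.window:
            self.recent.popleft()
        self.recent.append(a)
        n = len(self.recent)
        failed = sum(1 for x in self.recent if not x.answered)
        same = sum(1 for x in self.recent if x.dialled == a.dialled)
        spend = sum(x.cost for x in self.recent)
        # A risky destination dialled out of hours (weekend or 22:00-06:00) halves the volume limits.
        after_hours = a.when.weekday() >= 5 or not 6 <= a.when.hour < 22
        scale = 0.5 if destination_risk(a.dialled) + after_hours >= 4 else 1.0
        if spend > p.max_spend:
            reason = f"max spend exceeded: £{spend:.2f}"
        elif n > p.max_attempts * scale:
            reason = f"{n} attempts in {p.window}"
        elif same > p.max_to_one_number * scale:
            reason = f"{same} attempts to {a.dialled}"
        elif n >= p.min_attempts_for_rate and failed / n > p.fail_rate_limit:
            reason = f"{failed}/{n} attempts failed"
        else:
            return Decision(True, True)
        self.disabled_reason = reason        # this attempt was routed; nothing further will be
        return Decision(True, False, reason)


def replay(attempts, policy: Policy = Policy()):
    """Feed a trace through one monitor; return (index of the attempt that disabled the account, reason)."""
    monitor = AccountMonitor(policy)
    for i, a in enumerate(attempts):
        d = monitor.process(a)
        if not d.account_enabled:
            return i, d.reason
    return None, None


def searching_trace():
    """Constructed trace shaped like the slides' first hour: one short test call, then failed probes."""
    t0 = datetime(2017, 4, 2, 1, 40)                                   # a Sunday, 01:40
    calls = [Attempt(t0, "00970200000001", True, 0.05)]
    for i in range(40):
        prefix = ["001473", "00505", "00243", "00686", "00371", "00960"][i % 6]
        calls.append(Attempt(t0 + timedelta(seconds=90 * (i + 1)), prefix + str(500000 + i), False, 0.0))
    return calls


def concentrated_trace():
    """Constructed trace shaped like the slides' third hour: the same mobile number, call after call."""
    t0 = datetime(2017, 4, 2, 3, 40)
    return [Attempt(t0 + timedelta(seconds=20 * i), "00226700000009", i % 3 == 0, 2.2 if i % 3 == 0 else 0.0)
            for i in range(60)]
```

On the searching trace the account is stopped by the failure-rate rule at the 30th attempt, well inside the "1st Hour – Searching" phase and long before any money is spent; on the concentrated trace it is the repeat-number rule, tightened because the destination is high risk and the time is out of hours, that stops it at the 11th attempt to the same number. A monitor like this only works if it sits in the call path and sees failed attempts too, which is the slides' point about notification-only or retrospective systems.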


Before and After

| Date | Loss |
|------|------|
| 22 July 2014 | £364.86 |
| 22 July 2014 | £26.75 |
| 22 July 2014 | £429.82 |
| 22 July 2014 | £0.52 |
| 22 July 2014 | £0.10 |
| 24 July 2014 | £0.40 |
| 24 July 2014 | £0.64 |
| 27 July 2014 | £0.44 |
| 23 August 2014 | £0.05 |
| 27 August 2014 | £0.48 |

This has been a Public Service Presentation on behalf of ITSPA

Come join us.....

Colin Duffy, Voipfone


The EU General Data Protection Regulation

European VoIP Summit 2017

Overview

• What is the General Data Protection Regulation?

– background and timeline

• Scope and core principles

• Interacting with customers

– customer consents

– impact on privacy policies

– [new data subject rights]


osborneclarke.com

What is the General Data Protection Regulation?

What does the General Data Protection Regulation do?

• Replaces / completely overhauls existing Directive and by extension the Data Protection Act 1998 in UK

• Same basic principles as current regime … but aims to harmonise legislation across EU

• Modernises data protection laws but aims to be technology neutral

• "Protects fundamental rights … of natural persons … to the protection of personal data"

• Promotes free movement of personal data within EU


Timeline and next steps

05 Jan 2012 – First draft of General Data Protection Regulation ("GDPR")

12 Dec 2015 – European Parliament and EU Council of Ministers reach political agreement on a compromise GDPR text

27 Apr 2016 – Formal adoption by the European Parliament and Council

5 May 2016 – Publication in the Official Journal

December 2016 onwards – Article 29 Working Party guidance:

• Setting up new European Data Protection Board (EDPB)

• Preparing one stop shop and consistency mechanism

• Issuing guidance for controllers and processors

• On-going communications

27 May 2018 – GDPR comes fully into force


GDPR takes privacy regulation to a new level

[Bar chart comparing the DPD and the GDPR by number of articles, recitals and pages]

• Higher level of complexity

• Packed with stricter requirements


The bigger picture and impact

• A new era of data protection compliance in Europe which also sends a strong message to global businesses

• Businesses will need to focus more time, resources and money on compliance

• Impact on consumer expectations and behaviours?

• The e-Privacy Directive is also being updated

– but existing law remains in place for now

• Aligns with the European Digital Single Market

• Cross-over with NIS Directive on cyber security


Scope and Core Principles

What is personal data?

• Personal data means any data which relate to an identified or identifiable natural individual (the data subject)

• GDPR applies to processing of personal data:

– wholly or partly by automated means

– which form part of a filing system (= a structured set of personal data accessible according to specific criteria)

• Special categories of data are data relating to racial or ethnic origin, political opinions, religious or “similar” beliefs, trade union membership, physical or mental health, sexual life, [and actual or alleged criminal offences]

– GDPR restrictions on certain genetic/biometric data


Controlling and Processing

• Processing includes virtually every conceivable operation in relation to data (and does not require automated means)

• A data controller determines the purposes and means of processing

• A data processor processes data on behalf of a data controller


Recap: existing Data Protection Principles

1. Personal data must be processed fairly and lawfully

2. Personal data must be obtained for specified purposes and not processed in a manner incompatible with those purposes

3. Personal data must be adequate, relevant and not excessive

4. Personal data shall be accurate and (where necessary) kept up to date

5. Personal data must not be kept longer than necessary

6. Personal data must be processed in accordance with the rights of data subjects

7. Appropriate technical and organisational measures must be taken against unauthorised processing, and against loss or destruction

8. Personal data must not be transferred to a country outside the EEA unless that country ensures an adequate level of protection for the rights and freedoms of data subjects in relation to personal data


New and restated principles (1) (Article 5)

Personal data must be:

• processed lawfully, fairly and in a transparent manner

• collected for specified, legitimate and explicit purposes and not processed in a way incompatible with them ("purpose limitation")

– some purposes will not be incompatible:

• public interest archiving

• scientific/historical research purposes

• statistical purposes

• adequate, relevant and limited to what is necessary in relation to purposes for which it is processed ("data minimisation")


New and restated principles (2) (Article 5)

Personal data must be:

• accurate and, where necessary, kept up to date ("accuracy")

– must take every reasonable step to erase/rectify inaccuracies without delay

• kept in a form which permits identification of data subjects for no longer than is necessary for purposes for which it is processed ("storage limitation")

– storage for longer periods permitted for archiving etc

• processed in a way which ensures appropriate security of data ("integrity and confidentiality")

The controller shall be responsible for and able to demonstrate compliance ("accountability")


Sanctions – Harmonised and Higher (Articles 77 – 84)

• Fines applicable by DPAs:

• Right to claim compensation from controller or processor

• Data subjects to have right to effective judicial remedy

– in home state and where controller/processor is established


Interacting with Data Subjects

Requirements for lawful processing (1) (Article 6) – similar to DPA

Lawful processing requires one of these criteria to be met:

• data subject's consent

– "freely given, specific, informed and unambiguous"

– stricter conditions must be met (see below)

• necessary for performance of contract to which data subject is party (or to take steps requested by data subject prior to contract)

– not a contract with third parties or subcontractors

• necessary for compliance with a legal obligation to which controller is subject

• necessary in order to protect vital interests of data subject


Requirements for lawful processing (2) (Article 6) – similar to DPA

(Lawful processing requires one of these criteria to be met:)

• necessary to perform task in public interest or official authority

• necessary for legitimate interests of controller or third party, and not overridden by interests or fundamental rights or freedoms of the data subject

– what are "legitimate interests"?

• preventing fraud?

• internal administration?

• ensuring network security?

• direct marketing purposes?

– need to take account of data subject's reasonable expectations

– requires careful assessment


BUT stricter basic conditions for consent (Article 7)

Requests for consent must be:

• clearly distinguishable from other matters

• in an intelligible and easily accessible form

• use clear and plain language

Consent can be withdrawn at any time:

• must be as easy to withdraw as to give

• data subject must be told upfront this is possible

Other drawbacks:

• contract performance must not be conditional on consent

• clear evidence

• consent for separate processing operations


ICO draft guidance on consent published 2 March 2017

Extra consent requirements (Articles 8 & 9)

Consent by children to "information society services":

• Requires consent or authorisation by parent

– applies below 16 years or a lower age (not below 13) set by MS

• Reasonable efforts to verify parental approval required

Processing "special categories" of personal data:

• Generally requires explicit consent

• Some other (limited) grounds available, e.g.:

– Necessary for employment law, social security or social protection

– Protection of vital interests

– Where personal data has been manifestly made public by the data subject


Enhanced transparency and information (Articles 12 – 14)

• Transparency is key

• Information / communications must be:

– concise

– transparent

– intelligible

– easily accessible form

– set out in clear and plain language

• Similar obligations where data not obtained from data subject

Enhanced information provision requirements

What information do you have to provide when data is collected?

1. Controller's identity and contact details

2. Purposes and legal basis of processing

3. Legitimate interests (pursued by the controller or third party)

4. Details on other recipients (or categories of recipient)

5. Cross-border transfers

6. Period for which data will be stored (or relevant criteria)

7. Existence of data subjects' rights (see later)

8. Existence of any automated decision making

9. Rights to lodge a complaint to a supervisory authority

10. Whether data is required by statute or contract or necessary to enter into a contract, plus consequences of failure to provide data.

Enhanced information provision requirements

What about information that is not obtained directly from the data subject?

The same information has to be provided plus:

1. categories of data concerned;

2. source of the data.

When?

– Within a reasonable period after obtaining the data;

– If used for communications – at the time of the first communication with the data subject (at the latest)

– If disclosed to another recipient – when the data is first disclosed (at the latest)

In both cases update the data subject if the purposes change

Questions / Discussion

Contact details

Mark Taylor

Partner

Commercial

T +44 (0) 20 7105 7640

M +44 (0) 7702 136 965

[email protected]
