Hi,<br>We received the following alert from our phone company. I wondered how vulnerable Unity is to these threats. I'll include the complete message below. Specifically, we have Unity 2.4 Build 184.108.40.206.<br><br>***************<br><br>There have been some recent 'hacker attacks' on voice mail systems, and we wanted to make sure that our customers are taking adequate precautions to prevent telephone fraud through campus resources. While Resicom, along with many of the carriers that serve our mutual customers, does perform pro-active fraud monitoring, some types of fraud may not be detected by these systems. Ultimately, each PBX owner must ensure that their systems are 'fraud proof', as they are responsible for the charges.<br><br>In many cases hackers are calling from payphones, or using pre-paid cards (sometimes stolen), and cannot be easily traced.<br><br>Recent incidents of fraud were cases where hackers gained access to a voice mail system and used those ports to dial out to foreign destinations through multiple access methods. The voice mail system in question __was already set__ to deny outcalling, but these hackers were still able to place these calls through those ports.<br><br>Some suggestions:<br>--Ensure that your campus operators are trained not to transfer to external numbers, or to extensions that begin with the same digit as your trunk access code (i.e if you dial '9' for an outside line x9000, 9011; if you dial '8' for an outside line, x8000, 8001, 8011, etc.). It is also important to make sure that the non-business hour attendants are aware of the possible scam calls.<br><br>--Voice mail systems, automated attendants, and interactive voice response systems usually connect to the campus PBX through extensions just like those on your desk. Check that voice mail system extensions are completely restricted, and cannot place external calls, even with an auth code.<br><br>--If your voice mail system must do outcalling for pager notification, configure it to use only a small number of ports, and configure those ports to only allow dialling to a minimal calling area.<br><br>--If you have toll-free numbers that terminate in a voice mail system, configure that mailbox to not allow '0 transfer' after hours.<br><br>--If your voice mail system allows users to transfer to a caller-entered extension, ensure that the system will not allow transfer to an extension that begins with your trunk access code (for example 9000, 9001, 9011)<br><br>--Re-confirm restrictions after major system changes or upgrades to confirm that they are still in place.<br><br>
Unity is pretty tight here... currently you can't dial ANY number that doesen't correspond to a call handler or a subscriber. Period. No "free dials" are allowed (this feature is coming in a later version of 3.x but admins can lock it down if they wish).
The only vulnerability here would be the same weak spot all such systems have and that's hackers getting into user's mailboxes. They can change the transfer string over the pone and attempt to dial out that way. Unity employs restriction tables that dictate what number patterns are allowed for transfer strings to prevent this from being a problem (i.e. no long distance numbers are allowed).
Make sure your users all have PWs set and change them from time to time and make sure your restriction tables for dialout and transfers are locked down appropriately and you should be safe.
You can also use CallManagers calling searches spaces and partition to prevent Unity from being able to call outside to the local network. Just don't do this if you are doing notification to outside devices.
Keith Chambers Unity Technical Lead Unified Voice Team, San Jose Cisco Systems firstname.lastname@example.org
IntroductionCUCM Routing RulesDial String implementation PolicyCUCM Routing LogicSIP URI Call Routing Analysis+++ Case Study: 1 ++++++ Case Study: 2 +++Conclusion
Over the last few months, I have had the privilege of working on SI...
Are you getting this error “Installer User Interface Mode Not Supported. The installer cannot run in this UI mode. To specify the interface mode, use the -i command-line option, followed by the UI mode identifier. The value UI mode identifiers...