[VOIPSEC] VOIP for free??

Smith, Donald Donald.Smith at qwest.com
Wed Apr 13 23:40:12 CDT 2005


ARP tricks only work in an "ARP domain". So unless you're on my LAN or a LAN which we have a helper address configured for, you can't play :)

DNS is currently being cache poisoned, hosts files hijacked and the Windows registry hijacked, so that's a pretty realistic method.

DHCP is difficult to play with outside the LAN; NOT impossible, but difficult.
Routing protocols are difficult, but depending on the ISP's security, possible.

L2, again, is doable on the LAN; outside it implies a big issue with your (and the victim's) ISP.

Given an insider at your ISP or within your enterprise with privileges, ALL of these are possible and realistic.

Having said all of that, end users will "subscribe" to services that perform man-in-the-middle as part of their basic service, use trivial passwords, open nearly anything sent to them ... so end user education is important!



donald.smith at qwest.com giac




-----Original Message-----
From: Scott Keagy [mailto:Scott.Keagy at webex.com]
Sent: Tue 4/12/2005 3:41 PM
To: Diana Cionoiu; Michael Shields
Cc: Smith, Donald; voipsec at voipsa.org; securityrequirements at voipsa.org
Subject: RE: [VOIPSEC] VOIP for free??
 
Actually, it's not very difficult to get in the middle. Here are a variety
of points of vulnerability that enable someone to get in the middle:

DNS (modify entries to point all traffic to a hacker's machine)
DHCP (make all traffic go to hacker's machine as default gateway, or change DNS entry to point at hacker's machine so all names resolve to hacker's IP addr)
ARP (reply with hacker's MAC address, gratuitous ARPs or regular ARP replies)
Flood CAM tables in switches to destroy existing MAC addr/port associations so all traffic is broadcast out every port, and then use ARP attacks
Routing protocols (change routing such that traffic physically passes through a router/machine controlled by hacker)
Spanning tree attacks to change layer 2 forwarding topology
Various control protocols that switches use such as VTP
Physical insertion (e.g. PC with dual NIC cards)

These are just some of the mechanisms to become a man-in-the-middle.

Each of these can be performed in most Fortune 500 companies today with
relative anonymity (just need to have access to the network as a disgruntled
employee or through social engineering). There are a variety of solutions
proposed or recently available, but they are far from widely deployed.
Example technologies that could thwart many of these attacks: DNSSEC,
authenticated routing protocols, 802.1x, 802.11i (applied to wired ethernet
to authenticate every Ethernet frame), port-based ACLs on layer 2 switches,
and various specific fixes in layer 2 switches to harden against control
protocols and restrict the forwarding of unnecessary traffic.

Regards,
Scott
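Of the vectors listed above, ARP is the one a defender can watch for from inside the broadcast domain with nothing more than a passive listener. As an added example (not code from this thread or any of its authors), here is a small Python detector that flags any IP whose sender MAC changes between ARP replies, run over a constructed sample; the 10.0.0.1 gateway and its MAC are hypothetical values:

```python
# Added example: passive ARP-spoof detection for one broadcast domain.
# Constructed sample of ARP replies as a monitor on the LAN might record them:
# (timestamp, sender IP, sender MAC, gratuitous?). The 10.0.0.1 gateway binding
# is hypothetical; at 3.5 s a second MAC starts claiming the gateway's IP.
SAMPLE_ARP_REPLIES = [
    (1.0, "10.0.0.1", "00:11:22:33:44:01", False),   # gateway answers normally
    (2.0, "10.0.0.50", "00:11:22:33:44:50", False),  # a phone on the same LAN
    (3.5, "10.0.0.1", "DE:AD:BE:EF:00:01", True),    # gratuitous reply, new MAC for gateway IP
    (4.0, "10.0.0.1", "de:ad:be:ef:00:01", False),   # same rogue MAC answering a request
    (5.0, "10.0.0.50", "00:11:22:33:44:50", False),  # phone binding unchanged: no alert
]


def detect_arp_conflicts(replies, trusted_bindings=None):
    """Return alerts for every reply whose sender MAC disagrees with the
    binding already recorded for that IP.

    trusted_bindings: optional dict of IP -> MAC that the operator knows
    (for example the default gateway); these are seeded before learning so a
    rogue reply seen first still conflicts with the trusted value.
    Learned bindings are taken from the first reply for an IP and never
    overwritten, so a persistent spoofer keeps generating alerts.
    """
    bindings = {ip: mac.lower() for ip, mac in (trusted_bindings or {}).items()}
    alerts = []
    for ts, ip, mac, gratuitous in replies:
        mac = mac.lower()                 # normalise case before comparing
        known = bindings.get(ip)
        if known is None:
            bindings[ip] = mac            # first sighting: learn it
        elif known != mac:
            alerts.append({
                "time": ts, "ip": ip, "expected_mac": known,
                "seen_mac": mac, "gratuitous": gratuitous,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_conflicts(SAMPLE_ARP_REPLIES):
        print("ARP conflict at t=%.1f: %s expected %s but saw %s%s" % (
            alert["time"], alert["ip"], alert["expected_mac"], alert["seen_mac"],
            " (gratuitous)" if alert["gratuitous"] else ""))
```

On a real network the same logic sits behind a packet capture of opcode-2 ARP frames; seeding the gateway and other fixed hosts via trusted_bindings is what makes the first rogue reply visible rather than learned.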
 

-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Diana Cionoiu
Sent: Monday, April 11, 2005 7:59 AM
To: Michael Shields
Cc: Smith, Donald; voipsec at voipsa.org; securityrequirements at voipsa.org
Subject: Re: [VOIPSEC] VOIP for free??

Hello Michael,

I was referring to the fact that you have to be in the middle (as in man-in-the-middle), which is far more complicated than you may think.

Diana


> Diana Cionoiu wrote:
> > RTP is not trivial to listen to,
> > and anyway whoever can listen to your phone calls can also see your Yahoo, 
> > ICQ, MSN, IRC messages, so I think first we should solve those 
> > things and then go after plain VoIP.
> 
> I am not sure why you say this.  For over two years, Ethereal has been 
> able to decode RTP streams and save the audio into a file.  This only 
> takes a few clicks, and with a little time you could automate it
> completely.
> 
> It is true that other more widely used protocols also have 
> vulnerabilities, including DNS, SMTP, and HTTP.  However, work on VOIP 
> security does not block work on other protocols, so that is no reason 
> to put VOIP security work on hold.  It is easier to fix problems now 
> while the protocols are still in relatively limited deployment.
> 

_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org