[VOIPSEC] Actual Attacks

Sembhi S sembhis at sarbject.co.uk
Fri Feb 18 06:50:47 CST 2005


Bob Rolen

Bob your point about convergence and responsibility as seen by some IT departments is right.

In some respects, much of the convergence can be broken into what was traditionally physical security domain, (i.e. Access Control,
CCTV, Alarms, etc.), and traditional telecoms domain, (i.e. VoIP, Video and Audio conferencing, etc.), which are introducing serious
security questions about the underlying protocols that have been brushed aside (by workarounds), or just not necessary in what IP
networks have been used for in the past, (e.g. basic web sites, email).

One of the areas of concern to us (we are a technology research consultancy) which opens up other vulnerabilities has been the
embedded technologies used by many of the above (e.g. CCTV, Alarms, VoIP phones, Video Conferencing) products. We have focussed
mainly on groups of products which utilise both the IP network and embedded systems, the first group we are making our research
public on is CCTV, (the next will be VoIP, hence my interest in this group).

In our work we have documented problems, incidents, trends in CCTV technology and management, and there are definitely some
similarities in the way CCTV and VoIP are dealt with in some companies due to their history in other departments. CCTVs were
controlled by 'physical security' staff, now even where the CCTV system is operating over IP network, IT staff have not necessarily
been consulted, (in some cases don't want to be, whether it's politics, budget or both).

Phil DePasquale

Phil your experience is not unusual, and publicising this could help. We have heard the same arguments in the CCTV field, and found
that there are many vulnerabilities but it is not in the interest of those incumbents in the market to promote these. As I said we
have data for the CCTV over IP products we will make public, and we have some data for VoIP, but will form part of formal research
to be made public later this year, (don't take this to mean that it will be charged for, it just means the first time we make it
public it will be in a report format, and then documented separately for open use on our site).

We haven't come across anyone documenting this data as yet, especially in the way we are doing it with the CCTV products, for one of
the research papers we undertook war-dialling open wireless CCTV systems (legally). We have been able to identify very sensitive
areas in buildings of major corporations, where it is obvious that no-one from the IT department could have been involved in the
setup. This work does not attempt to name and shame but to show that even some organisations which form part of the critical
national infrastructure have not taken steps for different security groups to communicate and protect themselves by enforcing simple
security procedures. We show that the vulnerabilities of IP based CCTV systems can be a way for criminals to get into other parts
of the IP network, and that if your company is part of the critical national infrastructure it has a greater responsibility to take
a wider overview of security than companies. Applying this to the VoIP market, if your company is considered as part of the critical
national infrastructure, then it has a responsibility (whether an immediate line manager accepts it or not) to undertake a risk
assessment before dismissing outright that a vulnerability does not exist because it is not publicised.

Currently, our web site is just under construction, until we make our work public (the first paper is due to go public at the end of
April), however if there is demand for listing problems, incidents, and trends of VoIP systems (especially those using embedded
technology), I'm sure we could probably work on something simple sooner which doesn't conflict with promotion of our VoIP work
before it is made public. Let me know, or if anyone else wants to contribute, you have my email.

On a more general note I would like to say that this forum is one of the most interesting around currently, and I congratulate you
for that.

Sarbjit Sembhi CISSP
Principal Security Consultant
Sarbject Solutions


	Message: 4
	Date: Thu, 17 Feb 2005 06:30:03 -0600
	From: "Robert  Rolen" <brolen at mindspring.com>
	Subject: [VOIPSEC] Actual Attacks
	To: <Voipsec at voipsa.org>
	Message-ID: <002001c514ec$681ac770$6401a8c0 at m2d2c1>
	Content-Type: text/plain;	charset="iso-8859-1"

	Has a catalog or database been established to report and track actual attacks against VOIP systems?  I realize there are
typical internet attacks (spoofing, Trojans, sniffers, denial of service), but are the attacks being documented to track the
increase in attacks?

	 There are a lot of telecommunications managers that are not talking with the IT departments and some of the IT departments
see the telephone system as just another responsibility added to their staff. 

	The trend of convergence for all security systems (Access Control, CCTV, Alarms) into IP networks is rapidly becoming a
reality.

	Is there a trend to continue the isolation of the telephone system from the office LAN?

	A storybook of problems, incidents and trends would go a long way to enhance the VOIP protection budget.

	Any Thoughts?
	Bob Rolen
	Birmingham, Al
