[SPAM] RE: [VOIPSEC] Actual Attacks

Christopher A. Martin chris at infravast.com
Fri Feb 25 20:34:24 CST 2005


One other side note to this topic...
One of the funny things about existing attacks against VoIP services...to
date the big ones that I have seen and mitigated involve the application
being implemented with either default values or the OS/Hardware not being
properly hardened or secured by firewalls/IPSec.



Christopher A. Martin
P.O. Box 1264
Cedar Hill, Texas 75106
Chris at InfraVAST.com
> -----Original Message-----
> From: Brian Rosen [mailto:br at brianrosen.net]
> Sent: Friday, February 25, 2005 7:19 PM
> To: Chris at sip1.com; 'Mark Teicher'; voipsec at voipsa.org
> Subject: [SPAM] RE: [VOIPSEC] Actual Attacks
> 
> Chris
> 
> I'm pretty heavily involved in SIP standards development, and have been for
> some time.  I talk regularly with the kind of folks that I think would know
> if their stuff had been "hit".  I know about plenty of attacks on the
> underlying infrastructure, including the platform attacks.  I have NEVER
> heard even a whisper of an actual attack on VoIP equipment that used
> exploits specifically related to SIP (which I don't think is substantially
> better or worse than other VoIP protocols).  There is one exception, which
> is when the Uppsala tests came out, some folks saw script kiddies using the
> test scripts against some devices.  As we know, most devices did crash first
> time out with those tests.  So I agree that there have been attacks, primarily
> using platform vulnerabilities, but I don't think there have been many attacks
> directly on the VoIP stuff.
> 
> With regard to eavesdropping, it's not very easy to eavesdrop within a
> corporate network unless you have physical access to the switches, or, for a
> really knowledgeable hacker, passwords to the network management systems.
> The nature of the switched architecture is that packets come in one port and
> go out ONE other port; it's not a bus or broadcast system any more.
> 
> Now, I always assume it's possible when designing systems; assume that every
> switch is a bridge..., but the reality is that sniffing packets for VoIP is
> much harder than most people think it is.
> 
> Brian
> 
> > -----Original Message-----
> > From: Christopher A. Martin [mailto:chris at sip1.com]
> > Sent: Friday, February 25, 2005 6:51 PM
> > To: 'Brian Rosen'; 'Mark Teicher'; voipsec at voipsa.org
> > Subject: RE: [VOIPSEC] Actual Attacks
> >
> > Hi Brian,
> > Just a little comment on your question...
> >
> > Many of these attacks do involve the use of protocols other than SIP to
> > perform, such as DNS poisoning, which is a real existing threat today due to
> > complacency or resource issues (in terms of staff and time).
> >
> > The reason you won't hear much about any real exploits is that no one wants
> > this to get out. Even in existing non-VoIP implementations, until regulators
> > stepped in (Sarbanes-Oxley, etc...) no one wanted this dirty laundry to go
> > public...and I suspect even with regulations secrets will be kept as long as
> > possible.
> >
> > You are correct though on the eavesdropping; this typically will be an
> > insider attack (which as statistics show is about 70% of actual enterprise
> > threat) or kiddies on wifi and cable modems as you noted.
> >
> > This is one of the reasons that I focus on the big picture when developing
> > the preventive measures for an infrastructure. SIP is one piece, but it can
> > easily be the facilitator that was missing in the past for true
> > exploitation. This is however at the moment an unfounded comment...to
> > date.
> >
> > Christopher A. Martin
> > P.O. Box 1264
> > Cedar Hill, Texas 75106
> > Chris at InfraVAST.com
> >
> > > -----Original Message-----
> > > From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org]
> On
> > > Behalf Of Brian Rosen
> > > Sent: Friday, February 25, 2005 4:32 PM
> > > To: 'Mark Teicher'; voipsec at voipsa.org
> > > Subject: RE: [VOIPSEC] Actual Attacks
> > >
> > > Are you aware of this actually happening, or is this all theoretical?
> > >
> > > I've never heard of actual incidents of any of this.
> > >
> > > The latter (eavesdropping) is actually the reverse; when we do testing, we
> > > have to go through all kinds of grief to allow the sniffers to get at the
> > > packets.  Someone has to actually bring a hub (not a switch) so we can sniff
> > > the packets.  You can, of course, run Ethereal on some of the actual
> > > devices.  It's amazingly hard to sniff packets in a typical switched
> > > architecture.  When we implement CALEA (legal wiretap), it takes a special
> > > box that we force all the traffic to go through so we can copy the packets
> > > to the LEA.
> > >
> > > WiFi and your neighbor's cable modem excepted, of course.
> > >
> > > Brian
> > >
> > > > -----Original Message-----
> > > > From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org]
> > On
> > > > Behalf Of Mark Teicher
> > > > Sent: Friday, February 25, 2005 4:37 PM
> > > > To: voipsec at voipsa.org
> > > > Subject: RE: [VOIPSEC] Actual Attacks
> > > >
> > > > Actual Attacks
> > > >
> > > > SIP Proxy Impersonation
> > > > SIP Proxy Hijacking
> > > > Message Tampering - hard to devise a common exploit across VOIP
> > > > platforms, but most likely possible
> > > > Denial of Service - depends on the packet, usually just causes a phone to
> > > > reset, or a port to shutter on the gateway; call server more vulnerable
> > > > due to the underlying operating system
> > > > Session Attack - hard to devise a common exploit applicable across all
> > > > VOIP platforms, possible on some of the well known vendors
> > > > Eavesdropping - more feasible than most, especially if some of the default
> > > > features of the particular VOIP equipment are not configured properly.
> > > >
> > > > -----Original Message-----
> > > > From: Robert Moskowitz <rgm at icsalabs.com>
> > > > Sent: Feb 25, 2005 1:56 PM
> > > > To: Brian Rosen <br at brianrosen.net>, 'Simon Horne'
> > <security at isvo.net>,
> > > > 	voipsec at voipsa.org
> > > > Subject: RE: [VOIPSEC] Actual Attacks
> > > >
> > > > At 09:36 AM 2/24/2005, Brian Rosen wrote:
> > > >
> > > > >"Web of Trust" is a failed concept.  It works, but we have not been able
> > > > >to successfully deploy it on a large scale.
> > > >
> > > > But it CAN work for groups of friends.
> > > >
> > > > >Certificate authority chains work only within an enterprise.  We have not
> > > > >really made them work well outside of that.
> > > >
> > > > Check out ACES.
> > > >
> > > > Check out the Federal PKI and work being done to duplicate it in commercial
> > > > settings (drug industry for one).  Note I am the author of the Bridge CA
> > > > model in the federal PKI.
> > > >
> > > > Thing is you REALLY need a reason to get PKIs to work together.  Mail was
> > > > never one.  But VoIP could be.
> > > >
> > > >
> > > > Robert Moskowitz
> > > > Senior Technical Director
> > > > ICSA Labs, a division of Cybertrust, Inc.
> > > > W:      248-968-9809
> > > > F:      248-968-2824
> > > > E:      rgm at icsalabs.com
> > > >
> > > > There's no limit to what can be accomplished
> > > > if it doesn't matter who gets the credit
> > > >
> > > >
> > > >
> > > > _______________________________________________
> > > > Voipsec mailing list
> > > > Voipsec at voipsa.org
> > > > http://voipsa.org/mailman/listinfo/voipsec_voipsa.org