[VOIPSEC] Actual Attacks
Christopher A. Martin
chris at sip1.com
Fri Feb 25 17:50:39 CST 2005
Hi Brian,
Just a little comment on your question...
Many of these attacks do involve the use of protocols other than SIP to
perform, such as DNS poisoning, which is a real existing threat today due to
complacency or resource issues (in terms of staff and time).
The reason you won't hear much about any real exploits is that no one wants
this to get out. Even in existing non-VoIP implementations, until regulatory
stepped in (Sarbanes-Oxley, etc...) no one wanted this dirty laundry to go
public...and I suspect even with regulations secrets will be kept as long as
possible.
You are correct though on the eavesdropping, this typically will be an
insider attack (which as statistics show is about 70% of actual enterprise
threat) or kiddies on wifi and cable modems as you noted.
This is one of the reasons that I focus on the big picture when developing
the preventive measures for an infrastructure. SIP is one piece, but it can
easily be the facilitator that was missing in the past for true
exploitation. This is however at the moment an unfounded comment...to date.
Christopher A. Martin
P.O. Box 1264
Cedar Hill, Texas 75106
Chris at InfraVAST.com
> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
> Behalf Of Brian Rosen
> Sent: Friday, February 25, 2005 4:32 PM
> To: 'Mark Teicher'; voipsec at voipsa.org
> Subject: RE: [VOIPSEC] Actual Attacks
>
> Are you aware of this actually happening, or is this all theoretic?
>
> I've never heard of actual incidents of any of this.
>
> The latter (eavesdropping) is actually the reverse; when we do testing, we
> have to go through all kinds of grief to allow the sniffers to get at the
> packets. Someone has to actually bring a hub (not a switch) so we can sniff
> the packets. You can, of course, run Ethereal on some of the actual
> devices. It's amazingly hard to sniff packets in a typical switched
> architecture. When we implement CALEA (legal wiretap), it takes a special
> box that we force all the traffic to go through so we can copy the packets
> to the LEA.
>
> WiFi and your neighbor's cable modem excepted, of course.
>
> Brian
>
> > -----Original Message-----
> > From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
> > Behalf Of Mark Teicher
> > Sent: Friday, February 25, 2005 4:37 PM
> > To: voipsec at voipsa.org
> > Subject: RE: [VOIPSEC] Actual Attacks
> >
> > Actual Attacks
> >
> > SIP Proxy Impersonation
> > SIP Proxy Hijacking
> > Message Tampering - hard to devise a common exploit across VOIP
> > platforms, but most likely possible
> > Denial of Service - depends on the packet, usually just causes a phone to
> > reset, or a port to shutter on the gateway, call server more vulnerable
> > due to the underlying operating system
> > Session Attack - hard to devise a common exploit applicable across all
> > VOIP platforms, possible on some of the well known vendors
> > Eavesdropping - more feasible than most, especially if some of the default
> > features of the particular VOIP equipment are not configured properly.
> >
> > -----Original Message-----
> > From: Robert Moskowitz <rgm at icsalabs.com>
> > Sent: Feb 25, 2005 1:56 PM
> > To: Brian Rosen <br at brianrosen.net>, 'Simon Horne' <security at isvo.net>,
> > voipsec at voipsa.org
> > Subject: RE: [VOIPSEC] Actual Attacks
> >
> > At 09:36 AM 2/24/2005, Brian Rosen wrote:
> >
> > >"Web of Trust" is a failed concept. It works, but we have not been able to
> > >successfully deploy in a large scale.
> >
> > But it CAN work for groups of friends.
> >
> > >Certificate authority chains work only within an enterprise. We have not
> > >really made them work well outside of that.
> >
> > Check out ACES.
> >
> > Check out the Federal PKI and work being done to duplicate it in commercial
> > settings (drug industry for one). Note I am the author of the Bridge CA
> > model in the federal PKI.
> >
> > Thing is you REALLY need a reason to get PKIs to work together. Mail was
> > never one. But VoIP could be.
> >
> >
> > Robert Moskowitz
> > Senior Technical Director
> > ICSA Labs, a division of Cybertrust, Inc.
> > W: 248-968-9809
> > F: 248-968-2824
> > E: rgm at icsalabs.com
> >
> > There's no limit to what can be accomplished
> > if it doesn't matter who gets the credit
> >
> >
> >
> > _______________________________________________
> > Voipsec mailing list
> > Voipsec at voipsa.org
> > http://voipsa.org/mailman/listinfo/voipsec_voipsa.org