Comments on: SANS Top 20 Internet Security Attack Target List for 2006 includes VoIP for the first time http://voipsa.org/blog/2006/11/15/sans-top-20-internet-security-attack-target-list-for-2006-includes-voip-for-the-first-time/ Collective thoughts and musings on the state of VoIP security today. Thu, 07 Aug 2008 23:51:41 +0000 http://wordpress.org/?v=2.6 By: Telecom,Security and P2P » Blog Archive » SANS Top 20 Internet Security Attack Target List for 2006 includes VoIP for the first time http://voipsa.org/blog/2006/11/15/sans-top-20-internet-security-attack-target-list-for-2006-includes-voip-for-the-first-time/#comment-16552 Telecom,Security and P2P » Blog Archive » SANS Top 20 Internet Security Attack Target List for 2006 includes VoIP for the first time Sun, 28 Jan 2007 15:44:58 +0000 http://voipsa.org/blog/2006/11/15/sans-top-20-internet-security-attack-target-list-for-2006-includes-voip-for-the-first-time/#comment-16552 [...] See more comments and report at VoIPsa blog. [...] [...] See more comments and report at VoIPsa blog. [...]

]]> By: VoIP: Security Threat #5 -- Alec Saunders .LOG http://voipsa.org/blog/2006/11/15/sans-top-20-internet-security-attack-target-list-for-2006-includes-voip-for-the-first-time/#comment-5232 VoIP: Security Threat #5 -- Alec Saunders .LOG Thu, 16 Nov 2006 13:21:17 +0000 http://voipsa.org/blog/2006/11/15/sans-top-20-internet-security-attack-target-list-for-2006-includes-voip-for-the-first-time/#comment-5232 [...] Dan York has written a lengthy post on how SANS (SysAdmin, Audit, Network, Security) Insitute has identified VoIP among their top 20 Internet Security Threats for 2006.  They’ve identified six major trends in Internet security attacks, and VoIP is one of them, primarily via vulnerabilities in systems like Asterisk and Cisco Call Manager.  [...] [...] Dan York has written a lengthy post on how SANS (SysAdmin, Audit, Network, Security) Insitute has identified VoIP among their top 20 Internet Security Threats for 2006.  They’ve identified six major trends in Internet security attacks, and VoIP is one of them, primarily via vulnerabilities in systems like Asterisk and Cisco Call Manager.  [...]

]]> By: Richard http://voipsa.org/blog/2006/11/15/sans-top-20-internet-security-attack-target-list-for-2006-includes-voip-for-the-first-time/#comment-5189 Richard Thu, 16 Nov 2006 04:41:10 +0000 http://voipsa.org/blog/2006/11/15/sans-top-20-internet-security-attack-target-list-for-2006-includes-voip-for-the-first-time/#comment-5189 This does help improve the awareness of security vulnerabilities and threats related to VoIP, for engineers, managers, vendors, users and etc. This does help improve the awareness of security vulnerabilities and threats related to VoIP, for engineers, managers, vendors, users and etc.

]]> By: SANS Top 20 Internet Security Attack Target List for 2006 includes VoIP for the first time « Telecom, Security and P2P http://voipsa.org/blog/2006/11/15/sans-top-20-internet-security-attack-target-list-for-2006-includes-voip-for-the-first-time/#comment-5187 SANS Top 20 Internet Security Attack Target List for 2006 includes VoIP for the first time « Telecom, Security and P2P Thu, 16 Nov 2006 04:34:44 +0000 http://voipsa.org/blog/2006/11/15/sans-top-20-internet-security-attack-target-list-for-2006-includes-voip-for-the-first-time/#comment-5187 [...] See more comments and report at VoIPsa blog. [...] [...] See more comments and report at VoIPsa blog. [...]

]]> By: Shawn Merdinger http://voipsa.org/blog/2006/11/15/sans-top-20-internet-security-attack-target-list-for-2006-includes-voip-for-the-first-time/#comment-5124 Shawn Merdinger Wed, 15 Nov 2006 16:39:10 +0000 http://voipsa.org/blog/2006/11/15/sans-top-20-internet-security-attack-target-list-for-2006-includes-voip-for-the-first-time/#comment-5124 I find it very interesting that SANS is now recommending folks run security tools like PROTOS against their VoIP products. This could indicate the beginning of a new level of due diligence in IT shops. One of many potential issues concerns the complexity of these fuzzing tools. Aside from setup and running them correctly, there's also the very challenging aspects of determining *exactly* what the attack causing the problem actually was -- for example running these voip fuzzer testcases in different ways (forward, backward, random) can place a device under test in a strange one-off state. An example of this is from the README in the J. Oquendo's recently released Asteroid SIP tool: http://www.infiltrated.net/asteroid/ "Anyhow, I have found that by sending a certain sequence of these packets, in a certain order, servers react differently. Sometimes it will crash faster, sometimes more extensions are subscribe, etc, etc. I will not post any sequencing until vendors have patched their programs against this lame attack but, I will release the packet samples I've been working with." For those about to embark on this brave new world of customer-done QA, a "first run" of SIP tools I'd suggest running against your SIP device is the SIPSAK tool with some of the flooding options, the PROTOS SIP suite, the Asteroid suite, and ISIC (udpsic and tcpsic) against the SIP ports. I find it very interesting that SANS is now recommending folks run security tools like PROTOS against their VoIP products. This could indicate the beginning of a new level of due diligence in IT shops.

One of many potential issues concerns the complexity of these fuzzing tools. Aside from setup and running them correctly, there’s also the very challenging aspects of determining *exactly* what the attack causing the problem actually was — for example running these voip fuzzer testcases in different ways (forward, backward, random) can place a device under test in a strange one-off state. An example of this is from the README in the J. Oquendo’s recently released Asteroid SIP tool: http://www.infiltrated.net/asteroid/

“Anyhow, I have found that by sending a certain sequence of these packets, in a certain order, servers react differently. Sometimes it will
crash faster, sometimes more extensions are subscribe, etc, etc. I will not post any sequencing until vendors have patched their programs
against this lame attack but, I will release the packet samples I’ve been working with.”

For those about to embark on this brave new world of customer-done QA, a “first run” of SIP tools I’d suggest running against your SIP device is the SIPSAK tool with some of the flooding options, the PROTOS SIP suite, the Asteroid suite, and ISIC (udpsic and tcpsic) against the SIP ports.

]]>