[SPAM] RE: [VOIPSEC] Actual Attacks
Geir Harris Hedemark
geir at dod.no
Sat Feb 26 07:57:10 CST 2005
"Christopher A. Martin" <chris at infravast.com> writes:
> One other side note to this topic...
> One of the funny things about existing attacks against VoIP services...to
> date the big ones that I have seen and mitigated involve the application
> being implemented with either default values or the OS/Hardware not being
> properly hardened or secured by firewalls/IPSec.
The one really big vulnerability I have seen in VOIP services viewed
at the system level was the web front-end created by a VOIP
provider. Admittedly, I haven't seen very many.
Who cares if you spend half a year securing your VOIP backend if you
are trusting the web browser of your users to proxy the SQL statements
you are using to handle your configuration database?
Security is a weakest-link problem. I think that many VOIP providers
based on old telco knowledge may find themselves with a cultural
problem in the future. All of a sudden, integration with a web
presence may be a make or break for the company as a whole. I have
worked in both areas, and I have no problem imagining a VOIP company
controlled by telco throughbreds with blinkers on where a couple of
junior people are hired to cobble together a web presence in a couple
of hours.
If that happens, expect to have sql injection vulnerabilities and
other trivial web-based exploits en masse.
People trying to find a weak link will try to find your weak link. If
your weak link is not being interested in a certain kind of
technology, then that is where the attack will most likely appear.
Geir
More information about the Voipsec
mailing list