[VOIPSEC] FW: fyi: Pharming against IP telephony
Doug Fleming
dfleming at arbor.net
Thu Jun 30 09:57:39 CDT 2005
A flow based behavioral model of VoIP network elements (SBC, SIP proxy, etc)
and subsequent client-server interaction with validation of client bits via
an authorization could allow for a more complete view of legitimate behavior
of a VoIP network and a basis for alerting as to when that behavior is
different.

If you can understand the behavior of the authorized user base (and the
condition of the network elements during that time) recognizing and
identifying security incidents may get easier. This also plays well for
compliance based testing since you can analyze, summarize and report on
client and network element behavior (and misbehavior).

Also, comparison of flow based data within the VoIP network to known attack
profiles (pharming being one of them) would allow for quick recognition of
known Internet wide malicious behavior almost instantly, and certainly would
shed some light on intra-provider behavior like pharming with data points for
analysis (both client and server) from multiple networks simultaneously.

One of the more distinct advantages for a VoIP network is there is a fairly
endpoint fixed architecture; a behavioral model of that architecture
improves your chances for detection of and action against malicious activity
to and from those endpoints.
-----------------------------------------------
Doug Fleming
AIM: fahttyMD
703-842-7572
> -----Original Message-----
> From: Voipsec-bounces at voipsa.org
> [mailto:Voipsec-bounces at voipsa.org] On Behalf Of Irwin Lazar
> Sent: Sunday, June 26, 2005 11:50 PM
> To: voipsec at voipsa.org
> Subject: [VOIPSEC] FW: fyi: Pharming against IP telephony
>
>
> FYI: Forwarded for discussion:
>
> Any thoughts on prevention mechanisms? SSL seems to be a possibility.
>
>
>
>
> http://www.cybercrimelaw.org/index.cfm Thursday, June 09 |
> Pharming threats to IP phone networks described
>
> Pharming against IP telephony is now only possible, it is
> probable. ZDNet describes how pharming (or "poisoning" a DNS
> server to reroute traffic to a different destination) may be
> used to redirect IP phone traffic from the intended recipient
> to another location. Imagine you dialing your bank's number,
> entering your SSN and password at the voice prompts, and then
> a month later, having your identity stolen.
>
> Pharming exploits vulnerabilities in a piece of network
> equipment responsible for translating e-mail and Web
> addresses into IP addresses. Security experts speaking at
> Supercomm this week said that, by hijacking a domain-name
> system (DNS) server--a computer that stores and organizes IP
> addresses--pharmers get control of VoIP calls.
>
> Without their knowledge, VoIP users' calls could then be
> redirected to IP addresses completely different from the ones
> the users dialed, warns Paul Mockapetris, the inventor of the
> domain name system.
>
> 6/7/2005
>
>
> Pharming threats to IP phone networks described
>
>
> -Posted by Russell Shaw @ 5:51 am
>
> * General <http://blogs.zdnet.com/ip-telephony/index.php?cat=1>
>
> * Security <http://blogs.zdnet.com/ip-telephony/index.php?cat=2>
>
> From the giant Supercomm <http://www.supercomm2005.com/> telephony
> trade show in Chicago, colleague Ben Charny reports
> <http://news.zdnet.com/2100-1009_22-5734117.html> today on
> concerns about a VoIP flavor of pharming. It's DNS cache
> poisoning, pure and simple.
>
> As Ben explains, pharming can exploit vulnerabilities in
> certain network equipment that translates email and Web
> addresses into IP addresses. Security experts at Supercomm
> are pointing out that by hijacking a domain-name server that
> organizes and stores IP addresses, pharmers can obtain
> control of VoIP calls.
>
> You don't want that to happen. Why? Your VoIP calls, or
> callers, could be directed to unintended and perhaps
> malicious, IP addresses.
>
> We'll be monitoring insights from Supercomm for solutions. If
> you have any, we'd like to hear about them as well. Post a TalkBack.
>
>
>
>
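The flow-based baseline described in the reply above, as an added example that is not part of the original thread or any poster's code: it learns which signalling servers each client normally uses and flags signalling flows that deviate, the symptom a poisoned DNS answer would produce. The flow records, addresses (RFC 5737 documentation ranges), the authorized-element list and the severity labels are all constructed assumptions.

```python
from collections import defaultdict, namedtuple

# Constructed flow records (RFC 5737 documentation addresses), not real traffic.
Flow = namedtuple("Flow", "src dst dport proto")

SIP_PORTS = {5060, 5061}  # standard SIP and SIP-over-TLS signalling ports

# Assumption: the provider's authorized signalling elements (SIP proxy, SBC).
AUTHORIZED_ELEMENTS = {"192.0.2.10", "192.0.2.11"}

BASELINE_FLOWS = [  # learning period: known-good client/server interaction
    Flow("198.51.100.21", "192.0.2.10", 5060, "udp"),
    Flow("198.51.100.22", "192.0.2.10", 5060, "udp"),
    Flow("198.51.100.22", "192.0.2.11", 5061, "tcp"),
]

OBSERVED_FLOWS = [
    Flow("198.51.100.21", "192.0.2.10", 5060, "udp"),    # matches baseline
    Flow("198.51.100.22", "203.0.113.66", 5060, "udp"),  # unknown signalling server
    Flow("198.51.100.99", "192.0.2.10", 5060, "udp"),    # client never baselined
    Flow("198.51.100.21", "192.0.2.11", 5061, "tcp"),    # authorized, new for client
]

def build_baseline(flows):
    """Map each client to the signalling servers it used during learning."""
    baseline = defaultdict(set)
    for f in flows:
        if f.dport in SIP_PORTS:
            baseline[f.src].add(f.dst)
    return dict(baseline)

def detect(flows, baseline, authorized=AUTHORIZED_ELEMENTS):
    """Return (severity, reason, flow) for signalling flows that deviate."""
    alerts = []
    for f in flows:
        if f.dport not in SIP_PORTS:
            continue
        if f.dst not in authorized:
            alerts.append(("high", "signalling to unauthorized server", f))
        elif f.src not in baseline:
            alerts.append(("medium", "client absent from baseline", f))
        elif f.dst not in baseline[f.src]:
            alerts.append(("low", "new authorized element for client", f))
    return alerts

if __name__ == "__main__":
    for sev, reason, f in detect(OBSERVED_FLOWS, build_baseline(BASELINE_FLOWS)):
        print(f"{sev:6} {reason}: {f.src} -> {f.dst}:{f.dport}/{f.proto}")
```

Because the endpoint architecture is largely fixed, the baseline stays small, and a client whose signalling suddenly targets an address outside the authorized set stands out without any payload inspection.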