[VOIPSEC] [VOIPSA Tech Board] Do we want to make a statement on this VoIP hacking story to the VOIPSEC list? First Major VoIP Hacking Scheme Uncovered

David Endler david.endler at voipsa.org
Mon Nov 7 14:15:05 CST 2005


To add a little more color to the thread below, we discussed this news 
article in depth last week within VOIPSA's technical board of advisors.  We 
came to the conclusion that the issue was probably overhyped for the sake of 
selling full copies of the author's report.  Based upon the experiences of 
the board, some of whom were interviewed by the reporter, it seemed evident 
that this issue reflects a toll fraud threat that is neither new nor 
completely undetected in the VoIP world.  Not having purchased a full 
version of the report, we cannot comment specifically on its technical 
merits.

David Endler
Chairman, VOIPSA

----- Original Message ----- 
From: "Hallam-Baker, Phillip" <pbaker at verisign.com>
To: <dhiraj.2.bhuyan at bt.com>; <ishatenko at voipshield.com>; 
<bmaterna at voipshield.com>; <rtimmons at voipshield.com>; 
<pslaby at voipshield.com>; <dan_york at Mitel.com>; <leaders at voipsa.org>; 
<Voipsec at voipsa.org>
Sent: Monday, November 07, 2005 12:54 PM
Subject: Re: [VOIPSA Tech Board] [VOIPSEC] Do we want to make 
a statement on this VoIP hacking story to the VOIPSEC list? 
First Major VoIP Hacking Scheme Uncovered


> Internet crime comes in many forms. The form that is causing widespread
> concern is the form where the consumer is targeted.
>
> This particular attack is not a general concern for the simple reason
> that the only party that is going to be affected is the telephone
> service provider whose systems are vulnerable. The security
> vulnerability is easily defined and remediation schemes exist already.
> Deployment of the necessary security controls is a straightforward
> calculation: will the benefit of reduced fraud outweigh the cost?
>
>
> It is not inevitable that security problems become chronic. In fact we
> now have a lot of information that allows us to predict with a high
> degree of confidence whether a problem will become chronic or not. There
> are a number of factors which increase the likelihood of the problem
> becoming chronic:
>
>   1) Threat is not considered seriously, remediation is not pro-active
>   2) The party that suffers the loss does not control the
>      infrastructure with the vulnerability that is being exploited
>   3) A social engineering vulnerability is exploited
>   4) Deployment of security enhancements requires changes at the
>      end-points
>
> None of these factors apply to VOIP so the security problems should not
> become chronic unless people become complacent and do nothing to
> remediate vulnerabilities in a timely fashion.
>
> The VOIP related security problems that worry me are VOIP borne junk
> calls, junk fax, 419 advance fee frauds and premium rate billing fraud.
>
>
>
>
>> -----Original Message-----
>> From: Voipsec-bounces at voipsa.org
>> [mailto:Voipsec-bounces at voipsa.org] On Behalf Of
>> dhiraj.2.bhuyan at bt.com
>> Sent: Monday, November 07, 2005 1:36 PM
>> To: ishatenko at voipshield.com; bmaterna at voipshield.com;
>> rtimmons at voipshield.com; pslaby at voipshield.com;
>> dan_york at Mitel.com; leaders at voipsa.org; Voipsec at voipsa.org
>> Subject: Re: [VOIPSEC] [VOIPSA Tech Board] Do we want to make
>> a statement on this VoIP hacking story to the VOIPSEC list?
>> First Major VoIP Hacking Scheme Uncovered
>>
>> There are security issues in many of the current VoIP billing
>> solutions that still need to be addressed. For example, a
>> "modified" SIP phone may initiate a call and once the call is
>> established, the SIP phone terminates the call (at SIP
>> layer), but continues sending and receiving the RTP media
>> streams. Since the RTP media stream is end to end (for most
>> VoIP solutions), the billing system is fooled into believing
>> that the call is over.
>>
>> Dhiraj Bhuyan
>> Senior Security Researcher
>> British Telecom, UK
>>
>> -----Original Message-----
>> From: Voipsec-bounces at voipsa.org on behalf of Igor Shatenko
>> Sent: Mon 11/7/2005 5:49 PM
>> To: Bogdan Materna; Richard Timmons; Paul Slaby;
>> dan_york at Mitel.com; leaders at voipsa.org; Voipsec at voipsa.org
>> Subject: Re: [VOIPSEC] [VOIPSA Tech Board] Do we want to make
>> a statement on this VoIP hacking story to the VOIPSEC list?
>> First Major VoIP Hacking Scheme Uncovered
>>
>> Hi,
>>
>>
>>
>> Issue is definitely overblown by media. It looks like the
>> bug in software and not the fundamental issue of billing
>> services. I think, in general, call billing should be based
>> on Call initiation and RTP stream continuity versus end call
>> setup. Regarding vulnerability: every claim like this should
>> be supported by hard evidence, rather than talking about some
>> billing companies. I agree with Dan on this.
>>
>>
>>
>> Sincerely,
>>
>>
>>
>> Igor Shatenko
>>
>>
>>
>> Senior Security Analyst
>>
>> VoIPshield Systems Inc.
>> 16 Fitzgerald Road, Suite 250
>>
>> Ottawa, Ontario K2H 8R6
>>
>> Tel. (613) 224-4443 ext. 320
>> fax (613) 224-3891
>>
>> SIP: 313 at voipshield.com
>> email: ishatenko at voipshield.com
>>
>>
>>
>> ________________________________
>>
>> From: leaders-bounces at voipsa.org
>> [mailto:leaders-bounces at voipsa.org] On Behalf Of dan_york at Mitel.com
>> Sent: November 7, 2005 12:02 PM
>> To: leaders at voipsa.org
>> Subject: [VOIPSA Tech Board] Do we want to make a statement
>> on this VoIP hacking story to the VOIPSEC list? [VOIPSEC]
>> First Major VoIP Hacking Scheme Uncovered
>> Importance: High
>>
>>
>> VOIPSA Tech Board members,
>>
>> While we discussed - and dismissed - this "story" about a
>> massive VoIP hacking scheme on our own internal "leaders"
>> list for the VOIPSA technical board, someone did post the
>> link to the public VOIPSEC mailing list (as shown below).
>> I've also personally fielded yet more inquiries from various
>> folks who have seen this story cross-posted in various places.
>>
>> Given that we know that it's overblown hype, do we want to
>> make what amounts to a public statement to that effect?
>>
>> I'm not saying that we issue a news release, etc., but a
>> reply to the posting in the VOIPSEC mailing list from, say,
>> you, David (not to put you on the spot, but... ), or Jonathan
>> or someone else from the VoIPSA board might be an effective
>> way to pour some water on the fire (and show that VOIPSA has
>> some value in its communication between members).  I honestly
>> hate to give the article author the additional exposure of a
>> response...
>> so I don't know.
>>
>> Perhaps something like:
>>
>>   We have investigated the article and as best we can tell this has
>>   to do with modifying the billing codes to obtain free calls,
>>   something that has always been a concern in PBX environments and
>>   something which most products guard against.  We have contacted
>>   VOIPSA members, including one quoted in the article, and received
>>   agreement that this is not anything new and is not at all anything
>>   specific to VoIP.  VOIPSA members continue to monitor the issue but
>>   at the moment have not been able to find any indication of actual
>>   exploits of this suggested vulnerability beyond a couple of
>>   isolated cases.
>>
>> The problem, of course, is that any response like that begs
>> the addition of:
>>
>>   We would ask the author to make publicly available any
>>   information he has about actual exploits as we have not yet
>>   found any real evidence of this.
>>
>> Or something like that.  On the one hand, I don't think we
>> want to challenge the author, but on the other hand, I think
>> we want to make sure people don't treat this as a real threat.
>>
>> I don't know if we want to do this, but if there was a
>> statement from VOIPSA, I think it would help reassure people
>> (and we individual members can then point to the VOIPSA message).
>>
>> Thoughts?   Should we do this?
>>
>> Regards,
>> Dan
>>
>> --
>> Dan York, CISSP, Director of IP Technology, Office of the CTO
>> Mitel Corporation   http://www.mitel.com/  dan_york at mitel.com
>> Ph: +1-613-592-2122   350 Legget Drive, Ottawa, ON, K2K 2W7 Canada
>> PGP key (F7E3C3B4) available for secure communication
>>
>> ----- Forwarded by Dan York/Kan/Mitel on 11/07/2005 11:21 AM ----- 
>>
>>
>>
>> Hank Nussbacher <hank at efes.iucc.ac.il>
>> Sent by: Voipsec-bounces at voipsa.org
>>
>> 11/06/2005 01:25 AM
>>
>>
>>         To:        voipsec at voipsa.org
>>         cc:
>>         Subject:        [VOIPSEC] First Major VoIP Hacking Scheme
>> Uncovered
>>
>>
>>
>>
>> http://www.accessintel.com/cgi-bin/press/show.cgi?1130972376
>>
>> "According to Zipper, hackers have figured out a way to
>> manipulate the IP stream in order to steal long-distance
>> service. Many in the communications industry are keeping
>> things quiet while they assess the full extent of the
>> potential damage, but sources admit this security breach
>> "could expose a lot of companies to a great deal of fraud.""
>>
>> -Hank
>>
>>
>> _______________________________________________
>> Voipsec mailing list
>> Voipsec at voipsa.org
>> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>>
>
> _______________________________________________
> leaders mailing list
> leaders at voipsa.org
> http://voipsa.org/mailman/listinfo/leaders_voipsa.org
>
>
> 
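
Added example, not part of the original thread: a detection sketch for the billing gap described in Dhiraj Bhuyan's message, where the SIP dialog ends but the end-to-end RTP stream keeps flowing. It reconciles call detail records from signalling against RTP flow records seen on the wire; the record layouts, field names, grace period and sample data are all constructed assumptions, and each stream direction is assumed to be exported as one flow record.

```python
from dataclasses import dataclass

GRACE_SECONDS = 5.0  # assumed tolerance for packets still in flight after BYE

@dataclass(frozen=True)
class Cdr:             # what the billing system learned from SIP signalling
    call_id: str
    answered: float    # time of 200 OK to INVITE (epoch seconds)
    bye: float         # time of BYE, where billing stops
    media: frozenset   # the two RTP endpoints ("ip:port") negotiated in SDP

@dataclass(frozen=True)
class RtpFlow:         # what a border element or flow probe saw on the wire
    src: str
    dst: str
    first_seen: float
    last_seen: float

def media_after_bye(cdrs, flows, grace=GRACE_SECONDS):
    """Return (call_id, unbilled_seconds) for calls whose RTP outlived the BYE."""
    findings = []
    for cdr in cdrs:
        overrun = 0.0
        for f in flows:
            if frozenset((f.src, f.dst)) != cdr.media:
                continue  # flow belongs to some other call
            # Must overlap the signalled call; a flow that starts after the
            # BYE is treated as later reuse of the same ports, not this call.
            if f.first_seen > cdr.bye or f.last_seen < cdr.answered:
                continue
            overrun = max(overrun, f.last_seen - cdr.bye)
        if overrun > grace:
            findings.append((cdr.call_id, round(overrun, 1)))
    return findings

# Constructed sample data (documentation and private address ranges).
CDRS = [
    Cdr("a1", 1000.0, 1060.0, frozenset({"10.0.0.5:4000", "192.0.2.9:6000"})),
    Cdr("b2", 1000.0, 1030.0, frozenset({"10.0.0.7:4002", "192.0.2.9:6002"})),
]
FLOWS = [
    RtpFlow("10.0.0.5:4000", "192.0.2.9:6000", 1000.2, 1061.0),  # stops at BYE
    RtpFlow("10.0.0.7:4002", "192.0.2.9:6002", 1000.1, 1930.0),  # runs on
    RtpFlow("192.0.2.9:6002", "10.0.0.7:4002", 1000.3, 1929.5),
]

if __name__ == "__main__":
    for call_id, seconds in media_after_bye(CDRS, FLOWS):
        print(f"call {call_id}: RTP continued {seconds}s after BYE")
```

The same reconciliation is what billing on "RTP stream continuity", as suggested in the thread, would rely on: the media path has to be observable at a point the provider controls.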