[VOIPSEC] Interesting Article - Many VOIP vulnerabilities few exploits?

Diana Cionoiu diana-liste at voip.null.ro
Thu Dec 20 08:41:27 CST 2007


Hello Klaus,

Just that Asterisk is not really used in places where the harm can be 
high. I know that most outsiders see Asterisk as being very widely 
implemented, but that is not happening in large deployments.

Diana

Klaus Darilion wrote:
> Craig schrieb:
>   
>> http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9053452&source=rss_news50
>>
>>
>> The above article predicts that there will not be many (or any) major VOIP
>> attacks next year.  The primary reasons the author gives are:
>>
>> 1. that most VOIP deployments are behind corporate network protections, 
>> 2. that most deployments are using proprietary protocols and
>> 3. the ROI for attackers isn't very high.
>>
>>
>> None of these reasons hasn't been stated before.  What is new is the fact
>> that the article is saying that 2008 won't bring any major crippling
>> attacks; the kind that create headlines in mainstream media.  
>>
>> Thinking about it, that makes sense.  After all, although VOIP may be
>> spreading, it is doubtful that a single attack, or even a blended attack,
>> could be created that exploits all or most VOIP implementations at once.
>>     
>
> I tend to disagree. There are lots of Asterisk boxes out there and I am 
> quite sure that many of them do NOT immediately update Asterisk after 
> security advisories. So I am quite sure I can crash many Asterisk boxes 
> by sending crafted SIP packets to random IP addresses port 5060.
>
> regards
> klaus
>
>
>   
>> Just my humble thought....
>>
>>
>> Craig L. Bowser
>> Information Assurance Manager
>> CISSP		SANS GSEC (Gold)
>> craig  reswob  net
>> -------------------------------
>> An economist is an expert who will know tomorrow why the things he predicted
>> yesterday didn't happen today. - Laurence J. Peter
>>
>>
>> _______________________________________________
>> Voipsec mailing list
>> Voipsec at voipsa.org
>> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>>     
>




