[VOIPSEC] Cellphone Botnets, Blackmailing VOIP & a Healthy Cybercrime Economy - Desktop Security News Analysis - Dark Reading (UNCLASSIFIED)
J. Oquendo
sil at infiltrated.net
Tue Oct 21 15:58:31 CDT 2008
(Comments inlined)
>
> http://www.darkreading.com/document.asp?doc_id=166029
>
>
> The attached link goes to an article that highlights a report put out by the
> Georgia Tech Information Security Center (GTISC) regarding five emerging
> threats that the authors see coming down the pipe in 2009. One of those
> threats is against VoIP.... as usual. It talks about how VoIP DoS attacks
> will be used to blackmail organizations.
>
> As has been discussed before by many, the main reason there haven't been
> more documented attacks is due to the fact that most VoIP implementations
> are not exposed to the raw Internet. Without that exposure, is it possible
> to launch an effective VoIP specific DoS blackmail scheme against a company?
I disagree with this, I know factually of many companies - even some Fortune
100's(!) who have their VoIP infrastructure to some extent on a forward
facing Internet link. I believe the authors of this and other documents like
it are associating botnets as a "de-facto" standard method of attack. We all
have to keep in mind that a determined attacker will pull off a very structured
attack to achieve their goals.
Factually, I can find open VoIP implementations as I'm sure many on this list
can without even thinking twice about what to look for. With this said, it will
only be a matter of time before someone automates the appropriate fingerprinting
mechanism to determine which publicly available hosts have a forward facing
VoIP link on the net (nmap -sS -P0 -p 5060,5061 anyone?). Once this is done
on a grand scale, it becomes fuzzy math for the media and their articles:
"Hax0rs declare jihad on VoIP!" (I can see it now)
> And considering the two most well known publicly used VoIP services, Vonage
> and Skype, are they vulnerable to a VoIP DoS? While I know of some
> government organizations that would love to DoS Skype (at least in their
> domain), it doesn't seem likely that an infrastructure as Skype has could be
> DoS'd easily.
Skype's P2Pish implementation would be difficult to take down since its
shared spectrum VoIP (is that even a term?). While someone *might* be able
to DoS their servers, I would hope their network engineers, F5 engineers
(or whatever they use for load balancing) will have a handle on this.
> On a side note, regarding the fact that it seems VoIP is always on the lists
> of emerging threats about to happen, perhaps we, as an industry of VoIP
> security types, need to be wary that we don't push the panic button too
> often. VoIP is still new, is still developing and still has many known and
> unknown security risk, but I wonder if someone is always saying something
> 'bad' is about to happen, will the message start getting ignored because
> nothing major has happened before despite 'dire' predictions?
>
> Anyway, just some thoughts..
For me, it all boils down to "Best Laid Plans". Protect your infrastructure
and stop treating VoIP differently from the way you would treat your own
webservers. Remember at the end of the line, its nothing more than a client
server process. Protect it with the same safeguards and measures you would
use on your mail servers, web servers. Make sure those rules on your routers
and firewalls block out and allow in trusted hosts. Remote warriors can be
addressed with proxies if need be.
For all the "news" I read about "VoIP security" in the mainstream media, I
still have a disconnect between "VoIP security" and say "Web Application
Security". While it may be a slightly different variable to tweak for the
VoIP side of things, a competent admin can easily create the necessary
tools to mitigate against most attacks. I know I've written my own script
based IPS for SIP traffic out of boreDumb. I believe creativity, knowledge
of not only VoIP but systems and security goes a long way period. Moreso
than any product I've seen on the market. Outside of this, some shops may
not have the budgets to implement wide scale solutions, so the next best
thing... Ingenuity!
Which reminds me... What happened to that company that was unloading like
a thousand VoIP based advisories every other month. Did they finally give
up. I haven't been amused by the depth of their efermal security concepts
and grasp of it all. Perhaps someone there can chime in with another 100
or so advisories or best practices so the lowly like myself can understand
it from a different perspective.
P.S. (Shawn) Thanks! I was actually overwhelmed and have been playing
catch up but I will respond soon.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP
"Each player must accept the cards life deals him
or her: but once they are in hand, he or she alone
must decide how to play the cards in order to win
the game." Voltaire
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AC173DB
More information about the Voipsec
mailing list