[VOIPSEC] voipscanner.com in beta - SaaS VoIP Security Scanning

Dustin D. Trammell dtrammell at breakingpoint.com
Tue Apr 7 11:04:53 CDT 2009


On Tue, 2009-04-07 at 17:43 +0200, Sandro Gauci wrote:
> > I.e., what prevents me, as an attacker, from using this service to scan
> > someone else's PBX to do my reconnaissance for me?  How shall I be
> > restricted to IP space that I'm authorized to scan, and how is this
> > determined?
> >
> 
> An attacker would have to have received the "beta code". There is no
> restriction on IP address space currently but would be interested in
> your suggestions on this one. As an extra precaution I'm actively
> monitoring the service to detect abuse.

To start, I'd consider what the CAs (should) do regarding verifying
that the person applying for certificates really does work for the
company they say they do, and said company really does own the domains
they are attempting to get certs for, except instead of domains, you're
looking for IP address ownership.  Unless they're a large company and
are directly referenced in the ARIN whois as IP space owners for the
range in question, you have to deal with the extra layer of verifying
that the IP address space owned by the ISP referenced in ARIN has been
assigned to whoever you're verifying.

-- 
Dustin D. Trammell
Security Researcher
BreakingPoint Systems, Inc.
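Added example, not part of Dustin's post or of voipscanner.com: one way to turn the suggestion above into an authorization check. Given the most specific registry block covering a target IP, the requester is allowed only if their organisation is the direct registrant of that block, or if the block is an ISP allocation and the operator has verified out of band (e.g. a letter of authorization from the ISP) that the range was assigned to the requester. The registry snapshot, organisation handles and the `isp_attestations` structure are constructed for the example; a real deployment would populate them from ARIN whois/RDAP lookups and still has to verify separately that the person making the request actually represents that organisation.

```python
"""Authorization check for "may this requester scan this IP?" based on
registry ownership records. Constructed sample data, not real ARIN output."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NetBlock:
    cidr: str
    org: str   # registrant organisation handle (hypothetical)
    kind: str  # "allocation" (ISP/large holder) or "reassignment" (customer)


# Constructed registry snapshot: documentation ranges, made-up org handles.
SAMPLE_REGISTRY = [
    NetBlock("203.0.113.0/24", "ISP-EXAMPLE", "allocation"),
    NetBlock("203.0.113.64/27", "CUST-ACME", "reassignment"),
    NetBlock("198.51.100.0/24", "BIGCORP", "allocation"),
]


def most_specific_block(ip, registry):
    """Return the longest-prefix block in registry that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    matches = [b for b in registry if addr in ipaddress.ip_network(b.cidr)]
    if not matches:
        return None
    return max(matches, key=lambda b: ipaddress.ip_network(b.cidr).prefixlen)


def authorization_decision(ip, requester_org, registry, isp_attestations=()):
    """Decide whether requester_org may scan ip.

    isp_attestations: iterable of (isp_org, customer_org, cidr) tuples that the
    operator has already verified out of band (assumed format, e.g. from a LOA).
    Returns ("allow", reason) or ("deny", reason).
    """
    block = most_specific_block(ip, registry)
    if block is None:
        return ("deny", "no registry record covers the target")

    # Case 1: requester is the direct registrant of the most specific block.
    if block.org == requester_org:
        return ("allow", f"{requester_org} is the registrant of {block.cidr}")

    # Case 2: block is an ISP allocation with no reassignment record for this
    # address; accept only an out-of-band attestation from that ISP.
    if block.kind == "allocation":
        addr = ipaddress.ip_address(ip)
        for isp, customer, cidr in isp_attestations:
            if (isp == block.org and customer == requester_org
                    and addr in ipaddress.ip_network(cidr)):
                return ("allow", f"{isp} attests {cidr} is assigned to {customer}")
        return ("deny", f"{block.cidr} is held by {block.org}; ISP attestation required")

    # Most specific block is reassigned to some other customer: deny, even to
    # the upstream ISP, since the customer is the party that must authorize.
    return ("deny", f"{block.cidr} is reassigned to {block.org}, not {requester_org}")


if __name__ == "__main__":
    loa = {("ISP-EXAMPLE", "CUST-ACME", "203.0.113.0/28")}
    for ip, org, att in [("198.51.100.10", "BIGCORP", ()),
                         ("203.0.113.70", "CUST-ACME", ()),
                         ("203.0.113.5", "CUST-ACME", ()),
                         ("203.0.113.5", "CUST-ACME", loa)]:
        print(ip, org, authorization_decision(ip, org, SAMPLE_REGISTRY, att))
```

The longest-prefix match is what handles the "extra layer" in the post: a customer reassignment inside an ISP's allocation wins over the allocation itself, so a requester claiming the ISP's block does not automatically get every customer range underneath it.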