[VOIPSEC] Anyone aware of public disclosures of security incidents related to SIP trunks?

J. Oquendo sil at infiltrated.net
Tue Dec 22 05:09:06 CST 2009


> DY> Right.  An attacker could potentially spoof the IP and trigger
> many SIP INVITES, but would not be able to receive the return traffic
> and launch the actual call.

Dan, sorry this forked off another response. Also removed the cc to
curtail dupes.

Grain of Salt time on disclosures. I'm unsure about the following but
now that I actually think about it, I don't think that a trunk carrier
would be able to disclose some instances of a compromise on the
SIP trunking side. I'll ask the legal department at work later but will
provide a reasoning for this statement.

You ready?

CLI-nCite_1# show calea

Provisioning Server
-------------------
   Listening IP Address:      x.xx.xxx.x
   Listening Port:            xxxx
   VRD:                       x
   State:                     {x,xxx}ABLED


I'm wondering if, as a carrier had someone managed to fiddle and
compromise a trunk, what would the legalities be if at that
same time of occurrence, a CALEA tap was in place. Would a
carrier be legally required to keep a tight lip so as to avoid
alerting someone being tapped?

Without letting cats out of bags here, it's not that difficult
to remotely compromise *certain* SBCs. E.g., pop some bad
(or good depending on your hat) code and obtain instant shell
gratification:

http://www.mail-archive.com/debian-bugs-rc@lists.debian.org/msg78718.html
http://securitytracker.com/alerts/2006/Oct/1017089.html
http://www.securityfocus.com/bid/24949
http://www.securityfocus.com/bid/24950

* Advertisement time *
I wish you guys at ACME on this list would send me lab
equipment to play with. I'm sure on NDA I could figure out
some potentially neat stuff.
* end advertisement *

Back to topic though, it's questions like these that sometimes
come to mind and end up staying unanswered because there
is no clear guidance on the matter. With that said, we can
look at the reasons for not disclosing a compromise of
a trunk.

If a carrier discloses an incident of compromise
1) Carrier runs the risk of losing business from fleeing
customers
2) Carrier faces potential regulatory firing squad
3) Loss of reputation
4) pay off the client for monies lost, potential
negligence lawsuit

If a carrier DOESN'T disclose a compromise
1) business as usual
2) pay off the client for monies lost
3) business as usual
4) business as usual

The incentive for a carrier to come out of the closet
doesn't necessarily pay off in the long run.

-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E




