[VOIPSEC] Hijacking the Entire VoIP Infrastructure (take two)

Tue Jan 27 07:16:07 CST 2009

Early week ramblings a-plenty...

According to mailing list chatter [1] Packet8's DNS servers may or may not have been hijacked.
While DNS hijacks aren't all that uncommon, I sat around thinking about the after-effects of these
kinds of situations. What could someone possibly gain from this attack so I put together a punch
list of sorts:

Denial of Service - Causing a loss of confidence in Packet8's ability to maintain a secure posture,
a competitor could create targeted marketing using Packet8 as an example.

Theft of Clients - Because someone can now create their own infrastructure bastardization of
Packet8's internals, when customers complain, an email could have been crafted a-la:
"Please update your information on this page" where the attacker could have created a form
based page to gather Packet8's client information.

Massive Toll Fraud - Again, being the attacker can direct what goes where, it would be trivial
to create a mimic of Packet8's network sniffing VoIP traffic in efforts to create a list of accounts
that can be used for toll fraud. Usernames and passwords would be gathered and stored for
future use.

The list went on, but I decided to focus on the major ones that would disaffect Packet8 from a
financial perspective as money always talks. After thinking up all the attack vectors, I thought
about how to protect an infrastructure from this - should I pester Dan Kaminisky, should I look
for managed "secure" DNS services since this happened. What's the aftermath?

If I were Packet8 management, I'd tear into my security and systems engineers as well as my
CSO, CISO and anyone else involved with building and deploying the infrastructure as well as
those responsible for security that infrastructure. This entire attack - if true - could have been
avoided at a much lower cost to Packet8 if they had a proper perception slash view of what
security truly is and why companies need to start taking security more serious.

For starters, depending on how we look at it, did they not violate PCI/DSS since there is the
potential for an attacker to have mimicked their credit card processing servers and had Packet8
clients re-enter information. What about GLBA - information could have potentially been
disclosed. The issue here is - no one would ever know the extent of the damage done to
Packet8 unless of course those responsible are caught. There are a lot of questions I would
be asking Packet8 if I were a customer - not to mention I'd be shopping around for an
alternative.

Technology-wise, Packet8's staff should now take the appropriate steps to change their
authentication mechanisms for all their clients however, I don't see this happening. It would
be a very time consuming and costly affair, client's will be irrate so what's likely to happen?
If you ask me, Packet8 will either sweep it under the rug as if nothing happened or issue
a statement downplaying the incident. They could always pull a TJX and offer reduced
pricing on their services [2] hoping money woos customers to forget.

I have no beefs, qualms with Packet8 - and yes I have used their service before circa 2005
when it was a bit in its infancy. They've certainly come a long way, but it seems that they
like other companies forgot to build a solid posture especially when it came to security.
If I was still a customer - my service would likely be switched unless Packet8 gave me
some very strong assurances that I would be absolved of any financial liabilities arising
from this attack - money doesn't grow on trees. 

[1] https://puck.nether.net/pipermail/outages/2009-January/001098.html
[2] http://news.cnet.com/8301-1009_3-10148115-83.html

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"Enough research will tend to support your
conclusions." - Arthur Bloch

"A conclusion is the place where you got
tired of thinking" - Arthur Bloch

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E