Fear and Loathing in Las VoIP - PowerPoint PPT Presentation

About This Presentation
Title:

Fear and Loathing in Las VoIP

Description:

'New technologies such as VoIP risk driving a horse and cart ... One-off DoS against specific SIP implementations. E-mail-driven phishing with VoIP phone numbers ... – PowerPoint PPT presentation

Number of Views:32
Avg rating:3.0/5.0
Slides: 34
Provided by: ietf
Learn more at: https://www.ietf.org
Category:

less

Transcript and Presenter's Notes

Title: Fear and Loathing in Las VoIP


1
Fear and Loathing in Las VoIP
  • Adam J. ODonnell, Ph.D.
  • Senior Research Scientist
  • Cloudmark, Inc.
  • adam_at_cloudmark.com

2
Predictions regarding VoIP security are
amusing. Security attacks on/involving VoIP are
fascinating.
3
An electronic Pearl Harbor-type event will
happen in 2006 or 2007. I do stand by
that... New technologies such as VoIP risk
driving a horse and cart through ... our network.
4
There are 500,000 hits on Google for spit
voip... ... why?
5
what was predicted...
  • Taking down the entire phone network via large
    scale DDoS
  • Massive Spam and Phishing
  • Large-scale authentication abuse - Phishers
    proporting to be banks

6
...what is being seen
  • One-off DoS against specific SIP implementations
  • E-mail-driven phishing with VoIP phone numbers
  • Large-scale authentication abuse... but people
    posing as other people, not as organizations

7
why? Economics
  • Hackers are trying to gain the highest level of
    notoriety for their investment.
  • Spammers and Phishers are trying to contact the
    maximum number of people for the minimum cost.

8
DoS Economics
  • First step in writing a full exploit is crashing
    the service
  • Very well-established process
  • Grab protocol description
  • Write fuzzer
  • Publish results

9
DoS Economics
  • Looking for vulnerabilities in new services is a
    standard pass-time for hackers looking to learn.
  • The target isnt VoIP, but rather a new, possibly
    privileged service on the server

10
Phishing Economics
  • Again, a very well established process
  • Choose a target and a mailing list
  • Either compromise or buy compromised web servers
    to host a target page
  • Generate messages
  • Retrieve data provided by fooled users from
    webservers

11
(No Transcript)
12
Phishing has become so standardized that
diversification of labor has taken place, with
separate groups of individuals supplying the web
servers, mail servers, money laundering services,
etc...
13
Phishing Market Pressures
  • As phishing became standardized, so did several
    of the anti-phishing techniques
  • Classifiers were trained to look for e-mail
    mentioning banks with odd-looking URLs
  • Phishing hosts were reported to network
    operators, who act quickly to remediate the issue

14
Phishing Market Pressures
  • The target market for phishers began to shrink,
    due both to user education and improved content
    filters
  • For phishing to continue to be profitable, both
    the pitch and the callback information have to
    become
  • More novel to the target
  • Difficult to analyze

15
VoIP-carrying Phishing Scams
  • Novel customers arent used to phone numbers
    being unsafe
  • Difficult to analyze No whois-style information
    readily available for anti-phishers
  • Cost effective the time required to acquire an
    inbound VoIP number is inline with compromising a
    desktop for use as a webserver

16
Your online credit card account has high-risk
activity status. We are contacting you to remind
that our Account Review Team identified some
unusual activity in your account. In accordance
with Philadelphia FCU Bank User Agreement and to
ensure that your account has not been
compromised, access your account was limited.
Your account access will remain limited until
this issue has been resolved. We encourage you
to call our Account Verification Department at
phone number (517) XXX-XXXX and perform the steps
necessary to verify your account informations as
soon as possible. Allowing your account access to
remain limited for an extended period of time may
result in further limitations on the use of your
account and possible account closure. Contact
our Account Verification Department at (888)
354-9907 24 hours / 7 days a week to verify your
account informations and to confirm your identity.
17
(No Transcript)
18
(No Transcript)
19
Dear Customer, We've noticed that you experienced
trouble logging into Santa Barbara Bank Trust
Online Banking. After three unsuccessful attempts
to access your account, your Santa Barbara Bank
Trust Online Profile has been locked. This has
been done to secure your accounts and to protect
your private information. Santa Barbara Bank
Trust is committed to make sure that your online
transactions are secure. Call this phone number
(1-805-XXX-XXXX) to verify your account and your
identity. Sincerely,Santa Barbara Bank Trust
Inc.Online Customer Service
20
What can we expect?
  • Given that...
  • Appears to be the work of a limited number of
    phishers.
  • Small number of relatively unsophisticated
    messages
  • First number had 1500 callers in 3 days, which is
    a far better response rate than webpages

21
What can we expect?
  • More of the same, until...
  • Lines of communication are established between
    anti-phishers and VoIP providers
  • Banks adopt and customers expect multifactor
    authentication

22
Authentication Economics
  • Phone numbers are used as authentication, because
    it is cheap (already in place)
  • Spoofing phone numbers was previously expensive,
    requiring expertise in compromising phone switches

23
Authentication Economics
  • The MGC component of VoIP systems are responsible
    for passing the calling partys phone number into
    the system
  • Spoofing phone numbers is trivial for anyone with
    access to an MGC (ie, anyone who runs Asterisk)
  • Several companies, such as camophone.com and
    spoofcard.com have been established to offer just
    this service

24
Think about all the systems that use only
your phone number as a form of authentication...
25
This is the enemy.
26
This is the enemy.
Aug 23rd (TMZ.com) Paris Hilton dropped from
spoofcard.com for hacking into Lindsay Lohans
voicemail, thus violating the ToS.
27
Consider the possibilities...
  • In 1997, a measure was passed through Congress to
    ban radio receivers that covered the cellular
    phone band after a group of individuals recorded
    a high-level Republican conference call chaired
    by Newt Gingrich

28
Consider the possibilities...
  • While not meant to be FUD, what will happen to
    VoIP regulation if some Hill staffer gets ideas
    after reading the Paris Hilton/Lindsay Lohan
    story...

29
Remediation?
  • Authentication? Trivial, move to multi-factor
    systems, such as a PIN number.
  • ACL? Also trivial, only accept calls across the
    MGC from phone numbers delegated to that provider
  • Identity? A little harder. Maybe push
    crypto-signed signed phone numbers over the
    CallerID packet

30
Remediation?
  • Reputation? This can be assigned to
  • Phone numbers
  • Source IPs
  • Content
  • Reporters of reputation information themselves

31
Remediation?
  • If the response time is too long, FNs and FPs
    skyrocket
  • Sender reputation is likely to be far easier to
    establish for mail spammers than VoIP spammers
  • Not many home machines are mail servers, but many
    home machines are going to be VoIP users

32
Moral of the story?
  • The possibility of attack isnt as important as
    the economic viability of attack
  • Hackers and spammers are going to go with minor
    modifications on what they know, rather than
    major jumps in methodology

33
Questions?
  • Adam J. ODonnell, adam_at_cloudmark.com
Write a Comment
User Comments (0)
About PowerShow.com