
Fear and Loathing in Las VoIP

Fear and Loathing in Las VoIP. Adam J. O’Donnell, Ph.D. Senior Research Scientist Cloudmark, Inc. adam@cloudmark.com. Predictions regarding VoIP security are amusing. Security attacks on/involving VoIP are fascinating.


Presentation Transcript


  1. Fear and Loathing in Las VoIP • Adam J. O’Donnell, Ph.D. • Senior Research Scientist • Cloudmark, Inc. • adam@cloudmark.com

  2. Predictions regarding VoIP security are amusing. Security attacks on/involving VoIP are fascinating.

  3. “An electronic Pearl Harbor-type event will happen in 2006 or 2007. I do stand by that...” “New technologies such as VoIP risk driving a horse and cart through ... our network.”

  4. There are 500,000 hits on Google for “spit voip”... ... why?

  5. what was predicted... • Taking down the entire phone network via large scale DDoS • Massive Spam and Phishing • Large-scale authentication abuse - Phishers purporting to be banks

  6. ...what is being seen • One-off DoS against specific SIP implementations • E-mail-driven phishing with VoIP phone numbers • Large-scale authentication abuse... but people posing as other people, not as organizations

  7. why? Economics • Hackers are trying to gain the highest level of notoriety for their investment. • Spammers and Phishers are trying to contact the maximum number of people for the minimum cost.

  8. DoS Economics • First step in writing a full exploit is crashing the service • Very well-established process: • Grab protocol description • Write “fuzzer” • Publish results

  9. DoS Economics • Looking for vulnerabilities in new services is a standard pastime for hackers looking to learn. • The target isn’t VoIP as such, but rather a new, possibly privileged service on the server

  10. Phishing Economics • Again, a very well established process: • Choose a target and a mailing list • Either compromise or buy compromised web servers to host a target page • Generate messages • Retrieve data provided by fooled users from webservers

  11. Pitch Callback

  12. Phishing has become so standardized that diversification of labor has taken place, with separate groups of individuals supplying the web servers, mail servers, money laundering services, etc...

  13. Phishing “Market Pressures” • As phishing became standardized, so did several of the anti-phishing techniques • Classifiers were trained to look for e-mail mentioning banks with odd-looking URLs • Phishing hosts were reported to network operators, who act quickly to remediate the issue

  14. Phishing “Market Pressures” • The target market for phishers began to shrink, due both to user education and improved content filters • For phishing to continue to be profitable, both the pitch and the callback information have to become • More novel to the target • Difficult to analyze

  15. VoIP-carrying Phishing Scams • Novel: customers aren’t used to phone numbers being unsafe • Difficult to analyze: No whois-style information readily available for anti-phishers • Cost effective: the time required to acquire an inbound VoIP number is in line with compromising a desktop for use as a webserver

  16. Your online credit card account has high-risk activity status. We are contacting you to remind that our Account Review Team identified some unusual activity in your account. In accordance with Philadelphia FCU Bank User Agreement and to ensure that your account has not been compromised, access your account was limited. Your account access will remain limited until this issue has been resolved. We encourage you to call our Account Verification Department at phone number (517) XXX-XXXX and perform the steps necessary to verify your account informations as soon as possible. Allowing your account access to remain limited for an extended period of time may result in further limitations on the use of your account and possible account closure. Contact our Account Verification Department at (888) 354-9907 24 hours / 7 days a week to verify your account informations and to confirm your identity.

  17. Dear Customer, We've noticed that you experienced trouble logging into Santa Barbara Bank & Trust Online Banking. After three unsuccessful attempts to access your account, your Santa Barbara Bank & Trust Online Profile has been locked. This has been done to secure your accounts and to protect your private information. Santa Barbara Bank & Trust is committed to make sure that your online transactions are secure. Call this phone number (1-805-XXX-XXXX) to verify your account and your identity. Sincerely,Santa Barbara Bank & Trust Inc.Online Customer Service
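The anti-phishing side of slides 13 to 17, as an added example that is not part of the talk: a filter trained on "bank name plus odd URL" has nothing to match in these messages, so the callback number is what has to be extracted, both to score the message and to have something to report to the VoIP provider. The two pitches are excerpted from the slides above (masked digits kept as X); the third message is a constructed benign control. The cue lists and the toll-free prefix set are assumptions, not anything from the talk.

```python
"""Extract and score the callback number in a 'call this number' phish (added example)."""
import re

# North American number, tolerant of an optional leading 1, the (NPA) NXX-XXXX
# and 1-NPA-NXX-XXXX layouts, and the X masking used on the slides.
PHONE_RE = re.compile(
    r"(?<![\dX])(?:1[-.\s]?)?\(?([2-9][\dX]{2})\)?[-.\s]?([\dX]{3})[-.\s]?([\dX]{4})(?![\dX])"
)
TOLL_FREE = {"800", "833", "844", "855", "866", "877", "888"}   # assumed set of NANP toll-free NPAs
FINANCIAL_CUES = ("bank", "credit card", "online banking", "account")  # assumed cue list
CALLBACK_RE = re.compile(r"\b(call|contact|phone number)\b")

# Two pitches excerpted from slides 16 and 17, plus one constructed benign message.
SAMPLES = {
    "fcu": (
        "Your online credit card account has high-risk activity status. ... We encourage you "
        "to call our Account Verification Department at phone number (517) XXX-XXXX and perform "
        "the steps necessary to verify your account informations as soon as possible. ... Contact "
        "our Account Verification Department at (888) 354-9907 24 hours / 7 days a week to verify "
        "your account informations and to confirm your identity."
    ),
    "sbbt": (
        "Dear Customer, We've noticed that you experienced trouble logging into Santa Barbara "
        "Bank & Trust Online Banking. ... Call this phone number (1-805-XXX-XXXX) to verify your "
        "account and your identity."
    ),
    "benign": "Hi team, the weekly sync moves to Thursday. The dial-in stays the same.",
}


def extract_callbacks(body):
    """Return the distinct phone numbers in body, each with a normalised key."""
    seen, found = set(), []
    for m in PHONE_RE.finditer(body):
        npa, nxx, line = m.groups()
        digits = npa + nxx + line
        if digits in seen:
            continue
        seen.add(digits)
        found.append({
            "raw": m.group(0),
            "number": "+1" + digits,        # E.164-style key for reporting and blocklists
            "toll_free": npa in TOLL_FREE,  # toll-free inbound numbers are cheap to obtain
            "masked": "X" in digits,        # slide redaction; a live sample has no X
        })
    return found


def classify(body):
    """Flag a message that names a financial institution and asks for a call to a number."""
    text = body.lower()
    numbers = extract_callbacks(body)
    financial = [cue for cue in FINANCIAL_CUES if cue in text]
    callback = bool(CALLBACK_RE.search(text))
    return {
        "flagged": bool(numbers) and bool(financial) and callback,
        "numbers": numbers,
        "financial_cues": financial,
        "callback_cue": callback,
    }


if __name__ == "__main__":
    for label, body in SAMPLES.items():
        result = classify(body)
        print(label, "FLAGGED" if result["flagged"] else "ok",
              [n["number"] for n in result["numbers"]])
```

The normalised `number` key is the thing worth sharing with the provider that owns the block: unlike a phishing URL, where the hosting network is one whois lookup away, a phone number carries no public ownership record, so the reporter has to find the right carrier out of band.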

  18. What can we expect? • Given that... • Appears to be the work of a limited number of phishers. • Small number of relatively unsophisticated messages • First number had 1500 callers in 3 days, which is a far better response rate than webpages

  19. What can we expect? • More of the same, until... • Lines of communication are established between anti-phishers and VoIP providers • Banks adopt and customers expect multifactor authentication

  20. Authentication Economics • Phone numbers are used as authentication because they are cheap (already in place) • Spoofing phone numbers was previously expensive, requiring expertise in compromising phone switches

  21. Authentication Economics • The MGC (media gateway controller) component of VoIP systems is responsible for passing the calling party’s phone number into the system • Spoofing phone numbers is trivial for anyone with access to an MGC (i.e., anyone who runs Asterisk) • Several companies, such as camophone.com and spoofcard.com, have been established to offer just this service

  22. Think about all the systems that use only your phone number as a form of authentication...

  23. This is the enemy.

  24. This is the enemy. Aug 23rd (TMZ.com): Paris Hilton dropped from spoofcard.com for hacking into Lindsay Lohan’s voicemail, thus violating the ToS.

  25. Consider the possibilities... • In 1997, a measure was passed through Congress to ban radio receivers that covered the cellular phone band after a group of individuals recorded a high-level Republican conference call chaired by Newt Gingrich

  26. Consider the possibilities... • While not meant to be FUD, what will happen to VoIP regulation if some Hill staffer gets ideas after reading the Paris Hilton/Lindsay Lohan story...

  27. Remediation? • Authentication? Trivial, move to multi-factor systems, such as a PIN in addition to the calling number. • ACL? Also trivial, only accept calls across the MGC from phone numbers delegated to that provider • Identity? A little harder. Maybe push cryptographically signed phone numbers over the CallerID packet
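The first two remediations on the slide, as an added example that is not part of the talk: an ACL at the gateway that accepts an asserted calling number only from the trunk whose provider has been delegated that number block, and a PIN as a second factor for a service that previously trusted the calling number alone (voicemail, given the spoofcard story on the earlier slides). The trunk names, number blocks and PINs are constructed; a real deployment would take the delegation table from its interconnect agreements.

```python
"""Caller-ID ACL at the gateway plus a PIN second factor (added example)."""
import hashlib
import hmac
import os
import re

# Constructed delegation table: which number blocks (E.164 digits, country code
# first) each upstream trunk is entitled to assert as the calling party.
DELEGATED = {
    "provider-a": ("1212555", "1646555"),
    "provider-b": ("1415555",),
    "customer-pbx-17": ("12025550100", "12025550101"),   # a customer PBX with two DIDs
}


def normalize(number):
    """Strip formatting and add the country code for 10-digit NANP numbers."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 10:
        digits = "1" + digits
    return digits


def caller_id_allowed(trunk, asserted):
    """True only if the asserted number lies in a block delegated to this trunk."""
    digits = normalize(asserted)
    if len(digits) != 11:
        return False
    return any(digits.startswith(block) for block in DELEGATED.get(trunk, ()))


def admit_call(trunk, asserted):
    """Gateway policy: forward the calling number only when the trunk may assert it."""
    if caller_id_allowed(trunk, asserted):
        return {"action": "accept", "caller_id": normalize(asserted)}
    # Rejecting (or stripping the number to anonymous) is the point: a PBX on
    # customer-pbx-17 cannot make the network present someone else's number.
    return {"action": "reject", "reason": f"{asserted!r} not delegated to trunk {trunk!r}"}


class VoicemailBox:
    """A mailbox that requires both a verified calling number and a PIN."""

    def __init__(self, number, pin):
        self.number = normalize(number)
        self.salt = os.urandom(16)
        self.pin_hash = self._hash(pin)

    def _hash(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)

    def check_pin(self, pin):
        return hmac.compare_digest(self.pin_hash, self._hash(pin))


def voicemail_login(box, trunk, asserted, pin):
    """Both factors must hold: ACL-verified caller ID matching the box, and the PIN."""
    call = admit_call(trunk, asserted)
    if call["action"] != "accept":
        return False
    if call["caller_id"] != box.number:
        return False
    return box.check_pin(pin)


if __name__ == "__main__":
    box = VoicemailBox("212-555-0199", "4321")
    print(admit_call("customer-pbx-17", "(310) 555-0123"))       # spoof attempt: rejected
    print(voicemail_login(box, "provider-a", "212-555-0199", "4321"))   # True
    print(voicemail_login(box, "provider-a", "212-555-0199", "0000"))   # False
```

The ACL only works where the gateway knows which blocks a trunk owns; a wholesale trunk that legitimately carries many providers' numbers cannot be checked this way, which is why the slide lists identity (a signed calling number) as the harder problem. Until that exists, the PIN is what actually stops a spoofed call from reading someone else's voicemail.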

  28. Remediation? • Reputation? This can be assigned to: • Phone numbers • Source IPs • Content • Reporters of reputation information themselves

  29. Remediation? • If the response time is too long, false negatives and false positives skyrocket • Sender reputation is likely to be far easier to establish for mail spammers than for VoIP spammers • Not many home machines are mail servers, but many home machines are going to be VoIP users

  30. Moral of the story? • The possibility of attack isn’t as important as the economic viability of attack • Hackers and spammers are going to go with minor modifications on what they know, rather than major jumps in methodology

  31. Questions? • Adam J. O’Donnell, adam@cloudmark.com
