Title: Fear and Loathing in Las VoIP
Slide 1: Fear and Loathing in Las VoIP
- Adam J. O'Donnell, Ph.D.
- Senior Research Scientist
- Cloudmark, Inc.
- adam_at_cloudmark.com
Slide 2: Predictions regarding VoIP security are amusing. Security attacks on/involving VoIP are fascinating.
Slide 3:
"An electronic Pearl Harbor-type event will happen in 2006 or 2007. I do stand by that..."
"New technologies such as VoIP risk driving a horse and cart through ... our network."
Slide 4: There are 500,000 hits on Google for "spit voip"... why?
Slide 5: ...what was predicted
- Taking down the entire phone network via large-scale DDoS
- Massive spam and phishing
- Large-scale authentication abuse
- Phishers purporting to be banks
Slide 6: ...what is being seen
- One-off DoS against specific SIP implementations
- E-mail-driven phishing with VoIP phone numbers
- Large-scale authentication abuse... but people posing as other people, not as organizations
Slide 7: Why? Economics
- Hackers are trying to gain the highest level of notoriety for their investment.
- Spammers and phishers are trying to contact the maximum number of people for the minimum cost.
Slide 8: DoS Economics
- The first step in writing a full exploit is crashing the service
- A very well-established process:
  - Grab the protocol description
  - Write a fuzzer
  - Publish the results
Slide 9: DoS Economics
- Looking for vulnerabilities in new services is a standard pastime for hackers looking to learn.
- The target isn't VoIP as such, but rather a new, possibly privileged service on the server.
Slide 10: Phishing Economics
- Again, a very well-established process:
  - Choose a target and a mailing list
  - Either compromise, or buy already-compromised, web servers to host a target page
  - Generate messages
  - Retrieve the data provided by fooled users from the web servers
Slide 12: Phishing has become so standardized that a division of labor has taken place, with separate groups of individuals supplying the web servers, mail servers, money laundering services, etc.
Slide 13: Phishing Market Pressures
- As phishing became standardized, so did several of the anti-phishing techniques:
  - Classifiers were trained to look for e-mail mentioning banks with odd-looking URLs
  - Phishing hosts were reported to network operators, who act quickly to remediate the issue
Slide 14: Phishing Market Pressures
- The target market for phishers began to shrink, due both to user education and to improved content filters
- For phishing to continue to be profitable, both the pitch and the callback information have to become:
  - More novel to the target
  - Difficult to analyze
Slide 15: VoIP-carrying Phishing Scams
- Novel: customers aren't used to phone numbers being unsafe
- Difficult to analyze: no whois-style information is readily available for anti-phishers
- Cost effective: the time required to acquire an inbound VoIP number is in line with that of compromising a desktop for use as a webserver
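Slides 13 through 15 describe classifiers trained on "bank plus odd URL" and the shift to lures whose callback is a phone number instead of a URL. The following is an added example (not code from the talk or from Cloudmark) of the minimal adjustment a defender's filter needs: score a message on financial-lure vocabulary and on the presence of a callback phone number, and extract those numbers so they can be reported to the VoIP provider. The term lists, weights, threshold and sample messages are all constructed for this example; the phone regex deliberately accepts masked digits ("XXX-XXXX") so defanged samples like the ones in the deck still match.

```python
import re
from dataclasses import dataclass, field

# Constructed vocabulary lists; a production classifier would learn these.
BANK_TERMS = ("bank", "credit card", "account", "online banking", "fcu")
ACTION_TERMS = ("call", "phone", "verify", "limited", "locked", "suspended")

# North American numbers in the formats seen in VoIP lures:
#   (517) XXX-XXXX   (888) 354-9907   1-805-XXX-XXXX
# 'X' is accepted in the subscriber part so defanged samples still score.
PHONE_RE = re.compile(
    r"(?:1[-\s.])?\(?(\d{3})\)?[-\s.]?([\dX]{3})[-\s.]([\dX]{4})", re.I
)


@dataclass
class Verdict:
    is_voip_phish: bool
    score: int
    callbacks: list = field(default_factory=list)


def extract_callbacks(text):
    """Return every callback number in the text, normalized to NPA-NXX-XXXX."""
    return [f"{a}-{b}-{c}".upper() for a, b, c in PHONE_RE.findall(text)]


def score_message(text, threshold=4):
    """Heuristic VoIP-phish score (constructed weights):
    +1 financial vocabulary, +1 urgency/action vocabulary,
    +2 a callback phone number, +1 callback with no URL at all
    (the signature of the VoIP variant: no web page to take down)."""
    lowered = text.lower()
    score = 0
    if any(term in lowered for term in BANK_TERMS):
        score += 1
    if any(term in lowered for term in ACTION_TERMS):
        score += 1
    callbacks = extract_callbacks(text)
    if callbacks:
        score += 2
        if "http" not in lowered:
            score += 1
    return Verdict(score >= threshold, score, callbacks)


# Constructed samples (555-01xx numbers are reserved for fiction).
SAMPLE_VOIP = ("Your online credit card account has been limited. Call our "
               "Account Verification Department at (555) 010-0100 to verify "
               "your account.")
SAMPLE_WEB = ("Your bank account has been locked. Visit "
              "http://example.invalid/verify to restore access.")
SAMPLE_BENIGN = "Lunch Friday at noon? My new number is 1-555-010-0199."

if __name__ == "__main__":
    for sample in (SAMPLE_VOIP, SAMPLE_WEB, SAMPLE_BENIGN):
        v = score_message(sample)
        print(v.score, v.is_voip_phish, v.callbacks)
```

The fourth rule is the interesting one for this deck: a URL-free lure with a phone number used to be a strong sign of legitimacy, so a filter tuned for web phishing gives it a pass unless the phone number itself is treated as the callback artifact.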
Slide 16:
Your online credit card account has high-risk activity status. We are contacting you to remind that our Account Review Team identified some unusual activity in your account. In accordance with Philadelphia FCU Bank User Agreement and to ensure that your account has not been compromised, access your account was limited. Your account access will remain limited until this issue has been resolved. We encourage you to call our Account Verification Department at phone number (517) XXX-XXXX and perform the steps necessary to verify your account informations as soon as possible. Allowing your account access to remain limited for an extended period of time may result in further limitations on the use of your account and possible account closure. Contact our Account Verification Department at (888) 354-9907 24 hours / 7 days a week to verify your account informations and to confirm your identity.
Slide 19:
Dear Customer, We've noticed that you experienced trouble logging into Santa Barbara Bank Trust Online Banking. After three unsuccessful attempts to access your account, your Santa Barbara Bank Trust Online Profile has been locked. This has been done to secure your accounts and to protect your private information. Santa Barbara Bank Trust is committed to make sure that your online transactions are secure. Call this phone number (1-805-XXX-XXXX) to verify your account and your identity. Sincerely, Santa Barbara Bank Trust Inc. Online Customer Service
Slide 20: What can we expect?
- Given that...
  - It appears to be the work of a limited number of phishers
  - There is a small number of relatively unsophisticated messages
  - The first number had 1500 callers in 3 days, which is a far better response rate than webpages
Slide 21: What can we expect?
- More of the same, until...
  - Lines of communication are established between anti-phishers and VoIP providers
  - Banks adopt, and customers expect, multifactor authentication
Slide 22: Authentication Economics
- Phone numbers are used as authentication because it is cheap (already in place)
- Spoofing phone numbers was previously expensive, requiring expertise in compromising phone switches
Slide 23: Authentication Economics
- The MGC component of VoIP systems is responsible for passing the calling party's phone number into the system
- Spoofing phone numbers is trivial for anyone with access to an MGC (i.e., anyone who runs Asterisk)
- Several companies, such as camophone.com and spoofcard.com, have been established to offer just this service
Slide 24: Think about all the systems that use only your phone number as a form of authentication...
Slide 25: This is the enemy.
Slide 26: This is the enemy.
Aug 23rd (TMZ.com): Paris Hilton dropped from spoofcard.com for hacking into Lindsay Lohan's voicemail, thus violating the ToS.
Slide 27: Consider the possibilities...
- In 1997, a measure was passed through Congress to ban radio receivers that covered the cellular phone band after a group of individuals recorded a high-level Republican conference call chaired by Newt Gingrich
Slide 28: Consider the possibilities...
- While not meant as FUD: what will happen to VoIP regulation if some Hill staffer gets ideas after reading the Paris Hilton/Lindsay Lohan story...
Slide 29: Remediation?
- Authentication? Trivial: move to multi-factor systems, such as adding a PIN.
- ACL? Also trivial: only accept calls across the MGC from phone numbers delegated to that provider.
- Identity? A little harder. Maybe push crypto-signed phone numbers over the CallerID packet.
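Slides 22, 23 and 29 together make one point: the MGC simply relays whatever caller number the peer asserts, so anything that trusts caller ID alone is spoofable, and the two "trivial" fixes are an ACL on what each peer may assert plus a second factor. The block below is an added example (not Asterisk code, not the talk's own) of both checks on the receiving side: a per-trunk delegation table that a caller ID must fall inside, and a PIN verified with a salted PBKDF2 hash so that a correct-looking caller ID grants nothing by itself. Trunk names, number blocks, the mailbox record and the PIN are constructed.

```python
import hashlib
import hmac
import os

# Constructed delegation table: each inbound trunk (peer provider) maps to the
# E.164 digit-prefix blocks (no "+") it is entitled to assert as caller ID.
# Hypothetical peers; 555-01xx numbers are reserved for fiction.
DELEGATIONS = {
    "peer-a": ("1555010",),
    "peer-b": ("1555020", "1555021"),
}


def normalize_number(raw):
    """Reduce a display form such as "(555) 010-0100" or "+1 555 010 0100"
    to bare digits; a 10-digit NANP number gets its country code prepended."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    if len(digits) == 10:
        digits = "1" + digits
    return digits


def caller_allowed(trunk, asserted_caller):
    """ACL from slide 29: accept the asserted caller ID only if it lies in a
    block delegated to the trunk the call arrived on. Unknown trunks and
    malformed numbers are denied (fail closed)."""
    blocks = DELEGATIONS.get(trunk)
    if not blocks:
        return False
    number = normalize_number(asserted_caller)
    if len(number) != 11 or not number.startswith("1"):
        return False
    return any(number.startswith(block) for block in blocks)


# --- second factor: caller ID selects the mailbox, the PIN authenticates ---

def hash_pin(pin, salt=None):
    """Salted PBKDF2-HMAC-SHA256 of the PIN; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
    return salt, digest


# Constructed subscriber record: mailbox number -> (salt, PIN hash).
MAILBOX_PINS = {"15550100100": hash_pin("4242")}


def authorize_mailbox(trunk, asserted_caller, pin):
    """Grant mailbox access only when the call arrives on a trunk delegated the
    asserted number AND the presented PIN matches the stored hash."""
    if not caller_allowed(trunk, asserted_caller):
        return False
    record = MAILBOX_PINS.get(normalize_number(asserted_caller))
    if record is None:
        return False
    salt, expected = record
    _, presented = hash_pin(pin, salt)
    # constant-time comparison avoids leaking how many bytes matched
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    print(caller_allowed("peer-a", "(555) 010-0100"))          # expected True
    print(caller_allowed("peer-a", "(555) 020-0100"))          # expected False
    print(authorize_mailbox("peer-a", "(555) 010-0100", "4242"))  # expected True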
Slide 30: Remediation?
- Reputation? This can be assigned to:
  - Phone numbers
  - Source IPs
  - Content
  - Reporters of reputation information themselves
Slide 31: Remediation?
- If the response time is too long, false negatives (FNs) and false positives (FPs) skyrocket
- Sender reputation is likely to be far easier to establish for mail spammers than for VoIP spammers
- Not many home machines are mail servers, but many home machines are going to be VoIP users
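Slides 30 and 31 list four things reputation can attach to and warn that slow reporting drives error rates up. The following added example (constructed for this page, not Cloudmark's or the talk's own system) is a small reputation store that keeps those subjects in one structure, weights each abuse report by the standing of the reporter who filed it, and decays reports with a half-life so that a stale report counts for less than a fresh one. Subject kinds, the half-life, the feedback multipliers and the verdict thresholds are all assumptions of this example.

```python
from collections import defaultdict


class ReputationStore:
    """Abuse reputation keyed by (kind, subject), where kind is one of
    "number", "source_ip" or "content" (constructed design). Each report is
    weighted by the reporter's trust and decays exponentially with age."""

    def __init__(self, half_life_s=3600.0):
        self.half_life_s = half_life_s
        self.reports = defaultdict(list)                 # (kind, subject) -> [(ts, reporter)]
        self.reporter_weight = defaultdict(lambda: 1.0)  # reporter -> trust weight

    def report(self, kind, subject, reporter, ts):
        """Record that `reporter` flagged `subject` at time `ts` (seconds)."""
        self.reports[(kind, subject)].append((ts, reporter))

    def score(self, kind, subject, now):
        """Sum of reporter weights, each halved per half-life of age.
        An unreported subject scores 0.0 (neutral)."""
        total = 0.0
        for ts, reporter in self.reports.get((kind, subject), ()):
            age = max(0.0, now - ts)
            total += self.reporter_weight[reporter] * 0.5 ** (age / self.half_life_s)
        return total

    def feedback(self, reporter, accurate):
        """Reputation for the reporters themselves (slide 30): confirmed reports
        raise a reporter's weight, false positives lower it, both bounded so no
        single reporter can dominate the score."""
        w = self.reporter_weight[reporter]
        self.reporter_weight[reporter] = min(3.0, w * 1.25) if accurate else max(0.1, w * 0.5)


def call_verdict(store, caller_number, source_ip, now, threshold=1.0):
    """Combine number and source-IP reputation into a routing decision.
    "challenge" stands for a cheap second step (e.g. a PIN prompt) rather than
    an outright block, which keeps a slow or weak report from becoming a FP."""
    s = max(store.score("number", caller_number, now),
            store.score("source_ip", source_ip, now))
    if s >= threshold:
        return "block"
    if s > 0.0:
        return "challenge"
    return "accept"


if __name__ == "__main__":
    store = ReputationStore(half_life_s=3600.0)
    # Constructed report: a honeypot mailbox flagged a 555 number at t=0.
    store.report("number", "15550109999", "honeypot-1", ts=0.0)
    for t in (0.0, 3600.0, 7200.0):
        print(t, store.score("number", "15550109999", t),
              call_verdict(store, "15550109999", "192.0.2.10", t))
```

The decay is what makes the slide's response-time remark concrete: with a one-hour half-life, a report that reaches the store two hours late is already worth a quarter of its original weight, so a slow reporting channel silently raises the false-negative rate unless the threshold is lowered, which in turn raises false positives.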
Slide 32: Moral of the story?
- The possibility of attack isn't as important as the economic viability of attack
- Hackers and spammers are going to go with minor modifications of what they know, rather than major jumps in methodology
Slide 33: Questions?
- Adam J. O'Donnell, adam_at_cloudmark.com