preview of “interest high in voip security at sipnoc 2012 | 200 ok”

Upload: mark-r-lindsey

Post on 04-Apr-2018


  • 7/31/2019 Preview of Interest High in VoIP Security at SIPNOC 2012 | 200 OK

    1/10

    9/1/12 2nterest High in VoIP Security at SIPNOC 2012 | 200 OK

    Page 1ttp://200ok.info/2012/07/16/voip-security-sipnoc/

    Interest High in VoIP Security at SIPNOC 2012

    JULY 16, 2012 BY MARK R LINDSEY

    Large Financial Losses Dominate Concern

    June 2012, Hyatt Dulles, Sterling, Virginia, USA: Carrier VoIP Security was the first technical topic discussed at the SIPForum's SIPNOC 2012 conference. A standing-room-only crowd of engineers attended an informal Birds-of-Feather (BOF) session on the latest in VoIP Security Threats and Prevention techniques.

    Dollars Lost, Interest Gained

    Why the huge interest? There was a well-attended security BoF at SIPNOC 2011, but this year the crowd was enormous. This year, everyone is feeling the pain of service theft. Most of the SIPNOC 2012 attendees represent VoIP Carriers. When their service is hacked, it costs a lot of money, and interferes with normal business operations.


    Stealing phone service is not new. AT&T, as the United States' first major long-distance service provider, has fought theft of service for ages. But the advent of widespread carrier VoIP over the Internet has created an excellent opportunity to steal service. Attackers need not physically attach to your network to steal your service; they need only connect to your service across the Internet.

    Number One Threat: Theft of Service for Fraudulent Calls

    The top threat identified was theft of service. The essence is that someone uses a service to make phone calls without authorization. The owner or operator of the service is then responsible for paying the telephone bills. The expensive, and interesting, destinations to which calls are placed are typically in developing countries. For example, one recent story highlighted the plight of an Ipswich, Massachusetts businessman whose service was stolen. The thief used his service to call Somalia, at the rate of US $22.00 per minute. (http://www.salemnews.com/local/x1501704698/A-million-dollar-bill)

    These are not cases of a lonely foreign college student calling his mother back home. This is big business. In the case of the Ipswich manufacturer, the thieves averaged around 7 concurrent calls to Somalia for 4 days.

    His carrier has since dropped the bill and absorbed the cost. (http://hosted2.ap.org/APDEFAULT/aa9398e6757a46fa93ed5dea7bd3729e/Article_2012-07-09-$1M%20Phone%20Bill/id-c0050db654c9475399853ba88d3330b1) That's good for the consumer, but what if you are the carrier? You may be asked to absorb a $1M phone bill to avoid putting your customer out of business.

    Block Expensive Destinations

    About a third of the Security BoF participants say that they block calls to expensive destinations by default. That is, if you need to do business with Somalia, and you're willing to pay the $1,320.00/hour to do so, then chances are high that your VoIP carrier won't let you call them without getting special permission.

    This is a simple and safe strategy. But VoIP Carriers should be careful in how they do this; the FCC does regulate a VoIP carrier's flexibility to decide not to route calls to certain destinations. (http://transition.fcc.gov/Daily_Releases/Daily_Business/2012/db0207/DA-12-154A1.pdf) (Although, to the best of my knowledge, these rules only affect domestic US destinations

    If you're familiar with the legacy telco model, where the local provider is distinct from the long distance provider. In many VoIP service providers, this is not the case; the local service includes your long distance calling. There is no Equal Access to alternate long-distance carriers with these VoIP services.

    Detect the Stolen Service

    Many BoF participants also considered it critical to be able to successfully detect stolen service as it is occurring. All of the techniques for doing this amount to behavioral monitoring of some form: try to determine if the user is making unusual calls.

    Many participants use some sort of threshold. For example, they may count the number of expensive international calls being placed each day. And if that count exceeds some fixed number, say, 5, then they have automatically detected the service. Others do their detection after some billing analysis has been done, so they can suspect fraud only if a threshold of dollars has been exceeded.


    Some carriers reported using the customer's history to set the threshold. The more sophisticated systems, like ECG's Fraudstopper (http://www.e-c-group.com/fraudstopper/), do some auto-learning to detect the behavioral patterns of use.

    There was also no single answer on how to handle a new customer. What is the appropriate fraud limit if you have no history or behavioral patterns?
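
The fixed-count, dollar and history-based thresholds described above can be sketched over call detail records as follows. This is an added example, not code from the original post or from any product it names; the rate table (apart from the $22.00 Somalia rate quoted in the article), the cutoffs, the 3-sigma baseline, the phone numbers and the call records are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed rate table, USD per minute by dialed prefix. 252 (Somalia) at $22.00
# is the rate quoted in the article; the other rows are made-up sample values.
RATES = {"252": 22.00, "44": 0.02, "1": 0.01}
EXPENSIVE_RATE = 1.00        # assumed cutoff for an "expensive" destination
MAX_EXPENSIVE_CALLS = 5      # fixed daily count threshold ("say, 5" in the text)
DEFAULT_DOLLAR_LIMIT = 50.0  # assumed daily limit for accounts with no history
MIN_HISTORY_DAYS = 7         # assumed: fewer days than this counts as a new customer

def rate_for(dialed):
    """Longest-prefix match of the dialed digits against the rate table."""
    digits = dialed.lstrip("+")
    for n in range(len(digits), 0, -1):
        if digits[:n] in RATES:
            return RATES[digits[:n]]
    return 0.0

def dollar_limit(daily_spend_history):
    """History-based limit: mean + 3 standard deviations, never below the default."""
    if len(daily_spend_history) < MIN_HISTORY_DAYS:
        return DEFAULT_DOLLAR_LIMIT
    baseline = mean(daily_spend_history) + 3 * pstdev(daily_spend_history)
    return max(DEFAULT_DOLLAR_LIMIT, baseline)

def detect(cdrs, history):
    """cdrs: (account, day, dialed, minutes) tuples -> {(account, day): [reasons]}."""
    calls, spend = defaultdict(int), defaultdict(float)
    for account, day, dialed, minutes in cdrs:
        rate = rate_for(dialed)
        spend[(account, day)] += rate * minutes
        if rate >= EXPENSIVE_RATE:
            calls[(account, day)] += 1
    alerts = {}
    for key, dollars in spend.items():
        reasons = []
        if calls[key] > MAX_EXPENSIVE_CALLS:
            reasons.append("count")
        if dollars > dollar_limit(history.get(key[0], [])):
            reasons.append("dollars")
        if reasons:
            alerts[key] = reasons
    return alerts

# Constructed sample data: call records for one day plus prior daily spend per account.
DAY = "2012-07-13"
SAMPLE_CDRS = (
    [("acme", DAY, "+252615550100", 10)] * 7        # 7 calls, $1,540
    + [("bigcorp", DAY, "+252615550199", 5)] * 3    # 3 calls, $330, normal for them
    + [("newco", DAY, "+252615550123", 3)]          # 1 call, $66, no history
    + [("smallbiz", DAY, "+442079460000", 30)] * 2  # cheap calls
)
SAMPLE_HISTORY = {"acme": [2.0, 3.5, 1.0, 2.5, 4.0, 3.0, 2.0],
                  "bigcorp": [300, 420, 380, 350, 410, 390, 360]}

if __name__ == "__main__":
    for key, reasons in detect(SAMPLE_CDRS, SAMPLE_HISTORY).items():
        print(key, reasons)
```

The account with a long record of high spend stays under its own baseline, while the account with no history falls back to the default limit and is flagged on a single call.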

    Block Compromised Service

    After the fraud is detected, many BoF participants said they would automatically disable expensive calling on the affected telephone. Many raised concerns about disabling telephone services.

    One successful strategy put forward was to notify the customer. A letter such as this one may be sent via email:

    Dear customer, your terms of service say that you're responsible for security of your phones. We're only going to charge you for $50 of fraudulent service, not the full invoice. But we disabled your phone in the meantime.

    Special Risks with Credit-Card Signup

    One participant noted special risks that come when you allow customers to sign up for telephone service with a credit card. Thieves may sign up for service with a stolen credit card then make expensive calls. Until that card is reported as stolen, or fraud is detected by the credit card company, it does not appear possible for the VoIP Carrier to prevent the fraud.

    SIPVicious Friendly-Scanner Registration Flood

    Many participants noted that SIP REGISTER floods are continuing, apparently through the use of SIPVicious. These floods are caused when attackers scan the system, looking for SIP accounts that they can steal. By scanning the system very fast, they may overload it, and cause an outage before fraud even begins.

    A classic model appears to be (a) detection of SIP accounts with poor authentication; (b) test calls to verify the service early in the work week; then (c) heavy fraudulent use starting Friday night, when fraud detection is weaker over the weekend.
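
One way to spot the scanning stage from registrar or SBC logs is a per-source sliding window over REGISTER requests. This is an added example, not code from the original post; the window size, thresholds, record layout and sample events are assumptions, and the `friendly-scanner` User-Agent string is taken from the section heading.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10      # assumed sliding-window length
MAX_REGISTERS = 20       # assumed REGISTER budget per source inside one window
MAX_DISTINCT_USERS = 5   # assumed: more accounts than this from one source is a scan
SCANNER_UA = "friendly-scanner"  # User-Agent string from the section heading

def analyze(events):
    """events: time-ordered (ts, src_ip, user, user_agent) REGISTER records.
    Returns {src_ip: set of reasons} for sources that look like scanners."""
    windows = defaultdict(deque)
    findings = defaultdict(set)
    for ts, src, user, agent in events:
        if SCANNER_UA in agent.lower():
            findings[src].add("scanner-ua")
        win = windows[src]
        win.append((ts, user))
        # Drop records that have aged out of the window for this source.
        while ts - win[0][0] > WINDOW_SECONDS:
            win.popleft()
        if len(win) > MAX_REGISTERS:
            findings[src].add("flood")
        if len({u for _, u in win}) > MAX_DISTINCT_USERS:
            findings[src].add("enumeration")
    return dict(findings)

def sample_events():
    """Constructed records: a scanner, an office behind NAT, and a second fast source."""
    scanner = [(100 + i * 0.1, "203.0.113.7", str(1000 + i), "friendly-scanner")
               for i in range(50)]
    office = [(100 + i, "198.51.100.20", name, "ExamplePhone/1.0")
              for i, name in enumerate(["alice", "bob", "carol", "dave"])]
    # No scanner User-Agent here: this source is caught by rate and user count alone.
    other = [(200 + i * 0.2, "192.0.2.99", str(2000 + i), "ExamplePhone/1.0")
             for i in range(30)]
    return sorted(scanner + office + other)

if __name__ == "__main__":
    for src, reasons in analyze(sample_events()).items():
        print(src, sorted(reasons))
```

The User-Agent match is the cheapest signal but the least reliable, so the rate and distinct-account checks are what the thresholds should be tuned around.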

    Common Sources of Fraud

    Many fraudulent calls appear to come from Skype and Google Voice gateways. In addition, North Africa and the Palestinian Territory were common sources at the IP layer for the attacks.

    Beware the SIP Phone on the Public Internet

    One carrier reported special problems with their Bring-Your-Own-Device model. In their service, customers buy SIP service, but use their own devices. Many of these devices are SIP phones on the public Internet. Attackers can scan the Internet (often via Google) for SIP phones, then retrieve the SIP authentication credentials right off the phone. Then they can REGISTER as that phone with the VoIP service provider, and make fraudulent calls.

    This carrier strongly recommended avoiding IP Phones when connected directly to the Public Internet. They should, instead, be connected to the network through a firewall or NAT device that prevents incoming connections.

    The fundamental vulnerability is that the SIP phones do not adequately protect themselves against the public Internet. The vendors do not expect users will be putting their phones on the public Internet; they expect them to have private IPs inside a NAT-protected network.

    SIP PBXs and IADs are Common Targets, Too

    SIP PBXs (such as Asterisk and Cisco Call Manager) are commonly directly connected to the Internet. Many BoF participants mentioned cases where a customer's PBX is exploited. In these cases, the attacker places fraudulent calls through the Internet, to the customer's PBX. Then the customer's PBX routes those calls to the VoIP carrier. Even if you have quality SIP authentication credentials to authenticate that SIP PBX, you can't detect that the calls are actually not legitimate.

    Similar cases were reported with Adtran TA900-series IADs. Attackers would log in to these devices, reconfigure them to allow SIP calling through the Internet, then route calls from the attacker, via the IAD, to the SIP PBX. We would expect this to be possible on all SIP-to-SIP capable devices, including Cisco IAD2430-series devices, those from Audiocodes, and many more. The key is properly securing the SIP PBX or IAD to prevent an attacker from gaining control.

    Telephony-Layer Denial of Service

    One carrier reported multiple attempts to create a Denial of Service simply by using up all voice ports on a customer's device. For instance, an attacker would place many phone calls to a bank's Interactive Voice Response (IVR) system. This effectively may prevent the bank from receiving calls through the IVR while the attack is ongoing. (I wonder if this type of attack is coordinated with credit card fraud on that bank's customers, with the hope being to prevent a suspicious vendor from checking in with the bank to verify a credit card.)

    The Tools are Only for the Hackers

    Someone asked about the VoIP Security Testing tools; for example, SIPVicious. Is anybody using those tools to actively test their own network, or their customers' networks? Only one BoF participant said that he was.

    Sharing the Wisdom

    Meetings like this are rare. We discussed how to better disseminate information about the latest threats, and wisdom on how to make the roll-out of VoIP go more smoothly. Some participants mentioned the difficulty in getting formal authority to actually exchange information about their threats and counter-techniques.

    SIPForum SIPNOC (http://www.sipnoc.org/) can be a useful, in-person meeting to discuss these risks and threats. Some participants also mentioned the FBI InfraGard program, but also noted that it seems to be a listen-only forum. That is, many companies join to hear what the FBI has to say, but few want to publicize anything they're seeing, even among a limited set of participants.

    VoIPSA (http://voipsa.org/) may be another good forum where public content can be published.


    [Photo: Dan York, of the Internet Society and VoIPSA]

    Perhaps the challenge is convincing everyone that sharing information about the latest threats is actually beneficial. But this is an old debate, extended to the new telephone network. Is it really good for everyone involved if the information about the threats is publicized?

    Yes, if it is possible to ultimately make a secure and robust system.

    No, if there are intrinsic weaknesses that will never be fully strengthened. That is, we're only as secure as we are secret about the weaknesses.


    One thought on "Interest High in VoIP Security at SIPNOC 2012"

    1. Layne Monson says: July 17, 2012 at 15:03

    Once again a spot-on article on what I've seen occurring over the last couple years as these hackers ramp up their attacks. Also watch your voicemail's ability to be set to pass through calls. They like to fwd calls through VM portal ability once a compromised SIP acct has been achieved. That way they can trunk the SIP calls through it. If you got an SBC, also configure all the dynamic security you can against registering SIP UAs, especially if they come from the internet. Make sure it kicks them for a long long time if they get a bad password too, like over 12 hours. I once had an Acme I set to kick them for only 4 hours and a hacker (over the period of several days) still managed to keep trying and got a weak password SIP acct that ironically was just installed a couple weeks before and not even in use yet by a customer. Be WARY!! They are out there and looking actively!!
