Fear%20and%20Loathing%20in%20Las%20VoIP

1
Fear and Loathing in Las VoIP

• Adam J. ODonnell, Ph.D.
• Senior Research Scientist
• Cloudmark, Inc.
• adam_at_cloudmark.com

2
Predictions regarding VoIP security are
amusing. Security attacks on/involving VoIP are
fascinating.
3
An electronic Pearl Harbor-type event will
happen in 2006 or 2007. I do stand by
that... New technologies such as VoIP risk
driving a horse and cart through ... our network.
4
There are 500,000 hits on Google for spit
voip... ... why?
5
what was predicted...

• Taking down the entire phone network via large
  scale DDoS
• Massive Spam and Phishing
• Large-scale authentication abuse - Phishers
  proporting to be banks

6
...what is being seen

• One-off DoS against specific SIP implementations
• E-mail-driven phishing with VoIP phone numbers
• Large-scale authentication abuse... but people
  posing as other people, not as organizations

7
why? Economics

• Hackers are trying to gain the highest level of
  notoriety for their investment.
• Spammers and Phishers are trying to contact the
  maximum number of people for the minimum cost.

8
DoS Economics

• First step in writing a full exploit is crashing
  the service
• Very well-established process
• Grab protocol description
• Write fuzzer
• Publish results

9
DoS Economics

• Looking for vulnerabilities in new services is a
  standard pass-time for hackers looking to learn.
• The target isnt VoIP, but rather a new, possibly
  privileged service on the server

10
Phishing Economics

• Again, a very well established process
• Choose a target and a mailing list
• Either compromise or buy compromised web servers
  to host a target page
• Generate messages
• Retrieve data provided by fooled users from
  webservers

11
(No Transcript)
12
Phishing has become so standardized that
diversification of labor has taken place, with
separate groups of individuals supplying the web
servers, mail servers, money laundering services,
etc...
13
Phishing Market Pressures

• As phishing became standardized, so did several
  of the anti-phishing techniques
• Classifiers were trained to look for e-mail
  mentioning banks with odd-looking URLs
• Phishing hosts were reported to network
  operators, who act quickly to remediate the issue

14
Phishing Market Pressures

• The target market for phishers began to shrink,
  due both to user education and improved content
  filters
• For phishing to continue to be profitable, both
  the pitch and the callback information have to
  become
• More novel to the target
• Difficult to analyze

15
VoIP-carrying Phishing Scams

• Novel customers arent used to phone numbers
  being unsafe
• Difficult to analyze No whois-style information
  readily available for anti-phishers
• Cost effective the time required to acquire an
  inbound VoIP number is inline with compromising a
  desktop for use as a webserver

16
Your online credit card account has high-risk
activity status. We are contacting you to remind
that our Account Review Team identified some
unusual activity in your account. In accordance
with Philadelphia FCU Bank User Agreement and to
ensure that your account has not been
compromised, access your account was limited.
Your account access will remain limited until
this issue has been resolved. We encourage you
to call our Account Verification Department at
phone number (517) XXX-XXXX and perform the steps
necessary to verify your account informations as
soon as possible. Allowing your account access to
remain limited for an extended period of time may
result in further limitations on the use of your
account and possible account closure. Contact
our Account Verification Department at (888)
354-9907 24 hours / 7 days a week to verify your
account informations and to confirm your identity.
17
(No Transcript)
18
(No Transcript)
19
Dear Customer, We've noticed that you experienced
trouble logging into Santa Barbara Bank Trust
Online Banking. After three unsuccessful attempts
to access your account, your Santa Barbara Bank
Trust Online Profile has been locked. This has
been done to secure your accounts and to protect
your private information. Santa Barbara Bank
Trust is committed to make sure that your online
transactions are secure. Call this phone number
(1-805-XXX-XXXX) to verify your account and your
identity. Sincerely,Santa Barbara Bank Trust
Inc.Online Customer Service
20
What can we expect?

• Given that...
• Appears to be the work of a limited number of
  phishers.
• Small number of relatively unsophisticated
  messages
• First number had 1500 callers in 3 days, which is
  a far better response rate than webpages

21
What can we expect?

• More of the same, until...
• Lines of communication are established between
  anti-phishers and VoIP providers
• Banks adopt and customers expect multifactor
  authentication

22
Authentication Economics

• Phone numbers are used as authentication, because
  it is cheap (already in place)
• Spoofing phone numbers was previously expensive,
  requiring expertise in compromising phone switches

23
Authentication Economics

• The MGC component of VoIP systems are responsible
  for passing the calling partys phone number into
  the system
• Spoofing phone numbers is trivial for anyone with
  access to an MGC (ie, anyone who runs Asterisk)
• Several companies, such as camophone.com and
  spoofcard.com have been established to offer just
  this service

24
Think about all the systems that use only
your phone number as a form of authentication...
25
This is the enemy.
26
This is the enemy.
Aug 23rd (TMZ.com) Paris Hilton dropped from
spoofcard.com for hacking into Lindsay Lohans
voicemail, thus violating the ToS.
27
Consider the possibilities...

• In 1997, a measure was passed through Congress to
  ban radio receivers that covered the cellular
  phone band after a group of individuals recorded
  a high-level Republican conference call chaired
  by Newt Gingrich

28
Consider the possibilities...

• While not meant to be FUD, what will happen to
  VoIP regulation if some Hill staffer gets ideas
  after reading the Paris Hilton/Lindsay Lohan
  story...

29
Remediation?

• Authentication? Trivial, move to multi-factor
  systems, such as a PIN number.
• ACL? Also trivial, only accept calls across the
  MGC from phone numbers delegated to that provider
• Identity? A little harder. Maybe push
  crypto-signed signed phone numbers over the
  CallerID packet

30
Remediation?

• Reputation? This can be assigned to
• Phone numbers
• Source IPs
• Content
• Reporters of reputation information themselves

31
Remediation?

• If the response time is too long, FNs and FPs
  skyrocket
• Sender reputation is likely to be far easier to
  establish for mail spammers than VoIP spammers
• Not many home machines are mail servers, but many
  home machines are going to be VoIP users

32
Moral of the story?

• The possibility of attack isnt as important as
  the economic viability of attack
• Hackers and spammers are going to go with minor
  modifications on what they know, rather than
  major jumps in methodology

33
Questions?

• Adam J. ODonnell, adam_at_cloudmark.com