Positive Hack Days. Gurzov. VOIP - Reduce Your Expenses, Increase Your Income! Or Vice Versa?

Integrated services by telecom operators and Unified Communications technology promise a quick payback and great convenience. However, it was discovered from practice that VOIP and IPPBX services can cause many problems, first of all relating to information security and fraud. What information security issues can arise for a company if Unified Communications are used? VOIP/PBX/MGW broken in 60 seconds - is it possible? Effective methods and practicalities of Unified Communications security will be discussed.

Published in: Technology, Business
  • Chart labels: DBMS, FTP, OS, Web, Mail, DNS, LDAP, Remote administration, Network hardware. Number of vulnerable services associated with password policy. Metrics are based on "live" data collected in internal security audits conducted by Positive Technologies experts, 2009.
  • Chart labels: High, Medium, Low; Dynamic site, Typical site. Detailed analysis of a vulnerable application.
  • Ask the author for the picture.
  • Ask the author for the picture.
  • Transcript of "Positive Hack Days. Gurzov. VOIP - Reduce Your Expenses, Increase Your Income! Or Vice Versa?"

    1. VoIP security legends and myths. Konstantin Gurzov, Head of Sales Support Department
    2. VoIP is attractive!
         • Access company’s network
         • Manage calls (fraud)
         • Data defect and replacement
         • Call interception
         • Personal data theft
         • and so on …
    3. VoIP infrastructure components. A VoIP segment is an integration of a number of specialized platforms and network devices, different networks and technologies.
    4. All local network threats are relevant to VoIP
         • Default passwords
         • Managing web interfaces
         • Software vulnerabilities
         • Traffic interception
         • Account blocking
    5. Known threats – former protection measures
         • Default passwords
       Examples of metrics calculated from "live" data during internal information security audits by Positive Technologies specialists, 2009.
       About 50% of all network devices have default or easily brute-forced passwords.
    6. Examples
         • Back-end devices
             • Default PIN for CISCO IP PHONE - « **#* »
         • SIP gateways
             • Default password for Asterisk - « admin » leads to:
                 • Denial of service
                 • Interception
                 • Integrity violation
                 • Toll Fraud
       Diagram labels: Reconfiguration, Minoring, Interception
    7. Known threats – former protection measures
         • Managing web interfaces
             • SQL Injection
             • Cross-Site Scripting
             • DoS
             • and so on.
       If an attacker manages to access your device web interface, attacks are guaranteed to be successful.
    8. Examples
         • CISCO Call Manager
             • CVE-2010-3039 privilege gaining
             • CVE-2007-4633 XSS
             • CVE-2007-4634 SQL Injection
             • CVE-2008-0026 SQL Injection
         • Asterisk GUI
             • CVE-2008-1390 CVSS Base Score 9.3
       The possibility to detect vulnerabilities of different risk level, based on analysis of 5560 sites conducted by Positive Technologies experts, 2009.
    9. Known threats – former protection measures
         • Software vulnerabilities
       Arbitrary code execution from the network in CISCO Call Manager 6. The vulnerability allows attackers to execute arbitrary code.
    10. Known threats – former protection measures
         • Software vulnerability
       Denial of service in CISCO Call Manager 6. The vulnerability allows attackers to cause a denial of service.
    11. Known threats – former protection measures
         • Services are unavailable and restricted
             • web interfaces with vulnerabilities
             • weak password policy
       Any VoIP device is a member of an Ethernet network, so it is vulnerable to most network attacks.
    12. Known threats – former protection measures
         • Traffic listening
             • weakly protected wireless networks
             • implementation of a « Man in the middle » attack
             • dozens of specialized applications for listening to VoIP traffic, for example Cain & Abel (www.oxid.it), UCSniff (http://ucsniff.sourceforge.net)
       Traffic listening leads to violation of confidentiality and personal data theft.
    13. Examples of real attacks
         • Traffic fraud
         • Interception of negotiations
         • Capture of corporate network
    14. Traffic fraud
       IP PBX 1 – Client’s IP PBX of company «А»; IP PBX 2 – Attacker’s IP PBX
         • No ACLs on devices
         • Weak device and software password policy
         • Low protection level as a whole for VoIP infrastructure
         • Billing once a month
    15. Traffic fraud – attacker’s actions
         1. Scan the network and find IP PBX 1.
         2. Provide PSTN connection to IP PBX 2 via IP PBX 1.
         3. Pass expensive MG / MH (long-distance / international) calls via «А» into PSTN.
       «А» operator is unable to explicitly separate responsibilities between itself and its client, so it always pays.
    16. Traffic fraud – can be avoided if the operator:
         • configures ACLs on external interfaces of the client IP PBX;
         • ensures that calls passed through the SIP trunk are not routed back;
         • blocks MG / MH (long-distance / international) calls if not used;
         • distributes password policy to VoIP services;
         • offers services for protection analysis of the client’s hardware.
    17. Interception of negotiations
         • Use wireless networks
         • Weak encryption algorithms
         • ACLs are not used
         • Weak password policy
    18. Capture corporate network
         • No managing of changes
    19. Capture corporate network – attacker’s actions
         1. Get access to the corporate network via Wi-Fi
         2. Find CISCO Call Manager by typical response
             • uses SQLi implemented CVE-2008-0026:
               https://www.example.org/ccmuser/personaladdressbookEdit.do?key='+UNION+ALL+SELECT+'','','',user,'',password+from+applicationuser;--
             • gets user password hashes, equivalent to the request:
               runsql select user,password from applicationuser
             • restores passwords from hashes
         3. One of the restored passwords is the Admin password for all CISCO local networks
       An attacker can capture the whole local network via VoIP services.
    20. Conclusions
         • VoIP infrastructure is vulnerable to the same security threats as an ordinary corporate network
         • VoIP service vulnerabilities LAN vulnerabilities
         • The same methods are used to create protected infrastructure in VoIP as in LAN
    21. Advice for creating a secure infrastructure
         • Advice 1: monitor changes and updates in your VoIP infrastructure.
         • Advice 2: distribute password policy to VoIP services, use strong crypto algorithms.
         • Advice 3: use a compliance and vulnerability management system to prevent incidents.
         • Advice 4: offer security level monitoring for clients' hardware as a VAS.
         • Advice 5: take a broad view of your infrastructure security; remember it is not only workstations and the e-mail system.
    22. Thank you for your attention! Questions? Konstantin Gurzov [email_address]
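
Slides 14 to 16 attribute traffic fraud to missing ACLs, trunk calls routed back to the PSTN, unused long-distance / international routes left open, and billing only once a month. The following is an added example, not part of the presentation: it applies those three operator-side checks to each call detail record as it arrives rather than at billing time. The CDR column names, the policy values and the sample rows are all constructed assumptions.

```python
import csv
import io
import ipaddress

# Assumed policy for one client IP PBX (all values constructed for illustration).
ALLOWED_PEERS = [ipaddress.ip_network("192.0.2.0/28")]  # ACL on the external interface
LONG_DISTANCE_ENABLED = False    # this client does not use MG / MH calls
LD_PREFIXES = ("00", "+")        # assumed long-distance/international dial prefixes

# Constructed CDR export; the column names are hypothetical.
SAMPLE_CDR = """start,src_ip,in_leg,out_leg,dst,seconds
2011-05-19T10:02:11,192.0.2.5,extension,pstn,4955550101,62
2011-05-19T23:40:02,203.0.113.77,trunk,pstn,0044700900123,1810
2011-05-19T23:41:30,192.0.2.5,trunk,pstn,4955550188,45
2011-05-19T23:55:09,192.0.2.9,extension,pstn,+5355550000,900
"""

def check_call(row):
    """Return the policy violations for one CDR row (empty list if clean)."""
    reasons = []
    src = ipaddress.ip_address(row["src_ip"])
    if not any(src in net for net in ALLOWED_PEERS):
        reasons.append("source outside ACL")
    # A call that arrives on the SIP trunk must not leave again towards the PSTN.
    if row["in_leg"] == "trunk" and row["out_leg"] == "pstn":
        reasons.append("trunk call routed back to PSTN")
    if not LONG_DISTANCE_ENABLED and row["dst"].startswith(LD_PREFIXES):
        reasons.append("long-distance/international destination")
    return reasons

def audit(cdr_text):
    """Check every record and return the ones that violate the policy."""
    alerts = []
    for row in csv.DictReader(io.StringIO(cdr_text)):
        reasons = check_call(row)
        if reasons:
            alerts.append({"start": row["start"], "src_ip": row["src_ip"],
                           "dst": row["dst"], "seconds": int(row["seconds"]),
                           "reasons": reasons})
    return alerts

def exposure_seconds(alerts):
    """Total call time on flagged records: the traffic the operator would pay for."""
    return sum(a["seconds"] for a in alerts)

if __name__ == "__main__":
    found = audit(SAMPLE_CDR)
    for a in found:
        print(a["start"], a["src_ip"], a["dst"], "; ".join(a["reasons"]))
    print("flagged seconds:", exposure_seconds(found))
```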