UC Expo 2010 - The Quandary of Unified Communications Security


Published in: Technology, Business

  1. The Quandary of UC Security and Fraud Prevention: From Legacy Telecom to Unified Communications. Zeev Pritzker - zeev@vibesec.com. Infrastructure & Delivery Management Theatre
  2. Security threats to legacy enterprise telecom
  3. Dial-through PBX fraud (diagram: PSTN, war dialer, Cuba, €€ ££, "Bingo!")
  4. Have you been hit by PBX fraud? [Confidential]
     • VoIP Fraud: Scenarios and Solutions, by Peder Jungck - Today's VoIP Makes Fraud Easy. The European business was billed for usage to the tune of $20,000, but what the U.S. VoIP provider did not know was that those calls were to a European equivalent of a fee-based 1-900 number service. By the time the U.S. VoIP provider received invoices for $450,000 from the 1-900 phone services, the European business entity was nowhere to be found.
     • Telecommunications fraud has been identified as the single biggest cause of revenue loss for telecommunications providers, with figures averaging between 3 and 5 percent of an operator's annual revenue. Current statistics point to a global loss of $55 billion per year, making telecommunications fraud a bigger business than international drug trafficking.
     • Winnipeg Free Press, by Meghan Hurley, 18/12/2008 1:00 AM: A local business owner is on the hook for a $52,000 phone bill after his voice-mail system was hacked and hundreds of calls were made to Bulgaria.
     • 98% of PBX hacking results in dial-through fraud
     • 25% report losses of more than 5% of revenues
  5. International PBX fraud case (2007)
     • 2,500 companies hacked
       • U.S., Europe, Canada and Australia
     • Losses: over $56,000,000 for US companies alone
     • Technique: brute force PBX dial-through
     • 10 “call centers” seized in Italy and Spain
     • Partial “distribution of profits” to Al-Qaeda
  6. Revenue pumping PBX fraud (diagram: PSTN, auto-dialer, fake premium service, ££)
  7. Internal abuse using PBX features (diagram: PSTN, forward, Cuba, €€ ££, premium rate services)
  8. Legacy phone eavesdropping (diagram: PSTN)
  9. Summary: legacy telecom threats
     • War dialing: costly and slow
     • Denial of service: expensive to implement
     • Eavesdropping: physical access required
     • The phones: dumb and unbreakable
     • Key threat: PBX dial-through fraud
     • Up to $50 billion annually in toll fraud worldwide
     • Fraud of up to 6% of total carrier revenue is not unusual
     • Source: BT, 2008
  10. Enterprise UC threats
  11. UC network attack vectors (diagram: voice VLAN, data VLAN, Internet, TFTP server, PSTN, WAN, VLAN hop)
  12. IP phones: no longer dumb or unbreakable
     • IP phones are weak network-attached hosts
       • Easily found and identified
       • No HIPS, no anti-virus
       • Browser interface (mostly not even HTTPS!)
       • Frequently mismanaged passwords/usernames
       • Blindly trust self-announced SIP proxies
       • Use unprotected TFTP server for configuration download
  13. IP phone Web interface can be googled… XXX
  14. Googled phone Web interface XXX. Attack using password guessing
  15. Googling for Cisco CallManager. Default User ID and password are telephone extension number! (google search for inurl:"ccmuser/logon.asp")
  16. Room eavesdropping Cisco phone (remote auto-answer)
     • Security Flaw Opens Cisco VoIP Phones To Eavesdropping, by Jennifer Hagendorf Follett, Nov. 29, 2007: Cisco Systems has confirmed a security vulnerability discovered in its VoIP phones that enables attackers to eavesdrop on voice calls. Cisco issued a security alert that identified 11 models of its Cisco Unified IP Phone 7900 Series handsets that are vulnerable to the attack that allows users to log into a phone and configure it as their own on a temporary basis.
  17. UC “security assessment” software
     • A variety of strong UC security breaking tools
     • Freely downloadable from the Internet
     • Intuitive GUI
     • Automated break-in arsenal
       • VLAN hopping
       • UC device discovery
       • Password cracking
       • Man-in-the-Middle attacks
       • Voice and video decoding and recording
       • Media manipulation
     • Compromise UC networks in minutes
       • Eavesdropping
       • Identity theft
       • Call hijacking
       • Disruption of service
  18. SIPScan scans networks for vulnerable SIP devices
  19. SIP trunk dial-through attack (diagram: Internet, SIP trunk, WAN, rogue IP-PBX, PSTN)
  20. Indirect SIP trunk dial-through (diagram: SIP trunk, Internet, PSTN, WAN, rogue IP-PBX)
  21. Cain & Abel password cracking and SIP eavesdropping
     • Man-in-the-middle insertion using ARP poisoning
     • Full range of VoIP codecs supported
     • Automatic decoding and recording into .wav file
  22. UCSniff – SIP scanning, VLAN hopping and eavesdropping
  23. Man-in-the-middle eavesdropping (diagram: voice VLAN, data VLAN, VLAN hop)
  24. Rogue SIP proxy attack (diagram: voice VLAN, data VLAN, Internet, PSTN; "I’m your SIP proxy" / "OK!"; fraud, eavesdropping, call hijacking)
  25. Denial of Service – SIP Flooding
  26. Denial of Service – Call Terminate
  27. IP-Centrex/hosted PBX attack vectors (diagram: metro access, VPN, data VLAN, Internet, carrier core, IP-Centrex, Web portal, PSTN, voice VLAN, VLAN hop, admin attacks, user attacks)
  28. Surveillance video hijacking (diagram: data VLAN, Internet, video VLAN, video replay)
  29. Summary of UC attack surfaces
  30. Future attack vectors
     • Presence
     • Intelligent routing
     • Fixed-mobile convergence
  31. Solutions?
  32. Existing network security solutions
     • Not UC context aware
     • Usually cannot protect against UC threats
     • Beware of piling up expensive equipment that does not solve the problem:
       • IPS/IDS
       • Encryption
       • Authentication
       • Network access control
  33. Existing UC security point solutions
     • VoIP intrusion prevention
     • VoIP network access control
     • VoIP network audit
     • Encryption
     • Traditional PBX fraud prevention
     • Session Border Controllers
     • Fragmented
     • Leave too many loopholes
     • Expensive
     • Difficult to combine and manage
  34. The onerous “Best Practices”
  35. The Quandary of UC Security and Fraud Prevention
     • UC created unresolved security challenges
     • IT departments do not understand UC security
     • Existing point solutions are inadequate
     • Best practices require large and skilled personnel
  36. Needed: Comprehensive Solutions
     • Focused on UC
       • Threat management in UC service context
       • UC applications, protocols, devices, network
     • Unified and easy to manage
       • Unified security and fraud management
       • Internal and external attacks
       • Easy to deploy appliance
       • Low OpEx/personnel
  37. Thank you [email_address]