Thursday, May 15, 2008

VoIP and identity fraud on the BBC

BBC News is running an article highlighting one of the most basic vulnerabilities in the majority of current VoIP providers: the lack of encryption. This is indeed a problem, since SIP passes an MD5 hash of the password in clear text, so anyone watching the traffic can perform an offline attack and quickly recover the credentials. The attack has been described in countless blogs, articles and papers by now, and some tools are very efficient at demonstrating this issue.

What caught my eye is the mention of VoIP credentials being sold on the underground for $17 apiece. So I emailed Mr Gladwin, who was quoted in the article. This is a summary of our email conversation:
  • There is no indication that stolen VoIP details were harvested because of the lack of encryption
  • If anyone comes across underground forums / sites / resources which have prices please let me know. Unfortunately Dave Gladwin was not able to provide me with a reference (until now)
  • There was no indication as to the size or volume of the VoIP credentials trading
Skype took the chance to remind us that this is not an issue for them (since they make use of a proprietary protocol which has encryption built in).

I'm interested in learning which method is being used to steal credentials. Take your pick:
  • Sniffing at WiFi internet cafes, hacked service providers etc., followed by offline password attacks
  • Active password attacks (such as those supported by SIPVicious svcrack). Such attacks have previously been used by Robert Moore and obviously by others who were not caught ;-)
  • Hacked VoIP service providers or end users
  • Phishing attacks
My feeling is that active password attacks will give you the best results when the target is simply "the Internet". But in the end, what matters is what is currently being abused and how we can prevent and mitigate it.
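On the mitigation side, active password attacks show up on the registrar as bursts of failed registrations from one source. The following is an added example, not code from this blog or from the OSSEC rules: it flags such bursts in log lines written in the style of Asterisk chan_sip NOTICE messages. The sample lines are constructed, and the threshold of 5 failures in 60 seconds is an assumption to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

def make_line(sec, ext, ip, reason):
    """Build one constructed log line in the style of an Asterisk chan_sip NOTICE."""
    return (f"[May 15 10:00:{sec:02d}] NOTICE[2101] chan_sip.c: Registration from "
            f"'\"{ext}\" <sip:{ext}@192.0.2.10>' failed for '{ip}' - {reason}")

# Constructed sample: one source guessing passwords for extension 100,
# one source walking extensions 100-104, and one user with a single typo.
SAMPLE_LOG = "\n".join(
    [make_line(s, 100, "203.0.113.5", "Wrong password") for s in range(0, 12, 2)]
    + [make_line(20 + i, 100 + i, "198.51.100.7", "No matching peer found") for i in range(5)]
    + [make_line(40, 101, "192.0.2.44", "Wrong password")]
)

LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<sender>.*)' failed for '(?P<ip>[^']+)' - (?P<reason>.+)$"
)
EXT_RE = re.compile(r"sip:([^@>]+)@")

def detect(log_text, threshold=5, window=timedelta(seconds=60), year=2008):
    """Return {source_ip: label} for sources with >= threshold failures inside window.

    The log lines carry no year, so one is supplied (assumption: single-year log).
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a failed-registration line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ext = EXT_RE.search(m["sender"])
        events[m["ip"]].append((ts, ext.group(1) if ext else "?"))
    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                targets = {ext for _, ext in evs[start:end + 1]}
                # One extension hammered = guessing; many extensions = scanning.
                alerts[ip] = "password guessing" if len(targets) == 1 else "extension scan"
                break
    return alerts
```

Flagged sources can then be fed to whatever blocking mechanism the site uses; a single failure such as the one from 192.0.2.44 stays below the threshold.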

Update: Dave Gladwin updated the Newport Networks Blog to provide more details on the subject.

Friday, May 2, 2008

Defcon 15 videos - VoIP related talks

Just in case anyone missed Defcon 15 (like I did), here are two talks of interest relating to VoIP:
For the rest of the videos check out this list.

Thanks to Anthony of Iron::Guard for the pointer.

OSSEC v1.5 now has built-in Asterisk rules

A new OSSEC version has been released. Along with a number of updates, OSSEC now includes the Asterisk rules that were first published in my hakin9 article and then here. The rest of the updates are described in the Changelog.

Grab it now.