Transcript
Secure Cloud Communications & Collaboration (TM)
RedShift Networks - Building Secure Communications and Collaboration Clouds
Freeswitch Conference Call, October 31st, 2012
www.redshiftnetworks.com
Confidential - copyright 2007 all rights reserved
Communication • Visibility • Control • Protection
Today’s Headlines full of VOIP and UC Attacks on Global Level
• Explosion of VOIP/Video Attacks in 2011 and ALL of 2012 (50% increase of VOIP attacks month to month)
• Rupert Murdoch’s NewsCorp $55M Loss
• $15M loss
• GLOBAL SIP BOTNET Attacks
• VOIP Network Down
• Toll Fraud - $80B in losses - Eavesdropping and TDOS Attacks
• $120K Loss
(Slide graphic: world map marked with "Attacks" in many countries)
VOIP, Unified Communications & Collaboration
Enterprise Unified Communications & Collaboration Market (IDC)
• Unified Communications Market to double by 2014. Massive Growth predicted (techeye.net)
• The third straight quarter of growth in enterprise telephony equipment propelled the PBX and UC market back to annual growth in 2010, totaling $8.3 billion (up from $7.7 billion in 2009) (Infonetics)
Explosion of Unified Communications in the Cloud Market
• VOIP Services Market to become a $76B by 2015 (Infonetics – Sept 2011)
• UC as a Cloud Service growing at 93.8% CAGR (Infonetics)
• NTT, Comcast and France Télécom retains its leadership as the world's largest residential VoIP service provider followed by
• 100M+ Enterprise VOIP Seats today moving to 250M Plus VOIP Seats from now till 2015 (Worldwide)
• Downturn Drives UC Cloud Adoption (Information Age, March 2010)
Unified Communications as a Service Vendors - Security for Servers and Applications
• Web Access / Web Servers: IPS Devices (Tipping Point, Intruvert)
• Email Access / Email (Exchange) Servers: Anti-SPAM (Brightmail, Ironport, Cyphertrust, Postini)
• Database Access / Database Servers: Database Firewalls (Decru, Imperva)
• Unified Communications & Collaboration Servers (IP PBX, Presence, Conferencing, Collaboration): UCTM (Unified Communications Threat Management)
Summary of the segments: IPS-DPI protects Web Servers; Anti-SPAM protects Email Servers; DB Firewall protects Database Servers; UCTM protects UC Servers (IP Voice, Video, UC&C)
New Threats & New Security Product Segments - Unified Communications & Collaboration Security
Security is ‘Normal’ in a LAN Network (Data)
• Enterprises allocate 4% to 8% of their project budget to ‘SECURITY’
• We’d like VOIP Carriers and VOIP network implementers to do the same.
(Slide graphic: attacks arriving from the Carrier through the Firewall into the Enterprise LAN; DB Servers protected by a DB Firewall (Imperva), Microsoft Exchange protected by Anti-SPAM (Cisco))
UC Cloud - Complement SBC in Data Center with Deep UC & Collaboration Security/Analytics
Unified Communications & Collaboration (VOIP/Video) Security: Visibility, Control and Protection of core SoftSwitch / IP PBX.
(Slide graphic: attacks from the Carrier pass the Carrier SBC, which provides Layer 3 to 4 Network (SBC) functions, then RedShift UCTM Hawk, which provides deep UC application layer security & UC analytics, in front of the Carrier UC&C Data Center: IP PBX, UM, Presence, Conferencing, Collaboration)
What is VOIP, Unified Communications & Collaboration?
VOIP & Unified communications (UC) is the integration of real-time communication services such as:
• SoftSwitch
• IP Telephony
• Presence
• Conferencing / Collaboration (audio, video, web)
• Instant Messaging (chat)
• Call control
• Data sharing (whiteboards, file/app/desktop sharing)
• Speech recognition / IVR
with non-real-time communication services such as:
• Unified messaging (integrated voicemail, email, SMS)
UC is not a single product, but a set of products that provides a consistent unified user interface and user experience across multiple devices and media types.
Evolution of Unified Communications and Collaborations
• Yesterday: IP PBX, Conferencing, Presence, Collaboration, IVR/ACD
• 2012: Hosted UC Apps, Private Clouds
• 2014-15: Anywhere, Anytime, Any place - VOIP Cloud/SAS, Public Clouds
VOIP/UC Apps in 2 Years and Beyond
VOIP/UC Apps (in order of increasing complexity): Unified Messaging (UM), IVR / ACD, Publishing Documents, Communications Enabled Business Process (CEBP), Desktop Collaboration, Soft Clients, Desktop Sharing, Video Sharing, Presence, Voicemail, Applications Sharing, UC Endpoints, Video Conferencing, Web Collaboration, IM (Voice/Video), Documents Sharing, Audio Conferencing, Voice XML Apps, Fax over IP, Click-2-Call Apps, IP-PBX, IM (Text), Mobile UC, Speech Apps
Unified Communications And Collaboration Applications Continue To Grow
The Interconnected Enterprise and VOIP Carrier - Fast Explosion of VOIP/UC Enabled Devices
(Slide graphic: an Enterprise Service Provider connecting Enterprise B and Enterprise C; server farms for Database, Presence/UC, Email, Web and IP PBX, protected by IPS-DPI, DB Firewall, Anti-SPAM and Collaboration security; endpoints on WiFi, BYOB "Broadband", UMA/GSM, WiFi/WiMax, Dual-Mode and SOHO/Remote)
Increased Complexity Causing Increased Unmanageability
Factors Driving UC Security Market
• Smart Mobile Devices to grow to 1.5B units by 2014 (IDC, May 2011) – UC, Collaboration, Web and Security critical role
• UC client shipments to grow 65% per year through 2015 (Frost & Sullivan, Nov 2009)
• SIP Trunking growing at 50%+ CAGR (Nemertes Research)
• Inter Connected Unmanaged SIP Deployments Exploding
RedShift in the Hosted UC and Collaboration Cloud Offering
(Slide graphic: Unified Communications & Collaboration Cloud and SAS Services - Desktop/Application Sharing, Presence, UC Apps, IP PBX, Unified Messaging, Conferencing, IVR/ACD, Collaboration (web/video) - exposed to Rogue Devices, Rogue Applications, Rogue Users, Unsecure endpoints, Botnet Attacks, Mobile Malware and the Disgruntled Employee)
Why Securing Real Time Applications is vastly different
Requirements for Securing Real Time Flows is vastly different
• Category I: Real-time Requirements
  – 5-9s reliability
  – Low latency for Signaling and Media: 2ms for signaling; 100µs for media
• Category II: Security Requirements
  – Low tolerance to false-positives
  – Low tolerance to false-negatives
  – Call re-attempts are not acceptable
  – Process encrypted traffic (SIP/TLS, SRTP)
  – Deep packet inspection capabilities from Layer 3 – Layer 7 VOIP and UC traffic
  – Heterogeneous architecture comprising both pro-active and reactive solution elements
  – Need to maintain multiple levels of call state with adaptive behavioral learning of both UC application and VOIP endpoint
  – Advanced correlation of protocol state and security events across the different layers and security modules
  – UC-aware policy and incident management system
Requirements for Securing Real Time Flows is vastly different (continued)
• Category III: Technology Requirements
  – Comprehensively address VOIP, UC and CEBP application security threats
    • SIP/SCCP/H.323 protocol anomaly detection, IPS, Voice DOS and SPIT prevention, eavesdropping, toll fraud, number harvesting, UC Application threats
• Category IV: Carrier & Enterprise Focus
  – Deeper interoperability requirements with disparate systems
  – Complex services spanning multiple protocols
  – One security solution – not a slapdash combination of several piecemeal solutions
  – Zero touch deployment
• Category V: UC/VOIP Focus
  – Tightly integrated with IP-PBX and other communication infrastructure elements – easy to deploy and manage
  – Easy integration with 3rd party vendor solutions providing UC and SOA services (e.g. Microsoft, SAP, BEA and IBM)
  – Provide visibility to all VOIP and UC traffic
  – Provide control to all UC services, Applications and Assets
Next Generation VoIP/UC Applications and Services: Posing New Threat Vectors and Opportunities
(Slide graphic: Limited VOIP/UC Security today - IP Phone, Mobile UC Applications, Media Controller, VOIP Firewalls, UC/VOIP servers (collaboration, PBX, Presence, UM, Media, IM), SBC, IP-enabled Soft phones, SIP Trunks, Intelligent SIP Applications, UC as a Service (UCaaS) and Enriched UC/VOIP Services (UC SOA/Web-Services, Rich Voice/Video Collaborative Apps) carry IP VOICE/MEDIA that is UNPROTECTED Communications; the DATA of Business Applications (CRM, ERP, HR, SCM, Web) is Data Protected by IDS/IPS Devices, DPI/Application Firewalls, Network Firewalls and DOS/DDOS Protection)
NEW THREATS: Illegitimate Interception/Modification, Number Harvesting, Call Pattern Tracking, Media Hijacking / RTP Flood, Collaboration Hijacking, Eavesdropping, SPIT, Message Stealing, Toll Fraud, Call-ID spoofing, Presence publish, Media Threats, Voice/UC DOS + 1000’s more
Publicized VOIP and UC Threats – case study
Real-time applications bringing about new type of threats & pain points
(Slide graphic - labels: IP PBX, VDOS; Unified Messaging / PBX, SPIT, "Advertisement", High-Tech company; VPhishing, Banks IP PBX, East/West banks, Fake IP PBX, Customers Account Number & PIN; "Advertisement" NASA / NTT; Conferencing Attack – Call Park; Eavesdropping, "Buy $10,000,000" / "Sell $10,000,000", Dad London, Mom Tokyo, Uncle Delhi; Toll Fraud IP PBX, Major Call Center, FBI IP PBX, $80 billion loss)
Timing Comparison: Internet Attacks vs. UC Attacks
(Slide graphic - timeline from 1995 to 2015)
• Internet attacks: 5% Internet Penetration (1995) to 42% Internet Penetration (2000); Spyware, Trojans, Worms, Virus; Code Red $2.6B Loss; Slammer $2B Loss; Loveletter $8B Loss; 2005 $22B loss - SPAM; Botnets, Application attacks; firewall generations: Packet Filter & Stateful Packet Inspection FW (Layer 1-4), Application & Next Gen FW (Layer 5-7)
• VOIP/UC attacks: 17% VOIP Penetration (2012), NOW!!; VOIP SPIT, VM Stealing, VDOS/TDOS, VOIP Toll Fraud, Call-ID spoofing, VOIP Phishing, BotNet, Data to Voice; major vendors announce VOIP/UC vulnerabilities at blackhat, Blackhat Announces Vulnerability, Microsoft Announces Vulnerability; Skype, consumers, SF Giants, NASA VOIP Utility, UK Parliament, Amazon/Carrier Infrastructure, Bank of America, St. Barbara Bank, East Coast Bank; Florida - $1M loss, NY - $26M loss, Panama - $100K loss, Rumania - $15M loss; firewall generations: VOIP FW, UC & C Aware FW (2015)
Global Increase in High Profile Security Threats, Frauds, Cyber war and Industry Espionage -- VOIP/UC makes it easier
• High Profile Global Hacking Incidents now happening: Voicemail Hacking scandal by News Corp; Israel Bezeq network came down for 4 hours, shutting down their entire network
• Service Providers/ISPs Losing Billions of Dollars in Threats and Fraud Activities: Communications Fraud Control Association (CFCA) Telecom Fraud report 2010 - Carriers/ISPs losing $72-80 Billion (USD) in Threats and Fraud attacks. The Top 3 Fraud categories include:
  – 29% (approx. $22 billion USD) - Subscription/Identity (ID) Theft
  – 20% (approx. $15 billion USD) - Compromised PBX/Voicemail Systems
  – 6% (approx. $4.5 billion USD) – Premium Rate Service Fraud
• Global upsurge in SIP Botnets, Toll Fraud and other malicious threats from China, Russia, Iran - saw 20,000 separate attack incidents in 3 days
• Citibank loses data for 300,000 customers around the world. Automated calling/phishing attacks to gather PIN numbers
• FBI issues multiple Press notes on Toll Fraud, TDOS attack crimes
• Global Cyber Warfare -- State and Criminal actors
• Financial Institutions/Credit Card agencies losing $B in dollars
UC & Collaboration Threats, Vulnerabilities & Attack Tools
• VOIP Fuzzing: Malformed Request (Protocol Fuzzing), Malformed Protocol Messages; tools: PROTOS Suite, Codenomicon Suite, Spirent ThreatEx, Mu Security
• Eavesdropping: Call Pattern Tracking, Number Harvesting, Conversation Eavesdropping and Analysis, Voicemail Reconstruction, TFTP Configuration File Sniffing, Conversation Reconstruction
• VOIP Interception / Modification: Call Blackholing, Conversation Alteration, Conversation Degrading, Conversation Hijacking, False Caller Identification, DTMF Alteration / Recording
• Service Abuse / Integrity: Call Conference Abuse, Call Stealing (Toll Fraud), Identity Theft, Registration Spoofing / Attacks, Misconfiguration of Endpoints, Premium Rate Service Fraud
• Flood based Disruption of Service: Registration Flooding, User Call Flooding, Directory Service Flooding, DoS on Signaling, RTP DoS Attacks, Distributed DOS Attacks
• Signaling or Media Manipulation: Fake Call Teardown Messages, Call Hijacking, Registration Removal / Hijacking / Addition, Wiretapping, SPIT, Key Logging / DTMF Logging
• OS Vulnerabilities: Cisco Call Manager Vulnerabilities, Avaya Communication Manager, Microsoft LCS/OCS Server, Nortel, Alcatel Lucent, Siemens / NEC
• VOIP Scanning and Enumeration Tools: Nessus, SIP-Scan, SIPp, Sivus, iWar, SIP Crack
• Data Threats: SQL Injection, Cross-Site Scripting, Malware, Viruses, Web Vulnerabilities, Buffer Overflows
• UC Application Threats:
  – UM – Message Waiting Indication Attacks; UM – Manipulation of User Mailbox; UM – Voicemail Retrieval threats; UM – QoS degradation
  – Conference – Illegal Join / Leave Conference Attacks; Conference – Moderator Functions Attack; Conference – Adding Users Illegally; Conference – Rejoin attacks
  – Presence State Publish; Watcher authorization
  – IP-PBX – Password Attacks; IP-PBX – Attendant Forwarding; IP-PBX Music on Hold Threats; IP-PBX DND Attacks
  – Collaboration Web Interface Threats; Collaboration – Unauthorized File Upload threats; Collaboration – Weak backend integrations; Collaboration – Multimode Chat Threats
Real World VOIP Attacks
Summary of VOIP attacks in 2012 in Carrier Networks - Every VOIP network is getting attacked NOW
• Nationwide VOIP Carrier - USA: Blast of Registration attacks that almost brought the Softswitch to its knees, not allowing legitimate calls into the network.
• Global Carrier (with VOIP) - USA: Major SIP DDOS VOIP attack that shut down the entire network
• Nationwide VOIP Carrier – USA: Major VOIP attack from 1000’s of IP addresses – 60 different types of VOIP attacks. Shut down the entire VOIP network for 3 hours.
• Nationwide VOIP Carrier - USA: Major problems with Fraud on VOIP network. Includes any carrier with SIP footprint – really a problem as VoLTE rolls out
• International Mobile Operator: Major problems with Fraud, and attacks on their VOIP network – losing money constantly and customers complaining.
• And Many more….
Attacks seen in US based Network (within 7 days):
• Attacks by malicious users using “Scanners”; scanners like SIPVICIOUS, SIPP etc. (over 100 different scanners)
  – Lots of these attacks; the attackers initially scan the network and then generate more aggressive attacks!! We saw an aggressive rate of scanners from these IP Addresses.
• Register Attack
  – We saw a Register Attack from an IP address in Egypt which is not part of the Carrier’s list of customers. This is Toll Fraud and this is an international attacker.
• Request Rate Monitor Violations
  – Again we are seeing Toll Fraud attack attempts from Germany, Saudi Arabia and Germany.
• Register Hijacking Violations
  – Another attempt at Toll Fraud from Nigeria.
• Malformed Protocol Messages or Fuzzing Attacks
  – Lots of these attacks occur when a bad protocol message is sent to the Softswitch, which could shut down the Softswitch or cause the Softswitch to go into an ERROR state.
• And Others
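The "Register Attack" and "Request Rate Monitor Violations" findings above are the output of two simple checks: is the source of a REGISTER a known customer, and how many requests has one source sent inside a short window. The following Python monitor is an added example (not from the deck and not RedShift product code) that runs both checks over constructed SIP log lines; the log format, the customer allow-list, the five-second window and the per-window threshold are assumptions.

```python
"""Added example: a minimal SIP request-rate and REGISTER-source monitor.
Not from the RedShift deck; log format, allow-list and thresholds are assumptions."""
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log lines: "<ISO time> <src-ip> <SIP method> <Request-URI>"
SAMPLE_LOG = """\
2012-10-24T10:00:00 192.0.2.10 REGISTER sip:carrier.example
2012-10-24T10:00:01 192.0.2.10 INVITE sip:+14155550100@carrier.example
2012-10-24T10:00:01 203.0.113.7 REGISTER sip:carrier.example
2012-10-24T10:00:01 203.0.113.7 REGISTER sip:carrier.example
2012-10-24T10:00:02 203.0.113.7 REGISTER sip:carrier.example
2012-10-24T10:00:02 203.0.113.7 REGISTER sip:carrier.example
2012-10-24T10:00:02 203.0.113.7 REGISTER sip:carrier.example
2012-10-24T10:00:03 203.0.113.7 REGISTER sip:carrier.example
2012-10-24T10:00:05 198.51.100.9 OPTIONS sip:carrier.example
2012-10-24T10:00:06 192.0.2.11 REGISTER sip:carrier.example
"""

# Constructed customer prefixes (assumption); a REGISTER from anywhere else is suspicious.
CUSTOMER_NETWORKS = [ip_network("192.0.2.0/24")]
WINDOW_SECONDS = 5            # sliding window length (assumption)
MAX_REQUESTS_PER_WINDOW = 4   # per-source threshold inside the window (assumption)


def parse_line(line):
    """Split one constructed log line into (timestamp, source address, method, URI)."""
    ts, src, method, uri = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), ip_address(src), method, uri


def is_customer(addr):
    return any(addr in net for net in CUSTOMER_NETWORKS)


def analyze(log_text):
    """Return a list of (source_ip, violation) tuples, one per distinct finding."""
    windows = defaultdict(deque)   # source -> timestamps still inside the window
    findings = []
    seen = set()

    def report(src, what):
        key = (str(src), what)
        if key not in seen:
            seen.add(key)
            findings.append(key)

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, method, _uri = parse_line(line)
        # Check 1: REGISTER from an address outside the customer list.
        if method == "REGISTER" and not is_customer(src):
            report(src, "register-from-unknown-source")
        # Check 2: sliding-window request rate per source, any method.
        q = windows[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()
        if len(q) > MAX_REQUESTS_PER_WINDOW:
            report(src, "request-rate-violation")
    return findings


if __name__ == "__main__":
    for src, what in analyze(SAMPLE_LOG):
        print(f"{src}: {what}")
```

Run against the sample, the monitor reports 203.0.113.7 twice (unknown REGISTER source, then rate violation on its fifth request) and nothing for the customer addresses or the single OPTIONS probe. A production version would key the REGISTER check on the credentials presented as well as the source address, since the toll-fraud attempts described above are ultimately about obtaining a usable registration.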
Attack at an ITSP Network
Advanced Persistent Threat (APT) Attacks (VOIP/UC) @ ITSP Network
Chronology of VOIP/UC Attacks – The Phases
(Slide graphics: phases 1, 2 and 3)
Fraud – From Global Attacks
Global Blacklist of all VOIP attackers from around the world
• As RedShift Networks installs boxes all over the world, each node will learn about ‘attacks & threats’ in different parts of the world and will share this ‘intelligence’ with other carriers
• RedShift develops signatures of each attack type and attacker
VOIP/UC Architecture & Threat Categories
Unified Communications & Collaboration Applications Security – Hundreds of attack vector combinations
(Slide graphic - layered architecture, marked VULNERABLE at every layer:)
• Business Services: Financials, Telephone Commerce, UC Cloud / Hosted Services, CRM, CEBP …
• UC&C Apps: Unified Messaging, Conferencing, Presence, Collaboration (web/audio/video), IVR/ACD, Video Apps servers, Voicemail, IP-PBX (SIP), LCS/OCS, IP-PBX (SCCP, H.323, IAX) Modules
• Signaling: SIP, H323, MGCP, SCCP, SDP, XML, WS
• Transport: RTP, SRTP
• Supporting Services: HTTP, DNS, DHCP, TFTP, LDAP, RADIUS, AD
• OS and Networking Layers (Windows, Linux, Unix, Symbian) (TCP, UDP, IP), Configuration (Database)
VOIP and UC&C Threat Categories (RedShift’s additions): Device and OS Vulnerabilities; Device Configuration Weakness; IP/TCP Network Infrastructure Weakness; VOIP & UC Protocols Implementation Vulnerabilities; VOIP & UC Network Eavesdropping; VOIP & UC Network Interception and Modification; Fuzzing Attacks; Voice & UC Denial of Service (VDOS/UCDOS) Attacks; Signaling Manipulation Attacks; Media Manipulation Attacks; SPAM over Internet Telephony (SPIT); UC Infrastructure Threats (Voice, Media, IM, Web, UC & Collaboration); UC Application Layer Threats; Data Voice Threats; Voice Phishing
VOIP Device and OS Vulnerabilities
• IP phones, endpoints, Call Managers, Gateways and Proxy servers run on an underlying operating system which can be compromised
• Most of the devices run on traditional operating systems, e.g. Windows, Linux, RTOS etc., that are vulnerable, with numerous exploits publicly available
  – Several buffer overflow exploits publicly available against the Cisco IOS operating system
  – Denial-of-Service (DOS) exploits triggered by fragmented UDP packets for Alcatel and Avaya phones
• Most vendors have had announced exploits and vulnerabilities
• RedShift Networks has a library of thousands of vulnerabilities we have discovered across multiple platforms.
VOIP Device Configuration Weaknesses
• Weak Configurations - Open TCP/UDP ports, open file shares with global read/write permissions or temporary folders with weak permissions etc. As a result, the services running on these devices become vulnerable to a wide variety of attacks resulting in either a loss of service or a compromise of the device
• SIPNOC, June 2012 – VOIP Carriers have a HUGE problem with this as many attacks are done during periods when Network Managers are configuring their networks. We see attackers continuously scanning networks – ATTACKS HAPPEN IN A MATTER OF SECONDS
• The SNMP services offered by the devices may be vulnerable to reconnaissance attacks. For example, valuable information was gathered from an Avaya IP phone by using SNMP queries with the “public” community name
• Cisco SIP-based phone telnet service vulnerability that allows the telnet service to be exploited by an attacker due to weak password permissions set on the VOIP device
IP/TCP (L2-L4) Infrastructure Weaknesses
• TCP and UDP are transport mediums and are vulnerable to attacks; examples include DOS/DDOS, session hijacking, protocol anomalies, etc., which may cause undesirable behavior on the VOIP services
• Several publicly available tools generate TCP and/or UDP flooding attacks
• Lots of tools in the wild – just google for the attack tool in this realm
• Malformed TCP packet generators that can result in undesirable crashes
VOIP and UC Protocol Implementation Vulnerabilities
• VOIP and UC protocols such as SIP, SCCP, H.323, RTP, XMPP, MSRP, TIP, VXML, UXML, IM protocols etc. are relatively new emerging standards
• Both the protocol specifications and the subsequent vendor implementations need to mature to reduce the overall threat exposure:
  – Parsing errors
  – NULL packets (**)
  – Anomalous packets (**)
  – Protocol state violations
  – RFC violations (**) and many more
• Hundreds of vulnerability discoveries in vendor implementations of VOIP products that use H.323 and SIP by the University of Finland’s PROTOS group [5]
• The PROTOS work is publicly available, so any script kiddie can download and run the tools necessary to crash vulnerable implementations
(**) – We are seeing these attacks in customer networks
VOIP and UC Network Eavesdropping
• These attacks allow the attacker to obtain sensitive business or personal information otherwise deemed confidential
• The mechanism is the intercepting and reading, inserting, modifying of messages and conversations by unintended recipients
• Some examples include:
  – masquerading (**)
  – registration hijacking (**)
  – Eavesdropping
  – impersonation
  – Replay attacks
  – Call Pattern Tracking
  – Traffic Capture (**)
  – Message Stealing/Modification (**)
  – Message Tampering (**)
(**) – We are seeing these attacks in customer networks
(Slide graphic: “Sell $10,000,000” / “Buy $10,000,000” passing through the Network and IP PBX)
VOIP Network Interception and Modification
• These attacks are focused on compromising the integrity of a VOIP or UC service
• The attacks are very targeted and hard to detect
• The end outcome of the attack can range from a loss of reputation or brand name to leakage of sensitive information
• Few examples include:
  – Registration Hijacking (**)
  – Toll Fraud (**lots of attacks) – a $40 billion Problem
  – Call Rerouting (**)
  – Conversation Alteration
  – Impersonation (**)
(**) – We are seeing these attacks in customer networks
(Slide graphic: IP PBX, Network, Uncle Delhi, Mom Tokyo)
VOIP/UC Protocol Fuzzing Attacks
• Fuzzing is a popular black-box testing method employed by software vendors to improve robustness and performance of the code
• Fuzzing, as a term, relates to negative tests that are designed to test what the software should not do
• These tests range from input fuzzing, protocol state fuzzing or structural fuzzing, often resulting in a crash, denial-of-service or degradation
• Fuzzing is the START of the attack!!
• Few examples include: PROTOS, SiVus (**), Spirent ThreatEx, SIPp (**), SIPScan (**) – 100’s of tools out there.
• REDSHIFT NETWORKS – We’re seeing scanners continuously HIT all the networks.
(**) – We are seeing these attacks in customer networks
SIP Fuzzing
• SIP grammar (ABNF) – The SIP grammar is defined in RFC 3261 (Augmented Backus-Naur Form)
• SIP Fuzzing: Exploits different aspects of the SIP grammar
  – Infinite sentences
  – Syntax
  – Delimiters
  – Field Values
  – Context-Sensitive
SIP Fuzzing Categories
• Syntax Errors
  – Syntax errors violate the grammar of the underlying language.
  – They are created by removing an element, adding an extra element or providing the elements in the wrong order.
• Delimiter Errors
  – Delimiters mark the separation of fields in a sentence.
  – In SIP the delimiters are white space characters (space, tab, line-feed, etc.) or characters such as commas and semicolons.
  – Delimiters can be omitted, multiplied or replaced by other unusual characters. Paired delimiters, such as braces, can be left unbalanced.
VOIP, Media and UC Denial of Service (DOS/DDOS) Attacks
• Resource Starvation: Due to flooding attacks originating either from a single source or multiple sources, hogging significant CPU bandwidth and making the victim server totally unusable
• Resource Unusable: Uses a carefully crafted mechanism to exploit a specific vulnerability leading to a crash or a service integrity compromise
• Other Flooding attacks: SIP/SCCP/H.323/RTP/UC DOS/DDOS Attacks
  – VDOS
  – Forge BYE (**)
  – Stealth DOS
  – MWI Flood Attacks (**)
  – Presence State Flooding (**)
(**) – We are seeing these attacks in customer networks
(Slide graphic: IP PBX and Network; DoS Reported 09/12/2002)
• FreeSWITCH has issues handling an overly long Route header value, which results in a segmentation fault. This can also be considered a DoS vulnerability because it is possible to remotely crash FreeSWITCH.
• Affected version: FreeSWITCH Version 1.2.0rc2+git~20120731T213556Z~e97da8e20a (1.2.0-rc2; git at commit e97da8e20a on Tue, 31 Jul 2012 21:35:56 Z)
• Later or previous commits might also be affected.
• The issue has been …
• To test if you have a vulnerable build do the following:
  - Prepare an INVITE request containing a Route header with the value generated by the following command: perl -e "print 'A,' x 15000"
  - Send the prepared INVITE request to port 5060
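The delimiter and syntax error categories above and the overlong Route header just described are all things a softswitch can be shielded from by a strict pre-parser that rejects a request before the real SIP stack sees it. The following Python pre-filter is an added example (not from the deck, and not FreeSWITCH code): it checks the request line, requires every header to be a well-formed "Name: value" line separated by CRLF, flags unbalanced angle brackets in name-addr headers such as Route, and enforces a per-header length cap that catches a 30,000-byte Route value like the one the perl one-liner produces. The cap of 4096 bytes, the method list, the error labels and the sample INVITE are assumptions, and header folding is deliberately not supported.

```python
"""Added example: a defensive SIP request pre-filter. Not from the RedShift deck
and not FreeSWITCH code; the length cap, method list and error labels are assumptions."""
import re

MAX_HEADER_VALUE_LEN = 4096  # assumption: far above legitimate Route values, far below a 30 KB fuzz payload
REQUEST_LINE = re.compile(r"^(INVITE|REGISTER|OPTIONS|BYE|ACK|CANCEL) (sips?:\S+) SIP/2\.0$")
HEADER_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):[ \t]*(.*)$")
NAME_ADDR_HEADERS = {"route", "record-route", "contact", "from", "to"}  # headers that use <...> name-addr


def validate_sip_request(raw):
    """Return a list of problems found; an empty list means the request passed the pre-filter."""
    problems = []
    # Headers end at the first empty line. SIP lines are CRLF-delimited, so a bare LF
    # anywhere is a delimiter error of the kind the fuzzing categories describe.
    head, sep, _body = raw.partition("\r\n\r\n")
    if not sep:
        problems.append("missing CRLFCRLF terminator after headers")
    if "\n" in raw.replace("\r\n", ""):
        problems.append("bare LF used as line delimiter")
    lines = head.split("\r\n")
    if not REQUEST_LINE.match(lines[0]):
        problems.append("malformed request line")
    for line in lines[1:]:
        m = HEADER_LINE.match(line)
        if not m:
            problems.append(f"malformed header line: {line[:40]!r}")
            continue
        name, value = m.group(1), m.group(2)
        # Length cap: an overlong header is rejected here instead of reaching the parser.
        if len(value) > MAX_HEADER_VALUE_LEN:
            problems.append(f"{name} value too long ({len(value)} bytes)")
        # Paired-delimiter check: unbalanced angle brackets in a name-addr header.
        if name.lower() in NAME_ADDR_HEADERS and value.count("<") != value.count(">"):
            problems.append(f"{name} has unbalanced angle brackets")
    return problems


def build_invite(route_value):
    """Construct a minimal INVITE (sample data, not a captured message) with the given Route value."""
    return ("INVITE sip:bob@carrier.example SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
            "From: <sip:alice@carrier.example>;tag=1928301774\r\n"
            "To: <sip:bob@carrier.example>\r\n"
            "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
            "CSeq: 314159 INVITE\r\n"
            f"Route: {route_value}\r\n"
            "Content-Length: 0\r\n"
            "\r\n")


# Constructed inputs: one clean request and three malformed variants.
WELL_FORMED = build_invite("<sip:proxy.carrier.example;lr>")
OVERLONG_ROUTE = build_invite("A," * 15000)          # same shape as the slide's perl one-liner
UNBALANCED_ROUTE = build_invite("<sip:proxy.carrier.example;lr")
BARE_LF = WELL_FORMED.replace("\r\n", "\n")

if __name__ == "__main__":
    cases = [("well-formed", WELL_FORMED), ("overlong Route", OVERLONG_ROUTE),
             ("unbalanced Route", UNBALANCED_ROUTE), ("bare LF", BARE_LF)]
    for label, msg in cases:
        print(f"{label}: {validate_sip_request(msg) or 'OK'}")
```

The well-formed INVITE passes, the overlong Route is reported as 30000 bytes against the cap, the unclosed angle bracket is reported as a delimiter problem, and the LF-only variant is reported both for its delimiters and for the request line the splitter can no longer recover. A filter like this belongs in front of the softswitch (on the SBC or in the UCTM layer the deck describes), where a rejected request costs a log line rather than a crash.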
Signaling Threats (SIP etc)
• The signaling protocols, if not properly authenticated and encrypted and without proper authorization controls, can result in several threats. Few examples include:
  – Identification of VoIP/UC devices
  – Protocol enumeration (SIP register, options, and invite methods) and VoIP war-dialing (**)
  – Vulnerability scanning of VOIP/UC endpoints (**)
  – Number harvesting and Call pattern tracking (**)
  – Authentication cracking and guessing (**)
  – Signaling manipulation attacks: Registration (removal, addition, and hijacking methods) and Redirection attacks
  – Signaling teardown resulting in denial-of-service (**)
  – Caller ID spoofing: techniques, services, and scenarios (**)
(**) – We are seeing these attacks in customer networks
Media And Video Threats (RTP)
• Exploiting weaknesses in Video Infrastructure
• Exploiting weaknesses in IP Video protocols and network
• Inserting malicious code/scripts in the payloads
• Exploiting vulnerabilities in Video Applications – e.g. Media Players, Browser-based Media streaming etc.
Examples:
• Video DOS/DDOS Attacks: The attacker sends a flood of RTP/RTCP packets towards a target [endpoints, servers] resulting in a denial-of-service
• Video Hijack: An attacker can intercept a live RTP video conferencing stream and hijack it with another video clip [e.g. porn]
• Video SPAM: The attacker sends a Video SPAM message [e.g. Viagra message] to simultaneous end nodes
• Video Teardown: An attacker tears down an existing video session using a carefully crafted packet
• Video Eavesdropping: Eavesdropping of Video traffic using video sniffer tools (MITM Attack)
• Video Recording: An attacker illegitimately intercepts and records live video traffic using a packet capture tool [e.g. Wireshark] and saves this into a .wav/.avi file that can then be replayed at will
• Video Replay (or Redirect) Attack: An attacker intercepts a live video conference, e.g. presented by the CEO, and replays an earlier private conversation of his with an investor
SPAM over Internet Telephony (SPIT)
• There is a general perception that Voice SPAM will suffer the same fate as Email SPAM
• NOW that VOIP deployments today are being interconnected via the internet or Cloud or federation, i.e. in open networks, spammers are starting to exploit these interconnections. (**)
(**) – We are seeing these attacks in customer networks
(Slide graphic: “Advertisement” SPIT through the Network to a High-Tech company’s Unified Messaging / PBX)
UC Infrastructure Threats (Voice, Media, IM, Web, UC & Collaboration)
• UC infrastructure, comprising a complex network of servers, protocols, users and endpoints, needs to enforce strict policy lockdown measures to reduce the attack exposure. Few examples include:
  – Unauthorized Use of Voice Assets (IP PBX, IP Phone etc)
  – Fraudulent/wasteful employee calling activity
  – Privilege escalation of VOIP or UC services from Users with lower privileges – weak administrative access levels
  – Excessive use of bandwidth heavy services
  – Weak controls on VOIP/UC, IM or Media services such as FAX over IP, VOIM, video chats
  – Weak IP-PBX controls and threats – e.g. Blind Transfer, Auto Attendant override, Music on Hold threats, Call forwarding, Do-Not-Disturb attacks
UC Application Layer Threats
• UC applications such as Presence, Unified Messaging, Collaboration, Conferencing, IVR, ACD, Telepresence etc. also suffer from threats if proper security enforcements are not in place. Few examples include:
  – Presence -- Illegal Presence state manipulation
  – Presence -- Unauthorized Presence state monitoring, publishing invalid presence states
  – Presence -- Protocol content manipulation resulting in invalid states
  – Presence -- Presence masquerading (or spoofing); Continuous Presence state publish
  – Unified Messaging -- Illegal Voicemail Reconstruction, retrieval, broadcast (Rupert Murdoch News Corp)
  – Unified Messaging -- Email SPAM on Voice mail systems; Message Waiting Indication (MWI) attacks
  – Unified Messaging -- Protocol Attacks/DOS on Voice mail systems, email systems, fax machines etc
  – Conferencing -- Illegal Join/Leave attacks, Moderator or Floor control attacks (FBI/Scotland Yard Attack)
  – Collaboration -- Hijacking, Altering or Routing, Illegal use of conferencing functions
  – Collaboration -- Teardown, Identity Spoofing/Theft attacks
Data Voice Threats
The beauty of converged networks is that voice over IP is 'just' another application running on the data network. Unfortunately, from a security viewpoint, this means that it will also be affected by all the attacks that affect data networks, even if they are not deliberately targeting voice over IP. A few examples include:
• Buffer overflow exploits (**)
• SQL Injection attacks (**)
• Cross-site scripting
• Command injections
(**) – We are seeing these attacks in customer networks
Voice Phishing – FBI has issued a WARNING about this attack
• A new form of identity theft which tricks users into revealing personal information: the scammer replaces a website with a telephone number, or is able to redirect the traffic going to the genuine Bank's PBX to a Fake PBX.
• Once the naïve user starts punching in his personal information, e.g. social security number, driver's license, credit card numbers or Bank ATM number, the digits are retrieved from the payloads using advanced tools.
[Diagram: VPhishing – traffic destined for the Bank's IP PBX (East/West banks network) is redirected to a Fake IP PBX, which captures the customer's Account Number & PIN]
Strict Compliance Enforcement is catching up
• FISMA, FEDRAMP – Provide new Cloud security standards for all cloud business owners, including VOIP/UC
• SOX – Provide adequate proof of control for VOIP/UC
• GLBA – Protect the privacy of consumer information gathered by VOIP/UC systems
• HIPAA – Ensure confidentiality of electronic health data transmitted by VOIP/UC systems
• PCI-DSS – Ensure protection of credit card data transmitted and used by VOIP/UC systems
• The Federal Deposit Insurance Corporation (FDIC) VoIP Guidelines – The FDIC recommends that financial services deploying VOIP evaluate it as part of their risk assessment associated with GLBA.
• CALEA, EU Regulatory Forum, Telecommunications Act and many more..
Growing VOIP/UC Application Vulnerabilities – A cause for concern
• Some SIP servers may exclude the “qop” parameter from the 401/407 challenge message. This gives rise to the possibility of undetected message tampering, resulting in sensitive SIP signaling data (e.g. originator identity) being changed by an attacker.
• Registrar SIP implementations may not enforce that the user names in the To header and in the Authorization header are identical. This may allow an attacker to reuse a sniffed Authorization header for a different To header.
• SIP proxy server implementations may accept replayed credentials in call setup requests, potentially allowing an attacker to reuse credentials previously captured in messages of their choice.
• An attacker can reuse previously sniffed credentials and change the From user name to create a large number of subscriptions to overload a Presence server.
• Each SIP request generates one of several possible SIP responses. Several implementations are vulnerable to an information leak where an attacker can deduce SIP extensions / user names based on the response codes received to specially crafted requests.
• Unspecified vulnerability in the Nortel CS 1000 M media card in Enterprise VoIP-Core-CS 1000E, 1000M, and 1000S 04.50W before 20070523 in Meridian/CS 1000 allows remote attackers to cause a denial of service (card hang) via unspecified vectors.
• If feature access codes are not properly authenticated, or if the authentication is vulnerable to replay attack, then an attacker can use a feature access code to make the SIP call server use a spoofed caller ID and place calls on his/her behalf.
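As an added example (not RedShift's or FreeSWITCH's code), the Python below shows a registrar-side Digest check that closes the first gaps listed above: the 401 challenge always carries qop=auth, the Authorization username must equal the To user, a nonce/nc pair is accepted only once so replayed credentials are refused, and every failure yields the same bare result so response codes reveal nothing about which step failed. The realm, user store, password and helper names are constructed assumptions for the example.

```python
import hashlib
import re
import secrets

REALM = "example.invalid"  # constructed realm for the example
# Constructed user store: username -> HA1 = MD5(user:realm:password)
USERS = {"alice": hashlib.md5(b"alice:example.invalid:s3cret").hexdigest()}
ISSUED = set()    # nonces handed out in 401 challenges
CONSUMED = set()  # (nonce, nc) pairs already accepted: the replay guard

def md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def make_challenge():
    """Build the 401 WWW-Authenticate value; qop=auth is never omitted."""
    nonce = secrets.token_hex(16)
    ISSUED.add(nonce)
    return f'Digest realm="{REALM}", nonce="{nonce}", qop="auth", algorithm=MD5'

def client_response(user, password, challenge, uri, nc="00000001", cnonce="abc"):
    """What a legitimate UA sends back (RFC 2617 qop=auth form); used here
    only to build sample REGISTER credentials for the registrar to check."""
    nonce = re.search(r'nonce="([^"]+)"', challenge).group(1)
    ha1 = md5(f"{user}:{REALM}:{password}")
    ha2 = md5(f"REGISTER:{uri}")
    resp = md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')

def verify_register(to_user, auth_header):
    """Registrar-side check. Every failure returns the same bare False so the
    caller answers with one uniform status and leaks nothing about which
    step failed (the response-code information leak named on the slide)."""
    p = dict(re.findall(r'(\w+)="?([^",]+)"?', auth_header))
    if p.get("username") != to_user:          # To and Authorization must agree
        return False
    if p.get("qop") != "auth" or p.get("nonce") not in ISSUED:  # our challenge, with qop
        return False
    if (p["nonce"], p.get("nc")) in CONSUMED:  # replayed credentials
        return False
    ha1 = USERS.get(to_user)
    if ha1 is None:
        return False
    ha2 = md5(f"REGISTER:{p.get('uri', '')}")
    want = md5(f"{ha1}:{p['nonce']}:{p.get('nc')}:{p.get('cnonce')}:auth:{ha2}")
    if not secrets.compare_digest(want, p.get("response", "")):
        return False
    CONSUMED.add((p["nonce"], p.get("nc")))
    return True
```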
Security Recommendations – Recommendations for locking down VOIP networks
• Internal controls for VOIP/UC systems: ensure strong password strength protection
• Employ strong encryption (WPA with AES-256 bit)
• VOIP/UC systems should be tested against standard penetration & vulnerability testing tools, and patched regularly
• Provide detailed Call Logs, Billing logs, Alerts & Events log, Audit & Admin Logs
• Employ strong 2-factor authentication to prevent unauthorized use
• Ensure security and confidentiality of consumer information gathered by VOIP/UC systems
• Protect against any MITM based threats – illegal tampering, routing or modification of user or call records – e.g. Call-ID spoofing, Toll Fraud, SQL Injection
• Protect against unauthorized access to VOIP/UC records
• Provide security of health data stored in Voice Messaging systems
• Prevent sabotage of UC/VOIP services – identity stealing, escalation – minimize use of soft phones – botnets that can steal data
• Present clean separation of UC VLANs from Data VLANs – proper Authentication, Authorization, Auditing controls
• Protect WiFi IP Phones from eavesdropping by encryption
• All payment card information using VOIP/UC needs to be encrypted, with 2-factor authentication, using a Virtual Private Network (VPN)
• Prevent any voicemail hacking attacks
• Protect against any illegal redirecting or tampering of VOIP traffic
• Prevent illegitimate eavesdropping (or recording) of media traffic
Case Studies – Locking down VOIP Networks

Case Study #1 – Hosted VOIP Carrier protecting its Core network and offering Security for Enterprise customers
[Diagram: Carrier core with SoftSwitch, Collaboration, Unified Messaging, Presence and Conferencing servers behind an SBC (Eth0 / Eth2), monitored from the Carrier's NOC, serving Enterprise A and Enterprise B]
OFFERINGS:
• Carrier can offer ‘Managed VOIP Security’ to your Hosted VOIP customers and ‘Monitor/Manage’ the Security on premise (sell or lease), and monitor/report security threats/events/alerts/attacks etc.
• AND charge for this new service – Monthly fee for Appliance (sell or lease) & Managing security
Customer Case Study #2 – Wholesale Carrier
[Diagram: Carrier and its Carrier Customers, monitored from the Carrier's NOC (Monitor)]

Customer Case Study #3 – Mobile Operator with VOIP Network: A) VOIP Security, B) Network Visibility
[Diagram: IMS SBC, Cable, Enterprise B, Carrier B and Carrier Customers, with A (security) and B (visibility) points, monitored from the Mobile Carrier's NOC (Monitoring)]

Customer Case Study #4 – Calling Card Vendor
[Diagram: Vendor and its Carrier Customers, monitored from the Vendor's NOC (Monitor RedShift)]
RedShift Unified Communications Threat Management (UCTM) Technology – VOIP/Video Security
• TOLL FRAUD
• VOIP/Video DOS, DDOS
• VOIP/VIDEO/UC POLICIES
• DEVICE & USER ANALYTICS
• VOIP/UC ENCRYPTION TERMINATION (TLS, SRTP)
• USER, APP & NETWORK BEHAVIOUR LEARNING
• RTP/SRTP (MEDIA SECURITY)
• SIP TRUNK SECURITY
• FUZZING ATTACKS (Protocol Compliance)
• APP AWARE UC/VOIP SECURITY
• VOIP/UC IPS
• SPIT (SPAM OVER IP TELEPHONY)
• SQL DB ATTACKS
• WAR DIALING
• SIP BOTNET ATTACKS
• Stateful Packet Inspection DATA FIREWALL
• GLOBAL BLACKLIST SERVICE
• Tap mode, Monitor mode & Inline mode
Delivers: Correlation, Behavior Analysis & Analytics – correlation of THREATS and ATTACKS across GLOBAL NODES

Conclusions
• Next generation IP Voice, Video and UC&C applications will leverage IP infrastructure to deliver a richer user experience across any device, any time and from any location.
• Stakeholders must understand that while this move presents great promise, it also presents unique security requirements that differ from those of conventional data applications.
• Due to the real-time nature of communications, combined with complex interconnects involving many entities, the overall network complexity and threat-vector exposure is alarming.
• It is important to consider proper security measures through the entire lifecycle of the deployment – not as an afterthought.
• The nature of threats, security risks and exposure needs to be understood thoroughly.

Thank You
Secure CLOUD Communications and Collaboration