[VoiceOps] [VOIPSEC] Tackling VoIP fraud, new idea

J. Oquendo sil at infiltrated.net
Fri Feb 21 11:02:49 EST 2014


On Fri, 21 Feb 2014, D'Arcy J.M. Cain wrote:

> > Second field, one can set up a triggering mechanism.
> > (Pseudo code)
> > 
> > if [ number == 2125551212 ]
> > 	then
> > 		do something (send_email || generate_phonecall)
> > fi
> 
> Not sure what you mean here.  If the IP is already blocked then what
> are we checking?

Blocking an IP will ONLY block the attacker from doing malice
from that host. If by chance someone made it onto one of your
machines, you could set a trigger that says: Hey, if you see
an account trying to dial this KNOWN_TO_BE_BAD number that is
listed, send me an e-mail, or look up what OTHER IP is now
trying to call that number and block them too.

> Not sure about this.  What if I want to weight the reports based on who
> submitted them.  There may be members that I completely trust and would
> block based on their report.  For others I may want to see multiple
> reports before I block.

I don't disagree; however, I am taking my malware analysis and
DFIR experience here. The reason (IMHO) we companies still get
compromised six ways from Sunday is, many don't share data for
various reasons: 1) they don't want the public/others to know
"they've been had," 2) data submitted may be relevant to an
ongoing law-enforcement-related investigation, 3) good old
fashioned chest thumping.

Chest thumping. I have seen many companies take the approach
that attacker data is some holy grail. "We were the first and
only to see this!" All the while others could have been given
a green light on an attack source.

> What about non-free email?  It seems to me that a tighter vetting
> process is needed.  I wouldn't accept any email that was not attached
> to an actual VoIP provider.  I realize that that takes more work though.

There are VoIP providers, ITSPs, Carriers, but you're leaving
out the small businesses, and smaller non-carrier-like shops
who can also disclose attack sources.

> I am not totally opposed to the idea.  Not sure how useful it might
> be.  What sort of attacks are you thinking about?  I already block IPs
> based on failures to register and no one can dial without being
> registered.  It's all automatic.

I am thinking the whole gamut of attacks. Registrations,
actual calls, anything related to VoIP. Web based exploit
of a PBX. Anything that is relevant to IP PBX telephony
systems.

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF
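
The trigger discussed in this message (alert when an account dials a listed known-bad number, then find which other source IPs are calling it), as an added example that is not part of the original message. The record layout, account names and IP addresses are constructed for illustration; only the number 2125551212 comes from the quoted pseudo code.

```python
from collections import defaultdict

KNOWN_BAD_NUMBERS = {"2125551212"}   # number taken from the thread's pseudo code
BLOCKED_IPS = {"203.0.113.10"}       # constructed: a source that is already blocked

# Constructed call records: timestamp, account, source IP, dialed number
SAMPLE_CDRS = """\
2014-02-21T10:01:07 acct1001 203.0.113.10 2125551212
2014-02-21T10:04:42 acct1001 198.51.100.23 +1 (212) 555-1212
2014-02-21T10:05:10 acct1002 192.0.2.77 4165550100
2014-02-21T10:09:55 acct1003 198.51.100.99 12125551212
malformed line
"""

def normalize(number):
    """Keep digits only and drop a leading NANP country code '1'."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return digits[1:] if len(digits) == 11 and digits.startswith("1") else digits

def find_triggers(cdr_text, bad_numbers, blocked_ips):
    """Return (alerts, new_ips) for calls placed to known-bad numbers."""
    alerts = []
    new_ips = defaultdict(set)  # unblocked IP -> accounts dialing a bad number
    for line in cdr_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue  # skip malformed records instead of failing
        ts, account, ip, dialed = parts
        number = normalize(dialed)
        if number not in bad_numbers:
            continue
        alerts.append((ts, account, ip, number))
        # A hit from an IP that is not yet blocked means the account is
        # being used from a second host: that IP is a new block candidate.
        if ip not in blocked_ips:
            new_ips[ip].add(account)
    return alerts, dict(new_ips)

if __name__ == "__main__":
    alerts, new_ips = find_triggers(SAMPLE_CDRS, KNOWN_BAD_NUMBERS, BLOCKED_IPS)
    for ts, account, ip, number in alerts:
        print(f"ALERT {ts}: {account} dialed {number} from {ip}")
    for ip, accounts in sorted(new_ips.items()):
        print(f"BLOCK CANDIDATE {ip} (accounts: {', '.join(sorted(accounts))})")
```

The number is normalized before matching so that the same destination dialed with a country code or punctuation still fires the trigger.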

