Nortel Voice Security

Low Hanging Fruit
By Stephan Varty, Mar 18, 2009, 03:40 PM EDT


After reading the recent news article "Fugitive hacker indicted for running VoIP scam", I re-read the following older article, which includes additional details about the methods used: "Interview With A Convicted Hacker: Robert Moore Tells How He Broke Into Routers And Stole VoIP Services". The events in question took place some time ago (2006); however, I believe that the methods the hackers used are still just as likely to succeed. In this post I'll discuss the vulnerabilities mentioned in the article and suggest some controls that would help to mitigate them.


The most common vulnerability the hackers exploited was the use of default passwords. I have recently heard several anecdotes indicating that this continues to be far too common an opportunity. Manufacturer default usernames and passwords are easy to find on the Internet. Default passwords may remain in place for a variety of reasons: the defaults being used intentionally, missed installation steps, hidden or unused default user accounts, and software failures. Some controls that would help remedy this problem include a regular password change process, a good password policy with complexity and age requirements, regular audits, and multi-factor authentication. I like the suggestion made in the interview article itself: "Products should be sold so the default password has to be changed first time they use it". That would eliminate this problem entirely.


The devices that were exploited may have been directly manageable from the Internet. The hacker is quoted as saying: "We came across only two or three boxes that actually had access lists in place". In many cases devices are not intended to be deployed with their administrative interfaces on subnets with uncontrolled access. Remote administrative access could be managed by implementing defense-in-depth controls, including access control lists, firewalls, segregated management subnets, and VPNs.


Unpatched, easily exploitable bugs and out-of-date software were also specifically targeted by the hackers. Unfortunately, in complex environments there may be legitimate reasons to run older software loads and to exercise caution when applying software updates. One example is the constraints imposed by interoperability requirements, which can arise when a solution includes products from multiple vendors. Some controls that could help to manage this exposure include network segregation, good patch management policy and procedures, and intrusion prevention systems. It's a good idea to have a verification environment that mimics your real systems so that updates can be tested before they are rolled out for active duty on mission-critical systems. If a software update causes an outage because of a compatibility issue the vendor could not have foreseen, the impact is every bit as serious as a denial of service attack.


When there were no default passwords or easily exploitable bugs, the hackers used dictionary and brute-force attacks to get in. Controls to defend against these attacks include a good password policy with password complexity requirements, a maximum number of invalid login attempts, and a lockout interval. Regular configuration and logfile audits, limiting access to login interfaces, and multi-factor authentication are additional controls that can help defend against these attacks.


One vulnerability the hacker specifically mentioned in the article was the lack of monitoring or logging on the targets. Given that there appears to have been a significant amount of scanning for systems to target, as well as brute-force password attacks, I would expect evidence of this activity to have appeared in various logfiles. Controls such as enabling audit logging, security information and event management (SIEM) systems, IDS/IPS alarms, traffic volume analysis, and logfile review policies and procedures can help detect attacks and identify devices that have already been compromised.
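As an added example (not from the original post), the following Python script applies the two detection ideas from the last two paragraphs, a run of password guesses from one source and a login that succeeds right after such a run, to constructed device authentication log lines. The log format, the host name and the addresses are assumptions; real PBX and router syslog formats differ.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, generic auth log format; real PBX/router syslog formats differ.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) auth: "
    r"(?P<result>FAILED|SUCCESS) login user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: a guessing run that ends in a successful login, plus one
# ordinary mistyped password from a legitimate user 25 minutes before logging in.
SAMPLE_LOG = """\
2009-03-18 14:00:01 pbx1 auth: FAILED login user=admin src=203.0.113.9
2009-03-18 14:00:02 pbx1 auth: FAILED login user=admin src=203.0.113.9
2009-03-18 14:00:03 pbx1 auth: FAILED login user=admin src=203.0.113.9
2009-03-18 14:00:04 pbx1 auth: FAILED login user=admin src=203.0.113.9
2009-03-18 14:00:05 pbx1 auth: FAILED login user=admin src=203.0.113.9
2009-03-18 14:00:09 pbx1 auth: SUCCESS login user=admin src=203.0.113.9
2009-03-18 14:05:00 pbx1 auth: FAILED login user=jsmith src=192.0.2.20
2009-03-18 14:30:00 pbx1 auth: SUCCESS login user=jsmith src=192.0.2.20
"""

def parse(log):
    """Yield one dict per line matching LINE_RE; unparseable lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
            yield ev

def detect(log, threshold=5, window=timedelta(minutes=10)):
    """Return (kind, src, user, ts) alerts: 'brute_force' once at least `threshold`
    failures come from one src within `window`; 'success_after_failures' when a
    login succeeds from a src whose failures are still inside the window."""
    failures = defaultdict(list)  # src -> timestamps of failures inside the window
    flagged, alerts = set(), []
    for ev in parse(log):
        recent = [t for t in failures[ev["src"]] if ev["ts"] - t <= window]
        failures[ev["src"]] = recent
        if ev["result"] == "FAILED":
            recent.append(ev["ts"])
            if len(recent) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append(("brute_force", ev["src"], ev["user"], ev["ts"]))
        elif recent:  # success from a source that was just guessing passwords
            alerts.append(("success_after_failures", ev["src"], ev["user"], ev["ts"]))
    return alerts
```

The single failure from 192.0.2.20 falls outside the ten-minute window by the time that user logs in, so it raises nothing; the five failures from 203.0.113.9 followed by a success raise both alert kinds.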


None of the vulnerabilities mentioned here require a high level of technical sophistication to exploit. They are the low hanging fruit. We all need to ensure that basic security measures are not overlooked and that existing security controls are consistently implemented.


Stephan Varty, CISSP

Security Vulnerability Analyst

Nortel


Tags: threats, vulnerabilities, voip-security





Comments:


Some thoughts are remembered forever... I feel the same feeling with the above words....

In the meantime I am not worried too much....

Thanks,

________________________

MINUTETRADERS | Voice Exchange - Buy/Sell Wholesale AZ VoIP Termination Routes



Mar 20, 2009 10:29 AM by alex45

