
In a world of unified networks, phones are easy prey for hackers

Unified communications—bundling all communications channels on a single IP platform—offers the promise of simplified IT management and cost savings, because an enterprise has to maintain and manage a single network rather than separate networks for voice and data. But as voice becomes just another data service, phones are being increasingly exposed to threats from the Internet.

Telephony denial of service attacks, or TDOS, against phone systems have become more frequent in the past two years, and a report from SecureLogix on Voice and Unified Communications predicts that the problem is likely to get worse before it gets better.

“In the future, these attacks will be much more severe,” the company warns. “By simply generating more calls or using more entry points to the UC network, many more calls can be generated, resulting in a very expensive attack or one which degrades the performance of a contact center, rendering access unavailable to legitimate callers.”

It should be noted that, as a provider of TDOS mitigation services, SecureLogix has a horse in this race and might not be 100 percent objective. But it is hard to deny the problem.

Earlier this year the Homeland Security Department alerted government emergency communications centers after a rash of phone DOS attacks flooding public safety answering points in an apparent attempt to extort money. As early as 2010 the FBI warned that TDOS apparently was being used as a diversion for more serious crimes, and last year researchers at Arbor Networks reported hackers advertising TDOS-as-a-service.

What is new, or at least changing, is the growing ease of launching such attacks. Free software is available to automatically generate robocalls, and VOIP-aware botnets can generate massive numbers of calls from many locations, making the distributed attacks harder to spot.

“On the origination side, the public voice network looks more like the Internet every day from a call generation point of view,” the report says, making it easy for an attacker to generate floods of calls. “This change is accelerating and is out of the control of the enterprise.”

On the receiving side, once an enterprise has integrated its voice systems into its data network, phones become one more entry point for attackers. And even if phones are not plugged into the data network, phone DOS attacks can tie up customer services, cut off phone service, and leave the agency vulnerable to fraud and blackmail.

There is little an agency can do to keep attackers from launching attacks. But as a potential target, phone DOS is one more problem to keep in mind. If your voice system is integrated into your data network, remember that VOIP needs to be managed like all other services. And if it is not in your data network, bear in mind that your phone system still is a critical communications link that should be monitored like other links. Pay attention to volume and capacity and be aware of unusual patterns that degrade your quality of service or even shut it down completely: a sudden jump in call attempts, many more distinct calling numbers than usual, or floods of very short calls are the signatures to watch for. Ensure that your analysts, service providers and security providers are ready to identify and track these activities and have the ability in place to block malicious traffic.
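The monitoring the post calls for can be reduced to a small check over call detail records. The following is an added example written for this page, not code from the original post or from SecureLogix. It assumes a hypothetical one-call-per-line CDR format (`epoch_seconds,calling_number,called_number,duration_seconds`) and a flat per-minute baseline; the sample records are constructed, with ten quiet minutes, one minute holding a 60-call flood of two-second calls from 60 different numbers, and two quiet minutes after it.

```python
"""Flag telephony denial-of-service (TDoS) call floods in call detail records (CDRs).

Added example; not code from the original post or from SecureLogix. It assumes a
hypothetical one-call-per-line CDR format:
    <epoch_seconds>,<calling_number>,<called_number>,<duration_seconds>
and a flat per-minute baseline; a production detector would use a time-of-day baseline.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Iterable, List

SHORT_CALL_S = 5   # calls this short are typical of robocall floods
WINDOW_S = 60      # bucket size in seconds


@dataclass
class Window:
    start: int             # epoch second the window begins
    calls: int             # total calls that started in the window
    distinct_callers: int  # unique calling numbers (high => distributed or spoofed origin)
    short_calls: int       # calls shorter than SHORT_CALL_S


def parse_cdr(lines: Iterable[str]) -> List[tuple]:
    """Parse the hypothetical CDR format; blank lines and '#' comments are skipped."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, caller, callee, dur = line.split(",")
        records.append((int(ts), caller, callee, int(dur)))
    return records


def bucket(records, window_s: int = WINDOW_S) -> List[Window]:
    """Group calls into fixed windows and summarise each one."""
    groups = defaultdict(list)
    for ts, caller, _callee, dur in records:
        groups[ts - ts % window_s].append((caller, dur))
    return [
        Window(start, len(v), len({c for c, _ in v}),
               sum(1 for _, d in v if d < SHORT_CALL_S))
        for start, v in sorted(groups.items())
    ]


def flag_floods(windows: List[Window], factor: float = 5.0, min_calls: int = 20) -> List[Window]:
    """Return windows whose call count exceeds both an absolute floor and `factor` times
    the median window. The median is used because a flood would drag a mean baseline up."""
    if not windows:
        return []
    baseline = median(w.calls for w in windows)
    threshold = max(min_calls, factor * baseline)
    return [w for w in windows if w.calls > threshold]


def constructed_cdr() -> List[str]:
    """Constructed sample: 10 quiet minutes, one 60-call flood from 60 numbers, 2 quiet minutes."""
    t0 = 1367830800  # aligned to a minute boundary
    lines = ["# ts,caller,callee,duration"]
    for minute in list(range(10)) + [11, 12]:
        for k in range(3):
            lines.append(f"{t0 + minute * 60 + k * 17},+1202555{1000 + k},+18005550100,{45 + k}")
    for k in range(60):  # one two-second call per second, each from a different number
        lines.append(f"{t0 + 600 + k},+1999555{k:04d},+18005550100,2")
    return lines


def detect(lines: Iterable[str]) -> List[Window]:
    return flag_floods(bucket(parse_cdr(lines)))


if __name__ == "__main__":
    for w in detect(constructed_cdr()):
        print(f"TDoS suspected at {w.start}: {w.calls} calls, "
              f"{w.distinct_callers} distinct callers, {w.short_calls} under {SHORT_CALL_S}s")
```

The distinct-caller and short-call counts are reported alongside the volume because they separate a distributed robocall flood from a legitimate surge (a genuine event drives many calls from a normal mix of numbers with normal durations). A real deployment would compare each window against the same minute on previous days rather than against a single median.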

Posted by William Jackson on May 06, 2013 at 9:39 AM


How hackers can turn the Internet of Things into a weapon

We are living in a world of increasingly smart devices. Not really intelligent; just smart enough to be dangerous.

As more devices become IP-enabled, they contribute to the pool of things that can be recruited into botnets or other platforms used for distributed attacks. Distributing an attack makes it harder to trace the source and easier to overwhelm a target. In the past year, distributed denial of service has become the attack of choice for activists and blackmailers.

Prolexic, a DDOS security company, has published a white paper on Distributed Reflection Denial of Service (DrDOS) attacks that focuses on a handful of protocols, including the Simple Network Management Protocol. SNMP is an application layer (Layer 7) protocol commonly used to manage devices with IP addresses.

“Unlike other DDOS and DrDOS attacks, SNMP attacks allow malicious actors to hijack unsecured network devices — such as routers, printers, cameras, sensors and other devices — and use them as bots to attack third parties,” the report points out.

This is a concern not only because it increases the number of devices that can be compromised, but also because remote devices such as printers and sensors of every kind are less likely to be properly managed and secured, leaving them open to exploit.

For public-sector agencies, this can include such devices as sensors used in weather observations, control valves at power plants, door locks in prisons, traffic signals and any number of other connected devices. A search engine such as Shodan can reveal those connected devices, many of which are completely without security.

SNMP runs over the User Datagram Protocol, which is connectionless: there is no handshake, so a device cannot tell whether the source address on a request is genuine, and an attacker can forge it. A reflection DOS attack using SNMP is also an amplification attack, because a small SNMP request produces a response that typically is at least three times larger. Boiled down to its basics, an attacker scans a range of IP addresses for hosts that answer SNMP queries from the Internet, then sends those hosts requests bearing the spoofed source address of the target server. The hosts’ replies, not the attacker’s own traffic, saturate the target’s bandwidth and make it unavailable.

“The raw response size of the traffic is amplified significantly,” the report says. “This makes the SNMP reflection attack vector a powerful force.”

The best way to protect your devices from being shanghaied into such an attack is to identify everything accessible on your network, whether or not it appears sensitive, and manage it properly: disable SNMP on devices that do not need it, replace default community strings, and restrict which addresses may reach UDP port 161 so that queries from the Internet are not answered at all. Prolexic offers a fuller list of mitigations in its paper.
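The mechanism described above leaves a distinctive pattern in flow records on both ends: the target sees SNMP responses arriving from many unrelated devices, and the network hosting the devices sees one “source” (the spoofed target address) querying many of its hosts on UDP port 161 and getting back far more bytes than it sent. The following is an added example written for this page, not code from the original post or from Prolexic’s paper. It assumes a hypothetical CSV flow-record format (`src_ip,src_port,dst_ip,dst_port,proto,packets,bytes`, one unidirectional flow per line); the sample flows are constructed with RFC 5737 documentation addresses and include a legitimate management-station poll so the check can be seen not to flag it.

```python
"""Identify SNMP reflection/amplification traffic in flow records, from either side.

Added example; not code from the original post or from Prolexic's paper. It assumes a
hypothetical CSV flow-record format (one unidirectional flow per line):
    <src_ip>,<src_port>,<dst_ip>,<dst_port>,<proto>,<packets>,<bytes>
Victim side: many distinct hosts sending from UDP/161 to one destination.
Reflector side: one (spoofed) source querying many local devices on UDP/161, with
responses far larger than the requests; the byte ratio is the amplification factor.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

SNMP_PORT = 161


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    octets: int


def parse_flows(lines: Iterable[str]) -> List[Flow]:
    """Parse the hypothetical flow format; blank lines and '#' comments are skipped."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        s_ip, s_port, d_ip, d_port, proto, pkts, nbytes = line.split(",")
        flows.append(Flow(s_ip, int(s_port), d_ip, int(d_port), proto.lower(), int(pkts), int(nbytes)))
    return flows


def snmp_reflection_report(flows: List[Flow]) -> Dict[str, dict]:
    """Per apparent victim (the destination of SNMP responses): the distinct reflectors,
    bytes reflected, and the amplification factor when the requests are also visible."""
    report: Dict[str, dict] = defaultdict(lambda: {"reflectors": set(), "resp_bytes": 0, "req_bytes": 0})
    for f in flows:
        if f.proto != "udp":
            continue
        if f.src_port == SNMP_PORT:            # response from a reflector towards the victim
            r = report[f.dst_ip]
            r["reflectors"].add(f.src_ip)
            r["resp_bytes"] += f.octets
        elif f.dst_port == SNMP_PORT:          # request carrying the victim's (spoofed) source address
            report[f.src_ip]["req_bytes"] += f.octets
    for r in report.values():
        r["reflectors"] = sorted(r["reflectors"])
        r["amplification"] = r["resp_bytes"] / r["req_bytes"] if r["req_bytes"] else None
    return dict(report)


def flag_victims(report: Dict[str, dict], min_reflectors: int = 5, min_amplification: float = 3.0) -> List[str]:
    """Victims answered by at least `min_reflectors` devices. When the requests are visible too,
    also require the amplification the page cites (at least 3x), so a management station that
    legitimately polls many devices with small Get requests is not flagged."""
    out = []
    for victim, r in report.items():
        if len(r["reflectors"]) < min_reflectors:
            continue
        if r["amplification"] is not None and r["amplification"] < min_amplification:
            continue
        out.append(victim)
    return sorted(out)


def constructed_flows() -> List[str]:
    """Constructed sample using RFC 5737 documentation address ranges."""
    lines = ["# src_ip,src_port,dst_ip,dst_port,proto,packets,bytes"]
    victim = "198.51.100.7"
    for i in range(1, 7):  # six unmanaged devices answering SNMP from the Internet
        dev = f"203.0.113.{i}"
        lines.append(f"{victim},53211,{dev},161,udp,100,6400")     # 100 x 64-byte requests, spoofed source
        lines.append(f"{dev},161,{victim},53211,udp,100,140000")  # 100 x 1400-byte responses
    lines.append("192.0.2.10,40001,203.0.113.1,161,udp,10,800")    # legitimate NMS poll
    lines.append("203.0.113.1,161,192.0.2.10,40001,udp,10,1500")
    lines.append("192.0.2.10,52000,203.0.113.9,53,udp,2,120")       # unrelated DNS traffic
    return lines


if __name__ == "__main__":
    rep = snmp_reflection_report(parse_flows(constructed_flows()))
    for v in flag_victims(rep):
        r = rep[v]
        print(f"{v}: {len(r['reflectors'])} reflectors, {r['resp_bytes']} bytes reflected, "
              f"amplification {r['amplification']:.1f}x; reflectors: {', '.join(r['reflectors'])}")
```

On the reflector side the list of `reflectors` is the useful output: it is the inventory of devices on your own network that answer SNMP from the Internet and need to be locked down. On the victim side only the responses are visible, so `amplification` is `None` and the check falls back to the number of distinct devices answering; the constructed sample exercises both cases.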

Remote management of and access to otherwise dumb devices can be a great convenience, but the trade-off is that it adds to the list of things that must be managed and secured.

Posted by William Jackson on May 03, 2013 at 9:39 AM

For DARPA, it's all about surprises

Arati Prabhakar, director of the Defense Advanced Research Projects Agency, has an interesting description of DARPA’s mission: Its job is to prevent technological surprises to the U.S. military and to create surprises of its own.

In its 55-year history DARPA occasionally has surprised itself, and the agency now is working to stay ahead of its own technologies. Take the Global Positioning System for example. DOD’s weapons systems depend on GPS today, but everyone else has it as well. Over the last 30 years it has evolved from an exclusive and exotic military tool to a consumer service embedded in millions of smart phones.

“This dependency creates a critical vulnerability for many U.S. munitions systems,” DARPA says. And now the agency is searching for an alternative.

DARPA was created in 1958 in the wake of Russia’s launch of Sputnik, a surprise that the United States did not want repeated. Its job is to keep this country ahead of the game. Coming off a decade of two concurrent wars and rapid technological advances, the agency took some time to assess its role going forward.

At a recent press briefing Prabhakar outlined three trends shaping the new environment DARPA finds itself in:

  1. The threats facing the country have shifted from a monolithic nation-state adversary to a complex of nations, terrorist and criminal organizations and individuals, all with access to advanced cyber technology.
  2. The U.S. military is critically reliant on this technology, which is being produced globally.
  3. Money for national security is likely to be tight for the foreseeable future.

“These three factors create a very challenging environment,” Prabhakar said. And this puts pressure on DARPA to keep producing asymmetric technologies — tools that have an impact far beyond the cost of development.

A case in point is a next-generation positioning system that would supplement, if not replace, GPS. The Micro-Technology for Positioning, Navigation and Timing program aims to produce self-contained chip-based systems that do not depend on GPS signals. A significant step toward this has been produced by DARPA researchers at the University of Michigan who have developed a small timing and inertial measurement unit that integrates many of the needed functions in a device smaller than a penny.

DARPA also is working to get out in front in cyberwarfare. The ominously named Plan X is an effort to move offensive cyberwar capabilities beyond the current generation of handcrafted weapons (nobody mentioned Stuxnet during the briefing) and fully integrate them into the portfolio of tactical options on the battlefield.

“I think that will be extraordinarily powerful,” Prabhakar said.

Ironically, such offensive weapons, whether launched by or against the United States, will use the Internet, another technology developed by DARPA. Once again, the agency is racing to keep ahead of itself.

Posted by William Jackson on Apr 25, 2013 at 9:39 AM


Cyber attacks shift from agencies to IT suppliers

Attacks against government systems dropped sharply in 2012 compared with the year before, according to the latest Internet Security Threat Report from Symantec, but that does not mean that the pressure is off. Attackers are just changing their tactics by targeting upstream companies in the government supply chain.

“There has been a marked shift” in targeting, said Paul Wood, Symantec’s cybersecurity intelligence manager. Attackers seem to be shifting their sights to the manufacturing sector, and often to smaller companies that offer softer targets, he said.

The most recent report analyzes attack data gathered during the 2012 calendar year from Symantec’s Global Intelligence Network and its cloud-based Web and e-mail security services.

The shift is evident in the lists of most commonly targeted sectors for the last two years. In 2011 government was the most-targeted sector, with 25 percent of identified attacks. In 2012 it moved to fourth place, with just 12 percent. In the same period, the manufacturing sector went from third place to the top of the list, accounting for 24 percent of attacks last year.

But “manufacturing” is a broad classification and the figures become more interesting when you break them down. “The vast majority seem to be in the defense realm,” Wood said. Six of the 10 most frequently targeted companies are defense industry contractors.

In an increasingly global, off-the-shelf IT environment, supply chain security has become a major concern for agencies and steps are being taken to identify trusted suppliers. In addition to the risk of counterfeit or compromised products and components, vendors and private-sector partners also can be back doors into well-defended government systems. Homeland Security and the Defense Department address this issue in the Defense Industrial Base program to streamline the sharing of intelligence with supply chain partners.

But protecting every link of a chain that handles sensitive information can be difficult. The percentage of small to medium-sized businesses being targeted has increased sharply in the last year, from 18 percent in 2011 to 31 percent in 2012.

“When you look at the supply chain, the small business is perhaps the weakest link,” Wood said. A small upstream partner could provide the access and information an attacker could use to successfully social engineer an attack against a larger partner.

It is difficult, if not impossible, to identify the source of many attacks, and because those being analyzed were the ones that were identified and blocked, it is hard to say for sure what the attackers would have done had they been successful. But the shift shows that the attackers are motivated, disciplined and persistent. The worst kind of attacker.

Posted by William Jackson on Apr 17, 2013 at 9:39 AM