Date: Mon, 2 Apr 2007 09:42:18 -0600
From: "Shawn Merdinger" <shawnmer@...il.com>
To: "J. Oquendo" <sil@...iltrated.net>
Cc: full-disclosure@...ts.grok.org.uk, Voipsec <Voipsec@...psa.org>
Subject: Re: Cisco IP Phone vulnerability

On 3/31/07, J. Oquendo <sil@...iltrated.net> wrote:
> -----BEGIN LSD SIGNED MESSAGE-----
>
> Infiltrated.net Security Advisory:
> Cisco IP Phone Denial of Service
> http://www.infiltrated.net/ciscoIPPhone7960.html
> Revision 6.9

Hi,

If I may suggest, there could be other "root causes" here.  This
report below is quite a read, both content and length, and is most
certainly no joke.

Though (in the waning spirit of April fool's day) I suppose a little
fun can be had...for instance, the rationale for why
maddox.xmission.com is not an acceptable home page for emergency
relief worker laptops still eludes me.  After all, it's "The Best Page
in the Universe" is it not?  Or, perhaps you've pondered what is the
most "politically correct" manner for expeditiously dispatching
crystal meth addicts coming down from their high in scenic
Pearlington, Mississippi after hurricane Katrina?

Read on intrepid souls...

http://www.nps.navy.mil/DisasterRelief/docs/NPS-Katrina_AAR_LL.pdf

HASTILY FORMED NETWORKS FOR COMPLEX HUMANITARIAN DISASTERS AFTER
ACTION REPORT AND LESSONS LEARNED FROM THE NAVAL POSTGRADUATE SCHOOL'S
RESPONSE TO HURRICANE KATRINA 1 - 30 September 2005

Authors
Brian Steckler (NPS Faculty)
Bryan L. Bradford, Maj, USAF (NPS Student)
Steve Urrea, Capt, USMC (NPS Student)


<begin opinionated drivel>

Typical Question:  "Should we worry about VoIP phone security posture
and resistance to real-world attack?"

Typical Answer:  "VLANs.  VoIP phones way inside the perimeter and
untouchable.  Nothing to see here.  Move along.  Last call.  Thanks
for stopping by."

Perhaps not...

Unfortunately, somehow essential security concepts, for example,
"attackers will target your weakest points" and "attacker physical
access can very well equal game over" seem largely absent from the
dialog when it comes to the security posture of many VoIP phones
(wifi, desktop, dual-mode).  The evident issues thus far, from basic
stability to über-l4m3 low-hanging fruit, are the proverbial canaries
in the coal mine; a love-tap compared to the beating looming on the
horizon unless lots more folks with skin in this game get "eyes on
target" to past, present and emerging
risks/threats/vectors/mitigation/security QA, etc.

Clearly the gloves are coming off, and it's not a stretch to imagine
something, oh say, as obscure as the forthcoming Apple iPhone (or
several) up for "PWN to OWN" right next to the Mac laptops (and who
knows what else) at some security conference soon, perhaps this summer
in that quaint and charming little desert town?  Hrm, if Apple wanted
to "reach out to the security community" I suppose DR might consider
penciling in some time at CanSecWest for an iPhone lovefest [1].

After all, didn't Window Snyder recently mention something about who
in the game these days seems to 0wn the little things that mean so
much, like "power" and "control" and "time" [2] -- maybe the "lumps
now better than lumps later" approach is a feasible tactic and <gasp>
makes good business sense?

Eh, what do I know?  Were I really smart I would've learned how to
play golf and gone into marketing.  Nevertheless, as with any gear, be
it a hillbilly-armor Humvee or VxWorks Mars Lander, time will tell if
VoIP phones, and recent/upcoming emergency communication offerings are
up to the challenge and can truly "cut the fog" of chaos when the sh*t
hits the fan.  I really hope that when the rubber tires on all those
fancy Jack Bauer wannabe suburbans [3] hit the road and get to where
they need to go, that the packets also hit the wire the way they
should, and the right people get the right information at the right
time so they can make the right decisions...you know, like it happens
on 24.

So as we chuckle away yet another April Fool's Day, with many of us
sitting in comfy homes with full bellies, waiting for our $700
Playstation 3 to catch fire and burn the house down (just wait until
they start getting dusty - "dude, is that smoke?"), I humbly suggest
that we try to understand the true costs and implications of
security/quality issues affecting VoIP phones, and of course all the
other pieces of this shifting, opaque puzzle of madness and amusement.

Requisite bottom line:

VoIP phones have emerged as a critical tool that's going into people's
hands in demanding situations when communication matters most and
circumstances are the least forgiving.  There must be clear, tangible,
and enforceable obligations in conjunction with truly independent and
on-going security evaluation to ensure mission-critical VoIP phones
are resistant to real-world attacks.  Failure to take decisive action
may very well end up costing more in human misery and property loss
than the proactive investment to ensure reasonably secure posture in
VoIP phones.

<end opinionated drivel>

Btw, thanks for sharing the new VoIP security tools at your site
<www.infiltrated.net>, and we'll get them added asap to the VOIPSA
VoIP Security Tool List <http://www.voipsa.org/Resources/tools.php>
:-)

Kind regards,
--scm

Shawn Merdinger
Independent Security Researcher
voipninja.com

Notes:

[1] <shameless plug> Voipninja.com is accepting sponsorship of
Voipninja research staff to attend select conferences – potential
ROI/deliverables include trip report, out-brief, and respectable bar
tabs </shameless plug>

[2] http://news.zdnet.com/2100-1009_22-6170219.html

[3] http://cms.firehouse.com/content/article/article.jsp?sectionId=46&id=54007
