Description: Many people who deploy SIP for voice or video don't understand the potential security risks. As a result, there are lots of vulnerable SIP devices connected to the Internet that are easily compromised due to misconfiguration or lack of simple protections. This is fairly common knowledge within the security community, but what most don't realize is that you can do more than just make free phone calls - like get rich quick! In this talk I'll discuss...
How SIP compromises occur and who the primary actors are:
How did we get here? Why so many vulnerable devices?
Common discovery and attack methodologies & the weaknesses exploited
The most common attack tools used, backed up by real world data
Where most attackers are coming from, again with real data
After a system has been compromised: Top ways to make money - how and why they actually work:
International Revenue Sharing Fraud - calling a high cost destination and splitting the profits
Toll Bypass - using a PBX local trunk to bypass high per minute rates
Domestic Traffic Pumping - driving traffic to a rural telco to increase payment from inter-exchange carrier
Extortion using a Telephony Denial of Service attack - a quickly rising trend where phone lines are tied up if demands are not met
Time permitting, other top fraud that doesn't require a PBX - Wangiri & SMS spam - missed call or text message to a mobile, return call to a high cost destination with profit splitting
Patrick is in charge of product security for the communications business unit of a Fortune 100 company. His twenty years of experience have mostly been within telecom manufacturers, but he's also worked in banking and defense. When not working, you can find him brewing beer, picking locks, or practicing Kung Fu.
For more information, please visit: http://carolinacon.org