On Fri, 21 Feb 2014, D'Arcy J.M. Cain wrote:
> > Second field, one can set up a triggering mechanism.
> > (Pseudo code)
> >
> > if [ number == 2125551212 ]
> > then
> > do something (send_email || generate_phonecall
> > done
> > fi
>
> Not sure what you mean here. If the IP is already blocked then what
> are we checking?
Blocking an IP will ONLY block the attacker from doing malice
from that host. If by chance someone made it onto one of your
machines, you could set a trigger that says: Hey, if you see
an account trying to dial this KNOWN_TO_BE_BAD number that is
listed, send me an e-mail, or look up what OTHER IP is now
trying to call that number and block them too.
> Not sure about this. What if I want to weight the reports based on who
> submitted them. There may be members that I completely trust and would
> block based on their report. For others I may want to see multiple
> reports before I block.
I don't disagree; however, I am drawing on my malware analysis and
DFIR experience here. The reason (IMHO) companies still get
compromised six ways from Sunday is that many don't share data, for
various reasons: 1) they don't want the public/others to know
"they've been had," 2) data submitted may be relevant to an
ongoing law-enforcement-related investigation, 3) good old
fashioned chest thumping.
Chest thumping. I have seen many companies take the approach
that attacker data is some holy grail. "We were the first and
only to see this!" All the while others could have been given
a green light on an attack source.
> What about non-free email? It seems to me that a tighter vetting
> process is needed. I wouldn't accept any email that was not attached
> to an actual VoIP provider. I realize that that takes more work though.
There are VoIP providers, ITSPs, Carriers, but you're leaving
out the small businesses and smaller, non-carrier-like shops
who can also disclose attack sources.
> I am not totally opposed to the idea. Not sure how useful it might
> be. What sort of attacks are you thinking about? I already block IPs
> based on failures to register and no one can dial without being
> registered. It's all automatic.
I am thinking the whole gamut of attacks. Registrations,
actual calls, anything related to VoIP. Web based exploit
of a PBX. Anything that is relevant to IP PBX telephony
systems.
--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM
"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama
42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF
Because none of us want to deal with fraud, and many of us
have fought it, are fighting it, and eventually (like it or
not) will come across it. I am proposing starting up a NON
PUBLIC, TRUSTED mailing list. The purpose of the list would
be to share information on attacks, numbers dialed, and so
forth. The reasoning for it not being public would be
obvious: avoid letting a threat actor know they have been
flagged.
The theory behind this list would be to aggregate KNOWN
fraudulent destinations for the purposes of creating some
form of blacklist, or triggering mechanism. For example,
suppose I had a break in, where calls went to 2125551212.
On the list I would send an email stating:
x.x.x.x (IP) | 2125551212 | DATE | CHECKSUM
First field is obvious, you'd want to block this address.
Second field, one can set up a triggering mechanism.
(Pseudo code)
if [ "$number" = 2125551212 ]
then
    send_email || generate_phonecall   # do something
fi
The date is for historical purposes, and the checksum
would be a variable of which system saw what. For those
who have seen my VABL list (http://www.infiltrated.net/vabl.txt),
it would look EXACTLY like that. So for anyone who'd
care to share without disclosing WHO shared the
information, there would be a mechanism to hide your
identity (company info, etc.).
The other reason for it being a NON public list would be a
matter of trust, in the sense that I would NOT allow any
freemail (Gmail, Hotmail, etc.) to be used, in order to
minimize any false positives. The last thing I would want
is for someone to maliciously submit data against a
competitor. (make sense?)
I am willing to start and maintain such a list; however, I'd
need to know whether or not a) others are willing to share
attack data (which will be sanitized) and b) other businesses
and peers would find the data useful.
--
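As an added illustration (not code from the thread or from the VABL list), the snippet below parses records in the proposed "IP | number | DATE | CHECKSUM" format, applies the per-submitter weighting D'Arcy asked about before an IP is blocked, and runs the dialed-number trigger over a few constructed call records. The submitter trust weights, the block threshold, the CDR line format ("source_ip,dialed_number") and the sample data are all assumptions made for the example.

```python
"""Added example: weighted blocklist and dialed-number trigger for the
proposed 'IP | number | DATE | CHECKSUM' feed. Sample data is constructed."""
from collections import defaultdict

# Constructed feed in the proposed format; CHECKSUM is taken to be the
# anonymised submitter identifier (assumption).
FEED = """\
198.51.100.7 | 2125551212 | 2014-02-20 | a1b2c3
203.0.113.9  | 2125551212 | 2014-02-21 | d4e5f6
203.0.113.9  | 2125559999 | 2014-02-21 | d4e5f6
garbage line without fields
"""

# Assumed trust weight per submitter; unknown submitters count for 0.5.
TRUST = {"a1b2c3": 1.0, "d4e5f6": 0.5}
BLOCK_THRESHOLD = 1.0   # fully trusted submitter alone is enough to block

def parse_feed(text):
    """Return well-formed records; malformed lines are skipped, not acted on."""
    records = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 4 or not parts[1].isdigit():
            continue
        records.append({"ip": parts[0], "number": parts[1],
                        "date": parts[2], "submitter": parts[3]})
    return records

def weighted_scores(records):
    """Sum trust per IP and per number, counting each submitter only once."""
    ip_scores, num_scores = defaultdict(float), defaultdict(float)
    seen_ip, seen_num = set(), set()
    for r in records:
        w = TRUST.get(r["submitter"], 0.5)
        if (r["ip"], r["submitter"]) not in seen_ip:
            seen_ip.add((r["ip"], r["submitter"]))
            ip_scores[r["ip"]] += w
        if (r["number"], r["submitter"]) not in seen_num:
            seen_num.add((r["number"], r["submitter"]))
            num_scores[r["number"]] += w
    return ip_scores, num_scores

def ips_to_block(records):
    """IPs whose weighted report score reaches the block threshold."""
    ip_scores, _ = weighted_scores(records)
    return sorted(ip for ip, s in ip_scores.items() if s >= BLOCK_THRESHOLD)

def check_cdr(cdr_lines, records):
    """Trigger on any local call to a listed number; returns (src, number, score)."""
    _, num_scores = weighted_scores(records)
    alerts = []
    for line in cdr_lines:
        src_ip, dialed = [p.strip() for p in line.split(",")]
        if dialed in num_scores:
            alerts.append((src_ip, dialed, num_scores[dialed]))
    return alerts
```

With the constructed feed, the half-trusted submitter's report of 203.0.113.9 is not enough to block on its own, while a call to 2125551212 from any local host fires the trigger.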
Hi, folks,
Can toll-free numbers have CNAM registrations? We're hoping to have it say something other than "TOLL-FREE CALLER", but our vendor says that toll-free CNAMs can't change.
thanks,
Graham Freeman
gfreeman at sungevity.com