Chapter 6: Spoofing

Spoofing is the act of making something appear as something else to the target application or end user. Users and applications decide what action to take based on information presented to them. If the information presented can fool users or applications, they might take action in a way they might not normally act. This is particularly interesting when it comes to security decisions. In this chapter, you'll learn how to find issues that fool programs into trusting incorrect information and how attackers can present information to a user through a program's user interface (UI) in a deceptive and misleading way (known as UI spoofing).

Grasping the Importance of Spoofing Issues

A common mistake that jeopardizes security is to trust something (a piece of data, an address, a dialog box) that can be controlled by an attacker. Spoofing bugs take advantage of opportunities when a program or an end user can be fooled into making a decision beneficial to the attacker based on information that has been tampered with or supplied by the attacker. In some situations, spoofing bugs can be used to bypass security mechanisms and compromise an application. Caller ID is a good example of a serious spoofing problem.

Caller ID Spoofing

Caller ID is a feature available on phone lines in many countries that displays the phone number of the originating call. Average users of this feature believe the number displayed by Caller ID is accurate, and call recipients often base their decision of whether to answer the call on this information, for example, accepting calls from recognized phone numbers and declining to answer calls from unknown numbers.

However, Caller ID information can be spoofed. The capability of spoofing Caller ID information previously was limited to the people who controlled a public branch exchange (PBX), a method of access that wasn't available to most people. Today, there are easier ways to spoof Caller ID information by using Voice over IP. (Services have been set up to allow users to make calls for only a few cents a minute using spoofed Caller ID information.) Although this issue seems somewhat harmless at first, there are many malicious abuses, such as using it as a social engineering aid and for voice mail compromise.

Spoofing as a Social Engineering Aid

Social engineering is the ability to obtain private information by fooling the target (a person) into believing that the attacker can be trusted with that information. For example, suppose you find a new software vulnerability and contact the software vendor with the details so that it can fix the issue. You decide not to disclose the issue to anyone else until it is fixed. In this scenario, you wouldn't give information about the vulnerability to someone who calls you on the phone and asks for details. However, what would you do if someone calls and claims to work for the vendor? If the caller works for the vendor, you should be able to trust the person with the vulnerability information. What if your Caller ID shows the call originates from the vendor? If you aren't aware of Caller ID spoofing, you might disclose the details of the vulnerability to an attacker, who has spoofed the call and practiced social engineering on you to obtain the private information.

Important  

Kevin Mitnick, one of the most famous social engineers, once was interested in how Motorola cell phones worked so that he could identify vulnerabilities. He was able to use his social engineering skills to call Motorola and convince the persons he spoke with that he was a Motorola research and development employee. As such, he was given the firmware source code. For more information about this, see http://www.pcworld.com/news/article/0,aid,121922,00.asp.

Compromising Voice Mail Using Spoofing

Most cellular phone service plans include voice mail. Users have voice mail passwords that are used to protect their mailbox from unauthorized people listening to their messages and changing their voice mail options. Some cellular phone providers offer a feature that enables users to access their mailbox without entering a password if users call from their cellular phone. The voice mail system must determine from where the call originates to allow the password to be bypassed. Sometimes Caller ID is used for this purpose. If a caller spoofs the Caller ID information, he or she can log on to the voice mail system as someone else without using a password. Because the voice mail system trusts the Caller ID information, there is a security vulnerability.

We were surprised this type of spoofing was so easy to accomplish. We tried it against several voice mailboxes (with owners' permission). We attempted to call the victim's cell phone number and spoofed that the call was originated by the same number. The victim's cell phone doesn't even ring. We were immediately connected to the voice mail system and logged in without a password! This attack doesn't work against all voice mail boxes. Some providers don't use Caller ID information and some users have configured their mailboxes to require the password for access regardless of from where the call originates.
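The trust decision described in this section, modeled as an added example that is not from the book: a voice mail policy that accepts the presented Caller ID as proof of identity, beside one that never does. The `ingress` field (whether the call arrived on the carrier's own network or from outside), the class and function names, and all phone numbers and PINs are assumptions constructed for illustration.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass
class Mailbox:
    number: str
    pin: str                        # constructed value; a real system stores a salted hash
    always_require_pin: bool = False  # the per-user setting the text mentions

@dataclass
class Call:
    presented_cli: str              # Caller ID as presented: the caller can set this
    ingress: str                    # assumption: "on_net" (carrier's own network) or "external"
    pin_entered: Optional[str] = None

def pin_ok(box: Mailbox, call: Call) -> bool:
    return call.pin_entered is not None and hmac.compare_digest(call.pin_entered, box.pin)

def vulnerable_access(box: Mailbox, call: Call) -> bool:
    # Flawed policy: a matching Caller ID alone skips the password.
    return call.presented_cli == box.number or pin_ok(box, call)

def hardened_access(box: Mailbox, call: Call) -> bool:
    # Caller ID alone is never sufficient. The PIN is skipped only when the
    # carrier's own network vouches for the origin and the owner allows it.
    skip_pin = (call.ingress == "on_net"
                and call.presented_cli == box.number
                and not box.always_require_pin)
    return skip_pin or pin_ok(box, call)

def spoof_exposed(box: Mailbox, calls: list) -> list:
    """Indexes of calls the flawed policy admits but the hardened one refuses."""
    return [i for i, c in enumerate(calls)
            if vulnerable_access(box, c) and not hardened_access(box, c)]

# Constructed sample data, not real subscribers.
BOX = Mailbox("5550100", "4821")
CALLS = [
    Call("5550100", "on_net"),            # owner calling from the handset
    Call("5550100", "external"),          # matching Caller ID, arrived from outside
    Call("5550199", "external", "4821"),  # owner on another phone, correct PIN
    Call("5550199", "external", "0000"),  # wrong PIN
]

if __name__ == "__main__":
    for i, c in enumerate(CALLS):
        print(i, c.ingress, vulnerable_access(BOX, c), hardened_access(BOX, c))
    print("exposed by Caller ID trust:", spoof_exposed(BOX, CALLS))
```

The second call is the case that matters when testing: it is the only one whose outcome differs between the two policies, and it carries no secret at all.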



Hunting Security Bugs
ISBN: 073562187X
Year: 2004
Pages: 156
