Internet-Draft out about ICMP attacks against TCP

February 1st, 2010 by Dan York

While this isn’t about VoIP, per se, there’s a new version of an Internet-Draft out, draft-ietf-tcpm-icmp-attacks, about how ICMP can be used to attack TCP. The abstract is:

This document discusses the use of the Internet Control Message Protocol (ICMP) to perform a variety of attacks against the Transmission Control Protocol (TCP). Additionally, it describes a number of widely implemented modifications to TCP’s handling of ICMP error messages that help to mitigate these issues.

The document has been around in the IETF space since 2005, but is now moving further down the path toward being issued as an RFC. Seems to be a solid doc for people wanting to understand ICMP attacks.
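As an added illustration (not part of the original post or of the draft itself), here is one of the TCP-side checks the draft describes for hardening the handling of ICMP errors: accept an ICMP error only if the TCP segment it quotes belongs to a known connection and carries a sequence number that is actually in flight (SND.UNA <= SEQ < SND.NXT), which a blind off-path sender cannot easily guess. The connection, addresses and the message-building helper are constructed for this example; the state variable names follow RFC 793.

```python
import socket
import struct
from collections import namedtuple

# ICMPv4 error types whose body quotes the offending IPv4 header plus 8 bytes of its payload
ICMP_ERROR_TYPES = {3, 4, 11, 12}   # dest unreachable, source quench, time exceeded, parameter problem

# Send-side state of one TCP connection (RFC 793 names): SND.UNA = oldest unacknowledged
# sequence number, SND.NXT = next sequence number to be sent.
TcpConn = namedtuple("TcpConn", "local_addr local_port remote_addr remote_port snd_una snd_nxt")

def seq_in_flight(seq, snd_una, snd_nxt):
    """True if SND.UNA <= seq < SND.NXT, computed modulo 2^32 so wraparound is handled."""
    return ((seq - snd_una) & 0xFFFFFFFF) < ((snd_nxt - snd_una) & 0xFFFFFFFF)

def parse_icmp_error(msg):
    """Return (src, sport, dst, dport, seq) of the TCP segment quoted in an ICMPv4 error, else None."""
    if len(msg) < 8 or msg[0] not in ICMP_ERROR_TYPES:
        return None
    inner = msg[8:]                                  # quoted header of the packet that caused the error
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return None
    ihl = (inner[0] & 0x0F) * 4
    if inner[9] != 6 or len(inner) < ihl + 8:        # protocol must be TCP, with 8 quoted TCP bytes
        return None
    src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    return src, sport, dst, dport, seq

def icmp_error_matches(msg, conn):
    """Accept the error only if it quotes a segment this connection actually has in flight."""
    parsed = parse_icmp_error(msg)
    if parsed is None:
        return False
    src, sport, dst, dport, seq = parsed
    # The quoted packet is one we sent, so its source must be our local endpoint.
    if (src, sport, dst, dport) != (conn.local_addr, conn.local_port, conn.remote_addr, conn.remote_port):
        return False
    return seq_in_flight(seq, conn.snd_una, conn.snd_nxt)

def build_icmp_error(icmp_type, code, src, sport, dst, dport, seq):
    """Constructed test input: ICMP header, quoted IPv4 header, first 8 TCP bytes (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + ip + struct.pack("!HHI", sport, dport, seq)

# Constructed connection: local 192.0.2.10:40000 -> remote 198.51.100.7:80 with 4096 bytes unacknowledged
CONN = TcpConn("192.0.2.10", 40000, "198.51.100.7", 80, snd_una=1_000_000, snd_nxt=1_004_096)
```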


If you found this post interesting or helpful, please consider either subscribing via RSS or following VOIPSA on Twitter.


Cyber War

January 25th, 2010 by mrubino

To most in the security industry these words bring to mind attack and defense of the electronic communications and control of military assets and sensitive government institutions and information. Government vs. government. The US government recognizes this as a developing threat and has undertaken steps to prepare for possible cyber war scenarios. But recent press coverage has been filled with what can be best described as a cyber war between a foreign government and a US commercial business – China and Google. Google’s belief it has the right to do business as it sees fit has come into conflict with a government that does not share this view and apparently has taken action. Most hacking incidents we read about involve criminal activity and easily understood motives – money. Businesses understand this too and are diligent to prevent and minimize this. There are means (at times) to legally redress criminal breaches, minimize and recoup losses – but what of this incident? As large and savvy as Google appears as a business they seem to be on their own against an even larger and capable foreign government and the vast resources it can bring to bear in the electronic arena. A frightening position indeed. Who does Google turn to and for what result? Is this the opening shot of ever increasing and blatant ideological (based on national interests) ‘hacktivism’ by governments as they take action not against governments, but the business and economic assets of countries with differing views?

Do you accept the definition of cyber war presented here? How would you define and what would you call the recent exchange between China and Google? Cyber war to me seems a little extreme and hacktivism a little light.

Google attacked
http://www.npr.org/templates/story/story.php?storyId=122703950

Yahoo and others too?
http://www.bloomberg.com/apps/news?pid=20601204&sid=aRCof4o1aj5Y

Law firm a victim
http://www.securityfocus.com/brief/1062

China’s position
http://www.reuters.com/article/idUSTRE60D0CA20100114

Hacktivism
http://www.sophos.com/blogs/gc/g/2010/01/12/baidu-chinas-largest-search-engine-defaced-iranian-cyber-army/

US Cyber Command
http://www.defense.gov/news/newsarticle.aspx?id=54890

The need for increased security awareness in small to medium business in 2010.

January 8th, 2010 by mrubino

The holidays are over, time to focus on the new year ahead. For some the holidays provide a little more time – as others are busy preparing for the holidays – to research, review and ‘catch up’ on security news and trends from around the industry.

I have always been an advocate for security awareness in the small to medium business (SMB) space. Working in this field I have come to understand the balance between equipment and resource costs and the margins within which SMBs operate to remain viable. Calls for increasing security can appear to negatively impact this balance. Unfortunately the SMB space is becoming an increasingly popular target for internet criminals, as witnessed by these two recent articles.

http://www.krebsonsecurity.com/2010/01/fbi-investigating-theft-of-500000-from-ny-school-district/

http://www.wired.com/threatlevel/2009/12/feds-warn-small-businesses/

Although the targets here were school districts, one can easily see the correlation to the SMB space when thinking of the resources available and the operational processes within an organization. How long would it take for an SMB to notice that a transfer or payment of funds was not proper and then correct it? How much can they afford not to recover? As noted in one article, the red flag was raised by the bank and not the customer! One wonders how many SMBs would receive the same amount of diligence from their banking institutions.

So how does this tie in with VoIP security? Even in these tight economic times, unified communications has continued to increase in deployments, due in part to operational improvements and cost reduction promises. Growth in UC deployment means increased deployments of SIP trunking, and SIP trunking usually means port 5060 is open in your firewall and network. Now we see that this open port can possibly be used as a probe point to other servers and services within the network through the firewall. It’s time for SMBs to think of more than just a firewall and anti-virus (as most SMBs do) as protection enough from threats.

http://www.theregister.co.uk/2010/01/06/web_based_firewall_attack/

We can understand the criminal intent to go for the ‘big score’ (against the big institutions) but these attacks should remind all to never underestimate the lure of easy cash wherever it may be or whatever the amount – never think your business is ‘not large enough’ to be a target. It’s not the size of the prize but the ease of exploitation that makes you a target.

Growth of SIP trunking:
http://www.infonetics.com/newsletters/newsletter-CRS-Enterprise-Voice-SIP-Trunking-Survey-102709.html

Shodan: Computer Search Engine and VoIP Devices

January 7th, 2010 by Shawn Merdinger

Most of us are familiar with the information disclosure risks associated with devices like phones and ATAs on the Internet, and this has been mentioned in presentations like Endler/Collier at BlackHat in 2006. However, the recent emergence of Shodan significantly raises the exposure of these devices, especially embedded systems.

Shodan bills itself as a “Computer Search Engine” and some folks have raised questions about the impact, ethics, etc. So far, Shodan has remained under-the-radar, but I expect we’ll see more coverage and questioning of what value-add this service provides to security efforts.

A few simple searches of Shodan will give the reader more insight into the capabilities of this service. Bear in mind that searches can get much more specific. Also, Shodan is growing, and it’s worth revisiting the site to gain a better perspective on updates.

Example searches:

1. VOIP — http://shodan.surtri.com/?q=voip
2. Nortel — http://shodan.surtri.com/?q=nortel
3. Mitel — http://shodan.surtri.com/?q=mitel
4. .mil — http://shodan.surtri.com/?q=.mil
5. SCADA — http://shodan.surtri.com/?q=scada

Asterisk Security Advisory – RTP Remote Crash Vulnerability

December 4th, 2009 by Dan York

Earlier this week, the security team at Digium released Asterisk Projects Security Advisory AST-2009-010 identifying an interesting attack where an attacker can send a malformed RTP packet within the RTP stream and crash the Asterisk system. The fix identified is to upgrade to the latest version of Asterisk.

My one bit of feedback to the folks at Digium would be that their advisories do not provide any information about mitigating circumstances. (Would be great if they could add such a section.)

In this particular case, I confirmed with Digium that this advisory only affects systems that allow public unauthenticated calls over an IP connection. So Asterisk systems that are only used for PSTN connectivity – or only allow authenticated connections/calls – are not vulnerable to this attack. My Digium contact indicated:

The attacker would have to be capable of negotiating a RTP stream and then sending the Comfort Noise payload within the stream to crash the system.

He also indicated that IAX connections are not affected as they do not use RTP streams. So basically you are only vulnerable to this attack if you allow anyone to connect to your Asterisk box over an IP network presumably using the SIP protocol.

If you aren’t allowing those connections, it’s probably still good to upgrade… but you are apparently not vulnerable to the specific attacks outlined in the advisory.

Blue Box Podcast #86 out, with an update on the show

October 23rd, 2009 by Dan York

After literally a year of being away from the microphone, Jonathan and I posted Blue Box Podcast Episode #86 yesterday. The show is really just an update on what we’ve been doing over the past year, why there haven’t been new shows, what we are thinking about for the future, etc. We had a brief update on the Edwin Pena case and talked about the fact that sadly the VoIP security issues out there really haven’t changed much in the past year.

Jonathan and I have decided that we won’t be returning Blue Box to its original weekly schedule. We’re not sure, honestly, how often we’ll put out new episodes… we will see how schedules and such align. In the meantime, BBP 86 is up there for those who would like an update.

Thanks to all of you who have continued to listen and who also sent notes to us while we were offline wondering how things were going. Thanks.

Fugitive VoIP fraudster Edwin Pena extradited, to be arraigned today in NJ court

October 23rd, 2009 by Dan York

Following up on a story we’ve literally been covering for years, SC Magazine reported last week that VoIP fraudster Edwin Pena was to arrive back in the USA last Friday, October 16. The FBI news release indicates that Pena is to be arraigned today, October 23rd, in New Jersey.

For those not familiar, the story began back in June 2006 with the initial reports that Pena masterminded a scheme to sell phone service and then run that service over other providers’ networks. We covered this at some length back in Blue Box Podcast #31. Then, in September 2006, Pena fled the country and was a fugitive abroad until he was nabbed in Mexico in February 2009.

Meanwhile, his co-conspirator Robert Moore was convicted and sent to jail. I had a chance to interview Robert in conjunction with the Voice Report folks as part of their Telecom Junkies podcast (also linked here) which provided some insight into how the attack took place.

The good news now is that Pena is back in the US, in jail, and to be arraigned sometime today. Good to see this work by the FBI and other agencies.

VoIP on the iPhone and iPod Touch – a security warning

September 28th, 2009 by Ruben Olsen

At first sight, using any VoIP client on the iPhone or the iPod Touch (a.k.a. iDevices) may seem like an uninteresting thing. The reason for this is that Apple does not allow 3rd party applications to run in the background. So when a user closes down his iVoIP client, he will not be able to receive any calls at all, thus defeating the reason for using VoIP on these devices in the first place.

However, if we take a look at some of the VoIP client offerings available, we notice that a few of these clients have the ability to receive incoming calls, even when the software itself is not running.

At first sight this seems to be a Good Thing – however, there are severe security implications in doing this. Users will, in fact, willingly put themselves under a man-in-the-middle attack.

Added RSS Cloud plugin to this site (and what that means)

September 11th, 2009 by Dan York

For those interested in the underlying plumbing of this site, today I added the RSS Cloud plugin for WordPress to this site, which is described in more detail in this post: “RSSCloud for WordPress”.

What does this mean for you as readers?

In the short term, not much.  The only RSS Cloud-enabled reader right now is Dave Winer’s River2.

However, both RSS Cloud and PubSubHubbub are moving us closer to a “realtime” web where you as a reader can “subscribe” to feeds and receive updates as soon as those feeds are updated.  Currently, when you “subscribe” to our RSS feed, you only see updates when your news reader polls the feeds to which you are subscribed.  Given that a good number of feeds may not have changed since the last polling interval this process is also quite a waste of packets.

So the idea is to move from a “polling” paradigm to one of “subscribe/notify”.  Much more will be happening in this space in the time ahead.  In the meantime, if you do use River2 or any of the other readers that may support the RSSCloud tag, you’ll be able to interact with the Voice of VoIPSA blog in that model.
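The polling versus subscribe/notify model described above, as an added example that is not part of the original post or of the RSSCloud plugin: a subscriber reads the feed’s <cloud> element (a standard RSS 2.0 element), builds its registration request, and when a notification arrives it only re-fetches a feed it actually subscribed to, never ingesting pushed content or fetching a URL chosen by the sender. The sample feed, hostnames and the http-post form field names are constructed or assumed for this example (the field names follow the rssCloud walkthrough), not taken from the post.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Constructed sample feed: an RSS 2.0 channel advertising an rssCloud notification server.
SAMPLE_RSS = """<rss version="2.0"><channel>
  <title>Voice of VOIPSA (constructed sample)</title>
  <link>http://blog.example/</link>
  <cloud domain="cloud.example" port="5337" path="/rsscloud/pleaseNotify"
         registerProcedure="" protocol="http-post"/>
</channel></rss>"""

def parse_cloud(rss_xml):
    """Return the <cloud> element's attributes, or None when the feed only supports polling."""
    cloud = ET.fromstring(rss_xml).find("channel/cloud")
    if cloud is None:
        return None
    return {k: cloud.get(k) for k in ("domain", "port", "path", "registerProcedure", "protocol")}

class Subscriber:
    """Subscriber side of subscribe/notify: remembers what it registered for and distrusts the rest."""
    def __init__(self, notify_path="/rsscloud/notify", notify_port="80"):
        self.notify_path, self.notify_port = notify_path, notify_port
        self.subscribed = set()       # feed URLs we asked to be notified about
        self.refetch_queue = []       # feeds to poll once, because a notification said they changed

    def register(self, feed_url, cloud):
        """Build the registration POST (endpoint, form fields) for an http-post cloud; the field
        names are taken from the rssCloud walkthrough and are an assumption of this example."""
        if cloud["protocol"] != "http-post":
            raise ValueError("only http-post clouds are handled in this example")
        endpoint = f'http://{cloud["domain"]}:{cloud["port"]}{cloud["path"]}'
        fields = {"notifyProcedure": "", "port": self.notify_port, "path": self.notify_path,
                  "protocol": "http-post", "url1": feed_url}
        self.subscribed.add(feed_url)
        return endpoint, fields

    def on_notification(self, form_body):
        """Handle a pushed 'feed changed' POST. The body only names a feed URL; the subscriber never
        ingests pushed content and never fetches a URL it did not subscribe to."""
        url = parse_qs(form_body).get("url", [None])[0]
        if url not in self.subscribed:
            return False              # unsolicited or spoofed notification: ignore it
        self.refetch_queue.append(url)
        return True
```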

P.S. Yes, I’m also working to add the PubSubHubbub plugin for WordPress to this blog, but I’ve run into a technical issue I’m trying to debug.

Stoned Bootkit

September 9th, 2009 by Shawn Merdinger

Typically I don’t follow the deluge of Windows rootkits available because the sheer number and variety make diligently understanding all of them more than fairly daunting. After all, given limited resources, one must choose their battles and specialties in the security field.

That said, occasionally a Windows rootkit surfaces that is so mean, nasty and downright cool, that it becomes a must-know. Such is the case with the newest release of Stoned Bootkit. Be sure to go to their site and check it out, along with the paper, but here are a few highlights:

  • Attacks Windows XP, Server 2003, Windows Vista, Windows 7 with one single master boot record
  • Attacks TrueCrypt full volume encryption
  • Has integrated FAT and NTFS drivers
  • Has an integrated structure for plugins and boot applications (for future development)

Understanding the threats that Windows rootkits like this pose to VoIP security, especially on end users, is key.