If you will be in Miami at ITEXPO February 2-4 you are welcome to attend a free “SIP Trunking And Security” session I (Dan York) will be doing as part of Ingate Systems’ SIP Trunking Workshops. The SIP trunking workshops are free to all attendees even if you only register for an exhibit pass.
My session will be 11:15-12:30 on Wednesday, February 3rd, and if you do attend please feel free to come up and introduce yourself (or drop me a note in advance to let me know to look out for you). I’ll be bringing my recording gear, too, and the talk will eventually go out in my Blue Box Podcast feed so you will be able to hear it later.
P.S. If you are attending ITEXPO and your company makes a product or provides a service related to VoIP security, please feel free to let me know and perhaps we can schedule an interview to go out as a Blue Box Special Edition.
Welcome to the 111th United States Congress! On January 7th, the bill that never made it through the Senate in the last Congress has been reintroduced as S. 30, the Truth in Caller ID Act of 2009. It was apparently read twice and referred to the Committee on Commerce, Science, and Transportation. It’s now got two more years to attempt to make it through the Senate and get signed into law… Is anyone else as skeptical as I am that it’ll actually happen? Remember, this bill started as the Truth in Caller ID Act of 2006.
Our friend Craig Bowser recently pointed out that TMC will have a schedule of “Network Security” classes at the upcoming ITEXPO in Miami on February 4th. The three classes are:
Security Threat Mitigation in Enterprise UC Environments
Securing the SIP Trunk
VoIP Security Best Practices
The companies involved are Acme Packet, Sipera and VoIPShield Systems, all of whom we’ve mentioned at various times either on this blog or over on Blue Box. Anyway, if you are heading down to ITEXPO, you may want to check out these sessions.
P.S. And if you ARE heading down to ITEXPO, please do let me know as I’ll be down there, too.
Therefore, as a part of my new year resolution to change this blog into a more generic fuzzing blog, I will start by sharing my experiences on the current state of the fuzzing market. Based on a recent study by Gary McGraw and other well-known security gurus, all major product security teams apparently use fuzzing (my comments on it here). But most (even security specialists) still seem to misunderstand what fuzzing really is about. So, I will focus on that here also. Enter the world of fuzzing!
Ari has a wealth of information on the topic of fuzzing (and has written a book on the subject) and so it will be interesting to see where he takes the blog. We’ll see…
It may sound a bit like a storyline from the West Wing, but there actually is a branch of the government called the National Communications System tasked with ensuring that telecommunications related to “national security” remain intact and ready to use. President Kennedy created NCS in 1963, and its mandate has expanded to include high-priority Internet and mobile phone calls too.
Score one for sanity. Apparently the FBI believed that while eavesdropping on the audio of a conversation required a warrant, capturing any DTMF transmissions sent during the call did not. From the CNet report:
Just about everyone knows that the FBI must obtain a formal wiretap order from a judge to listen in on your phone calls legally. But the U.S. Department of Justice believes that police don’t need one if they want to eavesdrop on what touch tones you press during the call.
Those touch tones can be innocuous (“press 0 for an operator”). Or they can include personal information including bank account numbers, passwords, prescription identification numbers, Social Security numbers, credit card numbers, and so on–all of which most of us would reasonably view as private and confidential.
That brings us to New York state, where federal prosecutors have been arguing that no wiretap order is necessary. They insist that touch tones cannot be “content,” a term of art that triggers legal protections under the Fourth Amendment.
IAX2 provides a different response during authentication when a user does not exist, as compared to when the password is merely wrong. This allows an attacker to scan a host to find specific users on which to concentrate password cracking attempts.
The workaround involves sending back responses that are valid for that particular site. For example, if it were known that a site only uses RSA authentication, then sending back an MD5 authentication request would similarly identify the user as not existing. The opposite is also true. So the solution is always to send back an authentication response that corresponds to a known frequency with which real authentication responses are returned, when the user does not exist. This makes it very difficult for an attacker to guess whether a user exists or not, based upon this particular mechanism.
Digium classifies it as a minor security issue and notes in the advisory that patches are available.
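To make the workaround concrete, here is an added illustration (not Digium's code, and not real IAX2 frame handling) of the two behaviours described above. It uses a constructed user directory and plain dictionaries in place of IAX2 AUTHREQ/REJECT frames: the leaky responder answers an unknown name with a different frame type than a known one, while the hardened responder always returns an authentication request and, for unknown names, draws the advertised method from the same frequency distribution the real accounts exhibit. A small defender-side check shows how to confirm the difference is gone.

```python
import random
import secrets
from collections import Counter

# Constructed example directory: username -> the auth method that peer is
# configured for (IAX2 supports plaintext, MD5 and RSA challenges).
USERS = {"alice": "md5", "bob": "rsa", "carol": "md5", "dave": "md5"}


def vulnerable_authreq(username: str) -> dict:
    """Leaky behaviour: an unknown user gets a REJECT while a known user
    gets an AUTHREQ, so a single probe per name reveals whether the
    account exists."""
    if username not in USERS:
        return {"frame": "REJECT", "cause": "No such user"}
    return {"frame": "AUTHREQ", "methods": USERS[username],
            "challenge": secrets.token_hex(8)}


def method_weights() -> dict:
    """Relative frequency of each auth method among the real accounts;
    this is the 'known frequency' the advisory says to mimic."""
    counts = Counter(USERS.values())
    total = sum(counts.values())
    return {method: count / total for method, count in counts.items()}


def hardened_authreq(username: str, rng=random) -> dict:
    """Always answer with an AUTHREQ. For unknown users the method is
    drawn to match the distribution seen for real users, so the reply
    carries no information about whether the account exists."""
    if username in USERS:
        method = USERS[username]
    else:
        weights = method_weights()
        method = rng.choices(list(weights), weights=list(weights.values()))[0]
    return {"frame": "AUTHREQ", "methods": method,
            "challenge": secrets.token_hex(8)}


def leaks_existence(responder, known="alice", unknown="zzz-nouser") -> bool:
    """Defender-side check: does probing one real and one bogus name
    produce different frame types?"""
    return responder(known)["frame"] != responder(unknown)["frame"]


def unknown_user_method_frequency(n: int, seed: int) -> dict:
    """Sample the hardened responder n times with bogus names and report
    how often each method was advertised (seeded for reproducibility)."""
    rng = random.Random(seed)
    counts = Counter(
        hardened_authreq("nobody-%d" % i, rng)["methods"] for i in range(n)
    )
    return {method: count / n for method, count in counts.items()}
```

Note that masking the first round is only half the job: the reply to the hashed or signed response that follows must also be indistinguishable (same frame, same cause string, comparable timing) for a bogus account and for a wrong password, otherwise the distinction simply moves one message later.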
To get more information from the knowledgeable public, W3C is holding a workshop to “identify and prioritize directions for SIV standards work as a means of making SIV more useful in current and emerging markets. ” The workshop will be held in early March at SRI in Menlo Park, California.
Although the paper submission deadline has passed, if you were unaware of this workshop and are dying to attend, please email firstname.lastname@example.org as described in the Call for Participation.
More information can also be found on the W3C Biometrics Workshop site. Sounds like an interesting conference to attend… (Dan Burnett will be there, but I will not).