Monthly Archives: December 2010

Webinar Tomorrow: Securing Next Generation IP Communications Systems

Tomorrow (Friday, December 17, 2010) I will be participating in a webinar entitled “Deployment of Next Generation IP Security” for the International Legal Technology Association (ILTA), an industry organization looking to “maximize the value of technology in support of the legal profession”. It should be fun, and I’m expecting that the questions I’ll receive may be a bit different from those in a webinar for security professionals or enterprise IT staff.

The abstract is as follows:

Deployment of next generation IP-PBXs and Session Initiation Protocol (SIP) are the new standard. AT&T has gone on record stating POTS is dead. So are these new technologies safe? How can you ensure a safe and secure environment? Recently in one such sophisticated attack the attacker hacked into the SIP provider and bounced off the IP-PBX, which re-directed the calls to a Michigan number, which then re-directed the calls to international countries of known terrorist activity, thus racking up over $12,000 in toll-fraud charges. Could this happen to you? This Webinar will look into the following:

  • How to properly choose a SIP provider
  • Voice encryption with emphasis on soft phone deployment on laptops, wireless and Wi-Fi devices.
  • User Authentication via third party certification (Today anyone can download an app or purchase a calling-card which allows them to display any Caller ID Number)
  • Remote User and Voice RTP Stream protection (This is a known VOIP Vulnerability)

Securing your IP-PBX can be simple once you understand the issues. It is then up to you as to what level of protection you wish to deploy.

If you are interested in offering a similar webinar to your organization, be it a company, nonprofit or industry group, please feel free to drop me a note, as I’m always open to participating in such sessions (and have done so many times in the past).

And if you are an ILTA member, I look forward to answering your questions tomorrow!




Data Loss Prevention: 10 Technical Questions To Make Your Vendor Squirm

“There’s a war out there, old friend. A world war. And it’s not about who’s got the most bullets. It’s about who controls the information. What we see and hear, how we work, what we think… it’s all about the information” — Cosmo, Sneakers (1992)

The headline news of Wikileaks has drawn considerable attention to the huge, intractable problems of digitized data and how much a single individual can damage an organization, business or nation-state. But these issues are not just with Wikileaks, as the recent breach of gaming leader Blizzard resulted in disclosure of business plans and product roadmaps.

(Image: leaked Blizzard product roadmap)

With this focus on DLP, some insightful commentary is out there. In particular, Gary Warner, in his Wikileaks: Lessons Learned blog post, discusses the subtleties of data classification versus data categorization and outlines a pragmatic approach to detection, such as monitoring frequency of access across those defined planes. It is well worth the read. Another good, short post is from Neil MacDonald at Gartner, who advocates redefining “Data Loss Prevention” as a subset of “Data Lifecycle Protection” — a really good point.

These are going to be heady times for DLP (Data Loss Prevention) vendors, and we can expect to see DLP solutions become as popular as the late 90’s and early 2000’s security mantra of “we have to install antivirus and firewalls.” Many organizations are seeking and will continue to seek technical solutions to gain control over data exfiltration. As expected, many DLP vendors are offering “the perfect solution” that promises to fix your problems.

In my view, however, vendors are either unaware or willfully ignorant of the many technical means of exfiltrating data over the network surreptitiously. Put simply, their products and solutions can’t begin to address those threats.

To provide folks with some ammo to use for Q&A with DLP vendors, I’ve come up with the following 10 questions. The first few are easy, and the DLP vendor probably has some type of coverage. However, as the questions progress, you can expect to start seeing blank stares, and hearing the hemming-hawing and mentioning of “it’s on the product roadmap — just wait one more quarter” and “we’ll check with our engineers and get back to you” — always my favorite vendor answers 😉

1. How does it inspect SSL traffic?

This is a softball question; the likely answer is some kind of man-in-the-middle decryption scheme, possibly relying on another vendor’s hardware, and it only works where the endpoints trust the interception proxy’s CA. The follow-up is: What about Stunnel? Stunnel wraps any TCP protocol in TLS with whatever certificate the user chooses, so a proxy the client does not trust sees nothing but ciphertext.

2. How does it inspect services like Dropbox, EverNote, etc.?

Another softy, but starting to get a little more difficult because we’re dealing with multiple consumer services.

3. Does it inspect consumer IM traffic such as AIM, Google Chat, etc.?

Lulling them into complacency, this should be a gimme question with no problem answering.

4. Does it do any metadata analysis on documents (.doc, .xls, .pdf, etc.) or images (.png, .gif, .jpg, etc.)? What about video files (.avi, .mp4, etc.)?

You should expect some raised eyebrows on this one.

5. Does it do any steganography analysis of images?

Some will say yes, others no. If yes, the follow-up question is: How do you do this? There are literally hundreds of steganography tools — do you have strings or signatures that you’re looking for from all of these tools?

6. Your product probably blocks well-known P2P like Limewire, Bearshare, etc. What about private P2P networks like WASTE?

7. What about VoIP, including encrypted systems like Zfone and Skype, or proprietary signaling like Cisco Skinny? Specifically, does it inspect the audio for DTMF tones?

“It’s on the roadmap” will most likely be the answer.
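To make question 7 concrete: DTMF keyed into a call is an in-band channel (an account number, a PIN, a few bytes of anything), and catching it means decoding the audio in the RTP stream rather than matching strings in packets. The following is an added example, written for this article and not code from the original post or from any DLP product, of a DTMF decoder using the Goertzel algorithm, the standard way of picking the eight DTMF frequencies out of 8 kHz telephony audio. The audio is synthesized inside the script rather than captured from a call; the frame size, power floor and dominance ratio are tuning choices of this example.

```python
import math

SAMPLE_RATE = 8000    # narrowband telephony rate (G.711 payloads in an RTP stream are 8 kHz)
FRAME = 205           # samples per analysis frame (~25.6 ms), the classic DTMF detector size
LOW_FREQS = (697, 770, 852, 941)
HIGH_FREQS = (1209, 1336, 1477, 1633)
KEYPAD = (("1", "2", "3", "A"),
          ("4", "5", "6", "B"),
          ("7", "8", "9", "C"),
          ("*", "0", "#", "D"))
MIN_POWER = 100.0     # skip near-silent frames (samples are floats normalised to [-1, 1])
DOMINANCE = 0.7       # the two winning tones must carry at least 70% of the frame's energy


def goertzel_power(frame, freq, fs=SAMPLE_RATE):
    """Squared magnitude of the `freq` component of `frame`, via the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / fs)
    s1 = s2 = 0.0
    for x in frame:
        s0 = x + coeff * s1 - s2
        s2, s1 = s1, s0
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def detect_digit(frame, fs=SAMPLE_RATE):
    """Return the DTMF key present in `frame`, or None if the frame is not a clean tone pair."""
    low = [goertzel_power(frame, f, fs) for f in LOW_FREQS]
    high = [goertzel_power(frame, f, fs) for f in HIGH_FREQS]
    li = max(range(4), key=low.__getitem__)
    hi = max(range(4), key=high.__getitem__)
    if low[li] < MIN_POWER or high[hi] < MIN_POWER:
        return None
    # For a sinusoid of amplitude A over N samples, Goertzel power is (A*N/2)^2 and the frame
    # energy is A^2*N/2, so power / (energy*N/2) is ~1 for a frame that is only that tone.
    # Requiring the two winners to dominate the frame rejects speech and single tones.
    energy = sum(x * x for x in frame)
    if low[li] + high[hi] < DOMINANCE * energy * len(frame) / 2:
        return None
    return KEYPAD[li][hi]


def decode_dtmf(samples, fs=SAMPLE_RATE):
    """Decode a PCM sample stream into the key presses it carries (one character per press)."""
    keys = []
    last = None
    for start in range(0, len(samples) - FRAME + 1, FRAME):
        key = detect_digit(samples[start:start + FRAME], fs)
        if key is not None and key != last:
            keys.append(key)
        last = key
    return "".join(keys)


def synthesize_tone(freqs, n_samples, fs=SAMPLE_RATE, amplitude=0.5):
    """Constructed test input: the sum of sinusoids at `freqs`, `amplitude` each."""
    return [amplitude * sum(math.sin(2.0 * math.pi * f * n / fs) for f in freqs)
            for n in range(n_samples)]


def synthesize_dtmf(keys, fs=SAMPLE_RATE, tone_ms=80, gap_ms=80):
    """Constructed test input: `keys` as DTMF tone bursts separated by silence."""
    samples = []
    for key in keys:
        row = next(i for i, r in enumerate(KEYPAD) if key in r)
        col = KEYPAD[row].index(key)
        samples += synthesize_tone((LOW_FREQS[row], HIGH_FREQS[col]), fs * tone_ms // 1000, fs)
        samples += [0.0] * (fs * gap_ms // 1000)
    return samples


if __name__ == "__main__":
    audio = synthesize_dtmf("1234#")   # what a caller keying a short account number sounds like
    print(decode_dtmf(audio))          # 1234#
```

On a real RTP stream you would decode the G.711 payload to linear PCM first and feed consecutive frames to `detect_digit`; a DLP product that wants to answer question 7 has to do exactly this (or parse RFC 4733 telephone-event payloads where the endpoints send digits out of band), and neither is possible once the media is encrypted with SRTP or ZRTP.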

8. Does it block/ inspect advanced data exfiltration tools and tactics?

This will be perhaps the most exciting Q&A. Be sure to do your homework on these tools and techniques!

9. How does it inspect Tor traffic? Tor hidden services?

Expect audible groans.

10. How does it address IPv6 tunneled inside IPv4?

Expect quizzical looks.
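Question 10 in code: an IPv4-only inspection engine logs a 6in4 packet as “protocol 41” and a Teredo packet as “UDP to port 3544” and never sees the IPv6 conversation inside, which is why tunnelled v6 is such a convenient exfiltration path. The following added example (written for this article; not from any vendor’s product or from the original post) unwraps both encapsulations so the inner IPv6 endpoints can be logged or matched against policy. The packets are constructed inline with checksums left at zero and addresses from the documentation ranges; Teredo packets that carry an origin or authentication indication before the IPv6 header are deliberately not handled here.

```python
import socket
import struct

IPPROTO_IPV6 = 41       # IANA protocol number: IPv6 carried directly in IPv4 (6in4, 6to4, 6rd)
TEREDO_PORT = 3544      # UDP port of Teredo servers/relays (RFC 4380)


def parse_ipv4(pkt):
    """Return (protocol, src, dst, payload) for a raw IPv4 packet, or None if it is not one."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    return pkt[9], socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[ihl:]


def parse_ipv6(pkt):
    """Return (next_header, src, dst) for an IPv6 header, or None if the bytes are not one."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    return (pkt[6],
            socket.inet_ntop(socket.AF_INET6, pkt[8:24]),
            socket.inet_ntop(socket.AF_INET6, pkt[24:40]))


def classify_tunnel(pkt):
    """Label an IPv4 packet as a '6in4' or 'teredo' tunnel and expose the inner IPv6 endpoints."""
    outer = parse_ipv4(pkt)
    if outer is None:
        return None
    proto, src, dst, payload = outer
    kind, inner = None, None
    if proto == IPPROTO_IPV6:
        kind, inner = "6in4", parse_ipv6(payload)
    elif proto == socket.IPPROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT in (sport, dport):
            # Plain Teredo data packet: the IPv6 header follows the UDP header directly.
            # Packets with a Teredo indication (first two bytes 0x0000 or 0x0001) will not match.
            kind, inner = "teredo", parse_ipv6(payload[8:])
    if inner is None:
        return None
    return {"kind": kind, "outer": (src, dst), "inner": inner[1:], "next_header": inner[0]}


def scan(packets):
    """Run classify_tunnel over a capture and return the hits in order."""
    return [hit for hit in (classify_tunnel(p) for p in packets) if hit is not None]


# --- constructed sample packets (checksums are zero; these are never put on the wire) ---

def build_ipv4(proto, src, dst, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_ipv6(next_header, src, dst, payload=b""):
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                      socket.inet_pton(socket.AF_INET6, src),
                      socket.inet_pton(socket.AF_INET6, dst))
    return hdr + payload


def build_udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


INNER = build_ipv6(socket.IPPROTO_TCP, "2001:db8:1::10", "2001:db8:ffff::1", b"\x00" * 20)
SAMPLE_PACKETS = [
    build_ipv4(socket.IPPROTO_TCP, "192.0.2.10", "198.51.100.5", b"\x00" * 20),             # plain v4 TCP
    build_ipv4(IPPROTO_IPV6, "192.0.2.10", "198.51.100.5", INNER),                          # 6in4
    build_ipv4(socket.IPPROTO_UDP, "192.0.2.10", "198.51.100.5",
               build_udp(40000, TEREDO_PORT, INNER)),                                       # Teredo
    build_ipv4(socket.IPPROTO_UDP, "192.0.2.10", "198.51.100.5", build_udp(40000, 53, b"\x00" * 32)),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_PACKETS):
        print(hit["kind"], hit["outer"], "->", hit["inner"], "next header", hit["next_header"])
```

The same two branches are what you would add to a capture-processing pipeline (or ask the vendor to show you in theirs); without them the inner addresses, ports and content are invisible to every downstream rule.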

Hopefully this will enlighten you about some of the methods attackers will use to perform data exfiltration. And will also provide you some good questions to beat up vendors after they take you out for lunch or golf. At the very least, you can expect your DLP vendor to mention that nobody has asked some of these questions of them before 🙂

WikiLeaks as a Preview of All-Out Cyberwar, Part 2 – The Escalation

Updating three points from my post last week, WikiLeaks as a Preview of All-Out Cyberwar. I wrote:

On the opposite site, you have the WikiLeaks organization itself moving its content to various places and among various providers… desperately seeking a way to keep itself online. But even more you have supporters of WikiLeaks downloading all the content and popping up mirror sites all over the place, trying to keep the organization’s content out there. The distributed and decentralized nature of the Internet allows easily for this type of content propagation.

Through the WikiLeaks Twitter page, they have been reporting the growth in mirror sites, most recently 507 mirrors. (Note the reported checkbox for new mirror sites.) Which, of course, provides a nice hit list to those who want to shut it down…

And every new site or domain name that pops up with WikiLeaks content becomes yet another target for those wishing to knock the organization offline.

… such as the report today that the WikiLeaks servers in Sweden are under attack.

And undoubtedly there are supporters of WikiLeaks out there who are trying to counter-attack the attackers.

UPDATE, 2 hours later: I noticed this in a NY Times piece yesterday: The collective Anonymous, an informal but notorious group of hackers and activists, also declared war on Sunday against enemies of Mr. Assange, calling on supporters to attack the sites of companies that do not support WikiLeaks and to spread the leaked material online.

As I wrote last week:

I think it will get uglier before it’s all over.

Indeed, TechCrunch wonders how long the @wikileaks Twitter account will stay around.

WikiLeaks as a Preview of All-Out Cyberwar

As a network security professional, the ongoing WikiLeaks saga certainly is quite concerning. I am not referring to the exposure of documents, but rather to the all-out effort to completely wipe WikiLeaks off the Internet… and what that means for your business and your connectivity to the Internet.

I’m NOT talking here about the politics of the WikiLeaks situation. A significant number of you reading this will probably believe that WikiLeaks is an extreme terrorist organization that should be eliminated from the network and the leaders should be hunted down and imprisoned (or worse). And a significant number of you reading this will probably believe that WikiLeaks is a champion of transparency and openness and a leader in fighting against government censorship and secrecy and needs to be supported by all means possible.

Put the politics aside for a moment and think about WikiLeaks in terms of:

an entity that many organizations around the world want to eliminate from the Internet.

Consider the attacks they have been under:

  • Multiple reports of large-scale distributed denial-of-service attacks
  • Being kicked off of multiple hosting providers, including Amazon Web Services
  • Most recently, having the wikileaks.org domain name removed from DNS

and undoubtedly many other forms of attacks…

The Guardian in the UK had a good article up today on the issue:

WikiLeaks fights to stay online after US company withdraws domain name

I definitely understand the difficult decision EveryDNS.net faced (and in full disclosure, I do personally use their free service for some dynamic DNS domains). I know a couple of the folks there, and as they state in the notice on their home page:

More specifically, the services were terminated for violation of the provision which states that “Member shall not interfere with another Member’s use and enjoyment of the Service or another entity’s use and enjoyment of similar services.” The interference at issue arises from the fact that wikileaks.org has become the target of multiple distributed denial of service (DDOS) attacks. These attacks have, and future attacks would, threaten the stability of the EveryDNS.net infrastructure, which enables access to almost 500,000 other websites.

You are a provider of a free domain name service … and suddenly one of those 500,000+ domains comes under extreme attack to such a degree that it could endanger the accessibility for everyone. Though I am sure that the EveryDNS folks will be vilified by some (and probably attacked) and praised by others, as a network and security professional I can understand why they made the choice they did. At some point, there is a need to protect and preserve your own infrastructure and connectivity. They can’t stay in business if they don’t.

But reading that Guardian article and all the other ongoing coverage, I can’t help but think:

We are witnessing a preview of true cyber-war.

Beyond the public pressure from various senators and government officials around the world to shut down WikiLeaks and encourage companies to sever ties, you have to wonder if various intelligence and/or military agencies with different governments aren’t actively trying to shut them down online. Add in all the private groups clamoring for a shut-down… you have to think some of them are engaged in electronic activity. And add in all the individuals out there trying to do their part to shut down WikiLeaks.

How many botnets are probably active right now executing DDoS attacks against WikiLeaks?

On the opposite site, you have the WikiLeaks organization itself moving its content to various places and among various providers… desperately seeking a way to keep itself online. But even more you have supporters of WikiLeaks downloading all the content and popping up mirror sites all over the place, trying to keep the organization’s content out there. The distributed and decentralized nature of the Internet allows easily for this type of content propagation.

And every new site or domain name that pops up with WikiLeaks content becomes yet another target for those wishing to knock the organization offline. And undoubtedly there are supporters of WikiLeaks out there who are trying to counter-attack the attackers.

I think it will get uglier before it’s all over.

For us in the security community, there is much to think about:

  • Where are your services hosted on the Internet? How well do you know those providers? And how solid and redundant are their services?
  • Could your sites become “collateral damage” and be knocked off the ‘Net if some other site hosted at a provider came under attack?
  • Where are the single points-of-failure (SPOFs) in your hosting and Internet connectivity?
  • Where are your domain names hosted? What if the DNS provider came under attack?
  • Do you have alternative domains available? Perhaps through a completely different DNS provider and able to be pointed to a completely different hosting provider?
  • What are the Time-To-Live (TTL) values set for your primary domain names? If one provider was knocked out, how quickly could you repoint those domains to another site?
  • And if you are hosting your own services, what levels of protection do you have in place? What kind of redundant connections do you have?
  • What ability do you have to rapidly move your connectivity (and content) to another site?
  • etc., etc.
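As an added example (not part of the original post) of turning the DNS questions above into something you can actually check: given a snapshot of your zone as `dig` reports it, the script below flags nameservers that all belong to one provider, nameservers that all sit in one network, and service records whose TTL is longer than the failover window you are willing to accept. The zone data is constructed; dnshost.example is a hypothetical provider and the addresses are from the documentation ranges. One caveat the snapshot cannot capture: the NS delegation at the parent zone has its own TTL, and that bounds how quickly you can move to a different DNS provider no matter what your own records say.

```python
import ipaddress
from collections import namedtuple

Record = namedtuple("Record", "name ttl rtype rdata")

# Constructed snapshot of a zone as `dig` would report it.  dnshost.example is a hypothetical
# DNS provider; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_ZONE = [
    Record("example.com.", 86400, "NS", "ns1.dnshost.example."),
    Record("example.com.", 86400, "NS", "ns2.dnshost.example."),
    Record("ns1.dnshost.example.", 86400, "A", "192.0.2.10"),
    Record("ns2.dnshost.example.", 86400, "A", "192.0.2.11"),
    Record("example.com.", 86400, "A", "198.51.100.20"),
    Record("www.example.com.", 43200, "CNAME", "example.com."),
    Record("sip.example.com.", 300, "A", "198.51.100.30"),
]

ADDRESS_TYPES = ("A", "AAAA", "CNAME")


def registrable_domain(host):
    """Crude provider key: the last two labels of a hostname (enough to spot one-provider setups)."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def assess_zone(records, apex, max_failover_s=300, prefix_len=24):
    """Flag the single points of failure the post asks about: one DNS provider, one network, long TTLs."""
    ns_hosts = {r.rdata for r in records if r.name == apex and r.rtype == "NS"}
    ns_addrs = [r.rdata for r in records if r.rtype == "A" and r.name in ns_hosts]
    providers = {registrable_domain(h) for h in ns_hosts}
    networks = {ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False) for ip in ns_addrs}
    service = [r for r in records if r.rtype in ADDRESS_TYPES and r.name not in ns_hosts]
    slow = sorted((r.name, r.rtype, r.ttl) for r in service if r.ttl > max_failover_s)
    return {
        "ns_hosts": sorted(ns_hosts),
        "single_dns_provider": len(providers) < 2,
        "single_ns_network": len(networks) < 2,
        "slow_to_repoint": slow,
        # A cached answer can live this long after you change it: the floor on your failover time.
        "worst_case_repoint_s": max((r.ttl for r in service), default=0),
    }


if __name__ == "__main__":
    report = assess_zone(SAMPLE_ZONE, "example.com.")
    for key, value in report.items():
        print(f"{key}: {value}")
```

In the sample zone the SIP record is already set to a five-minute TTL, so it can be repointed quickly, while the web records would take up to a day to follow a move; both nameservers come from the same provider and the same /24, so the DNS provider going down takes everything with it, which is exactly the EveryDNS scenario above.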

Bringing this to a VoIP and communications context: if you are using IP-based systems for real-time communications, is your architecture robust enough to withstand attacks, whether those attacks are targeted at you or at others connected near you? Can you answer the questions above for your real-time communications system? Where are your SPOFs? What are your backup plans? How will you stay online and connected in the face of an overwhelming attack?

This particular saga of WikiLeaks will play out in the days, weeks and months ahead… and whether they stay online or are forced offline remains to be seen… but what we’re publicly witnessing right now is a case study of the time ahead of us.

Are you prepared?


Dan York, CISSP, is chair of the VoIP Security Alliance, author of “Seven Deadliest Unified Communications Attacks” and a frequent speaker on communication security issues.


Weaponizing the Nokia N900 – Part 3

Welcome to the 3rd post in my series on leveraging the power of the Nokia N900 with open-source, cutting-edge security tools for espionage/ethical penetration testing.

As mentioned in my last article, I’m continuing to focus on available, easily installed and free tools. This post will cover more scary security-related applications for the Nokia N900, in particular the ability to control the N900 via SMS.

I’ve been scoping tools for the N900 that will place a call surreptitiously and will cover two here: BabyPhone and SMSCON.

BabyPhone


BabyPhone for the N900 is a monitoring application that uses the N900’s microphone to listen for a predefined noise threshold, like a baby crying, and then initiates a phone call to the configured number.

From a potential espionage/pen-test standpoint, I found this an attractive application in the sense that it’s useful to kick off a call when there’s ambient noise in the target location, such as an executive conference room. However, I had some problems with the microphone — not with the sensing part that listens for noise and then initiates the call, but rather after the call was placed, I could not hear anything. This might be an issue with my phone, and some quick searches for others with this problem proved fruitless.

Were the mic working, I might have stuck with this application and not looked further. In retrospect, it’s fortunate that it did not work, as I was forced to look for other applications and found a killer one called SMSCON.

SMSCON


SMSCON is an application that allows you to control your Nokia N900 via SMS messages sent to the phone. Clearly, from an espionage/pen-test perspective this kind of remote control over a cellular network is a powerful tool: it is basically letting you send commands over SMS to a Linux box, which is what the N900 is at the end of the day. SMSCON is also useful as a poor man’s LoJack, in that the remote-control features allow you to pull GPS data, take pictures of the perp who stole your phone, SMS the new SIM card information when a replacement SIM is inserted into the N900, etc.

SMSCON has a companion program called SMSCON-EDITOR which provides some basic pre-configured options and templates to fill in various parameters like the phone number to call, email address, etc. There are other options, such as a reverse SSH session from the phone to an SSH server: you connect to the external SSH server and then connect back to the N900 through the tunnel the phone has already established to it. Very old skool, but still slick and an effective means to traverse NAT, firewalls, etc.

Another SMSCON-EDITOR option allows you to kick off a Bash script on the N900 via SMS. Really, with all the bells and whistles and pretty GUI of SMSCON, this single function is the one thing a skilled attacker would need in order to use the N900 in an espionage/pen-test scenario. Think of leaving the N900 at a target site, and then sending the SMS to kick off your custom bash script that does any number of things, such as Bluetooth scanning, firing up the N900 wireless adapter for sniffing, calling a phone, etc. One of the slickest scripts will send an SMS when the N900’s keyboard is opened or closed, providing a useful means to determine whether the target has discovered and is handling the N900 you covertly placed on-site for your espionage/pen-test engagement. Pure evil.
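A caution that applies to SMSCON and to anything you build on top of it: the sender number of an SMS is not an authenticator (it can be spoofed through SMS gateways, just as the webinar abstract earlier on this page notes for caller ID), so a command channel gated only on “is this my number” lets anyone who learns that number run your scripts on the device. The following added example (mine, written for this article; not SMSCON’s code) shows how the run-a-script and reverse-SSH options described above would be wired up so that only HMAC-authenticated, replay-protected, allow-listed commands execute, and the SMS body never reaches a shell. The shared secret, controller number and relay host are hypothetical placeholders; the reverse SSH entry assumes key-based authentication to the relay is already set up.

```python
import hashlib
import hmac
import subprocess

# Hypothetical values: the secret is provisioned on the phone, the controller number is yours.
SHARED_SECRET = b"provision-a-long-random-secret-here"
ALLOWED_SENDERS = {"+15550100"}
TAG_LEN = 16   # hex chars of HMAC-SHA256 kept: 64 bits, which fits comfortably in a 160-char SMS

# Allow-listed commands: name -> (argv, detach).  Nothing outside this table ever runs.
# "reverse-ssh" is the option discussed above: the phone dials out to a relay (hypothetical
# host) and exposes its own sshd as port 2222 on the relay; it is long-lived, so it is detached.
COMMANDS = {
    "whoami": (["id"], False),
    "uptime": (["uptime"], False),
    "reverse-ssh": (["ssh", "-N", "-R", "2222:localhost:22", "relay@203.0.113.7"], True),
}


def make_message(counter, command, secret=SHARED_SECRET):
    """Controller side: '<counter> <command> <tag>', the tag covering both counter and command."""
    body = f"{counter} {command}"
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]
    return f"{body} {tag}"


def verify_message(text, last_counter, secret=SHARED_SECRET):
    """Phone side: (counter, command) if the tag is valid and the counter is fresh, else None."""
    parts = text.strip().split(" ")
    if len(parts) != 3 or not parts[0].isdigit():
        return None
    counter_s, command, tag = parts
    expected = hmac.new(secret, f"{counter_s} {command}".encode(), hashlib.sha256).hexdigest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    counter = int(counter_s)
    if counter <= last_counter:   # replayed or reordered: a captured SMS must not run twice
        return None
    return counter, command


def handle_sms(sender, text, state, run=subprocess.run, spawn=subprocess.Popen):
    """Process one inbound SMS.  state['counter'] is the last accepted counter (persist it to disk)."""
    if sender not in ALLOWED_SENDERS:
        return "ignored: sender not allow-listed"
    verified = verify_message(text, state["counter"])
    if verified is None:
        return "rejected: bad tag or replayed counter"
    counter, command = verified
    entry = COMMANDS.get(command)
    if entry is None:
        return f"rejected: unknown command {command!r}"
    argv, detach = entry
    state["counter"] = counter
    if detach:
        proc = spawn(argv, stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return f"started pid {proc.pid}"
    completed = run(argv, capture_output=True, text=True, timeout=60)
    return completed.stdout.strip()


if __name__ == "__main__":
    state = {"counter": 0}
    msg = make_message(1, "whoami")
    print(msg)                                  # what the controller's phone would send
    print(handle_sms("+15550100", msg, state))  # output of `id` on the N900
```

The counter does the work the sender number cannot: an attacker who intercepts or is forwarded a valid message gets nothing from re-sending it, and without the secret cannot forge a tag for a different command. Reply SMS traffic (GPS position, the photo notification, the keyboard-open alert) is the other half of the channel and deserves the same treatment.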

Of course, it would be great if all the functions and scripts worked right. Plenty of functions in SMSCON and SMSCON-EDITOR do work, but some do not, and both have a number of bugs and glitches at this time. The good news is that both projects are active and bugs are getting fixed. Both are definitely programs to watch, and even now they provide a basic framework from which to build your own tools that leverage the N900.

Use The Source

Especially useful about SMSCON is that it is written as a plain Python script. Having a plaintext script rather than a compiled binary is excellent, as it lets you see exactly what is going on under the covers. Wondering how the N900 sends an SMS? Read the script. How does the N900 access the front camera, take a photo of the user, and then email it? Read the script. How does the N900 make a cellular call? Read the script.

Overall, having this written in Python is hugely useful: it allows the savvy user and coder to pull functionality out of the SMSCON Python script and roll their own mini-tools to do specific actions on the N900. I’m not a coder, but even with my meager coding skills I can read through the well-documented and clean SMSCON Python code and figure out quite a bit.

If you’re planning to use SMSCON be sure to check out the Maemo forum thread for SMSCON — it will save you time and answer many of your questions.

Well, that’s it for this post, hope you’ve enjoyed it and that the information helps broaden your view of what kinds of tools and software can be leveraged on COTS gear for espionage/pen-testing engagements. As for what’s next, I’ve been working with some of the wireless tools like Aircrack-NG and Kismet on my N900 and will likely make that the next blog post, or soon thereafter, in this series.