Author Archive

VoIP Fraud Detection/Analysis on VUC Conf Call Today at Noon US Eastern

Friday, January 14th, 2011 by

It may be a wee bit of a late notice for folks to join the call live, but in about 50 minutes, the VoIP Users Conference will have their weekly live call talking this week with folks from Humbug Telecom Labs about their tools for detecting and analyzing VoIP fraud.

You can join the live call via SIP, Skype or the regular old PSTN. There is also an IRC backchannel that gets heavy usage during the call.

If you can’t attend the call live, a recording of the session will be made available later from the episode’s web page.


If you found this post interesting or helpful, please consider either subscribing via RSS or following VOIPSA on Twitter.


GSM Encryption Cracked – Eavesdropping Now Possible

Monday, January 3rd, 2011 by

Last Friday there was news out of the Chaos Computer Club Congress in Berlin that two security researchers, Karsten Nohl and Sylvain Munaut, had successfully cracked the encryption used in the GSM cellular network (the A5/1 stream cipher) and demonstrated eavesdropping on live calls. While not “VoIP”, per se, this is of interest to any of us working with VoIP as many VoIP clients now run on “smartphones” that sit on top of the GSM network (like, oh, the iPhone, among others). The limit of the break is worth noting: it exposes whatever crosses the GSM radio link, so a VoIP call carried unencrypted over a GSM data bearer is exposed, while one protected end to end (TLS for signaling, SRTP for media) is not. Some of the articles on this topic:

The researchers are apparently not releasing their toolkit publicly, but obviously word of their success will encourage others to investigate further.




Webinar Tomorrow: Securing Next Generation IP Communications Systems

Thursday, December 16th, 2010 by

Tomorrow (Friday, December 17, 2010) I will be participating in a webinar entitled “Deployment of Next Generation IP Security” for the International Legal Technology Association, an industry organization looking to “maximize the value of technology in support of the legal profession“. It should be fun and I’m expecting that the questions I’ll receive may indeed be a bit different from doing a webinar for security professionals or enterprise IT staff.

The abstract is as follows:

Deployment of next generation IP-PBXs and Session Initiation Protocol (SIP) are the new standard. AT&T has gone on record stating POTS is dead. So are these new technologies safe? How can you ensure a safe and secure environment? Recently in one such sophisticated attack the attacker hacked into the SIP provider and bounced off the IP-PBX which re-directed the calls to a Michigan number which then re-directed the calls to International Countries of known terrorist activity thus racking up over $12,000 in toll-fraud charges. Could this happen to you? This Webinar will look into the following:

  • How to properly choose a SIP provider
  • Voice encryption with emphasis on soft phone deployment on laptops, wireless and Wi-Fi devices.
  • User Authentication via third party certification (Today anyone can download an app or purchase a calling-card which allows them to display any Caller ID Number)
  • Remote User and Voice RTP Stream protection (This is a known VOIP Vulnerability)

Securing your IP-PBX can be simple once you understand the issues. It is then up to you as to what level of protection you wish to deploy.

If you are interested in offering a similar webinar to your organization, be it a company, nonprofit or industry group, please feel free to drop me a note, as I’m always open to participating in such sessions (and have done so many times in the past).

And if you are an ILTA member, I look forward to answering your questions tomorrow!




WikiLeaks as a Preview of All-Out Cyberwar, Part 2 – The Escalation

Monday, December 6th, 2010 by

Updating three points from my post last week, WikiLeaks as a Preview of All-Out Cyberwar. I wrote:

On the opposite side, you have the WikiLeaks organization itself moving its content to various places and among various providers… desperately seeking a way to keep itself online. But even more you have supporters of WikiLeaks downloading all the content and popping up mirror sites all over the place, trying to keep the organization’s content out there. The distributed and decentralized nature of the Internet allows easily for this type of content propagation.

Through the WikiLeaks Twitter page, they have been reporting the growth in mirror sites, most recently 507 mirrors. (Note the reported checkbox for new mirror sites.) Which, of course, provides a nice hit list to those who want to shut it down…

And every new site or domain name that pops up with WikiLeaks content becomes yet another target for those wishing to knock the organization offline.

… such as the report today that the WikiLeaks servers in Sweden are under attack.

And undoubtedly there are supporters of WikiLeaks out there who are trying to counter-attack the attackers.

UPDATE, 2 hours later: I noticed this in a NY Times piece yesterday: The collective Anonymous, an informal but notorious group of hackers and activists, also declared war on Sunday against enemies of Mr. Assange, calling on supporters to attack the sites of companies that do not support WikiLeaks and to spread the leaked material online.

As I wrote last week:

I think it will get uglier before it’s all over.

Indeed, TechCrunch wonders how long the @wikileaks Twitter account will stay around.

WikiLeaks as a Preview of All-Out Cyberwar

Friday, December 3rd, 2010 by

As a network security professional, the ongoing WikiLeaks saga certainly is quite concerning. I am not referring to the exposure of documents – but rather the all-out effort to completely wipe WikiLeaks off the Internet… and what that means for your business and your connectivity to the Internet.

I’m NOT talking here about the politics of the WikiLeaks situation. A significant number of you reading this will probably believe that WikiLeaks is an extreme terrorist organization that should be eliminated from the network and the leaders should be hunted down and imprisoned (or worse). And a significant number of you reading this will probably believe that WikiLeaks is a champion of transparency and openness and a leader in fighting against government censorship and secrecy and needs to be supported by all means possible.

Put the politics aside for a moment and think about WikiLeaks in terms of:

an entity that many organizations around the world want to eliminate from the Internet.

Consider the attacks they have been under:

  • Multiple reports of large-scale distributed denial-of-service attacks
  • Being kicked off of multiple hosting providers, including Amazon Web Services
  • Most recently, having the wikileaks.org domain name removed from DNS

and undoubtedly many other forms of attacks…

The Guardian in the UK had a good article up today on the issue:

WikiLeaks fights to stay online after US company withdraws domain name

I definitely understand the difficult decision EveryDNS.net faced (and in full disclosure, I do personally use their free service for some dynamic DNS domains). I know a couple of the folks there, and as they state in the notice on their home page:

More specifically, the services were terminated for violation of the provision which states that “Member shall not interfere with another Member’s use and enjoyment of the Service or another entity’s use and enjoyment of similar services.” The interference at issue arises from the fact that wikileaks.org has become the target of multiple distributed denial of service (DDOS) attacks. These attacks have, and future attacks would, threaten the stability of the EveryDNS.net infrastructure, which enables access to almost 500,000 other websites.

You are a provider of a free domain name service … and suddenly one of those 500,000+ domains comes under extreme attack to such a degree that it could endanger the accessibility for everyone. Though I am sure that the EveryDNS folks will be vilified by some (and probably attacked) and praised by others, as a network and security professional I can understand why they made the choice they did. At some point, there is a need to protect and preserve your own infrastructure and connectivity. They can’t stay in business if they don’t.

But reading that Guardian article and all the other ongoing coverage, I can’t help but think:

We are witnessing a preview of true cyber-war.

Beyond the public pressure from various senators and government officials around the world to shut down WikiLeaks and encourage companies to sever ties, you have to wonder if various intelligence and/or military agencies with different governments aren’t actively trying to shut them down online. Add in all the private groups clamoring for a shut-down… you have to think some of them are engaged in electronic activity. And add in all the individuals out there trying to do their part to shut down WikiLeaks.

How many botnets are probably active right now trying to execute DDoS attacks against WikiLeaks?

On the opposite side, you have the WikiLeaks organization itself moving its content to various places and among various providers… desperately seeking a way to keep itself online. But even more you have supporters of WikiLeaks downloading all the content and popping up mirror sites all over the place, trying to keep the organization’s content out there. The distributed and decentralized nature of the Internet allows easily for this type of content propagation.

And every new site or domain name that pops up with WikiLeaks content becomes yet another target for those wishing to knock the organization offline. And undoubtedly there are supporters of WikiLeaks out there who are trying to counter-attack the attackers.

I think it will get uglier before it’s all over.

For us in the security community, there is much to think about:

  • Where are your services hosted on the Internet? How well do you know those providers? And how solid and redundant are their services?
  • Could your sites become “collateral damage” and be knocked off the ‘Net if some other site hosted at a provider came under attack?
  • Where are the single points-of-failure (SPOFs) in your hosting and Internet connectivity?
  • Where are your domain names hosted? What if the DNS provider came under attack?
  • Do you have alternative domains available? Perhaps through a completely different DNS provider and able to be pointed to a completely different hosting provider?
  • What are the Time-To-Live (TTL) values set for your primary domain names? If one provider was knocked out, how quickly could you repoint those domains to another site?
  • And if you are hosting your own services, what levels of protection do you have in place? What kind of redundant connections do you have?
  • What ability do you have to rapidly move your connectivity (and content) to another site?
  • etc., etc.
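A small audit that turns the questions above into checks is added here as an example; it is not part of the original post. It reads a zone-file fragment (constructed for illustration, with RFC 5737 documentation addresses; the names, TTLs and the MAX_TTL threshold are assumptions) and reports the three single points of failure the list asks about: every nameserver at one DNS provider, a name that resolves into only one hosting network, and TTLs so long that a repoint would take most of a day to reach every resolver.

```python
"""Audit a DNS zone for the single points of failure the questions above ask about.

Added example, not part of the original post. The zone below is constructed:
names, addresses and TTLs are made up, and MAX_TTL is an assumed threshold.
"""
import ipaddress
from collections import defaultdict

# Constructed sample zone (RFC 5737 documentation addresses), not a real domain.
SAMPLE_ZONE = """\
; every NS is at one provider; the web site lives in one /24; long TTLs
example.com.           86400 IN NS  ns1.onlydns.example.
example.com.           86400 IN NS  ns2.onlydns.example.
example.com.           86400 IN A   203.0.113.10
www.example.com.       86400 IN A   203.0.113.10
sip.example.com.         300 IN A   203.0.113.20
sip.example.com.         300 IN A   198.51.100.20
_sip._udp.example.com.   300 IN SRV 10 50 5060 sip.example.com.
"""

# Assumption: an answer cached for longer than this is too slow to repoint under attack.
MAX_TTL = 3600


def parse_zone(text):
    """Parse 'name ttl class type rdata...' lines into (name, ttl, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        parts = line.split()
        if len(parts) < 5:
            continue
        records.append((parts[0], int(parts[1]), parts[3], parts[4:]))
    return records


def provider_of(nameserver):
    """Assumption: the nameserver's parent domain identifies its DNS provider."""
    labels = nameserver.rstrip(".").split(".")
    return ".".join(labels[-2:])


def audit_zone(text):
    """Return a list of findings; an empty list means no SPOF these checks can see."""
    records = parse_zone(text)
    findings = []

    # 1. All nameservers at one provider: the EveryDNS situation described above.
    providers = {provider_of(r[3][0]) for r in records if r[2] == "NS"}
    if len(providers) < 2:
        findings.append("DNS SPOF: all NS records belong to %s" % ", ".join(sorted(providers)))

    # 2. A name that resolves into a single /24: one hosting network, one DDoS target.
    nets = defaultdict(set)
    for name, _ttl, rtype, rdata in records:
        if rtype == "A":
            nets[name].add(ipaddress.ip_network(rdata[0] + "/24", strict=False))
    for name in sorted(nets):
        if len(nets[name]) < 2:
            findings.append("hosting SPOF: %s resolves only into %s" % (name, next(iter(nets[name]))))

    # 3. TTLs that outlive a realistic failover window (one finding per name/type).
    seen = set()
    for name, ttl, rtype, _rdata in records:
        if rtype in ("NS", "A", "SRV") and ttl > MAX_TTL and (name, rtype) not in seen:
            seen.add((name, rtype))
            findings.append("slow repoint: %s %s TTL is %ds (> %ds)" % (name, rtype, ttl, MAX_TTL))
    return findings


def worst_case_repoint_seconds(text, name):
    """How long resolvers may keep serving the old address after you change it."""
    return max((ttl for n, ttl, rtype, _ in parse_zone(text) if n == name and rtype == "A"), default=0)


if __name__ == "__main__":
    for finding in audit_zone(SAMPLE_ZONE):
        print(finding)
    print("www.example.com. repoint worst case:",
          worst_case_repoint_seconds(SAMPLE_ZONE, "www.example.com."), "seconds")
```

Run against the sample zone it flags six findings: one DNS provider, two names pinned to a single /24, and three record sets with a 24-hour TTL. The SIP records pass because they spread across two networks with a five-minute TTL, which is the shape you want for a real-time service you may need to move under attack.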

Bringing this to a VoIP and communications context, if you are using IP-based systems for real-time communications, is your architecture robust enough to withstand attacks? (whether or not those attacks are targeted at you or at others connected near you?) Can you answer those questions above for your real-time communications system? Where are your SPOFs? What are your backup plans? How will you stay online and connected in the face of an overwhelming attack?

This particular saga of WikiLeaks will play out in the days, weeks and months ahead… and whether they stay online or are forced offline remains to be seen… but what we’re publicly witnessing right now is a case study of the time ahead of us.

Are you prepared?


Dan York, CISSP, is chair of the VoIP Security Alliance, author of “Seven Deadliest Unified Communications Attacks” and a frequent speaker on communication security issues.


Slides: SIP, UC and Security Talk at ITEXPO in October 2010

Friday, November 19th, 2010 by

Back on October 4, 2010, I spoke at Ingate Systems “SIP Trunking and Unified Communications” section of TMC’s ITEXPO event in Los Angeles. I gave an overall summary of issues around VoIP/UC security and then joined a large panel of others answering questions from the moderator and the audience. The slides I used are now available online from my SlideShare account:

ISC2 Blog on Security Issues

Thursday, November 11th, 2010 by

Given that I hold a CISSP certification, I naturally remain connected to the International Information Systems Security Certification Consortium (ISC2) in order to maintain my credentials. I hadn’t paid much attention to the actual website for a while and only recently noted that there is an ISC2 blog and it’s been updated periodically for a while now:

http://blog.isc2.org/

Some of you may find it a useful resource. The ISC2 also is on Twitter, of course. :-)




Sipera Systems Relaunches Their Online Presence

Wednesday, November 10th, 2010 by

While I wouldn’t normally write about simply an updated website for a company, this particular company is Sipera Systems, one of the small number of companies focused pretty much entirely on VoIP security… er… “Unified Communications Security”. (And hey, “UC Security” sounds a whole lot better to say!)

Given that part of my regular work is working with web sites, I commend them on their new nice, clean look. They’ve also revamped their blog, as well.

Good to see, and I wish them continued success in this space.




Whither VOIPSA? (And How Are YOU Willing To Help?)

Friday, November 5th, 2010 by

Flickr credit: mhartford

What do you think “VOIPSA 2.0” should be? And perhaps more importantly, how are you willing to help?

As Dave Endler wrote in his post last week, five years ago the need for an organization like VOIPSA was very clear. As I’ve often said in my talks, at that time there were security vendors running around saying “VoIP is incredibly insecure… but if you buy our box/service/whatever you’ll be safe! Trust us!” And there were some communications vendors running around effectively saying “All those VoIP security concerns are overblown by paranoid security people… if you just buy our box/service/whatever you’ll be safe! Trust us!”

The truth, as we know, is somewhere in between.

And that is the prime value that VOIPSA brings, in my opinion… being an “industry neutral” place where we can lay out that there are very real threats to IP communications security – but that there are also very real solutions.

Over the past 5 years, we’ve started that process with the VoIP Security Threat Taxonomy, the VoIP Security Tools List, the VOIPSEC mailing list, this Voice of VOIPSA blog, the talks and webinars we’ve given, the Ingate SIP Trunking Seminars we’ve participated in, the Blue Box podcasts we created – and so many other ways.

There is a great deal more to do. The original need that spawned VOIPSA is very much alive today. If anything, the need is greater as our concern has moved beyond “Voice over IP” alone to the broader “Unified Communications” picture that includes video, chat, presence and other forms of collaboration. The threats, the tools and the solutions all keep evolving.

We all owe Dave Endler a great amount of thanks for all the work he did to bring us together, launch VOIPSA and get it moving. I certainly wish him all the best with his new endeavors and I expect we’ll still see him lurking around watching what’s going on.

Jonathan Zar and I will be posting some thoughts soon on next steps for the organization, but in the meantime I thought I’d just write this post and let you all know that I’d very much like to hear from you all who are reading this. While not formally a “membership” organization (i.e. you can’t become a “member” of VOIPSA), we do have a “community” of people who read and participate in the various mailing lists and other areas.

To all of you who have participated in and/or promoted VOIPSA (or have wanted to do so), what would you like to see the organization do next? How would you like to help?

Please feel free to leave a comment here or send me an email. I’m listening.

Firesheep – a new tool for capturing data on unsecured WiFi

Tuesday, October 26th, 2010 by

This isn’t about VoIP, per se, but it is about the threat we’ve long talked about of transmitting data over insecure WiFi networks. At the Toorcon 12 conference this week, Eric Butler and Ian Gallagher released a Firefox add-on called “Firesheep” (view their Toorcon slides) that passively captures the session cookies web sites send in cleartext HTTP over an open WiFi network and then, with a single click, lets you log in to those accounts as the victim. No password is involved: the cookie is the credential. Some of the reports:

TechCrunch followed up with a post about how to protect yourself – by forcing SSL connections:

Although as noted in the comments, that doesn’t always work. Forcing SSL only helps if the site also marks its session cookie Secure; otherwise the browser still sends the cookie with any plain http:// request to that domain, and the sniffer gets it anyway.

While this Firefox add-on is focused on the security of social networks, there are many other services out there that are sending data unprotected over networks.

In the end, we need more SSL (or “TLS” to those who understand the difference) – and other end-to-end technologies – to give us a safer Internet. Sadly, it will probably take proof-of-concept apps like this to make people pay attention.
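Both sides of the Firesheep story in working code, added here as an example; this is not Firesheep’s code and not from the original post. The first half does what the add-on does, minus the packet capture: it pulls session cookies out of cleartext HTTP requests (constructed here, not a real capture) using per-site handlers that name the cookie carrying the session, and builds the replayed request behind the one-click login. The second half is the defender’s check on a site’s own responses (also constructed): whether the session cookie carries the Secure flag and whether Strict-Transport-Security is set, the two things that decide if “forcing SSL” actually keeps the cookie off the air. The host and cookie names are made up.

```python
"""Firesheep's trick on constructed HTTP text, and the check that tells you
whether 'forcing SSL' actually protects the session cookie.

Added example, not Firesheep's code and not from the original post. All hosts,
cookie names and header values below are constructed for illustration.
"""

# Constructed capture: what a sniffer on an open WiFi sees, three cleartext requests.
CAPTURED_REQUESTS = [
    "GET /home HTTP/1.1\r\nHost: social.example\r\nCookie: sess=9f3a; lang=en\r\n\r\n",
    "GET /inbox HTTP/1.1\r\nHost: webmail.example\r\nCookie: SID=abcd1234\r\n\r\n",
    "GET /img/logo.png HTTP/1.1\r\nHost: cdn.example\r\n\r\n",  # no cookie, nothing to take
]

# Per-site handlers, as Firesheep has: which cookie names carry the login session.
SESSION_COOKIES = {
    "social.example": {"sess"},
    "webmail.example": {"SID"},
}


def _headers(raw):
    """Split an HTTP message into its header lines, dropping the request/status line."""
    head = raw.split("\r\n\r\n", 1)[0]
    return head.split("\r\n")[1:]


def harvest_sessions(requests, handlers):
    """Return {host: {cookie_name: value}} for every session cookie seen in cleartext."""
    stolen = {}
    for raw in requests:
        host = cookie = None
        for h in _headers(raw):
            if h.lower().startswith("host:"):
                host = h.split(":", 1)[1].strip()
            elif h.lower().startswith("cookie:"):
                cookie = h.split(":", 1)[1].strip()
        if host in handlers and cookie:
            jar = dict(p.strip().split("=", 1) for p in cookie.split(";") if "=" in p)
            wanted = {k: v for k, v in jar.items() if k in handlers[host]}
            if wanted:
                stolen.setdefault(host, {}).update(wanted)
    return stolen


def replay_request(host, path, stolen):
    """The request a one-click hijack sends: the victim's cookie from the attacker's machine."""
    cookie = "; ".join("%s=%s" % kv for kv in stolen[host].items())
    return "GET %s HTTP/1.1\r\nHost: %s\r\nCookie: %s\r\n\r\n" % (path, host, cookie)


# --- Defender's side: constructed responses from the two sites after an HTTPS login. ---
CONSTRUCTED_RESPONSES = {
    # Login was over HTTPS, but the cookie lacks Secure: any http:// link back leaks it.
    "social.example": "HTTP/1.1 200 OK\r\nSet-Cookie: sess=9f3a; Path=/; HttpOnly\r\n\r\n",
    # Secure cookie plus HSTS: the browser will not send it, or even connect, in cleartext.
    "webmail.example": (
        "HTTP/1.1 200 OK\r\nSet-Cookie: SID=abcd1234; Path=/; Secure; HttpOnly\r\n"
        "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n"),
}


def audit_response(raw, session_names):
    """Return the problems that would still hand a sniffer the session cookie."""
    problems = []
    headers = _headers(raw)
    if not any(h.lower().startswith("strict-transport-security:") for h in headers):
        problems.append("no Strict-Transport-Security: any http:// link to the site is cleartext")
    for h in headers:
        if not h.lower().startswith("set-cookie:"):
            continue
        parts = [p.strip() for p in h.split(":", 1)[1].split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if name in session_names and "secure" not in attrs:
            problems.append("%s: no Secure flag, browser will send it over plain http://" % name)
    return problems


if __name__ == "__main__":
    loot = harvest_sessions(CAPTURED_REQUESTS, SESSION_COOKIES)
    print("harvested:", loot)
    print(replay_request("social.example", "/home", loot))
    for host, raw in CONSTRUCTED_RESPONSES.items():
        print(host, "->", audit_response(raw, SESSION_COOKIES[host]) or ["ok"])
```

The audit is the part to keep: a site that fails it leaks its session cookie no matter how carefully the login page forces SSL, because the browser attaches the cookie to every request for that domain, including the http:// image or link that some page still carries.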