Author Archive

Shall We Play a Game?

Friday, March 6th, 2009 by

HD Moore of Metasploit Project fame has just released a new set of free war dialing tools called WarVOX. What makes these new tools so interesting is that they leverage VoIP service providers to scan and analyze hundreds of phone numbers, finding modems, faxes, voice mail boxes, PBXs, loops, dial tones, IVRs, and forwarders much, much faster than any modem ever could. Check out the WarVOX screenshots, which show the interface and slick reporting features.

Back Online

Thursday, February 26th, 2009 by

As some of you may have noticed, our servers were offline for the past 24 hours due to unforeseen circumstances. It seems the recent global economic turmoil has not left VOIPSA unscathed. Turns out our hosting provider was delinquent on paying their bills to their upstream data center provider. Supposedly, the hosting provider’s management is nowhere to be found and did not respond to repeated billing inquiries, leaving the upstream data center no choice but to unplug all of the hosting provider’s customers.

Apologies for the inconvenience, and we’re working on moving to a more permanent and solvent hosting provider in the near future!

VoIP makes the SANS Top 20 Internet Security Risks of 2007 (again)

Tuesday, November 27th, 2007 by

The SANS Institute just released its Top 20 Internet Security Risks of 2007 Annual update. Yet again this year, VoIP made the list, with a collection of just some of the VoIP vulnerabilities that were disclosed this past year. Check it out. For those of you who don’t want to read the entire document, a decent executive summary is available here.

VOIPSA Releases its VoIP Security Tools List

Wednesday, March 14th, 2007 by

I’m pleased to announce the public release of VOIPSA’s VoIP Security Tool List. The list was developed to address the current void of VoIP security testing resources and sites, for vendors and VoIP users alike. The list is separated into the following seven broad categories:

  • VoIP Sniffing Tools
  • VoIP Scanning and Enumeration Tools
  • VoIP Packet Creation and Flooding Tools
  • VoIP Fuzzing Tools
  • VoIP Signaling Manipulation Tools
  • VoIP Media Manipulation Tools
  • Miscellaneous Tools

Special thanks to VOIPSA members Shawn Merdinger and Dustin Trammell who created the list and have graciously agreed to maintain it. For more information about the tools list, you can listen to Dan York and Jonathan Zar discuss it in Blue Box Podcast #54 and also with Shawn Merdinger in Blue Box Special Edition #16 available at http://www.blueboxpodcast.com.

Phone “Phreakers” Steal Minutes

Monday, March 12th, 2007 by

The March 19th edition of Newsweek has an article about cyber thieves stealing VoIP minutes by hacking into VoIP providers’ gateways. It’s the first time I’ve actually seen real numbers applied to VoIP theft:

‘These thieves steal 200 million minutes a month, worth $26 million, says New York telecom Stealth Communications. With more than 5,000 wholesale-minutes markets worldwide, located mainly on Internet forums, fraud is hard to track. Emmanuel Gadaix, head of TSTF, a Hong Kong firm that investigates VoIP thefts, says it’s “very easy to set up a temporary link” through a hacked gateway. His company was recently hired by a Panamanian telecom that lost $110,000 to phreakers. TSTF followed tracks, in vain, that snaked through Bulgaria, Canada, Costa Rica, Hong Kong and the United States. Phreaker trails are “way too complicated” to track successfully, says Gadaix.’

This brings up memories of the Edwin Pena case, in which he was able to rake in over $1 million USD in profits from stealing and reselling VoIP minutes from several providers.

Does anyone know for sure how these VoIP provider gateways are being broken into? Default passwords? Well-known vulnerabilities in the operating system? Stolen access codes?

New VoIP Phishing Scheme

Thursday, March 8th, 2007 by

Brian Krebs from the Washington Post reports on a new VoIP Phishing (Vishing) scheme targeting Bank of America customers. The scam appears as an official-looking Bank of America email and tries to convince the victim to dial a toll-free number to sort out some account problems. Once the victim dials that number, they’re prompted to enter their account number and secret PIN. The evildoers are then able to easily access the bogus system and reconstruct all of the numbers the victim entered. Much like how traditional email phishing attacks flourished in the last couple of years, I absolutely believe that VoIP Phishing scams will skyrocket this year.

For some background, there was a compelling presentation at last year’s BlackHat security conference by Jay Schulman, entitled Phishing with Asterisk (PDF). In his presentation, Jay showed how easy it was for attackers to use Asterisk PBX to set up a spoofed banking automated attendant and route all calls to a toll-free number through to that PBX. Additionally, Mark Collier and I devoted an entire chapter to VoIP Phishing in our book, Hacking Exposed: VoIP.

I’ve included a snapshot below of one of the first VoIP Phishing emails targeting PayPal that emerged last year that we showcased in our book.

Skype Protocol Cracked?

Friday, July 14th, 2006 by

Several news sources are reporting that an unnamed 10-person Chinese company has successfully reverse engineered the Skype protocol. This company is supposedly planning to release their own software in two weeks that takes advantage of Skype’s networks.

The main source of this information seems to be the blog posting of Charlie Paglee, the CEO of Vozin Communications. The posting details a Skype call Paglee supposedly received from his Chinese contact at this unnamed company, through a non-Skype client. Several news outlets are reporting on this:

VuNet
NetworkWorld
TechWorld
SecurityProNews

So far, no mention of this on Skype’s security blog.

Cisco Unified CallManager Vulnerabilities

Wednesday, July 12th, 2006 by

Cisco announced vulnerabilities today in Unified CallManager versions 5.x:

Cisco Unified CallManager (CUCM) 5.0 has Command Line Interface (CLI) and Session Initiation Protocol (SIP) related vulnerabilities. There are potential privilege escalation vulnerabilities in the CLI which may allow an authenticated administrator to access the base operating system with root privileges. There is also a buffer overflow vulnerability in the processing of hostnames contained in a SIP request which may result in arbitrary code execution or cause a denial of service. These vulnerabilities only affect Cisco Unified CallManager 5.0.

The remote code execution SIP vulnerability is obviously the most concerning of all of these issues. Luckily, it looks like the issue was discovered internally, which means an exploit may not publicly emerge for a while since Cisco’s advisory lacks detail on the actual malformed SIP message required to trigger the flaw.

Skype security

Thursday, June 22nd, 2006 by

RECON (Reverse Engineering Conference) was recently held from June 16-18 in Montreal. One of the presentations involved some in-depth Skype reverse engineering and analysis. The slides for the presentation are available in PDF format for part 1 and part 2. Among other things, the talk covered Skype’s crypto scheme, easter eggs, and general traffic analysis. Worth a read.

Internet pioneers speak out on VoIP wiretapping

Wednesday, June 14th, 2006 by

As a follow-up to Dustin Trammell’s posting about CALEA compliance, the Information Technology Association of America released a report today entitled Security Implications of Applying the Communications Assistance to Law Enforcement Act to Voice over IP. To quote from an InfoWorld article covering the report:

The study, co-authored by several people including TCP/IP co-creator Vinton Cerf and former U.S. National Security Agency encryption scientist Clinton Brooks, comes days after a U.S. appeals court upheld the FCC’s VOIP wiretapping rules. On Friday, the U.S. Court of Appeals for the District of Columbia upheld the ruling, requiring that VOIP providers offering a substitute for traditional telephone service comply with a 1994 telephone wiretapping law called the Communications Assistance for Law Enforcement Act (CALEA).

The FCC did not immediately respond to a request for comments about the ITAA study. But on Friday, FCC Chairman Kevin Martin said allowing law enforcement wiretapping of VOIP calls is of “paramount importance” to U.S. security.

Tracking VOIP calls would be more difficult than tracking calls on the traditional telephone network, because VOIP providers have little control over how their calls are routed across the Internet, said Whitfield Diffie, chief security officer at Sun Microsystems Inc. VOIP providers “have no special Internet privileges” to control traffic, said Diffie, one of the study’s authors.