Author Archive

VoIP makes the SANS Top 20 Internet Security Risks of 2007 (again)

Tuesday, November 27th, 2007 by David Endler

The SANS Institute just released the annual update of its Top 20 Internet Security Risks of 2007. Yet again this year VoIP made the list, with a sample of the VoIP vulnerabilities disclosed over the past year. Check it out. For those of you who don’t want to read the entire document, a decent executive summary is available here.

VOIPSA Releases its VoIP Security Tools List

Wednesday, March 14th, 2007 by David Endler

I’m pleased to announce the public release of VOIPSA’s VoIP Security Tool List. The list was developed to fill the current void of VoIP security testing resources and sites, for vendors and VoIP users alike. It is divided into the following seven broad categories:

  • VoIP Sniffing Tools
  • VoIP Scanning and Enumeration Tools
  • VoIP Packet Creation and Flooding Tools
  • VoIP Fuzzing Tools
  • VoIP Signaling Manipulation Tools
  • VoIP Media Manipulation Tools
  • Miscellaneous Tools

Special thanks to VOIPSA members Shawn Merdinger and Dustin Trammell who created the list and have graciously agreed to maintain it. For more information about the tools list, you can listen to Dan York and Jonathan Zar discuss it in Blue Box Podcast #54 and also with Shawn Merdinger in Blue Box Special Edition #16 available at http://www.blueboxpodcast.com.

Phone “Phreakers” Steal Minutes

Monday, March 12th, 2007 by David Endler

The March 19th edition of Newsweek has an article about cyber thieves stealing VoIP minutes by hacking into VoIP providers’ gateways. It’s the first time I’ve actually seen real numbers put on VoIP theft:

‘These thieves steal 200 million minutes a month, worth $26 million, says New York telecom Stealth Communications. With more than 5,000 wholesale-minutes markets worldwide, located mainly on Internet forums, fraud is hard to track. Emmanuel Gadaix, head of TSTF, a Hong Kong firm that investigates VoIP thefts, says it’s “very easy to set up a temporary link” through a hacked gateway. His company was recently hired by a Panamanian telecom that lost $110,000 to phreakers. TSTF followed tracks, in vain, that snaked through Bulgaria, Canada, Costa Rica, Hong Kong and the United States. Phreaker trails are “way too complicated” to track successfully, says Gadaix.’

This brings up memories of the Edwin Pena case, in which he was able to rake in over $1 million USD in profits from stealing and reselling VoIP minutes from several providers.

Does anyone know for sure how these VoIP provider gateways are being broken into? Default passwords? Well known vulnerabilities in the operating system? Stolen access codes?

New VoIP Phishing Scheme

Thursday, March 8th, 2007 by David Endler

Brian Krebs of the Washington Post reports on a new VoIP phishing (vishing) scheme targeting Bank of America customers. The scam arrives as an official-looking Bank of America email that urges the victim to dial a toll-free number to sort out a supposed account problem. Once the victim dials that number, an automated attendant prompts them for their account number and PIN. Because the attackers run the bogus system, every digit the victim keys in is simply recorded on their side. Much as traditional email phishing flourished over the last couple of years, I absolutely believe that VoIP phishing scams will skyrocket this year.

For some background, there was a compelling presentation at last year’s Black Hat security conference by Jay Schulman, entitled Phishing with Asterisk (PDF). Jay showed how easily an attacker can use the Asterisk PBX to stand up a spoofed banking automated attendant and route all calls to a toll-free number through to that PBX. Mark Collier and I also devoted an entire chapter to VoIP phishing in our book, Hacking Exposed: VoIP.

I’ve included a snapshot below of one of the first VoIP phishing emails targeting PayPal that emerged last year, which we showcased in our book.

Skype Protocol Cracked?

Friday, July 14th, 2006 by David Endler

Several news sources are reporting that an unnamed 10-person Chinese company has successfully reverse engineered the Skype protocol. The company is supposedly planning to release its own software, which would ride on Skype’s network, within two weeks.

The main source of this information appears to be a blog posting by Charlie Paglee, the CEO of Vozin Communications. The posting describes a Skype call Paglee supposedly received from his contact at the unnamed Chinese company, placed from a non-Skype client. Several news outlets are reporting on this:

VuNet
NetworkWorld
TechWorld
SecurityProNews

So far, no mention of this on Skype’s security blog.

Cisco Unified CallManager Vulnerabilities

Wednesday, July 12th, 2006 by David Endler

Cisco today announced vulnerabilities in Unified CallManager 5.0:

Cisco Unified CallManager (CUCM) 5.0 has Command Line Interface (CLI) and Session Initiation Protocol (SIP) related vulnerabilities. There are potential privilege escalation vulnerabilities in the CLI which may allow an authenticated administrator to access the base operating system with root privileges. There is also a buffer overflow vulnerability in the processing of hostnames contained in a SIP request which may result in arbitrary code execution or cause a denial of service. These vulnerabilities only affect Cisco Unified CallManager 5.0.

The SIP buffer overflow is the most serious of these issues: it is triggered by a crafted SIP request arriving over the network and can lead to arbitrary code execution, whereas the CLI issues require an already authenticated administrator. The flaw appears to have been found internally, and Cisco’s advisory gives no detail on the malformed SIP message that triggers it, so a public exploit may not emerge for a while.
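The advisory says only that a hostname carried in a SIP request overflows a buffer. The following is an added illustration of that bug class, written for this page and not Cisco’s code: a parser that pulls the host out of a SIP Via header, first in the unbounded shape that produces a stack overflow, then in a bounded form that rejects anything that does not fit. The choice of the Via header, the HOST_MAX buffer size, and the sample messages are all assumptions for the demonstration; the advisory does not say which header or buffer was involved.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Added illustration, not Cisco's code. Models the advisory's bug class
 * (a hostname from a SIP request copied into a fixed buffer) on a Via
 * header, beside a bounded parser. HOST_MAX and the messages are assumed.
 */

#define HOST_MAX 64        /* assumed size of the fixed-size buffer */
#define DNS_NAME_MAX 255   /* RFC 1035 limit on a full domain name */

/* Find the host in a Via value such as
 * "SIP/2.0/UDP pbx.example.net:5060;branch=z9hG4bK776"
 * (sent-protocol, whitespace, host[:port][;params], RFC 3261 20.42).
 * Returns a pointer to the host and its length, or NULL if malformed. */
static const char *via_host(const char *via, size_t *len)
{
    const char *h = strchr(via, ' ');
    if (h == NULL)
        return NULL;
    while (*h == ' ')
        h++;
    size_t n;
    if (*h == '[') {                       /* bracketed IPv6 literal */
        const char *end = strchr(h, ']');
        if (end == NULL)
            return NULL;
        n = (size_t)(end - h) + 1;
    } else {
        n = strcspn(h, ":;, \t\r\n");
    }
    if (n == 0)
        return NULL;
    *len = n;
    return h;
}

/* Vulnerable shape: the copy length comes straight from the message, so a
 * host longer than HOST_MAX-1 bytes writes past 'host' on the stack. Shown
 * for contrast only; never call it on untrusted input. */
int via_host_unsafe(const char *via)
{
    char host[HOST_MAX];
    size_t n;
    const char *h = via_host(via, &n);
    if (h == NULL)
        return -1;
    memcpy(host, h, n);                    /* no bound: n is attacker-controlled */
    host[n] = '\0';
    return (int)strlen(host);
}

/* Hardened: reject anything that does not fit the buffer, exceeds the DNS
 * name limit, or contains bytes a hostname or IPv6 literal cannot hold. */
int via_host_safe(const char *via, char *out, size_t outsz)
{
    size_t n;
    const char *h = via_host(via, &n);
    if (h == NULL)
        return -1;                         /* malformed Via */
    if (n >= outsz || n > DNS_NAME_MAX)
        return -2;                         /* too long: refuse before copying */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)h[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':' || c == '[' || c == ']'))
            return -3;                     /* unexpected byte in host */
    }
    memcpy(out, h, n);
    out[n] = '\0';
    return (int)n;
}

/* Runs the safe parser into a HOST_MAX buffer and returns its result. */
int check_via(const char *via)
{
    char host[HOST_MAX];
    return via_host_safe(via, host, sizeof host);
}

/* Constructed attack message: a 300-byte hostname, over both limits. */
int check_oversize_via(void)
{
    char via[400];
    const char *prefix = "SIP/2.0/UDP ";
    size_t p = strlen(prefix);
    memcpy(via, prefix, p);
    memset(via + p, 'a', 300);
    via[p + 300] = '\0';
    strcat(via, ":5060;branch=z9hG4bK776");
    return check_via(via);
}

int main(void)
{
    const char *benign = "SIP/2.0/UDP pbx.example.net:5060;branch=z9hG4bK776";
    char host[HOST_MAX];
    int n = via_host_safe(benign, host, sizeof host);
    printf("benign: rc=%d host=%s\n", n, host);
    printf("benign through unsafe parser: rc=%d\n", via_host_unsafe(benign));
    printf("300-byte host: rc=%d (rejected before any copy)\n", check_oversize_via());
    return 0;
}
```

Build with `cc -Wall -o viahost viahost.c && ./viahost`. The point of the bounded version is that the length check happens before any byte is copied, and that it is checked against the destination buffer’s actual size rather than a constant the caller might get wrong; the character whitelist is a second line of defence that also stops oddities such as embedded control bytes from reaching later logging or DNS code.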

Skype security

Thursday, June 22nd, 2006 by David Endler

RECON (the Reverse Engineering Conference) was held June 16-18 in Montreal. One of the presentations was an in-depth reverse engineering and analysis of Skype. The slides are available in PDF format as part 1 and part 2. Among other things, the talk covered Skype’s crypto scheme, Easter eggs, and general traffic analysis. Worth a read.

Internet pioneers speak out on VoIP wiretapping

Wednesday, June 14th, 2006 by David Endler

As a follow-up to Dustin Trammell’s posting about CALEA compliance, the Information Technology Association of America today released a report entitled Security Implications of Applying the Communications Assistance to Law Enforcement Act to Voice over IP. To quote from an InfoWorld article covering the report:

The study, co-authored by several people including TCP/IP co-creator Vinton Cerf and former U.S. National Security Agency encryption scientist Clinton Brooks, comes days after a U.S. appeals court upheld the FCC’s VOIP wiretapping rules. On Friday, the U.S. Court of Appeals for the District of Columbia upheld the ruling, requiring that VOIP providers offering a substitute for traditional telephone service comply with a 1994 telephone wiretapping law called the Communications Assistance for Law Enforcement Act (CALEA).

The FCC did not immediately respond to a request for comments about the ITAA study. But on Friday, FCC Chairman Kevin Martin said allowing law enforcement wiretapping of VOIP calls is of “paramount importance” to U.S. security.

Tracking VOIP calls would be more difficult than tracking calls on the traditional telephone network, because VOIP providers have little control over how their calls are routed across the Internet, said Whitfield Diffie, chief security officer at Sun Microsystems Inc. VOIP providers “have no special Internet privileges” to control traffic, said Diffie, one of the study’s authors.

Discussion on Skype/Softphone Security

Thursday, June 8th, 2006 by David Endler

There’s a fairly spirited discussion happening on the VOIPSEC mailing list regarding the security of Skype and other softphones. VOIPSEC is a mailing list hosted by VOIPSA that is dedicated to discussing VoIP security topics. You can join in the debate by signing up for VOIPSEC here.

Hacker cracks Net phone providers for gain

Wednesday, June 7th, 2006 by David Endler

The New York Times is reporting on Edwin Andres Pena, a 23-year-old Miami resident who was arrested today by federal authorities. The Feds allege that Pena ran a scheme to sell discounted Internet phone service by breaking into other Internet phone providers and piggybacking connections through their networks, unbeknownst to them. According to the story:

To evade detection, Pena is said to have hacked into computers run by an unsuspecting investment company in Rye Brook, N.Y., commandeered its unprotected servers and re-routed his phone traffic through them. These steps made it appear as if that company was sending calls to more than 15 Internet phone companies.

In one three-week period, for instance, prosecutors say that one of the victimized Internet phone providers, based in Newark, received about 500,000 calls that were made to look as if they came from the company in Rye Brook. The Newark company was left having to pay $300,000 in connection fees for routing the phone traffic to other carriers, without receiving any revenue for the calls, prosecutors said.

You can read the entire story here.