Category Archives: Books

New Book: Seven Deadliest Unified Communications Attacks

As some readers may already know, Syngress has now published a book I wrote, “Seven Deadliest Unified Communications Attacks” that dives into the threats to communications systems and the strategies to protect your systems. It is part of a series of “Seven Deadliest <topic> Attacks” books that have come out over the past couple of months. (And yes, there are seven books in the series.)

As I explained in this video, my intent was not so much to write a book about “VoIP security” but rather to take a look at a slightly larger level at the overall systems that we are connecting together under the name of “unified communications”. When we have voice, video, instant messaging, presence… coming from multiple different systems and then distributed over the global IP network… how do you secure it all?

The book was really my attempt to put in print form many of the themes we have written about on this site, talked about on the Blue Box Podcast and discussed in the VOIPSEC mailing list.

I do want to thank a couple of people in the VOIPSA circles… as I noted in the Acknowledgements, Dustin D. Trammell was an outstanding technical editor – and Andy Zmolek provided some excellent comments and thoughts. Longtime friend and VOIPSA blog contributor Martyn Davies had some helpful feedback, too, as did Scott Beer over at Ingate Systems.

Anyway, the book is out there… and I’ve put up a companion web site at www.7ducattacks.com where I’ll be listing additional resources, errata, updates, etc. There is also a Facebook page for the book. Feedback is definitely welcome (and yeah, I wouldn’t be opposed if you bought a copy or two 😉 ). I’m doing some interviews and podcasts about the book… if you are interested in interviewing me for your site or show, please contact me.

My hope with the book is that in some small way it can help encourage and spread the discussions we all have been having here… and in the end help our communications systems be a bit more secure. Thanks to all of you who have been reading posts here, commenting on them, participating in VOIPSEC and asking great questions.

P.S. If you are available tomorrow, Friday, May 20th, at 1pm US Eastern time, I’ll be interviewed live on the VoIP Users Conference call. Anyone is welcome to join in, listen, and ask questions.

“Indy Review” – Cisco: IP Communications, Voice over IP Security

Cisco Press and Patrick Park released, “Cisco: IP Communications, Voice over IP Security” in the beginning of 2009. There is a good knowledge transfer in this book for newcomers and I suspect a bit of review for seasoned practitioners. Nonetheless, you’ll be given a nice primer to VoIP security from the packet level, all the way through architecture. This book is divided into three different areas , which consists of VoIP Security Fundamentals, VoIP Security Best Practices and Lawful Interception (CALEA). I’ll briefly describe some content from each area, to give you a better idea of what is covered in the book and to help you protect your investment. I would encourage anyone reading this book to read the VoIPSA Threat Taxonomy version 1, side by side with this book, “http://voipsa.org/Activities/taxonomy.php”

The first part of the book gets into VoIP Security, where you’ll read about inherited and protocol vulnerabilities. You’ll also find that Cisco Press classifies attacks in four categories, which are threats against availability, confidentiality, integrity and social context. They explain call flows and security profiles that are associated with H.323 “D,E,F”, SIP and MGCP. If you have little to no experience with cryptography, they explain the functions and uses of a few implementations that are in use today. If you’re looking for network modeling for architecture and design they have something in the book for you as well.

Switching gears to VoIP Security Best Practices, you’ll be introduced to analysis and simulation of current threats, where they talk about mitigating DoS, sniffing, spoofing and VoIP spam. This section of the book identifies how to secure VoIP protocols with authentication, encryption, transport and network layer security, threat modeling and prevention. They will give you an overview in how SBC’s are deployed and used to resolve DoS, L.I.“Lawful Interception’’, exposed network topology, and performance issues. Then they get into Enterprise Network Devices and security devices, so you’ll be introduced to “Cisco Solutions” like Call Managers, End-Points, ASA’s, PIX’s and FWSM’s.

The last section of the book explains Lawful Interception (CALEA). They talk about requirements and standards that have been developed and implemented in Europe and the United States. There will also be a walk through in how L.I. is generally implemented and “possibly detected”, but the examples in the book are not limited to certain geographic areas or countries.

I would recommend this book to folks who are looking for a solid introduction to VoIP Security. After reading this book, along with the VoIPSA Threat Taxonomy “http://voipsa.org/Activities/taxonomy.php”, you will be aware of the different types of attacks and methods of mitigation that you may use to stop or just stall your next attacker……

New book: “Voice over IP Security” from Cisco…

amazon-voipsecurity.jpgIt appears that there is a new book out on VoIP security named, rather simply, “Voice over IP Security“. It’s from Cisco Press and written by a Patrick Park. I haven’t seen the book yet but ITworld has an interview with the author. Amazon.com of course has some user reviews as well.

Good to see additional books coming out into the field. It will be interesting to see how this compares to the others out there.

P.S. If you have the book and would be interested in writing a review for this site, please feel free to contact me.

Technorati Tags:
, , , ,

Schneier Honoured

Catching up on my reading, I see that Dr Dobb’s Journal honoured crypto guru Bruce Schneier in their April edition with an excellence in programming award.  I’ve been a fan of DDJ since I first came across the magazine in the 1980’s, and (with my software developer hat on) once even had the thrill of contributing to DDJ.

Congratulations, Bruce, coming from one of the World’s top-rank developer publications, I think this is an accolade to really enjoy.