Archive for the 'Conferences' Category

Isolation vs. Integration

Wednesday, October 24th, 2007 by Dustin D. Trammell

I’ve long been a staunch opponent of the “isolate your VoIP network from your data network” strategy. I personally believe that by putting up such restrictive barriers as would be required to provide any sense of actual security, the owners and administrators of a VoIP deployment are severely limiting the potential value they are able to receive from using Internet telephony. One of the Great Promises of VoIP is the ability to integrate communications with other productivity technologies such as work-group software and CRM applications. A lot of VoIP security practitioners tout the isolation strategy as a solution for the insecurity of the VoIP core devices and endpoints when in reality it is little more than a stop-gap, and not a very good one at that. By providing a false sense of security by way of network isolation, many VoIP deployment administrators may become complacent and pay less attention to the security posture of the actual VoIP devices and endpoints themselves. If you plan to integrate your communications system into the data-flow of your business in even the most minimal way, you’ll find quickly that most types of isolation that are available either provide a barrier to the desired functionality or open up so many holes in the barrier that it may as well not be there.


Speaking at Interop New York tomorrow about VoIP security… and also ISC2 member reception

Wednesday, October 24th, 2007 by Dan York

In a few hours I’ll be boarding a plane back to New York where I’ll be attending Interop New York this afternoon and tomorrow. If any of you reading this will be there, please do drop an email. Tomorrow, I’ll be on a panel at 2:45pm with Jonathan Rosenberg about “Voice-oriented Attacks”. (Side note to Interop: Please make it so that we can link to individual sessions instead of having to link to the entire list of “security”-related sessions!) If you aren’t aware of who Jonathan Rosenberg is, he works for Cisco and is a huge contributor to IETF efforts related to SIP and in fact was one of the co-authors of RFC 3261 which is the primary RFC defining SIP. He’s also the author of “The Hitchhiker’s Guide to SIP” which aims to help guide people through the maze of the many, many documents that now are part of “SIP”. More relevant to tomorrow’s session, he’s also the author of a series of NAT traversal protocols for SIP, namely STUN, TURN and now ICE. Eric Krapf, the moderator of the session, is aiming to make it a more interactive and discussion-focused session (i.e. no slideware-to-death)… we’ll see if we can make it fun as well. I’ve also asked Interop for permission to record it and run it as a Blue Box podcast - we’ll see if they give me permission.
Note that if you are a CISSP, the ISC2 is holding a member reception today (Wednesday October 24, 2007) starting at 5:30 PM in Jacob Javits Center Room 1EO2 - LEVEL 1. Assuming that everything works with my flights today, I’ll be there.
I’ll even have some new business cards to give out… ;-)

P.S. I’ve now been public about who my new employer is.


Suggestions for a “security roadmap” for Asterisk

Tuesday, October 9th, 2007 by Dan York

As I mentioned previously, I was down at the AstriCon conference a few weeks back where I spoke about VoIP security in general and how it applies to Asterisk in particular. At the end of my presentation, I did put forward some suggestions for where the Asterisk community could potentially focus to improve the product’s security. While I intend to put the slides and hopefully the recording online at some point soon, I thought I’d share with you all what I laid out as my suggestions:

  1. TLS-encrypted SIP - Of course, this needs SIP over TCP first…
  2. Secure RTP (SRTP) - There’s a patch that’s been around for quite some time, but it needs to be integrated into the main release. However, it’s not much good without the next item…
  3. SRTP Key Exchange - First an implementation of “sdescriptions” (although again that needs TLS-encrypted SIP) and then later DTLS or potentially ZRTP.
  4. Figure out the phone configuration mess - So that the web servers on the phones can be disabled. Auto-configuration is a start, but how secure are the config files?
  5. Identity - If we are to not be drowning in SPIT, one mechanism that seems pretty sure to factor in would be a way to assert the real identity of the sender. Leading candidate today appears to be RFC 4474 (SIP Identity).
  6. Watch out for the APIs and the apps - Always fun when a rolodex app can crash your phone system!
  7. Toll fraud - What specific tools are in Asterisk to prevent toll fraud? Can they be enhanced?
  8. Testing with tools - There are a ton of VoIP security tools out there. Can Asterisk be tested with those tools?

That was my list that I spoke about at AstriCon. Do you agree? Disagree? What would your list include?


Asterisk - what would your “security roadmap” for Asterisk be?

Tuesday, September 25th, 2007 by Dan York

If you are an Asterisk user, what do you see as the “security features” that it needs to have? I’m out here at the annual AstriCon event in Phoenix, Arizona, where on Thursday I am giving an “industry perspective” under the title: “Hacking and Attacking VoIP Systems - What You Need to Worry About”. Given that I’m doing the talk under the VOIPSA banner, I’ll be giving my “standard” view on what the main threats are to VoIP, the tools that are out there to attack them and the best practices to protect against those threats. However, whenever I do this kind of “industry view” at a conference like this, I always try to include a section at the end that is specific to the audience.

So in this case, I thought I’d tack on a bit at the end about a “security roadmap” for Asterisk, i.e. what are the top 5 things that Asterisk developers should be thinking about. My slides are actually done (and I’m currently at 6 items on the list), but I’m not going to really post them here until I give my talk. (Come on, I have to have a bit of suspense, don’t I?) In the meantime, I thought I’d ask the question here on the blog:

What security features do you think are necessary in Asterisk?

Well, okay, I’ll list three obvious ones: 1) TLS-encrypted SIP; 2) SRTP (yes, there’s a patch, but it’s not in the main load); and 3) SRTP key exchange (sdes, DTLS, ZRTP, etc.)

But what are the other three on my list? And what would be on your list? (And if you list some great ones I haven’t thought of I’ll be sure to credit you in my preso.)

By the way, Thursday should be an interesting day (for me) here at AstriCon because there are actually three talks related to security. Obviously mine but then one right before me from someone named Mike Storella and titled “Realizing the Benefits of a Secure VoIP Telephony System” and one in the afternoon from a Patrick Young titled “Enterprise VoIP Security”. It will be entertaining to see if we are all reading from the same general pages. I’m also going to see if I can get their permission to record the sessions and put them out as Blue Box special editions. We’ll see.

In the meantime, if any of you reading this are attending AstriCon, feel free to drop me a note as I always enjoy meeting up with readers.


Blue Box Video Edition #01: SIP softphone exploit demonstration by Sipera Systems at VoiceCon San Francisco 2007

Tuesday, August 28th, 2007 by Dan York

Over on the Blue Box site, I’m pleased to announce that I uploaded Blue Box Video Edition #1, our very first experiment with adding a video component to the podcast.  In this 5-minute video, I was out at VoiceCon San Francisco last week and interviewed Sachin Joglekar from Sipera Systems about the SIP softphone exploit they first demonstrated at Black Hat.  Comments and opinions are definitely welcome.  Would you like to see more of these types of videos?

VoiceCon: Dave Endler & Mark Collier’s "IP Telephony Security Threats and Countermeasures"

Monday, August 20th, 2007 by Dan York

 

Today here at VoiceCon in San Francisco, Dave Endler and Mark Collier (both of whom are involved with VOIPSA) gave a 3-hour tutorial on “IP Telephony Security Threats and Countermeasures”.  For those who have read Dave and Mark’s “Hacking Exposed: VoIP” book, the tutorial followed the overall flow of the book.  They began with Dave talking about gathering information about a target, using scanning, enumeration, Google-hacking, etc.  Dave continued with talking about attacking the network through DoS, eavesdropping and then network interception - and the appropriate countermeasures to defend against the attacks.  After the break, Mark went into attacks against Avaya systems and appropriate countermeasures.  Dave followed with a similar section on attacks and countermeasures for Cisco systems.  Mark came back to talk about attacks against applications, fuzzing and ultimately social attacks such as SPIT and voice phishing.  Mark also spent a good amount of time talking about the various tools they developed as part of the book. Mark noted that they have updated the tools available on hackingvoip.com and will be making more updates in the coming months.

In his section on attacking Avaya systems, Mark Collier stressed a point we’ve made here on this blog:

“It’s great to have encryption enabled for signaling and voice and to buy phones that support it.  Encryption is great and I highly recommend it.  But if you don’t disable telnet or change default passwords, all that secure encryption really isn’t worth much.”

Indeed!

All in all a great session for folks looking for an introduction to VoIP security attacks and appropriate countermeasures.

BlackHat/DEFCON VoIP Security Tools Update

Wednesday, August 15th, 2007 by Dustin D. Trammell

There were a number of new tools released at the recent BlackHat and DEFCON conferences that I’ve just finished adding to the VoIPSA Security Tools List.

First, during the BlackHat Voice Services Security track, Himanshu Dwivedi & Zane Lackey spoke about attacks against H.323 and IAX. They released a number of tools including H225regreject, IAXHangup, IAXAuthJack, and IAX.Brute. Now you can easily launch many of the same attacks (as well as a few new ones) that you’ve known and loved from attacking SIP against both H.323 and IAX.

Next, Zane Lackey & Alex Garbutt debuted their RTPInject tool during the BlackHat turbo-talk track. It’s essentially a nice, pretty, easy to use GUI version of the RTP audio injection attack that I demoed last year at EUSecWest using the rtpinsertsound and rtpmixsound tools.

At DEFCON, Ian G. Harris released a tool called INTERSTATE which is a stateful protocol fuzzer for SIP.

Finally, I released my new RTP steganography tool, SteganRTP, at DEFCON. It uses steganographic data embedding techniques to create a covert channel in an RTP session’s audio payloads which it uses to transport its own custom communications protocol. The protocol provides user chat, file transfer, and remote shell access (if enabled).

All of the tools mentioned above can be found via the VoIPSA Security Tools List.

How to Break Asterisk

Wednesday, August 15th, 2007 by Martyn Davies

Just to show that VoIP security is not all about SIP, researchers Himanshu Dwivedi and Zane Lackey from iSEC Partners have produced some interesting material on vulnerabilities in IAX, which they just presented at the recent Black Hat conference. IAX (pronounced eeks) as you may know, is a proprietary protocol often used to connect together Asterisk servers for the purposes of call routing. Implementors say that it is simpler than SIP, and also tunnels through firewalls better than SIP, thanks to a ‘VPN like’ approach that tunnels signalling and media together down the same pipe.

iSEC came up with a number of novel attacks including exploiting authentication problems with the use of MD5 hashes; man-in-the-middle and DoS. They have a very nice paper here that describes their attacks in detail, and they have also made available some code (in Python) that you can use for your own experimentation.

Not stopping at IAX, they also had a go at the granddaddy of VoIP protocols, H.323, and have published a couple of attack tools there too. It’s enough to keep you busy all Summer long.

More: Black Hat USA 2007 abstracts
iSECPartners

Podcast: "The Real Risks of VoIP Security" Panel from VON Europe 2007 in Stockholm, Sweden

Monday, August 6th, 2007 by Dan York

Were you unable to get to VON Europe ‘07 in Stockholm, Sweden back in June to hear the panel session on “The Real Risks of VoIP Security”?  Well now you can hear it.  Blue Box Special Edition #19 is now available for download.

In this session, our own Martyn Davies is the moderator and the panelists are Ari Takanen of Codenomicon, Cullen Jennings of Cisco and Akif Arsoy of Verisign.  Readers of the VOIPSEC mailing list will have seen posts from Ari at various times and it’s hard to escape Cullen in the world of IETF standards!  Rather than just going through endless slides, the panel engaged in a conversation based on questions from Martyn and then the audience.   It was a lively session with lots of good questions, interaction from all three of the panelists and Martyn with the audience… and Cullen making the kind of statement “that every time someone from Cisco makes a statement like this we make ourselves subject to attack” (you’ll have to listen to understand that teaser :-)

I think you’ll find it both enjoyable and educational.  Thanks to Martyn for producing the recording and for Ari, Cullen and Akif for agreeing to have it distributed.  Thanks also to Carl Ford, Jeff Pulver and the rest of the VON team for allowing us to record and distribute the session.

Jonathan and I welcome any and all comments about these special editions.  You can leave them here on the VOIPSA weblog, on the Blue Box weblog, sent to blueboxpodcast@gmail.com or called in to our comment lines at +1-206-350-2583 or sip:bluebox@voipuser.org.

Anyone attending Black Hat or Defcon interested in providing reports into the Blue Box podcast?

Thursday, July 26th, 2007 by Dan York

Are you attending Black Hat next week in Las Vegas (July 29-Aug 2)? Or the Defcon show that follows? If so, would you be willing to provide a report (either audio or written) for us to include in a future Blue Box podcast (or potentially post on the VOIPSA blog)? Neither Jonathan nor I (nor Martyn) are going to be attending Black Hat or Defcon but there do look to be a number of quite interesting talks involving VoIP security.  If you would be willing to send in a report from Black Hat or Defcon just briefly talking about what is discussed at the sessions there, please do drop us an email as we’d love to have such contributions.

FYI, if you want to try audio, contributions could be either: 1) recorded using something like Audacity and then sent by email; or 2) simply called into our comment line (+1-206-350-2583 or sip:bluebox@voipuser.org).
