Archive for the 'Conferences' Category

Anyone attending Black Hat or Defcon interested in providing reports into the Blue Box podcast?

Thursday, July 26th, 2007 by Dan York

Are you attending Black Hat next week in Las Vegas (July 29-Aug 2)? Or the Defcon show that follows? If so, would you be willing to provide a report (either audio or written) for us to include in a future Blue Box podcast (or potentially post on the VOIPSA blog)? Neither Jonathan nor I (nor Martyn) are going to be attending Black Hat or Defcon but there do look to be a number of quite interesting talks involving VoIP security. If you would be willing to send in a report from Black Hat or Defcon just briefly talking about what is discussed at the sessions there, please do drop us an email as we’d love to have such contributions.

FYI, if you want to try audio, contributions could be either: 1) recorded using something like Audacity and then sent by email; or 2) simply called into our comment line (+1-206-350-2583 or sip:bluebox@voipuser.org).


BlueBox podcasts of ETel "Black Bag Security Review" presentations now available with audio synced to slides

Wednesday, July 25th, 2007 by Dan York

Over on the Blue Box site, I just posted about two VoIP security presentations that are now available with the audio synchronized with slides courtesy of a new “slidecasting” interface created by SlideShare.net. The two presentations are:

  • the 15-minute “story” I did of “SysAdmin Steve” and the troubles he faces (audio was first available as Blue Box SE#15)
  • the 90-minute workshop that Jonathan, Shawn and I did covering VoIP security threats, tools, best practices and more (audio was first available as Blue Box SE#16)

I’m intrigued by the slidecasting interface because to me it allows people who could not attend to experience the presentation in a manner close to what attendees saw.  Anyway, any feedback you all have would be welcome.

IPTComm 2007, Day Two

Friday, July 20th, 2007 by Martyn Davies

Day two opens with a keynote from Jonathan Rosenberg, one of Henning Schulzrinne’s early collaborators on SIP. Rosenberg went on from Columbia University to Dynamicsoft, later Cisco Systems where he is now a Fellow. Rosenberg is still active in IETF work related to SIP, and was principal author of NAT traversal techniques, STUN and ICE.

Rosenberg touched on many topics in his presentation on the challenges for IP telephony, but of course one of the challenges he talked about was SPIT or voice SPAM. He said that one basic decision point is whether you know the caller or not. As long as we have strong identity on VoIP networks, it’s possible to keep a white list of permitted callers. Then the problem becomes how to enroll people on to that list in the first place.

Safely letting in people that you don’t know opens the field to a whole range of different techniques. Some that he mentioned include: consent and reputation systems; CAPTCHAs; computational puzzles and payments at risk. Some of these he outlined as more promising than others, but the point is that this problem is not solved yet, and in fact is an ongoing discussion in the IETF and elsewhere.

IPTComm 2007, Day One

Thursday, July 19th, 2007 by Martyn Davies

Day one of IPTComm brings a whole raft of VoIP Security topics: Saverio Niccolini of NEC Philips spoke about a holistic approach to VoIP intrusion detection and prevention, including the use of a “honeypot” to draw attacks away from the true telephony service to a dummy that can help in analysis of attacks. Jens Fiedler of Fraunhofer FOKUS spoke about VoIP Defender, a prototype system that allows the dynamic analysis of SIP traffic, with realtime generation of filter rules, then applied back to the signalling traffic. Ali Fessi (Univ. of Tuebingen) spoke about CoSIP, an attempt to marry traditional SIP servers with a P2P SIP approach, with the aim of improving resilience to system failures or DoS attack. Humberto Abdelnur (INRIA) described KIF, a stateful SIP fuzzer. Rather than the approach taken by the PROTOS toolset, KIF is SIP-specific, and understands not just the grammar, but also to some extent the context and behaviour of SIP, in order to better test for vulnerabilities in SIP-based products. Finally Ge Zhang (Fraunhofer FOKUS) spoke about DoS attacks on VoIP, based on attacks on the DNS server, which of course the SIP Proxy depends upon for its function. He also described some limited defences against this threat.

Interestingly, Henning Schulzrinne told us in his opening remarks that our host, Columbia University NY, recently experienced its own SPIT (Internet Telephony SPAM) attack, with someone accessing the Proxy, and “war dialling” a lot of IP phone extensions. There have been few real-life examples of this so far, but you can see that large IP communities, like universities, are likely to attract such attacks.

It’s Just Not Meant To Be Open

Tuesday, July 3rd, 2007 by Martyn Davies

At Spring VON Europe, Ari Takanen said something very interesting about security of legacy interfaces in the panel session on The Real Risks of VoIP Security. In the discussion of established phone networks versus VoIP or next generation networks, he pointed out that “some interfaces are not designed to be open”, and therefore these can be particularly vulnerable to attack if for some reason that interface does get revealed. Ari gave the example of MGCP, the protocol that allows control of media gateways used in the PSTN.

MGCP is a functional interface that allows an application, or controller, to remotely instruct a media gateway how to handle a call, for example play a tone or voice prompt, perhaps wait for DTMF input. MGCP is designed for a tight relationship between controller and media gateway, but in its very design it is assumed that both components are secure inside a carrier’s network, and so security of the interface is a secondary concern. This means that should an ‘evil’ application get access to the MGCP interface, it can perform DoS attacks and other mayhem, and disrupt the operation of essential services, for example IVRs and prepay services.

As we transition from legacy PSTN (SS7) networks to NGN, there are going to be some shocks along the way. PSTN networks are closed today, with all the signalling hidden behind borders that potential hackers have no access to. However, as tools like SIGTRAN make telcos more and more embrace the TCP/IP world, all sorts of interfaces that should be concealed will from time to time offer new opportunities for hackers to try. We don’t have to switch the whole system over to SIP before enhanced security for telephony should be on the agenda.

IPTComm 2007 Conference Agenda Published

Friday, May 25th, 2007 by Martyn Davies

The papers are in and the conference agenda is now published.

There’s plenty of meat here for those interested in VoIP Security, with talks on intrusion detection and prevention, SIP security architecture, SIP fuzzing and DoS prevention. Jeff Pulver will deliver the keynote, and many of the speakers are the same people that create such interesting discussion trails on the Voipsec list anchored on this site.

If you’re in New York July 19th/20th, it’s going to be a great session. Registration is open here.

Security: A Question of Balance

Monday, May 21st, 2007 by Martyn Davies

According to Silicon.com, Ivan Krstić, Director of Security Architecture for the One Laptop Per Child project, used a keynote speech at AusCERT 2007 to criticize the architecture of modern operating systems, which allow every application to run with maximum access rights to the machine.

This is of course a topic that exercises many security managers these days, since there are so many things that a multimedia PC can do today, including playing, recording and editing music & video; creating and editing images and text; phoning, instant messaging and video calling. What is more there are vast numbers of applications that can be rapidly bought and downloaded from the Internet, giving near instant on-demand installation of nearly any type of application. For convenience, most users run in administrator mode all the time, as it avoids answering pesky questions when we want to install and gratify our need for new software.

Many VoIP users run softphones on their PCs. Softphones are cheap, and can be extremely convenient to use. They also create new possibilities, like being able to record calls or teleconferences without spending a lot of money on recording hardware and software. From a security point-of-view, of course, this is a risk, since the softphone can control all the facilities of your PC, has access to the disk drive, and could potentially record audio, or perhaps even all LAN traffic, without you knowing. From a LAN architectural point of view, some experts say that you should use VLANs, so that VoIP phone handsets and PCs cannot interact with each other’s traffic. This would avoid a PC being able to initiate SIP calls (if, say, a malicious user wanted to run some SIP scanning software on a machine), but if you want the convenience of running softphones, then the PCs must be able to make SIP calls, so really VLANs are out.

So once again it really comes down to security versus convenience. We can lock down PCs completely and make them “safe”, but then you could argue that users will be less productive, if the IS department must get involved whenever any new thing will be installed. At the other end of the scale, letting users install everything they want, from wherever, whenever they feel like it, is a recipe for a security disaster. It’s a balance, and that is one of the reasons that security is a difficult area.

To talk about the One Laptop Per Child project for a moment, this is an effort to build a $100 laptop (the XO) that can be made in the millions to provide to school children everywhere. If you haven’t heard of this before, I strongly recommend that you watch the video from TED 2006 where Nicholas Negroponte explains what they are trying to do. A very worthwhile project and this video is 18 minutes of gold dust. Describing one of their pilot projects in a remote village in Cambodia, Negroponte says of the children with their laptops: “They only know Skype, they’ve never heard of telephony.”

Gold on VoIP Security

Monday, April 2nd, 2007 by Martyn Davies

Over on his blog Steve Gold laments the lack of focus on VoIP Security at the recent VoIP for Business event in London, and also talks about the failure of Ofcom (the Office of Communications in the UK) to take on the issue in their recently published VoIP service provider regulations. 

For those that don’t know the name, Gold is a security consultant of some pedigree: he was famously prosecuted by the UK government back in the 1980’s for compromising accounts in the Prestel system, a videotex system that was one of the world’s first online networks.  The failure of this prosecution led to the drafting of the Computer Misuse Act in the UK.

ETel VoIP security session - “The Story of SysAdmin Steve” - now available as a podcast

Tuesday, March 13th, 2007 by Dan York

At O’Reilly’s 2007 Emerging Telephony conference last week in San Francisco, I had the opportunity to give a 15-minute presentation to all attendees about VoIP security. Rather than doing the traditional slideware outlining the threats, tools, best practices, etc., I tried to do something very different and simply tell a story of what could happen if a VoIP system were installed in an insecure manner - and how to go about securing that system. I tried to make it interesting and humorous (something not often tied to VoIP security) and the feedback at the show was quite positive. The audio and slides are now available over at Blue Box and I’d definitely be interested in any feedback you all have about the presentation, either in content or style.

Combatting Voice SPAM with VoIP SEAL

Tuesday, February 20th, 2007 by Martyn Davies

One of the highlights of 3GSM Barcelona for me was visiting NEC at their stand, and seeing their demonstrations in action. There was some discussion in the VoIP and security space over the last weeks about a server technology called VoIP SEAL that NEC were to demonstrate at the show, and I was keen to see this in action. VoIP SEAL is a system that attempts to defend a VoIP system against VoIP SPAM or SPIT (SPAM over Internet Telephony).

Luckily, at the time I visited the stand, Saverio Niccolini of NEC was there. Saverio is a prominent researcher for NEC, and was a speaker at the 3rd Annual VoIP Security Workshop last year, which I attended and wrote about here. It was great to meet up with Saverio, and he showed me the VoIP SEAL demo himself.

To briefly summarize the system, VoIP SEAL combines a number of different techniques to detect a suspicious VoIP call. Each module does a test and produces a score or index, and at the end the indices are weighted and combined to give an overall score that measures how ‘dangerous’ a call might be. For example, there are modules that can apply blacklist or whitelist logic; measure SIP INVITE rates; test reputation or check that different SIP URIs are not coming from the same IP address. So, each module is dedicated to measuring for a particular exploit or security aspect, and they can be combined in different ways, with different weights.

An interesting part of VoIP SEAL is that it can apply tests in two phases: firstly before answering the call and then after picking up. In the first phase, the ‘suspiciousness level’ of a call can be assessed, and if the level is low, the second phase can be skipped, simply connecting the call to the recipient. However, if the level passes a configured threshold, the call is diverted to a specialized answer machine that can apply further tests. Having this two-phase approach helps to minimize false positives, where genuine human callers get trapped in the system and can’t get through.

In phase 2, VoIP SEAL can measure the speech energy when a greeting or outgoing message is being played. For a genuine human caller, this energy should be low, as humans tend to listen rather than talk over greetings. A bot or SPAM application will behave differently, perhaps starting to stream audio continuously as soon as the media channel is available. There are more sophisticated audio CAPTCHA tests (Turing Tests) that can also be applied to attempt to tell the difference between a human and a bot. If the call is considered suspicious, it can just be allowed to play its message into a voicemail SPAM queue, and perhaps this queue would be periodically reviewed by an administrator to make sure that the VoIP SEAL was working effectively and not trapping too many real human callers.

If you want to hear more about VoIP SEAL, I recorded an interview with Saverio where he explains it in more detail. This interview will be coming up in a future edition of the Bluebox Podcast, run by two of our VOIPSA Chairs, Dan York and Jonathan Zar.
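The two-phase scoring described in this post, sketched as an added Python example; it is not NEC's code or part of the original post. The module names, weights, thresholds and sample calls are assumptions, since the post gives no numeric values.

```python
from dataclasses import dataclass

# Assumed values for illustration only; the post gives no weights or thresholds.
WEIGHTS = {"blacklist": 0.4, "invite_rate": 0.3, "reputation": 0.2, "uris_per_ip": 0.1}
DIVERT_THRESHOLD = 0.5     # phase 1 score at or above this goes to the answer machine
TALK_OVER_LIMIT = 0.3      # share of greeting frames that may contain caller speech

@dataclass
class Call:
    from_uri: str
    invites_last_minute: int   # SIP INVITEs seen from this source
    reputation: float          # 0.0 = bad, 1.0 = good, 0.5 = unknown
    uris_from_same_ip: int     # distinct SIP URIs observed from the source IP

def module_indices(call, blacklist):
    """Phase 1 modules: each yields an index in [0, 1], higher is more suspicious."""
    return {
        "blacklist": 1.0 if call.from_uri in blacklist else 0.0,
        "invite_rate": min(call.invites_last_minute / 30.0, 1.0),
        "reputation": 1.0 - call.reputation,
        "uris_per_ip": min(max(call.uris_from_same_ip - 1, 0) / 5.0, 1.0),
    }

def phase1_score(call, whitelist, blacklist):
    """Weighted combination of the module indices; whitelisted callers score 0."""
    if call.from_uri in whitelist:
        return 0.0
    indices = module_indices(call, blacklist)
    return sum(WEIGHTS[name] * value for name, value in indices.items())

def talk_over_ratio(frame_energies, speech_level=0.1):
    """Phase 2: share of frames, captured while the greeting plays, with speech energy."""
    if not frame_energies:
        return 0.0
    return sum(e > speech_level for e in frame_energies) / len(frame_energies)

def route(call, whitelist, blacklist, greeting_frames):
    """Return 'connect' or 'spam_queue'; phase 2 runs only for diverted calls."""
    if phase1_score(call, whitelist, blacklist) < DIVERT_THRESHOLD:
        return "connect"
    if talk_over_ratio(greeting_frames) > TALK_OVER_LIMIT:
        return "spam_queue"
    return "connect"

# Constructed sample data (not from the post).
NOISY = Call("sip:offers@example.net", 30, 0.1, 6)
QUIET_FRAMES = [0.01, 0.02, 0.00, 0.05]    # caller listens to the greeting
STREAM_FRAMES = [0.60, 0.70, 0.50, 0.80]   # audio streamed over the greeting
```

With these constructed inputs the same high-scoring call is connected when the caller stays quiet during the greeting and queued when audio is streamed over it, which is the false-positive safeguard the two-phase design is meant to provide.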