Category Archives: Security

ISC2 elections now underway – if you are a CISSP, please vote!

Just a note that if any of you out there are CISSP-certified, the elections for the Board of Directors of the ISC2 are happening right now through November 30th. Visit the ISC2 website, log in to the members section and vote for up to 5 candidates (of the 12 running). If you find value in the CISSP, as I do, and would like it to retain its value, I encourage you to spend a few minutes reading through the bios and voting in the election. Ultimately, the direction of the ISC2, and the value of the CISSP certification, is in our hands as certification-holders and ISC2 members.


McAfee Predicts 50% Rise in VoIP Attacks for 2008

McAfee recently published their top ten threat predictions for 2008. Among the other threats, attacks against VoIP systems were predicted to rise by 50% in 2008:

VoIP attacks should increase by 50 percent in 2008. More than twice the number of VoIP-related vulnerabilities were reported in 2007 versus the previous year – several high-profile “vishing” attacks, and a criminal phreaking (or fraud) conviction – so it’s clear that VoIP threats have arrived and there’s no sign of a slowdown.

Malware tries to entice Skype users with chat msg about lost girl…

Last week I meant to write about this, but Skype is advising people about some malware that is floating around that tries to entice Skype users to click a link that will then infect your computer. The rather despicable fashion the malware uses is to send a chat message that says “Please help me find this girl” referring to Madeleine McCann. Facetime Security Labs has a lengthy writeup that goes into all sorts of details about the particular worm variant. It propagates via IM, so it’s not anything particularly tied into VoIP, but obviously just something people should be concerned about.


Isolation vs. Integration

I’ve long been a staunch opponent of the “isolate your VoIP network from your data network” strategy. I personally believe that by putting up such restrictive barriers as would be required to provide any sense of actual security, the owners and administrators of a VoIP deployment are severely limiting the potential value they are able to receive from using Internet telephony. One of the Great Promises of VoIP is the ability to integrate communications with other productivity technologies such as work-group software and CRM applications. A lot of VoIP security practitioners tout the isolation strategy as a solution for the insecurity of the VoIP core devices and endpoints when in reality it is little more than a stop-gap, and not a very good one at that. By providing a false sense of security by way of network isolation, many VoIP deployment administrators may become complacent and pay less attention to the security posture of the actual VoIP devices and endpoints themselves. If you plan to integrate your communications system into the data-flow of your business in even the most minimal way, you’ll find quickly that most types of isolation that are available either provide a barrier to the desired functionality or open up so many holes in the barrier that it may as well not be there.


Blue Box #69: Linksys SPA-941 vulnerability, SIP DDoS, New release of SIPVicious, Asterisk security roadmap, other VoIP security news, listener comments and more

Blue Box Podcast #69 is now available for download. In this 46-minute episode, Jonathan and I discuss the Linksys SPA-941 vulnerability mentioned in the VOIPSEC list, a potential SIP DDoS, a new release of SIPVicious, a suggested Asterisk security roadmap, other VoIP security news, listener comments and more.

Suggestions for a “security roadmap” for Asterisk

As I mentioned previously, I was down at the AstriCon conference a few weeks back where I spoke about VoIP security in general and how it applies to Asterisk in particular. At the end of my presentation, I did put forward some suggestions for where the Asterisk community could potentially focus to improve the product’s security. While I intend to put the slides and hopefully the recording online at some point soon, I thought I’d share with you all what I laid out as my suggestions:

  1. TLS-encrypted SIP – Of course, this needs SIP over TCP first…
  2. Secure RTP (SRTP) – There’s a patch that’s been around for quite some time, but it needs to be integrated into the main release. However, it’s not much good without the next item…
  3. SRTP Key Exchange – First an implementation of “sdescriptions” (although again that needs TLS-encrypted SIP) and then later DTLS or potentially ZRTP.
  4. Figure out the phone configuration mess – So that the web servers on the phones can be disabled. Auto-configuration is a start, but how secure are the config files?
  5. Identity – If we are to not be drowning in SPIT, one mechanism that seems pretty sure to factor in would be a way to assert the real identity of the sender. Leading candidate today appears to be RFC 4474 (SIP Identity).
  6. Watch out for the APIs and the apps – Always fun when a rolodex app can crash your phone system!
  7. Toll fraud – What specific tools are in Asterisk to prevent toll fraud? Can they be enhanced?
  8. Testing with tools – There are a ton of VoIP security tools out there. Can Asterisk be tested with those tools?

That was my list that I spoke about at AstriCon. Do you agree? Disagree? What would your list include?


Asterisk – what would your “security roadmap” for Asterisk be?

If you are an Asterisk user, what do you see as the “security features” that it needs to have? I’m out here at the annual AstriCon event in Phoenix, Arizona, where on Thursday I am giving an “industry perspective” under the title: “Hacking and Attacking VoIP Systems – What You Need to Worry About”. Given that I’m doing the talk under the VOIPSA banner, I’ll be giving my “standard” view on what the main threats are to VoIP, the tools that are out there to attack them and the best practices to protect against those threats. However, whenever I do this kind of “industry view” at a conference like this, I always try to include a section at the end that is specific to the audience.

So in this case, I thought I’d tack on a bit at the end about a “security roadmap” for Asterisk, i.e. what are the top 5 things that Asterisk developers should be thinking about. My slides are actually done (and I’m currently at 6 items on the list), but I’m not going to really post them here until I give my talk. (Come on, I have to have a bit of suspense, don’t I?) In the meantime, I thought I’d ask the question here on the blog:

What security features do you think are necessary in Asterisk?

Well, okay, I’ll list three obvious ones: 1) TLS-encrypted SIP; 2) SRTP (yes, there’s a patch, but it’s not in the main load); and 3) SRTP key exchange (sdes, DTLS, ZRTP, etc.)

But what are the other three on my list? And what would be on your list? (And if you list some great ones I haven’t thought of I’ll be sure to credit you in my preso.)

By the way, Thursday should be an interesting day (for me) here at AstriCon because there are actually three talks related to security. Obviously mine but then one right before me from someone named Mike Storella and titled “Realizing the Benefits of a Secure VoIP Telephony System” and one in the afternoon from a Patrick Young titled “Enterprise VoIP Security“. It will be entertaining to see if we are all reading from the same general pages. I’m also going to see if I can get their permission to record the sessions and put them out as Blue Box special editions. We’ll see.

In the meantime, if any of you reading this are attending AstriCon, feel free to drop me a note as I always enjoy meeting up with readers.


FYI – I’m speaking on VoIP security at Ingate SIP Trunking Seminar Series Sept 11 in LA (concurrent with Internet Telephony Expo)

FYI, for those of you attending the Internet Telephony Conference & Expo in Los Angeles on September 10-12, I’ll be participating in a panel session that is part of Ingate’s SIP Trunking Seminar Series. I expect it will surprise no one to learn that I’ll be on the panel about “Enterprise Security and VoIP” speaking on behalf of VOIPSA. My particular session is Tuesday, September 11, 2007, from 9:30-11:00 am. More details and the schedule are available online.

The sessions are free and open to anyone to attend. Simply fill out the pre-registration form. If you are going to be there at the show, please do drop me a note, as I’m always interested in meeting readers or others interested in VoIP security.

A trio of new security blogs: Sipera’s VIPER Lab, Tipping Point’s DV Labs… and Microsoft "hackers"

There have been some new blogs related to security launched lately that I thought we should mention here for readers to check out. First up, VoIP security vendor Sipera Systems launched their Sipera VIPER Lab Blog with the primary author thus far being Sachin Joglekar, their Vulnerability Research Lead (who you can also see in Blue Box Video Edition #1). Given Sipera’s focus on VoIP security, posts there may be of obvious interest to readers here. Sachin just put up a good post yesterday, “What we SHOULD have learned from last year’s well-publicized VoIP attack“, about the Pena/Moore VoIP Fraud case, pointing out what we should have learned, but probably didn’t, from the VoIP fraud attack.

Over at TippingPoint, their Digital Vaccine Labs quietly launched their “DVLabs Blog” a few months back. While not focused on VoIP security and including a range of different authors, I mention it really because TippingPoint employs VOIPSA Chair David Endler and also Dustin Trammell, a frequent contributor to this blog. There’s some good info posted on the DV Labs blog, and those of us who enjoyed “SysAdmin” magazine may like Dave’s lament: “Sys Admin Magazine Goes Quietly Into That Good Night“.

Finally, over at Microsoft, there’s a brand-new blog out called “hackers @ microsoft” which, in its only post so far on August 25th, says “Microsoft employs some of the best hackers in the world and actively recruits them and develops them. They work on all kinds of projects, whether it be in development, research, testing, management and of course security.” Yet to be seen is how often people will post there, how many people will post and what the quality of the information will be. There’s not a direct link (yet) to VoIP security, but given that it is at Microsoft, it may be interesting to follow. We’ll see.

So there you are… three more blogs to check out. By the way, if you know of other new blogs related to VoIP security, feel free to leave a comment to this post or drop me a note. We’re always glad to help promote others who are talking about VoIP security.

Remote eavesdropping vulnerability with Grandstream SIP phone – now slashdotted

Back on August 22nd, Radu State from the Madynes research group in France posted a security advisory to the VOIPSEC mailing list, “Remote eavesdropping with SIP Phone GXV-3000“. He also posted it to full-disclosure and several other lists. As he writes:

While playing with the SIP Madynes stateful fuzzer, we have realized that some SIP stack engines have serious bugs allowing an attacker to automatically make a remote phone accept the call without ringing and without asking the user to take the phone from the hook, such that the attacker might be able to listen to all conversations that take place in the remote room without being noticed.

The Madynes team also included the Perl exploit script in the advisory, enabling someone wishing to test this to easily execute the attack. They indicate that they have found this vulnerability in several SIP stacks and that they can disclose the vulnerability with the Grandstream phone because Grandstream was apparently notified of this issue back in May. They indicate that “fixed software will be available from the vendor” – however, as of today, Grandstream’s firmware page is still showing the same load as that found to be vulnerable by the researchers. Unless I missed it, I can’t seem to find any page on Grandstream’s site dealing with security issues.

The reason I mention this here, partly, is because the issue was slashdotted, based on the Sûnnet Beskerming article “Listen to SIP Phones Even When They are on the Hook“.

If you use Grandstream phones, I would suggest you should be contacting Grandstream to find out when a fix may be available. If you are a producer of SIP phones, you might want to have a look at the exploit, which seems to be fairly straightforward, and see if your phones are vulnerable.
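The symptom the advisory describes, a phone returning 200 OK to an INVITE without ever ringing, is something an administrator can look for in SIP signalling logs while waiting on a vendor fix. The following is an added example, not code from the Madynes advisory or from Grandstream: it runs a simple heuristic over a constructed SIP trace (the line format, the Call-IDs and the `phone.example` host are assumptions made for the sample) and flags dialogs that were answered with no 180 Ringing or faster than a person could plausibly pick up.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample trace from the callee phone's point of view (not a real
# capture). One message per line: "<seconds> <rx|tx> <Call-ID> <SIP start line>".
SAMPLE_TRACE = """\
0.000 rx call-normal INVITE sip:2001@phone.example SIP/2.0
0.120 tx call-normal SIP/2.0 100 Trying
0.350 tx call-normal SIP/2.0 180 Ringing
4.800 tx call-normal SIP/2.0 200 OK
10.000 rx call-silent INVITE sip:2001@phone.example SIP/2.0
10.090 tx call-silent SIP/2.0 200 OK
"""

LINE_RE = re.compile(r"^(?P<ts>[\d.]+)\s+(?P<dir>rx|tx)\s+(?P<cid>\S+)\s+(?P<line>.+)$")


def parse_trace(text: str) -> Dict[str, dict]:
    """Group messages by Call-ID, keeping the INVITE time, the provisional
    response codes the phone sent, and the time of its first 200 OK."""
    dialogs: Dict[str, dict] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip malformed or non-SIP lines
        d = dialogs.setdefault(m["cid"], {"invite": None, "prov": [], "answer": None})
        ts, line = float(m["ts"]), m["line"]
        if m["dir"] == "rx" and line.startswith("INVITE "):
            d["invite"] = ts
        elif m["dir"] == "tx" and line.startswith("SIP/2.0 "):
            code = int(line.split()[1])
            if 100 < code < 200:  # 180 Ringing, 183 Session Progress, ...
                d["prov"].append(code)
            elif code == 200 and d["answer"] is None:
                d["answer"] = ts
    return dialogs


def find_silent_answers(text: str, min_alert_seconds: float = 1.0) -> List[Tuple[str, float, bool]]:
    """Return (Call-ID, answer delay, rang) for INVITEs the phone answered
    without ever sending 180 Ringing, or faster than a person could pick up."""
    findings = []
    for cid, d in parse_trace(text).items():
        if d["invite"] is None or d["answer"] is None:
            continue  # unanswered, or no INVITE seen: nothing to judge
        delay = d["answer"] - d["invite"]
        rang = 180 in d["prov"]
        if not rang or delay < min_alert_seconds:
            findings.append((cid, round(delay, 3), rang))
    return findings
```

Phones configured for intentional auto-answer (intercom or paging groups) will trip the same heuristic, so exclude those extensions before treating a hit as suspicious.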