Archive for the 'Security' Category

“SIP Trunking And Security” workshop coming up at ITEXPO on February 3, 2009

Friday, January 23rd, 2009 by

If you will be in Miami at ITEXPO February 2-4 you are welcome to attend a free “SIP Trunking And Security” session I (Dan York) will be doing as part of Ingate Systems’ SIP Trunking Workshops. The SIP trunking workshops are free to all attendees even if you only register for an exhibit pass.

My session will be 11:15-12:30 on Wednesday, February 3rd, and if you do attend please feel free to come up and introduce yourself (or drop me a note in advance to let me know to look out for you). I’ll be bringing my recording gear, too, and the talk will eventually go out in my Blue Box Podcast feed so you will be able to hear it later.

P.S. If you are attending ITEXPO and your company makes a product or provides a service related to VoIP security, please feel free to let me know and perhaps we can schedule an interview to go out as a Blue Box Special Edition.


VoIP/Network Security classes at upcoming ITEXPO show

Tuesday, January 20th, 2009 by

Our friend Craig Bowser recently pointed out that TMC will have a schedule of “Network Security” classes at the upcoming ITEXPO in Miami on February 4th. The three classes are:

  • Security Threat Mitigation in Enterprise UC Environments
  • Securing the SIP Trunk
  • VoIP Security Best Practices

The companies involved are Acme Packet, Sipera and VoIPShield Systems, all of whom we’ve mentioned at various times either on this blog or over on Blue Box. Anyway, if you are heading down to ITEXPO, you may want to check out these sessions.

P.S. And if you ARE heading down to ITEXPO, please do let me know as I’ll be down there, too.

Fuzzing gets its own blog…

Monday, January 19th, 2009 by

Over in his “Security: Secrets and Hype” blog, our friend Ari Takanen has announced that, because “Fuzzing Is Still Widely Unknown”, he’s going to evolve his blog there a bit:

Therefore, as a part of my new year resolution to change this blog into a more generic fuzzing blog, I will start by sharing my experiences in the current state of the fuzzing market. Based on a recent study by Gary McGraw and other well known security gurus, all major product security teams apparently use fuzzing (my comments on it here). But most (even security specialists) still seem to misunderstand what fuzzing really is about. So, I will focus on that here also. Enter the world of fuzzing!

Ari has a wealth of information on the topic of fuzzing (and has written a book on the subject) and so it will be interesting to see where he takes the blog. We’ll see…


Asterisk Security advisory – Information leak in IAX2 authentication

Friday, January 9th, 2009 by

If you are an Asterisk user, you should be aware that Digium has released AST-2009-001 Information leak in IAX2 authentication. The description is:

IAX2 provides a different response during authentication when a user does not exist, as compared to when the password is merely wrong. This allows an attacker to scan a host to find specific users on which to concentrate password cracking attempts.

The workaround involves sending back responses that are valid for that particular site. For example, if it were known that a site only uses RSA authentication, then sending back an MD5 authentication request would similarly identify the user as not existing. The opposite is also true. So the solution is always to send back an authentication response that corresponds to a known frequency with which real authentication responses are returned, when the user does not exist. This makes it very difficult for an attacker to guess whether a user exists or not, based upon this particular mechanism.

Digium classifies it as a minor security issue and notes in the advisory that patches are available.
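As an added illustration (not code from the advisory, Digium or Asterisk), the following Python models the two behaviours in simplified form: the leaky reply that rejects unknown users outright, and the workaround that answers unknown users with a challenge drawn from the site’s real mix of authentication methods. Message names loosely follow IAX2’s AUTHREQ/REJECT rather than the wire format, and the account table and method mix are constructed for the example.

```python
import random
from collections import Counter

# Constructed account table for illustration: username -> (auth method, secret).
# Not taken from any real Asterisk configuration.
ACCOUNTS = {
    "alice": ("md5", "s3cret"),
    "bob": ("rsa", "bob-key-1"),
    "carol": ("md5", "pa55word"),
}

def leaky_challenge(username, accounts=ACCOUNTS):
    """Vulnerable behaviour described in AST-2009-001: an unknown user gets an
    immediate rejection, while a known user gets an AUTHREQ naming its method.
    The first reply alone therefore reveals whether the account exists."""
    if username not in accounts:
        return ("REJECT", None)
    method, _secret = accounts[username]
    return ("AUTHREQ", method)

def method_frequencies(accounts=ACCOUNTS):
    """How often each auth method is used by real accounts: the 'known
    frequency' the advisory's workaround keys off."""
    return Counter(method for method, _secret in accounts.values())

def uniform_challenge(username, accounts=ACCOUNTS, rng=random):
    """Hardened behaviour: always answer with an AUTHREQ. For an unknown user,
    pick the method with the same distribution the real accounts show, so an
    RSA-only site never leaks 'no such user' by suddenly offering MD5."""
    if username in accounts:
        method, _secret = accounts[username]
    else:
        freq = method_frequencies(accounts)
        methods = list(freq)
        method = rng.choices(methods, weights=[freq[m] for m in methods])[0]
    return ("AUTHREQ", method)

def first_reply_distinguishes(challenge_fn, known_user, unknown_user, **kw):
    """Defender's self-check: does the reply type differ between a real account
    and a nonexistent one? True means the existence oracle is still open."""
    return challenge_fn(known_user, **kw)[0] != challenge_fn(unknown_user, **kw)[0]
```

The self-check only covers the reply type; a complete fix on a real server also has to keep timing and message sizes consistent between the two cases.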


W3C Voice Biometrics workshop coming up in March

Friday, January 9th, 2009 by

Through a colleague of mine, Dan Burnett, I just learned about an upcoming W3C Biometrics workshop in March in California around the subject of “Speaker Identification and Verification (SIV)”. As Dan writes:

To get more information from the knowledgeable public, W3C is holding a workshop to “identify and prioritize directions for SIV standards work as a means of making SIV more useful in current and emerging markets.” The workshop will be held in early March at SRI in Menlo Park, California.

Although the paper submission deadline has passed, if you were unaware of this workshop and are dying to attend, please email member-siv-submit@w3.org as described in the Call for Participation.

More information can also be found on the W3C Biometrics Workshop site. Sounds like an interesting conference to attend… (Dan Burnett will be there, but I will not).


Video demo of “sipautohack” tool

Tuesday, December 30th, 2008 by

Over in the VOIPSEC mailing list, Shawn Merdinger recently pointed out a video produced by the folks at Enable Security to highlight one of their new tools, “sipautohack”, that they sell as part of one of their packages of tools called “VOIPPack”. From their description page, VOIPPack includes:

  • sipscan – Scans the network for SIP devices and identifies the user-agent and if the device is a PBX
  • sipenumerate – Enumerates extensions on a PBX server
  • sipcrack – Launches password attacks on the PBX server
  • sipautohack – Given a target network, this module will scan for SIP devices, enumerate any extensions on all PBX servers found and try to guess their password

This video, then, is a demonstration of the last of the listed tools:

[Video: Demonstrating sipautohack from Sandro Gauci on Vimeo.]

We here at VOIPSA have no connection to this tool or vendor and cannot say anything positive or negative about the tool or company… it’s just another entry in the very long list of VoIP security tools out there (see our Tools list). I just think it’s great to see video screencasts out there showing what tools like this can do. (And if you have a screencast related to VoIP security out there you’d like us to mention, feel free to contact me.)


XTest – a tool to test how well 802.1X endpoints secure your VoIP infrastructure

Sunday, November 16th, 2008 by

Back in August, the folks at Sipera’s VIPER Lab released a free test tool, XTest, that tests how well (or not) 802.1X with EAP-MD5 protects IP phones and the overall VoIP infrastructure. You can get it at http://xtest.sourceforge.net/.

(And yes, I’ve been meaning to write about this since back in August…. and was intending to write a more thorough review. Perhaps I will at some point, but for now I thought I’d mention the tool’s availability.)

I’ll be speaking tomorrow, 1pm US Eastern, in a Mitel webinar on Unified Communications Security

Monday, October 27th, 2008 by

What are you doing tomorrow, Tuesday, October 28, 2008, at 1pm US Eastern time? If you are around, you are welcome to join a free webinar I’ll be giving on “Best Practices for Secure Unified Communications“.

From time to time, you’ll notice that those of us working with VOIPSA will take part in seminars/webinars offered by members of VOIPSA, and we definitely enjoy doing so. For instance, as readers of the blog know, I’ve been speaking at Ingate’s SIP Trunking seminars for quite some time now. We’re generally open to speaking at anyone’s event or webinar, as long as they understand that there is no endorsement of the company’s/vendor’s products/services and that we are there to provide an industry-neutral point of view.

So tomorrow at 1pm US Eastern I’ll be speaking as part of Mitel’s “Discovery Series” where they invite in guest speakers from the industry. You can join the webinar for free at Mitel’s site. They asked me to speak about the threats/risks to voice over IP and unified communications and talk about best practices for protecting them. Here’s the abstract:

Discover Best Practices for Secure Unified Communications

Presented by: Dan York, Voice Over IP Security Alliance (VOIPSA)
October 28, 2008, 1:00 PM EDT / 10:00 AM PDT / 5:00PM GMT

With the emergence of Voice-over-IP and Unified Communications, companies now have incredible opportunities to provide a rich communication experience to employees located in a single location or distributed globally. But how does a company do this in a secure manner? How is the confidentiality and integrity of corporate conversations protected? How can a company be sure that its IP phone systems and IP trunks will always be available for usage? What are the issues around protecting SIP trunks or using hosted services?

In this webinar, VoIP Security Alliance Best Practices Chair Dan York will discuss the threats and risks to Voice-over-IP, the tools that are out there to test (or attack) VoIP systems and solutions, and best practices for protecting your systems. He’ll also address concerns around SIP trunking, Spam for Internet Telephony (SPIT) and the move to push voice out into hosted/cloud computing environments and the associated concerns. Come prepared to learn about securing your VoIP system, to ask questions about your deployments and to leave with tips and resources to protect and defend your systems.

The webinar will be recorded and posted for later viewing as well. I’ll note that they also have a nice companion webinar to the one I’ll be giving tomorrow: one that HP representatives recently gave on network security as it relates to VoIP.

Anyway, if you are available tomorrow (Oct 28th) at 1pm please do feel free to join into the webinar. I’ll post a note on this site, too, when it is available for later listening.

P.S. And yes, as a couple of people have asked, I do obviously have a closer association with this webinar than I do with some of the other vendors given that I worked at Mitel for 6 years and was their point person on VoIP security issues for much of that time. It will be fun to be speaking with them again.


Blue Box Podcast #83 – SIP and Asterisk vulnerabilities, voice biometrics, P2PSIP, Aircell blocking Skype, VoIP security news and more…

Monday, October 20th, 2008 by

Last week I posted Blue Box Podcast #83 and you can now either download it or listen to it from the website. In this show, where Jonathan and I were catching up on VoIP security topics from over the summer, we talked about SIP and Asterisk vulnerabilities, voice biometrics, P2PSIP, Aircell blocking Skype and other pieces of VoIP security news. You can listen to it now.


Internet phone calls, terrorism and finding the balance for law enforcement

Thursday, October 16th, 2008 by

The Times of London is out today with a provocatively titled piece: “Internet phone calls are crippling fight against terrorism” and leads with this:

The huge growth in internet telephone traffic is jeopardising the capability of police to investigate almost every type of crime, senior sources have told The Times.

As more and more phone calls are routed over the web – using software such as Skype – police are losing the ability to track who has called whom, from where and for how long.

The key difficulty facing police is that, unlike mobile phone companies, which retain call data for billing purposes, internet call companies have no reason to keep the material.

And goes on to mention issues security officials have with the new world of online communication:

At present security and intelligence agencies can demand to see telephone and e-mail traffic from communication service providers, such as mobile telephone companies. But rapid expansion of new providers, such as gaming, social networking, auction and video sites, and technologies, such as wireless internet and broadband, present a serious problem for the police, MI5, Customs and other government agencies.

Communications data is now a key weapon in securing convictions of both terrorists and serious criminals. It also plays a central role in investigations into kidnappings and inquiries into missing and vulnerable people.

It is indeed a challenging problem. How do government security services exercise their legitimate need to have access to some communications-related data in the pursuit of a crime when the communications providers are no longer easy to identify?

In the old days of just the PSTN, the communications carriers were easy to identify and easy to work with… in the sense that jurisdiction was usually rather clear since the provider was based in the country where the communication was taking place. Government security services could work with those companies to be able to do lawful intercept and other such actions.

VoIP changes all of that. From a technical perspective, geography goes out the window. You can use a software product created by a company from anywhere in the world to communicate with someone else. It can be encrypted. It can use different protocols. It can be unencrypted yet go over an encrypted VPN.

THERE IS NO CENTRAL CONTROL!

And without central control, there is no central way for a government agency to be able to easily obtain that communications data.

So what do you do? Do you create (and somehow futilely attempt to enforce?) draconian and Orwellian legislation that gives government agencies extremely broad powers to access Internet-carried information? (As it sounds like is happening in the UK?) Do you try to have industry entities voluntarily assist security agencies? Do you give up and admit that it’s next to impossible to really get all this kind of information?

There’s a balance to be struck somewhere in there – and finding that balance is going to be one of the toughest policy issues we all will confront over the next few years.

I can see both sides… as a strong privacy advocate, I do not want the government to have broad powers to intercept and view Internet traffic – the potential for abuse and mis-use is far too high in my opinion. Yet at the same time as a father and husband I can assure you that if something were ever to happen to any of my family, I would want law enforcement to have access to every tool imaginable to track down the perpetrators and bring them to justice.

Where’s the line? What’s the right approach?

No easy answers…
