Back in August, the folks at Sipera’s VIPER Lab released a free test tool, XTest, that tests how well (or not) 802.1X with EAP-MD5 protects IP phones and the overall VoIP infrastructure. You can get it at http://xtest.sourceforge.net/.
(And yes, I’ve been meaning to write about this since back in August…. and was intending to write a more thorough review. Perhaps I will at some point, but for now I thought I’d mention the tool’s availability.)
What are you doing tomorrow, Tuesday, October 28, 2008, at 1pm US Eastern time? If you are around, you are welcome to join a free webinar I’ll be giving on “Best Practices for Secure Unified Communications“.
From time-to-time, you’ll notice that those of us working with VOIPSA will take part in seminars/webinars offered by members of VOIPSA and we definitely enjoy doing so. For instance, as readers of the blog know, I’ve been speaking at Ingate’s SIP Trunking seminars for quite some time now. We’re generally open to speaking at anyone’s event or webinar – as long as they understand that there is no endorsement of the company/vendors’s products/services and that we are there to provide an industry-neutral point-of-view.
So tomorrow at 1pm US Eastern I’ll be speaking as part of Mitel’s “Discovery Series” where they invite in guest speakers from the industry. You can join the webinar for free at Mitel’s site. They asked me to speak about the threats/risks to voice over IP and unified communications and talk about best practices for protecting them. Here’s the abstract:
Discover Best Practices for Secure Unified Communications
Presented by: Dan York, Voice Over IP Security Alliance (VOIPSA)
October 28, 2008, 1:00 PM EDT / 10:00 AM PDT / 5:00PM GMTWith the emergence of Voice-over-IP and Unified Communications, companies now have incredible opportunities to provide a rich communication experience to employees located in a single location or distributed globally. But how does a company do this in a secure manner? How is the confidentiality and integrity of corporate conversations protected? How can a company be sure that its IP phone systems and IP trunks will always be available for usage? What are the issues around protecting SIP trunks or using hosted services?
In this webinar, VoIP Security Alliance Best Practices Chair Dan York will discuss the threats and risks to Voice-over-IP, the tools that are out to test (or attack) VoIP system and solutions and best practices for protecting your systems. He’ll also address concerns around SIP trunking, Spam for Internet Telephony (SPIT) and the move to push voice out into hosted/cloud computing environments and the associated concerns. Come prepared to learn about securing your VoIP system, to ask questions about your deployments and to leave with tips and resources to protect and defend your systems.
The webinar will be recorded and posted for later viewing as well. I’ll note that they also have a nice companion webinar to the one I’ll be giving tomorrow in one that HP representatives recently have on network security as it relates to VoIP.
Anyway, if you are available tomorrow (Oct 28th) at 1pm please do feel free to join into the webinar. I’ll post a note on this site, too, when it is available for later listening.
P.S. And yes, as a couple of people have asked, I do obviously have a closer association with this webinar than I do with some of the other vendors given that I worked at Mitel for 6 years and was their point person on VoIP security issues for much of that time. It will be fun to be speaking with them again.
Technorati Tags:
voip, voip security, security, voice, voice security, mitel, voipsa, danyork, dan york, unified communications
Last week I posted Blue Box Podcast #83 and you can now either download it or listen to it from the website. In this show where Jonathan and I were catching up on VoIP security topics from over the summer, we talked about SIP and Asterisk vulnerabilities, voice biometrics, P2PSIP, Aircell blocking Skype and other pieces of VoIP security news. You can listen to it now.
Technorati Tags:
bluebox, blue box, danyork, dan york, jonathan zar, voip, voip security, security, podcasts
The Times of London is out today with a provocatively titled piece: “Internet phone calls are crippling fight against terrorism” and leads with this:
The huge growth in internet telephone traffic is jeopardising the capability of police to investigate almost every type of crime, senior sources have told The Times.
As more and more phone calls are routed over the web – using software such as Skype – police are losing the ability to track who has called whom, from where and for how long.
The key difficulty facing police is that, unlike mobile phone companies, which retain call data for billing purposes, internet call companies have no reason to keep the material.
And goes on to mention issues security officials have with the new world of online communication:
At present security and intelligence agencies can demand to see telephone and e-mail traffic from communication service providers, such as mobile telephone companies. But rapid expansion of new providers, such as gaming, social networking, auction and video sites, and technologies, such as wireless internet and broadband, present a serious problem for the police, MI5, Customs and other government agencies.
Communications data is now a key weapon in securing convictions of both terrorists and serious criminals. It also plays a central role in investigations into kidnappings and inquiries into missing and vulnerable people.
It is indeed a challenging problem. How do government security services exercise their legitimate need to have access to some communications-related data in the pursuit of a crime when the communications providers are no longer easy to identify?
In the old days of just the PSTN, the communications carriers were easy to identify and easy to work with… in the sense that jurisdiction was usually rather clear since the provider was based in the country where the communication was taking place. Government security services could work with those companies to be able to do lawful intercept and other such actions.
VoIP changes all of that. From a technical perspective, geography goes out the window. You can use a software product created by a company from anywhere in the world to communicate with someone else. It can be encrypted. It can use different protocols. It can be unencrypted yet go over an encrypted VPN.
THERE IS NO CENTRAL CONTROL!
And without central control, there is no central way for a government agency to be able to easily obtain that communications data.
So what do you do? Do you create (and somehow futilely attempt to enforce?) draconian and Orwellian legislation that gives government agencies extremely broad powers to access Internet-carried information? (As it sounds like is happening in the UK?) Do you try to have industry entities voluntarily assist security agencies? Do you give up and admit that it’s next to impossible to really get all this kind of information?
There’s a balance to be struck somewhere in there – and finding that balance is going to be one of the toughest policy issues we all will confront over the next few years.
I can see both sides… as a strong privacy advocate, I do not want the government to have broad powers to intercept and view Internet traffic – the potential for abuse and mis-use is far too high in my opinion. Yet at the same time as a father and husband I can assure you that if something were ever to happen to any of my family, I would want law enforcement to have access to every tool imaginable to track down the perpetrators and bring them to justice.
Where’s the line? What’s the right approach?
No easy answers…
Technorati Tags:
voip, security, skype, lawfulintercept, calea, terrorism, voip security
According to a report published on October 1st by Citizen Lab, full chat text messages from TOM-Skype users were found on publicly-accessible web servers as well as the encryption key required to decrypt the data. Additional data such as millions of IP address, user names, and land-line phone numbers, and records of international users who regularly communicated with Chinese users were found alongside the chat logs.
From an Ars Technica article about the report:
Clearly, there are a number of problems with this discovery, starting with security. Villeneuve notes that the information contained on the servers could be used to exploit the TOM-Skype server network, and an attacker can access detailed user profiles. “In fact, evidence suggests that the servers used to store captured data have been compromised in the past and used to host pirated movies and torrents (for peer-to-peer file sharing),” reads the report. Clearly, crafty hackers already know where these servers are and how to get into them.
While troubling from an overall Skype security standpoint, it’s not much of a surprise that the Chinese government had a way to monitor their Skype users, especially with Skype being partnered with TOM Online, a Chinese company.
Since around September 2005, Chinese users attempting to download the Skype client were blocked from doing so, instead being redirected to a modified Chinese version hosted by TOM. Did anyone really think that this modified version wasn’t backdoored? Who wants to bet that they have keys to decrypt the voice channels as well?
How does an emergency call to 9-1-1 or 1-1-2 (or whatever your local emergency number may be) work in a world of voice-over-IP?
It’s not a topic we cover hardly at all here on this blog, yet it’s definitely one of the security and social/cultural aspects of our migration to IP that we definitely have to get right. If we as an industry don’t, people can die. (Or the migration to VoIP will be significantly delayed.)
To that end, a number of emergency services experts are meeting to discuss ongoing work on IP-based emergency services in Vienna, Austria on 21st to 23rd October 2008. The first workshop day is focusing on tutorials to help those interested in the classical 1-1-2 (or 9-1-1) emergency call to get up-to-speed with architectures and standards developed for next generation emergency calling. During the second day various recent activities of standardization organizations around the world will be presented. The third workshop day is dedicated to early warning standardization efforts and the outlook to future emergency services activities.
Participation from those working in standardization organizations as well as persons with interest into the subject is highly appreciated. The event is open to the public and anyone may attend.
For socializing an evening program has been organized. There is a nominal fee of 120 Euros charged to cover the facilities cost, food, drinks, etc. Arrangements are also being made for participants to join remotely.
More information about the workshop can be found behind the following link:
This page also points to previous workshops that took place in New York, Washington, Brussels and Atlanta.
(Thanks to Hannes Tschofenig for providing the majority of this text.)
Earlier this month out at ITEXPO in Los Angeles, I participated in the Ingate SIP Trunking seminars as I have been doing for the last year or so. My talk was “SIP Trunking and Security in an Enterprise Network“. The slides are available for viewing or download from my SlideShare account and I’ll also embed them here in this post.
I did record the presentation in both audio and video and hope to be making that available as a Blue Box podcast some time soon. I’ll then sync the slides to the audio. Meanwhile… enjoy the slides!
Technorati Tags:
voip, voip security, sip, sip security, voice, security, dan york, itexpo, commdev, voipsa
It’s not “VoIP security”-related, but this piece in NetworkWorld today is worth a read: “Feds tighten security on .gov“. Here’s the intro:
When you file your taxes online, you want to be sure that the Web site you visit — www.irs.gov — is operated by the Internal Revenue Service and not a scam artist. By the end of next year, you can be confident that every U.S. government Web page is being served up by the appropriate agency.
That’s because the feds have launched the largest-ever rollout of a new authentication mechanism for the Internet’s DNS. All federal agencies are deploying DNS Security Extensions (DNSSEC) on the .gov top-level domain, and some expect that once that rollout is complete, banks and other businesses might be encouraged to follow suit for their sites.
The article goes on at some length into what the US government is doing, the issues involved and why it all matters. From a larger “Internet infrastructure” point-of-view, actions such as securing the DNS infrastructure will only help in securing services such as VoIP. There’s still a long way to go to getting DNSSEC widely available, but I applaud the US government for helping push efforts along.
FYI, the article references the obsolete RFC 2065 for DNSSEC. For those wishing the read the standard itself, DNSSEC is now defined in RFC’s 4033, 4034 and 4035 with a bit of an update in RFC 4470.
In a message to the VOIPSEC mailing list over the weekend, Mark Collier announced the release of a new suite of VoIP security test tools. Mark, as you may recall, is the co-author with (VOIPSA Chair) David Endler of the book “Hacking Exposed: VoIP” and as part of the book publication he and Dave made available a series of voip security tools through their hackingvoip.com website.
Now, Mark’s back with a second version of those VoIP security tools. He describes the new tools in one blog post on his VoIP security blog and announces their availability in a second blog post. Here’s his description of new tools:
We also built several new tools:
– Several new flood-based DoS tools, which generate floods using different SIP requests, including byeflood, optionsflood, regflood, and subflood. The regflood tool is certainly the most potent of the group.
– dirsniff and dirsortmerge – a passive scanner that builds a directory of valid SIP phone addresses. By using the dirsortmerge tool, you can manage results from this tool, as well as output from the dirscan active scanner.
– Call Monitor and sipsniffer – this tool provides a GUI that shows active SIP calls. The tool allows you to select a call and terminate it (via teardown) or insert/mix in audio (via rtpinsertsound or rtpmixsound). The tool allows you to define up to 10 sound files, that can be inserted/mixed in on command. The tool also streams the call audio to the XMMS player, so you can listen in and “time” when you affect the call.
The Call Monitor tool is particularly interesting. It makes using the rtpinsertsound/rtpmixsound tools a lot easier and more effective. It makes real audio manipulation possible.
Interestingly, the tools are not being made available through Hackingvoip.com but rather directly from SecureLogix’s web site, where you have to register first to download the tools.
Mark also provides a PowerPoint presentation about the “Call Monitor” tool he mentions here. He’d mentioned this tool to me once before when we met at one of the conferences…. basically it provides a “point-and-click” interface to allow you to inject or mix in new audio into existing audio streams. Making it this easy is definitely a scary prospect (and another good argument for why you should be using SRTP to encrypt audio streams).
Anyway, the new tools are now out there if you want to try them out. (Joining the long list of existing VoIP security tools.)
Technorati Tags:
voip, voip security, security, sip, sip security, securelogix, mark collier
Many of you may have received this in your email inbox – Audiocodes and Interactive Intelligence are jointly sponsoring a TMCnet webinar on Thursday, September 11, 2008, at 12noon US Eastern time called “Do You Know Who is Listening? – The Truth of Enterprise SIP Security The abstract is here:
Session Initiation Protocol (SIP) has emerged as the predominant protocol for VoIP deployments. While SIP is gaining headway in the IP communications market, any new technology brings with it some inherent security challenges. In this webinar, we discuss these challenges, the misconceptions surrounding SIP Security, and examine the tools available to counter them. This session will also explore robust solutions that not only tackle security threats, but also empower businesses to proactively protect their networks from current and future attacks. Included in this webinar, we will examine the Interactive Intelligence suite of products as a communications platform case study that empowers businesses to tackle security threats while maintaining affordability and performance.
Obviously it is a vendor presentation with the associated perspective, but for those wishing to attend, you can register online.
[VOIPSA is a vendor-neutral organization and we do not endorse or recommend solutions from any particular vendors. However, as our interest is in elevating the level of discussion about VoIP security issues in general, we are glad to post notices here about upcoming vendor presentations.]
Technorati Tags:
security, sip, sip security, audiocodes, interactive intelligence, voip, voip security