Voice of VOIPSA

While I was sick at VoiceCon and didn’t record any of the videos I was planning to do, it’s great to see that Fritz Nelson over at Information Week did capture this video of Mark Collier of SecureLogix:

The TechWeb folks did a nice job on the video, particularly in cutting in to some of the slides explaining what Mark was talking about. Fritz has an article accompanying the video as well.

Oh, yeah, Mark was great, too!

P.S. For those who don’t know, Mark has been involved with VOIPSA and in fact was on a panel I moderated on VoIP security there at VoiceCon.

Technorati Tags:
voip, voip security, securelogix, mark collier, security

On April 1st VuNet reported that hackers had taken down the International Space Station’s email capabilities.

So, this was a good April Fool’s joke, right?

Three astronauts onboard the Space Station reported last night that email was no longer working.
Hackers are thought to have planted a Trojan in the computer systems at Houston and used the infection to ride the satellite uplink to the Space Station.

What is especially troubling is the email system’s reliance upon older Microsoft operating systems that are no longer supported by Microsoft.

“I am sorry but there is nothing we can do. It is past its deadline, said Professor Brian Offin, Microsoft’s head of obsolete operating systems.

Again, a good April Fool’s joke, right?

However, this false article brings to light the fact that as newer technologies replace legacy systems, we must bear in mind that the new technology changes will, over time, themselves become legacy systems and subject to the same outdated, unsupported and insecurities that plagued the very legacy systems they replaced.

So what’s this have to do with VoIP and the International Space Station? Well, details are thin, but way back in 2000 VoIP Group Inc. was awarded a contract to provide a VoIP replacement for the ISS to “bring about significant cost reductions as it supplements and then replaces an existing legacy system.”

Initially deployed at NASA’s Marshall Space Flight Center in Huntsville, Alabama, and later at other International Space Station operations centers, the solution will consist of VoIP Group’s gateways connected to the Internet and to Raytheon voice switches and CUseeMe conference servers to support voice conferencing. The system is designed to link together researchers, NASA operations personnel, and potentially ISS crew, to support collaboration during Space Station experiment planning and operations. Because users can access the system using a standard Internet browser on an inexpensive multimedia PC, they can be located at NASA centers, universities, and companies throughout the world, and still connect in real-time, 24 x 7.

I hope that the sharp folks at NASA and VoIPgroup are taking the proactive steps to avoid security problems with critical communications with the ISS.

Some of you may remember Peter Cox who put out an eavesdropping tool SIPTap last November.

For those who have a short memory, SIPTap monitors “multiple voice-over-IP call streams, listening in and recording them for remote inspection as .wav files.”

At the time, however, the tool didn’t appear to me to be much of a threat because it only worked on the VLAN it was attached to and only if it saw the traffic. Meaning that if you weren’t attached to a span port, a hub or used another tool such as Ettercap, you wouldn’t be able to do much recording.

BUT the tool served Peter Cox’s purpose. Apparently for some time now, Peter Cox has been preaching VoIP security to anyone who will listen… and if he’s like most IA people I know, anyone who doesn’t want to listen, but needs to. The tool, therefore, appeared to be aimed at educating people outside the IA world about the importance of VoIP security and how easy it is to eavesdrop on calls.

Now Peter Cox has started a new company UM Labs where his goal is to develop and deliver products that provide VoIP security in a world where the traditional security foundation of voice and data separation no longer apply.

They are already announcing three products described on the company’s website and here

New VoIP security products are always welcome and UM Labs appears to be looking towards the future to find ways to meet some of the upcoming security challenges of unified networks.

Perhaps it has been up for a while, but I just noticed today the new Zfone Project Home Page. Previously Phil Zimmermann had Zfone as a subset of his philzimmermann.com website, but now it’s off on its own sharp-looking site. There’s also news of a new beta for download as of February 9th. Kudos to Phil and his team for launching the new site and, as always, we’re definitely interested in hearing what people think (okay, at least I am).

I’m guessing there’s going to be a resurgence soon in protocol fuzzing against different VoIP phones, PBXs, and especially VoIP softphones. The practice of fuzzing, otherwise known as robustness testing or functional protocol testing, has been around for a while in the security community. The practice has proven itself to be pretty effective at automating vulnerability discovery in applications and devices that support a target protocol.

The prize for the most prolific university fuzzing results to date belongs to the PROTOS project of Oulu University’s Secure Programming Group. Through various incarnations of student projects, the PROTOS group has been faithfully discovering vulnerabilities in a variety of protocol implementations, including SIP and H.323. Ari Takanen of that group eventually graduated and went on to cofound a commercial fuzzing tool company called Codenomicon, along with others from Oulu. In just the last year alone, the market has seen several other new commercial fuzzing entrants including:

• Musecurity’s Mu-4000
• Gleg.net’s ProtoVer Professional
• Beyond Security’s BeStorm
• Security Innovation’s Hydra

Today, VoIP is starting to become a more interesting target for security researchers as the technology becomes more affordable and popular among enterprise customers. While it would be ideal if all VoIP vendors tested their own products internally for security bugs, the reality is that not all of them have the time, resources, or even the security DNA to find them all ahead of time.

For a great list of other fuzzing tools and presentations, check out Matthew Franz’s wiki.