Archive for the 'VOIPSA' Category

Blue Box Podcast #75 - VoIP security news, SANS report, Asterisk vulnerability, more…

Monday, February 11th, 2008 by Dan York

After a bit of a production hiatus, Jonathan and I are back with Blue Box Podcast #75 where we talk about the VoIP security news back in early January. We talked about the Asterisk vulnerability out then, the SANS white paper on VoIP security, several other news items and a ton of listener comments. More information is available in the show notes.

VoIP Security talk at Ingate SIP Trunking Seminar Series next week in Miami

Thursday, January 17th, 2008 by Dan York

If any of you will be in Miami next week for Internet Telephony Expo, I will be speaking on VOIPSA’s behalf at Ingate’s SIP Trunking Seminar Series held in conjunction with IT Expo. Predictably, my session from 8:30-9:45am on Thursday, January 24th is titled “Seminar/myth 1: VoIP is not secure“. Should be fun.

If you are going to be down at IT Expo, do check out the full schedule for Ingate’s SIP Trunking Seminar Series. They have a good range of speakers and the seminars are free.

If any of you are attending either IT Expo or the SIP Trunking Seminar Series, please do drop a note as I’m always interested in meeting readers.


“Hacking and Attacking VoIP Systems” – Slides from my Astricon 2007 presentation about Asterisk and VoIP security

Thursday, January 17th, 2008 by Dan York

Back at the end of September, I gave a presentation down at Astricon 2007 called “Hacking and Attacking VoIP Systems: What you need to know” which talked generically about VoIP security and then got into some specific suggestions for securing Asterisk (which I posted on this blog). A number of folks have asked for the slides… and so here they are:

If you’ve seen other presentations I’ve given, it’s a fairly typical presentation of mine with the addition of Asterisk-specific information toward the end.

Comments are, of course, welcome.

P.S. And yes, there is an audio recording of this presentation which I will, eventually, get up as a Blue Box podcast.


At Fall VON this week – speaking on VoIP security on Thursday

Monday, October 29th, 2007 by Dan York

If any of you are at Fall VON this week in Boston, both Martyn Davies and I (Dan York) will be there. Martyn is moderating a panel Wednesday in the Innovator’s Track and I will be speaking on Thursday about (surprise!) security on a “Strategies for Solving Security” panel. If any of you reading this will be there, feel free to drop a note and we can perhaps connect to say hello.


Speaking at Interop New York tomorrow about VoIP security… and also ISC2 member reception

Wednesday, October 24th, 2007 by Dan York

In a few hours I’ll be boarding a plane back to New York where I’ll be attending Interop New York this afternoon and tomorrow. If any of you reading this will be there, please do drop an email. Tomorrow, I’ll be on a panel at 2:45pm with Jonathan Rosenberg about “Voice-oriented Attacks”. (Side note to Interop: Please make it so that we can link to individual sessions instead of having to link to the entire list of “security”-related sessions!) If you aren’t aware of who Jonathan Rosenberg is, he works for Cisco and is a huge contributor to IETF efforts related to SIP and in fact was one of the co-authors of RFC 3261 which is the primary RFC defining SIP. He’s also the author of “The Hitchhiker’s Guide to SIP” which aims to help guide people through the maze of the many, many documents that now are part of “SIP”. More relevant to tomorrow’s session, he’s also the author of a series of NAT traversal protocols for SIP, namely STUN, TURN and now ICE. Eric Krapf, the moderator of the session, is aiming to make it a more interactive and discussion-focused session (i.e. no slideware-to-death)… we’ll see if we can make it fun as well. I’ve also asked Interop for permission to record it and run it as a Blue Box podcast – we’ll see if they give me permission.
Note that if you are a CISSP, the ISC2 is holding a member reception today (Wednesday October 24, 2007) starting at 5:30 PM in Jacob Javits Center Room 1EO2 – LEVEL 1. Assuming that everything works with my flights today, I’ll be there.
I’ll even have some new business cards to give out… ;-)

P.S. I’ve now been public about who my new employer is.


Blue Box #69: Linksys SPA-941 vulnerability, SIP DDoS, New release of SIPVicious, Asterisk security roadmap, other VoIP security news, listener comments and more

Thursday, October 11th, 2007 by Dan York

Blue Box Podcast #69 is now available for download. In this 46-minute episode, Jonathan and I discuss the Linksys SPA-941 vulnerability mentioned in the VOIPSEC list, a potential SIP DDoS, a new release of SIPVicious, a suggested Asterisk security roadmap, other VoIP security news, listener comments and more.

Asterisk – what would your “security roadmap” for Asterisk be?

Tuesday, September 25th, 2007 by Dan York

If you are an Asterisk user, what do you see as the “security features” that it needs to have? I’m out here at the annual AstriCon event in Phoenix, Arizona, where on Thursday I am giving an “industry perspective” under the title: “Hacking and Attacking VoIP Systems – What You Need to Worry About”. Given that I’m doing the talk under the VOIPSA banner, I’ll be giving my “standard” view on what the main threats are to VoIP, the tools that are out there to attack them and the best practices to protect against those threats. However, whenever I do this kind of “industry view” at a conference like this, I always try to include a section at the end that is specific to the audience.

So in this case, I thought I’d tack on a bit at the end about a “security roadmap” for Asterisk, i.e. what are the top 5 things that Asterisk developers should be thinking about. My slides are actually done (and I’m currently at 6 items on the list), but I’m not going to really post them here until I give my talk. (Come on, I have to have a bit of suspense, don’t I?) In the meantime, I thought I’d ask the question here on the blog:

What security features do you think are necessary in Asterisk?

Well, okay, I’ll list three obvious ones: 1) TLS-encrypted SIP; 2) SRTP (yes, there’s a patch, but it’s not in the main load); and 3) SRTP key exchange (sdes, DTLS, ZRTP, etc.)

But what are the other three on my list? And what would be on your list? (And if you list some great ones I haven’t thought of I’ll be sure to credit you in my preso.)

By the way, Thursday should be an interesting day (for me) here at AstriCon because there are actually three talks related to security. Obviously mine but then one right before me from someone named Mike Storella and titled “Realizing the Benefits of a Secure VoIP Telephony System” and one in the afternoon from a Patrick Young titled “Enterprise VoIP Security“. It will be entertaining to see if we are all reading from the same general pages. I’m also going to see if I can get their permission to record the sessions and put them out as Blue Box special editions. We’ll see.

In the meantime, if any of you reading this are attending AstriCon, feel free to drop me a note as I always enjoy meeting up with readers.


FYI – I’m speaking on VoIP security at Ingate SIP Trunking Seminar Series Sept 11 in LA (concurrent with Internet Telephony Expo)

Friday, August 31st, 2007 by Dan York

FYI, for those of you attending the Internet Telephony Conference & Expo in Los Angeles on September 10-12, I’ll be participating in a panel session that is part of Ingate’s SIP Trunking Seminar Series. I expect it will surprise no one to learn that I’ll be on the panel about “Enterprise Security and VoIP” speaking on behalf of VOIPSA. My particular session is Tuesday, September 11, 2007, from 9:30-11:00 am. More details and the schedule are available online.

The sessions are free and open to anyone to attend.  Simply fill out the pre-registration form. If you are going to be there at the show, please do drop me a note, as I’m always interested in meeting readers or others interested in VoIP security.

BlackHat/DEFCON VoIP Security Tools Update

Wednesday, August 15th, 2007 by Dustin D. Trammell

There were a number of new tools released at the recent BlackHat and DEFCON conferences that I’ve just finished adding to the VoIPSA Security Tools List.

First, during the BlackHat Voice Services Security track, Himanshu Dwivedi & Zane Lackey spoke about attacks against H.323 and IAX. They released a number of tools including H225regreject, IAXHangup, IAXAuthJack, and IAX.Brute. Now you can easily launch many of the same attacks (as well as a few new ones) that you’ve known and loved from attacking SIP against both H.323 and IAX.

Next, Zane Lackey & Alex Garbutt debuted their RTPInject tool during the BlackHat turbo-talk track. It’s essentially a nice, pretty, easy to use GUI version of the RTP audio injection attack that I demoed last year at EUSecWest using the rtpinsertsound and rtpmixsound tools.

At DEFCON, Ian G. Harris released a tool called INTERSTATE which is a stateful protocol fuzzer for SIP.

Finally, I released my new RTP steganography tool, SteganRTP, at DEFCON. It uses steganographic data embedding techniques to create a covert channel in an RTP session’s audio payloads which it uses to transport its own custom communications protocol. The protocol provides user chat, file transfer, and remote shell access (if enabled).

All of the tools mentioned above can be found via the VoIPSA Security Tools List.

Podcast: "The Real Risks of VoIP Security" Panel from VON Europe 2007 in Stockholm, Sweden

Monday, August 6th, 2007 by Dan York

Were you unable to get to VON Europe ‘07 in Stockholm, Sweden back in June to hear the panel session on “The Real Risks of VoIP Security“?  Well now you can hear it.  Blue Box Special Edition #19 is now available for download.

In this session, our own Martyn Davies is the moderator and the panelists are Ari Takanen of Codenomicon, Cullen Jennings of Cisco and Akif Arsoy of Verisign.  Readers of the VOIPSEC mailing list will have seen posts from Ari at various times and it’s hard to escape Cullen in the world of IETF standards!  Rather than just going through endless slides, the panel engaged in a conversation based on questions from Martyn and then the audience.   It was a lively session with lots of good questions, interaction from all three of the panelists and Martyn with the audience… and Cullen making the kind of statement “that everytime someone from Cisco makes a statement like this we make ourselves subject to attack” (you’ll have to listen to understand that teaser :-)

I think you’ll find it both enjoyable and educational.  Thanks to Martyn for producing the recording and for Ari, Cullen and Akif for agreeing to have it distributed.  Thanks also to Carl Ford, Jeff Pulver and the rest of the VON team for allowing us to record and distribute the session.

Jonathan and I welcome any and all comments about these special editions.  You can leave them here on the VOIPSA weblog, on the Blue Box weblog, sent to blueboxpodcast@gmail.com or called in to our comment lines at +1-206-350-2583 or sip:bluebox@voipuser.org.