Voice of VOIPSA

I am pleased to announce that the VOIPSA Best Practices project will be kicking off this week. As noted in the project description, the goal is to gather into one document the core set of “best common practices” that can be used to address the threats to VoIP that were outlined in the VoIP Security Threat Taxonomy project. I’m still making some changes to the wiki in advance of the formal project kickoff, but right now you can subscribe to the best practices email list if you would like to assist in the project. All are welcome, regardless of experience level. If you don’t want to join a mailing list, updates will be posted here on this blog from time to time.

The October edition of Internet Telephony Magazine (free download can be found on the TMC website) names the 100 Top Voices of IP Communications.  A nice list of industry thought leaders, including VOIPSA Chairman, David Endler.

The same issue also has an article about CALEA, if that floats your boat. 

 

Today SANS announced the 2006 version of their annual “Top-20 Internet Security Attack Targets” and for the first time, VoIP is included as one of the threats. The press release identifies six major trends in attack patterns and includes this:

5. VOIP (Voice over Internet Protocol) attacks used now to make money by reselling minutes and potentially for injection of misleading messages and even for creating massive outages in the old phone network.

The press release contains an “Expert Analysis” section with a contribution from Rohit Dhamankar, senior manager of security research at TippingPoint, that states:

Last year we saw many remote code execution vulnerabilities in Asterisk, a popular VoIP server that is being used by mid to large size companies. The FBI reports many VOIP systems are being compromised so criminals can sell minutes and leave the bill with the victim. But that’s not my major concern.

The VoIP system marries the IP network with the old-style phone network (SS7). The latter has not been accessible to hackers on an easy basis prior to the VoIP deployments. By compromising a VoIP server, an attacker now has the ability to inject bad messages in the phone network. One may ask, what would that do: The most disastrous consequence can be bringing down the old phone network.

A crash that happened in 1990 brought down a phone system for 9 hours -
http://www.cs.berkeley.edu/~nikitab/courses/cs294-8/hw1.html

Although the 1990 outage was not due to a cyber attack, such an attack is feasible in the near future by controlling a VoIP server.

While we all can debate whether a VoIP attack today could actually bring down the PSTN, the potential (however large or minute) is certainly out there and the larger point is that, as we have been saying here for quite some time, there are very real issues within VoIP security that do need to be addressed. Many, if not most, of those issues have solutions or ways to be mitigated, but doing so does involve some work and typically configuration changes, network improvements, etc.

The section on VoIP in the SANS Top 20 includes this text:

VoIP technology has seen rapid adoption during the past year. At the same time, there has been an increase in security scrutiny of typical components of a VoIP network such as the call proxy and media servers and the VoIP phones themselves. Various products such as Cisco Unified Call Manager , Asterisk and a number of VoIP phones from various vendors have been found to contain vulnerabilities that can either lead to a crash or a complete control over the vulnerable server/device. By gaining a control over the VoIP server and phones, an attacker could carry out VoIP phishing scams, eavesdropping, toll fraud or denial-of-service attacks.

Since many VoIP servers especially the ones at VoIP service providers are an interface between SS7 (traditional phone signaling) and IP networks, an attacker capable of compromising a vulnerable VoIP server could even potentially manipulate the SS7 signaling interconnection to disrupt services on the Public Switched Telephone Network (PSTN).

The section goes on to list CVEs related to Asterisk and Cisco Call Manager, and then includes a section on ways to mitigate those vulnerabilities. (Which is good input into the VoIP Security Best Practices project we are about to launch.)

It is great to see SANS putting the spotlight on VoIP, and we within VOIPSA look forward to continuing to work with people all across the industry to both point out the vulnerabilities in VoIP and also to help identify solutions to address the concerns.

(If you are just finding VOIPSA as a result of the SANS Top 20, you may want to look at the VoIP Security Threat Taxonomy that we developed last year. You may also wish to sign up on the mailing list for our VoIP Security Best Practices project that is about to launch.)

UPDATE: I should also note that the SANS Top 20 list also includes a section on “Phishing“, which does mention VoIP phishing as well.

P.S. Many thanks to the Blue Box podcast listener who sent in word that the SANS Top 20 had just been released this morning.

Blue Box Podcast #44 is now available for download. In this show, we cover the new SIP attack tools released by Mark Collier and Dave Endler, talk about the IETF meeting, ZRTP and Phil Zimmermann’s patent disclosure, Skype security issues, a war dialling script for Asterisk, listener comments and much more. Feedback is, as always, welcome.

Blue Box Podcast #42 is now available and covers a range of topics, including the security (or lack thereof) of VoIP service providers, news from the Internet Telephony conference, Skype security and the usual other VoIP security news, listener comments, etc.

Blue Box Podcast #39 and Podcast #40 were both made available for download last week. Both cover the usual recent VoIP security news, listener comments, etc., but Blue Box #39 discusses my recent trip to Fall VON 2006 and also gets into a discussion around 802.11i and why wireless VoIP doesn’t work now with a full PKI. Blue Box #40 also covers the continued VoIP fraud case that we started covering back in June or so. Skype security, of course, also gets more coverage in #40 as well. Please do give a listen - and comments and feedback are definitely welcome.

We have been a wee bit busy over at Blue Box in recent weeks, but the results are now appearing. I’ve uploaded three shows in recent days:

• Blue Box Podcast #38 is perhaps the only place you can hear about fugitive CEOs, Phil Zimmermann, Paris Hilton, Skype security, Asterisk, SIP and the IETF all in one place!
• Blue Box Special Edition #10 provides a great interview with Gary Miliefsky of Netclarity where we explore his views on the future of VoIP security, NIST and CVEs related to VoIP, his company’s tools and much more
• Blue Box Special Edition #11 dives into IMS security through an interview with Morgan Stern from Lucent who had just been on a panel at Fall VON 2006 on securing IMS. We cover his views on the challenges ahead for IMS, the various standards bodies involved, how to address lawful intercept and much more. Morgan also provided a copy of his presentation and links to a webinar on IMS that he recently gave.

All that and more is available… please do give a listen and let us know what you think.

Blue Box Podcast #36 is now available for download. In this super-sized show, we discuss the voice security talks given at Black Hat 2006 last week in Las Vegas. There is an interview with David Endler and Mark Collier about the VoIP security tools they released, an interview with Ofir Arkin about his talk on NAC and involvment with VOIPSA, and many other news items coming out of the conference.

Blue Box Podcast #34 is now available for download. In this show, Jonathan and I cover VoIP security news and then have a 27-minute interview with Yurie Rich and John Spence of Command Information about IPv6: What is new with security in IPv6? Is it really more secure? Who is using IPv6? etc. A good opportunity to learn what you do - or don’t - need to know about IPv6 and security.

Blue Box Podcast #32 is now available for download.  In this show, Jonathan and I provide a tutorial about ENUM, discuss the latest VoIP security news and address a range of other comments.  If you are not aware of ENUM and how it allows regular telephone numbers to be mapped to SIP URIs, you may find this very useful.