Should vendors have to PAY a security research firm to receive detailed vulnerability disclosure?

This is a guest post from Andy Zmolek, Senior Manager, Security Planning and Strategy at Avaya, and past participant in VOIPSEC mailing list discussions and other VOIPSA activities. Andy asked if I could publicize this because he believes it is a discussion which we in the security community need to have.


Text by Andy Zmolek of Avaya:

Is it appropriate for a security research firm to require payment from a product vendor prior to detailed vulnerability disclosure? I received the following notification this morning from the CEO of a VoIP security startup:

“I wanted to inform you that VoIPshield is making significant changes to its Vulnerabilities Disclosure Policy to VoIP product vendors. Effective immediately, we will no longer make voluntary disclosures of vulnerabilities to Avaya or any other vendor. Instead, the results of the vulnerability research performed by VoIPshield Labs, including technical descriptions, exploit code and other elements necessary to recreate and test the vulnerabilities in your lab, are available to be licensed from VoIPshield for use by Avaya on an annual subscription basis.

“It is VoIPshield’s intention to continue to disclose all vulnerabilities to the public at a summary level, in a manner similar to what we’ve done in the past. We will also make more detailed vulnerability information available to enterprise security professionals, and even more detailed information available to security products companies, both for an annual subscription fee.”

I would like to solicit opinions about what appears to me to be a new challenge to infosec industry best practices. For those of you who work for software or equipment vendors, have you ever received similar notices from legitimate security researchers? Does anyone here believe the practice of equipment vendors making payments to security researchers in order to receive details about potential exploits is an acceptable business practice?

For infosec professionals, would you be comfortable purchasing services from a security research firm that follows such a policy?


NOTE from Dan York: In an effort to get VoIPshield’s perspective, I attempted to reach CEO Rick Dalmazzi but could only get his voicemail. (Perhaps because it is Canada Day and they are in Ottawa.) Andy Zmolek informed me on a call today that he had emailed Rick this morning asking when VoIPShield would be updating their Vendor Disclosure Policy (dated Nov 2007) that is on their Vulnerability Advisories page, as this email from Rick represents a significant departure from that stated policy. I also called the number of the PR contact listed on VoIPShield’s website but that extension went to a “general delivery” mailbox.

This post will be updated with information from VoIPShield Systems when such information can be obtained.



Apologies for the VOIPSA site outage last weekend

Our apologies for the outage of both this blog and the main VOIPSA web site over the last weekend – and many thanks to all of you who wrote in to let us know. We recently moved the site to a new hosting provider and unfortunately it seems that in the initial move they missed moving over the domain name. That has now obviously been fixed and we’re back in action. Thanks again to those who let us know.

“Indy Review” – Cisco: IP Communications, Voice over IP Security

Cisco Press and Patrick Park released “Cisco: IP Communications, Voice over IP Security” at the beginning of 2009. There is good knowledge transfer in this book for newcomers and, I suspect, a bit of review for seasoned practitioners. Either way, you’ll be given a nice primer on VoIP security from the packet level all the way through architecture. The book is divided into three areas: VoIP Security Fundamentals, VoIP Security Best Practices and Lawful Interception (CALEA). I’ll briefly describe some content from each area to give you a better idea of what is covered in the book and to help you get the most from your investment. I would encourage anyone reading this book to read the VoIPSA Threat Taxonomy version 1 side by side with it: http://voipsa.org/Activities/taxonomy.php

The first part of the book gets into VoIP security fundamentals, where you’ll read about inherited and protocol vulnerabilities. You’ll also find that Cisco Press classifies attacks into four categories: threats against availability, confidentiality, integrity and social context. They explain the call flows and security profiles associated with H.323 “D,E,F”, SIP and MGCP. If you have little to no experience with cryptography, they explain the functions and uses of a few implementations that are in use today. If you’re looking for network modeling for architecture and design, they have something in the book for you as well.

Switching gears to VoIP Security Best Practices, you’ll be introduced to analysis and simulation of current threats, where they talk about mitigating DoS, sniffing, spoofing and VoIP spam. This section of the book shows how to secure VoIP protocols with authentication, encryption, transport- and network-layer security, threat modeling and prevention. They give you an overview of how SBCs are deployed and used to address DoS, lawful interception (L.I.), exposed network topology and performance issues. Then they get into enterprise network devices and security devices, so you’ll be introduced to Cisco solutions like Call Manager, endpoints, ASAs, PIXes and FWSMs.

The last section of the book explains Lawful Interception (CALEA). It covers the requirements and standards that have been developed and implemented in Europe and the United States. There is also a walkthrough of how L.I. is generally implemented and “possibly detected”, and the examples in the book are not limited to particular geographic areas or countries.

I would recommend this book to folks who are looking for a solid introduction to VoIP security. After reading this book, along with the VoIPSA Threat Taxonomy (http://voipsa.org/Activities/taxonomy.php), you will be aware of the different types of attacks and the methods of mitigation that you may use to stop, or at least stall, your next attacker.

New Open Source VoIP software released

Two new versions of existing open source VoIP software were recently released and deserve mention.

Last week, the folks at SIPfoundry released the 4.0 version of their SIP server, sipXecs. I don’t hear a lot of talk about sipXecs, so let me say a few things about it here:

* It’s a great SIP software proxy/registrar package, with an active development and support community

* It’s free.

* It has a distributed component software design, which optimizes HA configurations for clustering

* It has a very intuitive web console GUI, and it has a bootable CD with all software pre-loaded on it

* Great documentation wiki. For example, I had a working SIP trunk configuration set up in under five minutes.

This is not to take away from other high-quality open source SIP server software projects like OpenSIPS, but I’ve been using and testing the previous version of sipXecs for a while now, and love this software. I’ve just started testing this exciting new 4.0 release. The most noticeable feature of this release is full SIP trunking and remote worker support (far-end and near-end NAT traversal, and HA media anchoring). What this means is that you have a full solution for running your own SBC and SIP proxy. The sipxbridge component of sipXecs is the SBC software component. With sipXecs and sipxbridge, you can set up a proof-of-concept service provider network in your home, set up an enterprise lab for interop testing and comparison to commercial SBC vendors, use the software as a security testing demo toolkit, or just use the solution to register your remote phones into your network and place outbound calls. Great job and thanks to SIPfoundry for this work.

A new version of the VoIP Hopper security assessment tool was released earlier this week, with Nortel VLAN discovery support. VoIP Hopper is a free security assessment tool that supports VLAN hopping: in essence, it mimics the behavior of an IP phone for the Voice VLAN discovery protocol or mechanism, then rapidly automates a VLAN hop, tagging the DHCP request and all subsequent voice traffic with the discovered Voice VLAN ID. Since most new VoIP deployments segment voice onto discrete Voice VLANs to meet QoS requirements, an attacker must sometimes first gain access to the Voice VLAN as a prerequisite vector before running other VoIP exploits. VoIP Hopper enables a regular PC to become a member of the IP phone VLAN. The tool is simple yet powerful, and has been used in many security assessments in the past. The new features of VoIP Hopper:

* Nortel Voice VLAN Discovery and VLAN Hop

* A new CDP Spoof mode for more rapid and automated VLAN Hop in a CDP network

* An integrated DHCP client 

From the VoIP Hopper website, the next features planned for VoIP Hopper are LLDP-MED support and trunk port testing.

Finally, I recently used the SIPVicious tool in a remote VoIP security assessment, and it’s a very useful tool that any VoIP security professional should have. When you look at the business risk of toll fraud / service theft, this tool can be pretty valuable in enumerating vulnerabilities that expose your business to remote attackers trying to gain unauthorized access to your VoIP network and place unauthorized calls. As VoIP proliferates, we’ll see more usage of tools like this to conduct reconnaissance of open SIP services, enumerate valid users, and brute-force subscriber/user passwords. On the proactive protection side, it’s also good to see folks contributing open source proofs of concept for mitigating this risk. Here is a “Simple Asterisk Based Toll Fraud Prevention Script”. If you use an active-response firewall/IDS/IPS solution, you could actually detect toll fraud / service theft attempts based on a signature, and have your VoIP IPS and/or firewall block the source IP address of the would-be attacker. Call it a “Voice Toll-Fraud Intrusion Prevention System” (VTIPS) ;-). Good to see open source software progress in this direction.
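To make the “VTIPS” idea concrete, here is an added example (not code from the post, from SIPVicious, or from the toll fraud prevention script it mentions) of the detection half of such a system: it reads Asterisk-style chan_sip “Registration from … failed for …” NOTICE lines, counts failed REGISTER attempts per source IP, distinguishes password guessing against one extension from enumeration across many extensions, and renders an iptables DROP rule per flagged address. The log lines are constructed for the example, and the thresholds are arbitrary assumptions a deployment would tune; the exact message format of other SIP servers will differ.

```python
import re
from collections import defaultdict

# Constructed Asterisk-style chan_sip log lines for the example; not a real capture.
# Addresses are from the documentation ranges (RFC 5737).
SAMPLE_LOG = """\
[2009-05-04 10:00:01] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '198.51.100.7:5060' - No matching peer found
[2009-05-04 10:00:01] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '198.51.100.7:5060' - No matching peer found
[2009-05-04 10:00:02] NOTICE[1234] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '198.51.100.7:5060' - No matching peer found
[2009-05-04 10:00:02] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[2009-05-04 10:00:03] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[2009-05-04 10:00:03] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[2009-05-04 10:00:05] NOTICE[1234] chan_sip.c: Registration from '"301" <sip:301@192.0.2.10>' failed for '203.0.113.22:5060' - Wrong password
[2009-05-04 10:00:09] NOTICE[1234] chan_sip.c: Registration from '"301" <sip:301@192.0.2.10>' failed for '203.0.113.22:5060' - Wrong password
[2009-05-04 10:00:10] VERBOSE[1234] chan_sip.c: -- Registered SIP '301' at 203.0.113.22:5060
"""

# Matches the failed-REGISTER notice; the port suffix after the IP is optional
# because not every Asterisk version logs it.
FAILED_REG = re.compile(
    r"Registration from '(?P<user>[^']*)' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?'"
)


def parse_failures(log_text):
    """Return one (source_ip, user) tuple per failed REGISTER line; other lines are ignored."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_REG.search(line)
        if m:
            failures.append((m.group("ip"), m.group("user")))
    return failures


def find_offenders(log_text, max_failures=5, max_distinct_users=3):
    """Group failures per source IP and flag an IP that crosses either threshold.

    Many failures against the same extension look like password brute forcing;
    failures spread across many extensions look like extension enumeration.
    Thresholds are assumptions for the example, not recommended values.
    """
    per_ip = defaultdict(lambda: {"failures": 0, "users": set()})
    for ip, user in parse_failures(log_text):
        per_ip[ip]["failures"] += 1
        per_ip[ip]["users"].add(user)

    offenders = {}
    for ip, stats in per_ip.items():
        brute = stats["failures"] >= max_failures
        enum = len(stats["users"]) >= max_distinct_users
        if brute or enum:
            offenders[ip] = {
                "failures": stats["failures"],
                "distinct_users": len(stats["users"]),
                "reason": "brute force" if brute else "enumeration",
            }
    return offenders


def block_rules(offenders):
    """Render one iptables DROP rule per flagged source IP (standard iptables syntax)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(offenders)]


if __name__ == "__main__":
    flagged = find_offenders(SAMPLE_LOG)
    for ip, info in flagged.items():
        print(f"{ip}: {info['failures']} failures, {info['distinct_users']} users, {info['reason']}")
    for rule in block_rules(flagged):
        print(rule)
```

In the sample, 198.51.100.7 fails six times across four extensions and is flagged, while 203.0.113.22 fails twice against its own extension and then registers successfully, which is what a mistyped password looks like; a real deployment would also age out counters over a time window so a single typo-prone user is never blocked.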

New Threats, Old Friends

On a lightning visit to the Infosec show in London, I chanced to meet with Ari Takanen of Codenomicon (fuzzing and quality assurance experts). Ari has a new book out: “Fuzzing for Software Security Testing and Quality Assurance”, from Artech House, available at Amazon.com and (as they say) all good bookstores. Of course, just because there’s a credit crunch doesn’t mean that security is any less of a problem, and it doesn’t mean that software defects are any better. It sounds like Codenomicon have a pretty good market niche.

Enigma Machine

Facetime were talking about their new Unified Security Gateway. This appliance goes beyond URL blocking and reporting, and implements reporting for VoIP and Skype, and the whole range of IM and P2P applications. In addition they have some pretty granular tools for finding out how social sites like Facebook (FB) and Myspace are being used, and what the resulting bandwidth usage might be. You can even drill down into the subsections being used (apps, music etc.), which will be useful as FB is increasingly used for legitimate messaging and networking purposes in business. Facetime’s “special guest” on the stand was an original Enigma encryption device, brought down from Bletchley Park (a.k.a. “Station X”), the UK’s premier code-breaking museum. This is a refurbished and fully working Enigma, and on the Facetime stand they were even allowing us to have a go. I can report that it is satisfyingly mechanical to use.

AEP were also there showing some high-grade encryption equipment for giving remote sites access to secure systems. Law enforcement and government customers have a legal duty to protect the data that they handle, and even remote users (or temporary sites) must protect data from snooping. Data at rest is a particular risk, and UK government agencies have embarrassingly lost large numbers of laptops and pen drives in recent years. It’s safer to leave the data in the secure site (rather than on a USB stick) and access it over secure links when needed. The AEP solution fits into a laptop bag, and enables a team of people to share secure data and VoIP links to a central site, routed over any convenient satellite, 3G or WAN link.

The Infosec show is still on today and tomorrow at Earls Court exhibition centre in London.

Annual breach reports, is anyone listening?

Verizon recently released its data breach report for 2009. I was interested in reading this as I still have the 2008 report. What better way to educate yourself on trends, good or bad, than comparing historical data when someone else has taken the time to do the work for you? Quickly comparing the two reports, I was surprised to find that very little appears to have changed. I was hoping to see improvements: increased awareness, improved processes mitigating attacks, and possibly new attack vectors arising because of that vigilance. Unfortunately this was not the case.

The most telling part was the section on attack difficulty. In 2008 approximately 55% of attacks required no skill or only that of a ‘script kiddie’. In 2009 this total decreased to 52%, but surprisingly the share needing ‘no skill’ increased, from 3% to 10%. Based on this report it appears that security professionals are not getting the message across regarding the basics of securing systems. I understand that this is one report from one vendor, but Verizon is a known name as a provider. You have to assume they respond to and investigate claims by customers of their service offerings, so the report should carry some weight regarding security threats and trends.

One wonders whether this report opens a window onto the current state of VoIP security. Even during difficult economic times, VoIP deployments appear to be maintaining a good pace. The cost of deploying VoIP, measured against the operating-expense ROI (using the existing IP network for inter-office calls, SIP trunking, unified communications to streamline business processes), is still attractive. Regarding a VoIP security focus, are we in the industry doing enough to emphasize the need to secure VoIP? What can we do to improve getting the message across?

Making Phones Theft-Proof

Of course you can’t stop criminals from stealing mobile phones; they’re small, they’re expensive and there are many channels (online and offline) for selling the handsets on. However, it should be possible to make the things useless once stolen, to make resale difficult or impossible, ultimately reducing the demand for theft.

The Design Council in the UK are currently running a competition to generate ideas to make mobile phones safer, with the best idea receiving support to the tune of £100,000 to develop the idea further. This seems to me a whole lot better way to raise money than appearing on Dragons’ Den for a ritual butt-kicking and dilution of your share capital.

As I discovered to my cost at the recent Mobile World Congress in Barcelona, mobile phone crime is rife, and a barbarian horde of dark ages proportions is seemingly there working the city for February. I heard tales of muggings, crews targeting group dinners in restaurants, and of course pickpockets. One friend of mine had an experience in the Metro with one guy blocking his way, while another tried to slip a hand into his pocket from the other side. My friend is over 2m tall, and looks more like an international rugby player than a telco geek, and probably could have wiped the floor with both of them at the same time. Some of these teams have no fear.

In my case, my Nokia smartphone disappeared never to return. They got no satisfaction from the SIM card (which was PIN-locked), but sadly I had disabled coded locking on the handset itself, making it a useful asset, possibly worth £70 on Ebay. Just look for smartphones with no cables, no charger, no manual; guess where they came from?

Incidentally, my phone was marked with a label from yougetitback.com, a worthwhile property registration and return service. Sadly in this case, the phone didn’t fall into the hands of “friendlies”, but rather those of WeHaveNickedYourPhone.com.

Of course with smartphones the problems don’t stop with your cellco contract being exposed to call fraud, or the sale of the handset itself. The phone also contains signup information in applications, and the data itself. In my case, several applications were installed including Skype, Truphone and Gizmo. A lot of VoIP apps have the capability to connect out to the PSTN using some kind of pre-pay balance, which of course could also be at the mercy of a crim once he gets his hands on your smartphone.

With the proliferation of app stores, many handsets may also be ready to provide “free” downloads to the enterprising criminal. In general, there is a lot of industry work going into making mobile phones into “wallets” that can be used for a whole variety of micro-payments, for example car parking fees. In addition there may be DRM-locked content in the handset when it is stolen; it has a monetary value, and yet is difficult to claim on insurance.

Smartphones can potentially have a lot of different apps loaded, and if we are lazy we might have them set up (for our own convenience) to log on automatically to countless online systems. The risk is not only financial; it also opens you to impersonation and data theft via the variety of online services that you access from your phone.

We certainly need to think hard about the way we use services and the way we buy using our mobile handsets. PIN-codes, passwords, time-locks and encryption are tools that we should have enabled, even though it means more inconvenience for us to make calls, lookup our location and so on. I hope the £100K Design Council bursary generates some good ideas, and for my barbarian friends that visit Barcelona each February, let me wish you failure and humiliation in your every venture.

Amusingly, at the time my phone was stolen, I was running a number of location applications including Palringo, Buddycloud and I think also Google Latitude (and yes, it does run hot with all the apps running!). A friend suggested that we go and look-up where the handset travelled to, and then put the Police on to them! Sadly, in this case the crim was not so dumb, and had already powered-off the phone. That would have been sweet revenge indeed.

European legislation will force usage of encrypted VoIP

Last year Sweden enacted a law giving the Powers That Be the right to listen in on all Internet traffic crossing the country’s border. Sweden was just the first country to put such legislation into play. When I was visiting the CeBIT fair in Hannover earlier this year, I learned that Germany is also putting such legislation in place and that other EU countries will follow suit.

The really grave issue here is that the Powers That Be can monitor and intercept such traffic without needing a court order. Yes – you read this correctly. It is no joke.

So what does this have to do with your legal VoIP traffic?

The huge problem with this scenario is that you will have low-level clerks listening in on your business conversations. In theory, the VoIP packets passing over the wire will never get into the hands of a third party other than the person monitoring your conversation. In certain parts of the business world the climate is so harsh that corporate espionage is more the rule than the exception. The easiest way to get information is to pay someone to leak it to you. So all you really need is access to the right one of those low-level clerks, and to pay enough money to get hold of the information.

Do not get me wrong: I am not saying that everyone on the planet is corrupt, but it would be sticking your head in the sand not to believe that corruption exists. Even in what appear to be more open European countries, corruption exists. It would thus be very strange if a low-paid clerk never gave away information to the wrong people.

Also, if a clerk is approached by a company from their own country and asked to “help out with the foreign competitors”, this may be deemed morally acceptable. After all, who does not want to help their own kind? In fact, this is really nothing new, and it is not uncommon for this to be done pro bono. From time to time we read about the Powers That Be handing over secret information about foreign competitors to domestic companies.

In a country like Germany especially, people are not happy. People from the former East Germany still have the workings of the Stasi fresh in their minds. Most Germans seem to be very wary of anything to do with monitoring and signal interception.

The current legislation in the various countries regarding signal interception is still too new to have had any negative impact on law-abiding citizens. However, it is only a matter of time before we read in the press about company secrets being spilled by persons close to, or working in, the Powers That Be. When this happens the press will have a field day.

The net result is that when this happens, many more people will actively begin to seek encryption capabilities for their business communication. First will be email. Second will be VoIP traffic. Telephony is still a very important business tool.

A very interesting observation so far is that European VoIP equipment manufacturers are putting readily available encryption schemes into their offerings, to a greater extent than their American counterparts. This may have to do with what the market wants. A recent BBC Digital Planet podcast outlined the same view: it seems that in Europe we are much more concerned about privacy than elsewhere.

Currently there are a slew of providers offering encrypted telephony solutions, and there are even a few that do encrypted VoIP. If the offering is done right, these companies will become the heroes of 2010.

After reading this article you should really ask both your equipment vendor and your service provider if they are planning to offer encrypted VoIP. My guess is that they will probably look at you with blank eyes and not understand what you are asking.

New voices coming soon to “Voice of VOIPSA”…

I’m very pleased to say that the response has been great to my request for new contributors to this site and over the past few days I’ve given author credentials to nine new authors. They represent a great range in experience and geography. A couple are seasoned VoIP/communication security professionals who have been around VOIPSA circles for a while and in a couple of cases have written books on the topic. (Some I’ve written about here or interviewed on Blue Box.) Others have been involved in security or VoIP but haven’t really had a profile in “VoIP security”, per se. And there are a couple who are brand new to the field but have some great passion to contribute.

I’m also pleased that we’ve added a couple of Europeans so that Martyn Davies is no longer holding down the fort as the only non-US regular contributor. We’ve also added our first contributor from India (or for that matter anywhere in Asia). While the vast majority of VoIP security issues have no relation to geography, there are of course laws and regulations that come up in different regions, as well as regional news items, and so it is nice to have a wider geographical distribution.

Thanks again to all who responded (and we’re still open to others) and we look forward to the additional posts they may bring over time.

Our whole goal with this site is to create conversations around VoIP / communications / UC / SIP security regarding what the issues are, what the “real” dangers are (as opposed to those sometimes hyped in the mainstream media), what the solutions are, etc. so that in the end we will all have safer and more secure communication systems.

Thanks to all of you – both writing and reading – for joining in that conversation.

