You can now follow VOIPSA on Twitter

Yes, indeed, the VoIP Security Alliance has joined the Twittersphere with:

http://twitter.com/voipsa

Feel free to follow us there if you are a Twitter user. The primary reason we are on Twitter is so that Twitter users can follow whatever blog posts we post here on the Voice of VOIPSA blog. We’ve noticed over time on other sites (and in our own actions) that some folks prefer to be notified of new blog posts via Twitter versus a RSS feed. So now you have that choice. Subscribe via RSS or via Twitter. We’ll respond to tweets as well, of course, but our primary goal is to provide another way to consume VOIPSA content.

If you are on Twitter, please do feel free to follow us. Thanks.

Looking for a few good VoIP security writers…

Are you interesting in writing about VoIP security? In providing updates on security news? Product reviews? Threat analyses? Notes about recent security advisories?

Would you like your writing to appear on this blog?

As you have probably noticed, the frequency of our posting here in recent months has dropped a bit. It’s definitely not for lack of content… anyone subscribing to a Google Alert on “voip security” or subscribing to the VOIPSEC mailing list will know that there are definitely ongoing VoIP security issues. But we collectively haven’t been writing all that often about those issues here on this blog. Many reasons… but mostly that those of us who have been writing for the three years since we started this blog have just been finding ourselves insanely busy and not able to make the time to write here frequently. A couple of folks have moved into roles where they no longer work directly with VoIP security. Others have started their own blogs or just gone on to other things.

So we are looking to recharge the “Voice of VOIPSA” writing corps a bit. Our goal all along has been to make this site a portal for news and analysis about “VoIP security” in whatever form that may take. We are looking for people who might be willing to write short notes about news stories related to security of VoIP, Unified Communications, etc. We are also looking for people interested in writing longer pieces like some of the deep analyses we have posted here in the past.

VOIPSA’s overall mission is to raise the level of discussion about communication security issues in the IP space – and we’re looking for anyone who would like to help us in doing that through this blog.

The only major requirement we have for writers here is that any pieces must be vendor-neutral, i.e. we are not looking for people to write here about how their company’s product will solve all your security woes. We’re not a marketing site for either VoIP or security vendors. However, we do welcome posts from people at those companies that talk about the general state of the industry. We also welcome posts from folks who may not be at any company in the space but are just passionately interested in the topic.

If you are interested in writing for Voice of VOIPSA, please send me an email expressing your interest and providing some background about your connection to VoIP security. If you write at an existing weblog, even on a completely different topic, it would be helpful if you sent along that link as well.

Thanks for continuing to follow this site and after three years of blogging, we’re looking forward to continuing to provide you information and analysis about VoIP/communication security for the next three years… and beyond!

Technorati Tags:
, , , , ,

Tricking SIP Endpoints Into Divulging Authentication Credentials

This is a neat trick. By doing a little up-front scanning and/or guesswork, an attacker can send an INVITE directly to a SIP user agent, causing the device to ring.  Then, when the user agent issues the BYE message to hang-up, the attacker can respond with a 407 Proxy authorization required message, causing the endpoint to then respond with it’s authentication credentials, essentially handing them directly to the attacker.

The page linked above indicates that this attack is currently implemented in the VoIP Pack for CANVAS, so it’s essentially packaged and ready to use for you CANVAS users.  You can see a video of this being used in CANVAS here.  I would expect to see this credential-harvesting attack in other exploitation frameworks or stand-alone tools shortly…

“UC Security” group now on LinkedIn

linkedin-ucsecurity.jpgIf you are a LinkedIn user (as I am), there is now a “UC Security” group that you can join. The description of the group is:

Unified Communications is blurring the boundaries between Voice, Video and Data networks. As such, security threats that used to be in islands are now easily traversing across the network boundaries. UC Security provides a forum for people to share the common security issues around UC.

I can see that several of the “usual characters” in our security circles are already members of the group.

As we mentioned back in July, there is also a VOIPSA group on LinkedIn which you are welcome to join as well.

I am still not personally entirely sold on the value of LinkedIn groups, but I do have to admit that some of the discussions have in fact been useful and interesting. If you are a LinkedIn user, you may want to check out these groups and join in the discussions (or at least promote the existence of the groups through having them on your LinkedIn profile).

Technorati Tags:
, , , , , ,

Shall We Play a Game?

HD Moore of Metasploit Project fame has just released a new set of free War Dialing tools called WarVOX.  What makes these new tools so interesting is that they leverage VoIP service providers to scan and analyze hundreds of phone numbers, finding modems, faxes, voice mail boxes, PBXs, loops, dial tones, IVRs, and forwarders much much faster than any modem ever could.  Check out the WarVOX screenshots which show the interface and slick reporting features.

Back Online

As some of you may have noticed, our servers were offline for the past 24 hours due to unforeseen circumstances.  It seems the recent global economic turmoil has not left VOIPSA unscathed.  Turns out our hosting provider was delinquent on paying their bills to their upstream data center provider.   Supposedly, the hosting provider’s management is no where to be found and did not respond to repeated billing inquiries,  leaving the upstream data center no choice but to unplug all of the hosting provider’s customers.

Apologies for the inconvenience and we’re working on moving to a more permanant and solvent hosting provider in the near future!

New book: “Voice over IP Security” from Cisco…

amazon-voipsecurity.jpgIt appears that there is a new book out on VoIP security named, rather simply, “Voice over IP Security“. It’s from Cisco Press and written by a Patrick Park. I haven’t seen the book yet but ITworld has an interview with the author. Amazon.com of course has some user reviews as well.

Good to see additional books coming out into the field. It will be interesting to see how this compares to the others out there.

P.S. If you have the book and would be interested in writing a review for this site, please feel free to contact me.

Technorati Tags:
, , , ,

VoIP fraudster Pena’s fugitive run comes to an end

Over the past three years, we’ve covered at great length the case of Edwin Pena and Robert Moore where Pena created a scheme where he apparently represented himself as a legitimate VoIP service provider – and then routed calls over other people’s networks. When last we left the story, Pena’s co-conspirator Robert Moore was sitting in jail while Pena was reportedly off somewhere in South American.

ComputerWorld now reports that Edwin Pena has been caught in Mexico and will be extradited back to the US. It will be interesting to see what, if any, new information turns up during his trial.

(Hat tip to Shawn Merdinger for passing along this link in the VOIPSEC mailing list.)

“SIP Trunking And Security” workshop coming up at ITEXPO on February 3, 2009

ITEXPO-East-logo-2.jpgIf you will be in Miami at ITEXPO February 2-4 you are welcome to attend a free “SIP Trunking And Security” session I (Dan York) will be doing as part of Ingate Systems’ SIP Trunking Workshops. The SIP trunking workshops are free to all attendees even if you only register for an exhibit pass.

My session will be 11:15-12:30 on Wednesday, February 3rd, and if you do attend please feel free to come up and introduce yourself (or drop me a note in advance to let me know to look out for you). I’ll be bringing my recording gear, too, and the talk will eventually go out in my Blue Box Podcast feed so you will be able to hear it later.

P.S. If you are attending ITEXPO and your company makes a product or provides a service related to VoIP security, please feel free to let me know and perhaps we can schedule an interview to go out as a Blue Box Special Edition.

Technorati Tags:
, , , , , , , ,

Truth in Caller ID Act Update

Welcome to the 111th United States Congress!  On January 7th, the bill that never made it through the Senate in the last Congress has been reintroduced as S. 30, the Truth in Caller ID Act of 2009.  It was apparently read twice and referred to the Committee on Commerce, Science, and Transportation.  It’s now got two more years to attempt to make it through the Senate and get signed into law…  Is anyone else as skeptical as I am that it’ll actually happen?  Remember, this bill started as the Truth in Caller ID Act of 2006.