VoIP/Network Security classes at upcoming ITEXPO show

Our friend Craig Bowser recently pointed out that TMC will have a schedule of “Network Security” classes at the upcoming ITEXPO in Miami on February 4th. The three classes are:

  • Security Threat Mitigation in Enterprise UC Environments
  • Securing the SIP Trunk
  • VoIP Security Best Practices

The companies involved are Acme Packet, Sipera and VoIPShield Systems, all of whom we’ve mentioned at various times either on this blog on over on Blue Box. Anyway, if you are heading down to ITEXPO, you may want to check out these session.

P.S. And if you ARE heading down to ITEXPO, please do let me know as I’ll be down there, too.

Fuzzing gets its own blog…

Over in his “Security: Secrets and Hype” blog, our friend Ari Takanen has announced because “Fuzzing Is Still Widely Unknown“, he’s going to evolve his blog there a bit:

Therefore, as a part of my new year resolution to change this blog into more generic fuzzing blog, I will start by sharing my experiences in the current state of fuzzing market. Based on a recent study by Gary McGraw and other well known security gurus, all major product security teams apparently use fuzzing (my comments on it here). But most (even security specialists) still seem to misunderstand what fuzzing really is about. So, I will focus on that here also. Enter the world of fuzzing!

Ari has a wealth of information on the topic of fuzzing (and has written a book on the subject) and so it will be interesting to see where he takes the blog. We’ll see…

Technorati Tags:
, ,

CNET: Why Obama’s cell phone calls will always go through

Interesting piece over on CNET today about “Why Obama’s cell phone calls will always go through“. Here is a snippet:

It may sound a bit like a storyline from the West Wing, but there actually is a branch of the government called the National Communications System tasked with ensuring that telecommunications related to “national security” remain intact and ready to use. President Kennedy created NCS in 1963, and its mandate has expanded to include high-priority Internet and mobile phone calls too.

While I assumed these agencies and systems were in place, I admit I did not know of their names. Browsing through the NCS website, it’s interesting to see the information that is publicly available. And yes, their advisory about the impending inauguration is probably right on… I imagine that cell phone traffic will just be a wee bit elevated over the next few days down in DC! 😉

Technorati Tags:
, , ,

Judge Rejects Feds’ Attempts to Eavesdrop On DTMF Without a Warrant

Score one for sanity.  Apparently the FBI believed that while eavesdropping on the audio of a conversation required a warrant, capturing any DTMF transmissions sent during the call did not.  From the CNet report:

Just about everyone knows that the FBI must obtain a formal wiretap order from a judge to listen in on your phone calls legally. But the U.S. Department of Justice believes that police don’t need one if they want to eavesdrop on what touch tones you press during the call.

Those touch tones can be innocuous (“press 0 for an operator”). Or they can include personal information including bank account numbers, passwords, prescription identification numbers, Social Security numbers, credit card numbers, and so on–all of which most of us would reasonably view as private and confidential.

That brings us to New York state, where federal prosecutors have been arguing that no wiretap order is necessary. They insist that touch tones cannot be “content,” a term of art that triggers legal protections under the Fourth Amendment.

Asterisk Security advisory – Information leak in IAX2 authentication

asterisklogo.jpgIf you are an Asterisk user, you should be aware that Digium has released AST-2009-001 Information leak in IAX2 authentication. The description is:

IAX2 provides a different response during authentication when a user does not exist, as compared to when the password is merely wrong. This allows an attacker to scan a host to find specific users on which to concentrate password cracking attempts.

The workaround involves sending back responses that are valid for that particular site. For example, if it were known that a site only uses RSA authentication, then sending back an MD5 authentication request would similarly identify the user as not existing. The opposite is also true. So the solution is always to send back an authentication response that corresponds to a known frequency with which real authentication responses are returned, when the user does not exist. This makes it very difficult for an attacker to guess whether a user exists or not, based upon this particular mechanism.

Digium classifies it as a minor security issue and notes in the advisory that patches are available.

Technorati Tags:
, , , ,

W3C Voice Biometrics workshop coming up in March

Through a colleague of mine, Dan Burnett, I just learned about an upcoming W3C Biometrics workshop in March in California around the subject of “Speaker Identification and Verification (SIV)”. As Dan writes:

To get more information from the knowledgeable public, W3C is holding a workshop to “identify and prioritize directions for SIV standards work as a means of making SIV more useful in current and emerging markets. ” The workshop will be held in early March at SRI in Menlo Park, California.

Although the paper submission deadline has passed, if you were unaware of this workshop and are dying to attend, please email member-siv-submit@w3.org as described in the Call for Participation.

More information can also be found on the W3C Biometrics Workshop site. Sounds like an interesting conference to attend… (Dan Burnett will be there, but I will not).

Technorati Tags:
, , , ,

Video demo of “sipautohack” tool

Over in the VOIPSEC mailing list, Shawn Merdinger recently pointed out a video produced by the folks at Enable Security to highlight one of their new tools, “sipautohack”, that they sell as part of one of their packages of tools called “VOIPPack”. From their description page, VOIPPack includes:

  • sipscan – Scans the network for SIP devices and identifies the user-agent and if the device is a PBX
  • sipenumerate – Enumerates extensions on a PBX server
  • sipcrack – Launches password attacks on the PBX server
  • sipautohack – Given a target network, this module will scan for SIP devices, enumerate any extensions on all PBX servers found and try to guess their password

This video, then, is a demonstration of the last of the listed tools:


Demonstrating sipautohack from Sandro Gauci on Vimeo.

We here at VOIPSA have no connection to this tool or vendor and cannot say anything positive or negative about the tool or company… it’s just another entry in the very long list of VoIP security tools out there (see our Tools list). I just think it’s great to see video screencasts out there showing what tools like this can do. (And if you have a screencast related to VoIP security out there you’d like us to mention, feel free to contact me.)

Technorati Tags:
, , , ,

FYI – “Security Bloggers Network” in transition… stay tuned…

For those of you who may be used to reading this blog through the “Security Bloggers Network” set up originally by Alan Shimel, you need to be aware that the “SBN” is going through a transition. As Alan details on his blog, Google is in the process of shutting down the “Network” feature of Feedburner and as a result the page and feed for the SBN will be going away.

Alan is working on a new solution but in the meantime you may want to grab the OPML file for the Security Bloggers Network (you should then be able to import this into most feed readers). There are a lot of great security blogs out there.

Stay tuned for more information – once Alan has another solution in place I’ll post an update.

XTest – a tool to test how well 802.1X endpoints secure your VoIP infrastructure

Back in August, the folks at Sipera’s VIPER Lab released a free test tool, XTest, that tests how well (or not) 802.1X with EAP-MD5 protects IP phones and the overall VoIP infrastructure. You can get it at http://xtest.sourceforge.net/.

(And yes, I’ve been meaning to write about this since back in August…. and was intending to write a more thorough review. Perhaps I will at some point, but for now I thought I’d mention the tool’s availability.)