Calling All Vendors! Test Your SIP over TLS at SIPit 29 Oct 24-28 in Monaco

SIPitAre you a vendor of SIP software or hardware devices? If so, do you support SRTP or SIP over TLS? If you do – or are thinking about doing so – why don’t you join Olle Johansson for some interoperability testing at SIPit 29, October 24-28, in Monaco?

Olle raised just that suggestion today in the VOIPSEC mailing list and said that he will be there focused on testing VoIP security (and also IPv6). As he said:

Customers need at least first hop TLS and SRTP to work as expected. They also need interoperability between devices. To get interoperability, everyone needs to work with it. It just doesn’t happen by accident. SIPit has been organised twice a year for 15 years in order to get the amount of interoperability we have today in SIP.

If you develop SIP software or devices – register for SIPit now. If you are a customer and have seen issues in this area, remind your vendors to participate. The more we are, the more time we can spend on VoIP protocol security.

The SIPit test events are outstanding places to go and test your software or hardware. For the relatively small fee and your time and travel, you have access to an incredible test bed in the form of all the other vendors participating. Where else will you get to interact with designers and engineers from all the major vendors and not only test your software/hardware, but also re-test your equipment if you try some fixes while you are there.

You still have time to register for SIPit29 and join Olle and others in the security testing.

P.S. If you aren’t aware of the SIPit events, more info can be found on the main SIPit site. They are held twice a year in various locations. The summaries of past SIPit events give you a good flavor for the type of testing that goes on.

Skype for iOS/iPhone Vulnerable to Cross-Site-Scripting (XSS) Attack

News from the SUPEREVR security blog is that Skype for iOS is vulnerable to a cross-site scripting (XSS) attack that allows an attacker to send someone a message and, for instance, capture that user’s address book from their iPhone.

The author of the article posted a video that demonstrates the attack:

He further states in a tweet that he notified Skype of the vulnerability on August 24th:

In case anyone is wondering, I disclosed the vulnerability to Skype on 8/24. I was told an update would be released early this month.

Skype has issued a statement through their PR firm:

We are working hard to fix this reported issue in our next planned release which we hope to roll out imminently. In the meantime, we always recommend people exercise caution in only accepting friend requests from people they know and practice common sense Internet security as always.

Skype’s mitigation recommendation is a good one as the default privacy setting is typically that you can only receive chat messages from people on your Contact list. Therefore, the attacker would have to be someone who you have authorized and added to your contact list.

Meanwhile, hopefully Skype will be out with their update soon.

P.S. Hat tip to Tom Keating for writing about this exploit as that was where I first learned of it.

New Android Malware/Trojan Records Your Phone Calls

AndroidtrojanNews out of the CA Security Advisor Blog today is that there is a new piece of Android malware that records phone calls that you make on an Android phone. The post author, Dinesh Venkatesan, goes into some detail about what they found – and how they found it – in testing this malware.

While this is not a “VoIP” issue, per se, as the trojan seems to record calls over the “regular” phone connection it is a general communications security issue and something we all have to watch out for. Over on the ReadWriteWeb, Dan Rowinski published a good piece putting this malware in context with other recent Android malware.

The net of both posts is that ultimately you need to be extremely careful about the source of applications you are installing on your Android phone – and what permissions you are granting them.

Meanwhile, I expect that we’ll continue to more creativity coming out of the attacker community..

Image credit: CA Security Advisor Blog

VoIP Fraudster Pleads Guilty to $4.4 Million USD Theft of Services from AT&T, Verizon, Others

FbiNews out of the U.S. Federal Bureau of Investigation (FBI) last week was that a New Jersey man pled guilty to charges that he and his co-conspirators stole over $4.4 million USD of VoIP services from a range of VoIP service providers including AT&T, Verizon and many others.

Reading through the FBI news release, the scam really has nothing to do with “VoIP security”, per se, and everything to do with “social engineering.” Essentially, the group managed to appear to be a legitimate business so that VoIP service providers would let them resell their services to businesses. They then resold that service and pocketed the money without ever paying the service providers.

From the news release, it seems to have been a rather extensive scam:

To make it appear as if the shell companies were legitimate VoIP wholesalers and to induce the victim providers to extend credit to the companies on favorable terms, Tonangi and his co-conspirators took several fraudulent steps, including establishing fake business addresses for the shell companies at prominent New York locations, including the Empire State Building.

The co-conspirators also used Internet-based answering services that purported to connect callers to the shell companies’ various departments, such as accounts receivable and marketing, but really connected to cell phones controlled by the co-conspirators.

Tonangi and his co-conspirators created shell company e-mail accounts in the names of non-existent employees for communicating with victim providers; websites that contained false information, such as the names of non-existent employees and the companies’ fabricated qualifications to serve as VoIP wholesalers; and aliases to negotiate the purchase of VoIP services.

They also fabricated year-end financial reports that bore the logo of a national accounting firm in order to give the appearance that the shell companies’ financial reports had been reviewed by that firm.

When the victim providers sold VoIP services to the shell companies on credit, Tonangi and his co-conspirators would “bust out” the account by causing the companies to use substantially more VoIP services than the companies had been approved to buy in such a short period of time. The co-conspirators would do this over weekends and holidays so that the providers would not notice.

When the invoices for the services came due, the co-conspirators would send fake wire transfer confirmations via e-mail or submit small payments to keep the victim providers from cutting off service.

If victim providers sued or threatened to sue the shell companies, Tonangi and his co-conspirators would respond in legal pleadings or letters that they prepared in the name of a non-existent attorney, Frank Soss. Tonangi and Bhambhani created and used a fraudulent United States passport in the name Frank Soss by downloading and altering a exemplar passport image and photograph from the Internet.

Given the degree of subterfuge undertaken by the group, I’m not at all surprised that they fooled numerous companies into extending credit for VoIP services. When you are doing due diligence on a new customer, you would explore many of the avenues that these folks seem to have covered.

It’s not clear from the news release or any other information I’ve seen online what if any VoIP technology was used here but given that the group was acting as a legitimate business they didn’t need anything very sophisticated. Many software and service options would have met their needs.

It’s good to see the FBI successfully cracking this fraud ring… sadly I’m sure there will be others as we see the increased usage of VoIP across the industry.

P.S. Thanks to J. Oquendo in the VOIPSEC mailing list for alerting us to this news from the FBI.

Voipscanner.com – a hosted service for scanning IP-PBXs

VoipscannerThis week at the SIPNOC event near DC, an attendee asked if I knew of any hosted services that would scan the external interface of a network to see if the VoIP services were secure. He sells SIP connectivity to small businesses, many of whom typically have purchased an IP-PBX from somewhere like a retail store and have minimal IT expertise. He wondered if there was a service he could refer these small businesses to so that they could check the security of their system. Basically something for VoIP along the lines of hosted services like “Shields Up” that will check the security of your firewall.

I didn’t know of such a service, but posted the question to the VOIPSEC mailing list. A couple of people contacted me privately about some services in the works, but then someone did pass along a link to a public service available now:

https://voipscanner.com/voipscanner/

Now, I’ve not used this service but I’m certainly aware of Sandro Gauci and a number of the different tools he has been working on, including SIPVicious and VOIPPACK. After watching his short video and seeing the sample report, this definitely looks like an interesting service.

Of course, with any hosted service my security paranoia is heightened and I want to know what will be done with my data. Will the scan of my IP-PBX be recorded on the Voipscanner.com servers? Will a copy of my report be saved there? Basically… can I trust the site? In looking through the terms of service after you click the graphic to “apply” for access I didn’t see any wording around this… but it’s also Friday and I’m tired… I could have missed it.

Anyway, this service is out there and for those of you comfortable with using such a service it may be useful for you. If you know of other similar services I’d also love to hear about them.

Speaking at SIPNOC on SIP Security – What Would You Like Me to Say To Service Providers?

Sipnoc2011 1Tomorrow I will be in Herndon, Virginia, outside of Washington, DC, at “SIPNOC: The SIP Network Operators Conference“. I will be speaking in two sessions (details here), one of which is a panel about “SIP Adoption and Network Security” and will include two other panelists from Acme Packet and Sipera Systems.

The panel discussion is planned to be about what are the primary security issues related to wider deployment of SIP at the network operator / service provider level, and what can we do about them. The discussion will be in a room full of people from various large operators / service providers.

I have my list of topics I intend to raise, but I’m curious about what you all might say… if you were to stand up in front of a room of network operators to talk about how they could improve the security of their SIP networks… or what the major issues are that you see… what would you say?

If you have thoughts, please do leave them as comments here. As I am on the panel representing VOIPSA, I’m certainly glad to incorporate comments from the wider community.

P.S. If you are at SIPNOC this week, please do say hello!

VoIP Security and the Service Provider

I recently had the opportunity to sit down with David Cargill, member of the council at the ITSPA trade association (www.itspa.org.uk). David is chairing the VoIP Security committee at ITSPA, and I wanted to ask him about that.

MD: Firstly, tell me something about ITSPA, and its goals?

DC:
The Internet Telephony Service Providers’ Association was formed in 2004 to represent UK based network operators, service providers and other businesses involved in VoIP services. ITSPA members supply to business and residential consumers within the UK and across the European Union. ITSPA aims to promote competition and self-regulation in order to encourage the development of a flourishing and innovative VoIP industry.

MD:
You’ve recently formed a VoIP Security committee; what was the spark that drove you to do that?

DC: Industrial-grade scanners are now operating around the clock to find and exploit IP-PBX’s and VoIP handsets that are not secured. The majority of these are operated by low level fraudsters which can be stopped by taking fairly simple security measures.

The Security Committee was setup with two primary aims: firstly to collate and share information on relevant security issues to ITSPA members, and secondly to produce and distribute Best Practice Papers on key security issues to ITSPA Members as well as to existing and potential VoIP customers.

MD: What are the main threats that you are focusing on?

DC: We’re currently focusing on hacking of IP-PBX’s and VoIP telephones.

MD: Are these the main problems perceived by customers, and is this driven by them?

DC: When you mention VoIP security, most people think about Eavesdropping. While hackers can eavesdrop on media streams and intercept VoIP packets, eavesdropping is not simple, whereas hacking into unsecured IP-PBX’s is not only simple, it can be done using free tools downloaded from the internet.

Many VoIP users don’t seem to be concerned with security until they have been hacked, the driver for this is that while ITSPA members have systems for protection from exploits for their core systems, often their downstream customers do not. For example a reseller of an ITSPA member, sells SIP trunks to an end user who then downloads free PBX software, like Asterisk, and gets the system online. The system is then hacked resulting in a large phone bill for the end user and customer service problems for the reseller and service provider.

MD: And what actions are you taking? Is it mainly an exercise in education for partners and customers?

DC: Yes it is. The strength of ITSPA is that we’re getting input from across the VoIP industry, enabling Service Providers to pool their knowledge and experience for the common good. So internally within ITSPA service providers are sharing information on new exploits as well as the external drive to raise awareness of the threats and solutions to partners and customers.

MD: Will the committee go on to tackle further VoIP Security issues?

DC: The barbarians are at the gates, 24/7 and we need to be vigilant. The ITSPA Security Committee is planning a pro-active program to keep its members and the wider VoIP community up to date with key security issues as they develop.

MD: Overall would you say that security is more of a problem for VoIP than for conventional voice services?

DC: No, PBX’s have been targeted by hackers for years, starting with people who could whistle the right tones into a handset in the 1960’s. The difference now is that IP-PBX’s can be downloaded for free, so it’s a problem of scale and understanding, as the number of the hackers has increased exponentially and many IP-PBX’s are setup by people with little understanding of VoIP let alone network security.

It’s also worth mentioning that many ITSPA members provide Hosted VoIP services, where in effect they operate the PBX in the cloud on behalf of their customers and ensure that the service is run securely. Customers of reputable Hosted VoIP services are not at risk of being hacked by fraudsters looking to make free calls.

MD: Is your initiative open for other service providers that want to get involved?

DC: At this stage it’s an ITSPA initiative with news and updates to be posted on the ITSPA Directory (http://directory.itspa.org.uk) but if anyone would like to get involved or would like further information they should contact us at admin@itspa.org.uk

David Cargill is CTO of Coms plc and an ITSPA council member.

Is TelePacific’s SmartVoice Outage a Result of SIP Attacks?

TelepacificIs the voice service outage that TelePacific Communications experienced today the result of cybercriminials attacking TelePacific’s SIP infrastructure?

TelePacific offers a service called “SmartVoice” that appears from their website to be the basic type of SIP service provided by many service providers these days. On March 24th, they started experiencing an outage and their Twitter page tells the tale, from the initial report to the beginning of a recovery to a 50% recovery to more reports on March 25th through to full restoration on the 25th.

Today, however, there is a report in Channel Partners Online provocatively titled: “TELEPACIFIC NETWORK OUTAGE: CYBER-TERRORISM?” The article quotes TelePacific President and CEO Dick Jalkut:

Jalkut said the “cyber attack choked our servers and resulted in a significant loss of service to customers – in most cases an inability to make and receive calls.” But the attack did not impact customers’ Internet or data services.

He goes to say that they have implemented further monitoring and protection, particularly in their session border controllers.

At this point TelePacific indicates they have engaged the FBI to assist in tracking down the external sources of the attack. TelePacific also indicates that they plan to more information during upcoming industry forums and I look forward to hearing more about this. From the bare details provided thus far, it certainly sounds like an attack focused on their SIP infrastructure – and it would be good for the rest of the industry to hear about and learn from.

P.S. Kudos to TelePacific, too, for what appears to be a solid use of Twitter as a way to keep customers and others informed of what was going on during the outage.


If you found this post interesting or helpful, please consider either subscribing via RSS or following VOIPSA on Twitter.


Two Asterisk Security Advisories, Including One Critical Remote Vulnerability

The Digium security team issued two security advisories this week for Asterisk:

The second one, AST-2011-004, is the far more concerning because it indicates that a remote attacker could connect to an Asterisk system and cause it to crash.

The solution, in both cases, is to upgrade to the latest Asterisk releases.

UPDATE: 3/18/11 – Olle Johansson pointed out on Twitter:

Either upgrade or do not use SIP/TCP. Installations only using SIP/udp is not affected and do not need to upgrade.

Thanks for the clarification, Olle.