[VOIPSEC] Anyone at the 25th Chaos Communications Congress in Berlin and interested in doing some writeups for the VOIPSA blog?
Johansson Olle E
oej at edvina.net
Tue Dec 30 16:20:55 GMT 2008
30 dec 2008 kl. 16.55 skrev Dan York:
> VOIPSEC readers,
> Are any of you at the 25th Chaos Communication Congress this week in
> Berlin, Germany? http://events.ccc.de/congress/2008/
> If so, would you be interested in writing up any posts about some of
> the news coming out of the event for the VOIPSA weblog at http://www.voipsa.org/blog/
> I note that today there were announcements at 25C3 about serious
> vulnerabilities in DECT:
> And while that's not really "VoIP", per se, it is a technology that
> is being used to provide wireless handsets into VoIP systems. I
> noted that earlier there were discussions around iPhone security: http://www.heise-online.co.uk/news/25C3-Cracks-in-the-iPhone-security-architecture--/112321
> Again, not "VoIP" exactly, but "communications security" related.
> Anyway, if any of you are there and interested in writing something
> up for the VOIPSA blog, please do drop me a line.
I just heard that a group was using vulnerabilities in MD5 to crack
SSL by using rogue certificates.
It's really high time to move away from MD5 digests in SIP - the
problem is how to use another algorithm in the HTTP digest challenge/
response. And using SSL with certificates ... let's wait and see...
We have identified a vulnerability in the Internet Public Key
Infrastructure (PKI) used to issue digital certificates for secure
websites. As a proof of concept we executed a practical attack
scenario and successfully created a rogue Certification Authority (CA)
certificate trusted by all common web browsers. This certificate
allows us to impersonate any website on the Internet, including
banking and e-commerce sites secured using the HTTPS protocol.
More information about the Voipsec