[VOIPSEC] Voipsec Digest, Vol 54, Issue 2

Radu State radu.state at loria.fr
Thu Jun 4 15:10:25 EDT 2009

Hi all,

I am reading SIP Security now and the book is great. It covers many
aspects of the security of SIP and, most importantly, it's written
in a very clear and easily understandable way.

I can post a complete review of it in a few days from now.


On Jun 4, 2009, at 1:00 PM, voipsec-request at voipsa.org wrote:

> Today's Topics:
>   1. SIP Security (Saverio Niccolini)
>   2. Re: Is there a anti-phishing "blackhole list" of phone
>      numbers? (Geoff Devine)
> ----------------------------------------------------------------------
> Message: 1
> Date: Wed, 3 Jun 2009 13:36:44 +0200
> From: "Saverio Niccolini" <Saverio.Niccolini at nw.neclab.eu>
> Subject: [VOIPSEC] SIP Security
> To: "Voipsec" <Voipsec at voipsa.org>
> Message-ID: <547F018265F92642B577B986577D671C10B417 at VENUS.office>
> Content-Type: text/plain;	charset="US-ASCII"
> Hi,
> I was wondering if you had a chance to have a look at this:
> http://www.sipsecurity.org/
> It is the supplemental webpage to the SIP Security book that
> recently came out. I had a chance to have a look at the book
> and I find it quite nice as I think it is a good reference for
> both administrators and people willing to start understanding
> the topic and possible actions that can be taken in order to
> secure SIP networks without the need to dig into thousands of
> documents spread on the web. In addition it highlights open
> areas where the solutions are not mature enough being a good
> starting point for researchers willing to start their career
> along these topics.
> And I think it is good that people that really touched the issues
> they write about (it is thanks to Dorgham and Jiri that we had
> SER and all its derivations today and they have seen quite a bit
> of the issues they speak about when working in iptel.org) take
> the time to write a book to teach people.
> Anyone else already had a chance to see the book and can share
> his view?
> Cheers,
> Saverio
> ------------------------------
> Message: 2
> Date: Wed, 3 Jun 2009 08:49:57 -0400
> From: "Geoff Devine" <Geoff at GeoffDevine.com>
> Subject: Re: [VOIPSEC] Is there a anti-phishing "blackhole list" of
> 	phone	numbers?
> To: <voipsec at voipsa.org>
> Message-ID: <002a01c9e449$cdc11b20$69435160$@com>
> Content-Type: text/plain;	charset="us-ascii"
> Jonathan K. Creasy writes:
>> In many of the cases I have witnessed the source number is that of an
>> innocent victim. Many cases involve systems that are hacked because
>> of poor security and the outbound calls are placed using the
>> credentials of a phone on their network.
> On a Primary Rate ISDN interface, the integrity of Calling_Party_Number
> usually isn't policed by the circuit switch. When the interface was
> designed and implemented, everyone assumed that there would be a
> business relationship (a service contract) between the Telco and the
> customer where the Telco could pull the plug on the interface if the
> customer abused their identity assertion. Nobody envisioned that PRI
> would be used as a service provider interface to bridge VoIP to the
> PSTN. Nobody is going to upgrade their legacy circuit switches to
> correct the problem. SS#7 has the exact same problem. Many SIP trunking
> implementations also have no way of policing this CallerID information.
> Once you've done your SIP digest authentication, you can pass whatever
> you want. I was working this issue a year ago from the Cable side
> feeding requirements into the SIP Forum for SIPConnect since it's a
> real hole. Today, if you're using an IP-PBX with a SIP handoff to a
> service provider, you can offer whatever you want for CallerID and the
> network will blindly pass it through in many implementations.
> The conclusion is that CallerID is horribly broken and you can't
> reliably construct a "blackhole list" of phone numbers since it's so
> trivial to supply a different one.
> Geoff Devine
> ------------------------------
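
The policing gap described in Geoff Devine's message above, seen from the service provider's side, as an added example that is not part of the original thread: once digest authentication has succeeded, the trunk still checks that the number asserted in From and P-Asserted-Identity belongs to the authenticated account. The account name, number assignments and sample INVITEs are constructed for illustration.

```python
import re
# Constructed provisioning data: numbers each authenticated trunk account may assert.
ASSIGNED_DIDS = {"pbx-acme": {"+12025550100", "+12025550101"}}
COMPACT = {"f": "from"}  # RFC 3261 compact form of the From header
IDENTITY_HEADERS = ("from", "p-asserted-identity")  # RFC 3261, RFC 3325
URI_USER = re.compile(r"(?:sips?|tel):([^@;>\s]+)", re.IGNORECASE)

def parse_headers(message):
    """Map lowercased header names to their values for one SIP message."""
    headers = {}
    head = message.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            name = name.strip().lower()
            headers.setdefault(COMPACT.get(name, name), []).append(value.strip())
    return headers

def asserted_numbers(message):
    """Return (header, user part) for every calling-identity URI in the message."""
    found = []
    for header in IDENTITY_HEADERS:
        for value in parse_headers(message).get(header, []):
            value = re.sub(r'"[^"]*"', "", value)  # drop the quoted display name
            match = URI_USER.search(value)  # no URI found: report it, fail closed
            found.append((header, match.group(1) if match else "<unparsed>"))
    return found

def police_caller_id(auth_user, message):
    """Decide whether an already digest-authenticated INVITE may keep its identity."""
    allowed = ASSIGNED_DIDS.get(auth_user, set())
    numbers = asserted_numbers(message)
    reasons = [f"{h}: {n}" for h, n in numbers if n not in allowed]
    if not numbers:
        reasons.append("no calling identity header")
    return (not reasons, reasons)

def invite(identity_lines):
    """Build a constructed INVITE carrying the given identity header lines."""
    return "\r\n".join(["INVITE sip:+13035550123@sp.example.net SIP/2.0",
                        *identity_lines, "CSeq: 1 INVITE", "", ""])

LEGIT = invite(['From: "Front Desk" <sip:+12025550100@pbx.example.com>;tag=1'])
SPOOFED = invite(['f: "Caller" <sip:+18005550199@pbx.example.com>;tag=2',
                  "P-Asserted-Identity: <tel:+18005550199>"])

if __name__ == "__main__":
    for name, msg in (("LEGIT", LEGIT), ("SPOOFED", SPOOFED)):
        print(name, police_caller_id("pbx-acme", msg))
```

A provider applying this check can reject the call or overwrite the identity with the account's default number; the check only covers the SIP handoff and does nothing for identities arriving over PRI or SS#7.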
