[VOIPSEC] Voipsec Digest, Vol 54, Issue 2
radu.state at loria.fr
Thu Jun 4 15:10:25 EDT 2009
I am reading SIP Security now and the book is great. It covers many
aspects of the security of SIP and the most important , it's written
in a very clear and easy understandable way.
I can post a complete review of it, in few days from now on.
On Jun 4, 2009, at 1:00 PM, voipsec-request at voipsa.org wrote:
> Send Voipsec mailing list submissions to
> voipsec at voipsa.org
> To subscribe or unsubscribe via the World Wide Web, visit
> or, via email, send a message with subject or body 'help' to
> voipsec-request at voipsa.org
> You can reach the person managing the list at
> voipsec-owner at voipsa.org
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Voipsec digest..."
> Today's Topics:
> 1. SIP Security (Saverio Niccolini)
> 2. Re: Is there a anti-phishing "blackhole list" of phone
> numbers? (Geoff Devine)
> Message: 1
> Date: Wed, 3 Jun 2009 13:36:44 +0200
> From: "Saverio Niccolini" <Saverio.Niccolini at nw.neclab.eu>
> Subject: [VOIPSEC] SIP Security
> To: "Voipsec" <Voipsec at voipsa.org>
> Message-ID: <547F018265F92642B577B986577D671C10B417 at VENUS.office>
> Content-Type: text/plain; charset="US-ASCII"
> I was wondering if you had a chance to have a look at this:
> It is the supplemental webpage to the SIP Security book that
> recently came out. I had a chance to have a look at the book
> and I find it quite nice as I think it is a good reference for
> both administrators and people willing to start understanding
> the topic and possible actions that can be taken in order to
> secure SIP networks without the need to dig into thousands of
> documents spread on the web. In addition it highlights open
> areas where the solutions are not mature enough being a good
> starting point for researchers willing to start his carrier
> along these topics.
> And I think is good that people that really touched the issues
> they write about (it is thanks to Dorgham and Jiri that we had
> SER and all its derivations today and they have seen quite a bit
> of the issues they speak about when working in iptel.org) take
> the time to write book to teach people.
> Anyone else already had a chance to see the book and can share
> his view?
> Message: 2
> Date: Wed, 3 Jun 2009 08:49:57 -0400
> From: "Geoff Devine" <Geoff at GeoffDevine.com>
> Subject: Re: [VOIPSEC] Is there a anti-phishing "blackhole list" of
> phone numbers?
> To: <voipsec at voipsa.org>
> Message-ID: <002a01c9e449$cdc11b20$69435160$@com>
> Content-Type: text/plain; charset="us-ascii"
> Jonathan K. Creasy writes:
>> In many of the cases I have witnessed the source number is that of an
>> innocent victim. Many cases involve systems that are hacked because
>> of poor security and the outbound calls are placed using the
>> credentials of a phone on their network.
> On a Primary Rate ISDN interface, the integrity of
> usually isn't policed by the circuit switch. When the interface was
> designed and implemented, everyone assumed that there would be a
> relationship (a service contract) between the Telco and the customer
> the Telco could pull the plug on the interface if the customer
> abused their
> identity assertion. Nobody envisioned that PRI would be used as a
> provider interface to bridge VoIP to the PSTN. Nobody is going to
> their legacy circuit switches to correct the problem. SS#7 has the
> same problem. Many SIP trunking implementations also have no way of
> policing this CallerID information. Once you've done your SIP digest
> authentication, you can pass whatever you want. I was working this
> issue a
> year ago from the Cable side feeding requirements into the SIP Forum
> SIPConnect since it's a real hole. Today, if you're using an IP-PBX
> with a
> SIP handoff to a service provider, you can offer whatever you want for
> CallerID and the network will blindly pass it through in many
> The conclusion is that CallerID is horribly broken and you can't
> construct a "blackhole list" of phone numbers since it's so trivial to
> supply a different one.
> Geoff Devine
> Voipsec mailing list
> Voipsec at voipsa.org
> End of Voipsec Digest, Vol 54, Issue 2
More information about the Voipsec