[VOIPSEC] Who the heck needs security anyway...

J. Oquendo sil at infiltrated.net
Mon Apr 19 19:38:45 BST 2010 

Ari Takanen wrote:
> Sooner? ;)
>
> The VoIP industry should be proud of itself! Already in 2002, majority
> of VoIP vendors had some type systematic security testing (smart
> fuzzing) in place, whereas rest of the communication domains are still
> struggling to convince their management of the benefits of proactive
> security testing. Check out e.g. PROTOS tool release from 2002/2003:
>
>   

Personally, I feel that those within the VoIP arena are willing to
listen to the "hat" wearers and perhaps that's because the vast majority
of those involved with VoIP from my point of view have more of a
technical background. VoIP to me was one of those "heaped on you"
industries where most had to learn it on the fly. I'm sure in other
domains, there were similar advances however VoIP is still young as
opposed to those other domains. In other areas there are far too many
Praetorian Guards unwilling to investigate/test/listen.

> http://www.cert.org/advisories/CA-2003-06.html
>
>   
I note: Microsoft Corporation
Microsoft has investigated these issues. The Microsoft SIP client
implementation is not affected.

Luckily that advisory is dated 2003, I was about to cry foul. I'm still
banging my head right now as I've discovered a gaping hole in an MS
product that uses SIP. Their response: "WSF files are considered unsafe
filetypes in Windows and other Microsoft products. The MSRC does not
open cases on file types that are designed to run code and considered
unsafe." ... Translation: "Ok so you found an exploit that can affect
our product. However, the exploit will only work if you construct a
malicious page. We cannot investigate because 'MSRC does not open cases
on file types that are designed to run code and considered unsafe.'"
ActiveX anyone? ... Maybe I should Zero Day Initiative it... Anyhow.
There are plenty of vendors in the VoIP arena that do listen and to
those vendors and their engineers... Kudos to you guys. To the RFCer's
(Schulzrinne), kudos to them too for lending an ear and keeping an open
mind (Asteroid anyone?).

Of another note... Special thanks to Andy Zmolek who once allowed me to
talk him and his former colleagues to death on security via a conference
call. Not only did he and his colleagues understand the nature of the
security beast, it showed they were and are willing to reach out to mesh
security and research for the sake of getting better products and
standards on the market.

Now only if you Codenomicon guys let me freely play with your fuzzers
for the sake of research!

-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E

More information about the Voipsec mailing list