Monthly Archives: March 2011

VoIP Security and the Service Provider

I recently had the opportunity to sit down with David Cargill, member of the council at the ITSPA trade association (www.itspa.org.uk). David is chairing the VoIP Security committee at ITSPA, and I wanted to ask him about that.

MD: Firstly, tell me something about ITSPA, and its goals?

DC: The Internet Telephony Service Providers’ Association was formed in 2004 to represent UK based network operators, service providers and other businesses involved in VoIP services. ITSPA members supply to business and residential consumers within the UK and across the European Union. ITSPA aims to promote competition and self-regulation in order to encourage the development of a flourishing and innovative VoIP industry.

MD: You’ve recently formed a VoIP Security committee; what was the spark that drove you to do that?

DC: Industrial-grade scanners are now operating around the clock to find and exploit IP-PBX’s and VoIP handsets that are not secured. The majority of these are operated by low level fraudsters which can be stopped by taking fairly simple security measures.

The Security Committee was setup with two primary aims: firstly to collate and share information on relevant security issues to ITSPA members, and secondly to produce and distribute Best Practice Papers on key security issues to ITSPA Members as well as to existing and potential VoIP customers.

MD: What are the main threats that you are focusing on?

DC: We’re currently focusing on hacking of IP-PBX’s and VoIP telephones.

MD: Are these the main problems perceived by customers, and is this driven by them?

DC: When you mention VoIP security, most people think about Eavesdropping. While hackers can eavesdrop on media streams and intercept VoIP packets, eavesdropping is not simple, whereas hacking into unsecured IP-PBX’s is not only simple, it can be done using free tools downloaded from the internet.

Many VoIP users don’t seem to be concerned with security until they have been hacked, the driver for this is that while ITSPA members have systems for protection from exploits for their core systems, often their downstream customers do not. For example a reseller of an ITSPA member, sells SIP trunks to an end user who then downloads free PBX software, like Asterisk, and gets the system online. The system is then hacked resulting in a large phone bill for the end user and customer service problems for the reseller and service provider.

MD: And what actions are you taking? Is it mainly an exercise in education for partners and customers?

DC: Yes it is. The strength of ITSPA is that we’re getting input from across the VoIP industry, enabling Service Providers to pool their knowledge and experience for the common good. So internally within ITSPA service providers are sharing information on new exploits as well as the external drive to raise awareness of the threats and solutions to partners and customers.

MD: Will the committee go on to tackle further VoIP Security issues?

DC: The barbarians are at the gates, 24/7 and we need to be vigilant. The ITSPA Security Committee is planning a pro-active program to keep its members and the wider VoIP community up to date with key security issues as they develop.

MD: Overall would you say that security is more of a problem for VoIP than for conventional voice services?

DC: No, PBX’s have been targeted by hackers for years, starting with people who could whistle the right tones into a handset in the 1960’s. The difference now is that IP-PBX’s can be downloaded for free, so it’s a problem of scale and understanding, as the number of the hackers has increased exponentially and many IP-PBX’s are setup by people with little understanding of VoIP let alone network security.

It’s also worth mentioning that many ITSPA members provide Hosted VoIP services, where in effect they operate the PBX in the cloud on behalf of their customers and ensure that the service is run securely. Customers of reputable Hosted VoIP services are not at risk of being hacked by fraudsters looking to make free calls.

MD: Is your initiative open for other service providers that want to get involved?

DC: At this stage it’s an ITSPA initiative with news and updates to be posted on the ITSPA Directory (http://directory.itspa.org.uk) but if anyone would like to get involved or would like further information they should contact us at admin@itspa.org.uk

David Cargill is CTO of Coms plc and an ITSPA council member.

Is TelePacific’s SmartVoice Outage a Result of SIP Attacks?

TelepacificIs the voice service outage that TelePacific Communications experienced today the result of cybercriminials attacking TelePacific’s SIP infrastructure?

TelePacific offers a service called “SmartVoice” that appears from their website to be the basic type of SIP service provided by many service providers these days. On March 24th, they started experiencing an outage and their Twitter page tells the tale, from the initial report to the beginning of a recovery to a 50% recovery to more reports on March 25th through to full restoration on the 25th.

Today, however, there is a report in Channel Partners Online provocatively titled: “TELEPACIFIC NETWORK OUTAGE: CYBER-TERRORISM?” The article quotes TelePacific President and CEO Dick Jalkut:

Jalkut said the “cyber attack choked our servers and resulted in a significant loss of service to customers – in most cases an inability to make and receive calls.” But the attack did not impact customers’ Internet or data services.

He goes to say that they have implemented further monitoring and protection, particularly in their session border controllers.

At this point TelePacific indicates they have engaged the FBI to assist in tracking down the external sources of the attack. TelePacific also indicates that they plan to more information during upcoming industry forums and I look forward to hearing more about this. From the bare details provided thus far, it certainly sounds like an attack focused on their SIP infrastructure – and it would be good for the rest of the industry to hear about and learn from.

P.S. Kudos to TelePacific, too, for what appears to be a solid use of Twitter as a way to keep customers and others informed of what was going on during the outage.

If you found this post interesting or helpful, please consider either subscribing via RSS or following VOIPSA on Twitter.

Two Asterisk Security Advisories, Including One Critical Remote Vulnerability

The Digium security team issued two security advisories this week for Asterisk:

The second one, AST-2011-004, is the far more concerning because it indicates that a remote attacker could connect to an Asterisk system and cause it to crash.

The solution, in both cases, is to upgrade to the latest Asterisk releases.

UPDATE: 3/18/11 – Olle Johansson pointed out on Twitter:

Either upgrade or do not use SIP/TCP. Installations only using SIP/udp is not affected and do not need to upgrade.

Thanks for the clarification, Olle.

State of Communications Security Report is Live

Here is a link to the SecureLogix State of Communications Security Report. It is currently at the NoJitter site. We will post it to our website and here in a couple of weeks.

http://www.nojitter.com/sponsoredcontent/view/cid/3900003

This is the first time ever that anyone has released a security report that is focused on voice/VoIP/communications. The report describes voice security trends and includes a ton of data from 100’s of assessments, that backs up the trends we present.

Video: Fascinating Visualization of an Attack on a VoIP Server

By way of the Infosthetics site, I learned this morning of a video produced by Dataviz Australia that uses data from a VoIP honeypot server to visualize what the attack looks like. The Dataviz Australia blog post has more information about what they are specifically showing here. I am always intrigued to see how people can come up with new ways to enable us to look at data differently, and this is an interesting video for that. Enjoy…

Visualizing a cyber attack on a VOIP server from Ben Reardon, Dataviz Australia on Vimeo.

At Enterprise Connect This Week? The NSA Wants To Talk To You

Nsaboothentconnect2011If you have been at the Enterprise Connect show this week in Orlando, Florida, one of the perhaps unexpected booths on the exhibit hall floor was that of the National Security Agency (NSA). The booth was staffed by two great guys (who rapidly moved away when I raised my iPhone camera) who explained that they were there as part of the agency’s “Commercial Solutions Center” looking to find commercial technology that can help with the secure mobile solutions they are looking to deploy for the NSA.

One of the NSA staff will be on a Enterprise Connect communications security panel at 9:00am in the “Sun B” room of the Gaylord Palms tomorrow (Thursday, March 3, 2011). They are also hosting a private meeting tomorrow at the Gaylord Palms from 1-3pm for people interested in learning more. The best way to find out more about that meeting would probably be to attend the 9am session. (They were promoting details at their booth, too, but the exhibit area is now closed.)

UPDATE: The session today (March 3, 2011) will be in “Emerald 8” at the Gaylord Palms in Orlando from 1-3pm.

Good to see the NSA reaching out to the commercial sector and when more information is available about their program (they said it would be soon) I’ll update this post.