Author Archives: Craig Bowser

Senate OKs E911 requirements

I gotta run and coach my kids basketball, but I’ll put this up real quick.

Ars Technica has a write up about the new E911 requirements bill passed by the Senate.

Ars usually does a great job with their analysis, so I won’t bother. My only comment is that congress seems to write Policy without concern for the effort of implementing Procedures. Now that the FCC will have the authority to dictate new requirements, I hope (but I doubt) they will work with companies and technologies to implement this correctly.

OK, so I’m cynical about the government, I’ve worked in it all my life.

EDIT: BTW, just in case some were wondering if this applies to VoIP Security, for my environment, E911 service is a security requirement.

Update Asterisk

Over on Bugtraq, another Asterisk vulnerability has been announced. Several buffer overflows affect the below version:

Package / Vulnerable / Unaffected
1 net-misc/asterisk = 1.2.17-r1

This one comes with an admonishment to upgrade to the latest patch:

All Asterisk users should upgrade to the latest version:

# emerge –sync
# emerge –ask –oneshot –verbose “>=net-misc/asterisk-1.2.17-r1”

This is the link to the announcement at Gentoo Linux. I was hoping to find the link to the actual patch over at Asterisk, but I don’t see the right reference yet. The CVE #’s are all from 2007, but the announcement seems to be from 2008. If anyone finds the link, drop me a line or leave it in the comments.

On a minor note, the Nortel Networks UNIStim IP Phone with firmware version 0604DAS is vulnerable to a ping of death. No patch yet, but keep your eye on Nortel’s Security Advisory site for a response from the company.

SIPTap Author forms VoIP Security Company

Some of you may remember Peter Cox who put out an eavesdropping tool SIPTap last November.

For those who have a short memory, SIPTap monitors “multiple voice-over-IP call streams, listening in and recording them for remote inspection as .wav files.”

At the time, however, the tool didn’t appear to me to be much of a threat because it only worked on the VLAN it was attached to and only if it saw the traffic. Meaning that if you weren’t attached to a span port, a hub or used another tool such as Ettercap, you wouldn’t be able to do much recording.

BUT the tool served Peter Cox’s purpose. Apparently for some time now, Peter Cox has been preaching VoIP security to anyone who will listen… and if he’s like most IA people I know, anyone who doesn’t want to listen, but needs to. The tool, therefore, appeared to be aimed at educating people outside the IA world about the importance of VoIP security and how easy it is to eavesdrop on calls.

Now Peter Cox has started a new company UM Labs where his goal is to develop and deliver products that provide VoIP security in a world where the traditional security foundation of voice and data separation no longer apply.

They are already announcing three products described on the company’s website and here

New VoIP security products are always welcome and UM Labs appears to be looking towards the future to find ways to meet some of the upcoming security challenges of unified networks.

Everything old is new again

Many of you probably have seen Sipera’s Top 5 VoIP Security threats for 2008.

VoIP-News has an article about that list, but they have added quite of few links that provide further information.

[If anyone saw the previous post before it got deleted, I apologize. I didn’t recognize the list until after I published the post]