Author Archives: David Endler

VOIPSA 2.0

It’s been over 5 years since the Voice over IP Security Alliance was born. A small group of us originally aimed to fill a very large gap in the VoIP security landscape: outside of IETF meetings, the thought leaders in the carrier, vendor, and security industries didn’t really have many other vehicles to discuss and address security issues in VoIP. VOIPSA was and is meant to bring those people together by promoting security research, testing methodologies, tools, and most importantly, discussion.

The need for VOIPSA is greater than ever, and we need fresh input to evolve to the next phase. My professional interests have changed recently, so I will no longer have the time to devote to serving as Chairman.

It gives me great pleasure (and relief) to announce that Dan York has graciously agreed to step up as our new Chairman and fearless leader. I am also pleased to announce that Jonathan Zar has agreed to continue on in the meantime as Secretary. Dan and Jonathan have been instrumental since the beginning of VOIPSA in setting up the organization with me and evangelizing many of the issues that still plague VoIP deployments today. Many of you already know Dan from his podcasts, his conference speaking, and his prolific blogging on Voipsa.org, and Jonathan from his industry leadership and venture expertise.

You’ll be hearing from Dan and Jonathan in the near future on the vision and next steps for relaunching VOIPSA. Thank you to everyone I’ve worked with over the last 5+ years who has given selflessly of their time and effort to VOIPSA.

-dave

David Endler
david.endler@voipsa.org

Shall We Play a Game?

HD Moore of Metasploit Project fame has just released a new set of free war dialing tools called WarVOX. What makes these new tools so interesting is that they leverage VoIP service providers to scan and analyze hundreds of phone numbers, finding modems, faxes, voice mail boxes, PBXs, loops, dial tones, IVRs, and forwarders much, much faster than any modem ever could. Check out the WarVOX screenshots, which show the interface and slick reporting features.

Back Online

As some of you may have noticed, our servers were offline for the past 24 hours due to unforeseen circumstances. It seems the recent global economic turmoil has not left VOIPSA unscathed. Turns out our hosting provider was delinquent on paying their bills to their upstream data center provider. Supposedly, the hosting provider’s management is nowhere to be found and did not respond to repeated billing inquiries, leaving the upstream data center no choice but to unplug all of the hosting provider’s customers.

Apologies for the inconvenience; we’re working on moving to a more permanent and solvent hosting provider in the near future!

VoIP makes the SANS Top 20 Internet Security Risks of 2007 (again)

The SANS Institute just released its Top 20 Internet Security Risks of 2007 annual update. Yet again this year, VoIP made the list, with a collection of just some of the VoIP vulnerabilities that were disclosed this past year. Check it out. For those of you who don’t want to read the entire document, a decent executive summary is available here.

VOIPSA Releases its VoIP Security Tools List

I’m pleased to announce the public release of VOIPSA’s VoIP Security Tool List. The list was developed to address the current void of VoIP security testing resources and sites, for vendors and VoIP users alike. The list is separated into the following seven broad categories:

  • VoIP Sniffing Tools
  • VoIP Scanning and Enumeration Tools
  • VoIP Packet Creation and Flooding Tools
  • VoIP Fuzzing Tools
  • VoIP Signaling Manipulation Tools
  • VoIP Media Manipulation Tools
  • Miscellaneous Tools

Special thanks to VOIPSA members Shawn Merdinger and Dustin Trammell who created the list and have graciously agreed to maintain it. For more information about the tools list, you can listen to Dan York and Jonathan Zar discuss it in Blue Box Podcast #54 and also with Shawn Merdinger in Blue Box Special Edition #16 available at http://www.blueboxpodcast.com.

Phone “Phreakers” Steal Minutes

The March 19th edition of Newsweek has an article about cyber thieves stealing VoIP minutes by hacking into VoIP providers’ gateways. It’s the first time I’ve actually seen real numbers applied to VoIP theft:

‘These thieves steal 200 million minutes a month, worth $26 million, says New York telecom Stealth Communications. With more than 5,000 wholesale-minutes markets worldwide, located mainly on Internet forums, fraud is hard to track. Emmanuel Gadaix, head of TSTF, a Hong Kong firm that investigates VoIP thefts, says it’s “very easy to set up a temporary link” through a hacked gateway. His company was recently hired by a Panamanian telecom that lost $110,000 to phreakers. TSTF followed tracks, in vain, that snaked through Bulgaria, Canada, Costa Rica, Hong Kong and the United States. Phreaker trails are “way too complicated” to track successfully, says Gadaix.’

This brings up memories of the Edwin Pena case, in which he was able to rake in over $1 million USD in profits from stealing and reselling VoIP minutes from several providers.

Does anyone know for sure how these VoIP provider gateways are being broken into? Default passwords? Well known vulnerabilities in the operating system? Stolen access codes?

New VoIP Phishing Scheme

Brian Krebs from the Washington Post reports on a new VoIP phishing (vishing) scheme targeting Bank of America customers. The scam appears as an official-looking Bank of America email and tries to convince the victim to dial a toll-free number to sort out some account problems. Once the victim dials that number, they’re prompted to enter their account number and secret PIN. The evildoers are then able to easily access the bogus system and reconstruct all of the numbers you entered. Much like how traditional email phishing attacks flourished in the last couple of years, I absolutely believe that VoIP phishing scams will skyrocket this year.

For some background, there was a compelling presentation at last year’s Black Hat security conference by Jay Schulman, entitled Phishing with Asterisk (PDF). In his presentation, Jay showed how easy it was for attackers to use an Asterisk PBX to set up a spoofed banking automated attendant and route all calls to a toll-free number through to that PBX. Additionally, Mark Collier and I devoted an entire chapter to VoIP phishing in our book, Hacking Exposed: VoIP.

I’ve included a snapshot below of one of the first VoIP phishing emails targeting PayPal that emerged last year, which we showcased in our book.

Skype Protocol Cracked?

Several news sources are reporting that an unnamed 10-person Chinese company has successfully reverse engineered the Skype protocol. This company is supposedly planning to release its own software in two weeks that takes advantage of Skype’s networks.

The main source of this information seems to be a blog posting by Charlie Paglee, the CEO of Vozin Communications. The posting details a Skype call Paglee supposedly received from his Chinese contact at this unnamed company, placed through a non-Skype client. Several news outlets are reporting on this:

  • VuNet
  • NetworkWorld
  • TechWorld
  • SecurityProNews

So far, no mention of this on Skype’s security blog.

Cisco Unified CallManager Vulnerabilities

Cisco announced vulnerabilities today in Unified CallManager versions 5.x:

Cisco Unified CallManager (CUCM) 5.0 has Command Line Interface (CLI) and Session Initiation Protocol (SIP) related vulnerabilities. There are potential privilege escalation vulnerabilities in the CLI which may allow an authenticated administrator to access the base operating system with root privileges. There is also a buffer overflow vulnerability in the processing of hostnames contained in a SIP request which may result in arbitrary code execution or cause a denial of service. These vulnerabilities only affect Cisco Unified CallManager 5.0.

The remote code execution SIP vulnerability is obviously the most concerning of all of these issues. Luckily, it looks like the issue was discovered internally, which means an exploit may not publicly emerge for a while, since Cisco’s advisory lacks detail on the actual malformed SIP message required to trigger the flaw.
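The advisory describes a bug class rather than a specific message: a hostname taken from a SIP request is copied into storage that does not account for its length. The following C example is added here to illustrate the defensive side of that class; it is not Cisco’s code and makes no claim about how CallManager parses SIP. It extracts the host from a SIP request line with every copy bounded by an explicit limit (the 255-character DNS limit, an assumption chosen for the example) and refuses oversized input instead of truncating it. The request lines and the 300-character host are constructed samples.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Longest hostname the parser will accept (DNS name limit, RFC 1035).
 * A fixed-size destination buffer combined with an unbounded copy is the
 * shape of the bug class the advisory describes; every copy below is
 * checked against this limit and the caller's buffer size. */
#define MAX_HOST_LEN 255

/* Return codes */
enum { HOST_OK = 0, HOST_ERR_FORMAT = -1, HOST_ERR_TOOLONG = -2 };

/* Extract the host part of the SIP URI in a request line, e.g.
 *   "INVITE sip:alice@example.com:5060;transport=udp SIP/2.0"
 * yields "example.com". The host ends at ':' (port), ';' (parameters),
 * '?' (headers), '>' or whitespace. The result is written into `out`
 * (capacity `out_len`), NUL-terminated; oversized hosts are rejected. */
int sip_request_host(const char *line, char *out, size_t out_len)
{
    if (line == NULL || out == NULL || out_len == 0)
        return HOST_ERR_FORMAT;

    /* Locate the URI scheme; only sip: and sips: are accepted. */
    const char *uri = strstr(line, "sips:");
    size_t scheme_len = 5;
    if (uri == NULL) {
        uri = strstr(line, "sip:");
        scheme_len = 4;
    }
    if (uri == NULL)
        return HOST_ERR_FORMAT;
    const char *p = uri + scheme_len;

    /* Skip an optional user part: look for '@' only within this URI. */
    const char *end = p + strcspn(p, " \t\r\n>");
    const char *at = memchr(p, '@', (size_t)(end - p));
    if (at != NULL)
        p = at + 1;

    /* The host runs until the port, parameters, headers or end of URI. */
    size_t host_len = strcspn(p, ":;?> \t\r\n");
    if (host_len == 0)
        return HOST_ERR_FORMAT;
    if (host_len > MAX_HOST_LEN || host_len >= out_len)
        return HOST_ERR_TOOLONG;   /* refuse rather than overflow or truncate */

    memcpy(out, p, host_len);
    out[host_len] = '\0';
    return HOST_OK;
}

/* Constructed sample: a request line whose host is 300 characters, well
 * past the DNS limit. Returns the parser's verdict so the rejection of
 * oversized input can be checked without the caller building the line. */
int demo_oversized_host(void)
{
    char line[400];
    char host[MAX_HOST_LEN + 1];
    size_t n = 0;
    memcpy(line + n, "INVITE sip:", 11); n += 11;
    memset(line + n, 'a', 300);          n += 300;
    memcpy(line + n, " SIP/2.0", 8);     n += 8;
    line[n] = '\0';
    return sip_request_host(line, host, sizeof host);
}

int main(void)
{
    char host[MAX_HOST_LEN + 1];
    const char *line = "INVITE sip:alice@example.com:5060;transport=udp SIP/2.0";

    if (sip_request_host(line, host, sizeof host) == HOST_OK)
        printf("host: %s\n", host);          /* host: example.com */
    printf("oversized host verdict: %d\n", demo_oversized_host());  /* -2 */
    return 0;
}
```

The point of the example is the two checks before `memcpy`: the length is compared both against the protocol limit and against the destination's real capacity, and a failure is reported to the caller rather than silently shortened, so a malformed request is dropped instead of corrupting memory.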

Skype security

RECON (Reverse Engineering Conference) was recently held from June 16-18 in Montreal. One of the presentations involved some in-depth Skype reverse engineering and analysis. The slides for the presentation are available in PDF format for part 1 and part 2. Among other things, the talk covered Skype’s crypto scheme, easter eggs, and general traffic analysis. Worth a read.