VoIP Security

VoIP and tech's murky role in Mumbai attacks

Doug Mohney — Wed, 03 Dec 2008 11:38:30 -0500

Reports out of Mumbai claim the 10 member Lashker-e-Taiba terrorist attack group was steeped in off-the-shelf consumer technology. The FBI is reportedly assisting Indian intelligence agencies in deciphering "Internet telephony signatures" originating in Pakistan.

Terrorist controllers/handlers in Pakistan used VoIP to communicate with the Mumbai attack cell, with calls flowing out of Pakistan to satellite phones carried by the group. Conducting traffic analysis - number of calls, type of calls, frequency, and length - on the communications stream between Pakistan and Mumbai seems to have occurred, but it is not clear if Indian authorities have access to any media streams - the actual verbal conversations -- of calls.

The FBI is apparently providing support to trace back when calls started coming in to the cell phone. While not being publicly discussed, it is likely that a United States National Security Agency "vacuum cleaner" system sucked up the broadcasted satellite phone conversations in some form; it is unknown if the communications were encrypted end-to-end, but if they were, it would provide an additional complication to learning the substance of the communications between Lashker-e-Taiba and its Mumbai cell.

Players on both sides of the terrorist equation - both attackers and defenders - are aware of the use and application of off-the-shelf technologies for attacks. In October, a short report by the U.S. Army 304th Military Intelligence open source intelligence team examined the potential use and application of mobile phone and VoIP technologies by terrorist groups. While the media generally obsessed over the application of Twitter, the report also highlighted the use of GPS, software to change voices in conjunction with VoIP calls, and Google Maps.

For more:
- The Economic Times of India briefly discusses FBI involvement in VoIP cracking.
- Ars Technica and the media fetished on Twitter as a terrorist tool, but the U.S. Army report highlights other technologies as well.

SPOTLIGHT: Hacking VoIP gets reviewed

Doug Mohney — Sun, 23 Nov 2008 21:54:49 -0500

The recently released "Hacking VoIP" has received a quick review via desicritics.org. Targeted to VoIP administrators and other IT personnel working with VoIP on a daily basis, the book goes through a series of discussions and exercises discussing SIP signaling and H.323, as well as media-layer issues via RTP and IAX issues in signaling and media. There's the usual tour of free tools and a wrap at the end with countermeasures and auditing. No Starch Press is listing the 232 page tome at $44.95, but Amazon.com is offering it for $29.67 with free shipping.

For more:
- Desicritics.org book review. Post.
- Dr. Dobb's CodeTalk also reviews Hacking VoIP

Thinking about Vishing VoIP security

Doug Mohney — Wed, 19 Nov 2008 19:00:21 -0500

How do you avoid being phished over VoIP? No, we're not talking about a Ben and Jerry's flavor, we're discussing the tactic of being called up over the phone and being socially engineered into disclosing confidential information.

Phishing is now a widespread tactic, with bogus emails spammed out on a daily basis. Initial attacks were mostly for-profit in nature, with an inbox letter posing as a bank or the IRS requesting security and personal information. The information would then be utilized by the attacker for either a simple credit card exploit or a more elaborate identity theft exploit. Varients such as Spear Phising and Vishing are now in vogue, but phishing attacks can be broken down into four parts: Redirect, Disclosure, Impersonation and Unauthorized Usage.

Vishing is a faster way to gain information if the attacker feels confident in his or her social engineering skills. In the days before computers, this was known as "The art of the con." Regardless, we still have to wonder if J. Michael Straczynski understood he was writing a double-entendre when he penned the line, "Who do you serve? And who do you trust?" A look at the general practices of phishing can help in the development of strategies against vishing.

For more:
- TopTechNews breaks down Phishing and Vishing. Article

SPOTLIGHT: UCSniff VoIP security tool officially unveiled

Doug Mohney — Fri, 14 Nov 2008 16:19:09 -0500

If you haven't worried enough about VoIP security, UCSniff has been released officially by the Sipera Viper Lab.

First unveiled at the Toorcon security conference in late September, UCSniff allows you to target users based on corporate directory and/or extensions, record entire voice conversations, discover and hope VLANs, perform man-in-the-middle (MitM) redirection and plenty more. Sipera has now made the tool available for public download, so, if you want to really torque off your security and IT people, you could record and email them a couple of their phone calls.

If you want really scary/really paranoid thoughts, since UCSniff (and of course, a lot of other security tools) are written in C and available for Linux systems, an attacker could buy a $300 Netbook, install it in a phone closet somewhere, and with a little hackwork, record and email your conversations outside the office.

Hmm, maybe its time to re-install the old key system...

For more:
- Read the quick blog post at Dark Reading.

VoIPShield says Microsoft OCS vulnerable to attacks

Doug Mohney — Fri, 14 Nov 2008 15:56:05 -0500

Media stream attacks could affect Micrsofot Office Communications Server (OCS) as well as Office Communicator and Windows Messenger, says VoIPshield Systems. Microsoft is looking into the report.

VoIPshield says the vulnerabilities affect applications using protocols like RTP and, if exploited, could cause a denial of service (DOS) attack against not only the stated applications, but against the whole desktop. The company is not publicly disclosing details of the vulnerabilities, but says it confidentially discloses full details to affected vendors.

A spokesperson for VoIPshield Labs said the company is currently validating new research that shows an attacker can gain unauthorized access to an unsuspecting user's laptop by manipulating the packets of a VoIP phone call - an attack that might even be able to traverse a PSTN gateway. If possible, this attack would be a far more subtle and serious threat than a DoS attack since there would be no warning.

Microsoft is investigating the finding and recommends both managing patches and keeping all software up to date.

For more:
- Read the details of the alleged vulnerability. Article.

Arbor Networks: VoIP, IPv6 emerging security threats

Doug Mohney — Tue, 11 Nov 2008 21:25:05 -0500

Summing up responses from "nearly 70" IP network operators around the globe, Arbor Networks issued a gloomy report on worldwide infrastructure security. Malicious attacks (are there any friendly attacks?) continued to grow at "an alarming rate" over the past year, with VoIP and IPv6 labeled as emerging threats.

Only 21 percent of respondents said they had the tools in place to detect threats against VoIP infrastructure or services, but those that do are prepared with solutions to mitigate threats against VoIP infrastructure and services. The report doesn't specifically break out VoIP-specific attacks into a unique category, but at least one operator noted "Heavy VoIP scans on the increase recently."

Chasing new reviews means that ISPs are increasingly deploying more complex infrastructure to deliver VoIP, video and IP services. Adding more complex infrastructure also adds more opportunities for an attacker because everything gets so much more complicated.

Arbor says providers need to have deep application insight into IP services and apps - can we say DPI and an Arbor Networks sales brochure? On the other hand, any sarcasm is tampered by reports of DDoS attacks as large as 40 gigabits, with the largest sustained attacks of 24 and 17 Gbps respectively. When you stop to consider that all but the largest carriers run at about 10 Gbps or so, life gets very ugly.

For more:
- Arbor Networks summarizes its fourth annual infrastructure security report. Release.

Acme Packet reports slight slowdown in 3Q results

Pete Wylie — Fri, 07 Nov 2008 09:46:08 -0500

Acme Packet, the Burlington, Mass.-based session border controller manufacturer, announced fiscal third quarter results showing revenues were up 11 percent sequentially from the second quarter of 2008 and down year-over-year.

Acme Packet reported $28.4 million in revenue for the third quarter 2008, and $85.7 million in year-to-date revenue. Acme Packet slipped slightly in trading yesterday, down to $3.80 per share from its opening price of $4.20 per share.

A company spokesperson cited the economic slowdown as a cause of the slightly lower revenues, but maintained that the company's gross margin was still strong and capex was being managed prudently through the soft economic period.

The company slightly adjusted guidance for the rest of the fiscal year, bringing the high end of its revenue forecast down to $118 million from $119 million, and adjusted its expected revenue from interest up to between $3.4 and 3.6 million from its previous estimate of $3 million.

Acme Packet also announced it has repurchased 6.3 million shares of its common stock for an aggregate price of $35.8 million through Nov. 5, 2008.

For more:
- see the company release here

Related articles
Acme Packet: Canary in the (VoIP) Coal Mine?
Acme Packet new Net-Net product offering
FierceVoIP Leaders: Andy Ory, President, CEO, and Co-founder, Acme Packet

Sipera Systems, Top VoIP Company 2008: FierceVoIP, Fierce 15

Tue, 04 Nov 2008 14:44:55 -0500

Sipera Systems

Where it's based: Richardson, Texas
When it was founded: 2003
Website: www.sipera.com

Why it's Fierce: Proactive VoIP security testing and vulnerability assessment is something Fierce to our professionally paranoid hearts, so Sipera would win consideration simply for its in-house VIPER lab. However, Sipera has moved beyond simply flogging the latest VoIP threats to incorporate unified communications into its assessments and security appliances. Its latest product release offers advanced security for SIP trunking, better integration into SIP trunk provider services and adding additional SBC functionality. We expect to see more out of Sipera in the months to come.

SPOTLIGHT: Implementation headaches for VoIP & UC

Doug Mohney — Sun, 02 Nov 2008 17:36:59 -0500

Adding the latest and greatest in voice and UC to your network can generate five different types of problems, says Processor.com.

Adding or migrating voice to an existing network can result in problems if a careful assessment of existing resources isn't taken. Care must be taken to provide priority to voice packets over data and to make sure there's enough bandwidth to support voice in the first place. Older equipment, even old Ethernet switches and shared hubs -- not to mention first generation WiFi devices - weren't built to support QoS.

Shifting to VoIP also brings security and continuity of service considerations you just don't find in the POTS world.

For more:
- Processor.com gives advice on tackling VoIP and UC trouble. Article.

Skype responds to security breach

Pete Wylie — Fri, 03 Oct 2008 14:55:58 -0400

Josh Silverman, president of Skype, responded in his blog Thursday to media reports about unauthorized storage of text messages and user data by Skype's Chinese partner TOM Online. Silverman explains that Skype considered the possibility of texts not going through because of Chinese censorship standards that TOM had to meet in order to operate in the country. He stressed that TOM had to ensure Chinese government access to the communications to operate at all, but that Skype leadership was assured any "offensive" communications would simply be deleted.

"Breaching Trust," the report that sparked Silverman's response, found a security breach on the servers where "offensive" communications are stored that enabled public access to the information. Silverman assured Skype users that TOM remedied the security breach after Skype made them aware of it. He also noted that Skype was working with TOM on the storage of the "offensive" text conversations and accompanying user data.

Silverman also stressed that the compromised communications only affected text conversations in which at least one of the users was using TOM, and that Skype-Skype communications are completely secure and safe.

For more:
- see Silverman's blog post here

UCSniff targets VoIP, UC, and the inside job

Doug Mohney — Sun, 28 Sep 2008 22:16:27 -0400

Over the weekend, the Toorcon security conference in San Diego showcased a next-generation VoIP sniffer. Trust no one, and that goes double if they are on your side of the firewall.

The UCSniff tool, created by VoIP Hopper author and director of Sipera's VIPER VoIP vulnerabilities lab Jason Ostrom, has two settings for mischief. One is a learning mode that sniffs IP traffic and maps phone extensions to specific IP addresses. By default, it captures all the calls and saves them to .WAV files, says CNET news.

Once you have a map of phones to IP addresses, an attacker could use UCSniff to listen to all the VoIP conversations made by a specific mode. If that's not exciting enough, a second model allows for monitoring calls made exclusively between two extensions.

Readers should note that Ostrom's presentation outlines scenarios for the "trusted insider" within the corporation that has access to an organization's VoIP infrastructure and calls for consideration of internal controls and best practices to prevent VoIP eavesdropping.

For more:
- CNet blogs about Toorcon VoIP security session. Posting.

SPOTLIGHT: Skype - The other birthday

Doug Mohney — Tue, 09 Sep 2008 15:00:15 -0400

As Google celebrates 10 years of world domination, er, operation, Skype wants you to know that the peer-to-peer VoIP/IM/video client is celebrating its fifth birthday.

Skype's PR firm has sent out a pretty folder containing a time line of accomplishments over the past 5 years, a "Five Fun Facts" sheet, a couple of tear-jerker case studies on how people use the software, a voucher for three months of unlimited service and a cookie (Iced, a bit dry). From April to June 2008, Skype added nearly 29 million users and clocked 1.9 billion SkypeOut minutes.

Taking a different tack, ITWire chimes in with some of Skype's product and company stumbles, but misses three grade-A headaches for the company. First among these was a multi-day crash of Skype in August 2007 attributed to a set of Windows Update patches. Can government entities conduct lawful intercept activities on Skype? Some say there's a back door which leads to Skype's third faux pas - an utter lack of transparency and a "black box" closed system which makes security experts nervous and leaves open source developers frustrated.

For more:
- ITWire talks about Skype's lower moments. Article

VoIP drives broadband service growth

Pete Wylie — Wed, 03 Sep 2008 11:46:27 -0400

Broadband value-added services reaped $25.7 billion worldwide in 2007, an increase of 62 percent from 2006, according to Point-Topic research. VoIP and security made up the largest percentage of this gross as well, accounting for 56 percent of the service revenue, or more than $14 billion.

"Value added services are growing strongly and are increasingly significant in overall revenue terms," said John Bosnell, senior analyst at Point-Topic. "The success story of 2007 has been VOIP. Overall revenue has very nearly doubled, average revenue per user (ARPU) is up and take-up in major markets, particularly North America and Western Europe is growing quickly."

Bosnell predicted continued rapid growth in both components of the VoIP business, IP telephony and Internet telephony. He said market saturation is not imminent, but could occur in the future.

For more:
- read the rest of the rosy Point-Topic forecast here

SPOTLIGHT: The Menace of Hannah Montana

Doug Mohney — Mon, 04 Aug 2008 16:07:04 -0400

Disney's "Hannah Montana Wake-Up Call" has apparently been overwhelmed with bad people abusing the power of VoIP.

The service allows you to enter in a phone number on a website to deliver a special pre-recorded message from Miley Cyrus for a wake up call or activity reminder. There's no sender authentication and no opt-out mechanism or audit trail, so people are doing whatever they want and the system is apparently swamped with some individuals scheduled to receive up to five calls already. Not to mention the potential to game the system for calls to be made at early hours of the morning.

For more:
- Gigaom warns us about Hanna Montana's bad VoIP habit

Related articles:
Last HOPE Launches Security Season
VoIP Security and the Circle of Trust

The Ease of Hacking VoIP

Doug Mohney — Sun, 03 Aug 2008 21:54:14 -0400

Most of the 300,000 privately owned IP PBX systems throughout the U.S. are "wide open" to anyone that wants to hack them, says ChannelWeb. Compounding matters are a lack of regulatory interest and failure of vendors to disclose vulnerabilities.

With VoIP systems being implemented on data LANs and blended with other software for unified communications solutions, the potential for mischief can get very large very quickly. VoIPshield has been posting and demonstrating publicly documented (i.e. available through The Google) hacks. While Cisco Call Manager gets a workout on how easy it is to exploit, the real problem lies in companies not updating their VoIP and IP PBX software with the latest security patches and fixes like they do all with all their other software.

If you're not worried yet, there's a free utility called VoIPhopper to jump between voice and data VLANs so one can easily bypass firewalls and nearly all the IDS software for sale today.

For more:
- Hacking VoIP is easy, reports ChannelWeb

Related articles:
Last HOPE Launches Security Season
SPOTLIGHT: Survey: U.S. firms lax about VoIP security

A Skype Back Door?

Doug Mohney — Fri, 25 Jul 2008 15:28:40 -0400

High-ranking officials at the Austrian interior ministry have said it isn't a problem to listen into Skype conversations, implying that there is a back door built into the program.

Heise online has talked to a number of parties present at a June 25 meeting between ISP representatives and the Austrian regulator on lawful intercept of IP services who confirm the report. Skype has declined comment on if the software has a back door or if there is a specific key for decrypting data streams.

Rumors have been floating around on Skype selling a special listening device to interested governments and there has long been speculation about a back door to the program. Because Skype's code and protocols are both proprietary and closed, security experts have long wondered what Skype is capable of and what risks may arise in deploying the software in an enterprise environment.

Austrian officials have demanded that ISP allow the interior ministry to install network bridges and Linux servers in their network centers to copy and filter data traffic. If they don't, officials will work to enforce more expensive European ETSI lawful intercept standards.

For more:
- Heise Online reports on the potential for a Skype backdoor

Related articles:
Skype Wiretap Nuances
Skype resists inter-operability

The sky is (not) falling (this summer)

Doug Mohney — Wed, 23 Jul 2008 16:14:13 -0400

Last weekend, The Last HOPE conference kicked off hacker awareness month. Between now and mid-August, prepare to hear about plenty of scary security stuff that may or may not affect you in the slightest.

VoIP and voice security seem to be almost passé for the corporate-focused Black Hat conference in Las Vegas (No session on VoIP) and its irregular weekend party/knowledgefest DEFCON (one session). Compare that to three VoIP sessions at Last HOPE, plus Kevin Mitnick's quickie workaround to crack Caller ID blocking and it's very quiet when compared to dramatic announcements at previous events in past years.

The sole VoIP attack session at DEFCON discusses VoIPER, a toolkit to automatically and extensively test VoIP devices. VoIPER has been thrown at IP desk sets, softphones, and servers to find vulnerabilities. It's open source and you can take a look at the code at http://sourceforge.net/projects/voiper.

Is the quiet a good thing? I'm not sure if this means VoIP security has become seriously boring or if there's a lot of behind-the-scenes activity we'll hear about in a more dramatic fashion next year. Certainly there's bound to be some UC security activity to be discussed in the months ahead.

But for now, I'd say that it's a good time to enjoy the rest of the summer--unless you have to worry about all the other security headaches bound to be pouring out of Black Hat and DEFCON in a couple of weeks.

- Doug

Digium CTO parses unblocked Caller ID hack

Doug Mohney — Tue, 22 Jul 2008 12:05:53 -0400

Normally, punching *67 should block Caller ID information being passed through to a receiving caller. But, as security consultant Kevin Mitnick has demonstrated and Digium CTO Mark Spencer explains, it's not 100 percent foolproof.

At The Last HOPE hacker conference over the weekend, Mitnick demonstrated how an appropriately configured Asterisk box and a suitable SIP trunking service can be used to deliver Caller ID information even on inbound calls that have a "Private" flag set.

"There are legitimate reasons why you need to set the Caller ID to normal [and carry that information forward,]" said Digium CTO Mark Spencer. "If, for example, I'm in an enterprise environment and I want to have calls forwarded [from my office number] to my cell phone, [the PBX] needs that information."

Mitnick used the "enterprise class" VoIP/SIP trunking provider FlowRoute to get a phone number (DID) and service that would deliver all of the call information to an Asterisk server. The Asterisk server is simply setup/scripted to pass along all Caller ID information for inbound calls regardless of the setting of the privacy flag on the call.

Spencer also noted that Caller ID information is also carried along and recorded for "private" calls to toll free numbers; the information is necessary for proper billing.

Mark is not happy with the use of Asterisk for questionable uses, but since it is open source, there is little he can do about it. "I hate to say it, but the same reasons why Asterisk is attractive to a lot of businesses, it's low cost, it can be easily tweaked, it's more flexible, make it easy for using it for an illegitimate purpose," said Spencer. "It's a very powerful platform. I'm not thrilled about it being used for fraud and I'm not thrilled with companies who build products on it in competition with Digium, but there's not a lot I can do about it."

For more:
- Engadget snags Mitnick demo video from The Last HOPE conference

Related articles:
Last Hope Launches Security Season
VoIP Security and the Circle of Trust

Last Hope Launches Security Season

Doug Mohney — Sun, 20 Jul 2008 16:26:58 -0400

Over the weekend, 2600's The Last HOPE (Hackers On Planet Earth) conference launched what this reporter dubs "Security Season." Be prepared for an onslaught of computer security stories featuring oh-so-clever hackers between now and the wrap-up of DEFCON 16 in mid-August.

At the conference, hacker celebrity Kevin Mitnick appeared to plug his coming tell-all book and demonstrated a script for Digium's Asterisk IP PBX to show Caller ID information for someone calling even if the phone's Caller ID is set to "private."

Other presentations at the conference went much deeper into VoIP security. Blake Cornell and Jeremy McNamara discussed how a number of foreign governments and ISPs are blocking VoIP services in attempt to protect a telephone monopoly and/or to censor information. The duo will release a pair of tools to determine if an ISP is blocking SIP and to scan entire netblocks to determine if any Asterisk IAX2 services are available. Details were also provided as to how Asterisk and VoIP providers who support IAX2 can provide virtually un-blockable VoIP services in a country that is actively blocking SIP-based VoIP services.

Sessions also touched upon the ability to use VoIP as a low cost method to probe phone networks around the world and incidents last year where a group of Italian VoIP hackers exploited VoIP vulnerabilities.

For more:
- Silicon Valley Insider spots Mitnick hacking Asterisk
- The Last Hope website
- Jeremy McNamara's VoIP/Asterisk blog

Related articles:
Newport Networks Riles Up VoIP Security Fears
VoIP Security and the Circle of Trust

UC Data Leakage Dangers

Doug Mohney — Sat, 19 Jul 2008 20:40:51 -0400

It's not just Light Reading that's talking about UC security this week. Osterman Research has conducted a survey polling enterprises on their security thoughts and features about UC.

Companies are starting to understand that UC is a good thing, but it creates even more opportunities for data leaks. Nearly 50 percent of respondents are concerned about information leak prevention in their current or planned UC implementation with 23 percent viewing leak prevention as a top priority, said 109 mid- to large-IT organizations in North America.

IT shops are worried that attackers get a menu of choices by putting all communications traffic onto one common data network. An attacker can intercept VoIP, IM and other traffic or choose to inflict a denial-of-service attack by using VoIP to flood systems with session requests.

Outsider attacks, however, pale in comparison to insider threats from either unintentional or accidental leaks, with 48 percent of respondents worried about such a problem compared to 31 percent who worry about data loss from malicious software.

For more:
- SearchSecurity.com reports on the UC security survey by Osterman Research

Related articles:
UC Insecurity
UC security urgent priority