Last Hope

The sky is (not) falling (this summer)

Doug Mohney — Wed, 23 Jul 2008 16:14:13 -0400

Last weekend, The Last HOPE conference kicked off hacker awareness month. Between now and mid-August, prepare to hear about plenty of scary security stuff that may or may not affect you in the slightest.

VoIP and voice security seem to be almost passé for the corporate-focused Black Hat conference in Las Vegas (No session on VoIP) and its irregular weekend party/knowledgefest DEFCON (one session). Compare that to three VoIP sessions at Last HOPE, plus Kevin Mitnick's quickie workaround to crack Caller ID blocking and it's very quiet when compared to dramatic announcements at previous events in past years.

The sole VoIP attack session at DEFCON discusses VoIPER, a toolkit to automatically and extensively test VoIP devices. VoIPER has been thrown at IP desk sets, softphones, and servers to find vulnerabilities. It's open source and you can take a look at the code at http://sourceforge.net/projects/voiper.

Is the quiet a good thing? I'm not sure if this means VoIP security has become seriously boring or if there's a lot of behind-the-scenes activity we'll hear about in a more dramatic fashion next year. Certainly there's bound to be some UC security activity to be discussed in the months ahead.

But for now, I'd say that it's a good time to enjoy the rest of the summer--unless you have to worry about all the other security headaches bound to be pouring out of Black Hat and DEFCON in a couple of weeks.

- Doug

Digium CTO parses unblocked Caller ID hack

Doug Mohney — Tue, 22 Jul 2008 12:05:53 -0400

Normally, punching *67 should block Caller ID information being passed through to a receiving caller. But, as security consultant Kevin Mitnick has demonstrated and Digium CTO Mark Spencer explains, it's not 100 percent foolproof.

At The Last HOPE hacker conference over the weekend, Mitnick demonstrated how an appropriately configured Asterisk box and a suitable SIP trunking service can be used to deliver Caller ID information even on inbound calls that have a "Private" flag set.

"There are legitimate reasons why you need to set the Caller ID to normal [and carry that information forward,]" said Digium CTO Mark Spencer. "If, for example, I'm in an enterprise environment and I want to have calls forwarded [from my office number] to my cell phone, [the PBX] needs that information."

Mitnick used the "enterprise class" VoIP/SIP trunking provider FlowRoute to get a phone number (DID) and service that would deliver all of the call information to an Asterisk server. The Asterisk server is simply setup/scripted to pass along all Caller ID information for inbound calls regardless of the setting of the privacy flag on the call.

Spencer also noted that Caller ID information is also carried along and recorded for "private" calls to toll free numbers; the information is necessary for proper billing.

Mark is not happy with the use of Asterisk for questionable uses, but since it is open source, there is little he can do about it. "I hate to say it, but the same reasons why Asterisk is attractive to a lot of businesses, it's low cost, it can be easily tweaked, it's more flexible, make it easy for using it for an illegitimate purpose," said Spencer. "It's a very powerful platform. I'm not thrilled about it being used for fraud and I'm not thrilled with companies who build products on it in competition with Digium, but there's not a lot I can do about it."

For more:
- Engadget snags Mitnick demo video from The Last HOPE conference

Related articles:
Last Hope Launches Security Season
VoIP Security and the Circle of Trust

Last Hope Launches Security Season

Doug Mohney — Sun, 20 Jul 2008 16:26:58 -0400

Over the weekend, 2600's The Last HOPE (Hackers On Planet Earth) conference launched what this reporter dubs "Security Season." Be prepared for an onslaught of computer security stories featuring oh-so-clever hackers between now and the wrap-up of DEFCON 16 in mid-August.

At the conference, hacker celebrity Kevin Mitnick appeared to plug his coming tell-all book and demonstrated a script for Digium's Asterisk IP PBX to show Caller ID information for someone calling even if the phone's Caller ID is set to "private."

Other presentations at the conference went much deeper into VoIP security. Blake Cornell and Jeremy McNamara discussed how a number of foreign governments and ISPs are blocking VoIP services in attempt to protect a telephone monopoly and/or to censor information. The duo will release a pair of tools to determine if an ISP is blocking SIP and to scan entire netblocks to determine if any Asterisk IAX2 services are available. Details were also provided as to how Asterisk and VoIP providers who support IAX2 can provide virtually un-blockable VoIP services in a country that is actively blocking SIP-based VoIP services.

Sessions also touched upon the ability to use VoIP as a low cost method to probe phone networks around the world and incidents last year where a group of Italian VoIP hackers exploited VoIP vulnerabilities.

For more:
- Silicon Valley Insider spots Mitnick hacking Asterisk
- The Last Hope website
- Jeremy McNamara's VoIP/Asterisk blog

Related articles:
Newport Networks Riles Up VoIP Security Fears
VoIP Security and the Circle of Trust