locks keep lawful people out...    

The Security Skeptic

Dave Piscitello's Security Weblog

Skeptic (sceptic): a person inclined to question or doubt accepted opinions.

Wed, 07 May 2008 00:00:00 00, 687
The cell service drought is over

I live on a part of Hilton Head Island that is cell service-challenged. We are several miles from the nearest tower, surrounded by towering pines. The architectural review board of my owners' association insists that antennae and towers of any kind detract from the island's beauty.

For years our cell reception has been in the point-5 bar range, enough to receive Blackberry email and incoming call ringtone. If my family and neighbors actually want to accept an incoming call, we sprint out the door, down the driveway, towards an opening in the pine tree canopy.

I am now the happy user of a Blackberry Curve with a WiFi implementation that works with my IEEE 802.11 b/g access point and supports WPA2/AES with pre-shared keys. You can hear me now - and I don't need a horde of Ver1zon technicians trailing me and my cellie.

If you get a Curve, bear in mind that the WiFi implementation tunnels voice service over an IPSEC connection. IPSEC (and IKE) may be blocked at firewalls as part of an egress traffic policy. This may affect you in the following scenarios:

  1. You are in a hotel where you can't get good cell coverage BUT the hotel offers WiFi. You may have to choose the option "give me a public IP address" to get IPSEC to work (I won't bore you with the details, simply know that network address translation and IPSEC don't always play well together and that IPv6 should fix this:-)

  2. You are visiting a company that offers you WiFi guest connectivity but blocks all but a limited set of PORTS. Some companies don't permit visitors to use IPSEC from their networks (it's an opaque tunnel and represents an information disclosure risk) so they may block your phone.

  3. Like me, you run a very secure firewall in your home office. I only open TCP/UDP ports outbound for applications that fall within my household acceptable use policy and block all the rest. So, like me, you will need to create a policy at your firewall that allows IKE port 500 and IPSEC/AH/ESP to port 4500 outbound from your wireless LAN to the Internet. (Go ahead, be like Dave, experience what a firewall admin really deals with.)

Assuming you've configured your WLAN connection properly, you should be able to surf the net from your Curve without IPSEC. Thus, if you have WiFi signal and are able to browse, a "Call failed" popup on your phone is a solid indicator that your tunnel's being blocked.
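To confirm the diagnosis from the firewall side, the sketch below (an added example, not code from the original post) scans dropped-packet log lines and reports which WLAN hosts are having IKE or IPSEC traffic blocked by the egress policy. It assumes iptables-style LOG output with a hypothetical `EGRESS-DROP` prefix, the standard assignments (IKE on UDP 500, NAT traversal on UDP 4500, ESP and AH as IP protocols 50 and 51), and constructed sample addresses.

```python
import re
from collections import defaultdict

# Constructed sample: iptables-style LOG lines for dropped outbound packets.
# Addresses are private/documentation ranges; "EGRESS-DROP" is an assumed log prefix.
SAMPLE_LOG = """\
May  7 09:14:02 fw kernel: EGRESS-DROP IN=wlan0 OUT=eth0 SRC=192.168.10.23 DST=203.0.113.10 LEN=276 PROTO=UDP SPT=500 DPT=500
May  7 09:14:05 fw kernel: EGRESS-DROP IN=wlan0 OUT=eth0 SRC=192.168.10.23 DST=203.0.113.10 LEN=276 PROTO=UDP SPT=4500 DPT=4500
May  7 09:14:09 fw kernel: EGRESS-DROP IN=wlan0 OUT=eth0 SRC=192.168.10.40 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=51514 DPT=6667
May  7 09:15:30 fw kernel: EGRESS-DROP IN=wlan0 OUT=eth0 SRC=192.168.10.23 DST=203.0.113.10 LEN=152 PROTO=ESP SPI=0x1a2b3c4d
"""

FIELD = re.compile(r"(\w+)=(\S+)")  # KEY=VALUE pairs in a LOG line

def classify(fields):
    """Name the IPsec-related flow a dropped packet belongs to, or None."""
    proto, dpt = fields.get("PROTO"), fields.get("DPT")
    if proto == "UDP" and dpt == "500":
        return "IKE (UDP/500)"
    if proto == "UDP" and dpt == "4500":
        return "IPsec NAT-T (UDP/4500)"
    if proto in ("ESP", "50"):
        return "ESP (IP proto 50)"
    if proto in ("AH", "51"):
        return "AH (IP proto 51)"
    return None  # ordinary drop, not tunnel traffic

def blocked_tunnels(log_text, tag="EGRESS-DROP"):
    """Map (src, dst) to the sorted IPsec flow types the policy dropped."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if tag not in line:
            continue
        f = dict(FIELD.findall(line))
        kind = classify(f)
        if kind and "SRC" in f and "DST" in f:
            hits[(f["SRC"], f["DST"])].add(kind)
    return {pair: sorted(kinds) for pair, kinds in hits.items()}

def report(log_text):
    """One human-readable line per host pair whose tunnel is being blocked."""
    return [f"{src} -> {dst}: egress policy drops {', '.join(kinds)}"
            for (src, dst), kinds in sorted(blocked_tunnels(log_text).items())]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

A host that shows up here while still browsing normally matches the "Call failed" symptom: ordinary web traffic is permitted, the tunnel is not.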

A word about the service. The call quality over a 3 Mbps DSL connection is about the same as you'd get from Vonage VoIP: a bit tinny but tolerable. If you use the browser on your Blackberry, you'll notice much improved download times. I quickly glanced at the traffic the Blackberry generates while it is connected using the WiFi. I noticed that my proxy firewall was stripping 3rd party cookies for hitbox.com. Grats to my firewall and bite me, Hitbox. The Bberry appears to work fine without them so if you have HTTP proxy capabilities, a cookie blocker, or are willing to flog at your browser preferences, you might think about thwarting Hitbox, too.

Archived at http://www.securityskeptic.com/arc20080501.htm#BlogID687 by Dave Piscitello  

Mon, 11 Dec 2006 00:00:00 00, 573
SNOCER - Secure and Highly Available VoIP Communications Services

A colleague at BCR forwarded a hyperlink to the SNOCER project. The project abstract describes SNOCER as "a general secure and high available software architecture for VoIP infrastructures. Security is achieved through the utilization of Intrusion detection systems enhanced for VoIP traffic plus extended VoIP servers that perform advanced traffic monitoring. Additionally, we propose to increase server throughput through the use of an advanced DNS caching solution."

SNOCER is a defensive approach to VoIP security. It doesn't propose security extensions that might mitigate the growing spectrum of attacks against VoIP endpoints and infrastructures but it does offer a helpful taxonomy of attacks and, more importantly, measures an organization can take to detect and block attacks, and identifies an intriguing toolkit for deploying these measures.

Find a draft of SNOCER here.

Archived at http://www.securityskeptic.com/arc20061201.htm#BlogID573 by Dave Piscitello  

Wed, 29 Nov 2006 00:00:00 00, 572
New VoIP Security Resources (Is anyone reading them?)

I've added a dozen or so articles to my VoIP Security Resources and have included a short list of books on this subject (including my own, with Alan Johnston). I am a little surprised that relatively few new articles have been published over the past six months, and that many of the recently published merely regurgitate what has been exposed for several years. Recent articles, however, appear in trendier online pubs and news portals. This suggests that the press has begun to campaign that VoIP Security is *the* most worrisome issue on every CSO's list. By February, Internet toll fraud and eavesdropping attacks will replace rootkits and key loggers as the most popular parlor talk among the (not so) techno-craties.

Apparently, Christmas has arrived early for VoIP security vendors and the 4th estate. In an industry measured by FUD-ometers, these folks couldn't ask for better "proof" that Internet telephony is at the edge of the security abyss than finding VoIP server and phone security on the SANS Top 20 Internet Security Target List for November 2006.

Time to sing "The more things change, the more they remain the same" to the tune of a Christmas Carol. I think this works with Jingle Bells: "The more things change, the more things change, the more they remain the same...we innovate with plain text apps although we know they're lame."

Archived at http://www.securityskeptic.com/arc20061101.htm#BlogID572 by Dave Piscitello  

Sun, 13 Aug 2006 00:00:00 00, 545
Quoted in: VoIP security wake-up call

Journalist Geoff Long wrote an interesting piece for TelecomAsia.net on the increased attention VoIP is receiving from attackers. Whilst gathering background information for the article, Geoff interviewed me via email, and has included several observations I made in response to his questions concerning escalation, complexity, and threat levels associated with recent attacks against VoIP subscribers and service providers (with attribution). You can read the article here.

Archived at http://www.securityskeptic.com/arc20060801.htm#BlogID545 by Dave Piscitello  

Thu, 06 Jul 2006 00:00:00 00, 540
Inquiry about VoIP Security

I received an email today from a blog visitor who was performing research for an article on VoIP security for Telecom Asia. I've transcribed the three questions he asked and share my replies below...

Do you see the recent hacking/fraud incident with Net2phone as a wake-up call for VoIP security? (the hacking case in Miami)

If you follow public mailing lists like pen-test@securityfocus.com and bugtraq@securityfocus.com you will have noticed a trend. Increasingly, more VOIP product vulnerabilities are being reported and more inquiries are made about how to penetrate networks through VoIP protocols and SIP/IPBX configurations. This tells me that VoIP is large enough and there is a financial motivation (e.g., toll fraud) to make it a serious target.

Are these incidents common but the industry doesn't want them to become public?

Yes, but this is in my opinion merely consistent with the pattern for data that's been present for years. Few organizations want the negative exposure, tarnish of brand, and loss of consumer/customer confidence associated with security incidents.

What will be the biggest security-related problem with VoIP in future?

User and proxy authentication first, then confidentiality.

Archived at http://www.securityskeptic.com/arc20060701.htm#BlogID540 by Dave Piscitello  

Tue, 16 May 2006 00:00:00 00, 526
How to Protect Your VoIP Network

VoIP has finally arrived as a mainstream application. IP PBX equipment sales topped $1 billion in 2005, for the first time outpacing traditional TDM PBXs, according to Dell'Oro Group. In fact, analysts predict that IP PBXs will account for more than 90% of the market by 2009. Before you deploy VoIP, however, you need to be aware of the security risks and the countermeasures that you can take.

Security is important in every context, but especially when you're replacing the world's oldest, largest and most resilient and available communications network. While no individual security measure will eliminate attacks against VoIP deployments entirely, a layered approach can meaningfully reduce the probability that attacks will succeed.

Read the rest of my feature article at Network World.

Archived at http://www.securityskeptic.com/arc20060501.htm#BlogID526 by Dave Piscitello  

Thu, 02 Mar 2006 00:00:00 00, 508
Status of "Understanding Voice over IP Security"

Artech House is accepting orders for the VoIP security book I co-authored with Alan Johnston. You can read the preview material and order an advance copy at a discount here.

The ISBN is 1-59693-050-0.


Archived at http://www.securityskeptic.com/arc20060301.htm#BlogID508 by Dave Piscitello  

Wed, 18 Jan 2006 00:00:00 00, 494
Is VOIP hacking heating up?

It's unusual to see three SIP-related posts on BugTraq in the span of less than a week. Perhaps it's an anomaly, but last week, exploit code for two vulnerabilities and a new SIP war dialing tool were announced. The exploits are (predictably) buffer handling problems in SIP softphones. The war dialing tool is actually a set of enhancements to a PSTN (ahem) auditing tool, iWar, that allow you to scan IP PBX and voice mail systems for active SIP URIs. The tool also captures banners for remote system identification and several other rudimentary scanning functions.

These posts suggest that there are enough SIP UAs to make attacking interesting and that traditional scanning and information gathering tools can be and are being extended to probe SIP-based applications. It's also no coincidence that SIP softphones are attracting early attention. They are cheap or free and require only a LAN to serve as an attack network and tool development environment. At least some, if not many, of the vulnerabilities revealed from softphone experimentation are likely to apply to SIP phones, SIP network adapters, and core VOIP network equipment.

Whether attackers begin by disrupting subscribers of public VOIP services like Vonage, Packet8, SunRocket, and the major players like AT&T, or target enterprise SIP installations probably depends on the mindset and objectives of the attackers. I can't help but believe that we are entering another interesting time in the history of Internet-based communications.

Archived at http://www.securityskeptic.com/arc20060101.htm#BlogID494 by Dave Piscitello  

Tue, 29 Nov 2005 00:00:00 00, 476
VoIP Security resources

Alan Johnston and I have submitted our manuscript for our forthcoming book, VOIP security. As I resume regular posting, I thought I'd begin by expanding my VOIP Security resources page to include relevant references from our manuscript. Enjoy!

Archived at http://www.securityskeptic.com/arc20051101.htm#BlogID476 by Dave Piscitello  

Mon, 14 Nov 2005 00:00:00 00, 475
Where's Dave?

I have been quieter than usual blogging this month. ICANN is keeping me quite busy, and I have been spending all my spare writing cycles completing a book on VoIP Security with Alan Johnston of Tello Corporation. The book will be published by Artech House in the March 2006 timeframe so we are well into the eleventh hour.

Our VOIP Security book is a complement to Alan's SIP: Understanding the Session Initiation Protocol, 2nd Edition (also available as an eBook).

Archived at http://www.securityskeptic.com/arc20051101.htm#BlogID475 by Dave Piscitello  

Fri, 15 Jul 2005 00:00:00 00, 430
More on FraudEliminator

I received my daily phishing email, which provided an opportunity to check out the fraud detection features of the FraudEliminator plug-in I mentioned in Blog ID #428. For your amusement, here's the URL:


FraudEliminator flagged the hyperlink as suspicious, explaining why in a popup window. FraudEliminator also provides one-click anonymous fraud reporting. By reporting suspected phishing, you help the FraudEliminator expand its database of fraud sites.

I have no basis for comparison (and no time to build one). This plug-in is worth a try. I'm heartened that these folks have a companion plug-in for IE.

Archived at http://www.securityskeptic.com/arc20050701.htm#BlogID430 by Dave Piscitello  

Thu, 06 Jan 2005 00:00:00 00, 347
Top five enterprise voice web links

Our VOIP Security Resources is recommended by TechTarget as one of the top five Enterprise Voice Web Links.

Archived at http://www.securityskeptic.com/arc20050101.htm#BlogID347 by Dave Piscitello  

Tue, 12 Oct 2004 00:00:00 00, 315
VOIP Security resources

I've been sitting on this resource page for nearly a month, and finally managed to publish it last night. Voice over IP and Voice over WLAN are hot topics. Enterprises and even small and medium businesses are adopting or integrating VOIP; service providers are offering consumers VOIP service over broadband; and WiFi hotspots are bracing for the inevitable VOWLAN storm. VOIP's kewl, but operators and users alike should become familiar with VOIP security issues. I've accumulated useful links at VoIP Security Resources. Happy reading!

Archived at http://www.securityskeptic.com/arc20041001.htm#BlogID315 by Dave Piscitello  

Mon, 12 Jul 2004 00:00:00 00, 281
IP Telephony Security, Part II: Threats to Operators

In Part I of my IP Telephony Security series of articles, I explained how IP networks are now used to handle an increasing number of voice calls, and I identified ways that IPT users and phones are vulnerable to attack. IPT operators are vulnerable as well. Part II examines threats to operators.

Archived at http://www.securityskeptic.com/arc20040701.htm#BlogID281 by Dave Piscitello  

Sun, 13 Jun 2004 00:00:00 00, 266
VOIP Security Threats (Presentation)

I've made a copy of my Networld+Interop presentation, VOIP Security Threats, available here.

Archived at http://www.securityskeptic.com/arc20040601.htm#BlogID266 by Dave Piscitello  

Fri, 11 Jun 2004 00:00:00 00, 263
IP Telephony Security, Part I: Threats to Subscribers

IP networks are now used to handle an increasing number of voice calls. The marriage of voice and IP offers many benefits, but there's a dark side of this union. The combined attack targets and vectors present a formidable threat to users and IPT operators (private and public). Read the complete LOOP column here.

Archived at http://www.securityskeptic.com/arc20040601.htm#BlogID263 by Dave Piscitello