Category: VoIP Security

U.S. DHS Warns of TDoS (Telephony Denial of Service) Attacks

DHS TDOS AlertThe U.S. Department of Homeland Security recently issued a bulletin titled “TDoS Attacks on Public Safety Communications” and while it was “Law Enforcement Use Sensitive/For Official Use Only” a copy was obtained by Brian Krebs who wrote about it on his site and also published the DHS bulletin publicly.

This resulted in a small flurry of related articles that Mark Collier listed on his VoIP security blog. Most of the articles, unfortunately somewhat predictably, seem to be rehashes of Brian Krebs’ post and/or the DHS bulletin.  However, the point is definitely solid – these are real attacks that are happening on call centers out there, including those operated by emergency services organizations.  No one wants to be on the receiving end of hundreds (or thousands) of phone calls clogging up your call center and making it unusable for regular business.

The connection to VoIP is that made by Brian Krebs in his article:

According to a recent report from SecureLogix, a company that sells security services to call centers, free IP-PBX software such as Asterisk, as well as computer-based call generation tools and easy-to-access SIP services, are greatly lowering the barrier-to-entry for voice network attackers.

This is the key point.  VoIP systems make these kind of attacks much easier to create.  Anyone can take one of the various free VoIP servers and create a script that will generate a crazy number of phone calls.  And of course the Caller-ID can be easily spoofed using the same servers.  I’m sure there are already scripts out there that automate all of this for would-be attackers.

The challenge is then finding either a VoIP service provider (or “ITSP” or “SIP Service Provider”) who will let the attacker send out phone calls to the PSTN – or to find victims that allow incoming SIP connections (which means that attacks could come from any Internet connection).  Or to find components of the SIP signaling infrastructure that have weak (or no) authentication and through which an attacker can send calls.  For example, SIP gateways that allow incoming SIP calls with minimal (or easily spoofable) authentication.

It’s not necessarily easy to do, but VoIP systems do make it easier than it was in the past, largely because the attackers can obtain a degree of anonymity through masking their source, and also because of the automation of the calling possible through the systems.

Defending against a TDoS is not the easiest, particularly when the attackers can use spoofed Caller IDs to hide their origin.  Here is a place where VoIP actually helps because if the calls are coming in over IP, firewalls and other network monitoring tools can be used to recognize patterns and potentially identify and block sources of the attacks.  There are companies such as SecureLogix (whose CTO is Mark Collier, whom I linked to earlier) who do sell products and services to help address these threats. As we increasingly move to IP-based communications there will no doubt be many more companies and service providers offering such services.

We as an industry do need to do what we can to help people understand both the threat posed by these attacks, and also the mitigations and possible solutions.

In the meantime, expect more people to be talking about this issue due to this DHS bulletin and the surrounding attention in the media.

What do you think?  What should be done within the VoIP vendor/organization community?  What are good steps to promote to defend against TDoS attacks?

Video Interview: Emil Ivov about how the Jitsi softphone works with IPv6 and DNSSEC

How does the Jitsi softphone work with IPv6? And what role could DNSSEC play with VoIP? At IETF86 earlier this month, I sat down with Emil Ivov, project leader of the Jitsi Project to talk about a wide range of topics including how Jitsi got started and why it does so much with IPv6 (interesting reason!), what they are looking to do with Jitsi now, the role of DNSSEC and why they added that support to Jitsi... and much, much more... I quite enjoyed talking to Emil and the Jitsi project is certainly one that I will continue to watch - and use!

If you found this post interesting or useful, please consider either:


Is The “VoIP” in “VoIP Security” Still The Right Term?

VoipqShould we still be talking about “VoIP security”? Or should we be using some other language?

Back when we started VOIPSA in 2005, “voice over IP (VoIP)” was the term we all were using, but as we look at what kind of activities come next, we’re starting to wonder if we should be talking about “communications security” a bit differently.

For starters, in the past 8 years we’ve moved far beyond simply “voice” into video over IP, text messaging over IP, data sharing over IP… all within a single communications session. Is that still “VoIP”?

Beyond that, we’ve seen a range of other terms coming into usage, including:

  • unified communications (UC)
  • real-time communications (RTC)
  • cloud communications
  • IP communications

and many more. Plus new technologies are out that have pushed “VoIP” beyond its traditional proprietary protocols and the open standard of the Session Initiation Protocol (SIP). We’ve seen the strong emergence of XMPP (Jabber) and its related “Jingle” protocol. We’ve seen the explosion of interest in the WebRTC / RTCWEB protocols and tools.

Are all of those “VoIP”? Or are they something more?

Should we be talking about…

  • UC security?
  • real-time communications security?
  • IP communications security?

Or perhaps just plain old “communications security”? (or is that too generic?) I’ve seen some people talking about “SIP security”, but now that is specific to a single protocol.

Or is “VoIP security” still an okay term to use?

What do you think? What do you use? What do you hear vendors and others using? How should we be talking about securing all these many ways we have to communicate now over IP networks?

Please do let us know either as comments here or out on social networks. (Thanks!)

Oracle Buys Acme Packet For $2 Billion To Gain SIP Session Border Controllers (SBCs) And More

AcmepacketFascinating news today out of Oracle that they have purchased Acme Packet in a transaction estimated to be around $2 billion US. For those of you not really tracking the VoIP security space, Acme Packet is probably the world's largest vendor of "session border controllers (SBCs)", devices that are used to securely and reliable interconnect VoIP networks. SBCs also provide a very important role in helping with interoperability of Session Initiation Protocol (SIP) signaling between the SIP products and networks of different vendors.

As Andy Abramson writes, the fascinating aspect of this acquisition is this:

This is an interesting grab by one of the tech world's true giants because it sqaurly puts Oracle into a game where they begin to compete with the giants of telecom, many of whom run Oracle software to drive things including SBC's, media gateways and firewall technology that's sold.

This acquisition does put Oracle VERY firmly into the telecom sector at a carrier / large enterprise level, as Acme Packet's products are widely used within that tier of companies. As the news release notes:

"The company's solutions are deployed by more than 1,900 service providers and enterprises globally, including 89 of world's top 100 communications companies."

Acme Packet has also long been recognized as a leader by analyst firms such as Gartner. People from Acme Packet, in particular Hadriel Kaplan, have also been extremely involved with industry efforts such as the SIP Forum and standards activity in the IETF.

As far as integration, Oracle already has a wide array of "communications" products, including several unified communications (UC) products that could potentially interact with Acme Packet products extremely well. Beyond all of that, though, this acquisition will have Oracle being a strong player in providing telecom infrastructure as we continue to collectively move to basing all our communications on top of IP.

Congratulations to my friends at Acme Packet and Oracle... and I wish them the best as they proceed down the path to completing this acquisition.

More information here:


If you found this post interesting or useful, please consider either:


Microsoft Researching Skype Password Reset Security Hole

This morning The Next Web reported on an exploit where Skype’s password reset web page could be used to hijack a user’s Skype account using only the password associated with the account. So… if you could guess someone’s email address (which can often be found through a Google search), you could effectively take over their Skype account.

Microsoft/Skype has DISABLED this feature while they investigate further so it appears that for the moment the security risk is limited.

However, it may be wise to watch closely the email account associated with your Skype ID for the next bit to see if any random password reset messages are sent to your account. Odds are that attackers will be sniffing around trying to see if there is any other way to exploit the apparent vulnerability.

The Next Web team reports that they were able to reproduce the attack on two Skype accounts of willing victims, confirming that the vulnerability was indeed real. They also reported the issue to Skype and worked with folks there.

The vulnerability is interesting in that it shows the complexity of modern communication applications. Skype is for the most part a desktop/mobile application, but yet it does rely on a centralized cloud-based service for authentication/passwords, etc. A vulnerability in the web interface for that central service then weakens the security of the overall system.

The “good” news for Microsoft/Skype is that because this appears to be a vulnerability in the web interface of the centralized system, this is probably something relatively easy for them to fix – and without requiring any client updates.

Kudos to Microsoft/Skype for reacting quickly to minimize the risk and we look forward to the issue being addressed.


UPDATE #1: Skype has issued a brief statement on their “heartbeat” web site with the same text that has been quoted in several articles.

UPDATE #2: The Verge has an article out now where many people in the comments are suggesting you change the email address associated with your Skype account to something less likely to be guessed. While Microsoft seems to have removed the immediate attack vector and this change is no longer critical to do, it may be something some of you may want to consider.

UPDATE #3: There’s a long Hacker News thread on this issue that also includes a link to an article walking through the exploit step-by-step as well as walking through links to protect your account. Note that because of the steps Microsoft has taken the exploit steps no longer work.


Digium Releases 3 Asterisk Security Advisories

Asterisk logoThis week Digium released three security advisories allowing remote authenticated sessions to either crash an Asterisk server or escalate user privileges.  The advisories are:

In all cases the solution is to upgrade to the latest releases of Asterisk Open Source (1.6.2.24, 1.8.11.1 or  10.3.1 ) or Asterisk Business Edition (C.3.7.4).

 

Free Webinar Tomorrow: Securing VoIP and Unified Communications Systems

USTelecomWant to join in to a free webinar/webcast to learn about VoIP and Unified Communications security? Tomorrow, Thursday, January 26, 2012, I (Dan York) will be speaking as part of US Telecom’s monthly educational webinar series on the topic of: Securing VoIP and Unified Communications Systems

The session will be at 1:00pm US Eastern. Registration is free using the “Register Now” link on the right side of the US Telecom webinar page. I’ll be spending about 30 minutes covering the range of security issues with VoIP and UC and then will have plenty of time for questions.

The abstract of the session includes:

What are the major security threats to today’s telecommunications infrastructure?

As telecom has evolved from the traditional circuit-switched PSTN to a new world of Voice-over-IP (VoIP) and Unified Communications (UC), what are the security implications? As services move to be based on the Session Initiation Protocol (SIP), how does that change the security of the system? Is this new IP-based world less or more secure? What are the threats and what are the best practices to protect against those threats?

I’ve always found these sessions to be quite enjoyable to do and have always enjoyed the dialogue that frequently happens with questions. I encourage you to register and participate.

If you can’t join live, US Telecom will be making an archive of the session available for 90 days. I believe it will be linked from the webinar page, but if not I will update this post with the information.

Asterisk Remote Crash Vulnerability in SIP Channel Driver

Asterisk

The folks over at the Digium security team today released security bulletin AST-2011-012 for a remote crash vulnerability in the SIP channel drive. For info about the attack, they state only:

A remote authenticated user can cause a crash with a malformed request due to an uninitialized variable.

An assumption from this statement would be that an UNauthenticated user could not carry out this attack… but I admit to not personally knowing the SIP channel driver of Asterisk enough to be able to stand behind this conclusion.

Regardless, updates have been released in the form of new versions 1.8.7.1 and 10.0.0-rc1.

Avaya Acquires UC Security Firm and SBC Vendor Sipera Systems

Fascinating news today that Avaya has acquired Sipera Systems for an undisclosed sum. We’ve covered Sipera here on this blog any number of times over the past years as they have been one of the few firms very specifically focused on “VoIP security”, or, to be more appropriately buzzword-compliant in 2011, “Unified Communications security.” In fact, the first video podcast I did for the Blue Box Podcast (when I was doing that) way back in August 2007 was with Sipera.

Over the years Sipera has hired some truly excellent people in the field, released some useful tools, originated great research and done a great bit in general to help keep the dialog going on publicly about VoIP/UC security.

The Avaya purchase is fascinating because, as Eric Krapf noted in a NoJitter post this morning, Avaya has been OEMing a Session Border Controller (SBC) solution from market leader Acme Packet for quite some time. As Eric notes:

The deal therefore could represent a shift in the enterprise SBC market, at a moment when E-SBCs are emerging as a key component of enterprise real-time communications deployments, especially in SIP trunking deployments. Acme Packet has been far and away the market share leader in SBCs, with over 50%, and its SBC works with all the leading enterprise communications platforms.

However, enterprise vendors including Cisco and Siemens (and now, it seems, Avaya) have released their own SBCs, and in the case of Siemens, the SBC only talks to Siemens platforms on the enterprise side of the device. It remains to be seen whether the Sipera SBC will work only with Avaya Aura–but it seems unlikely that anyone other than an Avaya customer would buy an Avaya SBC.

Now, the news release of course plays up how Sipera’s solutions work with both Avaya and non-Avaya systems but to Eric’s point there may in the future be little incentive for non-Avaya customers to purchase a solution, given that there are other “independent” players out there in the SBC market like Acme Packet, Ingate Systems, Sonus Networks and others.

Regardless of how it all shakes out, it is an interesting move and one that bears watching.

Congrats to our friends at Sipera and Avaya on the acquisition, and we look forward to seeing how it evolves.

Speaking Next Week on IPv6 and VoIP Security at 7th Real-Time Communications Conference in Chicago

Rtcconf2011
If any of you will be in Chicago next week, October 4-6, 2011, for the 7th Annual Real-Time Communications Conference & Expo, I'll be there on the 5th and 6th as a speaker.

I'll be speaking twice. First on Wednesday the 5th at 4pm on "The Current State of VoIP Security", wearing my VOIPSA hat and leading off a series of talks about security. I'll be providing an overview of the main threats to VoIP and communications security in general, leading the way into the two more specific talks following mine.

I'm rather excited that my second session will be my first public appearance wearing my new Internet Society hat (if you are not aware, I've posted details about my recent move) and will of course be about IPv6... more specifically "How IPv6 Will Impact SIP And Telecom".

Due to ongoing events on the personal front, I wasn't sure that I was going to make it out there... and quite frankly there's still a chance that I won't... but I should be out there.

If you look at the conference schedule, the speakers include outstanding people involved with so many different aspects of real-time communications. It should be truly an excellent event!

P.S. You can still register if you would like to attend!


If you found this post interesting or useful, please consider either: