All posts tagged ‘VoIP Security’

New York Times Takes on VoIP Security

Source: www.voip-news.com

Ahhh, finally. I knew it had to happen sometime: the New York Times talking about VoIP (or more specifically, VoIP security).

So, what do they have to say about VoIP? Well, for starters, it is just as vulnerable to attacks as computers. (Duh.) And there is an unprecedented number of vulnerabilities.

Here’s a snippet:

“Nobody takes VoIP security seriously enough,” contends Rick Dalmazzi, chief executive of Ottawa-based VoIPshield Systems, Inc., a VoIP security firm. Consumers who use telephone systems from companies like Vonage are using VoIP technology.

Mr. Dalmazzi’s contention that the VoIP industry is at serious risk may start to get more attention Tuesday, when the company releases a report that details a total of more than 100 security issues spread across the VoIP networks of three large VoIP business providers: Avaya, Cisco and Nortel. Hackers who know about these vulnerabilities can institute denial-of-service attacks, harvest customer data, record conversations and break into voice mailboxes.


Published on April 3rd, 2008

Over 100 Vulnerabilities in Leading Enterprise VoIP Systems Uncovered By VoIPshield

Source: snapvoip.blogspot.com

It was unbelievably shocking to see the vulnerability database and so many of them. Ignorance is bliss until something bad happens to someone. Follow the link below to see the database of vulnerabilities and related equipment. Yours might be there. At VoIPshield, you can also download a copy of VoIPauditLite.

VoIPauditLite™ is a basic version of the award-winning VoIPaudit™ Enterprise. It provides the same vulnerability assessment and penetration testing functions, and is intended to give the prospective VoIPaudit Enterprise purchaser a no-cost introduction to the product. VoIPauditLite is a single-user license, includes vulnerabilities for a single vendor, and scans up to 128 targets on a single network.

Ottawa, Ontario (April 2, 2008) – VoIPshield Laboratories, the research division of VoIPshield Systems Inc., today announced it has discovered over 100 security vulnerabilities in Voice over IP systems marketed by Avaya, Cisco and Nortel. A vulnerability is a design or implementation flaw in a VoIP system that can be exploited by a hacker with malicious intentions, including extortion through service outage threats, industrial espionage through call recording, or identity theft through the stealing of sensitive customer information.

VoIPshield notified the vendors of its findings earlier this year. Under the terms of its Responsible Disclosure Policy, VoIPshield works with the vendors to help them recreate the vulnerabilities in their own test labs, and offers its services to assist the vendors in determining the best remediation approach.

“It is important that companies understand the security risks associated with their VoIP systems”, said Rick Dalmazzi, president and CEO of VoIPshield. “Now is the time to start planning a protection strategy, while the hacking community is still learning about VoIP, not after the attacks begin.”

The vulnerabilities are cataloged and presented on the company’s website at www.voipshield.com/research. Each vulnerability is categorized based on an exploit’s most likely malicious intent: unauthorized access, code execution, denial of service or information harvesting. Each is also given a severity rating based on a modified industry standard index. Vendor responses are also included, indicating what action if any the vendor has indicated they will take to remediate the vulnerability, and when.

“The limited number of high-profile attacks against IP telephony has lulled most chief information security officers and voice/data managers into a false sense of security, with the result that most do not have adequate protection for their converged networks,” said Lawrence Orans, research director for networking and communications equipment at Gartner Research. “As IP telephony continues to gain momentum, targeted attacks — and possibly broad-based attacks — will surface and gain greater visibility, highlighting vulnerabilities and the overall lack of focus on IP telephony security.”

The database marks the first of ongoing announcements that VoIPshield Labs will make as it continues its research into these and other vendors’ products. Avaya, Cisco and Nortel were chosen for the initial round of research because of their popularity in the North American market. Microsoft has recently announced its entry into the enterprise VoIP market.

Just this month, communications research firm In-Stat revealed that while 80% of companies said they’d deployed some type of VoIP solution, more than 40% do not have specific plans for securing them. This finding, based on a survey of U.S. companies conducted in September 2007, was published in a report titled U.S. Businesses Lag in Securing VoIP. “Regardless of the VoIP solution that is in place or planned, security should be an integral part of an implementation from the beginning,” the report summarized.

The vulnerabilities discovered are used by VoIPshield to create signatures for its enterprise VoIP security solutions: VoIPaudit™, a VoIP Vulnerability Assessment system, and VoIPguard™, a VoIP Intrusion Prevention System (VIPS). Users are protected against attacks attempting to exploit the known vulnerabilities. VoIPshield products are regularly updated with new signatures through the VoIPshield Update™ subscription service.

"Digital video and voice enabled by Voice over IP technologies are vital to commerce and are substantially at risk", said Jonathan Zar, chairman of the threat taxonomy committee of the Voice over IP Security Alliance (VoIPSA). "It is important that products be developed that are specifically designed to protect VoIP systems. VoIPSA encourages all research leading to such products."

For more information about the vulnerabilities database and VoIPshield’s products visit www.voipshield.com/research.

Published on April 3rd, 2008

Secure Skype IM With FaceTime Communications’ Greynet Enterprise Manager

Source: snapvoip.blogspot.com

BELMONT, CALIFORNIA - FaceTime Communications, the leading provider of solutions that control Internet and unified communications (UC) in the enterprise, today announced enhancements to its Greynet Enterprise Manager (GEM) including detection of malicious URLs entering the enterprise network via Skype instant messaging conversations.

Skype is encrypted using a proprietary method, making it impossible for traditional security products to view the content of a Skype text conversation. Working in partnership with Skype over the last year, FaceTime is the only security vendor with the ability to examine the content of a Skype instant message as it enters the network. Using its leading malware signature database maintained by FaceTime Security Labs, FaceTime’s products verify that content is safe and free of malicious URL links before entering the network.

With 276 million registered business users worldwide, Skype’s growing popularity and inherent cost savings have made it very attractive to businesses looking to provide the advantages of presence and real-time Internet communications to their employees. Being able to protect against the threat of malware that can enter the network via something as simple as a URL in a chat screen is crucial to IT’s realization of the real-time presence benefits of Skype.

An add-on to FaceTime’s popular Unified Security Gateway and IMAuditor products, GEM enables organizations to manage security policies and aggregate reporting for IM, P2P and malware traffic across distributed enterprise environments. By integrating with USG, GEM delivers the industry’s most robust network-based anti-malware solution, allowing targeted remediation and repair of infected endpoints dynamically based on gateway malware detections from USG.

"Simple block or allow policies are no longer sufficient in most organizations," said Frank Cabri, vice president of marketing and product management for FaceTime. "IT managers are realizing they need to embrace the real-time communications that employees have introduced to the business environment with policies and tools to secure, control, manage, log and archive their use - as well as their content."

Malware entering enterprise networks via real-time communications such as instant messaging and Skype costs businesses nearly $289,000 annually on average, according to the 2007 survey "Greynets in the Enterprise: Third Annual Survey of Trends, Attitudes and Impact," conducted by NewDiligence Research and commissioned by FaceTime. The survey revealed that IT managers experience nearly 39 incidents per month, on average, that require some kind of repair or remediation to end user PCs, and each repair requires, on average, about nine hours of work.

Published on March 27th, 2008

FBI VoIP Surveillance Docs

Source: snapvoip.blogspot.com

Slashdot has a discussion on VoIP surveillance focusing on the FBI's Electronic Surveillance Needs for Carrier-Grade Voice over Packet (CGVoP) Service, an 88-page document that is part of the CALEA Implementation Plan.

Published on March 16th, 2008

Who Is Listening To Your VoIP Calls? (Unknown To You!)

Source: snapvoip.blogspot.com

When I saw the title "Who Might Be Spying on Your Communications? (Hint — It’s Not Just the NSA)", I imagined a list of other government institutions and some phone companies. But when I scrolled down the article by VoIP-News, it was surprising. Mafia, governments, monopolies and spouses might be listening to your calls.

I was happy to read the last paragraph because I do not want my grandma (she is the one who keeps tabs on me nowadays) to hear what I am talking about over the phone, the VoIP phone.

"Thankfully, there are a number of tools and strategies out there for protecting yourself and your business from online fraud and eavesdropping. If you’re afraid of discussing delicate matters over IM services or Skype, consider choosing a service or system that specializes in security."

Published on March 13th, 2008

VoIP News Tells You How To Secure Your VoIP Call

Source: snapvoip.blogspot.com

VoIP News has a "feature article" on VoIP Security. There are many VoIP Solutions for making VoIP calls but security that people used to get with (did we really?) is certainly diminished. So go read the article to be savvy about VoIP Security Solutions.

Published on February 24th, 2008

UM Labs Offering VoIP Security Launched By Peter Cox.

Source: snapvoip.blogspot.com

The creator of the proof-of-concept tool for VoIP security that I wrote about a while ago, Peter Cox, together with Stuart Morrice, has launched a new company, UM Labs, to provide the effective security that he has been preaching for a while now. From the press release below it is evident that we will be seeing more of UM Labs and its products for a long time to come. I, for one, will seek a gateway that the company is bringing to the market.

London, February 11th, 2008: a new company, UM Labs Ltd, has been created to address the growing need for effective security for Voice over IP (VoIP) and Unified Messaging (UM). The founders of UM Labs are experienced Internet security professionals, Peter Cox and Stuart Morrice. The adoption rate of VoIP and UM is growing, fueled by the promise of greater flexibility, integration with other applications and more cost-effective service delivery. However, concerns over the security of these applications are preventing many organizations from fully adopting the service, and they are failing to realize the potential benefits. These concerns are founded partly on confusion over the scope and types of security threat that face the applications and partly on a lack of easy-to-use security products.

UM Labs was founded to address this problem by providing a range of easy-to-use, cost-effective products that deliver effective security for VoIP and UM to users ranging from small businesses and branch offices through large enterprises to service providers and telco operators.

Peter Cox, CEO of UM Labs, commented, “The security model applied to many VoIP networks is one of isolation, physically separating Voice and Data or using VLANs to keep them apart and preventing any external IP connections. Unfortunately separation sacrifices many of the benefits of VoIP and makes Unified Messaging and the integration of all communication applications impossible.”

“Until this problem is addressed, VoIP networks will not deliver their full set of potential benefits. The first step to solving this problem is to recognize that VoIP is a specialist application requiring a specialist approach to security. Standard Firewall products do not do a good job at securing VoIP. At best they complicate the deployment of VoIP; at worst they present so many barriers that it is virtually impossible to deliver a VoIP service without compromising the security of other applications.”

“It should come as no surprise that the best way to secure applications such as VoIP and UM is to deploy a specialist security gateway. Both web and email have spawned their own security markets; in each market there are a number of products delivering security controls that standard Firewalls cannot deliver.”

The goal of UM Labs is to enable each VoIP network to deliver its full potential set of benefits by providing products that implement a more realistic security model. This security model recognises that VoIP networks need external connections to enable SIP trunk connections and to safely extend the service to home workers, roaming users and branch offices.

To reach this goal, UM Labs will launch a range of security gateways through 2008. Each product will secure VoIP applications based on the Session Initiation Protocol (SIP) and other UM applications. The first release is designed to secure remote VoIP connections to home users and roaming workers and to provide security for SIP trunk services. Security controls include firewall-grade IP-level security coupled with application-specific security controls designed to combat threats such as VoIP call hijacking, call flooding and unauthorized call monitoring. The latter is provided by VoIP encryption services using the industry standards TLS and SRTP with a choice of key management algorithms to support the widest possible range of hardware and software phones. Supported key management algorithms include Phil Zimmermann’s ZRTP and SDES as used by Snom and other phone manufacturers.

Published on February 11th, 2008

Vishing Attacks Are On The Rise, FBI Warns

Source: snapvoip.blogspot.com

The U.S. Federal Bureau of Investigation (FBI)’s Internet Crime Complaint Center (IC3) issued a warning yesterday that so-called "vishing" attacks are on the rise. Vishing attacks are scams where criminals reach a victim by e-mail, text message or phone call, saying there has been a security problem and the victim needs to call his or her bank to reactivate a credit or debit card. Following is the warning from IC3.

VISHING ATTACKS INCREASE (This is the actual IC3 site link. If you hover over the link you can see it is actually "http://www.ic3.gov/media/2008/080117.htm" on your browser's status bar, at the bottom; it is one way to verify the actual link.)

Are you one of many who have received an e-mail, text message, or telephone call, purportedly from your credit card/debit card company directing you to contact a telephone number to re-activate your card due to a security issue? The IC3 has received multiple reports on different variations of this scheme known as "vishing". These attacks against US financial institutions and consumers continue to rise at an alarming rate.

Vishing operates like phishing by persuading consumers to divulge their Personally Identifiable Information (PII), claiming their account was suspended, deactivated, or terminated. Recipients are directed to contact their bank via telephone number provided in the e-mail or by an automated recording. Upon calling the telephone number, the recipient is greeted with "Welcome to the bank of …" and then requested to enter their card number in order to resolve a pending security issue.

For authenticity, some fraudulent e-mails claim the bank would never contact customers to obtain the PII by any means, including e-mail, mail, and instant messenger. These e-mails further warn recipients not to provide sensitive information when requested in an e-mail and not to click on embedded links, claiming they could contain "malicious software aimed at capturing login credentials."

Please beware; spam e-mails may actually contain malicious code (malware) which can harm your computer. Do not open any unsolicited e-mail and do not click on any links provided.

A new version recently reported involved the sending of text messages to cell phones claiming the recipient’s on-line bank account has expired. The message instructs the recipient to renew their on-line bank account by using the link provided.

Due to rapidly evolving criminal methodologies, it is impossible to include every scenario. Therefore, be cognizant and protect your PII. Beware of e-mails, telephone calls, or text messages requesting your PII.

If you have a question concerning your account or credit/debit card, you should contact your bank using a telephone number obtained independently, such as from your statement, a telephone book, or another independent means.

If you have received this, or a similar hoax, please file a complaint at www.ic3.gov.

Published on January 18th, 2008

Top Five VoIP IP Telephony Vulnerabilities According To Sipera Viper Lab

Source: snapvoip.blogspot.com

Sipera VIPER Lab determined the Top 5 VoIP Vulnerabilities for 2007 were:

1) Remote eavesdropping of VoIP phone calls, a practice that is exponentially easier in VoIP than with traditional PSTN telephone networks, and which represents a major breach of enterprise communications and security.
2) VoIP Hopping, one of the enablers of remote eavesdropping, but more critically compromises VLANs, that were previously trusted as providing VoIP security, by enabling a PC to mimic an IP phone so hackers can access VoIP systems.
3) Vishing, the practice of VoIP phishing, which enables hackers to spoof caller ID and present a fraudulent phone identity, causing some consumers to share sensitive, personal information, such as credit card numbers, with hackers masquerading as banking representatives.
4) Toll fraud, which allows unauthorized users to access enterprise VoIP networks and make calls, increasing VoIP costs and traffic. While there was a much publicized case in 2006, when the FBI charged two men with accessing VoIP networks and reselling minutes to unsuspecting "customers," toll fraud continues unabated, especially on VoIP networks with little authentication or call analysis.
5) The Skype worm, originally known as the w32/Ramex.A virus, spread via IM, which automatically stops access to security tools while it downloads to infected PCs, and changes the Skype user’s status to "Do not disturb" so that other users cannot contact the infected user.

Sipera VIPER Lab is comprised of experienced VoIP security researchers operating globally 24/7/365. Since its inception in 2003, Sipera VIPER Lab has identified thousands of vulnerabilities and security threats which include fuzzing, floods and distributed floods, spoofing, stealth attacks and spam. VIPER Lab research is used to continuously improve the Sipera IPCS products that protect, control and enable real-time unified communications for enterprises and service providers. For Sipera VIPER Lab blog, Threat Advisories and RSS feeds, please visit http://www.sipera.com/viper.

Published on December 12th, 2007

Secure Computing’s Sidewinder to Protect VoIP Communications At TeleCents Communications

Source: snapvoip.blogspot.com

Secure Computing Corporation (NASDAQ: SCUR), a leading enterprise gateway security company, today announced that TeleCents Communications has deployed Secure Computing Sidewinder® to provide security for their traditional telecom as well as Voice over Internet Protocol (VoIP) services. TeleCents required one device to protect their entire enterprise gateway, and Sidewinder’s powerful, scalable solution included all the components necessary for the secure exchange of both traditional data and VoIP calls across open networks.

TeleCents Communications is a wholly-owned subsidiary of iTeknik Holdings, specializing in international and long distance cellular services and virtual calling cards. The company recently chose to implement the Session Initiation Protocol (SIP) application to strengthen their VoIP offering. But with that implementation, potential security vulnerabilities increased dramatically, making an increased level of gateway security essential.

"In a very competitive telecom environment, we needed to make an impressive statement with regard to our VoIP and data security, so we selected the best product available. Sidewinder met or exceeded all of our security expectations," said Scott Pitcher, director of technical operations for TeleCents Communications. "Sidewinder’s industry-wide reputation brought us to Secure Computing, and the product’s proven VoIP and data security capabilities are helping us to meet our security goals."

VoIP risks are perhaps the best-kept secret on the Internet. Blinded by the promise of reduced costs and flashy features, VoIP deployments forge ahead despite millions in losses due to VoIP fraud and the growing trend of hackers using VoIP as a back door into enterprise networks. It is for these reasons that VoIP security is essential.

With the help of numerous sniffing, fuzzing and manipulation tools available on the Internet, VoIP and SIP technologies have inadvertently challenged traditional firewalls. TeleCents found that Sidewinder’s SIP application defense was the answer, combining intelligent filtering with VoIP signatures to protect SIP communications from attack, while allowing SIP traffic to pass through the firewall without requiring action by the user. The Sidewinder VoIP/SIP protection feature is standard with all Sidewinder appliances so only one device is needed to protect both data and VoIP calls for the entire gateway.

"As an Internet-facing application, VoIP is vulnerable to many of the same attack vectors that we see on the public Internet. Therefore VoIP is not immune to the new generation of security threats posed by Web 2.0 use," said Scott Montgomery, vice president of product management for Secure Computing. "VoIP inherits security concerns from IP networks, traditional phone networks and messaging applications. In addition, VoIP has its own vulnerabilities including call interception and modification, and call pattern tracking — all of which pose serious threats to a user. Sidewinder protects against each one of these vulnerabilities with reputation-based defenses."

Secure Computing ensures proactive security by applying the same research and technology for VoIP that’s used for blocking source IP addresses in Web and email transactions. Sidewinder blocks and allows gateway access based on the reputation of both IP addresses and domains from which each individual SIP communication originates. This reputation analysis is achieved via Secure Computing’s TrustedSource(TM) reputation technology.

TeleCents Communications relies upon Sidewinder’s capabilities completely and is highly satisfied with its superior level of security. "Our customers expect the best in voice communications and we believe that we’re ahead of the security curve by protecting not only our traditional data, but our SIP applications as well — as VoIP is often overlooked as a vulnerable platform. Since deploying the Sidewinder product, all of our security needs are met and we can sleep much better at night."

For assistance in deploying Sidewinder, TeleCents turned to one of Secure Computing’s reseller partners, TeleCents. Mark McClain, president of AmeriNet, oversaw the deployment of Sidewinder and will continue to manage the entire project personally. "We frequently recommend Sidewinder and other Secure Computing products to our clients," said McClain. "They really are in a class by themselves."
For more information, see http://www.securecomputing.com.

Published on December 11th, 2007

Eavesdropping Is Possible On Cisco IP Phones

Source: snapvoip.blogspot.com

Cisco confirms that an attacker with valid Extension Mobility authentication credentials could cause a Cisco Unified IP Phone configured to use the Extension Mobility feature to transmit or receive a Real-Time Transport Protocol (RTP) audio stream. This ability can be exploited to perform a remote eavesdropping attack. All Cisco IP Phones that support the Extension Mobility feature are vulnerable.

For this attack to be possible, several conditions need to be satisfied:

  • The internal web server of the IP phone must be enabled. The web server is enabled by default.
  • The IP phone must be configured to use the Extension Mobility feature, which is not enabled by default.
  • The attacker must possess or obtain valid Extension Mobility authentication credentials.

Extension Mobility authentication credentials are not tied to individual IP phones. Any Extension Mobility account configured on an IP phone’s Cisco Unified Communications Manager/CallManager (CUCM) server can be used to perform an eavesdropping attack.

To obtain Extension Mobility authentication credentials, an attacker needs physical access to the network to sniff credentials. This can be accomplished by inserting a sniffing device between an IP phone and switch port.

Before eavesdropping can occur, the user who is logged into the IP phone via Extension Mobility must first be logged off of the IP phone. This can be accomplished by sending an Extension Mobility logout message to the IP phone’s Cisco Unified Communications Manager/CallManager (CUCM) server.

If exploitation is successful, any IP phone that is undergoing an eavesdropping attack will have its speaker phone status light enabled, and the phone will display an off-hook icon that indicates an active call is in progress. Internal testing by Cisco also revealed that the described attack produced static noise on the IP phone while it was under attack.

Workarounds

There are workarounds to combat this attack:

  • Disable the internal web server on IP phones.
  • Disable the Extension Mobility feature on IP phones.
  • Disable the speaker phone / headset functionality on IP phones.

This attack can also be mitigated by restricting access to the internal web server of IP phones (TCP port 80) using an access control list (ACL).
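
An ACL of the kind described above, sketched in Cisco IOS syntax as an added example (it is not taken from the Cisco response). The voice subnet 10.10.20.0/24, the application server 10.10.5.25, the ACL name and the interface Vlan20 are all assumptions for illustration; if no server needs to reach the phones over HTTP, drop the permit line for it.

```cisco
! Constructed example: addresses, ACL name and interface are placeholders.
ip access-list extended PHONE-WEB-RESTRICT
 remark Allow only the designated application server to reach the phones' web server
 permit tcp host 10.10.5.25 10.10.20.0 0.0.0.255 eq 80
 remark Drop and log every other attempt to reach TCP port 80 on the phones
 deny tcp any 10.10.20.0 0.0.0.255 eq 80 log
 remark Leave call signalling, media and all other traffic untouched
 permit ip any any
!
interface Vlan20
 description Voice VLAN gateway (assumed)
 ip access-group PHONE-WEB-RESTRICT out
```

A routed ACL like this only filters traffic that crosses the voice VLAN's gateway; it does not filter traffic between hosts already inside the voice VLAN. The `log` keyword on the deny entry gives a record of blocked attempts to reach the phones' web server.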

For more information about Cisco-recommended best practices for securely deploying Cisco Unified IP Phones, reference this link:

http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_implementation_design_guide_chapter09186a008085f858.html#wp1045452

Cisco Response

This is the Cisco PSIRT response to a presentation given at the Hack.Lu 2007 security conference by Joffrey Czarny of Telindus regarding a technique to remotely eavesdrop using Cisco Unified IP Phones.

The original report is available at the following link:

http://www.hack.lu/pres/hacklu07_Remote_wiretapping.pdf

We greatly appreciate the opportunity to work with researchers on security vulnerabilities and welcome the opportunity to review and assist in product reports.

This Cisco Security Response is posted at the following link:

http://www.cisco.com/warp/public/707/cisco-sr-20071128-phone.shtml

Published on November 30th, 2007

VoIP Security Education at ITEXPO East 2008

Source: snapvoip.blogspot.com

I have written about 100 posts related to VoIP Security. The latest (last week) being SIPtap (A Proof of Concept Tool), Taps into SIP Based VoIP Calls Records Them.

A lot of sites have written about this same issue that SIPtap has brought about. Of all the articles, the theme is that we need VoIP Security.

In the good old PSTN days, we did not know about security, or did not care, as Ma Bells, Pa Bells and all other bells took care of securing, wiretapping our phone calls.

But VoIP is much more than a phone call. Our VoIP accounts will be tied to most of our information. Leaving VoIP unsecured will be like leaving your house door open, in a bad neighborhood.

In corporate environments, there will be much more information that needs to be secured. It is not much different from the needs of securing your Data Networks. But just because the data networks are secured, your VoIP or UC, Unified Communications, will not be secured. One needs to take care of addressing the special needs that come with taking all the communications to an IP platform, be it self-hosted or outsourced.

Reading Rich Tehrani’s blog reminded me today that Internet Telephony Expo, ITEXPO East 2008, is coming soon. It will be held on January 23-25, 2008 at the Miami Beach Convention Center in Miami, Florida.

So what has this got to do with Security? A lot! Education is the key to success in any field and that is what you will be able to get at the ITEXPO East 2008.

Security Challenges in the Enterprise is a good starting point and will be presented by industry experts. There will be other interesting sessions that are typical at ITEXPO.

So register now and secure a seat so that you can learn how to secure your Unified or standalone communication networks.

Published on November 26th, 2007
