Schneier on Security
A blog covering security and security technology.
February 6, 2008
"The Top 5 VoIP Security Threats of 2008." A nice little list of things to worry about.
Posted on February 6, 2008 at 6:34 AM
• 15 Comments
Good enough reason NOT to migrate ALL of your Voice Infrastructure SOLELY to a 21C VoIP network, then?
OT: Truecrypt 5.0 is available. It features pre-boot authentication.
This is so childish, I don't understand its inclusion in this august list of "big" things this blog is normally worried about.
DOS is a known problem with everything internet. Others were just made up to make it "5" things.
And wire line voice is not "the" critical media, raw internet access is.
As long as Skype is the #1 VoIP application...
...there is no need to worry about attacks on VoIP as VoIP IS the attack.
So, let's see, we have to worry about attacks, eavesdropping, Microsoft's incompetence, social engineering, and... more attacks. In other words, nothing new.
The defense? Continue to use the solutions that have always been used for this: VPNs, firewalls, AV tools, IDSs, encryption. In other words, nothing new.
It's good to see these points reiterated so they aren't forgotten, of course, but still, that article really was a bit - well - underwhelming.
You all really should take a gander at TSA's shiny new blog: http://www.tsa.gov/blog/
The security theatre actors are defending their script.
Well, that was a nicely written P.R. piece (http://www.paulgraham.com/submarine.html). This illustrates some of the most frustrating things I find about information security (and I.T. in general) as a profession: Hyperbole is the first order of the day and sales the second, with providing actually useful information trailing a very, very distant third. And security people wonder why it's so hard to take them seriously. If I were a CIO or CEO with a functioning cerebrum, I sure wouldn't pay much attention to crap like this. Talk like this is cheap.
But hey, at least VOIP *isn't* vulnerable to comment thread hijacking, which if you're going to do it, at least do it properly (http://www.brainofshawn.com/2008/02/05/how-to-properly-hijack-a-comment-thread/).
"Hackers love attacking Microsoft, and Microsoft loves being unprepared."
"#1 DoS (denial of service) Attacks on VoIP Networks"
Funny story: I know someone who tried to set up VoIP in 2000. Needless to say, they did not have the sort of network topology and equipment necessary to roll out VoIP. Every time the helpdesk group tried to set up a block of machines with multicasting, the phones would stop working.
I would hope by now people have learned to protect their voice networks from their data networks...
um, vomit has been around for years. DoS has been an issue forever.
Move along, nothing to see here. At least, nothing remotely new.
That blog is really amazing. The TSA actually admits that it is next to impossible to mix up a bomb from liquid components on that blog - they said it took professionals in a specialized lab environment more than a couple of tries before they were successful.
Yet, despite admitting how extremely difficult it is to pull off under ideal conditions, never mind mid-flight, they still say that the liquid ban is sensible.
Hah, what a poor list. Actually, one of the big problems in VoIP is the absolutely pathetic security mindset inherited from telecom. Traditional telephony systems operate in a very simple, closed system. Taking those same engineering practices to the Internet does not work.
After finding several vulnerabilities in one very common VoIP switching platform, I spoke with their head of engineering. I asked them if such simple exploits were possible on their system (think hidden setup accounts on each box, all with the same password), how are they protecting their SIP stack, which is mainly string processing written in C? "What about buffer overflows?", I said. "Buffer overflows are only a problem if you have a fast network." I've found a few other vendors to be not much better.
Being able to hack a wholesale system and run millions of minutes of traffic for free is a much juicier target than working to wiretap a single company.
As far as MS, they've actually taken a far more secure approach to things. OCS doesn't even really use SIP (sure, SIP is used, but it's mainly a wrapper for CSTA -- I imagine they did this just to say they "use SIP"), and they don't even support SIP over UDP (versus most platforms only doing UDP). They also support TLS (again, unlike a lot of other players).
If you want to get worried as an end user, worry more about VoIP peering. Decentralized routing means it's now even easier for someone to take over someone else's number. It's not hard for an attacker to take over a phone number if a VoIP company peers. I asked a leading VoIP peering company "What prevents me from joining you and then publishing a bank's number as one that I own, hence routing all the bank's calls to my own system?" "Oh, we make you sign an agreement saying you won't do that."
Another VoIP-ish security concern: ooma. ooma works like Pulver's Bellster (renamed to fwdOUT), although they call it "distributed termination" and say they're getting a patent. Users plug the device into their existing phone line (although they have a VoIP-only allowance too). Then, people calling to your local calling area use your line to terminate, and you get to use theirs.
First, it's probably against the user's agreement (it's toll bypass) which will get you cut off if you do too many minutes (go run 10,000 minutes over your "unlimited" plan and see what happens). But let's forget about that for now.
Since other people's calls are going out your line, you can eavesdrop. ooma says they prevent this, but that's not technically possible -- the voice is going over YOUR wires in YOUR physical location.
Second, what happens as soon as one user calls in a bomb threat from your area? Oh, your phone line was used. Have fun explaining that to the police.
@ToBo: "OT: Truecrypt 5.0 is available. It features pre-boot authentication."
Also OT: About time. Thanks for the heads up. Now I don't have to drop the $150 for PGP full-disk encryption (sorry Bruce).
Why did Schneier delete the blog entry about the black guy wearing red polos stealing from Target?