7 Easy Steps to Better SIP Security

John Todd (with Digium) sent a great email on SIP Security. Although written towards the Asterisk audience, this email provides a very good guideline towards increasing your VoIP SIP Security. It’s a must read and reprinted here for your easy viewing.

In case any of you were wondering why there has been a fairly notable upswing in the attacks happening on SIP endpoints, the answer is “script kiddies.” In the last few months, a number of new tools have made it easy for knuckle-draggers to attack and defraud SIP endpoints, Asterisk-based systems included. There are easily-available tools that scan networks looking for SIP hosts, and then scan hosts looking for valid extensions, and then scan valid extensions looking for passwords. You can take steps, NOW, to eliminate many of these problems. I think the community is interested in coming up with an integrated Asterisk-based solution that is much wider in scope for dynamic protection (community-shared blacklists is the current thinking) but that doesn’t mean you should wait for some new tool to defend your systems. You can IMMEDIATELY take fairly common-sense measures to protect your Asterisk server from the bulk of the scans and attacks that are on the increase. The methods and tools for protection already exist – just apply them, and you’ll be able to sleep more soundly at night.

Seven Easy Steps to Better SIP Security on Asterisk: Continue reading

University of Florida Security Strikes Out

Our hero Benjamin Franklin

The University of Florida is in Gainesville — my private information is everywhere.

GAINESVILLE, FLORIDA — For the third time in less than a year, the University of Florida reported a breach exposing personal information. This time, the breach includes the names and social security numbers for more than 90,000 people. In this latest attack, the University announced the hack was executed by an “intruder” and that the University of Florida Police Department was notified.

Ok, at this point, I need to go ahead and just vent. I’m sorry to have a soap box moment… but the Police Department was notified? Yay! Thank God, Buddha, that little idol Bobby found when the Brady’s visited Hawaii, or whatever higher power works for you. I can now sleep soundly knowing that the police department was notified after my information was already out there. Sweet!

If this was the first time this happened, I would be disappointed. I can tell you that without hesitation, because when this actually happened the first time (June 2008), I was disappointed. If this were the second time? Continue reading

World Leaders Use Phones?

BREAKING NEWS — Barack Obama elected President of United States. Ah yes, in case you’ve been living in a cave like our loyal listener Osama Bin Laden (who loves our Ben Affleck references) you most likely already know that there’s a new President-Elect in town. (Interestingly, Barack Obama will not be elected President until mid December when the electoral college votes… and those ballots aren’t even counted until early January… but as usual, we digress)

So anyway, news outlets throughout the world reported on President-Elect Obama receiving congratulatory calls from World Leaders. Normally, news like this will only make Fred and Patrick hungry — but this time, it also made us curious. Do world leaders still use the telephone? And if so, do they use some sort of high-tech encrypted device like Tony Montana?

The State of Telecommunications actually appears to be, well, quite outdated. Pranksters have been able to successfully call the President of France, the President of Venezuela, Queen Elizabeth II, Pope John Paul II, Former UK Prime Minister Tony Blair, and Fidel Castro. Not to mention the recent prank phone call against Sarah Palin. Most of these calls were made using regular POTS lines over the Public Switched Telephone Network, or PSTN.

So, using our 8th Grade logic skills, we can say:

  1. World Leaders received calls using PSTN
  2. World Leaders received calls using PSTN that they assumed were other World Leaders
  3. Therefore, World Leaders must typically use the PSTN

Surely the PSTN will not be utilized for all telecommunication within Political arenas. Back in the late 60’s the US and Russia integrated a Moscow-Russia Hotline, aka the Red Phone, to allow for direct communication between the two nations during the cold war. The hotline has been upgraded throughout the years and is still in place today.

PSTN with Human Roadblocks

Basically, World Leaders use the PSTN to communicate. However, the chances of you picking up the phone, dialing +1 (202) 456-1414, and having Mr. Obama answer the phone are about as good as having Fred and Patrick visit a buffet and only make one trip to the bar.

In between the phone on the President’s desk and the main switchboard of the White House are many levels of Operators and Screeners working to ensure only the “proper people” can speak to our illustrious leader.

Now of course, the US is the country of NORAD, so we hope (really, really hope) that there is advanced, encrypted telecommunications equipment transferring our national information from point to point. We also know that the Social Security Administration made a great decision and started the switch to VoIP. Fred also chatted with reps from the FAA during AstriCon (they are looking to replace the entire FAA phone system with Asterisk or another VoIP system).

But, for World Leaders to speak with other World Leaders, the method of choice seems to be the PSTN. And if the government’s reaction to Obama’s blackberry is any indicator, it would appear as if this will not change anytime soon.

Wouldn’t it be great if all world leaders embraced Unified Communication? Imagine the tweets! Or even making a direct SIP to SIP call using your favorite VoIP equipment. Ah, the future… we can always dream.

More on VoIP Encryption, Moron

Last week, we talked about encryption during the VoIP Tech Chat podcast and posted a small blurb as well. A recent story shows how important this encryption can be to protecting privacy.

We first read about the compression vulnerability on Network World, but the story has spread like butter. Like freshly opened, room-temperature butter.

In a nutshell, many VoIP telephone conversations are compressed to save internet bandwidth. As long as both parties use the same variable bitrate compression technique (or VBR), the conversation will sound “fine.”

Here’s where it gets neat…

Basically, the compression uses a method that keeps the voice patterns intact. In other words, when the voice is translated into a digital signal, different sounds produce packets of different lengths, and the sequence of those lengths forms an identifiable voice pattern. So, although you wouldn’t be able to hear the voice, just knowing the lengths could give you 90% accuracy in identifying what was spoken.

Think of it as VoIP lip reading. You can’t hear, but you know what they’re saying.

How to get around this?

Use an encryption method that also changes the lengths of packets, or pads them, so the lengths no longer give the content away. Encryption, like Ben Affleck, is still the bomb.
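To make the point concrete, here is an added toy model (not code from the podcast post or from any real codec or SRTP stack): the frame sizes, the per-packet overhead, and the two “known phrases” are all constructed, and the padding scheme is a simple length-prefix-and-zero-fill. It shows that encryption alone leaves the VBR length profile visible on the wire, and that padding every frame to one size flattens that profile.

```python
# Added example, not from the VoIP Tech Chat post: a toy model of why VBR packet
# lengths leak speech content and how fixed-size padding removes the leak.
import os

HEADER = 12   # constructed: fixed per-packet overhead (header + auth tag), not a real RTP value
PAD_TO = 48   # constructed: every padded frame is sent at exactly this size

# Constructed VBR frame sizes (bytes per 20 ms frame) for two phrases.
KNOWN_PHRASES = {
    "transfer the funds": [12, 17, 23, 9, 31, 27, 14, 8],
    "cancel the order":   [9, 14, 29, 33, 11, 8, 25, 19],
}

def make_frames(sizes):
    """Build fake codec frames of the given sizes (random bytes stand in for audio)."""
    return [os.urandom(n) for n in sizes]

def pad_frame(frame: bytes, size: int = PAD_TO) -> bytes:
    """Length-prefix the frame and zero-fill so every packet is `size` bytes."""
    if len(frame) + 2 > size:
        raise ValueError("frame too large for padding target")
    return len(frame).to_bytes(2, "big") + frame + b"\x00" * (size - 2 - len(frame))

def unpad_frame(packet: bytes) -> bytes:
    """Recover the original frame from a padded packet."""
    n = int.from_bytes(packet[:2], "big")
    return packet[2:2 + n]

def wire_lengths(frames, pad: bool = False):
    """What a passive observer sees: encryption hides the bytes, not the length,
    so each ciphertext is the (optionally padded) frame length plus overhead."""
    payloads = [pad_frame(f) if pad else f for f in frames]
    return [len(p) + HEADER for p in payloads]

def identify_phrase(lengths, known=KNOWN_PHRASES):
    """The 'VoIP lip reading' from the post: match the length profile to known phrases."""
    for phrase, signature in known.items():
        if lengths == [s + HEADER for s in signature]:
            return phrase
    return None
```

With padding on, every packet has the same wire length, so the profile matches nothing; the cost is the extra bandwidth the post alludes to.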

Speaking of encryption

Network World is posting a timely article (“Stolen laptop teaches Stanford a lesson on encryption”) complementing our recent encryption discussion. With this incident, on top of the University of Florida blunder that personally affected Fred, we must continue to ask ourselves — when will people embrace encryption?

When our nation’s respected educational institutions expose sensitive data to the public, it’s time for the public to educate the educators. Sure, encryption is not the end-all, god-save-the-queen solution for protecting ourselves. But encryption is a great tool and can provide a strong foundation for additional security measures.

The time for excuses is over. After all, our hero Benjamin Franklin used to say, “He that is good for making excuses is seldom good for anything else.”

Encrypted Voip Chat

Welcome to this week’s Voip Cast. In this week’s chat, we discuss topics such as George Michael, Skype, encryption, airports, slot machines, super-heroes and more.

You can download this week’s podcast for FREE at these fine locations:

  • Voip Tech Chat (download mp3)
  • iTunes
  • And, thanks to popular request, you can also stream the chat from the player on the post.

Looking for links from our podcast? Well look no further friends. Simply point, click, and read:

Skype says No to Wire Tapping

News.com (CNET.com for those who kick it old school) posted a great article about privacy, encryption, and security with instant messaging (How safe is instant messaging? A security and privacy survey). Not only did CNET.com make a nice, pretty chart of their findings, they actually talked to the most popular IM choices and some of the answers are really intriguing.

Among the many questions asked by CNET.com were:

  • Does your service keep server-based logs of the content of communications, meaning what a particular user sent and received?
  • Have you ever received a subpoena, court order or other law enforcement request asking you to turn over information about a user’s IM account?
  • If so, how many law enforcement requests have you received?
  • Have you ever received a subpoena, court order or other law enforcement request asking you to perform a live interception or wiretap, meaning the contents of your users’ communications would be instantly forwarded to law enforcement?

The standard answer to these questions was the ol’ standby: communication with Law Enforcement is not discussed — aka, we fully comply. Skype, though, gets huge points from us for many reasons.

Continue reading