John Todd (with Digium) sent a great email on SIP Security. Although written towards the Asterisk audience, this email provides a very good guideline towards increasing your VoIP SIP Security. It’s a must read and reprinted here for your easy viewing.

In case any of you were wondering why there has been a fairly notable upswing in the attacks happening on SIP endpoints, the answer is “script kiddies.”  In the last few months, a number of new tools have made it easy for knuckle-draggers to attack and defraud SIP endpoints, Asterisk-based systems included.  There are easily-available tools that scan networks looking for SIP hosts, and then scan hosts looking for valid extensions, and then scan valid extensions looking for passwords.  You can take steps, NOW, to eliminate many of these problems.  I think the community is interested in coming up with an integrated Asterisk-based solution that is much wider in scope for dynamic protection (community-shared blacklists is the current thinking) but that doesn’t mean you should wait for some new tool to defend your systems.  You can IMMEDIATELY take fairly common-sense measures to protect your Asterisk server from the bulk of the scans and attacks that are on the increase. The methods and tools for protection already exists – just apply them, and you’ll be able to sleep more soundly at night.

Seven Easy Steps to Better SIP Security on Asterisk:

1) Don’t accept SIP authentication requests from all IP addresses. Use the “permit=” and “deny=” lines in sip.conf to only allow a reasonable subset of IP addresess to reach each listed extension/user in your sip.conf file.  Even if you accept inbound calls from “anywhere” (via [default]) don’t let those users reach authenticated elements!

2) Set “alwaysauthreject=yes” in your sip.conf file.  This option has been around for a while (since 1.2?) but the default is “no”, which allows extension information leakage.  Setting this to “yes” will reject bad authentication requests on valid usernames with the same rejection information as with invalid usernames, denying remote attackers the ability to detect existing extensions with brute-force guessing attacks.

3) Use STRONG passwords for SIP entities.  This is probably the most important step you can take.  Don’t just concatenate two words together and suffix it with “1″ – if you’ve seen how sophisticated the tools are that guess passwords, you’d understand that trivial obfuscation like that is a minor hinderance to a modern CPU.  Use symbols, numbers, and a mix of upper and lowercase letters at least 12 digits long.

4) Block your AMI manager ports.  Use “permit=” and “deny=” lines in manager.conf to reduce inbound connections to known hosts only.  Use strong passwords here, again at least 12 characters with a complex mix of symbols, numbers, and letters.

5) Allow only one or two calls at a time per SIP entity, where possible.  At the worst, limiting your exposure to toll fraud is a wise thing to do.  This also limits your exposure when legitimate password holders on your system lose control of their passphrase – writing it on the bottom of the SIP phone, for instance, which I’ve seen.

6) Make your SIP usernames different than your extensions.  While it is convenient to have extension “1234″ map to SIP entry “1234″ which is also SIP user “1234″, this is an easy target for attackers to guess SIP authentication names.  Use the MAC address of the device, or some sort of combination of a common phrase + extension MD5 hash (example: from a shell prompt, try “md5 -s ThePassword5000″)

7) Ensure your [default] context is secure.  Don’t allow unauthenticated callers to reach any contexts that allow toll calls. Permit only a limited number of active calls through your default context (use the “GROUP” function as a counter.)  Prohibit unauthenticated calls entirely (if you don’t want them) by setting “allowguest=no” in the [general] part of sip.conf.

These 7 basics will protect most people, but there are certainly other steps you can take that are more complex and reactive.  Here is a fail2ban recipe ( http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk ) which might allow you to ban endpoints based on volume of requests.

If you’d like to see an example of the tools that you’re up against, see this demo video (http://enablesecurity.com/products/enablesecurity-voippack-sipautohack-demo/) of an automated attack tool that does scan, guess, and crack methods via a click-and-drool interface.

In summary: basic security measures will protect you against the vast majority of SIP-based brute-force attacks.  Most of the SIP attackers are fools with tools – they are opportunists who see an easy way to defraud people who have not considered the costs of insecure methods. Asterisk has some methods to prevent the most obvious attacks from succeeding at the network level, but the most effective method of protection are the administrative issues of password robustness and username obscurity.

JT

Check out John Todd’s blog post at Digium.

About Digium

Digium, Inc., the Asterisk Company, created, owns and is the innovative force behind Asterisk, the most widely used open source telephony software. Since its founding in 1999, Digium has become the open source alternative to proprietary communication providers, with offerings that cost as much as 80 percent less. Digium offers Asterisk software free to the open source community and offers Asterisk Business Edition and Switchvox IP PBX Software to power a broad family of products for small, medium and large businesses. The company’s product line includes a wide range of hardware to enable resellers and customers to implement turnkey solutions or to design their own voice over IP (VoIP) systems. More information is available at www.digium.com.

Our hero Benjamin Franklin

The University of Florida is in Gainesville — my private information is everywhere.

GAINESVILLE, FLORIDA — For the third time in less than a year, the University of Florida reported a breach exposing personal information. This time, the breach includes the names and social security numbers for more than 90,000 people. In this latest attack, the University announced the hack was executed by an “intruder” and that the University of Florida Police Department was notified.

Ok, at this point, I need to go ahead and just vent. I’m sorry to have a soap box moment… but the Police Department was notified? Yay! Thank God, Buddha, that little idol Bobby found when the Brady’s visited Hawaii, or whatever higher power works for you. I can now sleep soundly knowing that the police department was notified after my information was already out there. Sweet!

If this was the first time this happened, I would be disappointed. I can tell you that without hesitation, because when this actually happened the first time (June 2008), I was disappointed. If this were the second time? Well, when this happened the second time (November 2008), I was annoyed. Now that this has happened the for the third time? Well, honestly I haven’t decided if I’m angry, postal, or just bleeping bleeped off. (Trying to keep this PG rated)

In November, when we reported the breach of 344,000 names, birth dates, social security numbers (and more) from the University, I said simply that I expected “more” from Florida’s flagship University. Now, I demand it.

In June, we spoke of encryption. When you read “lessons learned” from security breaches, you most often hear of the business, institution, or even individual work to strengthen their outside protection while at the same time encrypting sensitive information. Encryption at this point isn’t just a good idea, it’s seriously the least UF can do to demonstrate that they take security seriously. And encryption isn’t the catch all end all here… it’s just a first step that should have been taken months ago.

And let’s think about this another way… Sure, the University as a public institution enjoys a certain degree of civil immunity. However, at what point do we say the University’s handling of Personally Identifiable Information is simply negligent. After the second breach, what actions were done to protect data? (I’m not being sarcastic here, I’m literally asking “Hey, what actions were taken?”)

Now that UF has three strikes, can we get a new batter to the plate? The University of Florida is a large, prosperous institution. Whilst (look I used whilst) the University complains of limited resources and inability to pay professors a decent salary, the University’s President banked $731,811 (in 2008). The football coach makes over $3 million dollars. I bet you that for only $200,000 we can get a great executive to run the University. This first year’s savings of 500k could more than fortify some immediate security needs.

Sadly, there’s no public outrage here. Maybe no-one else was effected, or maybe I’m one of the few who were effected each of these three times. But regardless, I am simply disgusted by my alma mater and think it’s time for us to demand that Florida not only learn from their mistakes, but actually demonstrate how to properly secure information.

Yes, you struck out. You missed three easy pitches. Pitches my friend’s daughter would have knocked into the nose-bleeders — but the good news is that there’s still another inning. The bad news is I’m in the stands and I got a whole box of cracker jacks. I think you hear me knocking…

So c’mon Gators. Let’s pretend this is important and knock it out of the park. My name is Fred and I’m a Gator.

For those of you not familiar with the University of Florida, the opening statement mocks an advertising campaign from Florida a few years back, “The University of Florida is in Gainesville — the Gator Nation is everywhere.” It’s actually a cool ad, available from YouTube.

BREAKING NEWS — Barack Obama elected President of United States. Ah yes, in case you’ve been living in a cave like our loyal listener Osama Bin Laden (who loves our Ben Affleck references) you most likely already know that there’s a new President-Elect in town. (Interestingly, Barack Obama will not be elected President until mid December when the electoral college votes… and those ballots aren’t even counted until early January… but as usual, we digress)

So anyway, news outlets throughout the world reported on President-Elect Obama receiving congratulatory calls from World Leaders. Normally, news like this will only make Fred and Patrick hungry — but this time, it also made us curious. Do world leaders still use the telephone? And if so, do they use some sort of high-tech encrypted device like Tony Montana?

The State of Telecommunications actually appears to be, well, quite outdated. Pranksters have been able to successfully call the President of France, the President of Venezuela, Queen Elizabeth II, Pope John Paul II, Former UK Prime Minister Tony Blair, and Fidel Castro. Not to mention the recent prank phone call against Sarah Palin. Most of these calls were made using regular POTS lines over the Public Switched Telephone Network, or PSTN.

So, using our 8th Grade logic skills, we can say:

1. World Leaders received calls using PSTN
2. World Leaders received calls using PSTN that they assumed were other World Leaders
3. Therefore, World Leaders must typically use the PSTN

Surely the PSTN will not be utilized for all telecommunication within Political arenas. Back in the late 60’s the US and Russia integrated a Moscow-Russia Hotline, aka the Red Phone, to allow for direct communication between the two nations during the cold war. The hotline has been upgraded throughout the years and is still in place today.

PSTN with Human Roadblocks

Basically, World Leaders use the PSTN to communicate. However, the chances of you picking up the phone, dialing +1 (202) 456-1414, and having Mr. Obama answer the phone are about as good as having Fred and Patrick visit a buffet and only make one trip to the bar.

In between the phone on the President’s desk and the main switchboard of the White House are many levels of Operators and Screeners working to ensure only the “proper people” can speak to our illustrious leader.

Now of course, the US is the country of NORAD, so we hope (really, really hope) that there are advanced, encrypted telecommunications equipment transferring our national information from point to point. We also know that the Social Security Administration made a great decision and started the switch to VoIP. Fred also chatted with reps from the FAA during AstriCon (they are looking to replace the entire FAA phone system with Asterisk or another VoIP system).

But, for World Leaders to speak with other World Leaders, the method of choice seems to be the PSTN. And if the government’s reaction to Obama’s blackberry is any indicator, it would appear as if this will not change anytime soon.

Wouldn’t it be great if all world leaders embraced Unified Communication? Imagine the tweets! Or even making a direct SIP to SIP call using your favorite VoIP equipment. Ah, the future… we can always dream.

Last week, we talked about encryption during the VoIP Tech Chat podcast and posted a small blurb as well. A recent story shows how important this encryption can be to protecting privacy.

We first read the compression vulnerability on Network World, but the story has spread like butter. Like freshly opened, room temperature butter.

In a nutshell, many VoIP telephone conversations compress to save internet bandwidth. The compression allows conversations to flow with a reduction of bandwidth. As long as both parties have the same variable bitrate compression technique (or VBR), the conversation will sound “fine.”

Here’s where it gets neat…

Basically, the compression uses a method that keeps intact the voice patterns. In other words, when the voice is translated into a digital signal, the voice patterns create signal lengths. These lengths create identifiable voice patterns. So, although you wouldn’t be able to hear the voice, just knowing the lengths could give you 90% accuracy in identifying what was spoken.

Think of it as VoIP lip reading. You can’t hear, but you know what they’re saying.

How to get around this?

Use an encryption method that also changes lengths of packets or pads them to avoid detection. Encryption, like Ben Affleck, is still the bomb.

Network World is posting a timely article (“Stolen laptop teaches Stanford a lesson on encryption”) complimenting our recent encryption discussion. With this incident, on top of the University of Florida blunder that personally affected Fred, we must continue to ask ourselves — when will people embrace encryption?

When our nation’s respected educational institutions subject sensitive data to the public,  it’s time for the public to educate the educators. Sure, encryption is not the end all, god save the queen solution for protecting ourselves. But, encryption is a great tool and can provide a strong foundation for additional security measures.

The time for excuses is over. After all, our hero Benjamin Franklin used to say, “He that is good for making excuses is seldom good for anything else.“

Welcome to this week’s Voip Cast. In this week’s chat, we discuss topics such as George Michael, Skype, encryption, airports, slot machines, super-heroes and more.

You can download this week’s podcast for FREE at these fine locations:

• Voip Tech Chat (download mp3)
• iTunes
• And, thanks to popular request, you can also stream the chat by pressing the play button below:
   Download audio file (080611_01.mp3)

Looking for links from our podcast? Well look no further friends. Simply point, click, and read:

• That great IM Security article at CNET.com
• Asterisk
• Wikipedia’s list of Female Super-heroes
• Skype
• Las Vegas Airport
• George Michael

News.com (CNET.com for those who kick it old school) posted a great article about privacy, encryption, and security with instant messaging (“How safe is instant messaging? A security and privacy survey“). Not only did CNET.com make a nice, pretty chart of their findings, they actually talked to the most popular IM choices and some of the answers are really intriguing.

Among the many questions asked by CNET.com were:

• Does your service keep server-based logs of the content of communications, meaning what a particular user sent and received?
• Have you ever received a subpoena, court order or other law enforcement request asking you to turn over information about a user’s IM account?
• If so, how many law enforcement requests have you received?
• Have you ever received a subpoena, court order or other law enforcement request asking you to perform a live interception or wiretap, meaning the contents of your users’ communications would be instantly forwarded to law enforcement?

The standard answer to these questions was the ol’ standard that communication with Law Enforcement is not discussed — aka, we fully comply. Skype though gets huge points from us for many reasons.

First, they don’t do the whole duck and cover non-answer answer. Skype actually answers a question completely and honestly. We love it! For example, when Skype was asked if they ever received subpoenas from law enforcement, they said:

Yes. We co-operate with law enforcement agencies as much as is legally and technically possible

They don’t say they won’t discuss these issues, they flat out say, BAM! We get a subpoena and we do whatever we can. An honest answer makes us trust a company a heck of a lot more than an evasive one.

Now, here’s the VoIP aspect. When asked if they had ever received a subpoena to wiretap or intercept communications, Skype said:

We have not received any subpoenas or court orders asking us to perform a live interception or wiretap of Skype-to-Skype communications. In any event, because of Skype’s peer-to-peer architecture and encryption techniques, Skype would not be able to comply with such a request.

Wow. So, this means that by using peer-to-peer, skype conversations (according to skype at least) are made outside their control and not able to be trapped by their servers for interception. Skype has always claimed that calls and instant messages between skype users were encrypted using AES 256-bit encryption. 

Now, we should mention here, if you’re using Skype to call a regular POTS line, your calls will not be encrypted. This means they will be susceptible to wiretapping.