Our Hero

Early humans found hollowed out rocks to turn into homes, originating the term “Cave men”. ¹ This constraint made community difficult, so humans advanced to creating homes from natural materials, such as wood. Primitive homes were modeled on the cave, with nothing but some closed walls and an uncovered opening. Thousands of years of evolution lead us to create doors that open, close, and lock, and windows that allow us to see out and in, then glass to keep what’s out out and what’s in in, then curtains to cover what’s both out and in. In the end, we have the same caves we had before, with our darkness and privacy.

In the 1600′s the Dutch East India company was like the Wal-Mart of the high seas. If you worked on a ship for the DEI, actually called VOC, but let’s not have an acromania tournament over it, you lived day in and day out with the other people on the ship. Everyone knew everyone’s business, and that’s just how it was. There would be no need to do a status update when you went to the head, because everyone watched you go.

With the onset of industrialization and assembly-style production in the 1900′s, factories became central to small towns and people began working together, but their was a similar environment of everyone knew everyone’s family and friends and kids and lifestyle. There just weren’t a lot of secrets. Only in the last 50 years have we moved to the cubiclised, white-collar, technically-oriented jobs where turnover is an expectation and no one really bothers to get to know everyone else. Cliques form, but on the whole there isn’t a sense of community.

In a relatively short span of time, we created a generation and a culture that has a “right to privacy.” We have seen this concept denied by courts who say employers can regulate lifestyle as a condition of employment, and that what an employee does outside of work can still be used against her at work. Drinking, drugs, cigarettes, and even functions allowed to be attended can all be used as conditions of employment in our “right to work” world.  Though it has been upheld time and time again, the belief in this right grows ever stronger.

The political buzzword of the last decade has been “transparency.” We the people should have an open window on the workings of our government, of our corporations, of our financial institutions. We should see how the cogs turn and the deals are made, we should have open access to it all. At the same time, a subculture of companies has grown around controlling the online image of individuals. Ex-boyfriend posted some risque pictures of you? They can fix that. You got fired from your old job for coming to work drunk, and some people decided to blog about it? They can fix that. From the benign to the outright slanderous, companies that specialize in online identity rehab are doing bang up business curing the internet of individuals’ indiscretions.

Should it matter? Should you want to work for a company that would use your facebook status update about hating filing against you in an interview? Does that tweet about being drunk at the Alice In Chains concert make you a bad person or in any way impact your job performance? Are companies better off pretending that their employees don’t have a personal life? Maybe this is the wake up call that companies need to start treating their employees like people. Maybe it’s time to open up the door to the cave and not worry about what others will see, because their cave door is wide open too.

^{1. This is rather vague and unresearched proposition, because this is a tech blog and not an anthropology blog. Please do not blame us when you crib this and fail your class.}

If you want to be judgmental of our thoughts, feel free to follow Fred and Patrick on twitter!

Or cleverly disguised secret agent for the video phone revolution?

I R Eatz U R Dataz!

I love my netbook. I love my netbook so much, I have two of them (okay, one is the wife’s). Surprisingly, I managed to survive months on nothing but my netbook doing fairly intensive SQL / VoIP / Web work. The hard drive is a little slow, but the overall performance is outstanding.

When I travel, I can use Skype to video chat with the built in webcam and get great quality (both ways) for both picture and sound. It’s like a giant smart phone. It reminds me of the $1000+ “video phones” that were supposed to be the future of talking on the phone… then people realized they really didn’t want to “get pretty” to use the phone. Now, for around $250 a unit, you can have that and so much more.

Recently, my wife’s netbook gave an error on boot that had something to do with a missing windows file (system32\ntoskrnl.exe). Apparently, she’s not the only one with this issue… it seems to be quite common. Of course, as the techie/geek/nerd of the castle, it was my job to slay this dragon and I came across the only problem I have had with this magical mini machine. Not so much a problem… more like open questions to Acer.

1. To access the hard drive, you have to remove 17 screws (maybe more, I think I lost some extras), you have to remove the keyboard, you have to remove the top, you have to remove this little card on top of the mother board, this side circuit board, the motherboard. Then you slide the hard drive out, reverse. Why not put a panel on the bottom to access the hard drive directly?
2. Why can I find nothing in your documentation about Alt-F10? This is a handy mode that lets you recover the operating system to factory defaults, but I don’t see it in my Acer manual.
3. In line with question 2, Why is the only recovery option to completely reset to factory? Since this is basically a stripped version of the OS, why not offer an explorer window so I can copy files to an SD or USB drive before formatting, or just backup the user files to another partition?
4. What degree in sadism lead to the design of the three little clips that hold the keyboard in place?

All told, from error to recovered could have been done in < 30 minutes, and I HIGHLY recommend Acer products to everyone I know. From their higher-end Ferrari laptop to the humble netbook (go with XP home, Windows 7 netbook edition is crippleware garbage), I have never had a problem with their hardware or software that made me lose respect for the brand, which is saying a lot.

For More Information:

• Acer: Acer Aspire One Website
• Skype: Free PC to PC Video Calls

Time for the negotiator

A recent incident (ok 2 recent incidents) shows how scary dependence on DNS can be. Hosted VoIP solutions are particularly prone to hijacking attacks / errors.

From BGPmon.net:

This morning many BGPmon.net users received an alert regarding a possible prefix hijack by AS23724. Normally AS23724 CHINANET-IDC-BJ-AP IDC, China Telecommunications Corporation only originates about 40 prefixes, however today for about 15 minutes they originated about ~37,000 unique prefixes that are not assigned to them. This is what we typically call a prefix hijack. This incident follows another concerning incident from China 2 weeks ago.

Although it seems they have leaked a whole table, only about 10% of these prefixes propagated outside of the Chinese network. These include prefixes for popular websites such as dell.com, cnn.com, www.amazon.de, www.rapidshare.com and www.geocities.jp.

A large number of networks impacted this morning were actually Chinese networks. These include some popular Chinese website such as www.joy.cn , www.pconline.com.cn , www.huanqiu.com, www.tianya.cn and www.chinaz.com. A list of all prefixes that were announced/hijacked can be found here

Read the full article at BGPmon.net.

This year marks the second decennial census since widespread use of the internet began in the 1990′s. The bulk of census activity takes place during the time when people are traditionally preparing taxes and vying for an infusion of cash  from their tax return.  The evil peoples of the interwebs will be out in force to take advantage of  the under-informed.

Keep these simple rules in mind:

• No one from the IRS or the Census bureau will ever email you about your taxes or the Census. Ever.
• No one from the IRS or the Census bureau will call you and ask for your address, social security number, and bank account information. Ever.
• No one from the IRS or the Census bureau will ask for money, a donation, passwords, or pin numbers over the phone or via email. Ever.

If you get a phone call from the IRS and do not feel comfortable with the questions they ask to identify you, the real IRS is always willing to accept a callback. Their phone number is 1-800-829-1040 (800-TAX-1040). Doing this callback will (almost) always ensure you are talking to the IRS.

This is a good rule of thumb for any unsolicited phone call. If the questioning or “verification process” makes you feel uncomfortable or involves revealing sensitive information such as a mother’s maiden name, social security number, driver’s license number, bank information, or credit information, get a callback name and number. Anyone can spoof an outgoing phone number, so caller id is no protection here. In the case of official agencies, it’s fairly easy to verify the listed phone number before making the callback, and legitimate businesses will never try to goad you into giving information.

If you are struggling with confrontation, all legitimate businesses will also be willing to conduct business via mail. Specifically in cases of debt collection or IRS matters, request the correspondence be provided via US mail instead of the telephone. Legitimate agencies will comply with this request, anyone who doesn’t you can safely hang up on.

Further Reading:
Census on Scams
IRS on Scams

When my little girl went from being a benign, unmoving lump of sleeping, drooling baby to a terroristic unplugging, biting, chewing, eating, swallowing, gagging, breaking, pulling, tugging beast of a toddler, my home decor changed. When we moved into our excessive 4 bed / 2.5 bath home in 2007, we had dreams. We had a guest room, and a Disney room, and my home office taking up about 25% of the under A/C space. When the beast began terrorizing our home, we retreated into a fallback position and isolated her to the safest room in the house, my former office. I was relegated to the Disney room. It’s purple. Very purple.

When moving between old office and new, as is my tradition in packing, I crammed everything into boxes with the knowledge that should I come to need an item, I would go searching through the boxes piled in the “supply closet” of my new “office”. In almost two years, I have not touched these boxes. Today was a day of reckoning when I was reminded of an important rule: Don’t use old Cat 5 and other copper cables.

There are people who will disagree with me, and I accept their disagreement with the knowledge they are wrong. Cat 5 (ie. network cable)  and copper coax cable (ie. cable tv cable) costs between $0.25 and $1 per foot. On a new VoIP phone, you need anywhere from 3 to 25 ft. of Cat 5 depending on the location of your phone / adapter in relation to your router and with the assumption that you are not using a wireless solution.

Many homes, like mine, have an accumulation of old cables, and when you get a new ATA (analog telephone adapter, aka. that veyeop thingy) that inexplicably comes without one, you go to the pile, untangle the least confined cable, and hook it up. Time and time again I have gone through ten and twenty minute troubleshooting sessions with people (and, in true ‘Dr. heal thyself’ fashion, spent hours myself) only to find that a strange or intermittent problem with connectivity, registration, or voice quality was remedied by putting on a fresh Cat 5 cable.

In fifteen years of working with networking setups, one in ten intermittent or quality issues end up being plain old bad cables (remember from previous posts, 50% are unplug or partially unplugged cables). Just in my five years of VoIP experience, I can’t count the number of times voice quality issues have been wiped out completely by getting fresh cables with good connectors. Considering the cost is < $15 for almost any project, save yourself the time and hassle. Throw away the old Cat 5 and coax cables, buy fresh ones for the new install, and you are eliminating a huge point of failure for years to come.

Note: You can play or download the MP3 audio of the “Telemarketer Torture” calls towards the end of the article.

When I first started working with VoIP, I began to hate telephony, and any and all things telephone related. This bothered me on many levels. You see, as a kid, I loved telephones. Growing up in the “big city,” pay phones seemed to be on every corner. Family stories talk about walking several blocks extra, just to avoid me seeing and wanting to play with a phone. But, as usual, I digress…

When I worked with an unnamed switch (let’s just say it rhymed with Broadmoft), I hated working with VoIP. I knew there had to be a better way and started playing with Asterisk. Soon, my memories of playing with phones started coming back and my love rekindled. Now, I look forward to working with phone systems, only because I truly feel that the use of a phone can only be limited by your imagination. And with companies like Twilio, Adhearsion, and Digium, the community of telephone developers seems only to grow.

With that long winded introduction, let’s discuss today’s topic — telemarketer torture. I, like every other person I know, receives the random yet continual undesired telemarketer call (yes, I’m on the DND databases and let’s not get into that). Thanks to Asterisk, I can send my telemarketers to a little place I call the Annoyatron.

Now, many developers and users implement their own version of Telemarketer Torture. Some like using IVR’s. Some like endless ringing. Personally, I like to keep them on the line for a long time. You see, since I add numbers to the Annoyatron after they call me, by the time they reach the Annoyatron they have already called and wasted my time at least once before. So, instead of just having them hang up and move on to the next home, I like to see if I can keep them talking for a while. My Goal? At least 2 minutes.

I use Asterisk’s “WaitForSilence” command to keep my torture conversational. When there’s a pause, the Annoyatron will play a file. While the telemarketer speaks, the Annoyatron will patiently wait. You put it all together, and wala — the Annoyatron Telemarketer Torture.

Today, I received unwanted calls regarding long distance to India. I added the number to the Annoyatron and well, the results of their continued calls no longer annoy me. Here are two examples:

Listen to Call 1:
Download audio file (annoyatron.mp3)
(or you can download the MP3)

Listen to Call 2:
Download audio file (annoyatron2.mp3)
(or you can download this MP3, too)

Ok, so here’s an example of how you would write the dialplan in Asterisk:

[annoyatron]
exten => s,1,Answer()
exten => s,n,Wait(2)
exten => s,n,Playback(annoy/annoy-hello)
exten => s,n,WaitForSilence(2200)
;...
; record a file for "your side" of the conversation
; wait for silence, and then play it
; lather rinse repeat
;...
exten => s,n,Hangup()

Simple, no? Just one of the reasons Asterisk allowed me to enjoy working with telephones. Awwww.

We’d love to hear about your fun examples with Asterisk. And you know, Leif Madsen is requesting some ideas for Asterisk Recipes himself.

Asterisk is free, open source software provided under the GNU General Public License (GPL). Asterisk is the most popular open source software available, with the Asterisk Community being the top influencer in VoIP.

Why free? It’s just how Digium rolls. They really take that GPL open source to heart.

Firefox has released version 3.5.1 to address a security flaw announced earlier this week. For more information, please read the post at Team Forrest.

How's the view up there?

Cloud Computing, the buzz phrase that won’t go away, attracts new users daily. The most common “cloud” approach uses resources, accessible through the public internet, as a service. Although this computing approach provides (generally) much higher rates of reliability and lower rollout cost, an organization looking to the cloud may find some grey skies on the security forecast.

Besides unknown physical access concerns to your data (as well as not truly knowing who can access your “system”), the main security risk resides with the end user. Take for example Twitter. For the third time this year, someone accessed sensitive corporate documents via an employee email account. If a password can be guessed, cracked, or obtained, chances are your security just became a little foggy (ok, no more cloud puns).

Storing sensitive information in the cloud (including your web accessible email accounts) seems to be the 2009 equivalent of leaving your briefcase on the front seat of your car parked in a very open driveway. The AP recently posted an article on the Twitter reference, and it’s not a bad read.

Twitter hacked by old technique — again

July 15, 2009
JORDAN ROBERTSON

SAN FRANCISCO (AP) - Breaking into someone’s e-mail can be child’s play for a determined hacker, as Twitter Inc. employees have learned the hard way – again.

For the third time this year, the San Francisco-based company was the victim of a security breach stemming from a simple end-run around its defenses. In the latest case, a hacker guessed the password for an employee’s personal e-mail account and worked from there to steal confidential company documents.

The techniques used by the attackers highlight the dangers of a broader trend promoted by Google Inc. and others toward storing more data online, instead of on computers under your control.

The shift toward doing more over the Web – a practice known as “cloud computing” – means that mistakes employees make in their private lives can do serious damage to their employers, because a single e-mail account can tie the two worlds together.

Stealing the password for  someone’s Gmail account, for example, not only gives the hacker access to that person’s personal e-mail, but also to any other Google applications they might use for work, like those used to create spreadsheets or presentations.

That’s apparently what happened to Twitter, which shares confidential data within the company through the Google Apps package that incorporates e-mail, word processing, spreadsheet, calendar and other Google services for $50 per user per year.

Co-founder Biz Stone wrote in a blog posting Wednesday that the personal e-mail of an unnamed Twitter administrative employee was hacked about a month ago, and through that the attacker got access to the employee’s Google Apps account.

Separately, the wife of co-founder Evan Williams also had her personal e-mail hacked around the same time, Stone wrote. Through that, the attacker got access to Williams’ personal Amazon and PayPal accounts.

Stone said the attacks are “about Twitter being in enough of a spotlight that folks who work here can become targets.”

Some of the material the hacker posted online from the Google Apps documents was more embarrassing than damaging, like floor plans for new office space and a pitch for a TV show about the increasingly popular online messaging service.

Twitter says only one user account was potentially compromised because a screenshot of the account was included among the stolen documents. The value in hijacking a user’s account is limited, as those attacks are mainly used to post fake messages and try to trick the victim’s friends into clicking on links that will infect their computers.

Sensitive Twitter documents were filched, though.

The hacker claims to have employee salaries and credit card numbers, resumes from job applicants, internal meeting reports and growth projections.

TechCrunch, a widely read technology blog, says it was e-mailed the documents, and subsequently published some of them, including financial projections that Twitter drew up in February. The forecast envisioned Twitter generating its first revenue in the current quarter, with sales of about $400,000 and about 60 employees. By the end of next year, Twitter expected to employ about 345 people with annual revenue of about $140 million, according to the documents published by TechCrunch.

Stone said in an e-mail that most of the documents TechCrunch has access to are “speculative exercises.”

In his blog post, Stone said the stolen documents “are not polished or ready for prime time and they’re certainly not revealing some big, secret plan for taking over the world,” but said they are sensitive enough that their public release could jeopardize relationships with Twitter’s partners.

Stone said the company is talking to lawyers about “what this theft means for Twitter, the hacker, and anyone who accepts and subsequently shares or publishes these stolen documents.”

What the attacks on Twitter show is that Web sites don’t need to get compromised in the traditional sense to put its users and employees at risk.

Hackers don’t need to find a vulnerability in the site itself, or plant a virus on an employee’s computer, to sneak inside.

Our sponsor, Team Forrest, is reporting a serious security flaw in Firefox 3.5. The Zero-day exploit allows malicious javascript code to take control of a end-user.

For more information, please read the post at Team Forrest.

John Todd (with Digium) sent a great email on SIP Security. Although written towards the Asterisk audience, this email provides a very good guideline towards increasing your VoIP SIP Security. It’s a must read and reprinted here for your easy viewing.

In case any of you were wondering why there has been a fairly notable upswing in the attacks happening on SIP endpoints, the answer is “script kiddies.”  In the last few months, a number of new tools have made it easy for knuckle-draggers to attack and defraud SIP endpoints, Asterisk-based systems included.  There are easily-available tools that scan networks looking for SIP hosts, and then scan hosts looking for valid extensions, and then scan valid extensions looking for passwords.  You can take steps, NOW, to eliminate many of these problems.  I think the community is interested in coming up with an integrated Asterisk-based solution that is much wider in scope for dynamic protection (community-shared blacklists is the current thinking) but that doesn’t mean you should wait for some new tool to defend your systems.  You can IMMEDIATELY take fairly common-sense measures to protect your Asterisk server from the bulk of the scans and attacks that are on the increase. The methods and tools for protection already exists – just apply them, and you’ll be able to sleep more soundly at night.

Seven Easy Steps to Better SIP Security on Asterisk:

1) Don’t accept SIP authentication requests from all IP addresses. Use the “permit=” and “deny=” lines in sip.conf to only allow a reasonable subset of IP addresess to reach each listed extension/user in your sip.conf file.  Even if you accept inbound calls from “anywhere” (via [default]) don’t let those users reach authenticated elements!

2) Set “alwaysauthreject=yes” in your sip.conf file.  This option has been around for a while (since 1.2?) but the default is “no”, which allows extension information leakage.  Setting this to “yes” will reject bad authentication requests on valid usernames with the same rejection information as with invalid usernames, denying remote attackers the ability to detect existing extensions with brute-force guessing attacks.

3) Use STRONG passwords for SIP entities.  This is probably the most important step you can take.  Don’t just concatenate two words together and suffix it with “1″ – if you’ve seen how sophisticated the tools are that guess passwords, you’d understand that trivial obfuscation like that is a minor hinderance to a modern CPU.  Use symbols, numbers, and a mix of upper and lowercase letters at least 12 digits long.

4) Block your AMI manager ports.  Use “permit=” and “deny=” lines in manager.conf to reduce inbound connections to known hosts only.  Use strong passwords here, again at least 12 characters with a complex mix of symbols, numbers, and letters.

5) Allow only one or two calls at a time per SIP entity, where possible.  At the worst, limiting your exposure to toll fraud is a wise thing to do.  This also limits your exposure when legitimate password holders on your system lose control of their passphrase – writing it on the bottom of the SIP phone, for instance, which I’ve seen.

6) Make your SIP usernames different than your extensions.  While it is convenient to have extension “1234″ map to SIP entry “1234″ which is also SIP user “1234″, this is an easy target for attackers to guess SIP authentication names.  Use the MAC address of the device, or some sort of combination of a common phrase + extension MD5 hash (example: from a shell prompt, try “md5 -s ThePassword5000″)

7) Ensure your [default] context is secure.  Don’t allow unauthenticated callers to reach any contexts that allow toll calls. Permit only a limited number of active calls through your default context (use the “GROUP” function as a counter.)  Prohibit unauthenticated calls entirely (if you don’t want them) by setting “allowguest=no” in the [general] part of sip.conf.

These 7 basics will protect most people, but there are certainly other steps you can take that are more complex and reactive.  Here is a fail2ban recipe ( http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk ) which might allow you to ban endpoints based on volume of requests.

If you’d like to see an example of the tools that you’re up against, see this demo video (http://enablesecurity.com/products/enablesecurity-voippack-sipautohack-demo/) of an automated attack tool that does scan, guess, and crack methods via a click-and-drool interface.

In summary: basic security measures will protect you against the vast majority of SIP-based brute-force attacks.  Most of the SIP attackers are fools with tools – they are opportunists who see an easy way to defraud people who have not considered the costs of insecure methods. Asterisk has some methods to prevent the most obvious attacks from succeeding at the network level, but the most effective method of protection are the administrative issues of password robustness and username obscurity.

JT

Check out John Todd’s blog post at Digium.

About Digium

Digium, Inc., the Asterisk Company, created, owns and is the innovative force behind Asterisk, the most widely used open source telephony software. Since its founding in 1999, Digium has become the open source alternative to proprietary communication providers, with offerings that cost as much as 80 percent less. Digium offers Asterisk software free to the open source community and offers Asterisk Business Edition and Switchvox IP PBX Software to power a broad family of products for small, medium and large businesses. The company’s product line includes a wide range of hardware to enable resellers and customers to implement turnkey solutions or to design their own voice over IP (VoIP) systems. More information is available at www.digium.com.