VoIP Tech Chat

Patrick and Fred Chat… sometimes about VoIP

Archive for the ‘security’ tag

Moscow Hacker Compromises Video Billboard – Displays Porn

one comment

Every now and then a weakness is exploited in a manner that deserves recognition. A 41-year-old unemployed systems admin from Moscow did just this — he exploited a weakness in a video billboard and rigged it to play a pornographic movie. A traffic jam followed as Moscow drivers slowed to watch. The man was arrested, any negatives in his history were brought to light, and then all video billboards in the Moscow area were banned.

Here’s the article, from The Moscow Times:

Written by Fred

February 22nd, 2010 at 7:23 am

Posted in tech


Asterisk Security Release Announced


The Asterisk team at Digium announced new versions of Asterisk in response to a potential security issue. The release highlights best practices and aims to raise awareness of some potential security issues and injection statements. The announcement follows:

The Asterisk Development Team has announced security releases for the following versions of Asterisk:

Written by Fred

February 19th, 2010 at 7:22 am

Posted in VoIP


New Scam, Back Again

2 comments

VoIP is Fun

Be careful out there

An older scam gains popularity — or at least that’s what recent reports indicate. Targeting American cellphones, the goal of the scam is to have you make an international call and rack up your phone bill. Here’s how it works:

  1. Your phone rings and becomes a missed call within 2 rings
  2. You call back the number, assuming it’s in the US
  3. Your phone bill imitates Cheech and Chong (aka becomes very high)

The recommendation is that you only call back numbers you either recognize or can identify by area code.

Here’s the FCC release:

Written by Fred

November 16th, 2009 at 7:24 pm

Posted in tech


Firefox 3.5.1 Addresses Zero-Day Flaw


Firefox has released version 3.5.1 to address a security flaw announced earlier this week. For more information, please read the post at Team Forrest.

Written by Fred

July 17th, 2009 at 6:52 am

Posted in tech


Cloud Security Not Air Tight

2 comments

How's the view up there?


Cloud Computing, the buzz phrase that won’t go away, attracts new users daily. The most common “cloud” approach uses resources, accessible through the public internet, as a service. Although this computing approach provides (generally) much higher rates of reliability and lower rollout cost, an organization looking to the cloud may find some grey skies on the security forecast.

Besides concerns about unknown physical access to your data (as well as not truly knowing who can access your “system”), the main security risk resides with the end user. Take Twitter, for example. For the third time this year, someone accessed sensitive corporate documents via an employee email account. If a password can be guessed, cracked, or obtained, chances are your security just became a little foggy (ok, no more cloud puns).

Storing sensitive information in the cloud (including your web accessible email accounts) seems to be the 2009 equivalent of leaving your briefcase on the front seat of your car parked in a very open driveway. The AP recently posted an article on the Twitter reference, and it’s not a bad read.

Written by Fred

July 15th, 2009 at 7:51 pm

Firefox 3.5 Security Warning


Our sponsor, Team Forrest, is reporting a serious security flaw in Firefox 3.5. The zero-day exploit allows malicious JavaScript code to take control of an end-user.

For more information, please read the post at Team Forrest.

Written by Fred

July 15th, 2009 at 12:37 pm

Posted in tech


7 Easy Steps to Better SIP Security

2 comments

John Todd (with Digium) sent a great email on SIP Security. Although written towards the Asterisk audience, this email provides a very good guideline towards increasing your VoIP SIP Security. It’s a must read and reprinted here for your easy viewing.

In case any of you were wondering why there has been a fairly notable upswing in the attacks happening on SIP endpoints, the answer is “script kiddies.” In the last few months, a number of new tools have made it easy for knuckle-draggers to attack and defraud SIP endpoints, Asterisk-based systems included. There are easily-available tools that scan networks looking for SIP hosts, and then scan hosts looking for valid extensions, and then scan valid extensions looking for passwords. You can take steps, NOW, to eliminate many of these problems. I think the community is interested in coming up with an integrated Asterisk-based solution that is much wider in scope for dynamic protection (community-shared blacklists is the current thinking) but that doesn’t mean you should wait for some new tool to defend your systems. You can IMMEDIATELY take fairly common-sense measures to protect your Asterisk server from the bulk of the scans and attacks that are on the increase. The methods and tools for protection already exist – just apply them, and you’ll be able to sleep more soundly at night.

Seven Easy Steps to Better SIP Security on Asterisk:

Written by Fred

March 27th, 2009 at 4:12 pm

A2DDA Blocks Asterisk Parking Data

68 comments

Note: There’s an intro, the DDA response, and Fred’s response in this article. Jump to the end to read Fred’s response.

A few months back, we posted a nice little article on using Asterisk to get Parking Space Availability from Ann Arbor garages. The response from the VoIP community was fantastic! We received great comments and feedback from people like Jason Goecke, Dug Song, Dave Michels, Evan Cooke, and more! People not only responded, they even showed different ways of providing access to this information. And everyone shared their work in an open forum — truly a great example of open source coding inspiring innovation (albeit with Parking Spaces).

Even better was the local response in Ann Arbor. Edward Vielmetti and Fred Posner were interviewed in the local papers, appeared on a radio show, and even rode the teeter totter. Everyone loved the idea of being able to check on parking space availability… everyone except for the DDA (insert scary music).

The DDA (Ann Arbor Downtown Development Authority), funded by tax dollars, “provides a diversity of transportation and parking options to meet downtown’s [Ann Arbor’s] ever-changing needs.” The DDA does not like us making information of parking spaces available to the public via phone. Instead, the DDA wants to control this information. Seriously, they want to control parking space availability information.

Tyler Erickson helped Edward Vielmetti and Fred make this project even more fascinating by tracking parking space availability over time. The plan was to provide predictability of availability. For example, “We’re sorry, the lot at 4th and Washington is currently filled, we predict the parking lot will be available in 7 minutes. Press 1 to be notified…”

Wouldn’t that be neat? We thought so… The DDA’s response was to block Tyler’s access. Of course, since it was using Google Apps, it blocked Google, but that’s another story. We inquired as to why this blockage occurred and… well enter Susan Pollay. Susan Pollay is Executive Director of the DDA. She told us (and remember, this is a tax funded organization):

Written by Fred

March 12th, 2009 at 6:03 pm

University of Florida Security Strikes Out

2 comments

Our hero Benjamin Franklin


The University of Florida is in Gainesville — my private information is everywhere.

GAINESVILLE, FLORIDA — For the third time in less than a year, the University of Florida reported a breach exposing personal information. This time, the breach includes the names and social security numbers for more than 90,000 people. In this latest attack, the University announced the hack was executed by an “intruder” and that the University of Florida Police Department was notified.

Ok, at this point, I need to go ahead and just vent. I’m sorry to have a soap box moment… but the Police Department was notified? Yay! Thank God, Buddha, that little idol Bobby found when the Bradys visited Hawaii, or whatever higher power works for you. I can now sleep soundly knowing that the police department was notified after my information was already out there. Sweet!

If this was the first time this happened, I would be disappointed. I can tell you that without hesitation, because when this actually happened the first time (June 2008), I was disappointed. If this were the second time?

Written by Fred

February 19th, 2009 at 9:40 pm

Microsoft Announces January Security Bulletin

2 comments

Microsoft announced today several critical warnings for Microsoft products, including Windows 2000, Windows 2003 Server, and Windows XP. Microsoft Security Advisories are a way for Microsoft to communicate security information to customers about issues that may not be classified as vulnerabilities and may not require a security bulletin. Each advisory will be accompanied by a unique Microsoft Knowledge Base Article number for reference to provide additional information about the changes.

Written by Fred

January 13th, 2009 at 5:09 pm

Posted in tech
