VoIP Security archives - Unified Communications: Click to talk

VoIP security

Apr 3 2009   12:57PM GMT

Test and Verify OCS Security with OAT



Posted by: Tony Bradley
OAT, VIPER Lab, Sipera Systems, OCS Assessment Tool, Office Communications Server, unified communications security, VoIP security

At VoiceCon 2009 in Orlando this week, Sipera Systems announced a new free tool for assessing unified communications and VoIP security. The OCS Assessment Tool, dubbed OAT, is available as a free download from SourceForge.

According to the OAT download site, Sipera’s “VIPER Lab created OAT because OCS and other Microsoft products are frequently being used as part of a unified communications infrastructure in many enterprises. Our mission is to help IT manager and security practitioners evaluate the security architecture of their deployments and ensure that their mission-critical communications and systems are protected.”

OAT starts off with a dictionary attack against a known user. Once the password is determined, OAT can run a variety of UC / VoIP attacks against the OCS environment. OAT can be run internally, as if an authorized user is performing malicious or unauthorized activities, or as an external attack against OCS. OAT can perform the following functions:

  • Online Dictionary Attack
  • Presence Stealing
  • Contact List Stealing
  • Single User Flood Mode (Internal)
  • Domain Flood Mode (Internal)
  • Call Walk (Internal/External)
  • Play Spam Audio
  • Detailed Report Generation

Follow me on Twitter

Mar 30 2009   12:55AM GMT

BCI Chooses Sipera for UC Security



Posted by: Tony Bradley
Sipera, BCI, VoIP security, unified communications security, real-time, VIPER Lab, SIP trunking, VoiceCon

Chile-based Banco de Credito e Inversiones (BCI) has chosen Sipera to secure their unified communications infrastructure. Using Sipera’s IPCS unified communications security appliances provides BCI with real-time unified communications security backed by the research and expertise of Sipera’s VIPER Lab.

Sipera also enables BCI to leverage more cost-effective SIP trunking rather than relying on trunk lines, allows BCI to deploy unified communications more efficiently, and provides quality of service monitoring and reporting that BCI didn’t previously have. You can learn more about Sipera unified communications security appliances and services at VoiceCon in Orlando this week. Sipera is at Booth 1500.



Jan 25 2009   2:15PM GMT

Attackers Place $120,000 in Unauthorized Phone Calls



Posted by: Tony Bradley
VoIP, VoIP security, toll fraud, Evangelyze Communications

Your phone bill varies from month to month in many cases. Actually, maybe not. I have been using Vonage for my home phone service for about 5 years now and the flat fee is what it is. I don’t pay for voicemail service, or any additional amounts for long distance like my cable provider charges customers of their digital voice service (although I think they finally realized those things are supposed to be included; now they just charge $15 a month more for fewer features). I just pay the same amount every month and I get all of the features and services available (psst - if you want to sign up for Vonage drop me an email. We can both get 2 months of free service if I refer you).

Ah, but I digress. My phone bill has been the same for years, but even phone bills that vary tend to stay within a certain range. If you run a business, perhaps the bill is $2,000 one month, $2,250 the next month, and $1,900 the month after that. You would probably be pretty shocked then to open the mail and find a bill for $120,000!!

That is what happened to one Australian company. Preliminary reports from the investigation suggest that the attackers gained access to both traditional PBX and VoIP communications systems and placed more than 11,000 unauthorized international calls in a span of about 2 days. Toll fraud has been around forever, and VoIP attacks are on the rise. Make sure you understand the threat and how to protect your systems.


Jan 1 2009   2:41PM GMT

Do-It-Yourself DECT Hacking



Posted by: Tony Bradley
DECT, eavesdropping, attack, VoIP, VoIP security

I have DECT cordless phones in my home. I didn’t really get them for the security factor per se. I bought them because their operation isn’t impacted or interfered with by wireless networks, microwave ovens, or baby monitors. I was tired of having 27 different devices all competing for the same frequency range and having my wireless network lose the battle more often than not.

Regardless though, DECT handsets were also notable for the claimed security of the communications. Apparently though, the security is based more or less on security-by-obscurity. Essentially, the communications aren’t encrypted or authenticated in any way, but the DECT algorithm was kept private so that was meant to prevent attackers or eavesdroppers from breaking into the communications.

Well, it would at least prevent novice or poorly funded attackers. A team of researchers had previously demonstrated that an attack was possible using expensive sniffer tools. However, that same research team has now devised a method for eavesdropping on DECT conversations ‘MacGyver style’ using a modified off-the-shelf VoIP card with a laptop.

I guess my conversations about what to get at the grocery store, or how the weather is at my in-laws’ house are no longer guaranteed to be private. But, on the bright side, they still don’t interfere with my wireless network.


Dec 29 2008   3:03PM GMT

Protecting VoIP Against Three Common Threats



Posted by: Tony Bradley
VoIP, DoS, VoIP security, voice, toll fraud, Denial-of-Service, SPIT, Spam over Internet Telephony

There are a number of ways, theoretically, that a VoIP communications system could pose a security risk to an enterprise. Let’s face it, while the network administrators have been in the trenches fighting unauthorized access, malware infections, data compromise, and more on a daily basis for the last 10 years, the voice guys have been sitting on a pretty stable and secure platform. While there are huge benefits for an enterprise to migrate from traditional voice to VoIP, those benefits come with a convergence onto that data network that is constantly under attack. That means that the benefits and efficiency of VoIP come with an increase in the number of security threats as well.

That said, attackers are still working on refining how to compromise VoIP for gain. Many of the VoIP weaknesses are proprietary, meaning that they vary from vendor to vendor and make it more difficult for attackers to determine targets. However, there are three VoIP threats that are consistent across pretty much all VoIP implementations, and two of the three are actually just new twists on old attacks that were used against traditional voice systems as well.

The three most common VoIP threats are voice spam (sometimes referred to as SPIT, or Spam over Internet Telephony), toll fraud (or theft of service), and denial-of-service attacks. For more details about these threats and what you can do to protect your VoIP network against them, check out The Biggest VoIP Security Threats - and How to Stop Them.


Dec 27 2008   3:19PM GMT

Security Funding First To Go In Tough Economic Times



Posted by: Tony Bradley
Security, VoIP, Unified Communications, VoIP security, budget, investment, UC security, funding

Let’s be honest - even in a good economy, when business is booming, security is still a reluctant after-thought in most cases. Why do we have Sarbanes-Oxley, HIPAA, GLBA, PCI DSS and other legislation and regulatory requirements? Because companies can’t be trusted to do the right thing of their own accord. Had they done that, the situations that sparked the creation of each of the various laws and guidelines would never have occurred.

Spending on security is like buying insurance. You spend money on health, auto, home, and life insurance (and perhaps others), but you hope to never use it. If you never get in a car accident in your life, that could be more than $50,000 you spend in your driving lifetime to protect yourself against something that never happens. You could buy two new cars outright with cash and just forget about the insurance.

Companies tend to look at security like that as well. There is no return on investment (ROI). There is no upside gain. Budget is being allocated and money is being spent to safeguard against a gamble that may never come to pass. All that money may just be wasted. Even before there were laws demanding a baseline minimum of security controls, many companies waited to address security until after an incident. At least once the company experienced the pain of an enterprise-wide malware infection, or a data compromise of sensitive information they had a barometer against which to measure the cost of making sure it didn’t happen again.

So, in a recession, or a depression, or even just a quarter of down revenue, security is often one of the first things to go. However, we do have SOX, and HIPAA, and GLBA, and PCI DSS. That means that aside from the pain the company will feel if there is a data breach or malware compromise, and aside from the damage that will be done to the reputation of the company if customer data is leaked or compromised in any way, there are also additional fines and consequences, including possible jail time, to try and create the proper ‘incentive’ for companies to do the right thing.

But, money is tight. According to the article ‘What Can You Afford NOT To Do On IT Security?’ from CIO.com, budgets may not be cut from 2008, but they also won’t be going up in many cases. Personally, I think that more will be cut than this article suggests. Unified Communications and VoIP security administrators will need to be more resourceful and perhaps look into the free and open source tools available to help protect the unified communications infrastructure. It is possible to protect the network on a minimum budget, but the learning curve may be higher and getting support requires more initiative and effort than simply dialing the vendor’s toll-free number.


Dec 22 2008   2:50PM GMT

Exploiting VoIP for Toll Fraud



Posted by: Tony Bradley
VoIP, VoIP security, toll fraud, SecureLogix, Hacking Exposed

Toll fraud is nothing new. Pretty much since there have been telephones, or at least enterprise telephone systems, attackers have sought to somehow hijack or piggyback on them in order to place toll phone calls at the expense of the company that owns the phone system. As with many other types of ‘cyber crime’, the crime itself is not new, but technology often makes it easier and faster than the more traditional version of the crime.

Mark Collier, CTO of SecureLogix and co-author of Hacking Exposed: VoIP, noted in a recent blog post what a threat VoIP toll fraud is. Collier points out that, while there may be a variety of ways to attack a VoIP system, toll fraud is one of the few with a clear and direct motive. Collier refers to a white paper detailing a recent toll fraud VoIP breach in Germany, and also alludes to a similar situation here in the United States that resulted in $250,000 of toll fraud theft. You can get more details on these incidents and VoIP toll fraud in general by checking out this post on Collier’s blog.


Dec 9 2008   1:46PM GMT

FBI Warns of Asterisk-based Vishing Attacks



Posted by: Tony Bradley
Phishing, VoIP security, vishing, Asterisk, FBI, Digium

The FBI has issued a warning that a vulnerability in the open-source Asterisk platform, used by many as a free IP PBX, can lead to the system being exploited to initiate vishing calls. Vishing, a term concocted to mean a voice or VoIP based phishing attack, uses a voice system to contact potential victims and attempt to get them to share sensitive or confidential information which can be used to compromise their accounts. Generally, the purpose would be to obtain financial information and gain access to bank or investment accounts to steal money from the victims.


Dec 4 2008   4:15AM GMT

VoIP Security: The Great Afterthought



Posted by: Tony Bradley
Security, Unified Communications, VoIP security, UC, TechTarget, SearchUnifiedCommunications

Why is security always an afterthought? It seems that time and again there are technological innovations that businesses embrace. They do their due diligence to compare their options. They invest heavily to purchase and implement the new technology. They spend money to educate users to take advantage of the new technology. Much later, usually after there is an actual incident, security finally comes into the picture.

Often, it is a matter of money. New technologies can help the business run more efficiently. New technologies can increase productivity. Security, on the other hand, is an investment of money to prevent a greater loss of money as a result of a security incident or data compromise. It works in reverse. Rather than increasing the bottom line, security prevents the bottom line from going down. But, security is only beneficial if and when there is an actual security incident to prevent. It is like an insurance policy. You pay for it and hope you never have to use it, and it is very easy to rationalize that it is reasonable to accept the risk and take the gamble that the event will never occur rather than investing money to safeguard against it.

TechTarget’s SearchUnifiedCommunications site takes a deeper look at the issue of VoIP and unified communications security in the article Unified Communications Security Ignored and Misunderstood.


Nov 30 2008   5:05AM GMT

Security Concerns of UC Networks



Posted by: Tony Bradley
Nortel, SIP, Unified Communications, VLAN, VoIP security, UC, Sipera Systems

When voice was just voice, it did not pose a security risk to the data network…at least not directly. It could be argued that there is still potential to exploit the voice network for social engineering purposes that result in a compromised data network, but that is a semi-convoluted argument and not really the point of this post.

With VoIP alone, standard best practices suggest keeping the voice VLAN and the data VLAN separate so that a compromise of the voice network would not have any effect on the data network. However, we live in a converged world. Unified communications merges voice and data and requires that they all play nice on the same network. Where does that leave us? That leaves us with some new security concerns to be aware of and guard against.

This post from Nortel’s Voice Security Blog, in conjunction with Sipera Systems Chief Marketing Officer, Eric Winsborrow, provides some additional detail and illustrates some potential scenarios that could exploit a vulnerable VoIP system and lead to a compromise of the UC or data network.