Posted by Eric Krapf | Aug 12, 2008

About a week ago, a member of my household who shall go nameless left both the sliding door and the screen door to the patio wide open for about 2 hours. When this individual returned and saw the doors open, panic ensued, only to dissipate when the cats were found sprawled in the family room a few feet from the opening, displaying no interest in taking advantage of the situation. "So, this is the new system?" asked Angus. "You might want to think about closing that next time," Foo added helpfully.

READ POST | Comment on this blog entry

Posted by Eric Krapf | Jul 25, 2008

If you want to read an absolutely brilliant discussion of a key technical/security/policy issue around SIP in general and SIP trunking in particular, check out this VOIPSA blog post by Dan York.

READ POST | Comment on this blog entry

Posted by Eric Krapf | Jul 24, 2008

On Nortel's VOIP Security blog, Stephen Varty of the company's R&D labs has a post explaining why eavesdropping on VOIP calls may not be as easy as you think.

READ POST | Comment on this blog entry

Posted by Eric Krapf | Jul 9, 2008

On his blog, renowned security expert Bruce Schneier recently picked up on an article about a Verizon Business study questioning the conventional wisdom that the major security threat to enterprises comes from within, not from without. Schneier explains why this makes sense, and why it's also a highly constricted view of the problem in any event:

READ POST | Comments(1)

Posted by Eric Krapf | Jun 26, 2008

VOIPShield has released a new raft of vulnerabilities that it found in IP telephony systems from Cisco, Avaya and Nortel (announcement here; vulnerability details here). Unlike its previous such announcement, VOIPShield has this time coordinated the release with the affected vendors, avoiding the criticism it faced the last time, when VOIPShield went public with the vulnerabilities before the affected vendors could address all of them.

READ POST | Comment on this blog entry

Posted by Eric Krapf | Jun 18, 2008

The issue of security for IP telephony is, if not well understood, at least satisfactorily grasped by professionals in the IT/telecom and security organizations today. There's the gamut of potential problems, which will be serious challenge if and when they actually materialize—like spam over IP telephony (SPIT), eavesdropping, voice phishing and the like. And then there are the problems we see in the wild today, which mostly involve exploits against IP "data" networks that affect the voice traffic running on those networks; basically, when a denial of service or other attack brings down the IP network, it now takes voice traffic with it, or at least it can. Experts like Mark Collier of SecureLogix and the VOIP Security Alliance say such exploits are the real danger for now.

READ POST | Comment on this blog entry

Posted by Gary Audin, Delphi, Inc. | Apr 29, 2008

The U.S. is the biggest source of security threats in the world. So says the Sophos “Security Threat Report Q1 08”.

READ POST | Comment on this blog entry

Posted by Eric Krapf | Apr 16, 2008

This is a sexist piece of crap, right? I mean, I get the part about tricking people into giving up information to prove that they're not careful enough about security. But the chocolate bar stuff? Give me a break.

READ POST | Comments(3)

Posted by Eric Krapf | Apr 7, 2008

On the VOIPSA blog, Dan York offers some concerns about the way VOIPShield handled its recent announcement of the vulnerabilities it had found, an announcement that just happened to be coupled to a new product release.

READ POST | Comment on this blog entry

Posted by Eric Krapf | Apr 2, 2008

VOIPShield, a VOIP security company, says it's found some 80 vulnerabilities in Avaya, Cisco and Nortel IP-telephony gear, and another 44 vulnerabilities in the SIP protocol. More detail on each vulnerability is spelled out in the Research section of VOIPShield's website. According to the website, the vendors are working on fixes for their respective vulnerabilities, and in cases of 3 vulnerabilities rated as "critical," patches are already available.

READ POST | Comment on this blog entry

Posted by Eric Krapf | Mar 31, 2008

Fritz Nelson of TechWeb TV interviews Mark Collier, CTO of SecureLogix, about the state of VOIP Security. Mark pegs denial-of-service attacks aimed at the underlying IP infrastructure as the greatest security threat to enterprise IP telephony at this point.

Let's go to the video:

READ POST | Comments(1)

Posted by Matt Brunk, Telecomworx | Mar 14, 2008

Back in February, I read Confessions of a Caller-ID Spoofer by Paul McNamara over at Network World.

Caller-ID spoofing is a “feature” in many telephony platforms.

Let me explain further. Showing the main billing number or master directory number listing on digital trunks for outbound calls is an old practice but substituting the number for someone else isn’t. This is what McNamara points out in his article and this substitution is perfectly legal today, probably because it wasn’t given any thought.

READ POST | Comments(3)

Posted by Eric Krapf | Feb 22, 2008

Here's another great post by Dustin Trammell over at VOIPSA about a practical concern in ensuring VOIP security: The need for VOIP hardware to have enough processing power so it can be upgraded as security demands require.

READ POST | Comment on this blog entry

Posted by Eric Krapf | Feb 19, 2008

Over at VOIPSA, Dustin Trammell offers a bleak assessment of VOIP Security in real-world products, basing his judgment on a recent Cisco advisory concerning a number of vulnerabilities.

READ POST | Comments(1)

Posted by Eric Krapf | Feb 4, 2008

Once again via the invaluable VOIPSA, comes word that some IETF members are exploring a more formal effort to pre-emptively deal with the nascent problem of SPIT (spam over IP telephony), with a proposed BoF session at the next IETF meeting. Enterprises and their vendors should support any effort to have defenses in place for this next generation of spam.

READ POST | Comment on this blog entry

Posted by Eric Krapf | Jan 24, 2008

As SIP continues to seep into the mainstream, more attention is being paid to security issues, especially in public IP networks/the Internet. At VoiceCon Orlando in March, we're bringing back Cullen Jennings and Eric Rescorla to once again give their "SIP Security" tutorial, which offers enterprises a jump on many of the key issues. And, via VOIPSA, I've discovered a trove of SIP-related and other Internet security presentations from the most recent ETSI Security Workshop (click on the Agenda link for the topics of each presentation).

READ POST | Comment on this blog entry

Posted by Eric Krapf | Jan 17, 2008

Sipera, a VOIP security company, has come out with its Top 5 VOIP Threat Predictions for 2008. Their top concern is denial-of-service attacks through SIP trunks and mobile infrastructures. This makes sense both in its own right, and because DoS attacks are a legitimate concern based on their effect on the underlying data network.

READ POST | Comment on this blog entry

Posted by Eric Krapf | Jan 17, 2008

Dan York presents a conundrum: Once VOIP has reached critical mass in the enterprise, how will you filter out SPIT (spam over IP telephony) while allowing legitimate traffic such as notifications to go through?

READ POST | Comment on this blog entry

Posted by Eric Krapf | Dec 10, 2007

Lending some credence to the idea that VOIP hacking will increase in 2008 is the hacking of Cisco phones that occurred on a hotel network earlier this year (the exploit is described here. Cisco has now confirmed that this exploit is possible (Cisco's response is here.

READ POST | Comment on this blog entry

Posted by Eric Krapf | Dec 10, 2007

The SANS Institute has compiled its year-end list of security vulnerabilities, and there's quite a bit of detail on VOIP. Their suggestions for mitigation:

READ POST | Comment on this blog entry

Posted by Eric Krapf | Dec 10, 2007

VOIP security makes McAfee's list of Top 10 Threat Predictions for 2008, taking the ninth spot based on McAfee's projection that VOIP attacks will increase 50% next year (link to the PDF is at VOIPSA).

READ POST | Comment on this blog entry

Posted by Eric Krapf | Dec 10, 2007

One of the gospel truths since the first IP voice packets were put on a data network is that you have to establish separate VLANs for voice and data traffic. But that piece of conventional wisdom may not be so wise.

READ POST | Comment on this blog entry