Category Archives: Security

Asterisk Vulnerability Discovered

Posted on by
1

man hitting computer

Here is something for all Asterisk users out there.  Though we may all be very enthusiastic about Asterisk and the service it provides, we have to be practical and keep our eyes open for vulnerabilities.  Even the people over at Digium do not act like ostriches and keep their head buried in the sand – I guess most other service providers act the same way.  They are always on the look out for weaknesses that other unscrupulous individuals may take advantage of.

Recently, Joel R. Voss aka. Javantea reported a vulnerability in Asterisk systems that may result in denial of service.  Many other sites and blogs have subsequently spread the word about the possible problems that may arise from the vulnerability.  People over at Digium themselves have released an advisory about the issue.  They have also released work arounds that could help solve the issue and avoid potential problems that may arise from it.

Below is the description of the vulnerability as well as other important details that you may need to resolve the issue.  This was taken from Secunia:

Description:
A vulnerability has been reported in Asterisk, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to improper verification of ACK responses during IAX2 handshakes, which can be exploited to spoof an IAX2 handshake and cause a DoS via high bandwidth usage.

The vulnerability is reported in the following versions:
* Asterisk Open Source 1.0.x (all versions)
* Asterisk Open Source 1.2.x (all versions prior to 1.2.28)
* Asterisk Open Source 1.4.x (all versions prior to 1.4.19.1)
* Asterisk Business Edition A.x.x (all versions)
* Asterisk Business Edition B.x.x (all versions prior to B.2.5.2)
* Asterisk Business Edition C.x.x (all versions prior to C.1.8.1)
* AsteriskNOW 1.0.x (all versions prior to 1.0.3)
* Asterisk Appliance Developer Kit 0.x.x (all versions)
* s800i (Asterisk Appliance) 1.0.x (all versions prior to 1.1.0.3)

Solution:
Asterisk Open Source 1.2.x:
Fixed in 1.2.28.

Asterisk Open Source 1.4.x:
Fixed in 1.4.19.1.

Asterisk Business Edition B.x.x:
Fixed in B.2.5.2

Asterisk Business Edition C.x.x:
Fixed in C.1.8.1.

AsteriskNOW:
Fixed in 1.0.3.

s800i (Asterisk Appliance):
Fixed in 1.1.0.3.

Provided and/or discovered by:
Joel R. Voss a.k.a. Javantea

Original Advisory:
Asterisk:
http://downloads.digium.com/pub/security/AST-2008-006.html

AltSci:
https://www.altsci.com/concepts/page.php?s=asteri&p=2

Here’s to hoping that you will be able to take care of the vulnerability before anything adverse happens!

Got VOIP Spam?

Posted on by
1

SPAM
Did you know that they can spam VOIP just like they spam e-mails? Whoever “they” may be, the threat may very well be quite real and has actually been given a name. “Spit” stands for spam attacks against internet telephony connections. Alright, I do not know who coined this term and whether I think it is clever or just plain silly. Still, that is beside the point – it might exist and might pose a problem in the future.

According to the Heise Online News, the Internet Engineering Task Force is going to be working on this issue over the next 6 to 12 months. Yet is there really a threat? According to Jon Petersen, “there was no evidence at the present time that a “spit” problem existed. In his opinion it was still, at best, theoretical. A representative of the NEC Lab in Heidelberg, on the other hand, said that work on possible solutions to “spit” had already been going on there for three years. At present, he said, the “spit” figures were still small, but “spit” was expected to become a serious problem as internet telephony became more widespread.”

However, if spit does become a serious threat, some people are concerned about the consequences:

“The costs incurred if we do nothing are very high,” warns SIP developer Henning Schulzrinne of Columbia University . It had taken a long time before anyone reacted to the now-familiar email spam, he pointed out, and now the implementation of countermeasures was struggling along behind the problem. Schulzrinne is one of the authors of an internet draft that contains preliminary recommendations. “Do we really want to wait until we have a VoIP botnet problem?”, Schulzrinne asked.
As with email spam, the developers who are already working on possible defences have no magic recipe against “Spit”. Among the possible options mooted are solutions involving the identification and authentication of callers, statistical solutions – meaning the blocking of mass calls emanating from one account – or defence through the cost of making a contact (something that was considered for email, but was swiftly rejected).

I tend to lean towards the side of caution here. I would rather have people working on this as early as now and ready to face the threat when it does arise. How about you? What do you think about all this ruckus?

Keeping Your Voice Calls Confidential

Posted on by
1

Zfone GUI
Everyone knows this – IP voice calls can be prone to eavesdroppers. Yup, even the virtual walls have ears. Whether you are using VOIP for business or for personal purposes, I am quite sure that you would rather have your conversations private, right? Though VOIP has tons of positive points on its side, it is a sad fact that it could be more prone to eavesdropping than wired telephones. How so? It is because of a simple thing – VOIP has no wired connection that would require an eavesdropper to tap into the wires, something that might not be that easy to do without being detected. With VOIP, however, all one needs to listen in on another person’s conversation is to intercept the data that is being transmitted over the network. With the proper tools, anyone can capture and analyze the data – in effect, listen to your conversations.

How do you ensure that no one is listening in on your voice calls? It is simple – by using some sort of encryption method. Encrypting your voice calls is a simple matter and will make it almost impossible for other people to snoop on your conversations.

One popular method of encrypting VOIP calls is Zfone. This software is developed by Phil Zimmerman and is free to download. It is perfect for VOIP users who do not have much know how, technologically speaking. All you need to do is to download the program, install it and you’re good to go. One drawback of the Zfone is that in order for your call to be secure, the party you are calling has to have it installed as well.

Another method of encryption is what is dubbed as built-in encryption. It is basically what VOIP clients do. Skype, for example, has built-in encryption – the user does not have to do anything in this regard.

For businesses, Transport Layer Security (TLS) and IP Security (IPSec) seem to be the best bet. These two methods are quite robust and prevent external unauthorized tampering. The level of security they offer makes them very attractive for business owners. To date, TLS seems to be gaining more ground in terms of popularity simply due to the fact that it is more efficient and does not take up as much bandwidth as IPSec does.

There are other ways of keeping your voice calls confidential. So what’s keeping you? Take that step and rest assured that no one is eavesdropping on you.

Top VOIP Security Threats Continued

Posted on by
Reply

vishing

So in the last post, you saw how DoS attacks and eavesdropping would be big concerns this year. Here are the last 3 points that Jim Higdon wrote about earlier this year:

3. Microsoft Office Communications Server: Hackers love attacking Microsoft, and Microsoft loves being unprepared. VIPER Lab predicts that hackers will find vulnerabilities in Microsoft Office Communications Server’s VoIP client and use it to access networks that had previously been secure, and the organization is not alone in reaching this conclusion. Network World blogger Mitchell Ashley suggests that Microsoft could learn from Vonage’s vulnerability to spoofing attacks.

I guess those of us who are using Windows are out of luck in this point. Then again, this is why business are leaning towards alternatives.

4. Vishing by VoIP: The FBI has been aware of vishing for nearly a year now, and the IC3 (Internet Crime Complain Center) recently released a report stating that vishing attacks are on the rise. With caller ID spoofing, the criminals can be very difficult to track, “due to rapidly evolving criminal methodologies,” according to the IC3.

Yup, first it was phishing, now it’s vishing.

5. VoIP Attacks Against Service Providers: These sorts of attacks will escalate, VIPER Lab predicts, because of readily available, anonymous $20 SIM cards. As UMA (Unlicensed Mobile Access) technology becomes more widely deployed to allow calls to switch from cell networks to VoIP networks, VIPER Labs warns that “service providers are, for the first time, allowing subscribers to have direct access to mobile core networks over IP, making it easier to spoof identities and use illegal accounts to launch a variety of attacks.” Such attacks include scripting “various flood, fuzzing and spoofing attacks,” according to VoIP blogger Rich Tehrani. “The hacker could set up multiple IPSec tunnels to various PDGs in the network or across multiple GPRS sessions [generating] up to 10,000 messages per second … equal [to] the traffic of 10 million users,” he wrote.

Knowledge is power. I hope that exposing these threats will help you make your VOIP system more secure.

Top VOIP Security Threats

Posted on by
1

security threat
VOIP is definitely a cost effective way to manage communications, both for business and personal use alike. As with many other things in life, though, VOIP does have some downsides to it. Jim Higdon writes a very information article on the top security threats for VOIP this year. Here is his list – complete with explanations as to why they have predicted these items as part of the top VOIP security threats for 2008:


1. DoS (denial of service) Attacks on VoIP Networks: This has been a concern for the IEEE (Institute of Electrical and Electronics Engineers) since 2006, and VoIP watchers have been concerned about DoS attacks for the past year. DoS attacks can overwhelm your company’s phone lines, creating long-term busy signals, forced call disconnects and an exhausted work force.

2. VoIP Eavesdropping: In June 2007, it was learned that a hacker with a packet sniffer and VOMIT could tap directly into VoIP calls. Then it was learned that those vulnerabilities could also lead to DoS attacks. “Anyone on your network,” stated an article found at EnterpriseVoIPPlanet, “anyone on other networks that you contact — and all points in between, including service providers — all have the opportunity to do an awful lot of juicy snooping.” Not to mention, of course, that the FBI and other security agencies can do all the VoIP snooping that they want. How do you prevent unwanted listeners on your VoIP calls? Place all VoIP phones on separate, secured vLANs to protect against rogue devices, then protect that vLAN against the introduction of unauthorized devices. Once you’ve isolated your VoIP devices, limit their inbound and outbound traffic so that they can only communicate with their call manager, encrypt the calls that travel over public networks, and watch the news and get ready to react, according to SearchSecurity.com.

Let’s cut this short for now – I’ll post the other points in the next entry.

Keep Your Phone Numbers Private

Posted on by
Reply

Yes, we know that with the advent of the internet, privacy has become almost obsolete. But if you’re one of those who still believe that there’s some way to keep your landline, cell or VOIP phone numbers accessible only to people who actually know you, there might be some hope yet. Yes, Virginia, there are technologies that can anonymize your phone number or at least make it tougher for callers to reach you. VoIP News lists several ways how. Here’s a summary:

Jangl – Jangle’s MatchTalk service for Match.com, centers on VoIP-enabled online dating. The MatchTalk service creates an anonymous number that two people can use to call one another.

Craigsnumber – it’s a free service that auto-generates a phone number where people can reach you. Callers dial it and record a short introductory message, then Craigsnumber calls you at your designated number and plays the message. You decide whether to accept it. Callers won’t know your real phone number, and they won’t even be able to reach you through your Craigsnumber unless you permit it. Another plus is Craigsnumbers are not re-used.

Jaxtr – Sign up for Jaxtr and get a designated URL for yourself. To make calls, you first type in another person’s designated Jaxtr URL, then type in your phone number. Jaxtr will call you, then call the other person, and viola! You’re connected, anonymously and even internationally, for the price of a local call. Jaxtr can also handle calls on a per-caller basis, putting some people through, while shunting anyone not pre-approved by you to voice mail. In addition, Jaxtr’s VoiceBlast feature promises to bring prerecorded voice greetings to people’s blogs.

Privacy Corps – if your phone number is already public, you can block unwanted callers by using their Caller ID Manager. It’s a $100 device that blocks up to 175 numbers, area codes or even prefixes while giving you the ability to receive calls only from specific numbers.

VoicePulse – you can access a large menu of call-handling capabilities to block telemarketers and anonymous or unavailable callers, schedule do-not-disturb times and modify how your phone rings depending on the caller.

For a better look at the article, visit http://www.voip-news.com/feature/anonymous-voip-calling-052107/

How Secure Is Your VoIP System?

Posted on by
Reply

Recently, we wrote about PGP for VoIP, and how developers are integrating such security systems into Asterisk. But here’s one fundamental question: how secure is your VoIP system? are you aware of any vulnerabilities you might face through the course of your setup, use, and maintenance of your system?

Remember that your VoIP network is only as secure as the rest of your network. It’s not like plain old telephone systems, where people would need to physically access the circuit (whether from within your office, the interconnection to your local exchange carrier, or within the phone company itself). There are various risks involved, and these usually come in the form of fraud and theft (such as theft of information due to eavesdropping), and spam via VoIP. After all, valuable information is usually exchanged through voice communications (including financial information, medical advice, stock trading, and so forth), and these can be easily intercepted by third parties without adequate security.

Enterprise-oriented solutions are usually more secure than end-user solutions. This means that commercial-grade systems usually come built-in with encryption and risk-detection mechanisms. Still, it pays to double-check with your service or hardware provider just to be sure.

For instance, here are five fundamental things that IT managers should look out for.

  • First is protecting the actual voice stream from eavesdropping.
  • Second, is ensuring that the message gets from point A to point B without being modified en route.
  • Third, you should make sure that Web interfaces and APIs that monitor traffic are secure and authenticated.
  • Fourth, you should monitor the interconnection with the regular telephone lines (POTS), to make sure these are free of toll fraud.
  • Fifth, you should secure the underlying TCP/IP network against attacks itself. One good way to be easily detect attacks on the VoIP network itself is to have separate LANs for voice and data. If your network is being attacked or is experiencing severely heavy loads (such as from DDOS attacks), then voice quality severely degrades.

PGP for VoIP, Anyone?

Posted on by
1

Most of us who lived in the days pre-WWW remember PGP. Actually anyone who has ever needed to send email or any message securely would remember PGP, which stands for Pretty Good Privacy. These days, it’s the de facto standard for encryption. But this is for data. What about voice? Specifically, what about VoIP?

Apparently, PGP’s creator Phill Zimmerman is still working on making our lives more secure from eavesdropping, and yes, his work now is about VoIP. VoIP news shares a feature where Zimmerman’s latest project is introduced.

The concept behind this latest endeavor is the possibility of man-in-the-middle attacks in VoIP conversations. In public switched telephony (your plain old telephone system), it was easy for governments to eavesdrop into conversations because they have power/control over the telcos. But it’s not so, the other way around. But with VoIP, the playing field is leveled. Now individuals can eavesdrop on anyone (with the right tools), even government officials. Therefore there’s a need to ensure top grade security, especially for sensitive calls.

Zimmerman and company created a product, Zfone, which incorporates the best features of PGP into voice communications. And this is done by doing away with the public key setup that most security systems use. This is purely peer-to-peer, meaning only you and the person on the other line should have this “key” and you can be sure that it’s the same person you are talking to. It’s like meeting someone face to face the first time. The next time you meet, you’ll know it’s that same person.

Zfone, the ZRTP-based product Zimmermann sells through a company with the same name, also incorporates “key continuity,” where you hash the keys just used in the conversation, and they become part of the keys for the next conversation, thus assuring that you’re talking with the same person as the last time.

“You check to see if there was a previous, retained shared secret from the earlier call,” Zimmermann says, “and if there was, you mix it in with the key that you’re generating for this call, so that if there was no man in middle in the last call, there cannot be one in this call.”

The numbers generated by this process should match up, even a hundred conversations later, Zimmermann says. “You don’t have to lie awake at night worrying about whether they heard you talking six months ago in that call that you forgot to check.”

Zfone offers plenty of features, including a GUI for management, and a packet interceptor that turns software and hardware VoIP clients into secure connections. Zfone also has licensing deals with other VoIP providers and open-source solutions, including Asterisk. Zimmerman is hoping this could be adopted as a standard in the VoIP industry and community.