Speaking at VoiceCon

Posted August 16, 2007 by hackingvoip
Categories: VoIP Security

We’ll be speaking at VoiceCon in San Francisco next week. On Monday, August 20 we teach a three hour long tutorial entitled IP Telephony Security Threats and Countermeasures. Here’s the agenda:

IP Telephony has already become a popular playground for attackers. This tutorial provides the latest information on security issues for IP Telephony implementations. The instructors are co-authors of the new book, Hacking Exposed: VOIP. The course will help you assess the potential dangers and identify the steps that can be taken to improve security. You will gain an appreciation for the nature of the security threats to IP-PBX gear and receive practical recommendations for how to handle threats. The tutorial covers how attacks are perpetrated against IP Telephony end users and operators, outlines the steps to take to protect both users/subscribers and the IP Telephony infrastructure, describes the relevant standards for improving IP Telephony security and looks at emerging issues and technologies.

On Tuesday August 21, we’ll both be in the panel entitled Preparing for the Inevitable: Voice-Oriented Attacks. Here’s the session description:

So far, the emphasis in VOIP security has been to protect the underlying IP network –rather than voice elements–from attacks. However, it’s only a matter of time before call-control servers and other voice network elements are targeted directly. This session will familiarize you with voice-oriented attacks and give you ammunition to help prevent–or contain–any damage.

KEY QUESTIONS:

  • What are the most serious voice-oriented attacks being seen “in the wild?” Which have only appeared as hackers’ “proof of concept,” but could soon go live?
  • What avenues are used to attack voice-specific infrastructure, and how do you protect these?
  • What types of equipment and technologies must you implement to stop voice-oriented attacks?
  • What specific kinds of damage can these attacks cause?

Please stop by and say hello!

Speaking at Interop

Posted May 7, 2007 by hackingvoip
Categories: VoIP Security

We will both be speaking at the Interop conference in Las Vegas in a session entitled, VoIP Security, on Thursday May 24th. We’ll have a few copies of our book to give away. Please stop by and say hi if you’re around.

VOIPSA releases a list of security tools

Posted March 14, 2007 by hackingvoip
Categories: VoIP Security

The folks over at VOIPSA today just released a comprehensive list of security tools. Quite a few of the tools referenced are the tools that we wrote for our book. It’s great to see the industry getting together to make these types of resources available. Kudos to VOIPSA!

New VoIP Phishing Scheme

Posted March 8, 2007 by hackingvoip
Categories: VoIP Security

Brian Krebs from the Washington Post reports on a new VoIP Phishing (Vishing) scheme targeting Bank of America customers. The scam appears as an official looking Bank of America email and tries to convince the victim to dial a toll free number to sort out some account problems. Once the victim dials that number, they’re prompted to enter in their account number and secret pin number. The evil doers are then able to easily access the bogus system and reconstruct all of the numbers you entered. Much like how traditional email phishing attacks flourished in the last couple of years, I absolutely believe that VoIP Phishing scams will skyrocket this year.

For some background, there was a compelling presentation at last year’s BlackHat security conference by Jay Schulman, entitled Phishing with Asterisk (PDF). In his presentation, Jay showed how easy it was for attackers to use Asterisk PBX to set up a spoofed banking automated attendant and route all calls to a toll free number through to that PBX. Additionally, we devoted an entire chapter to VoIP Phishing in our book, Hacking Exposed: VoIP.

We’ve included a snapshot below of one of the first VoIP Phishing emails targeting PayPal that emerged last year that we showcased in our book. Click on it to see the larger image.

Another review

Posted February 28, 2007 by hackingvoip
Categories: VoIP Security

Gary Audin from VoIP Loop wrote a nice follow-up review of our book entitled Attacking VoIP Security. In his writeup, he goes over several of the hacking scenarios we present throughout the chapters.

Teaching and Speaking at VoiceCon

Posted February 27, 2007 by hackingvoip
Categories: VoIP Security


We’ll be teaching a tutorial at VoiceCon next week:

Monday, March 5th
1:30 p.m. – 4:30 p.m.
IP Telephony Security Threats and Countermeasures

This tutorial will provide the latest information on security issues for IP Telephony implementations. The course is divided into two parts: Assessing the potential danger, and what you can do about it. Course participants will gain an appreciation for the nature of the security threats to IP-PBX gear, and will get concrete recommendations for how to handle this threat.

Also, we’ll be doing a panel session on Wednesday:

Wednesday, March 7th
1:00 p.m. – 2:15 p.m.
Voice-Oriented Attacks

You’ve heard all the clever new acronyms and slang like SPIT (spam over IP telephony) and VOIP phishing, and these attacks are becoming more of a concern. At the same time, however, attacks traditionally aimed at the data network are being tailored toward voice infrastructure–for example, denial of service attacks that tie up telephone trunks and block the call center. This session will familiarize you with voice-oriented attacks that you may not have encountered yet, but do need to think about preventing.
KEY QUESTIONS:
* What are the most serious voice-oriented attacks being seen “in the wild”? Which have only appeared as hackers’ “proof of concept,” but could soon go live?
* What avenues are used to attack voice-specific infrastructure, and how do you protect these?
* What types of equipment and technologies must you implement to stop voice-oriented attacks?
* What specific kinds of damage can these attacks cause?

If you’re attending VoiceCon, please stop by and say hello!  We’ll be also giving away a couple of copies of the book throughout the week.

Nice review from eWeek

Posted February 20, 2007 by hackingvoip
Categories: VoIP Security

Andrew Garcia over at eWeek had some nice things to say about our book:

http://www.eweek.com/article2/0,1895,2096267,00.asp

As VOIP systems proliferate, so, too, must the measures taken to secure them. Luckily for IT administrators, several resources are available to help them do just that. In the book “Hacking Exposed VOIP: Voice over IP Security Secrets & Solutions,” for example, authors David Endler (director of security research at TippingPoint) and Mark Collier (chief technology officer of SecureLogix) bring to life the imminent threat of VOIP attacks, describing in detail how an attacker could discover, enumerate, probe and eventually co-opt an existing voice network


Follow

Get every new post delivered to your Inbox.