Speaking at VoiceCon

Posted August 16, 2007 by hackingvoip
Categories: VoIP Security

We’ll be speaking at VoiceCon in San Francisco next week. On Monday, August 20 we teach a three-hour-long tutorial entitled IP Telephony Security Threats and Countermeasures. Here’s the agenda:

IP Telephony has already become a popular playground for attackers. This tutorial provides the latest information on security issues for IP Telephony implementations. The instructors are co-authors of the new book, Hacking Exposed: VOIP. The course will help you assess the potential dangers and identify the steps that can be taken to improve security. You will gain an appreciation for the nature of the security threats to IP-PBX gear and receive practical recommendations for how to handle threats. The tutorial covers how attacks are perpetrated against IP Telephony end users and operators, outlines the steps to take to protect both users/subscribers and the IP Telephony infrastructure, describes the relevant standards for improving IP Telephony security and looks at emerging issues and technologies.

On Tuesday August 21, we’ll both be in the panel entitled Preparing for the Inevitable: Voice-Oriented Attacks. Here’s the session description:

So far, the emphasis in VOIP security has been to protect the underlying IP network–rather than voice elements–from attacks. However, it’s only a matter of time before call-control servers and other voice network elements are targeted directly. This session will familiarize you with voice-oriented attacks and give you ammunition to help prevent–or contain–any damage.

KEY QUESTIONS:

  • What are the most serious voice-oriented attacks being seen “in the wild?” Which have only appeared as hackers’ “proof of concept,” but could soon go live?
  • What avenues are used to attack voice-specific infrastructure, and how do you protect these?
  • What types of equipment and technologies must you implement to stop voice-oriented attacks?
  • What specific kinds of damage can these attacks cause?

Please stop by and say hello!

Speaking at Interop

Posted May 7, 2007 by hackingvoip
Categories: VoIP Security

We will both be speaking at the Interop conference in Las Vegas in a session entitled, VoIP Security, on Thursday May 24th. We’ll have a few copies of our book to give away. Please stop by and say hi if you’re around.

VOIPSA releases a list of security tools

Posted March 14, 2007 by hackingvoip
Categories: VoIP Security

The folks over at VOIPSA today just released a comprehensive list of security tools. Quite a few of the tools referenced are the tools that we wrote for our book. It’s great to see the industry getting together to make these types of resources available. Kudos to VOIPSA!

New VoIP Phishing Scheme

Posted March 8, 2007 by hackingvoip
Categories: VoIP Security

Brian Krebs from the Washington Post reports on a new VoIP Phishing (Vishing) scheme targeting Bank of America customers. The scam appears as an official-looking Bank of America email and tries to convince the victim to dial a toll-free number to sort out some account problems. Once the victim dials that number, they’re prompted to enter their account number and secret PIN number. The evil doers are then able to easily access the bogus system and reconstruct all of the numbers you entered. Much like how traditional email phishing attacks flourished in the last couple of years, I absolutely believe that VoIP Phishing scams will skyrocket this year.

For some background, there was a compelling presentation at last year’s BlackHat security conference by Jay Schulman, entitled Phishing with Asterisk (PDF). In his presentation, Jay showed how easy it was for attackers to use Asterisk PBX to set up a spoofed banking automated attendant and route all calls to a toll-free number through to that PBX. Additionally, we devoted an entire chapter to VoIP Phishing in our book, Hacking Exposed: VoIP.

We’ve included a snapshot below of one of the first VoIP Phishing emails targeting PayPal that emerged last year that we showcased in our book.

Another review

Posted February 28, 2007 by hackingvoip
Categories: VoIP Security

Gary Audin from VoIP Loop wrote a nice follow-up review of our book entitled Attacking VoIP Security. In his writeup, he goes over several of the hacking scenarios we present throughout the chapters.

Teaching and Speaking at VoiceCon

Posted February 27, 2007 by hackingvoip
Categories: VoIP Security


We’ll be teaching a tutorial at VoiceCon next week:

Monday, March 5th
1:30 p.m. – 4:30 p.m.
IP Telephony Security Threats and Countermeasures

This tutorial will provide the latest information on security issues for IP Telephony implementations. The course is divided into two parts: Assessing the potential danger, and what you can do about it. Course participants will gain an appreciation for the nature of the security threats to IP-PBX gear, and will get concrete recommendations for how to handle this threat.

Also, we’ll be doing a panel session on Wednesday:

Wednesday, March 7th
1:00 p.m. – 2:15 p.m.
Voice-Oriented Attacks

You’ve heard all the clever new acronyms and slang like SPIT (spam over IP telephony) and VOIP phishing, and these attacks are becoming more of a concern. At the same time, however, attacks traditionally aimed at the data network are being tailored toward voice infrastructure–for example, denial of service attacks that tie up telephone trunks and block the call center. This session will familiarize you with voice-oriented attacks that you may not have encountered yet, but do need to think about preventing.

KEY QUESTIONS:

* What are the most serious voice-oriented attacks being seen “in the wild”? Which have only appeared as hackers’ “proof of concept,” but could soon go live?
* What avenues are used to attack voice-specific infrastructure, and how do you protect these?
* What types of equipment and technologies must you implement to stop voice-oriented attacks?
* What specific kinds of damage can these attacks cause?

If you’re attending VoiceCon, please stop by and say hello! We’ll also be giving away a couple of copies of the book throughout the week.

Nice review from eWeek

Posted February 20, 2007 by hackingvoip
Categories: VoIP Security

Andrew Garcia over at eWeek had some nice things to say about our book:

http://www.eweek.com/article2/0,1895,2096267,00.asp

As VOIP systems proliferate, so, too, must the measures taken to secure them. Luckily for IT administrators, several resources are available to help them do just that. In the book “Hacking Exposed VOIP: Voice over IP Security Secrets & Solutions,” for example, authors David Endler (director of security research at TippingPoint) and Mark Collier (chief technology officer of SecureLogix) bring to life the imminent threat of VOIP attacks, describing in detail how an attacker could discover, enumerate, probe and eventually co-opt an existing voice network

RSA Conference Presentation and Book Signing

Posted February 1, 2007 by hackingvoip
Categories: VoIP Security

Both of us will be presenting “Exploiting Voice over IP Networks” at the RSA conference next week, on Wednesday February 7th in San Francisco. We will be discussing some of the latest VoIP security research we performed for the book, and showing off some of the tools we released as well. We’ll try to give away a couple of books at the end as well. Here’s the info:

Session Track: Hackers & Threats II
Session Code: 2192
Scheduled Date: 2/7/2007
Scheduled Time: 9:10 AM – 10:20 AM
Session Title: Exploiting Voice Over IP Networks

Also, our publisher McGraw-Hill has organized a book signing event at the RSA conference later that day from 12:30pm – 1:30pm at the RSA bookstore. Please stop by and say hello!

UPDATE: Here are our slides from the presentation!

Interview in NetworkWorld

Posted January 29, 2007 by hackingvoip
Categories: VoIP Security

Dave was recently interviewed in NetworkWorld about VoIP Phishing and other new VoIP threats. We cover VoIP Phishing in granular detail and include several examples in Chapter 15 of our book. You can read the full article here: NetworkWorld – Expert: Phishing and other social attacks threaten VoIP

Nice Book Reviews

Posted January 26, 2007 by hackingvoip
Categories: VoIP Security

Some rave new reviews of our book over the last couple of weeks: