VoIP Security

The holidays are over, time to focus on the new year ahead. For some the holidays provide a little more time – as others are busy preparing for the holidays – to research, review and ‘catch up’ on security news and trends from around the industry.
I have always been an advocate for security awareness in the small to medium business (SMB) space. Working in this field I have come to understand the balance between equipment and resources cost and the margins which SMB’s operate within to remain viable. Calls for increasing security can appear to negatively impact this balance. Unfortunately the SMB space is becoming an increasingly popular target for internet criminals as witnessed by these two recent articles.

http://www.krebsonsecurity.com/2010/01/fbi-investigating-theft-of-500000...

http://www.wired.com/threatlevel/2009/12/feds-warn-small-businesses/

Earlier this week, the security team at Digium released Asterisk Projects Security Advisory AST-2009-010 identifying an interesting attack where an attacker can send a malformed RTP packet within the RTP stream and crash the Asterisk system. The fix identified is to upgrade to the latest version of Asterisk.

My one bit of feedback to the folks at Digium would be that their advisories do not provide any information about mitigating circumstances. (Would be great if they could add such a section.)

Sipera
Systems announces availability of the Sipera Secure Live Communications (SLiC)
mobility solution. Delivering breakthrough enterprise-class communications privacy
and security for VoIP and UC on smartphones, Sipera SLiC makes smartphone VoIP and
UC "business ready."

Sipera SLiC is the industry's first security solution enabling enterprises to "tame"
the smartphone, permitting employees to use VoIP, UC, cloud telephony, and other low-cost
and feature-rich communications applications on mobile devices with complete security
and privacy. In an important industry first, Sipera SLiC enables smartphone VoIP to
include smart-card card authentication for accessing enterprise resources, providing

Earlier this month out at ITEXPO in Los Angeles, I participated in the Ingate SIP Trunking seminars as I have been doing for the last year or so. My talk was ?SIP Trunking and Security in an Enterprise Network?. The slides are available for viewing or download from my SlideShare account and I?ll also embed them here in this post.

I did record the presentation in both audio and video and hope to be making that available as a Blue Box podcast some time soon. I?ll then sync the slides to the audio. Meanwhile? enjoy the slides!

Extreme Networks made enhancements to its network solutions that provide behavior-based rules to protect IP Telephony and VoIP traffic. These security rules help mitigate the threat of malicious users and hackers who are actively trying to exploit vulnerabilities and breach the IP communications network. Based on these rules, users or devices that demonstrate destructive behavior when entering the network can rapidly be addressed to preserve the quality of voice communications.

NextAlarm announces two major new security features for its VoIPAlarm 2 IP alarm signal transmission platform. VoIPAlarm 2 is centered around the VoIPAlarm ABN adapter, an IP communicator which connects to any Contact ID compatible alarm system. Signals from the alarm system are received by VoIPAlarm over broadband Internet, and retransmitted over PSTN phone lines or IP to the central station of the alarm installer's choice.

Skype today announced that there is a serious security vulnerability in Skype for Windows versions older than 3.6.x.216. As noted:

With all of the VoIP tools available it?s easy to forget to test the IP stack of your VoIP phone for stability from classic attacks. With that in mind, a good tool for accomplishing this basic vetting is called Targa3. Written way back in 1999, Targa3 encompasses several attacks such as Jolt, Nestea, etc. to ?generate attacks using invalid fragmentation, protocol, packet size, header values, options, offsets, tcp segments, routing flags, and other unknown/unexpected packet values.?

Blue Box Podcast #69 is now available for download.