VOIP 2: Is Free too Expensive?

    Presentation Transcript

    • VoIP 2: Is Free too Expensive? by Darren Bilby and Nick von Dadelszen
    • Different Types of VoIP
      • There are many different implementations of IP telephony:
        • Skype
        • MSN
        • Firefly
        • Cisco Office
        • Asterisk
    • VoIP Technology
      • Each type of VoIP uses different technology:
        • Skype – Proprietary
        • MSN – SIP
        • Firefly – IAX
        • Cisco – H.323, Skinny
        • Asterisk – SIP, IAX2
        • Others – MGCP
      • Most of these do not have security built in, so they rely on network controls
    • Attacks Against VoIP
      • Multiple attack avenues:
        • Standard traffic capture attacks
        • Traffic manipulation
        • Dynamic configuration attacks
        • Phone-based vulnerabilities
        • Management interface attacks
    • Consequences of Attacks
      • Eavesdropping and recording phone calls
      • Active modification of phone calls
      • Call Tracking
      • Crashing phones
      • Denying phone service – Slammer?
      • VoIP Spamming
      • Free calls
      • Spoofing caller ID
    • Capturing VoIP Data
      • Ethereal has built-in support for some VoIP protocols
      • Has the ability to capture VoIP traffic
      • Can dump some forms of VoIP traffic directly to WAV files.
      • Point and click hacking!
    • Audio Capture
    • VoIP Security Solutions
      • You must protect the network traffic
        • Separate data and voice traffic – VLANs
        • Ensure IPsec or other VPN technology is used over WAN links
        • IDS monitoring on the network – ARP inspection
        • Host Security
        • VoIP-enabled firewalls
        • Excellent guidelines in Cisco SAFE documentation
      • Or wait for more secure protocols
    • Skype – What Is It?
      • Proprietary VOIP system for calls over the Internet
      • Free and simple to use
      • Developed by the creators of KaZaA
      • Relies on P2P technology
      • Over 29 million users worldwide
      • Allows connections to regular phones through SkypeOut
    • Skype Connection Details
      • Listens on a random port and on ports 80 and 443
      • Connects to known Supernodes stored in the registry
      • Must establish connection with login server to authenticate
      • NAT and Firewall traversal
      • Any Skype client with an Internet IP address and suitable bandwidth/CPU may become a Supernode
    • Skype Architecture (Ref: "An Analysis of the Skype Peer-to-Peer Internet Telephony Protocol", Salman A. Baset and Henning Schulzrinne)
    • Skype Call Security
      • Skype claims to encrypt all voice traffic with 128-bit or better encryption
      • The encryption implementation used is proprietary and closed-source
      • It is unknown whether the Skype organisation has the ability to decrypt all voice traffic
    • Other Skype Security Concerns
      • Same developers as KaZaA, known for spyware
      • Cannot stop client becoming a Supernode
      • Client allows file transfer, even through firewalls: an access path for malicious code and information leakage
      • Login server reliance
    • Should You Use Skype?
      • If you can answer yes to four questions:
        • Are you willing to circumvent the perimeter controls of your network?
        • Do you trust the Skype developers to implement security correctly (being closed-source)?
        • Do you trust the ethics of the Skype developers?
        • Can you tolerate the Skype network being unavailable?
    • Other VoIP Issues – Commercial Caller ID Spoofing
      • Multiple companies are now offering caller ID spoofing:
        • CovertCall
        • PI Phone
        • Star38
        • Us Tracers
        • Camophone
        • Telespoof
      • Makes Social Engineering a lot easier
      • Many systems authenticate on CID
    • Other VoIP Issues – New Attack Tools
      • New tools make finding vulnerabilities easier
        • SIP Bomber
        • PROTOS Test-Suite
        • SiVuS
    • Good Sites For Learning More
      • Some good links for learning more about VoIP
        • http://www.voip-info.org/tiki-index.php?page=voip-info.org
        • http://www.vopsecurity.org/index.php