ETel2007: The Black Bag Security Review (VoIP Security)

The Black Bag Security Review Dan York, CISSP Emerging Telephony 2007

The Story of SysAdmin Steve
Part 1

Once upon a time...

big company

smaller company

promotion

phones, too!

new VoIP system

net head

open standard

Security Isn’t Possible

education

IP-PBX SIP Service Provider LAN Internet PSTN

merged

new IT staff

Juvenile Joe

read e-mail

monitor

comment

playground

exploit chaos

ultimate truism

voice = packets

packets = bits

bits can be manipulated

“ VoIP security tools”

tools, tools, tools

voipsa.org

hackingvoip.com

sectools.org

tools, tools, tools

test/defend

attack

perspective

white hat

black hat

wireshark
the tool formerly known as Ethereal

cain & abel

2-hour commute

corporate conversations

personal iPod

(scared yet?)

conversations

voicemail PINs

banking PINs

DTMF decoder

(fun stuff, eh?)

Teleworker Ted

grudge

hang up Ted

cell phone

devious

mix in new background

amusement park

screaming kids

Ted’s dog

endless barking

no clue

Process Paul

new rules

worked late

female

no clue

insecure firewall

family

SIP softphone

free long distance

(toll fraud)

Board conf calls

revenues in the tank

acquisition

only hope

IT outsourced

(Uh-oh)

SIP trunk

unencrypted

sniff CID

lawyers

SIP Redirect

random extension

shipping

kitchen

acquire?

@#$@?%$!

SysAdmin Steve

fix it

hang up CEO

set reload

erase SIP registration

packet flood

degrade

cell phones

acquire?

@#$@?%$!

SysAdmin Steve

fix it

3 strikes

investigation

discovered

heart attack

SIP trunk

unencrypted

public Internet

call records

public Internet

cleartext

(not good)

Fire Joe!

defense in depth

layers

encryption

call control

SIP trunk

clueless

new provider

call accounting

IP network

IDS/IPS

monitoring

rate throttling

secure perimeter

firewall traversal

firmware

o/s patches

disable services

die, default passwords, die, die, die

layers

secure VoIP

caveat

internal

disgruntled

compromised servers

spyware

unsecured WiFi

(checked your parking lot lately?)

offline analysis

SIP trunk

security

(differentiator?)

Botnet Bob

zombies

profit

Criminal Chris

espionage

identity theft

human replay attack

Spammer Sue

1,000s of calls

“ significant event”

Congressman

mistress

public official

porn line

identity theft

13-yr-old

podcast

Wall Street Journal

“ VOIP IS INSECURE!”

VoIP *can* be secure

questions

education

good news

voipsa.org

VOIPSA Threat Taxonomy

VOIPSA Best Practices

VOIPSEC mailing list

blueboxpodcast.com

(if you’re not reading them, be aware the attackers ARE!)

defense in depth

layers and layers

call control

SIP trunks

management interfaces / APIs

PSTN interfaces

voip = IP + PSTN

it’s the network, stupid

IP network

voice = packets

packets = bits

bits can be manipulated

VoIP *can* be secure

SysAdmin Steve?

happily ever after?

acquisition?

another story

To be continued...

The End
(or is it the beginning?)

Please practice safe VoIP!

Q&eh?
www.voipsa.org www.voipsa.org/blog www.blueboxpodcast.com www.disruptivetelephony.com www.mitel.com

Thank you
(Please practice safe VoIP!)

http://www.wirechatter.com	73
http://www.blueboxpodcast.com	34
http://www.slideshare.net	14
http://www.disruptiveconversations.com	13
http://websecurity.com.ua	10
http://www.disruptivetelephony.com	8
http://q-ontech.blogspot.com	2
http://feeds.feedburner.com	1
http://translate.googleusercontent.com	1
http://www.marc-seeger.de	1
http://rashmisinha.blogspot.com	1
http://64.233.169.104	1
http://feeds2.feedburner.com	1

ETel2007: The Black Bag Security Review (VoIP Security)

by Dan York on Mar 01, 2007

Accessibility

Categories

Tags

Upload Details

Usage Rights

13 Embeds 160

Statistics

ETel2007: The Black Bag Security Review (VoIP Security) — Webinar Transcript