The Black Bag Security Review Dan York, CISSP Emerging Telephony 2007

The Story of SysAdmin Steve Part 1

Part 1

Once upon a time...

big company

smaller company

promotion

IT

phones, too!

new VoIP system

net head

V

Voice

SIP

open standard

Security Isn’t Possible

education

IP-PBX SIP Service Provider LAN Internet PSTN

cheap

merged

quit

?

new IT staff

Juvenile Joe

BOFH

read e-mail

monitor

comment

playground

exploit chaos

fun

ultimate truism

voice = packets

packets = bits

bits can be manipulated

“ VoIP security tools”

tools, tools, tools

voipsa.org

hackingvoip.com

sectools.org

tools, tools, tools

good

evil

test/defend

attack

perspective

white hat

black hat

wireshark the tool formerly known as Ethereal

the tool formerly known as Ethereal

cain & abel

RTP

WAV

MP3s

iPod

2-hour commute

corporate conversations

personal iPod

corporate conversations

personal iPod

(scared yet?)

conversations

PIN

voicemail PINs

banking PINs

DTMF decoder

(fun stuff, eh?)

Teleworker Ted

envy

grudge

hang up Ted

cell phone

devious

mix in new background

amusement park

screaming kids

dog

Ted’s dog

endless barking

no clue

Process Paul

new rules

worked late

wife

female

no clue

???

insecure firewall

family

SIP softphone

free long distance

(toll fraud)

Board conf calls

revenues in the tank

acquisition

only hope

IT outsourced

job

(Uh-oh)

war

SIP trunk

unencrypted

sniff CID

lawyers

CFO

SIP Redirect

random extension

shipping

HR

labs

kitchen

?

acquire?

@#$@?%$!

SysAdmin Steve

fix it

DoS

BYE

hang up CEO

set reload

erase SIP registration

busy

packet flood

degrade

cell phones

acquire?

@#$@?%$!

SysAdmin Steve

fix it

3 strikes

investigation

truth

discovered

heart attack

SIP trunk

unencrypted

corporate conversations

public Internet

clear

call records

public Internet

cleartext

(not good)

plan

Fire Joe!

defense in depth

layers

encryption

voice

call control

LAN

SIP trunk

clueless

new provider

call accounting

IP network

VLANs

IDS/IPS

monitoring

rate throttling

secure perimeter

firewall traversal

firmware

o/s patches

disable services

die, default passwords, die, die, die

layers

secure VoIP

caveat

internal

disgruntled

x%?

compromised servers

spyware

unsecured WiFi

(checked your parking lot lately?)

offline analysis

SIP trunk

$$$

security

(differentiator?)

Botnet Bob

zombies

fun

profit

Criminal Chris

espionage

identity theft

human replay attack

Spammer Sue

SPIT

1,000s of calls

“ significant event”

Congressman

mistress

public official

porn line

identity theft

13-yr-old

podcast

Wall Street Journal

“ VOIP IS INSECURE!”

moral

VoIP *can* be secure

work

plan

questions

education

good news

voipsa.org

VOIPSA Threat Taxonomy

VOIPSA Best Practices

VOIPSEC mailing list

blueboxpodcast.com

(if you’re not reading them, be aware the attackers ARE!)

defense in depth

layers and layers

voice

call control

SIP trunks

management interfaces / APIs

PSTN interfaces

PSTN

voip = IP + PSTN

it’s the network, stupid

IP network

voice = packets

packets = bits

bits can be manipulated

VoIP *can* be secure

work

plan

SysAdmin Steve?

happily ever after?

acquisition?

job?

CIO?

another story

To be continued...

The End (or is it the beginning?)

(or is it the beginning?)

Please practice safe VoIP!

Q&eh? www.voipsa.org www.voipsa.org/blog www.blueboxpodcast.com www.disruptivetelephony.com www.mitel.com

www.voipsa.org www.voipsa.org/blog www.blueboxpodcast.com www.disruptivetelephony.com www.mitel.com

Thank you (Please practice safe VoIP!)

(Please practice safe VoIP!)