Download as PDF, PPTX
Uploaded byDan York
The State of VoIP Security, a.k.a. “Does Anyone Really Give A _____ About VoIP Security?"
The document discusses the current state of VoIP security, highlighting a general lack of concern among users despite the presence of security measures like TLS and SRTP. It addresses the complexity and finger-pointing in troubleshooting and identifies challenges such as toll fraud and the evolution of attacks. The author emphasizes the need for improved security practices, user education, and proactive measures in the industry to enhance VoIP security.
More Related Content
Similar to The State of VoIP Security, a.k.a. “Does Anyone Really Give A _____ About VoIP Security?"
The State of VoIP Security, a.k.a. “Does Anyone Really Give A _____ About VoIP Security?"
- 1. The State OfVoIP Security, a.k.a.! ! “Does Anyone Really Give A _____ About VoIP Security?” Dan York, CISSP! Chair, VoIP Security Alliance October 5, 2011
- 2. © 2011 VOIPSA http://www.flickr.com/photos/willpate/46488553/
- 3. Does Anyone Really! Give A _____ About! VoIP Security? © 2011 VOIPSA
- 4. Does Anyone Really! Give A _____ About! VoIP Unified Communications Security? © 2011 VOIPSA
- 5.
- 6. Widely Deployed © 2011VOIPSA
- 7. TLS-Encrypted SIP © 2011VOIPSA
- 8. Secure RTP (SRTP) ©2011 VOIPSA
- 9. MORE Secure! Than PSTN © 2011 VOIPSA
- 10. © 2011 VOIPSA http://www.flickr.com/photos/mattblaze/2275723713/
- 11. MORE Secure! Than Ever Before © 2011 VOIPSA
- 12. Almost All Venders! Have Support © 2011 VOIPSA
- 13. Almost All Customers! Don’t Turn It On © 2011 VOIPSA
- 14. Why Not? © 2011VOIPSA
- 15.
- 16. Fingerpointing, a.k.a. “OneThroat To Choke” PSTN PBX Gateways Physical Voicemail Wiring © 2011 VOIPSA
- 17. Fingerpointing - 2011 Mobile Devices IM Application Internet Servers Networks Operating Systems PSTN IP-PBX Gateways VoIP Web IP Social Firewalls Servers Network Networks Physical Directory Voicemail Wiring Servers Desktop Email PCs Database Servers CRM Servers Systems Session Border Controllers © 2011 VOIPSA
- 18.
- 19.
- 20. Turn It BackOn? © 2011 VOIPSA
- 21. SIP Is SoSimple, Right? © 2011 VOIPSA
- 22. Riiiiiigggghhhttt… (Fingerpointing Redux) ©2011 VOIPSA
- 23.
- 24. The Old Boys’Club Carrier Carrier Carrier PSTN Carrier Carrier Carrier Carrier © 2011 VOIPSA
- 25. The Wild West… ITSP ITSP ITSP ITSP ITSP ITSP ITSP ITSP ITSP ITSP ITSP ITSP ITSP ITSP PSTN ITSP ITSP ITSP ITSP ITSP ITSP ITSP ITSP ITSP ITSP ITSP ITSP ITSP ITSP ITSP ITSP ITSP ITSP ITSP ITSP ITSP © 2010 VOIPSA and Owners as Marked © 2011 VOIPSA
- 26. Evolution of Attacks ©2011 VOIPSA
- 27.
- 28.
- 29.
- 30. If 1 IsGood, Why Not 3? © 2011 VOIPSA
- 31.
- 32. Internet LAN © 2011 VOIPSA
- 33. PC UC System Firewall Internet Home Firewall IP Corp HQ Phone Home © 2011 VOIPSA
- 34. Laptop UC client WiFi UC System Firewall Internet Café Router Corp HQ Mobile Data Network Mobile UC client © 2011 VOIPSA
- 35. Corporate Internet Network IVR Voicemail IM IM IM Presence Presence Presence Call Call Call Control Control Control Conferencing Corp HQ Office A Office B PSTN © 2011 VOIPSA
- 36.
- 37. Benefits (for us… and for attackers) © 2011 VOIPSA
- 38. DDoS! (the old-fashioned kind)! (Asterisk & Amazon EC2, anyone?) © 2011 VOIPSA
- 39. SPIT! (“SPam for Internet Telephony”) SPAM © 2011 VOIPSA
- 40.
- 41. Fingerpointing - 2011 Mobile Devices IM Application Internet Servers Networks Operating Systems PSTN IP-PBX Gateways VoIP Web IP Social Firewalls Servers Network Networks Physical Directory Voicemail Wiring Servers Desktop Email PCs Database Servers CRM Servers Systems Session Border Controllers © 2011 VOIPSA
- 42. The Device Formerly! Known As A! “Phone” © 2011 VOIPSA
- 43.
- 44. RTCWEB / WebRTC ©2011 VOIPSA
- 45.
- 46. Fingerpointing - 2011 Mobile Devices IM Application Internet Servers Networks Operating Systems PSTN IP-PBX Gateways VoIP Web IP Social Firewalls Servers Network Networks Physical Directory Voicemail Wiring Servers Desktop Email PCs Database Servers CRM Servers Systems Session Border Controllers © 2011 VOIPSA
- 47.
- 48. “The Hitchiker’s Guide! To SIP” © 2011 VOIPSA
- 49. Forgotten! Simple Things © 2011 VOIPSA
- 50. Biggest Financial Threat? ©2011 VOIPSA
- 51. Toll Fraud © 2011VOIPSA
- 52. IT Security 101 ©2011 VOIPSA
- 53. PIN = “1234” ©2011 VOIPSA
- 54. Password = “password” ©2011 VOIPSA
- 55. Default password list ©2011 VOIPSA
- 56. VoIP = bits ©2011 VOIPSA
- 57. IT Security 101 ©2011 VOIPSA
- 58. Does Anyone Really! Give A _____ About! VoIP Security? © 2011 VOIPSA
- 59. WHEN Will TheyCare? © 2011 VOIPSA
- 60.
- 61. Identity Theft © 2011VOIPSA
- 62.
- 63. Trusted Leader © 2011VOIPSA
- 64. “VoIP Is Insecure!!!” ©2011 VOIPSA
- 65. depl oyed tupi dly S “VoIP Is Insecure!!!” ^ © 2011 VOIPSA
- 66. “VoIP Is Insecure!!!” ©2011 VOIPSA
- 67. Cover Your ____ ©2011 VOIPSA
- 68.
- 69. IT Security 101 ©2011 VOIPSA
- 70. Audit, Audit, Audit ©2011 VOIPSA
- 71. Enable What YouHave © 2011 VOIPSA
- 72.
- 73.
- 74.
- 75.
- 76.
- 77.
- 78.
- 79. Secure By Default ©2011 VOIPSA
- 80.
- 81. What is theIndustry Doing to Help? Security Vendors VoIP Vendors “The Sky Is Falling!” “Don’t Worry, Trust Us!” (Buy our products!) (Buy our products!) © 2011 VOIPSA
- 82.
- 83. Security Links • VoIP Security Alliance - http://www.voipsa.org/ – Threat Taxonomy - http://www.voipsa.org/Activities/taxonomy.php – VOIPSEC email list - http://www.voipsa.org/VOIPSEC/ – Weblog - http://www.voipsa.org/blog/ – Security Tools list - http://www.voipsa.org/Resources/tools.php – Blue Box: The VoIP Security Podcast - http://www.blueboxpodcast.com • NIST SP800-58, “Security Considerations for VoIP Systems” – http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf • Network Security Tools – http://sectools.org/ • Hacking Exposed VoIP site and tools – http://www.hackingvoip.com/ • Seven Deadliest Unified Communications Attacks – http://www.7ducattacks.com/ © 2011 VOIPSA
- 84. Thank You For! Giving A _____ © 2011 VOIPSA
- 85. Thank you! Q & eh? www.voipsa.org 7ducattacks.com Dan York - dan.york@voipsa.org! +1-802-735-1624 DisruptiveTelephony.com danyork.com! blueboxpodcast.com twitter.com/danyork © 2011 VOIPSA