Fortinet is a network security company founded in 2000 with over 1,250 employees. It provides end-to-end security solutions including firewalls, antivirus software, and intrusion prevention systems. The document discusses Fortinet's VoIP security capabilities including SIP protocol inspection, rate limiting, and denial of service protection for VoIP servers. It also covers topics like SIP network address translation, RTP pinholing, media inactivity detection, and load balancing to ensure good VoIP traffic is prioritized over potential denial of service attacks.
The MyPBX SOHO is a standalone IP-PBX for small businesses with up to 32 users that offers flexibility through integration of ISDN, PSTN lines, and VoIP trunks. It provides enterprise-class communication features to reduce communication costs by taking advantage of VoIP technology while ensuring reliability. It has a customizable combination of FXO, FXS, and BRI modules and is compatible with a wide range of IP phones through a web-based interface.
Positive Hack Days. Gurzov. VOIP - Reduce Your Expenses, Increase Your Income...Positive Hack Days
Integrated services by telecom operators and Unified Communications technology promise a quick payback and great convenience. However, it was discovered from practice that VOIP and IPPBX services can cause many problems, first of all relating to information security and fraud. What information security issues can arise for a company if Unified Communications are used? VOIP/PBX/MGW broken in 60 seconds - is it possible? Effective methods and practicalities of Unified Communications security will be discussed.
This document discusses state-actor surveillance techniques including hardware bugs, software exploits, and compromising cellular and WiFi networks. It describes various surveillance device codenames like "RAGEMASTER" and "HOWLERMONKEY" and explains how hardware can be implanted or firmware hacked to enable persistent surveillance. The document advocates for detection of these devices and urges caution but also skepticism of conspiracy theories without evidence. It provides sources for further reading on technical surveillance techniques.
This document discusses using a SIP-416 server to provide IP PBX and VoIP services. It can support up to 16 extensions and concurrent calls. The SIP-416 can be used alone as a SIP proxy server or combined with a PABX. It also supports SIP trunking and connections to smartphones via WiFi. Sample configurations include using the SIP-416 for voice with a separate router for data, connecting two SIP-416 servers via the internet, and supporting smartphone softphones over 3G or WiFi.
This document discusses using a SIP-416 server to provide IP PBX and VoIP services. It can support up to 16 extensions and concurrent calls. The SIP-416 can be used alone as a SIP proxy server or combined with a PABX. It also supports SIP trunking and connections to smartphones via WiFi. Sample configurations include using the SIP-416 for voice with a separate router for data, connecting two SIP-416 servers via the internet, and supporting smartphone softphones over 3G or WiFi.
The MyPBX U200 is an embedded hybrid IP-PBX designed for small businesses requiring up to 50 concurrent calls and 200 users. It supports landline, mobile, and VoIP connections, and has audio input/output ports along with a customizable combination of interface modules. The MyPBX U200 provides enterprise-level communication features and functionality to SMBs at an affordable price.
Matrix Presenting SIMADO GFX11, a compact and intelligent terminal that satisfies all your voice communication needs using the GSM line. The FXS port of the SIMADO GFX11 can be interfaced to the trunk (CO) port of any PBX. This allows all users of the PBX to make and receive calls through the GSM line.
This document provides an overview and agenda for a presentation on attacking Cisco VoIP environments. It discusses discovering the VoIP network configuration and gaining access to the voice VLAN. It covers attacking Cisco Unified Communications Manager, SIP services, and Skinny services used for Cisco IP phones. It also addresses vulnerabilities in hosted VoIP services, tenant management portals, and IP phone management services that could allow privilege escalation or unauthorized access. The presentation aims to demonstrate real attacks on these systems using tools like Viproy and Metasploit.
The MyPBX SOHO is a standalone IP-PBX for small businesses with up to 32 users that offers flexibility through integration of ISDN, PSTN lines, and VoIP trunks. It provides enterprise-class communication features to reduce communication costs by taking advantage of VoIP technology while ensuring reliability. It has a customizable combination of FXO, FXS, and BRI modules and is compatible with a wide range of IP phones through a web-based interface.
Positive Hack Days. Gurzov. VOIP - Reduce Your Expenses, Increase Your Income...Positive Hack Days
Integrated services by telecom operators and Unified Communications technology promise a quick payback and great convenience. However, it was discovered from practice that VOIP and IPPBX services can cause many problems, first of all relating to information security and fraud. What information security issues can arise for a company if Unified Communications are used? VOIP/PBX/MGW broken in 60 seconds - is it possible? Effective methods and practicalities of Unified Communications security will be discussed.
This document discusses state-actor surveillance techniques including hardware bugs, software exploits, and compromising cellular and WiFi networks. It describes various surveillance device codenames like "RAGEMASTER" and "HOWLERMONKEY" and explains how hardware can be implanted or firmware hacked to enable persistent surveillance. The document advocates for detection of these devices and urges caution but also skepticism of conspiracy theories without evidence. It provides sources for further reading on technical surveillance techniques.
This document discusses using a SIP-416 server to provide IP PBX and VoIP services. It can support up to 16 extensions and concurrent calls. The SIP-416 can be used alone as a SIP proxy server or combined with a PABX. It also supports SIP trunking and connections to smartphones via WiFi. Sample configurations include using the SIP-416 for voice with a separate router for data, connecting two SIP-416 servers via the internet, and supporting smartphone softphones over 3G or WiFi.
This document discusses using a SIP-416 server to provide IP PBX and VoIP services. It can support up to 16 extensions and concurrent calls. The SIP-416 can be used alone as a SIP proxy server or combined with a PABX. It also supports SIP trunking and connections to smartphones via WiFi. Sample configurations include using the SIP-416 for voice with a separate router for data, connecting two SIP-416 servers via the internet, and supporting smartphone softphones over 3G or WiFi.
The MyPBX U200 is an embedded hybrid IP-PBX designed for small businesses requiring up to 50 concurrent calls and 200 users. It supports landline, mobile, and VoIP connections, and has audio input/output ports along with a customizable combination of interface modules. The MyPBX U200 provides enterprise-level communication features and functionality to SMBs at an affordable price.
Matrix Presenting SIMADO GFX11, a compact and intelligent terminal that satisfies all your voice communication needs using the GSM line. The FXS port of the SIMADO GFX11 can be interfaced to the trunk (CO) port of any PBX. This allows all users of the PBX to make and receive calls through the GSM line.
This document provides an overview and agenda for a presentation on attacking Cisco VoIP environments. It discusses discovering the VoIP network configuration and gaining access to the voice VLAN. It covers attacking Cisco Unified Communications Manager, SIP services, and Skinny services used for Cisco IP phones. It also addresses vulnerabilities in hosted VoIP services, tenant management portals, and IP phone management services that could allow privilege escalation or unauthorized access. The presentation aims to demonstrate real attacks on these systems using tools like Viproy and Metasploit.
Hacking Trust Relationships Between SIP GatewaysFatih Ozavci
This document describes how to hack the trust relationships between SIP proxies by spoofing SIP INVITE requests. It involves sending IP spoofed INVITEs from a trusted operator's network to detect the IP address and port of another operator's SIP trunk, which accepts calls without authentication. A template INVITE is prepared and looped through possible IP/port combinations. If a call is received, the spoofed SIP trunk details have been discovered and can be used to initiate fake calls.
This document discusses security issues related to Voice over Internet Protocol (VoIP). It begins by explaining what VoIP is and some of its early implementations. It then describes the basic protocols and protocol stacks used for VoIP signaling and sessions, including H.323, SIP, and RTP. The document outlines various roles in VoIP systems, such as administrators and operators. It identifies common attacks against VoIP networks like theft of service, man-in-the-middle attacks, IP spoofing, and denial-of-service attacks. It concludes that VoIP inherits security vulnerabilities from the Internet and that encryption, authentication, firewalls, and separating voice and data traffic are needed to secure VoIP networks.
The MyPBX U100 is a 1U rack mount IP PBX for up to 100 users that supports ISDN, PSTN, GSM, and VoIP network access. It provides enterprise-class communication features and functionality for small businesses through an easy to use web interface. The modular system allows for customizable hardware combinations and is compatible with a wide range of IP phones with no future licensing fees required.
FortressFone is a secure smartphone system engineered for military-grade security. It features encrypted calls, texts, and cloud access. The system hardens the entire device to prevent hacking or data extraction from a stolen phone. It uses a secret-level approved secure SD card and "double pipe" encryption to securely establish communications channels. The system provides customers full control over their secure server and key management through proprietary technology.
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)Fatih Ozavci
Enterprise companies are increasingly using Microsoft Lync 2010/2013 (a.k.a Skype for Business 2015) services as call centre, internal communication, cloud communication and video conference platform. These services are based on the VoIP and instant messaging protocols, and support multiple client types such as Microsoft Office 365, Microsoft Lync, Skype for Business, IP phones and teleconference devices. Also the official clients are available for mobile devices (e.g. Windows phone, Android and iOS), desktops (Mac, Linux and Windows) and web applications developed with .NET framework. Although the Microsoft Lync platform has been developed along with the new technologies, it still suffers from old VoIP, teleconference and platform issues.
Modern VoIP attacks can be used to attack Microsoft Lync environments to obtain unauthorised access to the infrastructure. Open MS Lync frontend and edge servers, insecure federation security design, lack of encryption, insufficient defence for VoIP attacks and insecure compatibility options may allow attackers to hijack enterprise communications. The enterprise users and employees are also the next generation targets for these attackers. They can attack client soft phones and handsets using the broken communication, invalid protocol options and malicious messaging content to compromise sensitive business assets. These attacks may lead to privacy violations, legal issues, call/toll fraud and intelligence collection.
Attack vectors and practical threats against the Microsoft Lync ecosystem will be presented with newly published vulnerabilities and Microsoft Lync testing modules of the Viproy VoIP kit developed by the speaker. This will be accompanied by live demonstrations against a test environment.
• A brief introduction to Microsoft Lync ecosystem
• Security requirements, design vulnerabilities and priorities
• Modern threats against commercial Microsoft Lync services
• Demonstration of new attack vectors against target test platform
This document discusses penetration testing of voice over IP (VoIP) systems. It begins with an overview of VoIP, describing how it allows phone calls over the internet and its common protocols like SIP and RTP. It then covers attacks like information gathering, eavesdropping on traffic, VLAN hopping, spoofing caller ID, and denial of service vulnerabilities. The document concludes with a checklist of penetration testing techniques for VoIP systems, such as VLAN hopping, extension enumeration, capturing SIP authentication, eavesdropping on calls, and callerID spoofing.
This document discusses the importance of Session Border Controllers (SBCs) for Voice over Internet Protocol (VoIP) networks. It outlines how SBCs provide session control, security, interoperability, and demarcation. SBCs help protect against various VoIP threats like denial of service attacks, spoofing, and toll fraud. They can filter traffic, authenticate users, and enforce policies to secure VoIP infrastructure and services. The document also compares SBCs to traditional firewalls and explains how SBCs can better handle real-time multimedia communications.
FLIR provides security cameras and video management software for commercial and government customers. The document discusses FLIR's product portfolio including thermal cameras, network video recorders, video management software, and IP cameras. It also outlines FLIR's local support structure in Latin America and lists some of their customers in the region.
This document discusses penetration testing of VoIP networks using the Viproy VoIP penetration testing kit. It begins with an introduction of the author and his background in VoIP security. It then demonstrates the Viproy kit in action and discusses basic attacks against SIP services like discovery, footprinting, and spoofing calls. It also covers more advanced attacks like the SIP proxy bounce attack, creating fake services to perform man-in-the-middle attacks, distributed denial of service attacks, and exploiting trust relationships between SIP gateways. The document concludes by discussing fuzzing SIP services and clients to find vulnerabilities.
The MyPBX U5 Series is an enterprise-grade IP PBX solution for businesses requiring up to 500 users and 80 concurrent calls. It offers modular hardware that can be customized with different port types, as well as robust communication features, scalability, and cost savings through an easy-to-use web interface without additional licensing fees.
Self Contained Encrypted Voice solution for business and government. Central server + iphone and android app, high level of encrypted voice and text message capability that resides completely onsite, works anywhere from one enabled comms device to another on the same network
Hardware Hacking Chronicles: IoT Hacking for Offence and DefenceFatih Ozavci
Enterprise companies are using consumer and IoT devices to complete (or expand) their services such as broadband, IPTV, media streaming, satellite, voice and 3G/4G services. Although the devices are owned by the service providers, subscribers have limited (or full) access to them with service agreements. In addition to that, some of consumer devices also have roles on corporate communications, environment security or employee services. Consumer devices are located at subscriber premises; therefore, the traditional security testing approach only covers backend services security, not the devices.
Consumer and IoT devices are susceptible to hardware hacking based attacks such as firmware dumping, re-flashing with a custom firmware, and getting low level access using the physical management interfaces such as SPI, JTAG and UART. Low level access obtained can be used to modify device behaviours or their initial states. This helps attackers to debug consumer devices and operator services, to find new vulnerabilities, and to obtain the device configuration which may contain credentials for the service infrastructure.
Embedded device and hardware hacking is a rising skill set for penetration testers. It is required to understand targeted attacks which may include hardware implants, modified hardware attacking their own infrastructure or compromised devices that target the human factor. Some of advanced testing examples to be discussed are preparing a custom hardware for persistent access during a red teaming exercise, preparing a compromised consumer device for human factor pen-testing, attacking TR-069 services of a provider using smart home modems or altering the security controls of a device to abuse the service.
The presentation focuses on how the existing security testing techniques should be evolved with hardware and IoT hacking, and how service providers can make their infrastructure secure for cutting-edge attacks. Essential hardware hacking information, identifying and using physical management interfaces, hardware hacking toolset, well-known hardware attacks and hardware testing procedure will be presented in a road map for consumer devices security testing. Also a security testing approach will be explained to develop new security testing services and to improve existing ones such as red teaming, human factor pen-testing and infrastructure pen-testing.
The Art of VoIP Hacking - Defcon 23 WorkshopFatih Ozavci
VoIP attacks have evolved, and they are targeting Unified Communications (UC), commercial services, hosted environment and call centres using major vendor and protocol vulnerabilities. This workshop is designed to demonstrate these cutting edge VoIP attacks, and improve the VoIP skills of the incident response teams, penetration testers and network engineers. Signalling protocols are the centre of UC environments, but also susceptible to IP spoofing, trust issues, call spoofing, authentication bypass and invalid signalling flows. They can be hacked with legacy techniques, but a set of new attacks will be demonstrated in this workshop. This workshop includes basic attack types for UC infrastructure, advanced attacks to the SIP and Skinny protocol weaknesses, network infrastructure attacks, value added services analysis, Cdr/Log/Billing analysis and Viproy use to analyse signalling services using novel techniques. Also the well-known attacks to the network infrastructure will be combined with the current VoIP vulnerabilities to test the target workshop network. Attacking VoIP services requires limited knowledge today with the Viproy Penetration Testing Kit (written by Fatih). It has a dozen modules to test trust hacking issues, information collected from SIP and Skinny services, gaining unauthorised access, call redirection, call spoofing, brute-forcing VoIP accounts, Cisco CUCDM exploitation and debugging services using as MITM. Furthermore, Viproy provides these attack modules in the Metasploit Framework environment with full integration. The workshop contains live demonstration of practical VoIP attacks and usage of the Viproy modules.
In this hands-on workshop, attendees will learn about basic attack types for UC infrastructure, advanced attacks to the SIP protocol weaknesses, Cisco Skinny protocol hacking, hacking Cisco CUCDM and CUCM servers, network infrastructure attacks, value added services analysis, Cdr/Log/Billing analysis and Viproy VoIP pen-test kit to analyse VoIP services using novel techniques. New CDP, CUCDM and Cisco Skinny modules and techniques of Viproy will be demonstrated in the workshop as well.
This document discusses techniques for system enumeration, including establishing null sessions, enumerating user accounts, SNMP scanning, and Active Directory enumeration. It provides an overview of the system hacking cycle and covers various tools that can be used to extract information like user names, machine names, shares, and services through techniques like null sessions, SNMP probing, and using default credentials. The document also discusses countermeasures for these enumeration methods.
The document discusses the evolution of ICT security from the perspective of wiretapping scandals. It covers how phone and network communications can be intercepted through both legal and potentially illegal means. Methods of interception include lawful intercept systems, direct access to telecom infrastructure, wireless hijacking using devices like IMSI catchers, and installing malware. Oversight of wiretapping is an issue if the same organizations conducting investigations also control the interception systems and approve requests. Encryption and decentralized networks may help address some interception risks.
This document provides a user guide for CounterPath X-Lite 3.0 softphone application. It describes what X-Lite is, how to install and configure it, and how to use its basic calling features. The guide explains how to set up accounts, contacts lists, and voicemail. It also outlines the on-screen interface and call controls, and how to place, receive, and end calls.
The document discusses techniques for detecting denial-of-service (DoS) attacks in Session Initiation Protocol (SIP)-based Voice over IP (VoIP) networks. It reviews several proposed detection mechanisms, including statistical detection using Hellinger's distance, a double-layered architecture using traffic scanning, and a distributed filtering mechanism. It also summarizes a mitigation mechanism that analyzes SIP messages and calls and a technique using entropy analysis to identify attacks. Overall, the document surveys different existing approaches for detecting DoS attacks that aim to disrupt availability in SIP-based VoIP networks.
SIP Threat Management device which is released by ALLO.COM is installed in front of any SIP based PBX system or VOIP gateway and offers extra layers of security against numerous types of attacks that are targeted towards IP telephony infrastructure. The features offered by the STM complement those of a traditional firewall or UTM, and it can be installed in conjunction with a UTM.
Instead of losing thousands of dollars due to the victim of VOIP attacks, invest on 300$ worth of ALLO STM, which is plug & play.
Investing in an STM to protect your communications network is a must.
As presented at ITExpo 2017 and the April Peerlyst Tel-Aviv security Meetup.
Can your company afford to ignore VoIP security? With the number of attacks on your telephone services and mobile devices your chance of being attacked and financial liability is at an all time high. This session offers an introductory primer to securing your VoIP PBX. This talk will include explanations about common attacks, how they can find you, and common techniques you can use to defend your company.
Hacking Trust Relationships Between SIP GatewaysFatih Ozavci
This document describes how to hack the trust relationships between SIP proxies by spoofing SIP INVITE requests. It involves sending IP spoofed INVITEs from a trusted operator's network to detect the IP address and port of another operator's SIP trunk, which accepts calls without authentication. A template INVITE is prepared and looped through possible IP/port combinations. If a call is received, the spoofed SIP trunk details have been discovered and can be used to initiate fake calls.
This document discusses security issues related to Voice over Internet Protocol (VoIP). It begins by explaining what VoIP is and some of its early implementations. It then describes the basic protocols and protocol stacks used for VoIP signaling and sessions, including H.323, SIP, and RTP. The document outlines various roles in VoIP systems, such as administrators and operators. It identifies common attacks against VoIP networks like theft of service, man-in-the-middle attacks, IP spoofing, and denial-of-service attacks. It concludes that VoIP inherits security vulnerabilities from the Internet and that encryption, authentication, firewalls, and separating voice and data traffic are needed to secure VoIP networks.
The MyPBX U100 is a 1U rack mount IP PBX for up to 100 users that supports ISDN, PSTN, GSM, and VoIP network access. It provides enterprise-class communication features and functionality for small businesses through an easy to use web interface. The modular system allows for customizable hardware combinations and is compatible with a wide range of IP phones with no future licensing fees required.
FortressFone is a secure smartphone system engineered for military-grade security. It features encrypted calls, texts, and cloud access. The system hardens the entire device to prevent hacking or data extraction from a stolen phone. It uses a secret-level approved secure SD card and "double pipe" encryption to securely establish communications channels. The system provides customers full control over their secure server and key management through proprietary technology.
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)Fatih Ozavci
Enterprise companies are increasingly using Microsoft Lync 2010/2013 (a.k.a Skype for Business 2015) services as call centre, internal communication, cloud communication and video conference platform. These services are based on the VoIP and instant messaging protocols, and support multiple client types such as Microsoft Office 365, Microsoft Lync, Skype for Business, IP phones and teleconference devices. Also the official clients are available for mobile devices (e.g. Windows phone, Android and iOS), desktops (Mac, Linux and Windows) and web applications developed with .NET framework. Although the Microsoft Lync platform has been developed along with the new technologies, it still suffers from old VoIP, teleconference and platform issues.
Modern VoIP attacks can be used to attack Microsoft Lync environments to obtain unauthorised access to the infrastructure. Open MS Lync frontend and edge servers, insecure federation security design, lack of encryption, insufficient defence for VoIP attacks and insecure compatibility options may allow attackers to hijack enterprise communications. The enterprise users and employees are also the next generation targets for these attackers. They can attack client soft phones and handsets using the broken communication, invalid protocol options and malicious messaging content to compromise sensitive business assets. These attacks may lead to privacy violations, legal issues, call/toll fraud and intelligence collection.
Attack vectors and practical threats against the Microsoft Lync ecosystem will be presented with newly published vulnerabilities and Microsoft Lync testing modules of the Viproy VoIP kit developed by the speaker. This will be accompanied by live demonstrations against a test environment.
• A brief introduction to Microsoft Lync ecosystem
• Security requirements, design vulnerabilities and priorities
• Modern threats against commercial Microsoft Lync services
• Demonstration of new attack vectors against target test platform
This document discusses penetration testing of voice over IP (VoIP) systems. It begins with an overview of VoIP, describing how it allows phone calls over the internet and its common protocols like SIP and RTP. It then covers attacks like information gathering, eavesdropping on traffic, VLAN hopping, spoofing caller ID, and denial of service vulnerabilities. The document concludes with a checklist of penetration testing techniques for VoIP systems, such as VLAN hopping, extension enumeration, capturing SIP authentication, eavesdropping on calls, and callerID spoofing.
This document discusses the importance of Session Border Controllers (SBCs) for Voice over Internet Protocol (VoIP) networks. It outlines how SBCs provide session control, security, interoperability, and demarcation. SBCs help protect against various VoIP threats like denial of service attacks, spoofing, and toll fraud. They can filter traffic, authenticate users, and enforce policies to secure VoIP infrastructure and services. The document also compares SBCs to traditional firewalls and explains how SBCs can better handle real-time multimedia communications.
FLIR provides security cameras and video management software for commercial and government customers. The document discusses FLIR's product portfolio including thermal cameras, network video recorders, video management software, and IP cameras. It also outlines FLIR's local support structure in Latin America and lists some of their customers in the region.
This document discusses penetration testing of VoIP networks using the Viproy VoIP penetration testing kit. It begins with an introduction of the author and his background in VoIP security. It then demonstrates the Viproy kit in action and discusses basic attacks against SIP services like discovery, footprinting, and spoofing calls. It also covers more advanced attacks like the SIP proxy bounce attack, creating fake services to perform man-in-the-middle attacks, distributed denial of service attacks, and exploiting trust relationships between SIP gateways. The document concludes by discussing fuzzing SIP services and clients to find vulnerabilities.
The MyPBX U5 Series is an enterprise-grade IP PBX solution for businesses requiring up to 500 users and 80 concurrent calls. It offers modular hardware that can be customized with different port types, as well as robust communication features, scalability, and cost savings through an easy-to-use web interface without additional licensing fees.
Self Contained Encrypted Voice solution for business and government. Central server + iphone and android app, high level of encrypted voice and text message capability that resides completely onsite, works anywhere from one enabled comms device to another on the same network
Hardware Hacking Chronicles: IoT Hacking for Offence and DefenceFatih Ozavci
Enterprise companies are using consumer and IoT devices to complete (or expand) their services such as broadband, IPTV, media streaming, satellite, voice and 3G/4G services. Although the devices are owned by the service providers, subscribers have limited (or full) access to them with service agreements. In addition to that, some of consumer devices also have roles on corporate communications, environment security or employee services. Consumer devices are located at subscriber premises; therefore, the traditional security testing approach only covers backend services security, not the devices.
Consumer and IoT devices are susceptible to hardware hacking based attacks such as firmware dumping, re-flashing with a custom firmware, and getting low level access using the physical management interfaces such as SPI, JTAG and UART. Low level access obtained can be used to modify device behaviours or their initial states. This helps attackers to debug consumer devices and operator services, to find new vulnerabilities, and to obtain the device configuration which may contain credentials for the service infrastructure.
Embedded device and hardware hacking is a rising skill set for penetration testers. It is required to understand targeted attacks which may include hardware implants, modified hardware attacking their own infrastructure or compromised devices that target the human factor. Some of advanced testing examples to be discussed are preparing a custom hardware for persistent access during a red teaming exercise, preparing a compromised consumer device for human factor pen-testing, attacking TR-069 services of a provider using smart home modems or altering the security controls of a device to abuse the service.
The presentation focuses on how the existing security testing techniques should be evolved with hardware and IoT hacking, and how service providers can make their infrastructure secure for cutting-edge attacks. Essential hardware hacking information, identifying and using physical management interfaces, hardware hacking toolset, well-known hardware attacks and hardware testing procedure will be presented in a road map for consumer devices security testing. Also a security testing approach will be explained to develop new security testing services and to improve existing ones such as red teaming, human factor pen-testing and infrastructure pen-testing.
The Art of VoIP Hacking - Defcon 23 WorkshopFatih Ozavci
VoIP attacks have evolved, and they are targeting Unified Communications (UC), commercial services, hosted environment and call centres using major vendor and protocol vulnerabilities. This workshop is designed to demonstrate these cutting edge VoIP attacks, and improve the VoIP skills of the incident response teams, penetration testers and network engineers. Signalling protocols are the centre of UC environments, but also susceptible to IP spoofing, trust issues, call spoofing, authentication bypass and invalid signalling flows. They can be hacked with legacy techniques, but a set of new attacks will be demonstrated in this workshop. This workshop includes basic attack types for UC infrastructure, advanced attacks to the SIP and Skinny protocol weaknesses, network infrastructure attacks, value added services analysis, Cdr/Log/Billing analysis and Viproy use to analyse signalling services using novel techniques. Also the well-known attacks to the network infrastructure will be combined with the current VoIP vulnerabilities to test the target workshop network. Attacking VoIP services requires limited knowledge today with the Viproy Penetration Testing Kit (written by Fatih). It has a dozen modules to test trust hacking issues, information collected from SIP and Skinny services, gaining unauthorised access, call redirection, call spoofing, brute-forcing VoIP accounts, Cisco CUCDM exploitation and debugging services using as MITM. Furthermore, Viproy provides these attack modules in the Metasploit Framework environment with full integration. The workshop contains live demonstration of practical VoIP attacks and usage of the Viproy modules.
In this hands-on workshop, attendees will learn about basic attack types for UC infrastructure, advanced attacks to the SIP protocol weaknesses, Cisco Skinny protocol hacking, hacking Cisco CUCDM and CUCM servers, network infrastructure attacks, value added services analysis, Cdr/Log/Billing analysis and Viproy VoIP pen-test kit to analyse VoIP services using novel techniques. New CDP, CUCDM and Cisco Skinny modules and techniques of Viproy will be demonstrated in the workshop as well.
This document discusses techniques for system enumeration, including establishing null sessions, enumerating user accounts, SNMP scanning, and Active Directory enumeration. It provides an overview of the system hacking cycle and covers various tools that can be used to extract information like user names, machine names, shares, and services through techniques like null sessions, SNMP probing, and using default credentials. The document also discusses countermeasures for these enumeration methods.
The document discusses the evolution of ICT security from the perspective of wiretapping scandals. It covers how phone and network communications can be intercepted through both legal and potentially illegal means. Methods of interception include lawful intercept systems, direct access to telecom infrastructure, wireless hijacking using devices like IMSI catchers, and installing malware. Oversight of wiretapping is an issue if the same organizations conducting investigations also control the interception systems and approve requests. Encryption and decentralized networks may help address some interception risks.
This document provides a user guide for CounterPath X-Lite 3.0 softphone application. It describes what X-Lite is, how to install and configure it, and how to use its basic calling features. The guide explains how to set up accounts, contacts lists, and voicemail. It also outlines the on-screen interface and call controls, and how to place, receive, and end calls.
The document discusses techniques for detecting denial-of-service (DoS) attacks in Session Initiation Protocol (SIP)-based Voice over IP (VoIP) networks. It reviews several proposed detection mechanisms, including statistical detection using Hellinger's distance, a double-layered architecture using traffic scanning, and a distributed filtering mechanism. It also summarizes a mitigation mechanism that analyzes SIP messages and calls and a technique using entropy analysis to identify attacks. Overall, the document surveys different existing approaches for detecting DoS attacks that aim to disrupt availability in SIP-based VoIP networks.
SIP Threat Management device which is released by ALLO.COM is installed in front of any SIP based PBX system or VOIP gateway and offers extra layers of security against numerous types of attacks that are targeted towards IP telephony infrastructure. The features offered by the STM complement those of a traditional firewall or UTM, and it can be installed in conjunction with a UTM.
Instead of losing thousands of dollars due to the victim of VOIP attacks, invest on 300$ worth of ALLO STM, which is plug & play.
Investing in an STM to protect your communications network is a must.
As presented at ITExpo 2017 and the April Peerlyst Tel-Aviv security Meetup.
Can your company afford to ignore VoIP security? With the number of attacks on your telephone services and mobile devices your chance of being attacked and financial liability is at an all time high. This session offers an introductory primer to securing your VoIP PBX. This talk will include explanations about common attacks, how they can find you, and common techniques you can use to defend your company.
An approach to mitigate DDoS attacks on SIP.pptxamalouwarda1
This document proposes an approach to mitigate distributed denial of service (DDoS) attacks on voice over internet protocol (VoIP) systems. It discusses common VoIP attacks like eavesdropping, reconnaissance, and DDoS attacks. The proposed system would use Suricata as an intrusion detection and prevention system to analyze VoIP traffic, detect attacks, and trigger mitigation responses. It recommends configuring call limits, updating device firmware, and using a buffer server to filter traffic as countermeasures against DDoS attacks on SIP-based VoIP networks.
WebRTC introduces new security considerations for real-time communications. The document discusses various VoIP attacks that could impact WebRTC like denial of service, fraud, and illegal interception. It also examines vulnerabilities from accessing devices, signaling sent in plain text, and cross protocol attacks. The presentation recommends using TLS for signaling, getting user permission for devices, DTLS-SRTP for media encryption, and identity management through providers. Integrating WebRTC with IMS can leverage the authentication of IMS subscriptions for web credentials.
- VoIP attacks Denial of service. Fraud. Illegal interception. Illegal control.
- Adhoc WebRTC attacks: malicious HTML code. Webservers. Forced DoS. Cam/mic control. Etc.
- Protection: Role of border elements (SBC, media gateways,...). WebRTC Portal and web servers. Browser mechanisms
- Identity Management: Anonymous calls. OpenID and third parties. Telco identity. Real implementations
This document discusses how to make an Asterisk system more secure. It begins by explaining that PBX systems are targets for hackers and how they can find unsecured systems. It then provides recommendations for securing the physical device, operating system, network, Asterisk configuration, SIP, and dialplan. Resources discussed include taking Asterisk security courses, reviewing the Asterisk wiki for security articles, keeping systems updated, and using dedicated VoIP security products to monitor for attacks.
The document discusses using inexpensive prepaid phones to conduct telephony denial-of-service (TDoS) attacks. It describes how the phones can be modified by unlocking their bootloaders and flashing them with custom firmware, allowing them to make thousands of spoofed calls in order to crash a target organization's phone system. The document shows how a kit with multiple modified phones, solar chargers, and other basic equipment could be used to conduct sustained TDoS attacks for around $21.
Authenticated Identites in VoIP Call ControlWarren Bent
- IETF RFC 4474 proposes using public key infrastructure and certificate signing to authenticate the identity of the originator of SIP messages like INVITE requests. This allows receivers to verify identities and eliminates the need for complex firewall rules between peering networks.
- While it offers security and efficiency benefits, challenges include getting widespread adoption given the "chicken and egg" problem, managing certificates, and handling alterations to SIP messages by network elements that could invalidate signatures.
- A reference system is needed to test interoperability, address real-world issues, and potentially revise the RFC based on lessons learned.
The document discusses authentication of identities in VoIP calls and proposes using IETF RFC 4474 as an alternative to current authentication methods. RFC 4474 utilizes PKI techniques like signed SIP messages to authenticate identities, simplifying peering relationships while providing more security. However, challenges include getting widespread adoption as real-world issues around message alterations in networks need to be addressed.
Conferencia de Santiago Troncoso expuesta en la última edición de VoIP2DAY en la que nos explica cómo WebRTC hereda todas las amenazas de los servicios VoIP tradicionales junto con los ataques web existentes y nos da algunas claves sobre cómo mantener la seguridad de los servicios.
VOIP2DAY 2015: "WebRTC security concerns, a real problem?"Quobis
WebRTC inherits all the threats of traditional VoIP services together with existing web attacks. In this session Antón Román will explain this together with ad-hoc WebRTC attacks and ways to deal with Identity and keep the services secure.
- VoIP attacks Denial of service. Fraud. Illegal interception. Illegal control.
- Adhoc WebRTC attacks: malicious HTML code. Webservers. Forced DoS. Cam/mic control. Etc.
- Protection: Role of border elements (SBC, media gateways,...). WebRTC Portal and web servers. Browser mechanisms
- Identity Management: Anonymous calls. OpenID and third parties. Telco identity. Real implementations
F5 provides comprehensive application security and DDoS protection solutions. It uses a full proxy security architecture with hardware-based mitigation of DDoS attacks. The document describes F5's security architecture which includes perimeter network firewall services, DNS security, web application firewall, and DDoS protection across layers 3 to 7 using scrubbing centers and global points of presence. It also summarizes F5's routed and proxy configuration options for DDoS protection and provides details on its AttackView portal for attack visibility and mitigation configuration.
F5 provides both on-premises and cloud-based DDoS protection solutions. Their hybrid approach mitigates attacks at the network, transport, and application layers using hardware-accelerated detection and filtering of over 110 DDoS vector types. Key capabilities include comprehensive L3-L7 protection, multi-terabit cloud scrubbing, and integration of network firewall and web application firewall technologies to strengthen security and ensure application availability even during large DDoS attacks.
Fortinet Mikulov 2020 -Jen chránit síť nestačí.ppsxAlejandro Daricz
Fortinet offers a comprehensive cybersecurity platform called the Fortinet Security Fabric. The platform provides:
1) Broad visibility and management of the entire digital attack surface through an integrated solution of multiple security components to simplify operations.
2) Automated workflows to increase the speed of security operations and response.
3) Flexible consumption models and a single management console for deploying security across networks, endpoints, cloud, and applications.
More businesses are adopting VoIP due to cost savings and features, but it also brings security risks if not properly secured. VoIP traffic flows like unprotected data and is vulnerable to eavesdropping, hacked voicemail, spoofing and denial of service attacks. The Shodan search engine reveals unsecured VoIP devices online. Best practices include separating voice and data traffic, encrypting sensitive calls, keeping systems updated, restricting call types and training employees. Without proper security, VoIP systems risk exposing private information through breaches.
This document provides an overview of the Fortinet Security Fabric. It discusses how the Security Fabric provides end-to-end security across the entire network from IoT to cloud by integrating Fortinet's security solutions. It also highlights key capabilities of the Security Fabric such as being scalable, aware, secure, actionable and open.
VoIP Security: An Overview discusses the security challenges of Voice over IP (VoIP) technology. It notes that VoIP inherits vulnerabilities from TCP/IP networks and uses the corporate network, making it complex to secure. Common VoIP threats include denial of service attacks, interception attacks, covert channels, and vulnerabilities in VoIP platforms. The document outlines example attacks and tools used by hackers. It recommends countermeasures like network separation, encryption of SIP and RTP, firewalls, intrusion detection systems, and hardening VoIP infrastructure and devices. VoIP honeypots can also be used to detect attackers.
This document is a presentation on VOIP (Voice over Internet Protocol) submitted by Md. Rokonuzzaman to Md. Abdul Baset at Dhaka International University. It defines VOIP as technology that allows phone calls over the internet instead of traditional phone lines. It discusses VOIP applications like Skype, how VOIP works by converting voice to digital signals over internet, the VOIP architecture, and some technical issues like choppy voice, echo, jitter buffer, bandwidth problems, and how to monitor the network. It also briefly mentions some legal issues regarding international location independence and encryption with VOIP.
PacNOG 22: Intrusion in cybsecurity - observations from Honeynet dataAPNIC
This document discusses trends in cybersecurity intrusions based on observations from a honeynet project. It begins with an overview of the agenda and discusses trends seen in hacking incidents and data breaches. The document then examines observations from a honeynet project run by APNIC, noting that routers and IoT devices are frequently compromised via weak or default credentials to download and run malicious scripts from remote servers. The document concludes with recommendations on basic cybersecurity best practices like keeping systems updated and using strong, unique passwords to help prevent intrusions.
Similar to PLNOG 5: Rainer Baeder - Fortinet Overview, Fortinet VoIP Security (20)
Why Psychological Safety Matters for Software Teams - ACE 2024 - Ben Linders.pdfBen Linders
Psychological safety in teams is important; team members must feel safe and able to communicate and collaborate effectively to deliver value. It’s also necessary to build long-lasting teams since things will happen and relationships will be strained.
But, how safe is a team? How can we determine if there are any factors that make the team unsafe or have an impact on the team’s culture?
In this mini-workshop, we’ll play games for psychological safety and team culture utilizing a deck of coaching cards, The Psychological Safety Cards. We will learn how to use gamification to gain a better understanding of what’s going on in teams. Individuals share what they have learned from working in teams, what has impacted the team’s safety and culture, and what has led to positive change.
Different game formats will be played in groups in parallel. Examples are an ice-breaker to get people talking about psychological safety, a constellation where people take positions about aspects of psychological safety in their team or organization, and collaborative card games where people work together to create an environment that fosters psychological safety.
This presentation by Professor Alex Robson, Deputy Chair of Australia’s Productivity Commission, was made during the discussion “Competition and Regulation in Professions and Occupations” held at the 77th meeting of the OECD Working Party No. 2 on Competition and Regulation on 10 June 2024. More papers and presentations on the topic can be found at oe.cd/crps.
This presentation was uploaded with the author’s consent.
This presentation by OECD, OECD Secretariat, was made during the discussion “Pro-competitive Industrial Policy” held at the 143rd meeting of the OECD Competition Committee on 12 June 2024. More papers and presentations on the topic can be found at oe.cd/pcip.
This presentation was uploaded with the author’s consent.
The importance of sustainable and efficient computational practices in artificial intelligence (AI) and deep learning has become increasingly critical. This webinar focuses on the intersection of sustainability and AI, highlighting the significance of energy-efficient deep learning, innovative randomization techniques in neural networks, the potential of reservoir computing, and the cutting-edge realm of neuromorphic computing. This webinar aims to connect theoretical knowledge with practical applications and provide insights into how these innovative approaches can lead to more robust, efficient, and environmentally conscious AI systems.
Webinar Speaker: Prof. Claudio Gallicchio, Assistant Professor, University of Pisa
Claudio Gallicchio is an Assistant Professor at the Department of Computer Science of the University of Pisa, Italy. His research involves merging concepts from Deep Learning, Dynamical Systems, and Randomized Neural Systems, and he has co-authored over 100 scientific publications on the subject. He is the founder of the IEEE CIS Task Force on Reservoir Computing, and the co-founder and chair of the IEEE Task Force on Randomization-based Neural Networks and Learning Systems. He is an associate editor of IEEE Transactions on Neural Networks and Learning Systems (TNNLS).
XP 2024 presentation: A New Look to Leadershipsamililja
Presentation slides from XP2024 conference, Bolzano IT. The slides describe a new view to leadership and combines it with anthro-complexity (aka cynefin).
This presentation by Professor Giuseppe Colangelo, Jean Monnet Professor of European Innovation Policy, was made during the discussion “The Intersection between Competition and Data Privacy” held at the 143rd meeting of the OECD Competition Committee on 13 June 2024. More papers and presentations on the topic can be found at oe.cd/ibcdp.
This presentation was uploaded with the author’s consent.
This presentation by Nathaniel Lane, Associate Professor in Economics at Oxford University, was made during the discussion “Pro-competitive Industrial Policy” held at the 143rd meeting of the OECD Competition Committee on 12 June 2024. More papers and presentations on the topic can be found at oe.cd/pcip.
This presentation was uploaded with the author’s consent.
This presentation by Yong Lim, Professor of Economic Law at Seoul National University School of Law, was made during the discussion “Artificial Intelligence, Data and Competition” held at the 143rd meeting of the OECD Competition Committee on 12 June 2024. More papers and presentations on the topic can be found at oe.cd/aicomp.
This presentation was uploaded with the author’s consent.
This presentation by Katharine Kemp, Associate Professor at the Faculty of Law & Justice at UNSW Sydney, was made during the discussion “The Intersection between Competition and Data Privacy” held at the 143rd meeting of the OECD Competition Committee on 13 June 2024. More papers and presentations on the topic can be found at oe.cd/ibcdp.
This presentation was uploaded with the author’s consent.
This presentation by Thibault Schrepel, Associate Professor of Law at Vrije Universiteit Amsterdam University, was made during the discussion “Artificial Intelligence, Data and Competition” held at the 143rd meeting of the OECD Competition Committee on 12 June 2024. More papers and presentations on the topic can be found at oe.cd/aicomp.
This presentation was uploaded with the author’s consent.
Carrer goals.pptx and their importance in real lifeartemacademy2
Career goals serve as a roadmap for individuals, guiding them toward achieving long-term professional aspirations and personal fulfillment. Establishing clear career goals enables professionals to focus their efforts on developing specific skills, gaining relevant experience, and making strategic decisions that align with their desired career trajectory. By setting both short-term and long-term objectives, individuals can systematically track their progress, make necessary adjustments, and stay motivated. Short-term goals often include acquiring new qualifications, mastering particular competencies, or securing a specific role, while long-term goals might encompass reaching executive positions, becoming industry experts, or launching entrepreneurial ventures.
Moreover, having well-defined career goals fosters a sense of purpose and direction, enhancing job satisfaction and overall productivity. It encourages continuous learning and adaptation, as professionals remain attuned to industry trends and evolving job market demands. Career goals also facilitate better time management and resource allocation, as individuals prioritize tasks and opportunities that advance their professional growth. In addition, articulating career goals can aid in networking and mentorship, as it allows individuals to communicate their aspirations clearly to potential mentors, colleagues, and employers, thereby opening doors to valuable guidance and support. Ultimately, career goals are integral to personal and professional development, driving individuals toward sustained success and fulfillment in their chosen fields.
This presentation by OECD, OECD Secretariat, was made during the discussion “The Intersection between Competition and Data Privacy” held at the 143rd meeting of the OECD Competition Committee on 13 June 2024. More papers and presentations on the topic can be found at oe.cd/ibcdp.
This presentation was uploaded with the author’s consent.
This presentation by Juraj Čorba, Chair of OECD Working Party on Artificial Intelligence Governance (AIGO), was made during the discussion “Artificial Intelligence, Data and Competition” held at the 143rd meeting of the OECD Competition Committee on 12 June 2024. More papers and presentations on the topic can be found at oe.cd/aicomp.
This presentation was uploaded with the author’s consent.
Suzanne Lagerweij - Influence Without Power - Why Empathy is Your Best Friend...Suzanne Lagerweij
This is a workshop about communication and collaboration. We will experience how we can analyze the reasons for resistance to change (exercise 1) and practice how to improve our conversation style and be more in control and effective in the way we communicate (exercise 2).
This session will use Dave Gray’s Empathy Mapping, Argyris’ Ladder of Inference and The Four Rs from Agile Conversations (Squirrel and Fredrick).
Abstract:
Let’s talk about powerful conversations! We all know how to lead a constructive conversation, right? Then why is it so difficult to have those conversations with people at work, especially those in powerful positions that show resistance to change?
Learning to control and direct conversations takes understanding and practice.
We can combine our innate empathy with our analytical skills to gain a deeper understanding of complex situations at work. Join this session to learn how to prepare for difficult conversations and how to improve our agile conversations in order to be more influential without power. We will use Dave Gray’s Empathy Mapping, Argyris’ Ladder of Inference and The Four Rs from Agile Conversations (Squirrel and Fredrick).
In the session you will experience how preparing and reflecting on your conversation can help you be more influential at work. You will learn how to communicate more effectively with the people needed to achieve positive change. You will leave with a self-revised version of a difficult conversation and a practical model to use when you get back to work.
Come learn more on how to become a real influencer!
2. Fortinet ConfidentialFortinet Confidential
Fortinet Overview
Market-Leading Provider of End-to-End IT Security Solutions
Company Stats
• Founded in 2000
• Silicon Valley-based, strong
global presence with
32+ offices worldwide
• $212M+ in revenues (2008)
• Seasoned and proven
executive management team
• 1,250+ employees /
750+ engineers
• 550,000+ FortiGate devices
shipped worldwide
Innovative,
Best-in-Class
Technologies and
Products
• Six ICSA certifications
(Firewall, AV, IPS, IPSec VPN,
SSL VPN, Anti-Spam)
• Strong IP portfolio – 20+
patents; 80+ pending
• Government Certifications
(FIPS-2, Common Criteria
EAL4+, NIST)
• Consistent Antivirus Validation
– (Virus Bulletin 100 approved; 2005,
2006, 2007, 2008)
3. Fortinet ConfidentialFortinet Confidential
Still not relevant to you ??
Cyberwarfare: VoIP and Convergence
Increase Vulnerability
David L. Fraley
By 2005, the United States and other nations will have the ability to
conduct cyberwarfare. The increasing use of Voice over IP and the
converging of voice/data networks is facilitating it.
The U.S. military complex continues work on Presidential Directive 16, including developing the
rules and tools. The United States is not the only government thinking about cyberattacks. In the
second quarter of 1995, Major General Wang Pufeng of The Chinese Army published a paper,
―The Challenge of Information Warfare.‖ In this paper, Pufeng writes that the information era will
touch off a revolution in military affairs.
The aspects of cyberwarfare have been considered for years. Future cyberattacks could
constitute an entire war or an attack type as part of a larger campaign. Cyberwarfare, like any
military operation, has two components — offensive and defensive operations.
4. Fortinet ConfidentialFortinet Confidential
Phony Phone Calls Distract Consumers from Genuine Theft
TDoS - FBI and Partners Warn Public
• NEWARK, NJ—Have you recently received a large number of
strange and unexplained calls on your mobile or landline
telephones? The FBI is warning consumers about a new scheme
that uses telecommunications denial-of-service attacks as a
diversion to what is really happening: the looting of bank and
online trading accounts.
• The Scheme
– The scheme is known as telephony denial-of–service (TDOS) and
according to several telecommunications companies working with the
FBI, there has been a recent surge of these attacks in the past few
weeks. The perpetrators are suspected of using automated dialing
programs and multiple accounts to overwhelm the land and cell
phone lines of their victims with thousands of calls. When the
calls are answered, the victim may hear anything from dead air
(nothing on the other end), an innocuous recorded message, an
advertisement, or even a telephone sex menu. The calls are
typically short in duration but so numerous that victims have had to
have their numbers changed to make the calls stop…….
http://newark.fbi.gov/pressrel/pressrel10/nk051110.htm
5. Fortinet ConfidentialFortinet Confidential
Cloud Attacking
• Amazon EC2 - Amazon Elastic Compute Cloud
– Complaints of rampant SIP Brute Force Attacks coming from
servers with Amazon EC2 IP Addresses cause many admins to
simply drop all Amazon EC2 traffic. Generally, SIP brute force
attacks attempt to register various peer names to a system and/or
attempt to guess passwords of known/guesses peers or endpoints.
– The complaints mentioned this weekend show an excessive
amount of traffic; with some providers claiming 6GB of traffic
dedicated to such attacks. Since we ourselves received an attack
from an Amazon hosted server, we also reported and complained
to the Amazon NOC/Abuse depts
7. Fortinet ConfidentialFortinet Confidential
• Fortinet‘s IPS is SIP aware
– SIP decode is available
• Allows attack prevention and detection with a signature database.
• Signature updates available from Fortinet‘s FortiGuard service
with a very short response time.
• Customer signatures allow service personell to write their own
prevention or detection rules
– Could be used for the quickest reaction to a sudden security threat
• SIP aware IPS customer signature example from a customer:
– F-SBID( --name "SIP.Proxy.Require.Header.Buffer.Overflow"; --protocol udp; --service SIP; --flow
from_client; --pattern "OPTIONS|20|sip|3a|"; --no_case; --context uri; --within 12,context; --pattern
"Proxy-Require|3a 20|"; --no_case; --distance 8; --within 500; --context header; --pattern !"|0a|"; --
within_abs 500; )
– This signature blocks OPTION messages with a “Proxy-Require” field.
IPS – Intrusion Prevent and Detection
8. Fortinet ConfidentialFortinet Confidential
VoIP Blacklist Project
• 2010-09-20 10:08:06 NOTICE[14155] chan_sip.c: Registration from
'"3147172873"<sip:3147172873@208.51.xxx.xxx>' failed for
'206.71.179.32' - Username/auth name mismatch
• 2010-09-20 10:08:06 NOTICE[14155] chan_sip.c: Registration from
'"thomas"<sip:thomas@208.51.xxx.xxx>' failed for '206.71.179.32' -
Username/auth name mismatch
• 2010-09-20 10:08:06 NOTICE[14155] chan_sip.c: Registration from
'"arsenal"<sip:arsenal@208.51.xxx.xxx>' failed for '206.71.179.32'
- Username/auth name mismatch
• 2010-09-20 10:08:06 NOTICE[14155] chan_sip.c: Registration from
'"monkey"<sip:monkey@208.51.xxx.xxx>' failed for '206.71.179.32' -
Username/auth name mismatch
• 2010-09-20 10:08:06 NOTICE[14155] chan_sip.c: Registration from
'"charlie"<sip:charlie@208.51.xxx.xxx>' failed for '206.71.179.32'
- Username/auth name mismatch
• .......
• and a couple 100 thousand more like this
http://www.infiltrated.net/voipabuse/logs/americanis.txt.gz
10. Fortinet ConfidentialFortinet Confidential
SPIT (SPAM over Internet Telephony)
B
Bob
Attacker
• Penetration with Ads or other UC
(Unsolicited Communication)
• SPAM is well known to everybody using email
• Up to 80% of all emails are SPAM
– Depending on how long you use the mail account
already
• Why should it be different with VoIP
• Today mainly unknown ...
• With the SPAM knowledge of the FortiMail
Fortinet is best positioned to extend the VoIP
Security with upcoming major threats of SPIT
Attacker
B
Bob
Attacker
A
Alice
11. Fortinet ConfidentialFortinet Confidential
Hacking VoIP for Scrippy Kids
Example of detailled hacking is described
Enumerating SIP Devices on a Network
Here‘s how to enumerate SIP devices on a network, step by step:
1. Download Nmap from http://insecure.org/nmap/.
2. Enter nmap on the command line (Windows) or shell (Unix) to retrieve
the syntax of the tool.
3. Enter the following nmap command on the command line/shell to
enumerate SIP User Agents and other intermediate devices.
nmap.exe -sU -p 5060 IP Address Range
4. Or, for a class B network address range on a 172.16.0.0 network, enter:
nmap.exe -sU -p 5060 172.16.0.0/16
5. Each IP address that shows open for the STATE (as shown in Figure 2-
2) is probably a SIP device. As you can see in Figure 2-2, the
addresses 172.16.1.109 and 172.16.1.244 are probably SIP devices.
etc
C:Documents and SettingsrbaiderMy DocumentsBooksAufräumenHac_VoIP.chm
12. Fortinet ConfidentialFortinet Confidential
Hacking VoIP for Scrippy Kids
Example of detailled hacking is described
Attack – UDP Flooding Attacks
Protocol (UDP) flooding is a preferred type of bandwidth flooding attack because
UDP source addresses can be easily spoofed by the attacker. Spoofing often
allows an attacker the ability to manipulate trust relationships within an
organization to bypass firewalls and other filter devices (for example, by
crafting a DoS stream to appear as a DNS response over UDP port 53).
Almost all SIP-capable devices support UDP, which makes it an effective choice of
attack transport. Many VoIP devices and operating systems can be crippled
if a raw UDP packet flood is aimed at the listening SIP port (5060) or even at
random ports.
Companion Web Site Check out our website at http://www.hackingvoip.com for our
udpflood tool. There are a variety of other UDP flooding tools freely available
for download from the following sites to test the susceptibility of your
applications and network:
http://www.foundstone.com/resources/freetooldownload.htm?file=udpfl ood.zip
http://packetstormsecurity.org/exploits/DoS/C:Documents and SettingsrbaiderMy
DocumentsBooksAufräumenMcGraw.Hill.Hacking.Exposed.VoIP.Voice.Over.IP.Se
curity.Secrets.&.Solutions.chm
14. Fortinet ConfidentialFortinet Confidential
RFC 3261 - the VoIP RFC Watch
The following graphs illustrate the enormus growing rate of RFCs
which are related to SIP or VoIP in general. www.rfc3261.net
They are regularly (once a week) updated automatically.
Thanks to Dr. Christian Stredicke who wrote the very first version of the
scripts
15. Fortinet ConfidentialFortinet Confidential
VoIP & UC Technology and its Complexity
IM
Server
Operating
Systems
Mobile
Internet
IM
Server
IVR Voice
Mail
PSTN
Gateways
App
ServerWeb
Server
FirewallsE-Mail
Server
IP-PBX
LAN
WAN
Road
Warriors
Remote
Worker
Laptops
Desktop
Directory
Server
Social
Networks
Database
Systems
Skype
Share
Point
SIP
Trunking
Presence
Server
Soft
Phones
Hard
Phones
Policy
Administration
Security
16. Fortinet ConfidentialFortinet Confidential
VoIP Protection Features Summary
• Stateful SIP tracking
• The SIP SFW tracks the SIP session over it‗s lifespan. A SIP-Session
(or SIP dialog) normally is established after the SIP INVITE procedure.
The SIP SFW then tracks this call as a „SIP session―. A Session can for
instance end by regular BYE procedure (users hang-off the phone) or
by another unexpected Signaling or Transport event.
• SIP per request method message rate limitation
• Configurable threshold for SIP message rates per request method.
Protects SIP servers from SIP overload and DoS attacks.
• SIP High Availability (HA)
• Allows to configure HA configuration (active-standby) for SIP. Supports
failover of SIP sessions in case of an active firewall instance fails.
• SIP NAT
• Various NAT policies can be defined for SIP signal sessions and RTP
sessions that are negotiated through the SIP signal session.
• RTP Pinholing
• The SIP SFW opens the respective RTP Ports as long as the SIP
session is alive and conforming with the operator security policies.
• RTP Bypass
• Supports configurations with and without RTP pin-holing. May inspect
and protect SIP signaling only.
• SIP NAT with IP address conservation
• Performs SIP and RTP aware IP Network Address translation.
Preserves the lost IP address information in the SIP/SDP info header
for later processing/debugging in the SIP server.
• SIP Transparent or NAT mode
• The SFW supports a transparent mode, where SIP messages are
inspected but not modified. Just in case of an attack or overload the
SFW becomes visible. The other mode is SIP NAT. In this mode, the
SIP header is modified with regard to translation of IP addresses.
• Support for Geographical Redundancy
• Maintains a active-standby SIP server configuration, which even
supports geographical distribution. If the active SIP server fails (missing
SIP heartbeat messages or SIP traffic) FortiOS will redirect the SIP
traffic to a secondary SIP server.
• SIP command control
• The SIP SFW can block SIP methods. SIP methods that can be
blocked are: ack, bye, cancel, info, invite, notify, options, publish, refer,
register, subscribe, update and „unknown commands―.
• SIP communication logging
• The SIP SFW supports logging to a FortiAnalyzer. The Logfiles will
show up in the „Content Archive― section under the VoIP Tab.
• Hardware accelerated RTP processing
• In cases where RTP is pin-holed by a FortiOS Carrier™ device, it
needs to be understood that RTP packets can be very small (around
100bytes or less), sensitive to processing latency, packet loss or jitter
(packet delay variation). FortiGate devices can offload RTP packet
processing to HW assistance (FortiASIC). This will greatly enhance the
overall throughput and will give the firewall device a multiple GE
wirespeed (1 Gbps) VoIP security solution.
• Media Inactivity
• In some case SIP signaling is established, but the voice bearer (RTP)
is broken. The SIP SFW supports optionally the detection of Media
Inactivity that cleans the SIP call context in the SFW once there‗s no
RTP anymore for a specific time.
• SIP over IPv6
• Supports Signaling Firewall for SIP messages using IPv6 transport.
Limited to SIP over IPv6 in SIP transparent mode (no SIP/RTP NAT of
IPv6 to IPv4)
• IP Topology Hiding
• IP topology of a network can be hidden through NAT and NAPT
manipulation of IP and SIP level addressing.
• Deep SIP header inspection
• Deep SIP header syntax inspection. Prevents from many SIP Fuzzing
attacks with malformed SIP message headers. User configurable
bypass and response message options. SIP conformance violations
can be logged with the FortiAnalyzer.
• Hosted NAT traversal
• Resolves IP address issue in SIP-SDP header due to NAT-PT in far
end firewall. Important feature for VoIP access networks.
17. Fortinet ConfidentialFortinet Confidential
Load
t
Load
t
Bad traffic
Good traffic
Ingress Egress
Normal Load
Max. Server Load
Max. SFW Load
Normal Load
Max. Server Load
Max. SFW Load
Expected counter action
Detect malicious packets and discard them
Prevent the SIP server from DoS related traffic
Do not impact the transport of “good messages”
Provide “blacklisting” of malicious IP sources
DoS attack may consist of
SIP flooding attack (sending 10,000s of messages per second)
Packet storms
Flooding with malformed packets.
Flooding with spoofed identities of random IP addresses
L3-4 Dos attacks (e.g. TCP Sync attacks, etc)
Distributed DoS (e.g from botnets)
Good traffic
Expected DoS Protection
18. Fortinet ConfidentialFortinet Confidential
Load
t
Good traffic
Overload Protection
Throttle SIP messages to specified limits of the corresponding SIP server
Requires discard of good SIP messages
Therefore discard with a drop precedence
Start with SIP messages of low importance, then higher ones.
Maintain existing SIP dialogs at highest priority
Allow server specific message throttling with a per SIP method rate limitation
Ingress
Normal Load
Max. Server Load
Max. SFW Load
Load
t
Good traffic
Egress
Normal Load
Max. Server Load
Max. SFW Load
Expected Overload Protection
19. Fortinet ConfidentialFortinet Confidential
VoIP Security – Per Method Rate Limitation
• SIP message rate limitation
• Individually configurable per
SIP method
• When threshold is hit
additional messages with this
method will be discarded
• Prevents SIP server from
getting overloaded by flash
crowds or Denial-of-Service
attacks.
• May block some methods at all
(with extra “block” option)
• Can be disabled (unlimited
rate)
SIP
INVITE
REGISTER
SUBSCRIBE
NOTIFY
REFER
UPDATE
OPTIONS
MESSAGE
ACK
PRACK
INFO
SIP
20. Fortinet ConfidentialFortinet Confidential
SIP Fuzzing attacks
Buffer overflows
Format String vulnerability
Integer Overflow
Endless loops and logical
errors
Packet Fragmentation
Firmware vulnerability
Often, VoIP Fuzzing is
combined with DoS
Expected Counter Measurement
Detect malicious messages
Discard them or
Replace the dangerous fields
VoIP Fuzzing
21. Fortinet ConfidentialFortinet Confidential
Virtual Domains
• SIP SFW policies configurable per Virtual Domain (VDOM)
• Allows individual configuration per external VoIP network
interface
• Overlapping address space within the same hardware platform
• Multiple Public/Private peers
Virtualization
Interface Route Table State Table Proxies IPS
Interface Route Table State Table Proxies IPS
Interface Route Table State Table Proxies IPS
Interface Route Table State Table Proxies IPS
Interface Route Table State Table Proxies IPS
Root Domain
VDOM-1
VDOM-2
VDOM-3
VDOM-n
.
.
.
Up to 500 VDOMs
supported per
physical
FortiCarrier
device
(250 VDOMs Max
when using full UTM)
MOBILE SECURITY
MANAGED SECURITY
VOICE SECURITY
24. Fortinet ConfidentialFortinet Confidential
VoIP Protection Features FOS 4 MR1
VoIP Features in FortiOS Carrier 4.0 MR1
Stateful SIP tracking The SIP SFW tracks the SIP session over it‗s
lifespan. A SIP-Session (or SIP dialog) normally is
established after the SIP INVITE procedure. The
SIP SFW then tracks this call as a „SIP session―. A
Session can for instance end by regular BYE
procedure (users hang-off the phone) or by another
unexpected Signaling or Transport event.
SIP per request
method message
rate limitation
Configurable threshold for SIP message rates per
request method. Protects SIP servers from SIP
overload and DoS attacks.
SIP High Availability
(HA)
Allows to configure HA configuration (active-
standby) for SIP. Supports failover of SIP sessions
in case of an active firewall instance fails.
SIP NAT Various NAT policies can be defined for SIP signal
sessions and RTP sessions that are negotiated
through the SIP signal session.
RTP Pinholing The SIP SFW opens the respective RTP Ports as
long as the SIP session is alive and conforming
with the operator security policies.
25. Fortinet ConfidentialFortinet Confidential
VoIP Protection Features FOS 4 MR1
VoIP Features in FortiOS Carrier 4.0 MR1
RTP Bypass Supports configurations with and without RTP pin-
holing. May inspect and protect SIP signaling only.
SIP NAT with IP
address
conservation
Performs SIP and RTP aware IP Network Address
translation. Preserves the lost IP address
information in the SIP/SDP info header for later
processing/debugging in the SIP server.
SIP Transparent or
NAT mode
The SFW supports a transparent mode, where SIP
messages are inspected but not modified. Just in
case of an attack or overload the SFW becomes
visible. The other mode is SIP NAT. In this mode,
the SIP header is modified with regard to
translation of IP addresses.
Support for
Geographical
Redundancy
Maintains a active-standby SIP server
configuration, which even supports geographical
distribution. If the active SIP server fails (missing
SIP heartbeat messages or SIP traffic) FortiOS will
redirect the SIP traffic to a secondary SIP server.
26. Fortinet ConfidentialFortinet Confidential
VoIP Protection Features FOS 4 MR1
VoIP Features in FortiOS Carrier 4.0 MR1
SIP command
control
The SIP SFW can block SIP methods. SIP
methods that can be blocked are:
ack, bye, cancel, info, invite, notify, options,
publish, refer, register, subscribe, update and
„unknown commands―.
SIP communication
logging
The SIP SFW supports logging to a FortiAnalyzer.
The Logfiles will show up in the „Content Archive―
section under the VoIP Tab.
Hardware
accelerated RTP
processing
In cases where RTP is pin-holed by a FortiOS
Carrier™ device, it needs to be understood that
RTP packets can be very small (around 100bytes
or less), sensitive to processing latency, packet
loss or jitter (packet delay variation). FortiGate
devices can offload RTP packet processing to HW
assistance (FortiASIC). This will greatly enhance
the overall throughput and will give the firewall
device a multiple GE wirespeed (1 Gbps) VoIP
security solution.
27. Fortinet ConfidentialFortinet Confidential
VoIP Protection Features FOS 4 MR1
VoIP Features in FortiOS Carrier 4.0 MR1
Media Inactivity In some case SIP signaling is established, but the
voice bearer (RTP) is broken.
The SIP SFW supports optionally the detection of
Media Inactivity that cleans the SIP call context in
the SFW once there‗s no RTP anymore for a
specific time.
SIP over IPv6 Supports Signaling Firewall for SIP messages
using IPv6 transport. Limited to SIP over IPv6 in
SIP transparent mode (no SIP/RTP NAT of IPv6 to
IPv4).
IP Topology Hiding IP topology of a network can be hidden through
NAT and NAPT manipulation of IP and SIP level
addressing.
28. Fortinet ConfidentialFortinet Confidential
• Fortinet‘s IPS is SIP aware
– SIP decode is available
• Allows attack prevention and detection with a signature database.
• Signature updates available from Fortinet‘s FortiGuard service
with a very short response time.
• Customer signatures allow service personell to write their own
prevention or detection rules
– Could be used for the quickest reaction to a sudden security threat
• SIP aware IPS customer signature example from a customer:
– F-SBID( --name "SIP.Proxy.Require.Header.Buffer.Overflow"; --protocol udp; --service SIP; --flow
from_client; --pattern "OPTIONS|20|sip|3a|"; --no_case; --context uri; --within 12,context; --pattern
"Proxy-Require|3a 20|"; --no_case; --distance 8; --within 500; --context header; --pattern !"|0a|"; --
within_abs 500; )
– This signature blocks OPTION messages with a “Proxy-Require” field.
IPS – Intrusion Prevent and Detection
29. Fortinet ConfidentialFortinet Confidential
Fortinet VoIP Security – HA Configuration
SIP
Server
ENET/VPL
S
Switch
(1)
ENET/VP
LS
Switch
(2)
ENET/VP
LS
Switch
(1)
ENET/VPL
S
Switch
(2)
FortiCarri
er
Active
Blade
FortiCarri
er
Standby
Blade
SIP Interconnect
primary
secondary
(optional)
GE
GE GE
GE
GEGE
Heart
beat
Floating
Mac/IP
Floating
Mac/IP
Ethernet /
VPLS
Switch
(1)
Ethernet /
VPLS
Switch
(2)
Ethernet /
VPLS
Switch
(1)
Ethernet /
VPLS
Switch
(2)
SIP
Server
FortiOS
Active
Blade
FortiOS
Standby
Blade
30. Fortinet ConfidentialFortinet Confidential
VoIP Security – Geographical Redundancy
SIP
Server
SIP
Server
Primary Server Secondary Server
SIP Heartbeat
SIP
Heartbeat
(SIP
OPTION)
SIP
SIP
SIP is forwarded to
primary SIP Server, as
long as it’s successfully
sending heartbeats
SIP
Server
SIP
Server
Primary Server Secondary Server
SIP
Heartbeat
SIP
SIP
In the case of SIP
heartbeat absence, the
SFW will forward the SIP
traffic to the secondary
SIP Server.
Failover
Failover
SIP
Signaling
Firewall
SIP
Signaling
Firewall
SIP
Server
SIP
Server
SIP
Server
SIP
Server
31. Fortinet ConfidentialFortinet Confidential
VoIP Protection Features FOS 4 MR2
New VoIP Features in FOC and FOS 4.0 MR2
FOC to FOS SIP
feature migration
The enhanced SIP protection feature set of
FortiOS Carrier will become available within
the standard FortiOS platform. This allows to
utilize a larger FortiGate product portfolio and
provide more attractive entry models with the
low and mid range FortiGate devices.
Deep SIP header
inspection
Deep SIP header syntax inspection. Prevents
from many SIP Fuzzing attacks with
malformed SIP message headers. User
configurable bypass and response message
options. SIP conformance violations can be
logged with the FortiAnalyzer.
Hosted NAT
traversal
Resolves IP address issue in SIP-SDP
header due to NAT-PT in far end firewall.
Important feature for VoIP access networks.
32. Fortinet ConfidentialFortinet Confidential
VoIP Security – Deep SIP header Inspection
FortiCarrier
Active
Blade
SIP message
Malformed SIP header
field detected
If yes: Check next
header field
If yes: Send back
corresponding negative
SIP response (e.g. 4xx or
5xx message)
If no
Discard message
Message compliant
• Considers the following SIP
header fields:
– Allow, call-id, contact, content-
length, content-type, cseq,
expires, from, max-forwards, p-
asserted-identity, rack, record-
route, route, rseq, to, via, request-
line
– SDP/ v=, o=, s=, c=, t=, a=, m=
• Configurable header and body
length checks
• Optional logging of message
violations to FortiAnalyzer
SIP
Parser
Configured:
“Pass” ?
Configured:
“Respond”
?
If no
33. Fortinet ConfidentialFortinet Confidential
Transparent Mode or
Stealth Mode
• Inspecting SIP and RTP traffic
• Does not modifies any
messages
• Visible only when trusted
network is under attack or in
overload situations
Active Mode
• Inspecting SIP and RTP traffic
• Performs Network Address
Translation (NAT) for SIP and
RTP
• Modifies SIP header and SIP
body (SDP)
• Visible as SIP Application Level
Gateway (ALG) in the network
• Optionally, NAP/T RTP/RTCP
packets
Fortinet SIP SFW – Two Modes of Operation
34. Fortinet ConfidentialFortinet Confidential
IP network address translation
• SIP NAT
• IP network topology hiding
• Mapping external IP addresses
with internal IP address ranges
• Resolves overlapping IP
address between external
and internal networks
Media Handling
• Pin-holing of RTP/RTCP
• (Police RTP/RTCP traffic)
• Open and close pin-holes
from SIP context
• Hardware acceleration
• Line rate performance
• 5 micro seconds latency
Fortinet SIP SFW – Signaling and Media