|
1
|
|
|
2
|
|
|
3
|
- VoIP—Voice over Internet Protocol (VoIP) turns your analog audio signals
(Voice) into digital data that can be easily transmitted over the Internet
Protocol (IP).
- VoIP will forever change the way telephone calls are made.
- Examples:
- Vonage — VoIP system designed to replace your standard telephone
service by using the Internet to make local and long distance phone
calls.
- SKYPE — Software version of VoIP that rides your existing Internet
connection to allow you to make calls to fellow SKYPE users anywhere in
the world at no charge from your PC.
There are over 116,000,000 SKYPE users, hence eBay’s interest in
acquiring SKYPE.
|
|
4
|
- VoIP is not very secure by default.
- VoIP is at very high risk of attack, including Eavesdropping and Denial
of Service
(DoS) attacks, as well as exploitation of CVE®s.
- Eavesdropping:
- Would you make a purchase over a VoIP connection, giving your credit
card information out over the VoIP phone? (over 10M credit card numbers stolen
over IP)
- Denial of Service:
- What happens when you need to place an emergency phone call
(E911)? Can you do it with
VoIP? Not today and not
guaranteed (without copper wire backup connection).
- CVE®s: More on that to follow…
|
|
5
|
|
|
6
|
|
|
7
|
- Footprint
- Scan
- Enumerate
- Penetrate
- Escalate
- Pillage
- Get Interactive
- Expand influence
- Cleanup
- (Denial of Service)
|
|
8
|
- In 2004 companies spent more than $100 BILLION dollars in reparations
fixing damage caused by the Hackers, Viruses and Worms listed below…
- 95% of these costs could have been prevented if companies used our
unique solution.
- Cost of Worms
- Sobig: $37.1 billion
- MyDoom: $22.6 billion
- Klez: $19.8 billion
- Mimail: $11.5 billion
- Yaha: $11.5 billion
- Swen: $10.4 billion
- Love Bug: $8.8 billion
- Bugbear: $3.9 billion
- Dumaru: $3.8 billion
- SirCam: $3 billion
|
|
9
|
|
|
10
|
|
|
11
|
- Confidentiality and Privacy
- Switch Default Password
- Classical Wiretap
- ARP Cache Poisoning
- ARP Flooding
- Web Server Flaws
- IP Phone Netmask Vulnerability
- Extension to IP Address Mapping
|
|
12
|
- CAN-2005-2181
- Summary: Cisco 7940/7960 Voice over IP (VoIP) phones do not properly
check the Call-ID, branch, and tag values in a NOTIFY message to verify
a subscription. This allows remote attackers to spoof messages such as
the "Messages waiting" message.
- CVE-2002-0835
- Summary: Preboot eXecution Environment (PXE) server allows remote
attackers to cause a denial of service (crash) via certain DHCP packets
from Voice-Over-IP (VOIP) phones.
- CAN-2002-0882
- Summary: The web server for Cisco IP Phone (VoIP) models 7910, 7940,
and 7960 allows remote attackers to cause a
denial of service (reset) and possibly read sensitive memory
via a large integer value in (1) the stream ID of the
StreamingStatistics script or (2) the port ID of the PortInformation
script.
|
|
13
|
“The PSTN [the normal telephone network] is
like a well-manicured neighborhood, while the Internet is like a
crime-ridden slum”
- - Phil Zimmermann, the Inventor of PGP
|
|
14
|
- Researchers at Symantec expect "hackers" to target VoIP
networks as not only a means of gathering information and exploiting
unsuspecting people, but also as a potential conveyance of
next-generation attacks.
- The report predicts that within 18 months, VoIP will start to be used as
a "significant" attack vector.
- Ollie Whitehouse, technical manager at Symantec's research labs, said it
was important not to underestimate the threat from the subversion of
VoIP technology. "While there are currently very few reported
attacks directed at VoIP systems," he said, "Symantec believes
it's only a matter of time before attackers target it more
intensely."
|
|
15
|
- ATA (Analog Telephone Adaptor)
- The first and easiest way to make a VoIP call is through an ATA (Analog
Telephone Adaptor), sometimes called a “Gateway.”
- ATAs let you use your existing “old fashioned” analog telephone.
- Plug your antiquated handset into the ATA and then connect the ATA to
your Internet Connection (Cable modem or sometimes directly into your
computer) and you are ready to place calls.
|
|
16
|
- IP (Internet Protocol) Telephone
- Second way to use VoIP is IP Telephone
- These telephone handsets look just like normal handsets, however, they
have an RJ45 Ethernet connector instead of the standard RJ11 connector.
- These phones are like ‘micro’ computers with all the software and
hardware built-in to put an IP address on line for making and receiving
telephone calls.
- Because they connect directly to your Internet connection, you can set
up, install, and use these phones quickly, just like an old fashioned
telephone.
|
|
17
|
- Computer to Computer VoIP
- Third way to use VoIP, as we’ve seen with Peer to Peer (P2P) systems
like SKYPE, is computer to computer VoIP.
- All you have to do is install the software, configure it properly, and
begin using a microphone/headset attached to your PC.
- SKYPE promises to be ‘free forever’ and other services are coming online
that will offer the same price—not bad.
So what is the catch?
|
|
18
|
- There’s a high probability that you’ve already made a VoIP call without
even realizing it.
- Maybe you’ve called your local bank and the branch manager who answered
the phone was on a VoIP telephone.
- Most major telephone carriers are already using VoIP to route thousands
of long distance calls through a circuit switch and into an Internet
Protocol (IP) Gateway.
- Disruptive and powerful new technologies usually catch on like wildfire.
VoIP is one of them.
|
|
19
|
- Portability with VoIP:
- Can you take your home telephone into your doctors’ office waiting room
or your accountants’ office and make a telephone call from your phone
number? Nope.
With VoIP, you can make calls from anywhere you can plug into
an Internet jack (RJ45 connection) and make calls as if you were home.
- If you are using a soft-phone (VoIP software such as SKYPE) then you
can make and receive calls wherever you run this software — if it is on
your laptop, then your phone number is now mobile — wherever you have
access to
the Internet.
|
|
20
|
- VoIP Telephone Service Features:
- Call Waiting
- Caller ID
- Call Transfer
- Repeat Dialing
- Return Last Call
- Three-Way Dialing
- Call Filtering
- Send the call directly to voicemail
- Forward the call to a particular number
- Give the caller a busy signal
- Play a "not-in-service" message
- You can even check your Voice Mail over the Internet with a Web Browser
and using E-mail.
|
|
21
|
- Lower telecommunication costs
- Streamlined communication system — instead of managing two networks (the
telephone system) and the Internet/intranet, you can manage one network
- Improved communications/ease of access to sales staff, partners,
customers, and fellow VoIP users.
- You benefit from a flatter, easier communication environment with:
- One receptionist for all calls
- Auto attendant features for all calls
- Corporate-wide Voice Mail managed from one location
- Updates to the phone system applied throughout
the organization through a single act
|
|
22
|
- Determine existing telephone equipment you are able to keep by inquiring
about compatibility of existing equipment.
- Be certain about the features the VoIP System provides as standard vs.
optional extras.
- Ensure that any company devices such as fax machines, credit card
processors, and security systems can be integrated into your new VOIP
phone system.
- Do not try to save money by buying used VOIP phone systems.
|
|
23
|
- VoMIT—Voice over Misconfigured
Internet Telephone:
- The vomit utility converts a Cisco IP phone conversation into a wave
file that can be played with ordinary sound players.
- Vomit requires a tcpdump output file.
- Example of how to run VoMIT
- $ vomit -r phone.dump | waveplay -S8000 -B16 -C1
|
|
24
|
- Encryption:
- Establish an IPsec tunnel between the VoIP phone and the call manager.
- An old 486 laptop running OpenBSD is a good fit for that task.
- You could also run opportunistic encryption with OpenSwan on Linux.
|
|
25
|
- Properly securing your Voice over IP is a complex process because VoIP
consists of the integration of data and voice into a single network.
- Your network may be subject to daily attacks by hackers, viruses, and
worms.
- Never would you have considered worrying about these types of attacks
taking place against your old-fashioned telephone system.
|
|
26
|
- Encrypt all VoIP Traffic for Privacy
- Set up a VoIP System that has an E911 Interface
- Separate your LAN from your VoIP network
- Use the same level of security precautions on your VoIP network as you
would on your LAN or Corporate network (VoIP ready Firewall, VoIP aware
IDS, etc.)
|
|
27
|
- Develop appropriate network architecture for voice & data
communications.
- Examine the risk around deploying VoIP for voice communications.
- Take special precautions to ensuring Emergency 911 (E-911) services.
- Set up physical controls, especially important in VoIP security.
- Consider additional power backup requirements to ensure continued VoIP
availability during power outages.
- Find, evaluate, and deploy VoIP-ready firewalls.
- Avoid using ‘softphone’ solutions to replace your telephone, as these
‘softphones’ are harder to manage and secure.
- If mobile devices are part of your VoIP deployment, make sure
they are secured using WPA and not WEP.
- Review regulatory requirements regarding privacy and
record retention.
|
|
28
|
|
Notes
