What is VoIP security all about? After close to ten years of hacking and bashing VoIP, Ari Takanen will finally reveal the secrets and discuss the hype around VoIP security. The discussions in this blog will draw from his book "Securing VoIP Networks: Threats, Vulnerabilities, and Countermeasures" co-authored by Peter Thermos, and published by Addison-Wesley.
Ari will answer any questions and comments you might have regarding penetration testing and fuzzing of next generation communication networks such as IP telephony.
Check out the sample chapter of the VoIP book here!
Have a look at all leading security companies today, and you see all of them launching or planning to launch solutions targeted at visualizing and collaborating over security issues. What is this about? Let's have a look at different initiatives in this area.
I am curious how people can conduct penetration tests of a complex VoIP system when they barely understand how VoIP infrastructure works. Today, security people are still stuck to auditing practices from 1990s. When asked to do a penetration test, a consultant often is only looking at past issues that can be detected using various vulnerability scanners. Very few of them know that vulnerability scanners have extremely bad coverage of vulnerabilities in VoIP solutions. And even if the tools did know VoIP, who really cares about past issues that might have been relevant several years ago.
I get questions regarding VoIP deployment all the time. Sometimes it is someone looking for simple and cheap Enterprise VoIP, who are unsure if VoIP can be deployed securely with those two parameters in the equation. More often it is the security aware people who are willing to invest almost anything to make it work, but cannot. As always, there is no silver bullet solution for either. If you look at my past opinions, I keep changing my mind between cheap that works, and secure that doesn't. What do you think? Which way should we go in VoIP?
The leap from manual tests or simple scripts into fully automated test suites makes all self-respecting test engineers just simply excited. It is difficult to see the limits to the things where test automation could be used. But hold on! Are you thinking straight? Why was it that you were looking for test automation in the first place?
Now something completely unrelated to VoIP: Reason behind all vulnerabilities in software! I read an article that explained how vulnerabilities are basically created by the fact that people tend to drift from good development principles into practices that are just simply Fun. The engineers among us know that software development can be enormously interesting, something you would happily even do in your leisure time. But can fun be converted into reliable software?
After a quick tour of some Really Talented Groups dedicated to fuzzing research, I noticed three things: 1) Most teams are focused on fuzzing VoIP 2) Most if not all VoIP devices still break with fuzzing 3) Most VoIP vendors still do not get it. The tour continues...
Based on a recent study by Gary McGraw and other well known security gurus, all major product security teams apparently use fuzzing. But most (even security specialists) still seem to misunderstand what fuzzing really is about. Enter the world of fuzzing!
Finally, some real data on the usage of fuzzing is emerging. Who is using fuzzing? How do people see fuzzing being used in the product security process? Forrester has included questions regarding use of fuzzing in to their questionnaire that they send to key industry CIOs, CSOs and CISOs. Security companies such as Cigital are publishing their findings. I have talked with these organizations and will be discussing my findings in this blog and the upcoming webinar.
Hackers (or security researchers) come with a range of rainbow colored hats. Some guys'n'gals are nice (the White Hats). They find and disclose problems in communication products using approved responsible disclosure models. Others are in the business for money, and are not satisfied by the fame they get for disclosing problems. The process can easily get close to what some would consider unethical, or even direct blackmailing.
Sidekick: The Good News & the Bad News Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Surviving Windows is easier than you think… MKS offers the power of an integrated all-in-one environment and provides you with the Power of UNIX on Windows Learn More
Brought to you by:
contests & free stuff
We have 5 copies of these two new books to give to some lucky readers. The deadline for entries is November 30, 2009.
AISO founders envisioned a Web hosting company that was environmentally friendly. While the company employed energy-efficient innovations like solar panels, its infrastructure produced unacceptable power and cooling requirements. Find out how AISO leveraged AMD technology to overcome their challenge in this case study white paper.
In this whitepaper, Scalar explores the opportunity to change the landscape with respect to mission critical databases
built around Oracle. Leveraging technologies such as Linux, high-end commodity processing power and Oracle RAC
technology to architect, design, build and maintain database infrastructure that delivers maximum availability, reliability
and performance at a fraction of traditional cost.
On a typical day, weather.com, the Web site for The Weather Channel in Atlanta, serves up between 15 million and 20 million page views. But in September 2004, when back-to-back hurricanes ransacked Florida, the peak traffic on one day more than tripled: over 70 million page views by more than 7 million unique visitors. Read the full success story now.
12I like it!
Visualizing Security - The Challenge of 2009
Have a look at all leading security companies today, and you see all of them launching or planning to launch solutions targeted at visualizing and collaborating over security issues. What is this about? Let's have a look at different initiatives in this area.3I like it!
(Is There) Motivation for VoIP Fuzzing
What have we learned during these six or so years of proactive security work with VoIP fuzzing? Here is my top ten discoveries.