Security: Secrets and Hype
by Ari Takanen

The topics of this blog are in Fuzzing and VoIP security.

As the CTO of Codenomicon, the main focus of Ari's work is with security testing of various next generation communication technologies such as VoIP, WiMAX and IPTV. His latest book is focused on this topic, and is titled "Fuzzing for Software Security Testing and Quality Assurance". You can win a free copy of The Fuzzing Book from the Codenomicon web site.

What is VoIP security all about? After close to ten years of hacking and bashing VoIP, Ari Takanen will finally reveal the secrets and discuss the hype around VoIP security. The discussions in this blog will draw from his book "Securing VoIP Networks: Threats, Vulnerabilities, and Countermeasures" co-authored by Peter Thermos, and published by Addison-Wesley.

Ari will answer any questions and comments you might have regarding penetration testing and fuzzing of next generation communication networks such as IP telephony.

Check out the sample chapter of the VoIP book here!

all posts

Security Testing: It Is About Coverage

It is easy to do pentetration testing. My two year daughter can do it (well at least she broke through a screen-lock). But doing it well is the challenge. That is what coverage is about. Security test coverage, like any test coverage, is measuring how much of all the possible sensible options you cover with your testing. Let's dig into this topic a bit more, and perhaps next time someone comes offering you pentesting services, you will have a few new questions to ask the auditors.
|

Vulnerability Disclosure: Is it Blackmail, Whitemail or Bluemail

Hackers (or security researchers) come with a range of rainbow colored hats. Some guys'n'gals are nice (the White Hats). They find and disclose problems in communication products using approved responsible disclosure models. Others are in the business for money, and are not satisfied by the fame they get for disclosing problems. The process can easily get close to what some would consider unethical, or even direct blackmailing.
|
1 comment
5I like it!

What to Look in a Test Automation Product: Features or Benefits

The leap from manual tests or simple scripts into fully automated test suites makes all self-respecting test engineers just simply excited. It is difficult to see the limits to the things where test automation could be used. But hold on! Are you thinking straight? Why was it that you were looking for test automation in the first place?
|
6 comments
14I like it!

Visualizing Security - The Challenge of 2009

Have a look at all leading security companies today, and you see all of them launching or planning to launch solutions targeted at visualizing and collaborating over security issues. What is this about? Let's have a look at different initiatives in this area.
|

Fuzzing and Product Security

Finally, some real data on the usage of fuzzing is emerging. Who is using fuzzing? How do people see fuzzing being used in the product security process? Forrester has included questions regarding use of fuzzing in to their questionnaire that they send to key industry CIOs, CSOs and CISOs. Security companies such as Cigital are publishing their findings. I have talked with these organizations and will be discussing my findings in this blog and the upcoming webinar.
|

Fuzzing Is Still Widely Unknown

Based on a recent study by Gary McGraw and other well known security gurus, all major product security teams apparently use fuzzing. But most (even security specialists) still seem to misunderstand what fuzzing really is about. Enter the world of fuzzing!
|
1 comment
25I like it!

Good VoIP Deployment Guidelines (Do Not Exist?)

I get questions regarding VoIP deployment all the time. Sometimes it is someone looking for simple and cheap Enterprise VoIP, who are unsure if VoIP can be deployed securely with those two parameters in the equation. More often it is the security aware people who are willing to invest almost anything to make it work, but cannot. As always, there is no silver bullet solution for either. If you look at my past opinions, I keep changing my mind between cheap that works, and secure that doesn't. What do you think? Which way should we go in VoIP?
|

VoIP Still Not Ready For Carrier-Grade Networks

After a quick tour of some Really Talented Groups dedicated to fuzzing research, I noticed three things: 1) Most teams are focused on fuzzing VoIP 2) Most if not all VoIP devices still break with fuzzing 3) Most VoIP vendors still do not get it. The tour continues...
|

Reason Behind Vulnerabilities

Now something completely unrelated to VoIP: Reason behind all vulnerabilities in software! I read an article that explained how vulnerabilities are basically created by the fact that people tend to drift from good development principles into practices that are just simply Fun. The engineers among us know that software development can be enormously interesting, something you would happily even do in your leisure time. But can fun be converted into reliable software?
|
4 comments
4I like it!

(Is There) Motivation for VoIP Fuzzing

What have we learned during these six or so years of proactive security work with VoIP fuzzing? Here is my top ten discoveries.
|
peer-to-peer

Brian Proffitt
Microsoft/Novell: Breaking Down the Coupon Numbers

Esther Schindler
Drupal's Dries Buytaert on Building the Next Drupal

Tom Henderson
Top Ten General Operating Systems Rants

pasmith
PS3 motion controller delayed; goes up against Project Natal

sjvn
Neolithic Windows security hole alive and well in Windows 7

claird
Perl source code comparison makes for good reading

mikelgan
Cell phones don't create stress or interrupt much

Sandra Henry-Stocker
How to: The Unix Interview

 

Where Google Chrome security fails: the password
I heard mention that the Chrome OS will have some sort of encryption available a la bitlocker. If it's possible to encrypt personal data using another password or key, then it may have potential for very secure data.... And Ubuntu has an 'encrypt home directory' option, perhaps google should follow suit.
- Dann

Join the conversation here

The Daily Tip

The Daily TipQuick, practical advice for IT pros. Made fresh daily.

Hot tips:

Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.

Newsletters

Subscribe to ITWORLD TODAY and receive the latest IT news and analysis.

I would like to receive offers via email from ITworld partners.
By clicking submit you agree to the terms and conditions outlined in ITworld's privacy policy.
Marketplace