As I've mentioned in an earlier post, VoIP is a fascinating topic for security researchers. It comes with a number of very interesting interfaces and protocols for both signaling and media. It is loaded with funny intermediary devices that do peculiar things to the communications. And finally, almost nobody knows how it all works together -- a dream for technical people that enjoy taking things apart, peeking under the hood, and poking around to see what makes it tick (or crash).
Fuzzing VoIP is exactly that: playing with complex message sequences, structures, and data types. Combining past security knowledge such as applying overflow and SQL strings to the text-based protocols and carefully constructed ASN.1 structures to the binary protocols. Sometimes this requires a bit of reverse-engineering of both the protocols and network architectures. But the result is almost always just what the researchers want: A nice, juicy zero-day vulnerability. (For more on VoIP fuzzing read "(Is There) Motivation for VoIP Fuzzing")
One would think that VoIP vendors would have learned something during these past six or seven years of VoIP fuzzing. But no, there still are people who don't really understand why these people torment them with a constant flow of crash level failures and proof-of-concept exploits. They keep on wasting huge amounts of money and resources on snake-oil solutions that don't do what the attractive marketing materials claim these security products should do.
Some people still live in a dream world of static analysis, loaded with nightmare projects of fixing false positives and and are surprised by the number of false negatives. A false positive is basically a programming construct that is definitely bad coding but does not pose any real security threat to the product. A false negative is a flaw left uncaught, and later discovered by these security researchers. To me it still seems like the security market is like a horse race. And, as always, most people are betting all their money on the wrong horse.
So what is the solution then?
A Free Fuzzing Book (no strings attached)
I promised to do a draw of my latest book on fuzzing by end of last month, but today decided to extend that by couple of days to give the readers of ITworld also a chance to win a copy. For more information, see http://www.codenomicon.com/fuzzing-book/.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
Brian Proffitt
Microsoft/Novell: Breaking Down the Coupon Numbers
Esther Schindler
Drupal's Dries Buytaert on Building the Next Drupal
Tom Henderson
Top Ten General Operating Systems Rants
pasmith
PS3 motion controller delayed; goes up against Project Natal
sjvn
Neolithic Windows security hole alive and well in Windows 7
claird
Perl source code comparison makes for good reading
mikelgan
Cell phones don't create stress or interrupt much
Sandra Henry-Stocker
How to: The Unix Interview
Where Google Chrome security fails: the password
I heard mention that the Chrome OS will have some sort of encryption available a la bitlocker. If it's possible to encrypt personal data using another password or key, then it may have potential for very secure data.... And Ubuntu has an 'encrypt home directory' option, perhaps google should follow suit.
- Dann
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
- Ubuntu advances: Why Ubuntu server installations will surge in 2010
- Social media marketing: How to make friends with benefits
- More...
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
