As I've mentioned in an earlier post, VoIP is a fascinating topic for security researchers. It comes with a number of very interesting interfaces and protocols for both signaling and media. It is loaded with funny intermediary devices that do peculiar things to the communications. And finally, almost nobody knows how it all works together -- a dream for technical people that enjoy taking things apart, peeking under the hood, and poking around to see what makes it tick (or crash).
Fuzzing VoIP is exactly that: playing with complex message sequences, structures, and data types. Combining past security knowledge such as applying overflow and SQL strings to the text-based protocols and carefully constructed ASN.1 structures to the binary protocols. Sometimes this requires a bit of reverse-engineering of both the protocols and network architectures. But the result is almost always just what the researchers want: A nice, juicy zero-day vulnerability. (For more on VoIP fuzzing read "(Is There) Motivation for VoIP Fuzzing")
One would think that VoIP vendors would have learned something during these past six or seven years of VoIP fuzzing. But no, there still are people who don't really understand why these people torment them with a constant flow of crash level failures and proof-of-concept exploits. They keep on wasting huge amounts of money and resources on snake-oil solutions that don't do what the attractive marketing materials claim these security products should do.
Some people still live in a dream world of static analysis, loaded with nightmare projects of fixing false positives and and are surprised by the number of false negatives. A false positive is basically a programming construct that is definitely bad coding but does not pose any real security threat to the product. A false negative is a flaw left uncaught, and later discovered by these security researchers. To me it still seems like the security market is like a horse race. And, as always, most people are betting all their money on the wrong horse.
So what is the solution then?
A Free Fuzzing Book (no strings attached)
I promised to do a draw of my latest book on fuzzing by end of last month, but today decided to extend that by couple of days to give the readers of ITworld also a chance to win a copy. For more information, see http://www.codenomicon.com/fuzzing-book/.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
jfruh
Apple syncing patent can't come soon enough
pasmith
New Twitter features borrow from 3rd party clients
Esther Schindler
Open Source Changes the Software Acquisition Process
mikelgan
How to set up continuous podcast play on the new iTunes
David Strom
Five important Windows 7 mobility features
sjvn
Guard your Wi-Fi for your own sake
Sandra Henry-Stocker
Grepping on Whole Words
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
