[SecurityRatty] tag: fire

Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more...

Wed, 27 Aug 2008 15:53:18 +0000

Synopsis: Blue Box #82: Asterisk & Skype security vulnerabilities, new VoIP security tools, VoIP steganography, VoIP security news and much, much more...

Welcome to Blue Box: The VoIP Security Podcast #82, a 47-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 21MB) or subscribe to the RSS feed to download the show automatically.

NOTE: This show was originally recorded on June 21, 2008.

You may also listen to this podcast right now:

Show Content:

00:20 - Intro to the show, contact information and how to provide comments. Welcome to all the new listeners - and to all those listeners who have been here for so long!
Programming notes:
- Note about the production team – new special editions coming soon.
- Note about URLs for the media files
AST-2008-008 – Remote Crash Vulnerability in SIP channel driver when run in pedantic mode
AST-2008-009 – Remote crash vulnerability in ooh323 channel driver
Skype-SB-2008-003 – Skype File URI Security Bypass Code Execution Vulnerability

New version of SIPvicious

Sipflanker – tool to find SIP devices with web GUIs

Discussion about VoIP Steganography (pointed to by Craig Bowser)

Geeks Are Sexy: New Technology Hides Messages in Internet Phone Calls – and Switched: Spies to Use Skype to Send Secret Messages? – and The Register

FierceVoIP: VoIP Security and the Circle of Trust pointing to Government Computer News: Careful with the call

The Register: ‘Untraceable’ phone fraudsters eye your credit card

SearchUnifiedCommunications: Disaster and recovery in the VoIP/IPT RFP

Secure Computing: Voice tools under enemy fire

VNUnet: A good VoIP application is worth paying for

Ofcom confirms VoIP providers must provide access to 999 and 112

Bogdan Materna’s blog is live

Realtime Community: The Essentials Series:
Messaging and Web Security
Volume III

Global Knowledge: On-Demand Webinar on VoIP Security (hat tip to Thomas Lee )

SearchSecurity: The threats to telcos and how they can repel them

TMCnet: Balancing Issues in World of Telepresence

Network World: VoIP Security Buying Guide

Nortel and SecureLogix Team to Deliver Voice Security and Management Solutions to Worldwide Enterprise Market (see also this analysis )

Sipera Partner Network Arms Resellers With Comprehensive UC and VoIP Security

VIVOphone Deploys Paradial RealTunnel® to Solve NAT Traversal Challenges for VoIP Services

Audiocodes joins the ranks of SBC vendors

SearchSecurity: Securing the new network (interesting because it shows the layers of a defense in depth)

The Hindu Business News: Serious about Security

Shows:
- IP Telephony University – June 23-24, Alexandria, VA
- IPTComm 2008 – July 1-2, Heidelberg, Germany
- The Last H.O.P.E. – July 18-20, New York
- SpeechTek – August 18-20, New York
Call for papers for Hack-in-the-box Malaysia ends June 30th

SchmooCon 2008 videos available – several dealing with VoIP

No comments this week.
Review of the last week's traffic on the VOIPSEC public mailing list

Wrap-up of the show

47:09 - End of show

Comments, suggestions and feedback are welcome either as replies to this post or via e-mail to blueboxpodcast@gmail.com. Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows. You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

Warner Keynote Comment On Science Lights Up Twitter

Wed, 27 Aug 2008 03:27:00 +0000

"Just think about this: In four months, we will have an administration that actually believes in science!" said former Virginia Governor Mark Warner during his keynote speech at the 2008 Democratic National Convention. It didn't set the room on fire but Twitter was aflutter as its geek community celebrated a throwaway line.

Apple on Fire!

Wed, 13 Aug 2008 10:45:49 +0000

It’s not just sales burning in Apple’s pockets — one of the Apple buildings in Cupertino caught fire today and burned for 3 hours before being extinguished — there was considerable damage.

The incident appeared to be connected to a construction crew working in the area where the blaze started, Darron Pisciotta, captain of operations for the Santa Clara County Fire Department, told InformationWeek. The work crew was the first to report the fire. More than 60 firefighters responded to the alarms.

I have a friend who’s been contracting down there, so glad to hear that no one was hurt!
I hope this doesn’t set development on the iTablet back;)

Hey, if you have construction workers in your area, tell them to be careful, okay?

The Secret Life of CEP

Tue, 05 Aug 2008 14:32:44 +0000

Catching up on the blogs, I couldn’t help but comment on, Is CEP Mature? Or a Curious Case of Information Asymmetry by Mark Tsimelzon, President & CTO, Coral8. Mark says,

“I know for a fact that every major CEP vendor has several dozen paying customers.”

Somehow Mark, I don’t find a dozen paying customers by the top CEP vendors very impressive.

Then, as to somehow justify the lack of public reference clients, Mark takes the position of a Coral8 customer and says,

“We believe that the use of Coral8 gives us a strategic advantage over our competitors. Why would we want to clue them in?”

Naturally, the same thing could have been said about the first desktop computer, or the first back-office banking system, or the first calculator, or the first telephone, frankly speaking.

Of course, when the technology is mature, then it is “Hey we have lots of computers!” “Hey, look at my fully functional sexy iPhone!” “We have the best back office banking systems on the planet by !”

Well, all this CEP Solution Secrecy (CEPSS) might just be similar to why the government keeps many IT projects a secret; the main reason is so we don’t know how much taxpayer money they are spending!

So, folks, the debate counterpoint that there is some “Secret Life of CEP” and that the CEP solutions today are somehow changing the way C-Level executives, and corporate America, thinks is just wishful thinking.

Companies don’t need to keep their strong technical solutions a secret. Like, Wow! I am using Coral8 and it is so impressive that I have to keep it TOP SECRET. (Sorry Mark, nothing personal, you simply gave me a big red target and painted “fire when ready” on it)

Note: I happen to like Coral8, and Coral8 Studio, as an event stream processing platform.

Back on point, I consider my laptop and cellphone more indispensable than most of the first generation rule-based stream processing engines out there today, and I am sure most CEOs agree.

The Secret Life of CEP…. you just have to just love it

Security Through Visibility - Montego, Lancope and NetFlow

Wed, 30 Jul 2008 17:57:06 +0000

We've probably all heard that you can't secure what you can't see and that statement is even more profound when it comes to virtual environments. This is because it is extremely challenging to see what is going on at a micro vs. macro level within a virtual environments network. The virtualization vendors such as VMWare and Citrix have provided embedded tools into their management consoles that show a macro level of visibility but its not enough to identify security events in the environment. Take a look at the attached picture. It simply shows VMWare's ability to monitor virtual network performance statistics from a bits per second perspective.

<-Click To Enlarge

With only this level of detail how can one determine which network applications are causing spikes. Is it FTP traffic that is occuring at a high volume at an unuseal time of day? If that were occuring, could that be indicative of either a breach or some sort of problem? What if FTP isn't even an authorized service in the virtual environment but there is a high volume of it? Did someone install a rouge FTP service so they could steal information from the server at will?

These types of questions can't really be answered without a micro level of detail into the packets flowing in, out and within the virtual environment. Now, what I am highlighting is not security in the traditional sense of prevention but using visibility as a means to first identify, then pin point the source of an issue so that it can properly be mitigated. Having constant visibility can also ensure that other security products in the environment are performing as expected. What if a Montego HyperSwitch with firewalling enabled is configured with many policies but someone forgot to create an FTP block policy. One could think they are protected from rouge FTP services transmiting data out of the network, but without constant visibility monitoring, can you be certain?

Some vendors, namely Reflex Security will get you to believe that their IPS / IDS solution that is inline and running in the virtual environment is the right and only approach. Or they will tell you to hang a virtual IDS off a span port in the virtual environment and you will at least have visibility into the attacks that are taking place. Well, sure... You now have attack visibility but at the performance cost of your virtual environment. Signature matching technologies are great, I'm a huge believer; however they don't scale very well in shared computing environments such as virtual ones. IDS systems also don't typically track protocol and network service (FTP, HTTP, etc.) utilizations; which is another important part of visibility.

So, what do we do to gain visibility without the performance headache? Well, for starters its probably best to put your IDS/IPS solutions in the physical environment where performance will be less of a concern. In fact, you can span a virtual switch's traffic out to a physical NIC as easy as you can to a virtual one. So why do it virtual and have to pay a 60% CPU utilization tax? Another solution is to IDS inspect only the things you care about. Why IDS inspect SSL traffic if you know your solution can't unencrypt SSL. Its just a waste of compute cycles isnt it? Policy based switching helps you with directing only the things you care about to an IDS (attack visualization product). Montego's HyperSwitch also can help you with the traffic redirection of only the things you care about.

Another method of visibility which I tend to be a fan of is one of packet analysis (aka NetFlow). NetFlow was invented by Cisco some time ago and has gained popularity in the physical world and definately has a use in the virtual world. NetFlow is lightweight. Let me say that again, its light weight! It only sends a summation of packet detail to an analytical engine which can do some number crunching, packet comparison, etc. etc. to make some sense out of whats going on. Lancope, an Atlanta based visibility company that provides Network Visibility, Security Visibility and User Visibility has this tool on their website that is a Netflow Bandwidth calculator. You'll see from playing with this ( http://www.lancope.com/netflowcalculator.aspx ) calculator that it doesn't consume a lot of network bandwidth to transmit these network accounting records. It also doesn't cause a lot of CPU overhead to send these records to an analytical engine sitting somewhere in the network.

Lancope's analytical engines have the ability to do the following for you within your virtual environment:

Slide 3

•Monitor and Alert network behavior of VMs
•Track Vmotion movement of VMs accross physical servers
•Monitor and Alert on communication between VMs
•Identify users accessing VMs
•Identify unauthorized or rouge VMs
•Monitor and Alert when VM’s go online or offline
•Identify network services running on VMs
•Monitor Network / Application performance of VMs
Display active hosts accessing VMs

...and probably a slew of other things I'm not aware of. A screen shot of their product is bellow:

<- Click to enlarge

You'll notice from the screenshot that you are able to visualize who is talking to who, how much traffic they have sent and received and something called a concern index (not seen on this screenshot).

Now, a concern index is a number that increases as Lancopes analytical engines monitor suspicious activity on a session. A high counter can be indicative of a security problem. Its another way of identifying (visualizing) compromised hosts (virtual machines) without having to do signature matching like a heavy weight IPS engine. Example: Lets say you have a VM that has a BOT on it and is "owned". The Lancope product is monitoring this long life session. Let's say that session is established for several hours or maybe even days or months. Lets also say that the conversation appears to be mostly unidirectional from a public ip address not belonging to your enterprise. Lancope would increase a the concern index on this since this server hasn't typically had this type of behavior. Once the concern index reached a certain level it could then fire off an email, send you a text message or something saying: Warning, Warning, Danger, Danger Will Robinson!!! You're virtual server may be infected with a BOT, please investigate immediately!!!

This example is VISIBILITY which helps you with SECURITY. There are a number of other things you can do with NetFlow and Lancope products that have less to do with security and more to do with operational efficiencies. Things like, helping you answer questions of: How do I know what network applications are taking up the most bandwidth? When should I move those applications over to a server with more horsepower? When did these VM's vmotion over here and was there a traffic condition / CPU condition that caused that to occur? I could go on and on but thats a topic for another blog entry.

So, my suggestion is to take a look at what NetFlow has to offer. Montego Networks supports NetFlow transmission and Lancope supports NetFlow analytics and with both you can regain what was lost visibility.

I hope this was helpful to you all!

-John Peterson

Security Through Visibility - Montego, Lancope and NetFlow

Wed, 30 Jul 2008 17:57:06 +0000

<-Click To Enlarge

Lancope's analytical engines have the ability to do the following for you within your virtual environment:

Slide 3

???Monitor and Alert network behavior of VMs
???Track Vmotion movement of VMs accross physical servers
???Monitor and Alert on communication between VMs
???Identify users accessing VMs
???Identify unauthorized or rouge VMs
???Monitor and Alert when VM???s go online or offline
???Identify network services running on VMs
???Monitor Network / Application performance of VMs
Display active hosts accessing VMs

...and probably a slew of other things I'm not aware of. A screen shot of their product is bellow:

<- Click to enlarge

I hope this was helpful to you all!

-John Peterson

Keeping corporate secrets - the data centric security approach

Mon, 28 Jul 2008 16:13:00 +0000

Just read the eWeek summary for the new book Blown to Bits... (btw, what's up with tag lines and subheadings in books - these seem to be filling up the font page!). The authors discuss the right mix of people, process and security technology that organizations can use to prevent such breaches...

Interestingly enough, the trends they talk about are very data-centric - "Secure the message as well as the medium" and "Address data at rest, in flight and in use"...

In particular I like this paragraph...

"Even with SSL (Secure Sockets Layer) and VPN, strong passwords, fire walls and a flood of security patches, the medium (the network and the attached servers) should be considered inherently insecure. The greatest security comes from protecting the data itself. Even a gargantuan data breach will be of no real consequence if the data is undecipherable."

Could not have said it better - and I could not agree more...

CEP is to Architecture as SOA is to Architecture

Fri, 25 Jul 2008 14:38:29 +0000

I am often asked pointed questions (mostly from the stream processing crowd) like, ” What product does CEP?” Sometime it seems my answer determines the fate of that relationship, as my feet are grilled over the CEP-fire to be beat of jungle drums! The amount of money I have lost in deals that did not go through because I refused to sprinkle holy water on a vendor’s product and call it “CEP” is staggering, quite frankly.

CEP describes an architecture, just like SOA describes an architecture and just like EDA describes an architecture.

For example, you do not buy an SOA. An SOA describes an architectural style of programming via components that are involved as services in a distributed network architecture - a service-oriented, or service-based architecture.

The concept of CEP does not have “the A-word” like SOA and EDA, but none-the-less, CEP describes an architecture, not a product. Do not make the mistake of thinking in terms of “buying CEP”, just like you do not buy an SOA or an EDA. You think, plan and design in terms of CEP, just like you should do in an SOA or EDA. These are constructs, not products.

In other words, for “true CEP” you need a number of components, some of the components might be in the architectural style of SOA, others might be in the architectural style of EDA. Your solution architecture for solving a complex event processing problem might have request-reply transactions, or it might have fire-and-forget messages. You might have a Neural Networking component for analytics and a rules component for filtering, mediation and scheduling. You might even have a stream processing component performing as a high performance filter and pattern matcher on streaming data where the output is forwarded to a Bayesian Classifer for further processing.

My key message in this post is that CEP requires a number of technologies to solve complex distributed computing problems. Do not be fooled into thinking that a single product is “CEP” no more than a single product is SOA or EDA.

Yes Virginia there really are HIPAA police

Fri, 25 Jul 2008 11:58:50 +0000

One of the things that I have always not understood about HIPAA is what teeth do these regulations have and who is going to enforce them. There are plenty of firms willing to take your money and rubber stamp you HIPAA compliant, but who is going to say your not HIPAA compliant and why should you care. Finally reading this article in Security Bytes it looks like the federal government has stepped up to enforce HIPAA and have put some bite behind the bark. Providence Health in Seattle was fined 100k by US Department of Heath and Human Services for losing data containing patients information.

I say good for the HHS! A few well publicized fines where people had to pay real money will go further in getting people to take HIPAA seriously than all of the other dog barking and warnings that have taken place to date. The same goes for other regulations and statues on compliance as well. Lets hear about some financial sanctions or penalties around PCI and you will see a drastic rise in compliance there as well. Rules and regulations without enforcement serve no purpose at all and hurt more than they help.

Yes Virginia there really are HIPAA police

Fri, 25 Jul 2008 11:01:24 +0000