[SecurityRatty] tag: sync

Blue Box SE#026 - Astricon 2007 presentation on VoIP security and Asterisk

Wed, 03 Sep 2008 15:54:03 +0000

Synopsis: Blue Box Special Edition #26: Astricon 2007 presentation - "Hacking and Attacking VoIP Systems: What you need to worry about"

Welcome to Blue Box: The VoIP Security Podcast Special Edition #26, a 55-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 6MB) or subscribe to the RSS feed to download the show automatically.

You may also listen to this podcast right now:

Show Content:

A year ago in September 2007, I (Dan York) spoke at Astricon 2007 in Arizona, USA, about "Hacking and Attacking VoIP Systems: What You Need To Worry About" My presentation covered a lot of the typical VoIP security threats, tools and best practices but also expanded a bit into specific security issues with Asterisk. Please do keep in mind that it has been a year since this presentation and so some of the issues I mention have been addressed. (Astricon, for those who don't know, is an annual developer conference for those who work with the Asterisk open source telephony platform. Astricon 2008 is, in fact, coming up in about 3 weeks but I will not be attending this year.)

The slides for this talk are available from Slideshare:

Hacking and Attacking VoIP Systems - What You Need To Know

View SlideShare presentation or Upload your own. (tags: voip voipsecurity)

(And yes, at some point I'll sync the audio with the slides.)

Production assistance on this Special Edition was provided by Michael Graves who had a very tough task given the poor quality of the recording that I gave to him! Kudos to Michael for getting it to sound as good as it does.

Comments, suggestions and feedback are welcome either as replies to this post or via e-mail to blueboxpodcast@gmail.com. Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows. You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

Blue Box SE#026 - Astricon 2007 presentation on VoIP security and Asterisk

Wed, 03 Sep 2008 14:54:03 +0000

Synopsis: Blue Box Special Edition #26: Astricon 2007 presentation - "Hacking and Attacking VoIP Systems: What you need to worry about"

Welcome to Blue Box: The VoIP Security Podcast Special Edition #26, a 55-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 6MB) or subscribe to the RSS feed to download the show automatically.

You may also listen to this podcast right now:

Show Content:

The slides for this talk are available from Slideshare:

Hacking and Attacking VoIP Systems - What You Need To Know

View SlideShare presentation or Upload your own. (tags: voip voipsecurity)

(And yes, at some point I'll sync the audio with the slides.)

Thank you for listening and please do let us know what you think of the show.

Cloud computing - I want my cake and eat it too

Sun, 08 Jun 2008 18:20:19 +0000

Its easy to dismiss Don Dodge's asking "Do you really want your data in the cloud" as a Microsoft guy defending their turf. Don uses some recent uptime problems at Amazon, Twitter, Disqus and Typepad to show that keeping your information in the cloud and relying on the net to deliver your applications gives you less control, less security, less scalability and less reliability.

Don has a point, even though net access and SaaS services are much more mature than they were in the past, there is always the times when it does not work. For that matter, cell phones, blackberries, and cable TV don't always work either. An indication of how vital something has become is how much we miss it if it is not available. But to the point, I remember when the personal computer first came into being. The idea of your data and the applications being "portable" to your device was revolutionary. The idea of keeping your data on those big floppy discs was so empowering. But even than, problems accessing data on a disk or an application not behaving or security problems could render you just as frustrated on your non-networked device as an Amazon or twitter being down does now.

Ultimately I think these things go in cycles and we are entering a centralized cycle now. However, I think this turn of the cycle could be different. Never before has net access been so ubiquitous. Never before have we seen the depth of optimized applications for the net. The infrastructure is finally in place to recognize the dreams of many of "thin clients" and net terminals. But I think the best model is a hybrid model. I like the Microsoft solution where I can work on stuff online and off line on my computer, than sync up later. Ultimately when it comes cloud versus local computing, I want my cake and eat it too.

Case Study: Consolidating Servers While Keeping Them in Sync with DR

Mon, 05 May 2008 09:00:00 +0000

(Source: Dell & VMWare) This VMware case study describes how a professional corporation utilizes production servers more effectively while keeping them in sync with their disaster recovery site. By using VMware® Infrastructure 3, their data center size is significantly reduced, thousands or dollars in hardware costs are saved, and availability of key services is increased.

Minneapolis Gets a Workout

Sat, 29 Mar 2008 14:19:55 +0000

My pal Julio Ojeda-Zapata walks around Minneapolis, and is relatively pleased with its network: Julio writes for the St. Paul Pioneer Press, the twin city to Minneapolis, and one that hasn't yet engaged in what was an explosion of requests for Wi-Fi networks by cities. He had a rocky start, unable to even get a splash screen, but ultimately was able to pay for a 24-hour pass ($10), and had consistent service on a laptop, albeit at half the 1 Mbps rate he was paying for. He couldn't get an iPod touch (Apple's iPhone without the phone Wi-Fi iPod) to work well on the network indoors, but had better luck outside.

The same day Julio's article appeared, his colleague Leslie Brooks Suzukamo filed an article about the challenges of leaves, something that's a big issue in Minneapolis, covered with the leafy menaces: 200,000 of the suckers that Gipper said caused pollution (as an allergy sufferer, I agree with him). Trees leaf out and reduce signal propagation, and that's something that US Internet Wireless has had to deal with. They upped their density of nodes from 26 to 42, which appears to be about the norm for both starting and ending points in muni netwrk planning.

This article goes into a little more depth about the problems with dead areas due to absent or problematic utility poles (it's always about the poles). USIW plans to install some of its own poles to fill in those areas.

Nearby, Steve Alexander notes a pioneering wireless network at the University of Minnesota has become obsolete. The U of M is replacing its 7-year-old 802.11b network with an 802.11n system. As is true in most older networks, they've got a melange of gear that's a headache to keep running and in sync. They'll spend $3.5m to cover about 40 percent of the campus with N, replacing a current similar coverage area. They may expand the network and add VoIP in the future.

The university and USIW are discussing interconnecting their networks for roaming.

SDL and Filtering

Thu, 13 Mar 2008 12:00:00 +0000

Hi, Ralph Hood here. I should probably take a minute to introduce myself since this is my first official SDL blog post. I’ve been a program manager at Microsoft for almost nine years. In past roles at Microsoft I was the lead program manager for security response in the Windows Sustained Engineering group, and in my last role I was a project manager in the Microsoft Auto group that partnered with Ford Motor Company to create the SYNC device. I joined the Security Engineering and Communications group in early November of last year as a program manager on the SDL team. My primary responsibility on the SDL team is coordinating the internal update and change process for the SDL inside of Microsoft to ensure we are always looking at new processes and technologies to further enhance the benefits of the SDL.

In the Microsoft Auto group we spent a lot of time trying to figure out what the SDL meant to our product. We knew we needed to do threat modeling, primarily because threat modeling is probably the most commonly known requirement of the SDL. Beyond threat modeling though, members of the various disciplines in our product team didn’t know what parts of the SDL applied to our product and what parts applied to technologies, platforms, or programming languages we didn’t use and thus could safely ignore. One of our program managers set out to sift through the SDL requirements and associated tools to try and determine what was applicable to our environment. While we eventually made the right decisions on what SDL requirements we needed to focus upon, we spent more time than we would have liked trying to figure it all out.

With our most recent update to the SDL at Microsoft we’ve made one significant change to try and help in this scenario. That change is to take all of the SDL requirements and plug them into a filterable framework that allows a person or a team to match requirements with specific technologies. Now, instead of being presented with a large document that covers all SDL requirements, a team is presented with a dynamic Web site that allows them to selectively filter requirements based on their product type (Client, Server, Hardware, Online Service etc), code type (Native, Managed, JavaScript etc), platform type (Win32, Win64, WinCE, Mac etc), or applies to their specific role (Program Manager, Developer, Test Engineer, Operations, etc).

This means if I’m a program manager for a Win64 Client product, I can view just the SDL requirements that apply to that criteria and the result is a clearer starting point for what you need to do to begin adopting the SDL for your project. This applicability filtering also allows product groups to more easily divide up the responsibility for ramping up on the SDL instead of overloading a single person in their group with figuring out what needs to be done. For instance, a product group could assign a person from each discipline in their team to identify which SDL requirements need to be met and at what point in the product cycle. A program manager can now more easily identify the SDL requirements that need to be thought about and met during the Requirements phase of a product, and likewise a test engineer can identify and begin working on the test collateral for SDL requirements that will be needed later in the schedule during the verification phase.

As the SDL continues to grow to address evolving security concerns and new technologies, it’s necessary for the SDL to be able to scale and have this type of filtering in place. Enhancing the functionality and depth of our tools that we use in the SDL is an ongoing process. These tools don’t always apply to every code type or product type. We have test tools that only run on native code while other tools run only against managed code, and that’s just one example. It’s important that we leverage a filterable framework like we have to address these differences and help teams understand where they need to focus their resources and what just doesn’t apply to their product or technology.

Productivity vs Security

Tue, 05 Feb 2008 08:13:00 +0000

This is a copy of a comment I posted on Rich Mogul's website. I thought that my answer clearly shows my present way of thinking about Information Security and the value thereof. I have edited my answer for this Blog Post but the essence is the same.

Rich was answering a question of Scott who assumed that as productivity goes up security goes down and vice versa and at some point there must be a sweet spot where you get the most productivity at the least cost to security. Scott uses the word "obviously"

Your (Rich and Scott) assumption is that all security controls actually decrease productivity. This may be the case in an example where passwords are used versus not used. But information security may actually increase productivity eg where spam is blocked and the user does not need to spend hours sorting email. Alternatively if browsing is restricted and time-wasting sites like facebook are blocked then productivity goes up.

My big security theory (which I wish I could put into practice) is that once companies achieve a security zen state (sorry if that is copyright) when security becomes part of the culture and is built into all systems then it actually increases productivity in a way that could actually help the bottom line.

In response to the original poster - if Information Security is at odds with the processes of the business then either the process is wrong or the information security is wrong.

If you tack on security after the fact your thinking will always be wrong.

Example:
A sales-rep is always on the road. Because he lives in the North part of town that is where his customers are. He has a list of customers and their details in his laptop. He also has their buying trends and banking details so he can confirm payment. The ISO sees all of this and almost has a heart attack. He implements a rule that the sales person can download only the clients that he is going to see that day onto his laptop and it must be done over a VPN. Sales guy also has to have his laptop encrypted and a password protected screensaver. He can, if he wants to, drive into work and download the information over the network but work is far from his house and his customers.

Man, productivity has gone to hell. He now has to dial in every day for a few minutes where in the past he didn't. He has to type in passwords every time he needs to use his PC. What a shlep.

But... if you think about the savings in terms of productivity compared to driving to work and getting the information, printing it out and then filing it away at the end of the day (another trip) - the complete system is amazing. It is saving the sales rep from making two trips a day into the office. All that needs to happen now is that it needs to be made secure and a few extra seconds each time information is needed and a few minutes at the beginning and end of each day to sync information is a pleasure compared to driving to work in rush hour traffic for no reason.

Storm-Bot stripshow analysis

Sun, 23 Dec 2007 19:06:00 +0000

Merry Christmas from the RBN. Now on a PC near you, a stripshow from Santa's helpers. Or not.
The ISC reported the expected Storm surge Christmas eve at 0000 GMT.
hxxp://merrychristmas.com/stripshow.exe (modified to protect the innocent) yields a hash of 2BBA62FBC3B9AF85C3C7D64A82E1237C. Once executed it immediately copies itself as disnisa.exe to C:\WINDOWS and adds a startup registry key for the same.

Current AV detection includes:
Kaspersky stripshow.exe - Email-Worm.Win32.Zhelatin.pd.
eTrust-Vet - Win32/Sintun.AT
Microsoft - Trojan:Win32/Tibs.gen!ldr
Symantec - Trojan.Peacomm.D

After a quick time check to Microsoft's time server, this variant switches immediately to very noisy P2P on a variety of ports. In addition to the ISC-recommended HTTP and email blocks for outbound to merrychristmasdude.com, you have to consider if you really need outbound UDP traffic above 1024. I'm a firm believer in deny all and make exceptions only via legitimate business case. If you can achieve such lockdown, even though your hosts may suffer infection, they won't be communicating with their friends and neighbors.
From API analysis we see a few interesting tidbits:

w32tm /config /update
403014 Copy(c:\malware\stripshow.exe->C:\WINDOWS\disnisa.exe)
77e6bc59 WriteFile(h=7a0)
403038 RegOpenKeyExA (HKCU\Software\Microsoft\Windows\CurrentVersion\Run)
40305f RegSetValueExA (disnisa)
402ba0 WinExec(w32tm /config /syncfromflags:manual /manualpeerlist:time.windows.com,time.nist.gov,100)
77e7d0b7 WaitForSingleObject(788,64)
402ba8 WinExec(w32tm /config /update,100)
40309b CreateProcessA(C:\WINDOWS\disnisa.exe,(null),0,(null))
4030df WinExec(netsh firewall set allowedprogram "C:\WINDOWS\disnisa.exe" enable,100)
71ab52c6 LoadLibraryA(C:\WINDOWS\system32\mswsock.dll)=71a50000
71a5716a LoadLibraryA(C:\WINDOWS\system32\mswsock.dll)=71a50000
71aa14eb GlobalAlloc()
40da1b bind(8c, port=26790)
77e7ac53 CreateRemoteThread(h=ffffffff, start=404b05)
40da1b bind(b8, port=7018)
40d9c7 listen(h=b8 )
40a262 WaitForSingleObject(d4,2710)

Nice, do a little time sync, allow ourselves through the firewall, then bind, listen, and wait.
First, add another registry entry,

0cd2d RegCreateKeyExA (HKLM\Software\Microsoft\Windows\ITStorage\Finders,)

then start connecting:

71a54cee LoadLibraryA(C:\WINDOWS\system32\mswsock.dll)=71a50000
77e7ac53 CreateRemoteThread(h=ffffffff, start=71a519c4)
40d9f1 connect( 193.33.146.178:24714 )
40d9f1 connect( 74.60.173.98:3887 )
40d9f1 connect( 58.74.135.13:30843 )
40d9f1 connect( 222.119.113.135:22295 )
40d9f1 connect( 71.234.220.147:20232 )
40d9f1 connect( 76.84.231.43:14172 )
40d9f1 connect( 124.5.147.194:16544 )
40d9f1 connect( 58.8.236.130:13224 )
40d9f1 connect( 190.79.151.75:2952 )
40d9f1 connect( 58.8.122.191:29646 )

Once this little bugger hits the network, expect flood-like traffic.
My infected sandbox victim exhausted my 1.5mb DSL connection instantly, in part from a ton of inbound responses from peers being logged at my firewall:

SRC=78.166.75.60 DST=192.168.0.3 LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=59178 PROTO=UDP SPT=24045 DPT=26790 LEN=33
SRC=78.166.75.60 DST=192.168.0.3 LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=60978 PROTO=UDP SPT=24045 DPT=26790 LEN=33
SRC=78.166.75.60 DST=192.168.0.3 LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=4987 PROTO=UDP SPT=24045 DPT=26790 LEN=33
SRC=78.166.75.60 DST=192.168.0.3 LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=6619 PROTO=UDP SPT=24045 DPT=26790 LEN=33
SRC=78.166.75.60 DST=192.168.0.3 LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=13762 PROTO=UDP SPT=24045 DPT=26790 LEN=33
SRC=78.166.75.60 DST=192.168.0.3 LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=18384 PROTO=UDP SPT=24045 DPT=26790 LEN=33
SRC=78.166.75.60 DST=192.168.0.3 LEN=53 TOS=0x00 PREC=0x00 TTL=105 ID=19891 PROTO=UDP SPT=24045 DPT=26790 LEN=33

At last, the peer list referred to by the ISC, written to C:\WINDOWS (many more entries not included):

[config]
[local]
uport=20142
[peers]
00003D6C8F338A3FDD3DF3648666F55C=0CCE03EE2BD100
0100A634122F3553A046EC451061927C=0CCEEF9C5BF700
02007E238D780D25FD5511285E2E596E=0CD9D73081A500
03001E62DC533E7AF6161729A953891B=180BB9671B4800
0400EB5EC13599373A3D544A2D6AF94F=180FAC024F7300
05004710B3440F5D2117CE555A62D04A=1810D0AE22DA00
06001471521206296D099433C93EC427=1813911C2E6100
07002D6D5B0FE3019C56B1290A564E59=1820B08043D700
0800A2417153943DC23C6C5C817C4159=18257B254F2600

There's nothing new or exciting here: SPAM component, headless P2P, seasonal social engineering, fast flux, and other pervasively annoying attributes.
User awareness, as always, is your strongest defense.
Cheers and happy holidays, except for you RBN a$$h0735.

Zune Killer App - Windows Media Center

Mon, 26 Nov 2007 18:55:40 +0000

I admit it, I did not buy a Zune last year when they were first released. I don't have a large music collection and I'm generally happy listening to the radio to get my music fix, or the digital music channels available from my cable company, if you will.

However, as some of you may realize from my previous postings (Vista Media Center Part 1, Part 2 and Part 3), I have been a fan of Media Center as a potential alternative to the recently-downgraded (don't get me started, even my wife lost what she considered *basic* features with the "standard" Comcast DVR downgrade) Comcast DVR.

The event that kicks this story of begins with a Poker game. Just after Microsoft announced the new Zune line-up in October, I won a charity poker event where the prize was a custom Zune 30. It was basically a "pearl" Zune with a special logo on the back and pre-loaded with some poker theme music that we heard during the event. I played with it a few days, loading it with some songs and even buying a couple of recent ones from the Zune marketplace.

Then ... I discovered the killer feature ... integration with my Windows Vista Media Center. Now, technically, this feature was not actually enabled when I discovered it. However, it took me all of 5 minutes to find the registry mod on the Internet and enable it. That became moot a week or so ago when the recent Zune upgrade rectified that issue, so now everyone can enjoy this feature by default. Here is the very simple set-up instructions:

Install the Zune software on your media center
Make sure you add your "Recorded TV" folder, if it is in an odd place (mine is on an external half-TByte drive).
Plug in your Zune device as a guest
Sync recorded TV shows to your heart's content

Now, let's see why this rocks...

iPod vs Zune TV Comparison

The Apple Way...

There was much ado when the Daily Show became available on iTunes for $1 per show or $9.99 for 16 episodes (roughly 3 weeks of shows). I browsed over to http://www.apple.com/itunes/store/tvshows.html just now and found this blurb:

Be a watercooler hero. For as little as $1.99, you can own the latest episode of your favorite show as early as one day after it airs, or purchase past episodes that you missed (or want to watch over and over). Choose a Season Pass and get a whole season of a TV show, past or present, at a discount. Or buy Multi-Passes for shows that air every day, like The Daily Show with Jon Stewart, and enjoy a month’s worth of episodes downloaded automatically to your computer.

Well, yahoo, yipee! Only $2 per show on your iPod, iPhone or Apple TV.

The Zune + Media Center Way ...

I record all of my favorite TV shows on my Windows Media Center. In the evening, I plug in my Zune and choose which shows to sync for mobile watching. For example, last night I chose the two latest episodes of Heroes which I had not gotten around to watching because of my recent Jury Duty and the holiday activities. The Zune software automagically converts the show to 320x240 and syncs it to my Zune.

This morning on the Connector Bus to work, I watched Heroes Season 2, Episode 7, "Out of Time" and found out the surprising identity of "Adam Monroe." I'll watch Episode 8 on the way home...

And My TV Movies Too...

And, it doesn't stop there. As I described previously, I've been building up quite a library of TV Movies, cutting out commercials, compressing them and creating my own on-demand TV Movies library. Since I got my Zune, I've switched to using MP4 compression with H.264 video and AAC3 audio, which gets added automatically to my Zune library and can be synced to the device... better together indeed!

With my Zune 30, this means I can load up about 50 kids movies and TV shows that I've previously recorded for those long road trips and vacations. In fact, I can plug my Zune into the aux-video inputs in our mini-van and play directly on the integrated DVD video screen.

And it is all so easy...

Forget the IPhone, Give me the JPhone

Wed, 25 Jul 2007 17:56:46 +0000

Phones are a lot like other products in that when you get the one you think you want, your main takeaway is to learn about what you want different on your next purchase.

My wife and I are always discussing key things we want in our next home purchase (like more garage space, for example) - though we have no plans to change houses anytime soon. That has been the iPhone for me. I knew immediately I didn't want one and knew that it wasn't going to change.

Why? The dealbreaker for me is the lack of an actual phone number pad, where you have to use softkeys to dial your number. I have that now. I hate it and will never get a phone again that doesn't have a physical number pad for dialing (except maybe a really small one that is totally voice controlled - but that seems unlikely in the near-term.)

So, in case any phone vendors are out there, or if you are influential with a phone vendor, here are my asks:

Stylish, small, form-factor. Lots of good examples of this. I like the "Chocolate" and the Sony Ericsson W600i, for example.
Physical number pad. The Nokia N series and the W600i are both good examples of having a good number pad, without a full keyboard.
NO full keyboard. I've got one and don't use it. I don't want to type email messages or IMs on my phone, but if I have to, a soft keyboard or the numberpad is good enough.
NO camera. Get rid of it, reduce my price. I have a camera and don't need a crappy one on my phone.
Outlook Mobile. I want to emphasize this by itself. The *main* reason I want to any sort of smart phone is to keep my schedule sync'd up and easy to access.
Good size screen with touch screen. I do have to say I love the screen size on the iPhone - however, I do want the phone to be compact. So, taking keyboard and screen together, I think the Nokia N73 is a good example of the right balance.
Bluetooth.

Now, in the cheapy version, that would be it. Wouldn't it be great to have that option? Of course, I do want a few other features which I think are implied. I think if the phone uses Windows Mobile, I probably get these automatically:

I want to be able to play my mobile games (e.g. bejeweled 2, poker)
I want to be able to load up and run a VOIP client and connect to my home network to accept or make calls.
I would like to be able to access the Internet to check movie times.
I would like to play my music

So, in summary, I just want a small, stylish phone, with Outlook scheduling and good Internet usability. It'd be nice if I could replace my music player with it, but I have no interest in replacing my camera or having a touch screen only.