The State of VoIP Security, a.k.a. “Does Anyone Really Give A _____ About VoIP Security?"
•
1 like•8,911 views
Does anyone really care about VoIP security? Why should they? What are the main issues? At the 2011 Real-Time Communications Conference sponsored by the Illinois Institute of Technology (IIT), Dan York spoke about all these questions and gave a view of the overall state of the industry. A video recording of the Oct 5, 2011, session will be available and will be able to be found at http://www.voipsa.org/blog/ when it is ready.
The State of VoIP Security, a.k.a. “Does Anyone Really Give A _____ About VoIP Security?"
- 1. The State Of VoIP Security, a.k.a.! ! “Does Anyone Really Give A _____ About VoIP Security?” Dan York, CISSP! Chair, VoIP Security Alliance October 5, 2011
- 2. © 2011 VOIPSA http://www.flickr.com/photos/willpate/46488553/
- 3. Does Anyone Really ! Give A _____ About! VoIP Security? © 2011 VOIPSA
- 4. Does Anyone Really ! Give A _____ About! VoIP Unified Communications Security? © 2011 VOIPSA
- 5. Technical Solutions © 2011 VOIPSA
- 6. Widely Deployed © 2011 VOIPSA
- 7. TLS-Encrypted SIP © 2011 VOIPSA
- 8. Secure RTP (SRTP) © 2011 VOIPSA
- 9. MORE Secure! Than PSTN © 2011 VOIPSA
- 10. © 2011 VOIPSA http://www.flickr.com/photos/mattblaze/2275723713/
- 11. MORE Secure! Than Ever Before © 2011 VOIPSA
- 12. Almost All Venders! Have Support © 2011 VOIPSA
- 13. Almost All Customers! Don’t Turn It On © 2011 VOIPSA
- 14. Why Not? © 2011 VOIPSA
- 16. Fingerpointing, a.k.a. “One Throat To Choke” PSTN PBX Gateways Physical Voicemail Wiring © 2011 VOIPSA
- 17. Fingerpointing - 2011 Mobile Devices IM Application Internet Servers Networks Operating Systems PSTN IP-PBX Gateways VoIP Web IP Social Firewalls Servers Network Networks Physical Directory Voicemail Wiring Servers Desktop Email PCs Database Servers CRM Servers Systems Session Border Controllers © 2011 VOIPSA
- 20. Turn It Back On? © 2011 VOIPSA
- 21. SIP Is So Simple, Right? © 2011 VOIPSA
- 22. Riiiiiigggghhhttt… (Fingerpointing Redux) © 2011 VOIPSA
- 24. The Old Boys’ Club Carrier Carrier Carrier PSTN Carrier Carrier Carrier Carrier © 2011 VOIPSA
- 25. The Wild West… ITSP ITSP ITSP ITSP ITSP ITSP ITSP ITSP ITSP ITSP ITSP ITSP ITSP ITSP PSTN ITSP ITSP ITSP ITSP ITSP ITSP ITSP ITSP ITSP ITSP ITSP ITSP ITSP ITSP ITSP ITSP ITSP ITSP ITSP ITSP ITSP © 2010 VOIPSA and Owners as Marked © 2011 VOIPSA
- 26. Evolution of Attacks © 2011 VOIPSA
- 30. If 1 Is Good, Why Not 3? © 2011 VOIPSA
- 32. Internet LAN © 2011 VOIPSA
- 33. PC UC System Firewall Internet Home Firewall IP Corp HQ Phone Home © 2011 VOIPSA
- 34. Laptop UC client WiFi UC System Firewall Internet Café Router Corp HQ Mobile Data Network Mobile UC client © 2011 VOIPSA
- 35. Corporate Internet Network IVR Voicemail IM IM IM Presence Presence Presence Call Call Call Control Control Control Conferencing Corp HQ Office A Office B PSTN © 2011 VOIPSA
- 36. © 2011 VOIPSA
- 37. Աfit (for us… and for attackers) © 2011 VOIPSA
- 38. DDoS! (the old-fashioned kind)! (Asterisk & Amazon EC2, anyone?) © 2011 VOIPSA
- 39. SPIT! (“SPam for Internet Telephony”) SPAM © 2011 VOIPSA
- 41. Fingerpointing - 2011 Mobile Devices IM Application Internet Servers Networks Operating Systems PSTN IP-PBX Gateways VoIP Web IP Social Firewalls Servers Network Networks Physical Directory Voicemail Wiring Servers Desktop Email PCs Database Servers CRM Servers Systems Session Border Controllers © 2011 VOIPSA
- 42. The Device Formerly! Known As A! “Phone” © 2011 VOIPSA
- 44. RTCWEB / WebRTC © 2011 VOIPSA
- 46. Fingerpointing - 2011 Mobile Devices IM Application Internet Servers Networks Operating Systems PSTN IP-PBX Gateways VoIP Web IP Social Firewalls Servers Network Networks Physical Directory Voicemail Wiring Servers Desktop Email PCs Database Servers CRM Servers Systems Session Border Controllers © 2011 VOIPSA
- 48. “The Hitchiker’s Guide! To SIP” © 2011 VOIPSA
- 49. Forgotten! Simple Things © 2011 VOIPSA
- 50. Biggest Financial Threat? © 2011 VOIPSA
- 51. Toll Fraud © 2011 VOIPSA
- 52. IT Security 101 © 2011 VOIPSA
- 53. PIN = “1234” © 2011 VOIPSA
- 54. Password = “password” © 2011 VOIPSA
- 55. Default password list © 2011 VOIPSA
- 56. VoIP = bits © 2011 VOIPSA
- 57. IT Security 101 © 2011 VOIPSA
- 58. Does Anyone Really ! Give A _____ About! VoIP Security? © 2011 VOIPSA
- 59. WHEN Will They Care? © 2011 VOIPSA
- 61. Identity Theft © 2011 VOIPSA
- 63. Trusted Leader © 2011 VOIPSA
- 64. “VoIP Is Insecure!!!” © 2011 VOIPSA
- 65. depl oyed tupi dly S “VoIP Is Insecure!!!” ^ © 2011 VOIPSA
- 66. “VoIP Is Insecure!!!” © 2011 VOIPSA
- 67. Cover Your ____ © 2011 VOIPSA
- 69. IT Security 101 © 2011 VOIPSA
- 70. Audit, Audit, Audit © 2011 VOIPSA
- 71. Enable What You Have © 2011 VOIPSA
- 78. © 2011 VOIPSA
- 79. Secure By Default © 2011 VOIPSA
- 81. What is the Industry Doing to Help? Security Vendors VoIP Vendors “The Sky Is Falling!” “Don’t Worry, Trust Us!” (Buy our products!) (Buy our products!) © 2011 VOIPSA
- 83. Security Links • VoIP Security Alliance - http://www.voipsa.org/ – Threat Taxonomy - http://www.voipsa.org/Activities/taxonomy.php – VOIPSEC email list - http://www.voipsa.org/VOIPSEC/ – Weblog - http://www.voipsa.org/blog/ – Security Tools list - http://www.voipsa.org/Resources/tools.php – Blue Box: The VoIP Security Podcast - http://www.blueboxpodcast.com • NIST SP800-58, “Security Considerations for VoIP Systems” – http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf • Network Security Tools – http://sectools.org/ • Hacking Exposed VoIP site and tools – http://www.hackingvoip.com/ • Seven Deadliest Unified Communications Attacks – http://www.7ducattacks.com/ © 2011 VOIPSA
- 84. Thank You For! Giving A _____ © 2011 VOIPSA
- 85. Thank you! Q & eh? www.voipsa.org 7ducattacks.com Dan York - dan.york@voipsa.org! +1-802-735-1624 DisruptiveTelephony.com danyork.com! blueboxpodcast.com twitter.com/danyork © 2011 VOIPSA