Tony's Blog

IMI-TechTalk: Business Continuity and Cost Cutting with Unified Communications

tony — Wed, 17 Jun 2009 16:37:00 GMT

There was some time zone confusion with the scheduled guest of the IMI-TechTalk radio show this past Sunday. I received a phone call in the middle of the show while Tom was live on the air asking me to step in and do the live show impromptu. So, I jumped on the air and host Tom D'Auria and I proceeded to discuss unified communications. Specifically, we talked about how unified communications pays for itself and can help companies save money, as well as how it fits into business continuity plans and preventing or responding to a pandemic outbreak or any other disaster.

TechTalk is broadcast on KFNX AM 1100 out of Phoenix, AZ, but you can also listen to a live stream of the show via the Web. Tune in at 6pm Eastern / 5pm Central to listen on the show live. If you miss the live show, you can check back on the IMI-TechTalk blog and find a link to the recorded MP3 to download after the fact.

Click on the 'attachment' link below to listen to the June 14 IMI-TechTalk show on cost savings and business continuity with unified communications.

Follow me on Twitter

Researchers Hack Skype and Google Voice VoIP Calls

tony — Mon, 13 Apr 2009 02:44:00 GMT

VoIP is a hot technology for enterprise communications, but it is also a hot communications technology for consumers. Vonage has been around for years. Most cable TV providers have added both broadband Internet service and VoIP phone service to their product inventory and offer bundled pricing that make it more cost effective for consumers to purchase all three from the one provider.

Of course, free is good too. Skype was one of the first to emerge as a free voice over IP communication tool. Over the years it has evolved and actually provides a pseudo-unified communications and pseudo-social networking experience in addition to the voice communication. In fact, for some small and medium organizations Skype has been embraced as a communications tool in the enterprise as well. Google got into the game more recently with Google Voice. By virtue of being Google, their product has become somewhat of an instant success as well.

Recently a researchers at Secure Science demonstrated methods they have discovered that allow them to listen to or hijack Skype and Google Voice calls. The attacks could be used to launch a 'botnet' style VoIP attack, harnessing thousands of compromised VoIP accounts to make spam telemarketing calls that can't be traced. An attacker might also be able to lure a user into surrendering sensitive information such as credit card or social security numbers. The attacks are different for Skype and Google Voice. You can learn more about the details from this PC World article.

Google responded quickly and worked with the researchers to address the weaknesses in their system and improve their authentication process to prevent the attack. Kudos to Google. The attacks spotlight some of the issues with VoIP though. I know it seems sort of 'broken record' but consumers and enterprises alike are adopting VoIP for all of the benefits it can provide with no regard for the security concerns that come with it. They take for granted the relative security that traditional phone communications have enjoyed and forget that when you move voice communications onto the data network it becomes subject to many of the same risks and threats while also creating whole new risks and threats that didn't previously exist.

What to Expect from Windows 7

tony — Sat, 04 Apr 2009 00:52:00 GMT

On March 29, 2009 I appeared as a guest on the IMI-TechTalk radio show. Tom D'Auria, CEO of Information Methods Incorporated (IMI), and I talked about Microsoft's new desktop operating system, Windows 7. We talked about what users can expect from the new operating system and some of the new features that users can look forward to. We also talked about when the new operating system is expected to be released and the various versions of Windows 7 that will be available. IMI-TechTalk is broadcast by KFNX AM 1100 out of Phoenix, AZ every Sunday. It is also available as streaming audio via the Web so you can listen to the show no matter how far you are from Phoenix.

Click on the 'attachment' link below to listen to the Microsoft Windows 7 show from March 29, 2009.

Follow me on Twitter

Attack Capable of Capturing SIP Device Password

tony — Fri, 27 Mar 2009 13:03:00 GMT

A pair of VoIP security researchers claims to have discovered a method for acquiring the password from a SIP device. The attack seems to take advantage of a weakness in SIP security controls and authentication. When a call is being terminated, the SIP UserAgent sends a 'BYE' message. Normally this would terminate the call, but with this attack a response is sent to the device of '407 Proxy Authorization Required' and the SIP UserAgent responds by transmitting the password for the SIP device (encrypted with MD5 hash).

For this attack to work demonstrates a weakness in SIP authentication. The SIP protocol should not respond to such requests from external or untrusted sources. The SIP protocol itself should be coded to ignore or drop authentication requests from unauthorized sources. VoIP vendors and organizations using vulnerable SIP devices may be able to configure security controls to mitigate the threat by blocking or dropping requests like this without allowing them through to the SIP device.

A successful attack could reveal the password for the targeted SIP device, allowing the attacker to impersonate that device. Given the IP address and password of the SIP device, the attacker could attach a rogue SIP device which the VoIP network would recognize. There may be other potential attacks that result from the ability to impersonate an authorized SIP device, but the most prevalent would be simply VoIP call fraud. Attackers can use the hijacked SIP device to place calls around the world. If that happens, the organization might be shocked when they get the next bill from their VoIP provider.

According to their blog post, the attackers feel confident they can get the password from any SIP device using this method. That is because the flaw is with the SIP protocol itself and not with any particular device. What are your thoughts? Is this a big deal or just hype? Who bears the burden to address the issue- the SIP device vendors, or should the SIP protocol itself be modified to protect the authentication and authorization exchanges?

Follow me on Twitter

Reality Check: Should you invest in IP PBX now, later or not at all?

tony — Wed, 25 Mar 2009 16:40:00 GMT

Each month TechTarget's SearchUnifiedCommunications site does a podcast on a unified communications topic titled Reality Check. I appeared as a guest on this month's podcast and was interviewed by SearchUnifiedCommunications Associate Editor Elaine Hom. We focused our discussion this month around the PBX. We talked about whether the PBX is still relevant and whether or not organizations that are implementing unified communications need to invest in a PBX or IP PBX. We also talked about the different approaches that some of the major unified communications vendors take and how their core competency in part dictates the focus of their unified communications initiatives, as well as some best practices for how to tackle implementing unified communications.

You can listen to the podcast by clicking here.

Follow me on Twitter

Talking Windows 7 on TechTalk Radio Show

tony — Sun, 22 Mar 2009 01:49:00 GMT

I will be joining host Tom D'Auria live on the IMI-TechTalk radio show this Sunday. Our topic this week will be Windows 7. We will talk about what you can expect from the upcoming new desktop operating system from Microsoft. We will also focus on some of the issues that Microsoft has had in the past when rolling out a new operating system- Vista being a recent and poignant example of those issues, as well as some of the compelling new features that could be game changers for some organizations.

Follow me on Twitter

The State of PCI Compliance

tony — Wed, 18 Mar 2009 19:38:00 GMT

As Director of Security for Evangelyze Communications my primary focus is on the security implications of VoIP and unified communications and helping our customers to understand the risks and implement effective security controls to protect their unified communications infrastructure. Another aspect of that security however is the issue of compliance. Organizations fall under a variety of regulatory mandates and industry guidelines and those compliance requirements often overlap into monitoring and retaining communications data.

Organizations need to be familiar with the mandates they are obligated to follow, whether it is SOX (Sarbanes-Oxley), HIPAA (Health Insurance Portability and Accountability Act), GLBA (Gramm-Leach-Bliley Act), PCI DSS (Payment Card Industry Data Security Standard), or others. Some organizations must comply with two or more of these depending on the industry they are in and the types of business they engage in. To achieve and maintain compliance, organizations need to understand what the requirements are for compliance regarding their communications. As it relates to unified communications, organizations have to grasp the implications of the converged communications channels. With instant messaging conversations archived in Outlook, and voicemail messages sent as file attachments via email, and email being able to be read over the phone by Microsoft Exchange using Outlook Voice Access, the lines are blurred between the types of communication and organizations have to be aware of this and put the appropriate controls in place to be compliant.

PCI Compliance has been a particular focus of mine. I was the lead author and tech editor of PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance published by Syngress in 2007. Dr. Anton Chuvakin and I are co-authoring a 2nd edition of the book to be published later this year which will contain updated information related to revisions in the PCI DSS guidelines themselves as well as reflecting new information regarding the various breaches and issues that have occurred over the past couple of years. It will also have more real-world case studies and how-to guidance to provide more actionable material for the reader rather than just a theoretical description of the PCI DSS guidelines.

This week I was the guest on a podcast recorded for BankInfoSecurity.com titled 'The State of PCI Compliance'. You can listen to the streaming audio by clicking here.

Follow me on Twitter

Forefront Security for OCS Finally Reaches RTM

tony — Wed, 18 Mar 2009 16:06:00 GMT

Forefront Client Security and other Forefront Server Security products, such as Forefront Security for Exchange Server and Forefront Security for Sharepoint, have been around for some time now. Microsoft's Forefront Security for Office Communications Server seems to have taken a painstakingly long time to get developed, make it through Beta testing, and finally now released to manufacturing (RTM). But, that day has finally arrived.

Forefront for OCS delivers valuable protection for the unified communications platform. Aside from protecting OCS 2007 and OCS 2007 R2 from malware using as many as five simultaneous antivirus scanning engines, Forefront Security for Office Communications Server also provides keyword and content filtering for instant messaging communications. Using Forefront Security for OCS, organizations can block sensitive or confidential information from being communicated via instant messaging, and certain file types- for example EXE files- can be blocked as instant messaging file attachments. Microsoft Forefront Security for Office Communications Server looks at the actual file content so it is also smart enough not to be circumvented by simply renaming the file extension.

I will be writing more about how to install, configure, and administer Forefront Security for Office Communications Server in the coming weeks. Check back to learn more about the product, how it works, and issues you may expect to encounter. Feel free to comment here or drop me an email if you have specific questions or run into problems that you would like me to explore.

Follow me on Twitter

INVITE of Death

tony — Mon, 16 Mar 2009 00:51:00 GMT

Pretty cool name, huh? If you're going to create a new VoIP or unified communications attack, you want to have one with panache and it is hard to get a name with more impact than the 'INVITE of Death'.

That said, the attack itself is not nearly as impressive as the name. SIP is one of the prevalent protocols for VoIP and unified communications. The INVITE request is a function of SIP (Session Initiation Protocol). When a call is placed, the INVITE request is sent to the device being contacted. The receiving device can respond that it is TRYING, or that it is RINGING, or with OK and establish the communications session as a few examples.

The INVITE of Death attack is simply a denial-of-service (DoS) attack and it only works against one particular open source product- OpenSBC. Directing a malformed INVITE request to a vulnerable OpenSBC server will cause the OpenSBC server to crash.

In this case, simply stripping out erroneous characters- specifically leading or trailing colons- solves the problem and protects the OpenSBC server from the INVITE of Death DoS attack. The INVITE of Death won't be bringing VoIP to its knees, but it does demonstrate the similarities between SIP and HTTP and illustrates that SIP can be vulnerable to the same types of malformed packet attacks that have plagued standard network data and Web servers for years.

Follow me on Twitter

Securing SIP Trunks

tony — Sun, 08 Mar 2009 17:57:00 GMT

SIP trunking provides organizations with a cost-effective, reliable method of connecting the internal network and telephony systems with external VoIP and traditional phone systems over the IP network. SIP tunking is quickly replacing traditional PRI and analog circuits for enterprise communications. Typically, SIP trunking involves an IP PBX, however Microsoft Office Communications Server 2007 R2 introduced the ability to do direct SIP trunking to the OCS 2007 environment and eliminate the IP PBX. Microsoft only provides direct SIP trunking with two VoIP providers, but Evangelyze Communications developed SmartSIP which lets organizations leverage their existing telephony hardware and employ direct SIP trunking with virtually any VoIP provider.

SIP trunking has many business benefits, but also introduces some additional security concerns. Internal security policies and controls will most likely differ from the security policies and controls of the SIP trunk provider. Connecting with the SIP trunk provider may involve opening ports though the firewall or NAT device, modifying the IP PBX (if present), changing private IP addressing or numbering plans, or other changes to the unified communications infrastructure. The organization must also maintain control over signaling and media secuity as well as call-routing policies.

Organizations have to understand the risks and implement appropriate security measures to ensure the availability of their unified communications network, the integrity and confidentiality of voice and data communications, and the overall compliance with regulatory requirements the organization might be subject to. Read Securing SIP Trunks to learn more about the security issues and how Evangelyze Communications, by partnering with Sipera Systems, can work with organizations to implement SIP trunking securely.

Follow me on Twitter

Metasploit Founder Introduces WarVOX Suite for Voice Penetration Testing

tony — Sun, 08 Mar 2009 04:18:00 GMT

The founder of Metasploit, HD Moore, has released a new set of tools for voice security research and penetration testing- WarVOX. Metasploit has been around for a few years and has offered security administrators and researchers a powerful and comprehensive exploit generation and penetration testing platform that is freely available. Now, HD Moore has taken that same concept or basic goal and delivered the WarVOX suite of security tools for exploring, classifying, and auditing telephone systems.

WarVOX can be used to conduct reconnaisance and penetration testing of voice networks. It is a war-dialing tool, among other things, but a war-dialing tool with a broader approach. According to the WarVOX site "Unlike normal wardialing tools, WarVOX works with the actual audio from each call and does not use a modem directly. This model allows WarVOX to find and classify a wide range of interesting lines, including modems, faxes, voice mail boxes, PBXs, loops, dial tones, IVRs, and forwarders. WarVOX provides the unique ability to classify all telephone lines in a given range, not just those connected to modems, allowing for a comprehensive audit of a telephone system."

I have downloaded the WarVOX installation and plan to play around with it. Metasploit has earned a great deal of respect in the general security research arena, so I expect good things from WarVOX as well. You can check out this presentation to learn more about WarVOX and how and why it was developed.

Follow me on Twitter

Reality Check: Can you have UC without VoIP/IP PBX?

tony — Wed, 25 Feb 2009 21:21:00 GMT

Each month TechTarget's SearchUnifiedCommunications site does a podcast on a unified communications topic titled Reality Check. I appeared as a guest on this month's podcast and was interviewed by SearchUnifiedCommunications Associate Editor Elaine Hom. We talked about the general concept of unified communications, and we dove deeper into whether or not VoIP is a requirement of unified communications, as well as the recently released Office Communications Server 2007 R2 and whether or not organizations really need to have an IP PBX any longer.

You can listen to the podcast by clicking here.

Microsoft Voice and Unified Communications

tony — Mon, 23 Feb 2009 04:39:00 GMT

Joe Schurman, my friend and the Founder and CEO of Evangelyze Communications, wrote a book which just hit the shelves this week: Microsoft Voice and Unified Communications. The book is an excellent primer on unified communications combined with visionary insight on the direction and future of unified communications from someone who has been in the VoIP / unified communications trenches since they were first dug. I did a more in depth review of the book which you can read here.

There is a sample chapter available for download from WhatDoUC.com. I also highly recommend that you listen to the podcast interview Joe did with Eileen Brown for OnMicrosoft.

The Future of Unified Communications

tony — Mon, 23 Feb 2009 03:54:00 GMT

On January 18, 2009 I appeared as a guest on the IMI-TechTalk radio show. Tom D'Auria, CEO of Information Methods Incorporated (IMI), and I talked about the future of Unified Communications. I provided a brief overview of what unified communications is and what the current market looks like. We then talked about whether or not companies still need to have a PBX and some of the advantages and benefits that software-powered voice delivers. We wrapped up by talking about where unified communications is heading and discussing some of the innovative tools that Evangelyze Communications has developed to extend the functionality of Microsoft Office Communications Server. IMI-TechTalk is broadcast by KFNX AM 1100 out of Phoenix, AZ every Sunday. It is also available as streaming audio via the Web so you can listen to the show no matter how far you are from Phoenix.

Click on the 'attachment' link below to listen to the Microsoft Response Point show from January of 2009.

Microsoft Response Point

tony — Mon, 23 Feb 2009 03:29:00 GMT

On April 27, 2008 I appeared as a guest on the IMI-TechTalk radio show. Tom D'Auria, CEO of Information Methods Incorporated (IMI), and I talked about the Microsoft Response Point phone system. I provided an overview of what Microsoft Response Point is and how it enables small and medium businesses to get enterprise-class communications and features on an SMB budget. IMI-TechTalk is broadcast by KFNX AM 1100 out of Phoenix, AZ every Sunday. It is also available as streaming audio via the Web so you can listen to the show no matter how far you are from Phoenix.

Click on the 'attachment' link below to listen to the Microsoft Response Point show from April of 2008.