 |
|
|
|
|
|
|
|
|
 Blue Box Podcast #44 is now available for download. In this show, we cover the new SIP attacktools released by Mark Collier and Dave Endler, talk about the IETFmeeting, ZRTP and Phil Zimmermann’s patent disclosure, Skype securityissues, a war dialling script for Asterisk, listener comments and muchmore. Feedback is, as always, welcome. Tags: asterisk, blue box, bluebox, ietf, philzimmermann, sip, sip security, skype, skype security, voip, voip security, voipsecurity, zrtp
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
 As Mark Collier wrote in a Voice of VOIPSA blog yesterday, he and and David Endler have released a new set of VoIP attack tools as part of their " Hacking VoIP Exposed" book and project. Some interesting - and potentially dangerous - tools released: - rtpinsertsound - a tool that will insert the contents of a sound file into an existing RTP stream. So if you can gain access to an RTP stream, you could use these tools to insert words or phrases into the existing RTP stream. I'd have to check with Mark and David, but I'd think that the result would be that the listener would hear the new phrase but the speaker would not. Now, if you have access to these (obviously unencrypted) RTP streams, you could obviously record someone's conversations and build up a vocabulary for that person. You could then assemble your injection phrase from that person's prior conversations and then wait for the right moment to inject it. This does, of course, require a somewhat significant amount of work, network access and the proper timing... but is obviously a possibility.
- rtpmixsound - basically the same as 'rtpinsertsound' except that it will mix in the sound with the audio stream, so you could provide, um, "interesting" background sounds for someone's conversation. Again, I think it would be without the knowledge of the speaker. ("Fred, where are you?" "Here in the office, why?" "Well why does it sound like you are at a ball game?"... (or some other more controversial location))
- redirectpoison - listens for a SIP INVITE message and then sends a redirect message so that the SIP endpoint issues an invite to that new location. Simple example might be redirecting all calls to an extension to another extension.
- spitter - turns Asterisk into a platform to generate SPIT (aka VoIP telemarketing) calls.
These tools were all publicly released through their hackingvoip.com website, so they are now out there and available. Security professionals involved with VoIP should definitely take a look. Do note that using the encryption for the signalling and voicepath provided by most enterprise VoIP phone systems would protect against the first three tools. If you don't use encryption, well... you are vulnerable. Get a better VoIP phone system that supports secure signalling and secure voicestreams. Tags: asterisk, hacking voip, security, sip, spit, voip, voip security, voipsecurity
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Interesting VON session today on open source PBX applications with folks like Mark Spencer of Digium/Asterisk and Bill Rich of Pingtel and moderated by Bill Goodman of Verizon. Good discussion and comments... interesting question around what are the reactions of the Network Equipment Providers (NEPs, i.e. the carrier suppliers). Other question about whether service providers should consider open source for the PSTN network - to which Ravi Sakaria of VoicePulse relayed that he has been saying "if you are a service provider and are NOT using open source, you are dying a slow death" and went on to offer some cogent comments on the topic. That is, of course, open to debate, but it's an interesting perspective. Many other good questions. Very worthwhile listening... hopefully I'll get a chance to write more about it. Tags: asterisk, opensource, pingtel, springvon2006, voip, von
|
|
|
|
|
|
|
|
|
|
|
|
![[info]](http://l-stat.livejournal.com/img/userinfo.gif){kind=small}
