ETel2007: The Black Bag Security Review (VoIP Security)
19 likes27,893 views
This document tells the story of SysAdmin Steve and his experiences securing a company's new VoIP phone system. It describes many potential security issues like unencrypted SIP trunks allowing sensitive calls and data to be intercepted. It emphasizes that while VoIP security can be challenging, applying defense-in-depth principles like encryption, firewalls, monitoring and secure configurations can help mitigate risks. The story suggests Steve works to educate colleagues and properly secure the system, but leaves his future at the company uncertain.
ETel2007: The Black Bag Security Review (VoIP Security)
- 1. The Black Bag Security Review Dan York, CISSP Emerging Telephony 2007
- 2. The Story of SysAdmin Steve Part 1
- 3. Once upon a time...
- 4. big company
- 6. promotion
- 7. IT
- 8. phones, too!
- 10. net head
- 11. V
- 12. Voice
- 13. SIP
- 14. open standard
- 16. education
- 17. IP-PBX SIP Service Provider LAN Internet PSTN
- 18. cheap
- 19. merged
- 20. quit
- 21. ?
- 22. new IT staff
- 23. Juvenile Joe
- 24. BOFH
- 25. read e-mail
- 26. monitor
- 27. comment
- 28. playground
- 29. exploit chaos
- 30. fun
- 31. ultimate truism
- 32. voice = packets
- 33. packets = bits
- 34. bits can be manipulated
- 35. “ VoIP security tools”
- 37. voipsa.org
- 38. hackingvoip.com
- 39. sectools.org
- 41. good
- 42. evil
- 43. test/defend
- 44. attack
- 45. perspective
- 46. white hat
- 47. black hat
- 48. wireshark the tool formerly known as Ethereal
- 50. cain & abel
- 51. RTP
- 52. WAV
- 53. MP3s
- 54. iPod
- 55. 2-hour commute
- 57. personal iPod
- 59. personal iPod
- 60. (scared yet?)
- 61. conversations
- 62. PIN
- 63. voicemail PINs
- 64. banking PINs
- 65. DTMF decoder
- 66. (fun stuff, eh?)
- 67. Teleworker Ted
- 68. envy
- 69. grudge
- 70. hang up Ted
- 71. cell phone
- 72. devious
- 73. mix in new background
- 74. amusement park
- 75. screaming kids
- 76. dog
- 77. Ted’s dog
- 78. endless barking
- 79. no clue
- 80. Process Paul
- 81. new rules
- 82. worked late
- 83. wife
- 84. female
- 85. no clue
- 86. ???
- 88. family
- 89. SIP softphone
- 91. (toll fraud)
- 92. Board conf calls
- 93. revenues in the tank
- 94. acquisition
- 95. only hope
- 96. IT outsourced
- 97. job
- 98. (Uh-oh)
- 99. war
- 100. SIP trunk
- 101. unencrypted
- 102. sniff CID
- 103. lawyers
- 104. CFO
- 105. SIP Redirect
- 106. random extension
- 107. shipping
- 108. HR
- 109. labs
- 110. kitchen
- 111. ?
- 112. acquire?
- 113. @#$@?%$!
- 114. SysAdmin Steve
- 115. fix it
- 116. DoS
- 117. BYE
- 118. hang up CEO
- 119. set reload
- 121. busy
- 122. packet flood
- 123. degrade
- 124. cell phones
- 125. acquire?
- 126. @#$@?%$!
- 127. SysAdmin Steve
- 128. fix it
- 129. 3 strikes
- 130. investigation
- 131. truth
- 132. discovered
- 133. heart attack
- 134. SIP trunk
- 135. unencrypted
- 137. public Internet
- 138. clear
- 139. call records
- 140. public Internet
- 141. cleartext
- 142. (not good)
- 143. plan
- 144. Fire Joe!
- 145. defense in depth
- 146. layers
- 147. encryption
- 148. voice
- 149. call control
- 150. LAN
- 151. SIP trunk
- 152. clueless
- 153. new provider
- 154. call accounting
- 155. IP network
- 156. VLANs
- 157. IDS/IPS
- 158. monitoring
- 159. rate throttling
- 160. secure perimeter
- 161. firewall traversal
- 162. firmware
- 163. o/s patches
- 164. disable services
- 165. die, default passwords, die, die, die
- 166. layers
- 167. secure VoIP
- 168. caveat
- 169. internal
- 170. disgruntled
- 171. x%?
- 172. compromised servers
- 173. spyware
- 174. unsecured WiFi
- 175. (checked your parking lot lately?)
- 176. offline analysis
- 177. SIP trunk
- 178. $$$
- 179. security
- 180. (differentiator?)
- 181. Botnet Bob
- 182. zombies
- 183. fun
- 184. profit
- 185. Criminal Chris
- 186. espionage
- 187. identity theft
- 188. human replay attack
- 189. Spammer Sue
- 190. SPIT
- 191. 1,000s of calls
- 192. “ significant event”
- 193. Congressman
- 194. mistress
- 195. public official
- 196. porn line
- 197. identity theft
- 198. 13-yr-old
- 199. podcast
- 200. Wall Street Journal
- 201. “ VOIP IS INSECURE!”
- 202. moral
- 203. VoIP *can* be secure
- 204. work
- 205. plan
- 206. questions
- 207. education
- 208. good news
- 209. voipsa.org
- 211. VOIPSA Best Practices
- 212. VOIPSEC mailing list
- 213. blueboxpodcast.com
- 215. (if you’re not reading them, be aware the attackers ARE!)
- 216. defense in depth
- 217. layers and layers
- 218. voice
- 219. call control
- 220. SIP trunks
- 221. management interfaces / APIs
- 222. PSTN interfaces
- 223. PSTN
- 224. voip = IP + PSTN
- 225. it’s the network, stupid
- 226. IP network
- 227. voice = packets
- 228. packets = bits
- 229. bits can be manipulated
- 230. VoIP *can* be secure
- 231. work
- 232. plan
- 233. SysAdmin Steve?
- 234. happily ever after?
- 235. acquisition?
- 236. job?
- 237. CIO?
- 238. another story
- 239. To be continued...
- 240. The End (or is it the beginning?)
- 241. Please practice safe VoIP!
- 242. Q&eh? www.voipsa.org www.voipsa.org/blog www.blueboxpodcast.com www.disruptivetelephony.com www.mitel.com
- 243. Thank you (Please practice safe VoIP!)