General Articles


Another Interesting Read

Here is another discussion by Dan York on the VoIPSA Blog and Bluebox Podcast about using covert channels to tunnel data in a voice call. The research describes using 8kb (of the 64Kb) in a voice call to carry some sort of covert data or communications. This of course would require an application working at both ends to code and decode the signal, which would probably need to be encrypted or obfuscated in some way to avoid detection. I scanned the actual research paper and it looks like they are mainly using low-order bits for the channel, which presumably wouldn't affect the audio. Perhaps you could also send packets with out-of-order sequence numbers, which, if done right, would be rejected by target jitter buffers, but could be used to carry data.

Of course the real problem here is bandwidth - it would take a long time and a lot of calls to carry your average Word or PowerPoint document.

Here are the direct links:

http://voipsa.org/blog/2007/07/03/voice-over-voip-project-aims-to-show-use-of-covert-channels-to-tunnel-voice-inside-of-voice/

http://www.blueboxpodcast.com/2007/07/blue-box-62.html

http://voipcc.gtisc.gatech.edu/voipcc.php

Using CAPTCHAs for Voice SPAM/SPIT Mitigation

Here is a discussion by Martyn Davies on the VoIPSA Blog about using CAPTCHAs to distinguish Voice SPAM/SPIT from a legitimate call. Dan York and Jonathan Zar of Bluebox Podcast discussed it and I totally agree with them, in that CAPTCHAs may be useful, but if they interfere in any significant way with the user's experience, then they are likely to be more annoying than the actual voice SPAM/SPIT. I would have to be getting a lot of SPAM before I would want to subject callers to a query like this.

Here are the direct links:

http://voipsa.org/blog/2007/07/04/now-ive-captchad-your-attention/

http://www.blueboxpodcast.com/2007/07/blue-box-62.html

Vulnerability With Asterisk

Here is a description of a vulnerability with AsteriDex, the digital Rolodex feature for Asterisk:

http://www.hoku.co.uk/advisories/asteridex.txt

Graphical User Interface (GUI) For Our RTP Tools

Justin Furniss, at PrimeObsession, developed a Graphical User Interface (GUI) that makes it easier to use the RTPInsertSound and RTPMixSound command-line tools we developed as part of our Hacking Exposed: VoIP book. I haven't played with the tool, but it looks like it lets you find RTP streams, pick a sound file, and then insert or mix it into a stream.

Here is the direct link to the tool page:

http://primeobsession.com/content/view/19/

Note that we have developed a similar tool for a contract. I am hoping that we can release it sometime in the future.

White Paper and Presentation on VoIP Security

Gary Miliefsky of NetClarity provided the following white paper and presentation at the latest GFIRST conference:

Download Securing-VoIP-GFIRST-2007-Whitepaper.pdf

Download SecuringVoIP-GFIRST-Miliefsky-2007-ppt.pdf
