SecureLogix put out a press release for my new book, Hacking Exposed: UC and VoIP. The press release includes a video summarizing the book. I posted a link to the video a few weeks ago, but it is here as well.
Here is a bulletin from the FBI warning about toll free, 1-800 call pumping attacks. The basic idea (I cover this extensively in my Hacking Exposed: UC and VoIP book) is that the attacker, usually an unscrupulous service provider, generates many (perhaps millions) of calls into 1-800 numbers. They profit because they receive a piece of the 1-800 revenue, which is paid by the owner of the 1-800 number. See the bulletin below:
There are two types of attacks. One will "spray" many numbers with very short calls, in order to get a piece of the connect time revenue. Another will generate long calls, usually to a smaller number of 1-800 numbers and IVRs, in order to get a piece of the connect and per-minute charges. The latter form may require some analysis of the target 1-800 IVR, and use of tailored audio which dwells in the IVR through use of menu-looping DTMF tones or other audio.
Either type can generate a TDoS condition, if the attacker generates too many calls or if the calls target a part of an IVR or enterprise with limited bandwidth. This is especially true for calls which dwell in the IVR, because they consume more resources.
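To make the two patterns concrete from the defender's side, here is a sketch that flags them in call detail records. It is an added example, not material from the bulletin or the book; the CDR field layout, the trunk names, the thresholds and the sample records are all assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Assumed thresholds (not from the bulletin); tune against your own baseline.
SPRAY = {"min_calls": 20, "min_numbers": 10, "max_median_sec": 10}
DWELL = {"min_calls": 5, "max_numbers": 3, "min_median_sec": 600, "min_dtmf": 15}

def group_by_source(cdrs):
    """cdrs: iterable of (source, dialed_number, duration_sec, dtmf_digits)."""
    by_source = defaultdict(list)
    for source, dialed, duration, dtmf in cdrs:
        by_source[source].append((dialed, duration, dtmf))
    return by_source

def classify_sources(cdrs):
    """Return {source: 'spray' | 'dwell'} for sources matching either pattern."""
    findings = {}
    for source, calls in group_by_source(cdrs).items():
        numbers = {dialed for dialed, _, _ in calls}
        med_dur = median(d for _, d, _ in calls)
        med_dtmf = median(t for _, _, t in calls)
        if (len(calls) >= SPRAY["min_calls"]
                and len(numbers) >= SPRAY["min_numbers"]
                and med_dur <= SPRAY["max_median_sec"]):
            findings[source] = "spray"   # many numbers, very short calls
        elif (len(calls) >= DWELL["min_calls"]
                and len(numbers) <= DWELL["max_numbers"]
                and med_dur >= DWELL["min_median_sec"]
                and med_dtmf >= DWELL["min_dtmf"]):
            findings[source] = "dwell"   # few numbers, long menu-looping calls
    return findings

def ivr_seconds_by_source(cdrs):
    """IVR port-seconds consumed per source: the resource pressure behind TDoS."""
    return {s: sum(d for _, d, _ in calls)
            for s, calls in group_by_source(cdrs).items()}

# Constructed sample CDRs (fictional 555 numbers, hypothetical trunk names).
SAMPLE_CDRS = (
    [("trunk-A", f"1800555{n:04d}", 4, 0) for n in range(100, 130)]          # spray
    + [("trunk-B", f"1800555020{n % 2}", 900, 40) for n in range(6)]         # dwell
    + [("trunk-C", "18005550300", d, 3) for d in (120, 150, 180, 240, 300)]  # normal
)

if __name__ == "__main__":
    print(classify_sources(SAMPLE_CDRS))
    print(ivr_seconds_by_source(SAMPLE_CDRS))
```

Grouping by originating trunk is a choice made for this sketch; the port-seconds total shows why a handful of dwelling calls can consume more IVR capacity than a much larger number of sprayed ones.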
The Hacking Exposed: Unified Communications and VoIP book is finally done!!! The new revision is a great improvement and covers the primary issues that are affecting enterprise Unified Communication (UC) and VoIP networks.
The writing has actually been done for a few weeks and the book will be printed, bound, and available around the end of the month. You can get it off of Amazon at:
We reached a milestone on the writing for our Hacking Exposed: VoIP and UC book. All the core material is written! We are reviewing final page proofs on about half of the book (17 chapters) and have some review and edit work ahead on the remaining chapters, but we are getting very close! Thank goodness :)
This book has refreshed chapters on the gathering information phase, network attacks, and SIP/RTP attacks, with new chapters on topics such as toll fraud, calling number spoofing, harassing calls, Telephony Denial of Service (TDoS), call pumping, voice spam, voice phishing, social engineering, and emerging technologies.
This has been in the works for a bit, but I am writing a revision to the Hacking Exposed: VoIP book that I co-authored back in 2006. A lot has changed since then, so it's a great time to provide an update.
Certainly the biggest change we have seen is in the area of voice/VoIP/UC application attacks, including toll fraud, harassing callers, TDoS, social engineering, etc. With the proliferation of VoIP/UC, these attacks have gotten much more common and disruptive.
The book should be out around this time next year. Back to writing :)
Here is an article from British Telecom (BT) on Toll Fraud. As I have said and BT agrees, this remains a critical issue for enterprises. It is definitely the most prevalent Voice Over IP (VoIP) security threat out there:
Over the past 5 years, we have developed a number of VoIP and SIP vulnerability assessment/testing tools. However, we didn’t release any of these tools until late 2006, when we co-authored the “Hacking Exposed: VoIP” book. To support release of the book, we developed and released several additional tools. Some of the tools that we released with the book include:
- add_registrations – adds a bogus registration for a contact
- check_sync_reboot – reboots/resets a SIP phone
- dirscan – actively scans for SIP phones
- erase_registrations – erases all registrations for a contact
- invite_flood – generates a flood of SIP INVITE requests
- redirectpoison – redirects requests
- reghijacker – hijacks a registration (combines erase and add registrations)
- rtpflood – generates a flood of RTP packets
- rtpinsertsound – inserts/replaces sound in a call
- rtpmixsound – mixes in sound in a call
These tools have been available on the Hacking Exposed: VoIP companion web site, www.hackingvoip.com. The book describes their use.
Since release of the book, we have been building new tools and enhancing several of the tools above. Some of the enhancements we made include:
- Added TCP/IP support to applicable tools
- Added digest authentication support to applicable tools
- Implemented quite a few fixes to sip_rogue to make it more reliable
We also built several new tools:
- Several new flood-based DoS tools, which generate floods using different SIP requests, including byeflood, optionsflood, regflood, and subflood. The regflood tool is certainly the most potent of the group.
- dirsniff and dirsortmerge – a passive scanner that builds a directory of valid SIP phone addresses. By using the dirsortmerge tool, you can manage results from this tool, as well as output from the dirscan active scanner.
- Call Monitor and sipsniffer – this tool provides a GUI that shows active SIP calls. The tool allows you to select a call and terminate it (via teardown) or insert/mix in audio (via rtpinsertsound or rtpmixsound). The tool allows you to define up to 10 sound files that can be inserted/mixed in on command. The tool also streams the call audio to the XMMS player, so you can listen in and “time” when you affect the call.
The Call Monitor tool is particularly interesting. It makes using the rtpinsertsound/rtpmixsound tools a lot easier and more effective. It makes real audio manipulation possible.
We will be posting the complete set of tools to the www.securelogix.com website sometime this week. I will provide a direct link when the download page is completed. I will also post additional information on how to use the new tools.
Sipera's Viper lab has a web page with general information, vulnerabilities, attacks, and a blog. They have had this for a while, but seem to be updating it a bit more lately. Here is a link (it is also in my links list for VoIP security blogs):