[VOIPSEC] VOIP and Forensics
Mark Teicher
mht3 at earthlink.net
Sun Mar 13 11:55:52 CST 2005
Actually bringing in network security experts on diagnosing a VOIP issue is
not always the wisest thing to do. It is like having a PhD in Biology and
claiming one has years of expertise in network security. Two different
camps of people; some telco folks will think unless the dollar amount is
greater than the cost of service, it is nothing to worry about. From a
network security point of view, a discrepancy of .75 has led people to
trace events across the internet to an internet espionage ring. Implementing
a PBX policy or enabling call recording to capture the issue is a lot easier
to implement than going through circular motions that end up in the same
recommendation.
/m
At 01:20 PM 3/12/2005, Ari Takanen wrote:
>Hello all,
>
>Difficulty with VoIP should be no news to any forensics experts. It is
>yet another IP-enabled service and has all the same logs that need to
>be monitored. It is on the other hand a nightmare to your security
>policy, and system administrators, as you need to have practices in
>monitoring and updating all devices and services related to VoIP. This
>is needed for enabling forensics at any level.
>
>It means so much more than just SIP. These devices have tens of
>vulnerable interfaces such as HTTP, TFTP, DNS, SNMP, ... Maintaining
>the whole VoIP infrastructure requires good planning and good
>analysis, and knowledge about the devices you choose to use.
>
>Each of these devices, whether it is a SBC or a UA, is typically
>running a set of services on top of standard operating systems, each
>of which need to be secured if they are to be trusted, monitored and
>updated. You would be surprised where e.g. Linux OS is used
>nowadays. Is your VoIP phone running a mail server? Do you know what
>web server your UA is running? Do you know how to update that? Are you
>collecting logs from it?
>
>VoIP is a combination of two worlds. You need your telco people to
>understand call frauds and other security issues related to the telco
>world, and you need your networking and security experts to bring the
>expertise on different platforms, services and monitoring of those
>protocols. You have hardware such as memory-based hard-drives and
>means of dumping the contents of such devices in various places.
>
>Security is not a product, it is a process. A set of proactive
>processes is required, such as security policies, securing of
>operating systems and services, robustness and penetration testing of
>those services that you cannot close. You also have a set of reactive
>practices for shutting down services and systems after the eventual
>incident, collecting and dumping data from the device and analyzing
>that data.
>
>You cannot select your VoIP infrastructure based on the telco
>functionality only. Bring in your security experts into the purchase
>process and make informed decisions there. And with security experts
>I mean those technical people who end up doing the forensics if
>everything fails.
>
>Update your VoIP devices often!
>
>Best regards,
>
>/Ari Takanen, CEO
> Codenomicon Ltd. "Robustness Testing Tools!"
> http://www.codenomicon.com/testtools/sip/
> http://www.codenomicon.com/testtools/tls/
>
>
>On Fri, Mar 11, 2005 at 11:00:05PM -0600, Christopher A. Martin wrote:
> > This type of task will require correlation of many different types of logs,
> > not just VoIP, but also possibly router/firewall logs, source/destination
> > pairings, common sources (even if they are spoofed), possible tagging by
> > tools that can detect 0 day attacks...etc... It's hard in the traditional
> > world, but may be easier combined with the telephony patterns...
> >
> > Christopher A. Martin
> > P.O. Box 1264
> > Cedar Hill, Texas 75106
> > Chris at InfraVAST.com
> >
> > > -----Original Message-----
> > > From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
> > > Behalf Of Mark Teicher
> > > Sent: Friday, March 11, 2005 6:16 AM
> > > To: Voipsec at voipsa.org
> > > Subject: [VOIPSEC] VOIP and Forensics
> > >
> > > Has anyone examined how to produce evidence for legal proceedings to prove
> > > actual VOIP fraud?
> > > As this is a question I have posed to a few companies who offer Managed
> > > Security Services for IPT and none of them provided a response.
> > > The only response I have received so far: "We have network+ certified and
> > > CCNA experts and currently scheduled for Juniper/Extreme training"
> > > Interesting that people are being trained and certified, but as I recall
> > > being trained on a product does not necessarily mean that one is qualified
> > > to produce evidence to prove VOIP fraud.
> > >
> > > /mht
> > >
> > >
> > >
> > > _______________________________________________
> > > Voipsec mailing list
> > > Voipsec at voipsa.org
> > > http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> >
> >
>
>--
>-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
>Ari Takanen Codenomicon Ltd.
>ari.takanen at codenomicon.com Kaitovayla 1
>tel: +358-40 50 67678 FIN-90570 Oulu
>http://www.codenomicon.com Finland
>PGP: http://www.codenomicon.com/codenomicon-key.asc
>-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-