[VOIPSEC] Anyone at the 25th Chaos Communications Congress in Berlin and interested in doing some writeups for the VOIPSA blog?

Johansson Olle E oej at edvina.net
Tue Dec 30 10:20:55 CST 2008


On 30 Dec 2008 at 16.55, Dan York wrote:

> VOIPSEC readers,
>
> Are any of you at the 25th Chaos Communication Congress this week in  
> Berlin, Germany? http://events.ccc.de/congress/2008/
>
> If so, would you be interested in writing up any posts about some of
> the news coming out of the event for the VOIPSA weblog at
> http://www.voipsa.org/blog/ ?
>
> I note that today there were announcements at 25C3 about serious  
> vulnerabilities in DECT:
>
> http://www.heise-online.co.uk/security/25C3-Serious-security-vulnerabilities-in-DECT-wireless-telephony--/news/112326
>
> And while that's not really "VoIP", per se, it is a technology that
> is being used to provide wireless handsets into VoIP systems.  I
> noted that earlier there were discussions around iPhone security:
> http://www.heise-online.co.uk/news/25C3-Cracks-in-the-iPhone-security-architecture--/112321
> Again, not "VoIP" exactly, but "communications security" related.
>
> Anyway, if any of you are there and interested in writing something  
> up for the VOIPSA blog, please do drop me a line.

I just heard that a group was using vulnerabilities in MD5 to crack  
SSL by using rogue certificates.

It's really high time to move away from MD5 digests in SIP - the  
problem is how to use another algorithm in the HTTP digest challenge/ 
response. And using SSL with certificates ... let's wait and see...

http://www.phreedom.org/research/rogue-ca/

We have identified a vulnerability in the Internet Public Key  
Infrastructure (PKI) used to issue digital certificates for secure  
websites. As a proof of concept we executed a practical attack  
scenario and successfully created a rogue Certification Authority (CA)  
certificate trusted by all common web browsers. This certificate  
allows us to impersonate any website on the Internet, including  
banking and e-commerce sites secured using the HTTPS protocol.

/O



