Seven Deadliest Unified Communications Attacks
By Dan York
()
About this ebook
The book consists of seven chapters that cover the following: attacks against the UC ecosystem and UC endpoints; eavesdropping and modification attacks; control channel attacks; attacks on Session Initiation Protocol (SIP) trunks and public switched telephone network (PSTN) interconnection; attacks on identity; and attacks against distributed systems. Each chapter begins with an introduction to the threat along with some examples of the problem. This is followed by discussions of the anatomy, dangers, and future outlook of the threat as well as specific strategies on how to defend systems against the threat. The discussions of each threat are also organized around the themes of confidentiality, integrity, and availability.
- Knowledge is power, find out about the most dominant attacks currently waging war on computers and networks globally
- Discover the best ways to defend against these vicious attacks; step-by-step instruction shows you how
- Institute countermeasures, don’t be caught defenseless again, and learn techniques to make your computer and network impenetrable
Dan York
Dan York (CISSP) is the Best Practices Chair for the VOIP Security Alliance (VOIPSA) as well as the producer of "Blue Box: The VoIP Security Podcast" where since October 2005 he and co-host Jonathan Zar have discussed VOIP security news and interviewed people involved in the field. Dan is employed as the Director of Conversations at Voxeo Corporation heading up the company's communication through both traditional and new/social media. Previously, Dan served in Voxeo's Office of the CTO focused on analyzing/evaluating emerging technology, participating in industry standards bodies and addressing VoIP security issues. Since the mid-1980s Dan has been working with online communication technologies and helping businesses and organizations understand how to use and participate in those new media. Dan frequently presents at conferences, has authored multiple books on Linux and networking and writes extensively online at sites such as www.voipsa.org/blog and www.disruptivetelephony.com.
Related to Seven Deadliest Unified Communications Attacks
Related ebooks
Building Networks and Servers Using BeagleBone Rating: 0 out of 5 stars0 ratingsLearning iOS Security Rating: 0 out of 5 stars0 ratingsMicrosoft Windows 7 Administrator's Reference: Upgrading, Deploying, Managing, and Securing Windows 7 Rating: 0 out of 5 stars0 ratingsPerl Scripting for Windows Security: Live Response, Forensic Analysis, and Monitoring Rating: 0 out of 5 stars0 ratingsClient-Side Attacks and Defense Rating: 0 out of 5 stars0 ratingsSnort Intrusion Detection 2.0 Rating: 4 out of 5 stars4/5Operating System Forensics Rating: 4 out of 5 stars4/5Seven Deadliest Social Network Attacks Rating: 0 out of 5 stars0 ratingsAVIEN Malware Defense Guide for the Enterprise Rating: 0 out of 5 stars0 ratingsAn Introduction to Direct Access Storage Devices Rating: 0 out of 5 stars0 ratingsCyber Combat: Learn to Defend Against Cyber Attacks and Corporate Spying Rating: 0 out of 5 stars0 ratingsNetwork Processors: Architecture, Programming, and Implementation Rating: 0 out of 5 stars0 ratingsChasing Thieves: A True Story of Identity Theft, Felons, and Fighting Back Rating: 0 out of 5 stars0 ratingsForensics And Incident Response A Complete Guide - 2020 Edition Rating: 0 out of 5 stars0 ratingsWow! What a Ride!: A Quick Trip Through Early Semiconductor and Personal Computer Development Rating: 0 out of 5 stars0 ratingsAsterisk Hacking Rating: 0 out of 5 stars0 ratingsChanging Your Name in Canada Rating: 0 out of 5 stars0 ratingsDigital Media Steganography: Principles, Algorithms, and Advances Rating: 0 out of 5 stars0 ratingsMy Conversations With God AI Rating: 0 out of 5 stars0 ratingsInside Radio: An Attack and Defense Guide Rating: 0 out of 5 stars0 ratingsSeven Deadliest Wireless Technologies Attacks Rating: 0 out of 5 stars0 ratingsUNIX for OpenVMS Users Rating: 0 out of 5 stars0 ratingsStealing the Network: The Complete Series Collector's Edition, Final Chapter, and DVD Rating: 0 out of 5 stars0 ratings37 Ways To Protect Yourself From Identity Theft and What to Do if You Are a Victim Rating: 0 out of 5 stars0 ratingsVMware ThinApp 4.7 Essentials Rating: 0 out of 5 stars0 ratingsVLSI Electronics: Microstructure Science Rating: 5 out of 5 stars5/5Network Recovery: Protection and Restoration of Optical, SONET-SDH, IP, and MPLS Rating: 4 out of 5 stars4/5How to Cheat at Configuring VmWare ESX Server Rating: 0 out of 5 stars0 ratingsIT Service Root Cause Analysis Tools The Ultimate Step-By-Step Guide Rating: 0 out of 5 stars0 ratingsSimple Steps to Data Encryption: A Practical Guide to Secure Computing Rating: 0 out of 5 stars0 ratings
Information Technology For You
How to Write Effective Emails at Work Rating: 4 out of 5 stars4/5Creating Online Courses with ChatGPT | A Step-by-Step Guide with Prompt Templates Rating: 4 out of 5 stars4/5Health Informatics: Practical Guide Rating: 0 out of 5 stars0 ratingsHow To Use Chatgpt: Using Chatgpt To Make Money Online Has Never Been This Simple Rating: 0 out of 5 stars0 ratingsAgile for Non-Software Teams Rating: 5 out of 5 stars5/5AWS Certified Cloud Practitioner: Study Guide with Practice Questions and Labs Rating: 5 out of 5 stars5/5Practical Ethical Hacking from Scratch Rating: 5 out of 5 stars5/5Hacking Essentials - The Beginner's Guide To Ethical Hacking And Penetration Testing Rating: 3 out of 5 stars3/5A Practical Guide Wireshark Forensics Rating: 5 out of 5 stars5/5Data Analytics for Beginners: Introduction to Data Analytics Rating: 4 out of 5 stars4/5COMPUTER SCIENCE FOR ROOKIES Rating: 0 out of 5 stars0 ratingsData Governance For Dummies Rating: 0 out of 5 stars0 ratingsComputer Science: A Concise Introduction Rating: 4 out of 5 stars4/5Kafka Streams - Real-time Streams Processing Rating: 5 out of 5 stars5/5Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry Rating: 4 out of 5 stars4/5An Ultimate Guide to Kali Linux for Beginners Rating: 3 out of 5 stars3/5The Programmer's Brain: What every programmer needs to know about cognition Rating: 5 out of 5 stars5/5Google Cloud Platform an Architect's Guide Rating: 5 out of 5 stars5/5Just Enough R: Learn Data Analysis with R in a Day Rating: 4 out of 5 stars4/5A Civic Technologist's Practice Guide Rating: 0 out of 5 stars0 ratingsThe Certified Fintech Professional Rating: 5 out of 5 stars5/5ChatGPT: The Future of Intelligent Conversation Rating: 4 out of 5 stars4/5The iPadOS 17: The Complete User Manual to Quick Set Up and Mastering the iPadOS 17 with New Features, Pictures, Tips, and Tricks Rating: 0 out of 5 stars0 ratingsInkscape Beginner’s Guide Rating: 5 out of 5 stars5/5The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy Rating: 4 out of 5 stars4/5Computer Organization and Design: The Hardware / Software Interface Rating: 4 out of 5 stars4/5
Reviews for Seven Deadliest Unified Communications Attacks
0 ratings0 reviews
Book preview
Seven Deadliest Unified Communications Attacks - Dan York
platforms.
Introduction
INFORMATION IN THIS CHAPTER
What This Book Is About
What This Book Is Not About
Defining Unified Communications
About the Unified Communications Market
Telling the Story
And so It Begins
WHAT THIS BOOK IS ABOUT
Let’s begin with a quick glimpse into a typical day at a company:
There you are at your desk, wanting to talk with your colleague Steve in another office about a new project you need his help on. You turn to your laptop, switch to a software program, and look at Steve’s presence info. The little bubble next to Steve’s name is green, indicating he is there and available. Next to his name is also a status message that says In the office today.
Rather than calling Steve immediately, you send him an instant message (IM) with the text, Hi. Can I call you?
He replies, Sure.
You hit the Call button. The softphone on your laptop gets connected to the phone on his desk and you’re talking. He asks if you want to do video, and since you do, you both hit a Video button and you’re suddenly looking at each other. While explaining the project to him, you send him a PowerPoint slide deck through the file transfer part of your software clients. Steve mentions that the project sounds like something he worked on before and pastes the URL to his older project in your IM chat window. As the call goes on, you decide you want to show him a demo of the project and proceed to launch a screen sharing session.
Steve asks you some more questions, to which you say you’ll have to get back to him after the call. You both talk for a while more and then you end your call. You go back to your notes, dig up the answers to the questions Steve asked, and write them up in your IM chat session. He responds by thanking you and saying he’s looking forward to helping.
A fantasy, you say?
No, it’s how millions of people communicate on a daily basis today. The many people out there, perhaps including you, now have access to unified communications (UC) systems.
If you are reading this book, this kind of communication session may already be normal to you. Or this could be the vision you are being sold by a UC vendor. Regardless, let’s think for a moment about what the components of this call
were:
• Presence information showing me Steve’s status
• IM text chat before, during, and after the session
• Voice communication
• Video communication
• File transfer
• Screen sharing
• Seamless movement between and among the different modes of communication
Many different communication channels – yet from a user point of view, it was all just a simple and seamless experience. You could have also added into the scenario conferencing in a third person or interacting with a bot
or automated agent to retrieve information. There are a myriad of possibilities.
The reality is that behind all the magic, there are potentially a great number of different tools and platforms, conceivably provided by a great variety of different vendors. To provide a UC solution like this, your company might be using products and services from communications
companies like Cisco,A Avaya,B Alcatel-Lucent, C Mitel,D and more; your company might be using software from traditional technology companies like Microsoft or IBM; perhaps from business systems companies like Oracle and SAP; perhaps open-source or internally created solutions; your company might be using a newer entrant into the market like Skype; or – you might be using all of the above. Many vendors and many channels.
Adding to the fun, your communications systems might be all located in one central place, but more likely are scattered in different locations and data centers as part of a massively distributed network. Your systems might interconnect to hosted services out in the cloud
or send traffic across the public Internet. They may interact with phones on desktops and also software on mobile smartphones. And, of course, it is all running over the standard IP data network that every other software, device, and service uses.
Amidst all that chaos, the question is: How in the world do you secure such a communications infrastructure?
That is what this book is all about.
WHAT THIS BOOK IS NOT ABOUT
It may come as a surprise, but this book is NOT just about VoIP Security,
per se. Voice over IP (VoIP) is certainly one of the communication channels used in UC, but it is not the only one. Indeed, in these days voice may not even be the primary channel.
You will certainly learn about VoIP security, particularly in a couple of chapters, but that’s not the overall focus. If you want to dig deep into the details of VoIP security, there are a number of great books out there written by some outstanding security professionals. They can take you down to the packet level if you want.
This book aims to take a slightly different view to look at the intersection of the various communication technologies that make up what we call UC today. VoIP is one of those technologies, as is IM, as is presence, and as are other collaboration technologies.
DEFINING UNIFIED COMMUNICATIONS
So then, what exactly is this thing called UC?
Analyst Blair Pleasant with UC Strategies promotes this rather formal definition of UC¹:
UC is communications integrated to optimize business processes. UC integrates the necessary and appropriate real-time and non-real-time communications with business processes and requirements based on presence capabilities, presenting a consistent unified user interface and user experience across multiple devices and media types. Using rules and policies, UC supports the enterprise to manage various types of communications across multiple devices and applications, while integrating with back-office applications, systems and business processes, with the goal of improving business agility and results, leading to increased revenues, decreased costs and improved customer service.
Her definition focuses on the theme of integration, which again is what differentiates UC from simply VoIP. Blair goes on to list the components that are often found in UC systems²:
• Call control and multimodal communications: this may or may not be an IP-PBX;
• Presence: desktop, telephony, device presence, as well as rules engine to manage access to presence information;
• Messaging: instant messaging, e-mail, voice mail, unified messaging, and video messaging;
• Conferencing: audio, Web, and video;
• Collaboration tools: whiteboarding, document sharing, and so on;
• Mobility and mobile access;
• Business process integration (sometimes called Communication Enabled Business Processes [CEBP]);
• Telephony integration: PBX/IP-PBX gateways to connect to the UC voice communications elements;
• Many forms of clients and endpoints: telephones, SIP phones, softphones, wireless phones and mobile devices, soft clients (including Web and voice portals);
• Speech-recognition servers.
Your UC systems may contain some or all of those different components. Your systems may also include additional components like the following:
• Directories and directory servers, which are often the source of the contact list users have;
• Database servers, which are providing the underlying data store;
• Application servers, which are providing additional functionality into the communications sessions.
This last point about applications highlights an intriguing aspect of UC where presence systems, in particular, enable automated notification and communication to reach you in the optimal way. For instance, a calendar system integrated with UC can use your presence and availability information to determine the best way to contact you with a reminder. This might be through IM or through an automated call, but it can build off your presence information and how you want to be contacted.
Very rapidly you could see UC becoming an all-encompassing term, which is a significant challenge.
For the purpose of our discussions here in this book, a typical
UC system is thought of as being comprised of the following:
• A control channel, server, or service that is providing the overall session control;
• A unified client in the form of software running on employees’ desks;
• Presence information about each employee;
• One or more real-time communication channels, including typically
Voice
IM
Video
• Connectivity to the larger external communication network, perhaps both the public switched telephone network (PSTN) and the public IM networks, as well as the general public Internet. Your system may obviously be different but the principles will be similar.
NOTE
It is perhaps not surprising that every vendor may have a slightly different definition of UC. Some vendors slapped UC onto every product vaguely connected with telephony. Some even went a few years back and renamed all their products to have UC in the actual product names.
It is also not surprising that recently some vendors had second thoughts about this UC branding, and so you are starting to see UC get downplayed or replaced with other terms such as collaboration or unified communications and collaboration.
ABOUT THE UNIFIED COMMUNICATIONS MARKET
One note about the overall UC market: because the term UC is so all-encompassing, the UC market
has a vast number of players all engaged in a hypercompetitive battle to convince enterprises that they are the ones who can truly provide the rich collaboration that enterprises are seeking. Some of the major players in the UC space include:
• Telephony/telecommunications companies – The big players in the traditional IP telephony space including Cisco, Avaya, Siemens and the tels
– Nortel (now part of Avaya), Alcatel-Lucent, Mitel, ShoreTel, and so on. They come at it with a voice background and believe they can provide the whole solution.
• Back-office infrastructure companies – Microsoft and IBM pretty much own the enterprise back-office server infrastructure, and it is no surprise that they are coming on very strong with Microsoft Office Communications Server and IBM Lotus Sametime. They have the IM and collaboration side down pat, and see voice as just another channel.
• Business systems companies – It might not be immediately intuitive, but big companies like Oracle and SAP already provide collaboration software on the business process and customer relationship management side, so adding the communication elements is not a huge step for them.
• Cloud-based companies – The ease of launching companies in the cloud
has brought a wealth of startups that offer flexible collaboration options at attractive prices as well as increasing competition between companies providing cloud computing
platforms. Google, in particular, continues to expand its range of cloud-based services and has recently made significant improvements to Google Voice and also purchased the SIP-based Gizmo VoIP service. While not directly in UC, you could easily see them continuing to move in that direction.
• Consumer-focused companies – There is a range of companies that started out focusing more on consumers but are now moving to have business and enterprise offerings. Skype is most notable here, offering a rich collaboration experience and claiming that 35% of its usage is now business related. Facebook is another company providing some collaboration elements and seeming to want to grow to include more. As consumers use these collaboration services for their own personal usage, they begin to find ways to use them in business settings as well.
• Open source – The number of open-source options for communications continues to grow, offering options for companies that want to roll their own
solutions and have the technical savvy to do so. Digium is certainly the market leader in this space with their Asterisk PBX and associated ecosystem of partners, but other systems like FreeSWITCH and sipXecs are also out