I was extremely pleased to recently learn that the ebook of "Seven Deadliest Unified Communications Attacks" is now available DRM-free through a deal between Syngress/Elsevier and O'Reilly. As I noted in a recent podcast about DRM-free books, this allows you as the reader much more flexibility and freedom in being able to read the ebook on the platform and device of your choosing.
The great part about ordering DRM-free ebooks from O'Reilly is that you can easily get back to your ebooks and download them in multiple formats. They also alert you to updates if there are any.
Kudos to the folks at Elsevier and Syngress for making all of these ebooks available DRM-free!
Do you have an account on Goodreads? If so, there is a page for Seven Deadliest Unified Communications Attacks with a very kind review from Alan Johnston. As an author, I'd naturally like to have some more reviews as they do tend to help people understand what people think about the book.
If you found the book helpful, could you please take a moment to review (or at least "star") the book there?
Even if you don't want to post a review right now, if you are on Goodreads and can add the book to a "shelf" that would also be helpful, as others will then see that people are reading the book.
And while you're at it, if you'd like to connect on Goodreads as a fan/friend that would be welcome.
Thanks again for the continued support and for the positive comments I continue to receive about the book. I'm very pleased that people have found it helpful and that we can continue to have a healthy dialog about communications security issues.
The SC article focuses on the "Fishbowl" phones designed by the NSA and includes a number of interesting comments on the state of the security implementations provided by vendors. It mentions that the NSA was looking to use SSL VPNs but, due to a lack of interoperability, wound up using IPSEC instead. Similarly, they were looking to use DTLS-SRTP but didn't find the implementations, and so instead used "descriptions". The article has this excellent statement by Salter (my emphasis added):
Salter said the security specifications, such as those sought for the voice application, would be useful to everyone.
She urged colleagues to demand vendors improve unified communications interoperability.
"We need to send a message [about] standards, interoperability and plug and play," she said.
This need for interoperability and standards support was certainly one of the themes I tried to bring out in the book. It is indeed critical for the long-term success of securing unified communications systems.
I also found it interesting that the NSA encrypts the voice twice:
Voice calls are encrypted twice in accordance with NSA policy, using IPSEC and SRTP, meaning a failure requires “two independent bad things to happen,” Salter said.
While there certainly is value in having multiple layers of security, I do wonder what this means in terms of computational overhead and/or latency. As our mobile phones have become more powerful, perhaps this is no longer a major concern.
Separate from the article, I was intrigued to read over on the NSA Mobility Program page that the first document they are releasing is the "Enterprise Mobility Architecture for Secure Voice over Internet Protocol (SVoIP)". From the page:
The first Mobility Capability document to be released is the initial draft release of the Enterprise Mobility Architecture for Secure Voice over Internet Protocol (SVoIP). It is intended to be a living reference that will be updated to keep pace with technology and policies as they change over time, as additional security products and services are developed, and as lessons learned from early adopters of this architecture are applied. As a first step, this version contains guidance on the required procedures necessary to build and implement a SVoIP capability using commercial grade cellular mobile devices. Future releases will build on this architecture and will include mobile device management and data applications; and ultimately integrate the WIFI service with an expanded list of end devices.
The 100+ page PDF file looks to be a fairly comprehensive view into what is involved with rolling out a secure mobile communications solution. It's great to see this from the NSA and it is a great contribution to the ongoing efforts to secure VoIP communications.
Does anyone really give a (insert favorite profanity) about VoIP security? That was the key question I asked in the presentation I gave at the recent 2011 ITT Real-Time Communications Conference. Technically, my talk was titled "The State of VoIP Security", but I decided to have a little bit of fun with it.
It was an enjoyable session and I recorded a video that I hope I can find the cycles to produce and upload sometime soon.
Meanwhile, the slides for my talk are now online, although given my style they really need audio or video. Still, you can get a sense of what I covered:
There's a great schedule of speakers and I'm looking forward to both giving my session and also listening to the security presentations that follow mine. If you are going to be at the event, please do say hello!
While not directly related to Unified Communications, the reality is that many UC web interfaces, particularly for mobile devices, may turn to HTML5 as a way to create a web interface that provides an excellent user interface and works across all mobile devices.
Perhaps more importantly, the work of the RTCWEB/WebRTC working groups within the IETF and W3C, which I've written about over on Voxeo's blogs, is aimed at bringing the "real-time communications" functionality directly into the web browser. In other words, you wouldn't need a browser plugin or additional program on your computer to make voice, video or chat connections… it could happen entirely within the browser.
At that point every browser potentially can become a UC endpoint… and therefore a concern for communications security.
It's a lengthy document from ENISA, but worth a read as it dives into both analysis and recommendations for greater HTML5 security.
As I note in that blog post, this wasn't a "VoIP security" attack as much as it was a social engineering attack. This group went to rather remarkable lengths to convince ITSPs that they were legitimate businesses to whom the ITSPs should extend credit... and then they abused that credit once it was given.
In the book, I talk about these issues of both fraud and social engineering. From a protection point of view, this latest fraud case really highlights the uncertainties in the "SIP Trunking" space (a topic I focused on in Chapter 5) and the need to perform adequate due diligence on the ITSPs from whom you are purchasing SIP connectivity. (Although, admittedly, this particular group went to such lengths that it is not surprising they duped so many companies.)
The reality is that as the market for Unified Communications and IP communications continues to grow and expand, it will only become more tempting for scammers and thieves... so I expect we'll see even more fraud cases in the time ahead.
I don't know Mario Camillen, but I definitely appreciate his taking the time to write about the book and for giving it the high rating he did.
I do know Alan Johnston and in fact recently wrote about his new fiction ebook here on this blog. I've known Alan for years through IETF and other SIP circles and will actually be seeing him next week at the SIPNOC event outside of Washington, D.C. Having said all of that, Alan certainly did not have to write the high praise he did... and I certainly do value his comments given that Alan is the author of another VoIP security book and was also heavily involved with the ZRTP protocol.
I greatly appreciate the reviews from both Mario and Alan because reviews definitely do matter ... and do influence buying behavior.
To that end, if you have read Seven Deadliest Unified Communications Attacks, would you please consider writing a review on Amazon.com? It would be great if more readers did. (Thanks in advance if you do.)
As I mentioned previously, though, I was quite surprised by one review headline entitled "Offal Is Not Awful, and the Seven Deadliest Attacks" and could honestly not even remotely figure out what my book had to do with offal (and it turned out to have nothing to do with it).
When I was down in Miami earlier this year for the ITEXPO conference, I had a chance to meet the reviewer in question, David Byrd of Broadsoft, and naturally I asked if he minded a picture being taken (he didn't):
Thanks again, David, for your kind words - and memorable headline!
To put this in perspective, SecureLogix sells solutions that monitor your network and protect your VoIP/UC systems. While that creates a fairly obvious bias for a report like this, it also means that they do have great data from literally hundreds of networks where their tools have been deployed.
They've done a nice job packaging up the data, providing very readable charts, including solution diagrams and listing all sorts of resources at the end. The report is available now from the NoJitter.com site:
You need to login to the site to download it today, but the folks I know at SecureLogix say that they will also be making it available from their own site in a few months.
Sure, you have to read the report understanding that it is written from the viewpoint of a vendor with an interest in selling security solutions... but regardless it is definitely a worthwhile document to read through. Kudos to SecureLogix for creating this report - and I look forward to seeing how it changes and evolves in the years ahead.
P.S. I found it interesting that the report talked about modems, which is something I actually didn't even touch on in the book and don't really think of as "VoIP" or "UC"... However, they certainly are components of the larger network security area of concern.