Author Archives: Dan York

European Union Security Agency Releases Report Analyzing HTML5 Security

ComputerWorld today reports that the European Network and Information Security Agency (ENISA) has released a detailed report analyzing the security of HTML5 and related web protocols.

While not directly related to Unified Communications, the reality is that many UC web interfaces, particularly for mobile devices, may turn to HTML5 as a way to create a web interface that provides an excellent user interface and works across all mobile devices.

Perhaps more importantly, the work of the RTCWEB/WebRTC working groups within the IETF and W3C, which I’ve written about over on Voxeo’s blogs, is aimed at bringing the “real-time communications” functionality directly into the web browser. In other words, you wouldn’t need a browser plugin or additional program on your computer to make voice, video or chat connections… it could happen entirely within the browser.

At that point every browser potentially can become a UC endpoint… and therefore a concern for communications security.

It’s a lengthy document from ENISA, but worth a read as it dives into both analysis and recommendations for greater HTML5 security.

FBI’s Newest VoIP Fraud Case Shows Danger of Social Engineering

Over on the Voice of VOIPSA blog yesterday, I wrote about a new VoIP fraud case where a group of people stole over $4.4 million in services from a variety of Internet Telephony Service Providers (ITSPs) / carriers, including AT&T and Verizon.

As I note in that blog post, this wasn’t a “VoIP security” attack as much as it was a social engineering attack. This group went to rather remarkable lengths to convince ITSPs that they were legitimate businesses to whom the ITSPs should extend credit… and then they abused that credit once it was given.

In the book, I talk about these issues of both fraud and social engineering. From a protection point-of-view, this latest fraud case really highlights the uncertainties in the “SIP Trunking” space (a topic I focused on in Chapter 5) and the need to perform adequate due diligence on the ITSPs from whom you are purchasing SIP connectivity. (Although, admittedly, this particular group went to such lengths that it is not surprising that they duped so many companies.)

The reality is that as the market for Unified Communications and IP communications continues to grow and expand, it will only become more tempting for scammers and thieves… so I expect we’ll see even more fraud cases in the time ahead.

Two New Amazon.com Reviews of Seven Deadliest Unified Communications Attacks

I’ve been very humbled and pleased to see two new reviews of Seven Deadliest Unified Communications Attacks show up on Amazon.com this month. Both are lengthy and both quite positive:

I don’t know Mario Camillen, but I definitely appreciate his taking the time to write about the book and for giving it the high rating he did.

I do know Alan Johnston and in fact recently wrote about his new fiction ebook here on this blog. I’ve known Alan for years through IETF and other SIP circles and will actually be seeing him next week at the SIPNOC event outside of Washington, D.C. Having said all of that, Alan certainly did not have to write the high praise he did… and I certainly do value his comments given that Alan is the author of another VoIP security book and was also heavily involved with the ZRTP protocol.

I greatly appreciate the reviews from both Mario and Alan because reviews definitely do matter … and do influence buying behavior.

To that end, if you have read Seven Deadliest Unified Communications Attacks, would you please consider writing a review on Amazon.com? It would be great if more readers did. (Thanks in advance if you do.)

Why You Need This Book!

What is the deadliest threat to your UC system?

It is 2011 and your communications system is no longer some box screwed onto plywood in some back room with a bunch of phones connected to it. Today your “Unified Communications” system is voice, video, instant messaging, presence, collaboration… and so much more… all running on commodity operating systems and running across your data network and even potentially the public Internet.

How do you secure a system like that?

This is the primary question addressed in the “Seven Deadliest Unified Communications Attacks”. UC systems are comprised of so many components and have the potential to be globally distributed.

In such a system, what are the threats? And perhaps more importantly, what are the best strategies for protecting against those threats? And what does the future look like?

In the book you will learn all about topics such as:

  1. UC Ecosystem Attacks
  2. Insecure Endpoints
  3. Eavesdropping and Modification
  4. Control Channel Attacks: Fuzzing, DoS, SPIT and Toll Fraud
  5. SIP Trunking and PSTN Interconnection
  6. Identity, Spoofing and Vishing
  7. Attacks Against Distributed Systems

The book is also full of links to resources where you can learn more about Unified Communications and VoIP security. This companion web site also includes more resources, a blog with updates and a link over to the companion Facebook page.

Please do explore this site, watch the video below and head on over to your favorite bookseller (such as Amazon) to pick up your copy of the Seven Deadliest Unified Communications Attacks. Make sure your UC systems are as secure as possible today!

Also available as a Kindle eBook!

To learn more, watch this video with author Dan York:

Meeting My Reviewer with the Oddest Review Headline (“Offal”)

I admit that I never get tired of meeting face-to-face with people who have read the Seven Deadliest Unified Communications Attacks and I enjoy particularly meeting with those folks who have taken the time out of their busy lives to write up a review of my book. I do read all the reviews I find about the book, figuring that I can always learn from what others say. So far I’ve been quite pleased and humbled by the positive reviews the book has received to date.

As I mentioned previously, though, I was quite surprised by one review headline entitled “Offal Is Not Awful, and the Seven Deadliest Attacks” and could honestly not even remotely figure out what my book had to do with offal (and it turned out to have nothing to do with it).

When I was down in Miami earlier this year for the ITEXPO conference, I had a chance to meet the reviewer in question, David Byrd of Broadsoft, and naturally I asked if he minded a picture being taken (he didn’t):

[Photo: David Byrd and Dan York]

Thanks again, David, for your kind words – and memorable headline!

SecureLogix Releases Report: Voice And Unified Communications State of Security 2011

By way of the Voice of VOIPSA blog, I learned that SecureLogix had formally released their “Voice & Unified Communications: State of Security Report 2011”. I saw a preview of this report in one of the final sessions at the Enterprise Connect event at the beginning of March and the data seemed quite compelling.

To put this in perspective, SecureLogix sells solutions that monitor your network and protect your VoIP/UC systems. While that creates a fairly obvious bias for a report like this, it also means that they do have great data from literally hundreds of networks where their tools have been deployed.

They’ve done a nice job packaging up the data, providing very readable charts, including solution diagrams and listing all sorts of resources at the end. The report is available now from the NoJitter.com site:

http://www.nojitter.com/sponsoredcontent/view/cid/3900003

You need to login to the site to download it today, but the folks I know at SecureLogix say that they will also be making it available from their own site in a few months.

Sure, you have to read the report understanding that it is written from the viewpoint of a vendor with an interest in selling security solutions… but regardless it is definitely a worthwhile document to read through. Kudos to SecureLogix for creating this report – and I look forward to seeing how it changes and evolves in the years ahead.

P.S. I found it interesting that the report talked about modems, which is something I actually didn’t even touch on in the book and don’t really think of as “VoIP” or “UC”… However, they certainly are components of the larger network security area of concern.

If you enjoyed 7 Deadliest UC Attacks, you may also like the fiction book “Counting From Zero”

If you enjoyed the subject matter in my Seven Deadliest Unified Communications Attacks, you may enjoy the fiction book, Counting from Zero, written by my friend Alan Johnston. The book, available as an eBook from Amazon, Barnes & Noble, Smashwords and other sites, is not about Unified Communications or VoIP security, but rather about Internet security in general and specifically the rise of botnets and all their attendant troubles.

It’s a story… about an Internet security researcher named Mick O’Malley who recognizes the signs of an impending global “zero day” attack via a massive botnet… and how he discovers it… how the various forces out there conspire against him… how he and his allies fight back…

I don’t know how it ends, yet, as I’m only 2/3rds of the way through it, but I’m enjoying the story so far quite a good bit.

I’ve known Alan for a good number of years mainly through IETF and SIP-related connections including the SIP Forum… we routinely meet up at various conferences and these days of course connect through social networks. While Alan’s written a number of technical books related to the SIP protocol, this is his first foray into fiction and on his new blog site he explains the journey that brought him into self-publishing and the world of ebooks. I commend him on taking the leap and I look forward to seeing how it goes.

I’ve thought, too, of pursuing the fiction route myself at times… if I go back a couple of years, one of the best presentations I’ve given on VoIP security was one where I did away with all the traditional ways of talking about security and instead told a story called “The Saga of SysAdmin Steve”. The story hit all the points I would have covered anyway, but in a way that was much more engaging… was much more memorable by the attendees… and was much more fun as a presenter. The challenge, of course, is that such a presentation can take a great amount more time to create. But it’s certainly been on my mind lately to do more presentations and perhaps even some writing along those lines.

Meanwhile, I congratulate Alan on the launch of “Counting from Zero” and encourage you all to check out the book’s website and Alan’s blog and, if you are so inclined, to purchase a copy. I’m definitely enjoying the read so far.

7 Deadliest UC Attacks Mentioned at Enterprise Connect

I’ve been very pleased by the comments I’ve received from people at the Enterprise Connect show this week in Orlando who have read the book. A couple of people mentioned they’ve bought it for the Kindle while at the show. And analyst Blair Pleasant mentioned the book a couple of times in one of her sessions (Thanks, Blair!).

As an author, it’s wonderful to hear that the book is really helping people understand UC security issues.

Thanks again for all the kind words and mentions!

Meet the Author and Discuss UC Security – Next Week In Miami

As I mentioned on both the VOIPSA blog and my Disruptive Telephony site, I’ll be in Miami next week, February 2-4, speaking at the SIP Trunking Workshop and Cloud Communications Summit about Unified Communications security.

If you are there at any of the events in Miami (my schedule is online), please do say hello… and if you’d like to meet, please send me an email or contact me on Twitter.

P.S. I may have a few books with me… 😉

Amazon adds BookScan data – I can see where the last purchases were made :-)

Amazon.com recently started making book sales data from Nielsen BookScan available through their “Author Central” portal – and it yields some interesting data for those of us writing books. Now, it’s not complete data as BookScan only covers about 75% of the online and offline booksellers, and it does NOT include ebooks, Kindle editions, etc. Still, it can provide some fun facts like the fact that the last purchases of Seven Deadliest Unified Communications Attacks were in New York, Chicago and L.A.:

[Image: Amazon BookScan sales map for Seven Deadliest Unified Communications Attacks]

What’s cool for me as an author is that it also aggregates and displays data across all my books. Now… my books are not exactly NY Times Bestsellers (what? you mean the world isn’t racing to learn about UC security? 🙂) so the data isn’t as exciting as it would be for those with more mainstream books… but it’s very cool to see. Thanks to Amazon for making this data available (for free) to all of us who write books!