CyberInsecure.com

Archive for the ‘VoIP’ Category

Researchers at VoIPshield Labs have reported a wide range of denial-of-service vulnerabilities in Microsoft Communicator, the unified communications that features business-grade instant messaging, voice, and video tools.

The flaws, rated “high severity,” could cripple VoIP-powered communications on Office Communications Server 2007, Office Communicator and Windows Live Messenger.

The vulnerabilities include:

Microsoft Communicator Emoticon: By issuing instant messages to a client which contain a very large number of emoticons it is possible to cause the Microsoft Communicator to become nonresponsive for a certain period of time. During this period of time the phone does not respond to incoming invite messages and can even be forced to go into an offline state, eventually requiring the phone to reregister.

Microsoft Communicator INVITE Flood: Due to the manner in which sessions and authentication are managed it is possible to cause Microsoft Communicator to open a very large number of sessions resulting in the consumption of huge amounts of memory, potentially resulting in a Denial of Service.

Microsoft Communicator Real-time Transport Control Protocol Report Block: Using a specially crafted RTCP receiver report packet it is possible cause a Denial of Service (DoS) against Microsoft Communicator, Office Communications Server (OCS) and Windows Live Messenger.

The company said Microsoft has acknowledged the issues.

Next-generation VoIP sniffer was released on Saturday at Toorcon in San Diego by Jason Ostrom of VoIP Hopper. The tool, that might be used for attacks, should help raise awareness of the type of vulnerabilities businesses face as they adopt unified communications (UC) technology.

According to Jason, the tool, UCSniff, has two settings. One is a learning mode, sniffing all the IP traffic then mapping telephone extensions to specific addresses. By default, it is capturing all the calls and saving them to wave files.

The other setting is targeting conversations. After learning the IP addresses of the phone system, someone using UCSniff can listen to all the VoIP, or voice over Internet Protocol, conversations made by a specific user., say the CEO. That’s user mode. A second mode, conversation mode, allows someone to monitor calls made exclusively between two extensions, say only when the CEO calls the CFO.

“So it’s like dynamic ARP poisoning,” Ostrom explained, referring to Address Resolution Protocol spoofing. “The tool, on the fly, figures out how to do the ARP poisoning for you so you’re not intercepting the traffic of phones that you do not want to intercept.”

The flaw, if any, is within the structure of the system and not specific to any platform, such as that of Cisco Systems. There are two other tools and combined, the tools can allow one to create a man-in-the-middle attack on VoIP networks in an enterprise.

Some of the pieces are already available on the Internet. However, UCSniff “brings together what is lacking, what is needed to be the most effective and secure VoIP security assessment tool available.”

Security vendor FaceTime Communications has released the only security product on the market allowed to look at encrypted instant messages sent between Skype users. The upgrade to the company’s Greynet Enterprise Manager (GEM) detects harmful URLs within instant messages.

Instant messages are used by hackers that lure victims to harmful websites. Through a compromised instant-messaging account, a hacker may have access to a person’s contact list. Those contacts may think they are being sent a link by a friend, but fall victim to a social engineering trick that puts their PCs at risk.

FaceTime is the only company that has an agreement to develop security software with Skype, which is owned by eBay.

One of the most popular Voice over Internet Protocol (VoIP) applications, Skype, has posed a concern to companies due to its use of encryption for voice conversations and instant messages. Skype constantly updates the protocol to ensure privacy for its users, but Skype’s stealth is worrisome for security-minded IT managers tasked with ensuring sensitive company data doesn’t leave their networks.

A year ago FaceTime released its first product for Skype, FaceTime Internet Security Edition for Skype. The product controls who is allowed to use Skype, as well as finer-grained controls, such as whether a user can use Skype’s chat function.

The latest upgrade is part of GEM, which is available as an add-on to FaceTime’s Unified Security Gateway, an appliance for instant messaging and VoIP security, and IM Auditor, an instant messaging management appliance.