VoIP Security: Secrets and Hype
by Ari Takanen

What is VoIP security all about? After close to ten years of hacking and bashing VoIP, Ari Takanen will finally reveal the secrets and discuss the hype around VoIP security. The discussions in this blog will draw from his book "Securing VoIP Networks: Threats, Vulnerabilities, and Countermeasures" co-authored by Peter Thermos, and published by Addison-Wesley.

As the CTO of Codenomicon, the main focus of Ari's work is with security testing of various next generation communication technologies such as VoIP, WiMAX and IPTV. His latest book is focused on this topic, and is titled "Fuzzing for Software Security Testing and Quality Assurance". You can win a free copy of The Fuzzing Book from the Codenomicon web site.

Ari will answer any questions and comments you might have regarding penetration testing and fuzzing of next generation communication networks such as IP telephony.

Check out the sample chapter of the VoIP book here!

all posts
2 comments
15I like it!

VoIP security auditing is becoming more and more complex ... Not!

I am curious how people can conduct penetration tests of a complex VoIP system when they barely understand how VoIP infrastructure works. Today, security people are still stuck to auditing practices from 1990s. When asked to do a penetration test, a consultant often is only looking at past issues that can be detected using various vulnerability scanners. Very few of them know that vulnerability scanners have extremely bad coverage of vulnerabilities in VoIP solutions. And even if the tools did know VoIP, who really cares about past issues that might have been relevant several years ago.

Posted on 8/15/08 at 6:14 am | fuzzing, security, testing, tool, voip
Be the first to comment
30I like it!

Greatest Challenge in VoIP Security

The greatest challenge in VoIP security is that there are very few good example case studies available. There are some very good VoIP deployments. But try to find a white-paper with someone disclosing all the their success stories in building a perfect VoIP network. No luck! Unfortunately much of that data is hidden in confidential documents. Still, I have really loved to see VoIP security emerge and evolve from being a hindrance in VoIP deployment, into a key marketing value. Finally some of those success stories will get a chance to see daylight.

Posted on 7/16/08 at 2:08 am | information security, IP telephony, security, telecommunications, voip
3 comments
3I like it!

(Is There) Motivation for VoIP Fuzzing

What have we learned during these six or so years of proactive security work with VoIP fuzzing? Here is my top ten discoveries.

Posted on 9/4/08 at 2:06 am | fuzzing, security, telecommunications, testing, voip
Be the first to comment
2I like it!

VoIP Still Not Ready For Carrier-Grade Networks

After a quick tour of some Really Talented Groups dedicated to fuzzing research, I noticed three things: 1) Most teams are focused on fuzzing VoIP 2) Most if not all VoIP devices still break with fuzzing 3) Most VoIP vendors still do not get it. The tour continues...

Posted on 10/2/08 at 12:22 pm | book, fuzzing, security, testing, voip
Be the first to comment
5I like it!

Reason Behind Vulnerabilities

Now something completely unrelated to VoIP: Reason behind all vulnerabilities in software! I read an article that explained how vulnerabilities are basically created by the fact that people tend to drift from good development principles into practices that are just simply Fun. The engineers among us know that software development can be enormously interesting, something you would happily even do in your leisure time. But can fun be converted into reliable software?

Posted on 9/8/08 at 2:54 pm | quality assurance, security, software, testing, vulnerabilities
1 comment
25I like it!

Good VoIP Deployment Guidelines (Do Not Exist?)

I get questions regarding VoIP deployment all the time. Sometimes it is someone looking for simple and cheap Enterprise VoIP, who are unsure if VoIP can be deployed securely with those two parameters in the equation. More often it is the security aware people who are willing to invest almost anything to make it work, but cannot. As always, there is no silver bullet solution for either. If you look at my past opinions, I keep changing my mind between cheap that works, and secure that doesn't. What do you think? Which way should we go in VoIP?

Posted on 10/23/08 at 7:27 am | information security, IP telephony, security, telecommunications, voip
Free books

Build your tech library with our book giveaways.

Hacking Exposed, Sixth Edition
By Stuart McClure, Joel Scambray, George Kurtz; Published by McGraw-Hill/Osborne

The original Hacking Exposed authors rejoin forces on this tenth anniversary edition to offer completely up-to-date coverage of today's most devastating hacks and how to prevent them. Using their proven methodology, the authors reveal how to locate and patch system vulnerabilities. The book includes new coverage of ISO images, wireless and RFID attacks, Web 2.0 vulnerabilities, anonymous hacking tools, Ubuntu, Windows Server 2008, mobile devices, and more. Enter now!

Featured Sponsor
Case Study: AISO grows its "green" business

AISO founders envisioned a Web hosting company that was environmentally friendly. While the company employed energy-efficient innovations like solar panels, its infrastructure produced unacceptable power and cooling requirements. Find out how AISO leveraged AMD technology to overcome their challenge in this case study white paper.

Download this white paper »
Myth of the Million Dollar Database

In this whitepaper, Scalar explores the opportunity to change the landscape with respect to mission critical databases built around Oracle. Leveraging technologies such as Linux, high-end commodity processing power and Oracle RAC technology to architect, design, build and maintain database infrastructure that delivers maximum availability, reliability and performance at a fraction of traditional cost.

Download this white paper »
Success Story: Weather.com handles whatever nature serves up

On a typical day, weather.com, the Web site for The Weather Channel in Atlanta, serves up between 15 million and 20 million page views. But in September 2004, when back-to-back hurricanes ransacked Florida, the peak traffic on one day more than tripled: over 70 million page views by more than 7 million unique visitors. Read the full success story now.

Download this white paper »
Marketplace