Monday, February 15, 2010

Asterisk Dialstring Injections

It's like an SQL injection attack; trying this one now on my VoIPSec lab. Time to fix those Asterisk cookbooks, guys! - Ron

[from_sip]
exten => _X.,1,Dial(SIP/${EXTEN}@testsip)
He writes:

“And if ${EXTEN} = “000@testsip&SIP/333”, what turns out to happen then is similar to SQL injection :-( He is exactly right. Many VoIP protocols, including IAX2 and SIP, have a very large allowed character set in the dialed extension, a character set that allows characters that are used as separators by the Dial() and Queue() applications, as well as within the dialstring that these applications send to the channel drivers in Asterisk. A user can change the dial options and dial something they should not be able to dial in your system. This article describes the issue in more detail and gives you some help on how to avoid this causing trouble in your Asterisk server.”

Complete technical details here: http://www.voip-forum.com/?p=241&preview=true
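To make the separator problem concrete, here is an added Python model (not code from the post or from Asterisk) of how Dial() splits its first argument on '&', paired with the allowed-character check the post calls for. The DIAL_TEMPLATE string mirrors the dialplan line above; the numeric-only character set is an assumption for a plain PSTN-style extension.

```python
"""Model of the Asterisk Dial() separator issue (added example).

Dial() treats '&' in its first argument as the separator between channel
targets, so an extension containing '&' turns one call into two. The
allowed-character check below is the hardening the post recommends:
only accept the characters a real extension needs before building the
dialstring. The safe character set is an assumption for numeric extensions.
"""
import re

# Mirrors the dialplan line: Dial(SIP/${EXTEN}@testsip)
DIAL_TEMPLATE = "SIP/{exten}@testsip"

# Digits plus the usual DTMF symbols; excludes '&', '/', '@' and ','
# which Dial() and the channel drivers interpret as separators.
SAFE_EXTEN = re.compile(r"[0-9*#+]+")


def dial_targets(exten: str) -> list[str]:
    """Return the channel targets Dial() would see for this ${EXTEN}."""
    return DIAL_TEMPLATE.format(exten=exten).split("&")


def is_safe_exten(exten: str) -> bool:
    """True if the extension contains only the characters we allow."""
    return SAFE_EXTEN.fullmatch(exten) is not None


def safe_dial_targets(exten: str) -> list[str]:
    """Build the dialstring only for extensions that pass the check."""
    if not is_safe_exten(exten):
        raise ValueError(f"rejected extension with separator characters: {exten!r}")
    return dial_targets(exten)


if __name__ == "__main__":
    # Constructed inputs: a normal extension and the post's injected one.
    for exten in ("5551234", "000@testsip&SIP/333"):
        print(f"{exten!r} -> {dial_targets(exten)} safe={is_safe_exten(exten)}")
```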

Sunday, February 14, 2010

CloudAudit A6 - The Audit, Assertion, Assessment, and Assurance API

CloudAudit and the Automated Audit, Assertion, Assessment, and Assurance API (A6)

The goal of CloudAudit (codename: A6) is to provide a common interface that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their infrastructure (IaaS), platform (PaaS), and application (SaaS) environments and allow authorized consumers of their services to do likewise via an open, extensible and secure interface and methodology.

CloudAudit is a volunteer cross-industry effort from the best minds and talent in Cloud, networking, security, audit, assurance and architecture backgrounds.

The CloudAudit/A6 Working group was officially launched in January 2010 and has the participation of many of the largest cloud computing providers, integrators and consultants. You can find out more about CloudAudit by visiting the Forums.

For someone involved in the Cloud Computing industry, information assurance and compliance, this is freakin' awesome! I would like to congratulate everyone involved, especially security guru and fellow grappler Chris Hoff (Cisco) of rationalsurvivability.com.

Find more about the A6 initiative at http://www.cloudaudit.org/ and please spread the word!

Thanks,
Ron

A playground for network security enthusiasts, innovators and early adopters

Welcome to my blog. This is me thinking out loud about Voice over IP (VoIP) security, managing and optimizing converged networks, the Metasploit Framework, Cloud Computing, general security and privacy concerns, grappling adventures, and tuning my MKIV VW Jetta.

All input, feedback and violent reactions are welcome.

Packet Boy Perseus
Helping spread a positive image of why we hack things.

About Me

I am an InfoSec Innovator, a Blue Ocean Seafarer and a Paul Graham Pupil.