MiKa and I held three talks at the Linuxwochen Wien 2011. The scheduled talks were „VoIP Security“ and „The Wind Chill Factor of Security“. The third talk was a review of the trust models used with X.509 certificates issued by certificate authorities. That review was a drop-in replacement talk for a speaker who did not show up. Since the talks were held in German, I'd like to present a short summary on our blog.

VoIP has become a well-established technology in companies during the past years. Periodically we assess the security of VoIP protocols and implementations. The talk we gave was a review of the state of the art, focusing on SIP signalling and audio/video codecs. We discussed the basics, the SIP Digest Authentication Leak found by Sandro Gauci, SIP probes, the troubles of SIP gateway appliances (which enable LAN probing), the motivations of attackers, and potential business models involving VoIP abuse.

The wind chill factor is widely known from weather forecasts. Last year we tried to apply the concept of a „felt security level“, as opposed to the real security level, to IT topics. The talk features some examples where the felt security level is radically different from the actual security you have (due to the „silent evaporation of safeguards“). Taking a step back and re-evaluating how effective your security measures are is a crucial step. We know that you hear this mantra from every security consultant, but it really is a mantra you should repeat as often as you can.

The third talk deals with the mechanism of trust used in the widely deployed X.509 certificates and the authorities that issue them. Ever since Comodogate and the hijacked Verisign certificates, the trust model has been questioned. The talk reviews that model and points out that it is broken, which everyone should be aware of before relying on it.

We also have some audio files (in German) for download, recorded with a portable recording device. The Linuxwochen Wien team has better recordings and will probably publish the talks along with the video recordings.

