Security UPDATE--Trustworthy VoIP Needs Strong Security--August 3, 2005

1. In Focus: Trustworthy VoIP Needs Strong Security

2. Security News and Features

- Recent Security Vulnerabilities - Windows Genuine Advantage--Cracked

- The Auditor Security Collection

3. Security Toolkit

- Security Matters Blog

- FAQ

4. New and Improved

- Control Your Desktop

==== Sponsor: Diskeeper ====

Free utility: Find performance bottlenecks

Disk Performance Analyzer for Networks is a FREE utility that remotely checks your systems for disk performance bottlenecks. Locate problems today--BEFORE they become help desk calls. Download Disk Performance Analyzer for Networks now!

http://www.diskeeper.com/profile/submit-select.aspx?a=l&PId=94&ad=witpdpan8&apid=PPS0001055

==== 1. In Focus: Trustworthy VoIP Needs Strong Security ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Remember back in the mid-1990s when you could connect to Microsoft's FTP server using NetBIOS? You could actually map the FTP server as a drive on your network and copy files at will. Microsoft stopped all that activity pretty quickly after serious security questions arose.

I think Voice over IP (VoIP) is in a similar position today. People everywhere are implementing VoIP willy-nilly without thinking much, if at all, about the security implications. Meanwhile, intruders are undoubtedly banging away at their keyboards seeking cracks in popular VoIP technology that will afford them inroads. Spammers too are probably looking for ways in which they can begin flooding your VoIP client with calls, and of course scammers are wondering how they can use VoIP for their phishing scams.

Added to that potential security mess is the fact that some popular VoIP providers don't even offer data transport encryption in their products! Thus, people could be listening in to the phone conversations of those providers' customers.

Programs already exist that can capture VoIP conversations. Some even convert those conversations to portable audio files. The Voice Over Misconfigured Internet Telephones application (VOMIT--don't you just love catchy acronyms?) is designed to do exactly that. It captures G.711-based VoIP calls and converts them to Wave (.wav) files, and it's available free on the Web.

The need for decent VoIP security is clear, and multiple areas need attention to preempt the usual attacks, including spoofing, hijacking, buffer overflow, spamming, and phishing attacks. At least one organization, the Voice over IP Security Alliance (VoIPSA), is already going strong in driving protections in some of those areas, and you can become involved. Visit the VoIPSA Web site and click the "Participate in a project" link to learn how.

http://www.voipsa.org

Encrypted data transport is another focus. Remember Phil Zimmermann? He invented pretty good privacy (PGP) encryption and released it free to the world back in 1991. Since then, PGP has changed hands a couple of times, and now it's available as a commercial product from PGP Corporation. A few years after releasing PGP, Zimmermann and a team of six other engineers developed and released PGPfone, which was one of the earlier VoIP applications. Naturally, it came complete with PGP encryption. It's still available but hasn't been updated in years.

http://www.pgpi.org/products/pgpfone

Zimmermann is now working on new encryption technology for VoIP. Although the new technology doesn't have a name, some information is available as to how it might work and what it will do. Zimmermann's VoIP encryption technology uses the Diffie-Hellman public key infrastructure (PKI). The technology will tentatively exchange encryption keys on a per-call basis and will forego the need for the public key server that PKI-based designs typically use.

The initial code was developed for use in conjunction with Shtoom, an open-source cross-platform VoIP phone client based on the Session Initiation Protocol (SIP) commonly used with mainstream VoIP technology (for more information, go to the Shtoom Web site at the first URL below). Although Zimmermann's technology isn't yet available to the public in any form, Zimmermann does intend to release it for public beta testing and make it available as open-source software to the industry in hopes that it will become widely adopted. If you're interested, keep an eye on his Web site (second URL below) for possible announcements.

http://divmod.org/projects/shtoom

http://philzimmermann.com

==== Sponsor: FaxBack ====

Is Your Office Truly Fax Integrated?

Discover how to make your business more productive with easier ways for users to communicate and carry out mission-critical business processes. Download this free white paper to learn how to integrate fax with Microsoft Office and Exchange/Outlook applications. Get usage examples of Office-to-Fax integration, learn the benefits, and how fax works with Microsoft Office to deliver clear and substantial benefits to users.

http://www.windowsitpro.com/whitepapers/faxback/officefax/index.cfm?code=SecMid_803

==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

http://www.windowsitpro.com/departments/departmentid/752/752.html

Windows Genuine Advantage--Cracked

Not even a week after going live, Microsoft's Genuine Advantage program, which prevents illegal copies of Windows from downloading software (with the exception of security updates) from Microsoft's Web site, was cracked.

http://www.windowsitpro.com/Article/ArticleID/47185

The Auditor Security Collection

The free Auditor security collection is a set of security tools and utilities organized into the following categories: Footprinting, Scanning, Analyzing, Spoofing, Bluetooth, Wireless, Bruteforce, and Password cracker. Jeff Fellinge tells you all about it in this article on our Web site.

http://www.windowsitpro.com/Article/ArticleID/44648

==== Resources and Events ====

Windows Connections 2005 Conference

October 31-November 3, 2005, San Diego, CA. Microsoft, Windows, and Exchange Server experts present over 60 in-depth sessions with real-world solutions you can take back and apply today. Don't miss Mark Minasi's insightful keynote presentation "Windows Server R2, Longhorn and Beyond" and your chance to win a Harley-Davidson motorcycle! Call 800-505-1201 for more information.

http://www.winconnections.com

Continuous or Real-Time Backup Systems--Are They Right For You?

Continuous or real-time backup systems help avoid the danger of losing data if your system fails after the point of backup by providing real-time protection. In this free Web seminar, learn how to integrate them with your existing backup infrastructure, how to apply continuous protection technologies to your Windows-based servers, and more. Register now and learn how you can reduce your downtime with continuous data protection!

http://www.windowsitpro.com/seminars/continuousbackup/index.cfm?code=0803emailannc

New Cities Added--SQL Server 2005 Roadshow in a City Near You

Get the facts about migrating to SQL Server 2005. SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database computing environment. Attend and receive a 1-year membership to PASS and 1-year subscription to SQL Server Magazine. Register now!

http://www.windowsitpro.com/roadshows/sqlserverusa/index.cfm?code=0803emailannc

Deadline Extended--2005 Windows IT Pro Innovators Contest!

If you've used Windows technology in creative ways to devise specific, beneficial solutions to problems your business has faced, we want you! Now's your chance to get the recognition you deserve. Enter the 2005 Windows IT Pro Innovators Contest now! You could win a complimentary conference pass to Exchange Connections and Windows Connections in San Diego in late October 2005.

http://www.windowsitpro.com/awards/innovators_2005.cfm

Sort Through Sarbanes-Oxley, HIPAA Legislation, and More--Quicker And Easier!

In this free Web seminar, get the tips you've been looking for to save time and money in achieving IT security and regulatory compliance. Find out how you can simplify these manually intensive, compliance-related tasks that reduce IT efficiency. Turn these mandates into automated and cost-effective solutions. Register now!

http://www.windowsitpro.com/seminars/regulatorycompliance/index.cfm?code=0803emailannc

==== Featured White Paper ====

Enabling Mobile Sales: Putting CRM in Your Pocket

In this free white paper, find out how you can enable the latest handheld devices and smartphones to deliver scalable, real-time access to enterprise systems on today's high-bandwidth data networks--complete with enterprise-class security and NTLM authentication. Don't wait--get your free copy now and improve sales productivity and customer responsiveness by using a faster, more convenient, wireless solution.

http://www.windowsitpro.com/whitepapers/good/mobilesales/index.cfm?code=0803emailannc

==== 3. Security Toolkit ====

Security Matters Blog: Here Comes the Fuzz

by Mark Joseph Edwards, http://www.windowsitpro.com/securitymatters

iDEFENSE released three new tools that help find vulnerabilities. FileFuzz for Windows and notSPIKEfile and SPIKEfile for Linux are all format-fuzzing tools, which are used to look for problematic areas in file formats.

http://www.windowsitpro.com/Article/ArticleID/47186

FAQ

by John Savill, http://www.windowsitpro.com/windowsnt20002003faq

Q: How can I avoid Kerberos authentication problems that occur when Kerberos authentication uses UDP?

Find the answer at

http://www.windowsitpro.com/Article/ArticleID/47135

==== Announcements ====

(from Windows IT Pro and its partners)

Try a Sample Issue of the Windows IT Security Newsletter!

Security Administrator is now Windows IT Security. We've expanded our content to include even more fundamentals about building and maintaining a secure enterprise. Each issue also features product coverage of the best security tools available and expert advice on the best way to implement various security components. Plus, paid subscribers get online access to our entire online security article database! Sign up to try a sample issue today:

http://www.secadministrator.com/rd.cfm?code=fseu2558su

Windows IT Pro Gives IT Professionals What They Need

The August issue is a must have! Subscribe now and find out the best ways to plan for Longhorn, what you need to know about VBScripts, and how to make sense of SQL Server. If you order today, you'll also gain exclusive access to the entire Windows IT Pro online article database (over 9000 articles) and save 44% off the cover price!

http://www.windowsitpro.com/rd.cfm?code=theu2058bu

==== 4. New and Improved ====

by Renee Munshi, [email protected]

Control Your Desktop

Anfibia released Deskman SE 6.0, which features One Button Security, Kiosk Mode, mouse and key restrictions, and Start Menu replacement. The new Desktop Lock lets you lock your desktop when you're away and continue where you left off when you return. The new Kiosk Mode allows the use of one or more specific applications, while disabling access to all other system and desktop features. The new mouse and key restrictions let you disable Ctrl+Alt+Del and any other key combination. Single licenses cost $85 each; volume discounts are available. For more information, go to

http://www.anfibia-soft.com

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to

[email protected].

Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

==== Sponsored Links ====

Professional and secure remote control from all major platforms

http://a.windowsitpro.com/RealMedia/ads/click_lx.ads/www.windowsitpro.com/1112745096/x14/Penton/WN_Danware_Aug05_NLsplink_118338/1x1.gif/1

Argent versus MOM 2005

Experts Pick the Best Windows Monitoring Solution

http://a.windowsitpro.com/RealMedia/ads/click_lx.ads/www.windowsitpro.com/TextLink/1112745096/x14/Penton/WN_Argent_Aug05_NLSplink116193/1x1.gif/1

==== Contact Us ====

About the newsletter -- [email protected]

About technical questions -- http://www.windowsitpro.com/forums

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]