On April 18th Amazon finally responded publicly to the SIP brute force attacks recently launched from hosts within their EC2 service. Their response comes in the form of an informational security bulletin posted to the AWS Security Center.
There have been some recent discussions about SIP brute force attacks originating from Amazon EC2. We can confirm that several users reported SIP brute force attacks originating from a small number of Amazon EC2 instances about a week ago. It appears these attacks were designed to exploit security vulnerabilities in the SIP protocol. There is nothing specific about this attack that requires Amazon EC2. It was a brute force attack that could be launched from any computer on any network.
On his VoIP Tech Chat blog, Fred has documented with outstanding clarity his attempts to report the attack he suffered this past week, and Amazon's rather limited response. My opinion is that Fred has done exactly as he should in his efforts to report the attack. It's Amazon's response that has fallen short.
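Anyone on the receiving end of one of these attacks mostly wants to know how to spot it in their own PBX logs before the attacker lands a working extension. The following is an added example, not part of the original post or of Amazon's bulletin: a small Python script that flags source addresses producing repeated failed SIP REGISTER attempts within a short window. The log lines are constructed to mimic the chan_sip "Registration from ... failed for" NOTICE format written by Asterisk of that era; the hostnames, addresses, year, threshold and window are assumptions, and the regex should be checked against the exact format your Asterisk version emits before you rely on it.

```python
"""Flag SIP registration brute-force sources from Asterisk-style log lines.

Added example, not from the original post. The sample log below is
constructed to mimic chan_sip's "Registration from ... failed for" NOTICE
lines; the regex, addresses and thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: one host hammering REGISTER across several extensions
# (an enumeration pass) and one legitimate user who mistyped a password once.
SAMPLE_LOG = """\
[Apr 18 10:00:01] NOTICE[2231] chan_sip.c: Registration from '"100" <sip:100@pbx.example.net>' failed for '203.0.113.7' - Wrong password
[Apr 18 10:00:01] NOTICE[2231] chan_sip.c: Registration from '"101" <sip:101@pbx.example.net>' failed for '203.0.113.7' - No matching peer found
[Apr 18 10:00:02] NOTICE[2231] chan_sip.c: Registration from '"102" <sip:102@pbx.example.net>' failed for '203.0.113.7' - No matching peer found
[Apr 18 10:00:02] NOTICE[2231] chan_sip.c: Registration from '"103" <sip:103@pbx.example.net>' failed for '203.0.113.7' - Wrong password
[Apr 18 10:00:03] NOTICE[2231] chan_sip.c: Registration from '"104" <sip:104@pbx.example.net>' failed for '203.0.113.7' - No matching peer found
[Apr 18 10:00:03] NOTICE[2231] chan_sip.c: Registration from '"105" <sip:105@pbx.example.net>' failed for '203.0.113.7' - Wrong password
[Apr 18 10:00:41] NOTICE[2231] chan_sip.c: Registration from '"200" <sip:200@pbx.example.net>' failed for '198.51.100.20' - Wrong password
[Apr 18 10:00:45] VERBOSE[2231] chan_sip.c: -- Registered SIP '200' at 198.51.100.20 port 5060
"""

# Matches the failed-REGISTER NOTICE; the optional ":port" covers versions
# that append the source port after the address. Assumed format.
FAILED_REG = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<from>[^']*)' failed for '(?P<src>[0-9.]+)(?::\d+)?' - (?P<reason>.*)$"
)


def parse_failures(log_text, year=2010):
    """Yield (timestamp, source_ip, attempted_user, reason) per failed REGISTER.

    Asterisk omits the year from its timestamps, so the caller supplies it.
    """
    for line in log_text.splitlines():
        m = FAILED_REG.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        user = re.search(r"sip:([^@>]+)@", m["from"])
        yield ts, m["src"], (user.group(1) if user else None), m["reason"]


def find_brute_forcers(log_text, threshold=5, window_seconds=60, year=2010):
    """Return {source_ip: summary} for every source that produced at least
    `threshold` failed registrations inside any `window_seconds` window.

    The summary carries total attempts, the distinct extensions tried and the
    first/last timestamps, so extension enumeration (many users) can be told
    apart from password guessing against one account (one user, many tries).
    """
    stats = {}
    recent = defaultdict(deque)  # src -> timestamps still inside the window
    flagged = set()
    for ts, src, user, _reason in parse_failures(log_text, year):
        s = stats.setdefault(src, {"attempts": 0, "users": set(), "first": ts, "last": ts})
        s["attempts"] += 1
        s["last"] = ts
        if user:
            s["users"].add(user)
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(src)
    return {src: {**stats[src], "users": sorted(stats[src]["users"])} for src in flagged}


if __name__ == "__main__":
    for src, info in find_brute_forcers(SAMPLE_LOG).items():
        print(f"{src}: {info['attempts']} failed REGISTERs, "
              f"{len(info['users'])} distinct extensions, "
              f"{info['first']:%H:%M:%S}-{info['last']:%H:%M:%S}")
```

Run it against the constructed sample and only 203.0.113.7 is reported; the single mistyped password from 198.51.100.20 stays below the threshold. In practice the threshold and window need tuning for your user population, and the output is what you would feed into a firewall rule or an abuse report, which is exactly the kind of evidence Fred had to assemble by hand.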
Earlier this week Dan Berninger, CEO of the newly formed HDConnect trade group, offered up another guest post on Jeff Pulver's blog. In this post, entitled "Telecom Turnaround," Dan outlines the decline in demand for traditional voice services over the past decade. He also hints at the typical arguments that naysayers offer against wideband telephony. It's all good stuff.
There's something that I'd like to add to what Dan puts forward. By whatever name it's known, HDVoice, HD VoIP, or simply wideband telephony, improved call quality is only the beginning. When voice is just another application on an IP network there are many advantages that can be realized. Improved call quality is just the first benefit that we'll see (hear?), and possibly the easiest to sell both to the public and to regulators.
Earlier today the DECT Forum issued a press release in response to news from last month's Chaos Communication Congress (25C3) that DECT encryption has been cracked. Their press release (PDF) is about what you'd expect. It merely asserts their willingness to work with researchers to develop new and better security provisions as part of the CAT-iq standard that replaces DECT.
I would hope that they would not only develop a better standard, but also ensure that the encryption provisions are in fact implemented by manufacturers. To my mind the most frightful part of the deDECTed group's work was finding that some DECT implementations were not encrypted at all. Further, that there was essentially no way for a non-technical user to know whether the DECT system they were buying was encrypted or not.
The FBI release last Friday about vishing and Asterisk touched off a bit of a furor. It now appears that they have restated their warning, acknowledging Digium's original response to the matter in question (AST-2008-003): that all current v1.2 and v1.4 Asterisk systems will already have been patched. Asterisk v1.6 was never affected. Digium provides further clarification as well.