Archive for April, 2007

The VoIP Toll Shift

April 24, 2007

One of the promises of VoIP is it’s cost-effectiveness. By overlaying the new breed of telephony networks on top of our existing data networks and the Internet, thereby leveraging a transport mechanism that we’re already maintaining and paying for, we rid ourselves of the high toll charges imposed on us by the traditional telephony services by allowing end-users to call each other, regardless of the distance, essentially for “free.” And not just within our corporate walled gardens either; Skype, for example, has built the core of their business around providing a basic service of free phone calls between end-user consumers.

With the traditional telephony business model, the further away from the party you are calling, the higher the toll charge to call them. Even local calling within your local geographic area carries a cost, although now days that cost is generally a monthly flat-rate. The core business is built on these toll-ridden services, and “toll-free” calls are the exception to the norm. These so-called “toll-free” calls aren’t really toll-free at all however, they are only free to the party making the call; the recipient of the call pays the premium to provide this “free service” to their callers. The bottom line is, the consumer is usually being charged something throughout the entire spectrum of services. With VoIP and the new era of telephony, this is all changing…


On Social Hacking Groups, Meetings, and AHA!

April 23, 2007

Since the early ’90s, when I first really started getting into information security and the hacking scene, I’ve always found immense value in social hacker meetings. Back then all I had was my local 2600 meeting, however today, depending on your place of residence, there may be many different types of meetings available to you ranging from black to white-hat orientations such as 2600, local-area DefCon groups, the regional *Sec groups like NoVASec and SeaSec, various security user groups like NTSUG, and independent groups like AHA!

The groups that I’ve participated in over the years which include both Dallas and Ft. Worth 2600 meetings, dc214, and AHA! have vastly contributed to my personal experience and continued success in my career and have definitely helped to get me to where I am today. Nowadays I simply won’t do without them.


Anatomy of an 0-day

April 19, 2007

Cody Pierce, a colleague of mine at TippingPoint’s DVLabs, was recently profiled in an article by Dennis Fisher over at The article basically describes how Pierce went about discovering and disclosing an 0-day vulnerability in the Internet Help Control ActiveX component last April, which resulted in a patch from Microsoft last August.

To do this, he built a custom fuzzer to test large numbers of ActiveX controls and separate the wheat from the chaff. He wrote the fuzzer using the Python and Ruby programming languages and began looking for remotely exploitable vulnerabilities that posed a serious threat to Internet users.

“There are 4,000 ActiveX controls on a typical XP machine and I looked for the ones that could be loaded in Internet Explorer,” Pierce said. “Then I looked for the ones with problems and then the ones that were critical. I wanted to see what was exploitable and what was just a denial of service.”

The article then goes on to hint at a paradigm shift in vulnerability research that targets web and hosted software, noting that as more and more software packages are provided solely on the web or by ASPs it’s increasingly difficult for 3rd party researchers to target those pieces of software. Due to the fact that such software generally isn’t available outside of the ASP or company hosting the web application for testing in a controlled environment, targeting such applications for vulnerability research can be construed as an active and malicious attack.

Kudos to Pierce and TippingPoint for the excellent press coverage!

Upcoming Conferences

April 19, 2007

In a couple of weeks I’ll be heading to Seattle for Microsoft’s internal security conference, BlueHat, and ToorCon’s invite-only conference, ToorCon Seattle (Beta).

I’ve never been to BlueHat before, but that’s not really surprising since most of my research targets, both now and in the past, have had absolutely nothing to do with Microsoft products. The primary reason I’m attending is that BlueHat takes place the two days before ToorCon Seattle and I’ll already be in town those days due to attending ToorCon Seattle and returning through Seattle from a trip to Vancouver which will get me there a few days early.

ToorCon Seattle (Beta) is the first of ToorCon’s invite-only conferences and is adopting an extremely familiar approach to structure; Basically, all speakers will have up to 20 minutes to present on research currently in progress rather than finished work, followed by a hand-full of 5 minute turbo talks toward the end of the day. It seems like I’ve seen this format somewhere before…

I’ve submitted something to speak about at ToorCon Seattle but haven’t heard back yet on whether or not I’ll get a slot, so I’ll refrain from talking about that just yet.

Black and White Ball

April 16, 2007

I’ve been invited to speak during the Black Track at the Black and White Ball this September which is being held at the Ministry of Sound in London. I’ll be presenting on some new research I’ve been working on involving VoIP and steganography. The presentation will be entitled “Real-time Steganography with RTP.”

Information Security Conferences, Workshops, and Training Calendar

April 16, 2007

I maintain a Google calendar entitled “Information Security Conferences, Workshops, and Training”, and it contains dates for conferences, workshops, training, CFP deadlines, and related events. I inadvertently announced it to the InfoSec research community by way of a response to a recent post on the Daily Dave email list asking about such a calendar. Since then I’ve had a flood of responses suggesting additional events to add as well as a lot of positive feedback from people who are now subscribed to the calendar. I believe it’s probably now the most comprehensive calendar for the subject available.  I previously maintained the calendar just for myself and a few friends’ personal use, but apparently people are finding it extremely useful.

You can view or subscribe to the calendar via HTML, iCal, or XML.

Blog Migration

April 1, 2007

Today I migrated this blog from LiveJournal over to WordPress. I regularly contribute to another blog entitled Voice of VoIPSA as part of my involvement in the VoIP Security community and it is fueled by WordPress. Having contributed to that blog for some time now I’ve come to prefer the WordPress interface and management tools over what is provided by LiveJournal. While I still like LiveJournal for many of it’s social aspects, and will continue to use it for my private and friends-only journal, those were not features centric to this blog’s purpose.

April Fools!

April 1, 2007

April Fools Day has always been a fun day for technology people, especially online. It seems to have become even more so for security people, as every April 1st the security mailing lists get hit with lots of April Fools advisories, fake tool releases, fake announcements from big projects and organizations like Metasploit and the EFF, fake RFC standards, and just an overall flood of craziness.

Of course I have to contribute, so every year I put out an April Fool’s security advisory. The one I released this year was entitled Window Transparency Information Disclosure.

Apparently, so far this year, mine is Bruce Schneier’s favorite, which he noted on his blog. Something I always try to accomplish with my April Fools advisories is to make them believable while still being fairly ridiculous. One of the comments to Schneier’s blog post by “Alex” points out the legitimacy of the vulnerability described in my advisory and calls into question whether or not it is actually an April Fool’s joke, which is exactly the reaction I always shoot for (:

You can find the definitive list of online April Fools jokes for 2007 here.