Unified Communications: Information Loss Through the Front Door


Presented at SourceSeattle 2012 by

What if you scanned your external network and found an open LDAP listener offering access to your corporate directory to anyone who happened to stop by? Ten years ago instant messaging entered the security spotlight when the Sarbanes-Oxley Act made everyone scramble for an answer to a problem that nobody understood. But since that time we've stopped looking. Compliance is solved, and it's very tedious. A decade of inattention brings a lot of change, and while we were distracted by mobile devices these enterprise instant messaging systems became the backbone for a suite of communications. Microsoft, Cisco, IBM, and the telephony vendors have migrated to VoIP and offer audio, video, and application sharing products that initiate over IM connections. The public cloud is offering instant messaging between competitors in an effort to own your identity and your attention. While instant messaging has always been a fragmented array of protocols and clients, the market has coalesced on SIP and XMPP as the focus changed from owning the protocol to building new features. The Defense Information Systems Agency (DISA) now defines XMPP, and more specifically federated XMPP, as a requirement for sales of "near-real-time, text-based messaging products" into the US Department of Defense, and vendors are following. This talk focuses on the mechanics of XMPP, XMPP server-to-server federation, and the surprising collection of data corporations expose as they open their unified communications systems to the world. We will complete the talk with a discussion of a practical exploitation of these weaknesses via custom tools.