Patrick McNeil

Raleigh, North Carolina, United States

About

I’m a driven sales engineer that likes to be a key member of a winning team. I’m adept at…

Experience & Education

  • GuidePoint Security

Publications

  • The Right Way To Do Wrong: Physical security secrets of criminals and professionals alike

    CackalackyCon & Layer 8

    In 1905 Harry Houdini wrote his first book entitled “The Right Way to Do Wrong” wherein he divulged the lockpicking and other trade secrets of criminals. People make assumptions about how schemes work and believe them to be complicated, yet in many cases the insider knows how simple they are. Most people assume that besides tailgating and social engineering, real break-ins (or physical security testing) are all about picking locks. However, the secret is that on physical pentests it’s typically unnecessary to do that! Some physical controls have known bypasses, and some building contractors (or even locksmiths) don't implement things correctly. Just like Houdini, I’ll be divulging the simple tricks of the trade employed by both criminals and professional physical pentesters to bypass physical controls without using lockpicks. You may be shocked and amazed by what you see, and once you leave you'll be an insider too - seeing insecurity everywhere!

  • Interview on Hotel Room Security and Privacy

    Shared Security Weekly Blaze w/Tom Eston

    "Hotel security has been a hot topic being debated in the cybersecurity and privacy communities ever since the annual DEF CON hacking conference which was recently held in Las Vegas. The conference hotel security staff at Caesars Palace conducted random hotel room searches unbeknownst to conference attendees. This caused a firestorm of criticism from conference goers but also brought attention to how we all should think about the security and privacy of the hotel rooms we stay in. In this episode I want to share with you some helpful tips and advice to increase your security and privacy while staying in a hotel room." - Tom Eston

  • The 3 Ways of DevSecOps – Making Shift Happen

    DevOpsMidwest 2018

    During the Agile revolution, the wider software development community discovered the benefits of shifting testing left. The primary benefits included reduced schedule risk, higher team confidence and reduced development costs. Additionally, developers have gotten better at writing functional code and fewer things are found late in the cycle. What if we tried the same with security? Would we see the same benefits? Absolutely! Let’s talk about how to make shift happen in your SDLC.

    What you will learn:
    1. A bit about DevOps and DevSecOps
    2. Why shift didn’t happen historically
    3. How to make shift happen
    4. The benefits of shifting in your workplace
    5. Some of the keys to building an effective DevSecOps program

  • Building a Successful Application Security Program

    Charlotte Metro ISSA Summit

    Application security requires more than testing for vulnerabilities. It requires thoughtful planning. Those who are reducing application risks are approaching AppSec as a program, not a tool. You must consider not just the technology aspect of the initiative, but people and process as well. This presentation will outline the typical application security journey and the elements of building a successful AppSec Program such as:
    Determining your organization’s current maturity and appetite for AppSec, Gaining executive buy-in, Training and working with the development team, Creating security awareness around first-party vs open source code, Managing a program, Measuring results. Attend this session and learn: 1. Understanding of fundamental building blocks for a great AppSec program; 2. A simple maturity model to baseline and track progress; 3. The importance of tracking Open Source risk; 4. A strategy to make it all work.

  • All The Sales President's Men (BSidesLV 2017 & DEF CON 25 Skytalks)

    Patrick McNeil

    As technologists and hackers many of us have skills in intelligence gathering or social engineering, but we might not stop to think about how those same skills are being used against us to influence our purchasing decisions as we evaluate vendors for new projects. Now I know you're thinking, "I can spot that a mile away." No free lunch, vendor party, or booth giveaway is going to sway ME, right? Well, I've got a confession to make - it goes way beyond that. I can be your ally, your advocate, and an asset to your organization. I can also be the secret weapon of the sales team - the guy who speaks both languages - sales and tech.
    Let me walk you through what happens behind the scenes during the sales cycle at a typical tech company to influence you into buying from them.

    Materials available at: https://github.com/unregistered436/BSidesLV-2017

  • Phone Meets Web

    This is a presentation I delivered for OWASP DC in November 2016 and OWASP Atlanta in March 2017. It maps some common telephony security issues and fraud schemes to the relevant OWASP Top 10 2013 issues.

  • DerbyCon V: The Phony Pony: Phreaks Blazed the Way

    Patrick McNeil & Owen

    See publication URL for abstract. Materials also available at: https://github.com/phreakme/DerbyCon5

    This talk is similar to the one Owen and I put together for DEF CON 23, but this time we rolled out a new API and Social Engineering Tool front end script for automating attacks. Phreakme calls a list of numbers, plays a recording, and collects any digits pressed. Some social engineering skill is required to come up with a pretext that would be plausible. Ex: "As of 9 AM we were acquired by BigBoxCo. For security purposes please enter your voicemail pin to hear an announcement from our CEO." Once a voicemail password is collected it's possible to commit some high-dollar voice fraud or use that as a foothold for more in-depth social engineering.

  • DEF CON 23: Sorry, Wrong Number: Mysteries of the Phone System - Past & Present

    DEF CON 23

    Exploring the phone system was once the new and exciting realm of “phone phreaks,” an ancestor of today’s computer “hackers.” The first phreaks “owned” and explored the vague mysteries of the telephone network for a time until their activities drew too much attention from the phone companies and law enforcement. The phone system evolved, somewhat, in an attempt to shut them out, and phreaking became both difficult and legally dangerous. Such events paralleled a new personal computer “revolution” wherein phone phreaks made the transition from the secret subtleties of telephony to the new and mystical frontier of personal computing. Private BBS(s) and, eventually, the Internet was not only the next logical step forward, but also provided “safer” alternatives that still allowed for the thrill of exploring the mysteries of a new modern age. Telephony, and voice security in general, became, as the years passed, something of a lost art to all but those who remember...

    (see full description at: https://www.defcon.org/html/defcon-23/dc-23-speakers.html#McNeil)

  • Phony Business - What Goes Around Comes Back Around (CarolinaCon 11)

    Patrick McNeil & Owen

    Exploring the phone system was once the new and exciting realm of “phone phreaks,” some of the first “hackers.” When personal computers became more pervasive, however, BBS(s) and, eventually, the Internet shifted the focus of the information and telecommunication security community. Voice security, and telephony in general, has become, over time, something of a mystery - something more akin to voodoo or black magic. Dial plans? The stuff of legend and nightmares.

    In this presentation we will attempt to change that perception. Starting with a journey back in time, we will briefly take a look at telephone system evolution and the attacks early systems faced, with our journey ending at today’s "advanced" VoIP systems. Though systems have become more complex, some of the same basic attacks are still prevalent and exploitable. The transition to VoIP has created opportunities for a variety of new attack vectors as well. Come with us on an expedition through time, space, and telephony, as we explain how voice systems are targeted, how they are attacked, and how to defend them with demonstrations and practical tips along the way.

  • DEF CON 22 Skytalks: How To Make Money Fast Using A Pwned PBX

    Patrick McNeil

    Many people who deploy SIP for voice or video don't understand the potential security risks. As a result, there are lots of vulnerable SIP devices connected to the Internet that are easily compromised due to misconfiguration or lack of simple protections. This is fairly common knowledge within the security community, but what most don't realize is that you can do more than just make free phone calls - like get rich quick! In this somewhat irreverent talk I'll discuss...

    How SIP compromises occur and who the primary actors are:
    - How did we get here? Why so many vulnerable devices?
    - Common discovery and attack methodologies & the weaknesses exploited
    - The most common attack tools used, backed up by real world data
    - Where most attackers are coming from, again with real data

    After a system has been compromised, top ways to make money - how and why they actually work:
    - International Revenue Sharing Fraud - calling a high cost destination and splitting the profits
    - Toll Bypass - using a PBX local trunk to bypass high per minute rates
    - Wangiri & SMS SPAM - missed call or text message to a mobile, return call to high cost destination with profit splitting
    - Extortion using a Telephony Denial of Service attack - a quickly rising trend where phone lines are tied up if demands are not met

  • Personal Blog - The Placebo Effects

    In my blog I break down the latest newsworthy security vulnerabilities for the average user, in a way that can be easily understood. I eliminate the sensationalist media soundbytes and help people understand whether the fancy logo security issue will really impact them - or how to avoid it.

  • How To Make Money Fast Using A Pwned PBX (CarolinaCon 10)

    Patrick McNeil

    Many people who deploy SIP for voice or video don't understand the potential security risks. As a result, there are lots of vulnerable SIP devices connected to the Internet that are easily compromised due to misconfiguration or lack of simple protections. This is fairly common knowledge within the security community, but what most don't realize is that you can do more than just make free phone calls - like get rich quick! In this somewhat irreverent talk I'll discuss...

    How SIP compromises occur and who the primary actors are:
    - How did we get here? Why so many vulnerable devices?
    - Common discovery and attack methodologies & the weaknesses exploited
    - The most common attack tools used, backed up by real world data
    - Where most attackers are coming from, again with real data

    After a system has been compromised, top ways to make money - how and why they actually work:
    - International Revenue Sharing Fraud - calling a high cost destination and splitting the profits
    - Toll Bypass - using a PBX local trunk to bypass high per minute rates
    - Wangiri & SMS SPAM - missed call or text message to a mobile, return call to high cost destination with profit splitting
    - Extortion using a Telephony Denial of Service attack - a quickly rising trend where phone lines are tied up if demands are not met

  • Phone Phreaking, Hacking and Fraud, Oh My!

    Healthy Paranoia via Packet Pushers

    Introduction to security issues in VoIP environment.

  • Telephony Denial of Service Prevention and Response

    CFCA-FIINA Joint Event, 2013 Uruguay
    Identifying and differentiating between service congestion due to an organic event or a targeted Telephony Denial of Service (TDoS) attack can be difficult. Time spent analyzing the event can complicate or delay an operational team's responsive actions. Mitigation of actual attacks once they are identified can require a multi-faceted response coordinated between service providers, their peers, and enterprise operations teams. No single network component can provide a holistic TDoS prevention solution. The best common practice when mitigating TDoS risk involves the layering of technical controls with policy enforcement points. This session covered the common challenges, tools, technical controls, and policy enforcement methods to best protect communication infrastructure from TDoS.

  • Radware Blog Entries

    My blog entries from 2013-2015

  • TDoS and Fraud – Detect and stop the latest communications threats

    Fierce CIO / Oracle

    The Department of Homeland Security recently warned against telephony denial of service (TDoS) attacks that threaten an organization’s IP communications system. TDoS is the latest in a long list of threats and fraud scams specifically targeting communications.

    - How do TDoS and other potent threats access and abuse communications systems?
    - How are communications networks used to commit fraud?
    - Effective steps to secure an enterprise communications network
    - Debunking common security myths

  • SIP Zombies Terrorizing Your PBX & How to keep your brains

    Patrick McNeil

    CFCA Winter Educational Event, 2013 New Orleans
    This presentation was delivered at the Communications Fraud Control Association conference in Feb, 2013, and recorded in May, 2013. It does not take sophisticated hacking skills to be successful at “IP PBX hacking”. This presentation included the methods employed by SIP VoIP attackers, honeypot research results, and a real-time demo of how attackers compromise your IP-PBX. One of the keys to fraud prevention is knowledge of the tools and methods employed by your attackers (Note, if using the link, a Webex player is needed).

  • Making UC Secure: A Blueprint for E-SBC Deployments

    Oracle - Acme Packet

    Enterprises are deploying IP-based unified communications (UC) solutions to increase productivity, improve collaboration, and reduce capital equipment and operating expenses. Conventional IP security products like firewalls and intrusion detection or prevention systems were not designed with real-time communications in mind, and leave organizations vulnerable to security threats.
    When introducing UC platforms IT teams must craft new strategies and identify new security solutions to protect and control real-time communications flows. Enterprise session border controllers (E-SBCs) are specifically designed to overcome the unique security challenges enterprises typically encounter when introducing unified communications solutions.

    Intended for enterprise IT security professionals, this white paper reviews common unified communications security issues and describes how Acme Packet Enterprise Session Director E-SBCs, working alongside conventional data security solutions, help businesses safeguard IT assets, mitigate financial loss and legal exposure, and maintain high service levels when deploying real-time communications over IP networks.

  • WebRTC Conference & Expo - Panel on Edges and Security

    Patrick McNeil

  • Acme Packet Blog Entries

    Acme Packet blog entries from 2012-2013

  • NG9-1-1 Security: Testing the Security Capabilities of SBCs

    Romain Gallais, Patrick McNeil

  • Enterprise SBC Security: Hype vs. Reality

    Patrick McNeil, Allan Konar

    Presented at IAUG 2012 in Boston
    - Security is definitely a hot issue in VoIP and Video
    - Industry fueled by some real threats and risks, but FUD abounds
    - Not all security capabilities protect against realistic threats
    - The real threats vs FUD and marketing hype were discussed

  • Acme Packet SBC Security Best Practices

    Patrick McNeil

    This presentation was delivered at Broadsoft customer conferences in Miami and Denver
    - Basics of securing the SBC management environment
    - Prevention of reconnaissance scans, enumeration, password guessing, and hash cracking
    - DoS/DDoS basics, and specifics for trunking and access architectures
    - Response to the most common security incidents

Courses

  • Penetration Testing With Kali Linux

Projects

  • sipShield SIP VoIP IPS feature for Acme Packet

    I personally developed a SIP IPS feature called "sipShield" that was deployable on the Acme Packet SBC on my own time, written in the Lua subsystem that was exposed for modular plugins. It was the best received product feature of the year when it was introduced at our customer advisory board in 2013 and it is still in use today as part of the Oracle Acme Packet SBC Security Guide. See https://docs.oracle.com/cd/E55742_01/doc/sbc_security.pdf.

  • SIP VoIP Honeypot Research with [Redacted] East Coast University

    While working at Acme Packet, one of my east coast university customers and I got to talking about SIP honeypots. He had lots of compute resources but little experience with them. I had no compute resources and lots of interest in setting some up to see what we could do. We started a personal project with permission from his university. The university shall remain nameless at their request for "reasons".

    Over the course of three years we ran a honeypot connected to both the Internet and Internet 2. The information collected was used as data for Acme Packet fraud protection technologies including the SIPShield SIP IPS that was integrated into their Session Border Controller. Data was also provided to industry telephony fraud forums, and I spoke about our findings at various conferences.

    Besides the "normal" attack tools like SIPVicious that were seen every day, one highlight was that I was also able to detect a common server toolset that was generating attacks from various low cost hosting providers. That toolset appeared to be written by someone who was a potential associate of Al Qaeda, likely to generate money to fund terrorism. I provided the tool signatures and known IP addresses to the FBI for investigation.

Languages

  • Spanish

Organizations

  • CackalackyCon

    Staff

    - Present
  • Oak City Locksport

    Founding Member / President

    - Present

    Oak City Locksport is the original Raleigh area lockpicking group, founded in 2010 by Katie (aka "squ33k"), and led today by Patrick (aka "unregistered436 (https://twitter.com/unregistered436)"). While we are not a TOOOL (http://toool.us) chapter, we were fostered by the TOOOL US president Deviant Ollam, and we remain friends to this day. We meet once a month to pick locks, share interesting locks or projects, and have a beer with friends. We've been known to run the Lockpick Village at BSidesRDU and CarolinaCon. https://www.meetup.com/Oak-City-Locksport/

  • BSidesRDU Board Member

    CFP Lead
