Monthly Archives: June 2006

Phishing with a VoIP Net

The Register is reporting on a recent phishing scam targeted specifically at customers of the Santa Barbara Bank & Trust in Southern California. It’s of the variety that makes use of an IP PBX subscribed to a VoIP-to-PSTN service so that the scammers can obtain a valid-looking DID number in Southern California. The targets of the scam are first sent an official-looking email asking them to call the bank at the aforementioned DID number, where they are greeted by an automated voice system requesting that they enter their account number and other personal information.

Net security firm Websense notes that the recorded message does not mention the Santa Barbara Bank & Trust, a sign that the same phone line is potentially being lined up for fraudulent attacks targeting the customers of other online banks or ecommerce firms.

These types of attacks don’t require VoIP technologies to perform or succeed; however, the low cost and relatively easy procurement of the consumer hardware, the software and the VoIP service providing the indial are beginning to make this type of phishing attack much more prevalent.

Blue Box Podcast #32 – ENUM tutorial, VoIP security news and more

Blue Box Podcast #32 is now available for download.  In this show, Jonathan and I provide a tutorial about ENUM, discuss the latest VoIP security news and address a range of other comments.  If you are not aware of ENUM and how it allows regular telephone numbers to be mapped to SIP URIs, you may find this very useful.
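As an added illustration of the ENUM mapping mentioned above (this is example code written for this page, not the podcast’s material or any library’s API), the following shows the two halves of an ENUM lookup: turning an E.164 number into the domain name that is queried, and applying the NAPTR regexp rules that come back to produce a SIP URI. The NAPTR records, the number +44 20 7946 0148 and the example.net host are constructed sample data, and the regexp handling is simplified (the delimiter is assumed not to appear inside the pattern or replacement).

```python
import re


def e164_to_enum_domain(number, suffix="e164.arpa"):
    """Map an E.164 number to its ENUM domain: strip non-digits, reverse the
    digits, dot-separate them and append the ENUM root (the RFC 3761 rule)."""
    digits = re.sub(r"\D", "", number)
    if not digits:
        raise ValueError("number contains no digits: %r" % number)
    return ".".join(reversed(digits)) + "." + suffix


def apply_naptr_regexp(rule, number):
    """Apply a NAPTR regexp field of the form '!pattern!replacement!flags' to the
    full E.164 number (with its leading '+'). Returns the rewritten string, or
    None when the pattern does not match. Simplification: the delimiter character
    is assumed not to occur inside the pattern or the replacement."""
    if not rule:
        return None
    delim = rule[0]
    parts = rule[1:].split(delim)
    if len(parts) < 2:
        raise ValueError("malformed NAPTR regexp: %r" % rule)
    pattern, replacement = parts[0], parts[1]
    flags = re.IGNORECASE if len(parts) > 2 and "i" in parts[2] else 0
    match = re.search(pattern, number, flags)
    if match is None:
        return None
    return match.expand(replacement)  # NAPTR back-references \1..\9 match Python's


def resolve(number, records, service="E2U+sip"):
    """Return candidate URIs for `number` from a NAPTR RRset, best first:
    keep records for the wanted ENUM service, sort by (order, preference),
    and apply each record's regexp to the number."""
    wanted = [r for r in records if r["service"].lower() == service.lower()]
    wanted.sort(key=lambda r: (r["order"], r["preference"]))
    uris = []
    for r in wanted:
        uri = apply_naptr_regexp(r["regexp"], number)
        if uri is not None:
            uris.append(uri)
    return uris


# Constructed sample RRset, as it might be published under the ENUM domain of
# +44 20 7946 0148 (a fictitious UK number); example.net is a placeholder host.
SAMPLE_NAPTR = [
    {"order": 100, "preference": 10, "flags": "u", "service": "E2U+sip",
     "regexp": r"!^\+44(.*)$!sip:0\1@example.net!"},
    {"order": 100, "preference": 20, "flags": "u", "service": "E2U+sip",
     "regexp": r"!^.*$!sip:info@example.net!"},
    {"order": 100, "preference": 30, "flags": "u", "service": "E2U+email:mailto",
     "regexp": r"!^.*$!mailto:info@example.net!"},
]

if __name__ == "__main__":
    number = "+442079460148"
    print(e164_to_enum_domain(number))    # 8.4.1.0.6.4.9.7.0.2.4.4.e164.arpa
    print(resolve(number, SAMPLE_NAPTR))  # ['sip:02079460148@example.net', 'sip:info@example.net']
```

The security point worth keeping in mind: the rewrite rule that decides where a call is routed arrives in a DNS answer, so whoever can spoof or poison that answer can redirect calls. A resolver that acts on ENUM data should validate it (DNSSEC) and treat the regexp output as untrusted input, for example by accepting only the URI schemes it expects.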

Perfectly Secret

In VoIP Security it seems we owe a double debt to Claude Shannon. Shannon is probably best known for the Nyquist-Shannon sampling theorem, which underlies the whole of digital sampling of analog signals. The elevator version of this idea is that when you sample something into digital form, you have to sample at at least twice the highest frequency that you want to reproduce. This is why CDs only have an audible frequency range of 22 kHz (due to the 44 kHz sampling rate), which comfortably covers the range of frequencies that I can now hear, although perhaps not my children’s.

But Claude Shannon also coined the term perfect secrecy, as he did a lot of work related to cryptography.  In a nutshell, perfect secrecy means that you have no more information about the plaintext after seeing the ciphered version than you did before seeing it, i.e. it’s perfectly secret if the ciphered text gives you no clues and all plaintexts are equally probable.  I would highly recommend reading Shannon’s biography at the Wikipedia site.
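Shannon’s definition can be checked exhaustively on a tiny cipher, which makes the “no more information than before” idea concrete. The following is an added example written for this post (not Shannon’s own formulation or code from any library): it computes the posterior distribution over plaintexts given a ciphertext by Bayes’ rule, assuming a uniformly random key, and declares a cipher perfectly secret only if that posterior equals the prior for every ciphertext that can occur. It goes a little beyond the text by also showing two ways the property is lost: a key space smaller than the message space, and reusing a one-time pad for two messages.

```python
from fractions import Fraction
from itertools import product


def posterior(prior, encrypt, keys, ciphertext):
    """Bayes' rule: P(M=m | C=ciphertext) for every plaintext m, assuming the
    key is drawn uniformly from `keys`. `prior` maps plaintext -> Fraction."""
    keys = list(keys)
    likelihood = {
        m: Fraction(sum(1 for k in keys if encrypt(m, k) == ciphertext), len(keys))
        for m in prior
    }
    p_c = sum(likelihood[m] * prior[m] for m in prior)
    if p_c == 0:
        raise ValueError("that ciphertext can never be produced")
    return {m: likelihood[m] * prior[m] / p_c for m in prior}


def is_perfectly_secret(prior, encrypt, keys):
    """Shannon's condition, checked exhaustively: every ciphertext that can
    occur must leave the plaintext distribution exactly as it was before."""
    keys = list(keys)
    reachable = {encrypt(m, k) for m in prior for k in keys}
    return all(posterior(prior, encrypt, keys, c) == prior for c in reachable)


def uniform_prior(space):
    space = list(space)
    return {m: Fraction(1, len(space)) for m in space}


def otp(m, k):
    """One-time pad on 3-bit messages: XOR with a fresh 3-bit key."""
    return m ^ k


def two_time_pad(pair, k):
    """Two 2-bit messages XORed with the SAME 2-bit key (pad reuse)."""
    return (pair[0] ^ k, pair[1] ^ k)


def demo():
    """Constructed cases; returns a name -> bool map of which are perfectly secret."""
    skewed = {0: Fraction(1, 2), **{m: Fraction(1, 14) for m in range(1, 8)}}
    return {
        # Full key space, any prior: the ciphertext tells you nothing new.
        "otp_uniform_prior": is_perfectly_secret(uniform_prior(range(8)), otp, range(8)),
        "otp_skewed_prior": is_perfectly_secret(skewed, otp, range(8)),
        # Only 4 keys for 8 messages: some plaintexts become impossible.
        "otp_short_keys": is_perfectly_secret(uniform_prior(range(8)), otp, range(4)),
        # Reused pad: c1 XOR c2 reveals m1 XOR m2.
        "two_time_pad": is_perfectly_secret(
            uniform_prior(product(range(4), range(4))), two_time_pad, range(4)),
    }


if __name__ == "__main__":
    for name, secret in demo().items():
        print("%-18s perfectly secret: %s" % (name, secret))
```

Exact fractions are used rather than floats so that “equal to the prior” is a real equality test and not a tolerance. The two-time-pad case is the one that bites in practice: the posterior given ciphertext (0, 0) puts probability 1/4 on each of the four pairs with equal halves and zero on the other twelve, which is exactly the leak a reused keystream gives away.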

Actually, reading this page made me think about Richard Feynman (also biog’ed at Wikipedia), one of my great heroes.

The two men were about the same age: Shannon combined a serious academic career with juggling, unicycling and with roulette weekends in Las Vegas; Feynman, a brilliant physicist and educator, had hobbies of bongo drumming, painting and safe cracking. I wonder if the two of them ever met?

VoWLAN with Smartphones

The German mobile telephony reseller eteleon has presented a new offering for a VoWLAN bundle featuring the Nokia E60, E61 and E70 smartphones with WLAN and VoIP capabilities. The offering is for use both in the GSM network as well as with hotspots (or simply with the WLAN at home or in the office). Roaming from WLAN to GSM during a call is nevertheless not an option before the arrival of UMA (Unlicensed Mobile Access). The SIP clients of the Nokia models are delivered preconfigured for use with the VoIP service of the provider. The interesting thing about it: the provider is already offering free SRTP encryption as part of its VoIP service. The Nokia SIP client doesn’t seem to support it, though, so this is only a small step towards secure mobile VoIP. Should someone tell them?

You can find out more at heise and eteleon (both in German).

Blue Box Podcast #31 – VoIP Fraud discussion, CALEA tutorial/commentary, VoIP security news and more

Blue Box Podcast #31 is now available for download. In this show, Jonathan and I spend a block of time discussing the recent Pena/Moore VoIP fraud case and another large block of time discussing the recent FCC decision around the application of CALEA to VoIP service providers. We also have our regular discussion of VoIP security news, comments from listeners and more.

Black Hats and Evil Twins

In contrast to T-Mobile’s antipathy towards VoIP services, I see that UK-based WiFi hotspot provider The Cloud is actually in partnership with Skype and Vonage, so clearly they see VoIP as an important component of their business. However, as has been discussed in recent weeks on our VOIPSEC list, security of VoIP is only as good as the security of the platform itself and of the network that carries the VoIP traffic.

The latest security worries for WiFi have just been aired in a Computer World article. Some researchers will give a talk at the Black Hat conference on how to crash or hack WiFi drivers. In particular, they have used a fuzzing technique (which David Endler wrote about recently) with a tool called LORCON to expose flaws in WiFi drivers. The article suggests that LORCON is simple enough even for script kiddies to use.

The life of WiFi has been punctuated by stories of insecurity, including Evil Twinning (where criminals impersonate a bona fide WiFi service), the use of Netstumbler to find unsecured WLANs and endless stories about the insecurity of WEP.  But as Virgil Gligor said at the recent VoIP Security Workshop, the history of computing is full of examples of new technologies that are used for a long period, perhaps ten years, before all of the related insecurities get found and fixed.

Skype to Address User-Identification Concerns

In an eerie parallel to a discussion that has recently cropped up on the VoIPSec forum regarding peer-entity authentication vs. data-origin authentication, Skype announced yesterday that it intends to address the issue of user identification within its VoIP service.

Part of Skype’s “wish list” for further expansion into the business market is to enhance username authentication for business customers, the voice over Internet Protocol company said Wednesday.

Skype’s system currently authenticates users itself, automatically, based on certificates from its own encrypted Public Key Infrastructure (PKI). Because it does this automatically and transparently, the users themselves have no way of authenticating the identity of the person they are communicating with.

“Skype is a public key infrastructure, which means nothing if you don’t know who you are identifying at the other end,” Sauer said.

You can read more detail at

Skype security

RECON (Reverse Engineering Conference) was recently held from June 16-18 in Montreal. One of the presentations involved some in-depth Skype reverse engineering and analysis. The slides for the presentation are available in PDF format for part 1 and part 2. Among other things, the talk covered Skype’s crypto scheme, easter eggs and general traffic analysis. Worth a read.

Verizon launches “VoIP Security Assessment Service”

Burton Group analyst Irwin Lazar passed along word that Verizon has launched an enhanced VoIP Security Assessment Service. From the news release:

The Verizon Business VoIP Security Assessment Service is designed to identify and address potential security vulnerabilities associated with customer premises-based VoIP and hosted IP PBX systems from any hardware and software vendor.

The vulnerabilities range from risks inherent in traditional voice and IP-based data networks, including loss of service, fraud, privacy, denial of service attacks, viruses and SPIT (spam over Internet telephony), as well as newer vulnerabilities related to the integration and interoperability of VoIP software and hardware. In addition, a host of new risk factors are created when traffic is handed off between traditional phone and next-generation VoIP networks.

The security assessment service includes a comprehensive review of customers’ security policies, as well as an analysis of local- and wide-area network architecture.

More information is available in the Verizon news release.

A Tour Through Zfone

This review of Zfone is intended for readers who would like to take a look at Zfone but are too busy to test it at the moment. The visual aids used in this article may also help readers to grasp some of the concepts (such as key continuity) behind Zfone. The complete specification of ZRTP, the key exchange protocol used by Zfone, can be found in this Internet draft. Zfone is available for Windows XP, Mac OS X and Linux, and can be downloaded for free from its official homepage.
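Key continuity is the part of ZRTP that is easiest to show in code, so here is an added, deliberately simplified model of the idea (written for this review; it is not Zfone’s or libzrtp’s code and does not reproduce ZRTP’s actual key derivation, message formats or Diffie-Hellman groups). Each side caches a retained secret after a successful call and mixes it into the next call’s session key alongside the fresh Diffie-Hellman result. An attacker who steps into the middle of a later call can run two Diffie-Hellman exchanges, but it holds no retained secret, so the keys it derives no longer match the endpoints’ keys and the confirmation check fails. The 127-bit prime and generator are a toy group chosen only so the example runs quickly; all names are invented.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for illustration only (NOT one of ZRTP's real groups).
P = 2**127 - 1
G = 3


def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2          # private exponent in 2 .. P-2
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    return pow(peer_pub, priv, P).to_bytes(16, "big")


def session_key(dh_secret, retained):
    """Mix the fresh DH result with the retained secret from the previous call
    (empty on a first call). Simplified stand-in for ZRTP's derivation."""
    return hashlib.sha256(b"session|" + dh_secret + b"|" + (retained or b"")).digest()


def next_retained(key):
    """What each side caches for next time; it never travels on the wire."""
    return hashlib.sha256(b"retained|" + key).digest()


def confirm_tag(key):
    """Key-confirmation MAC exchanged at the end of the handshake."""
    return hmac.new(key, b"confirm", hashlib.sha256).digest()


class Endpoint:
    def __init__(self):
        self.cache = {}   # peer label -> retained secret from the last good call

    def offer(self):
        self.priv, self.pub = dh_keypair()
        return self.pub

    def derive(self, peer, peer_pub):
        return session_key(dh_shared(self.priv, peer_pub), self.cache.get(peer))


def call(alice, bob, mitm=False):
    """One call between alice and bob. With mitm=True an attacker runs two
    separate DH exchanges and relays the confirmation tags; it holds no
    retained secret. Returns (alice_accepts, bob_accepts)."""
    a_pub, b_pub = alice.offer(), bob.offer()
    if not mitm:
        key_a, key_b = alice.derive("bob", b_pub), bob.derive("alice", a_pub)
        ok_a = ok_b = hmac.compare_digest(confirm_tag(key_a), confirm_tag(key_b))
    else:
        m_priv_a, m_pub_a = dh_keypair()      # attacker's key pair toward Alice
        m_priv_b, m_pub_b = dh_keypair()      # attacker's key pair toward Bob
        key_a = alice.derive("bob", m_pub_a)
        key_b = bob.derive("alice", m_pub_b)
        # The attacker can only derive keys without a retained secret.
        key_ma = session_key(dh_shared(m_priv_a, a_pub), None)
        key_mb = session_key(dh_shared(m_priv_b, b_pub), None)
        ok_a = hmac.compare_digest(confirm_tag(key_a), confirm_tag(key_ma))
        ok_b = hmac.compare_digest(confirm_tag(key_b), confirm_tag(key_mb))
    # Only a call that passed confirmation updates the cache.
    if ok_a:
        alice.cache["bob"] = next_retained(key_a)
    if ok_b:
        bob.cache["alice"] = next_retained(key_b)
    return ok_a, ok_b


if __name__ == "__main__":
    a, b = Endpoint(), Endpoint()
    print("first call, honest:      ", call(a, b))             # (True, True)
    print("second call, interposed: ", call(a, b, mitm=True))  # (False, False)
```

The model also shows the limit of the mechanism: on a very first call there is nothing cached, so an attacker interposed from the start is not detected by continuity alone, and the endpoints would even cache a secret the attacker shares. That first call is what the verbal short-authentication-string comparison in ZRTP is for; continuity then carries the trust established there forward to later calls.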


Installing Zfone should take only a couple of minutes. You may encounter a number of warning messages from Windows XP along the way, but they can be ignored. Despite its name, Zfone is not a stand-alone softphone but rather a “bump in the cord” (as described on its homepage) that encrypts the RTP packets generated by a softphone. There is not much you need to do to get Zfone up and running, assuming that your softphone works properly before the Zfone installation and that Zfone is launched before the softphone.

After installation, Zfone automatically launches itself and sits in the system tray. Zfone also installs a ZRTP driver, which can be verified by opening the property menu of any LAN card installed in the system. Zfone also automatically checks with a designated server to see if a new update is available. Since I used an isolated network as my test bed, Zfone complained “Can’t connect to libzrtp server” at the bottom of the GUI.


Figure 1: Zfone control panel

The Zfone GUI looks very clean (Figure 1). In fact, what’s conspicuous about the GUI is its lack of any configuration menu. Basically, there are only three things you can do when the system is idle: check for a new version, read the help and exit.
