Monthly Archives: July 2006

Podcast on Skype Security

The latest episode, SKP14, of the SkypePodcast focuses on security, so may be of interest to folks here.  Sasha (the host) also gives a mention to our own Dan York and the Bluebox podcast.

Sasha quotes Skype CSO Kurt Sauer justifying why Skype jumps around different IP ports, making it hard to detect or block:  “One of the reasons Skype is difficult to find is that the people who provide the carrier services [ISPs, telcos] are in competition with Skype.”

You can find the full version of this quote in a Techworld article.

Cisco Unified CallManager Vulnerabilities

Cisco announced vulnerabilities today in Unified CallManager versions 5.x:

Cisco Unified CallManager (CUCM) 5.0 has Command Line Interface (CLI) and Session Initiation Protocol (SIP) related vulnerabilities. There are potential privilege escalation vulnerabilities in the CLI which may allow an authenticated administrator to access the base operating system with root privileges. There is also a buffer overflow vulnerability in the processing of hostnames contained in a SIP request which may result in arbitrary code execution or cause a denial of service. These vulnerabilities only affect Cisco Unified CallManager 5.0.

The remote code execution SIP vulnerability is obviously the most concerning of all of these issues.  Luckily, it looks like the issue was discovered internally, which means an exploit may not publicly emerge for a while since Cisco’s advisory lacks detail on the actual malformed SIP message required to trigger the flaw.

Blue Box Podcast #33 – Detailed VoIP fraud and CALEA discussion, VoIP security news and more

Blue Box Podcast #33 is now available for download.  With this show, we have some excellent user comments that go into some great detail around the recent Pena/Moore VoIP fraud discussion as well as the FCC’s recent decision around CALEA.  Jonathan and I also cover recent VoIP security news as well as other listener comments.  Many thanks to all the listeners who sent in their own examination of the VoIP fraud case, as the combined commentary is definitely useful for helping all of us learn about this fraud case and how to prevent it on our own systems.

Newport Wobbles

News broke last week about Session Border Controller manufacturer Newport Networks, which has run into cash-flow problems waiting for deals to close.  Newport Networks was started by serial entrepreneur Sir Terry Matthews, reportedly Wales’s first billionaire, who also founded Newbridge (now part of Alcatel) and Mitel.

Last year Newport were lined up to supply their 1460 Session Border Controller to troubled equipment supplier Marconi.  Marconi themselves failed to become prime NGN suppliers to British Telecom, which ultimately resulted in the failure of the company.  The rump of Marconi has now been absorbed into Ericsson.

Newport have announced layoffs, as reported at ZDNet and in the UK Guardian Newspaper, in an attempt to reduce cash burn while waiting for the business to arrive.  It’s ironic with CALEA in the headlines and telcos rolling out NGNs that a provider of the enabling technology should have run onto the rocks.  Let’s hope the Newport investors can keep their nerve. 

“Vishing” with war-dialers?

Apparently removing the email component and adding war-dialers to the mix warrants a new term for VoIP-enabled phishing, now called “vishing.” Secure Computing is reporting a new type of phishing attempt which utilizes war-dialers armed with pre-recorded messages, replacing the use of e-mail lure and tackle. By calling unsuspecting people rather than emailing them, the attackers hope to elicit a better response to the seemingly more legitimate lure. You can read more in an article from the IT-Observer here.

66th IETF Meeting starts tomorrow in Montreal – streaming audio and video available for remote listening

FYI, the 66th IETF meeting starts tomorrow and the good news is that courtesy of the University of Oregon, you can listen/watch the sessions remotely. As noted in the IETF meeting agenda, there are a good number of sessions relating to security. One of special interest may be the RTPSEC BOF at 5:40pm (Eastern US) Monday night, where the topic of discussion will be all the various ways to securely exchange encryption keys for Secure RTP. The sessions will be streamed live, but will apparently also be available in an archive after the sessions are over.

UPDATE: There is also Jabber-based IM group chat available.  If you already have a Jabber IM account somewhere (like Jabber.org), you can join a group chat room by connecting to the Jabber server “jabber.ietf.org” and then giving the working group name as the room name.  For instance, the chat room for the ENUM session I am in right now is “enum@jabber.ietf.org”.  Just another way to stay up with what is going on at the meetings for those interested.

Homosapien Too

I sent a message the other day on eBay, and came across a new feature: to submit a message you now have to prove you are not a spammer but human (these being opposites) with a Turing test or CAPTCHA.  OK, these things are common on web systems these days, but the new slant here was that if you could not read the graphic, you could click on a link and download an audio version to listen to instead.  This is also one of the proposed strategies for dealing with SPIT (SPAM over Internet Telephony) in our VoIP systems of the future, i.e. interact with the bona fide caller or spammer and present them with some kind of test or quiz before they get put through.  This could be as simple as “Press 8 to speak to Martyn or 0 for voicemail.”

But there is also an arms race aspect to this, for the smart spammer might also employ automatic speech recognition (ASR) technology, which is increasingly cheap and effective due to increasing CPU performance and falling hardware prices.  Their ASR server could be programmed to understand digits, and so have a fair stab at giving the correct answer to the CAPTCHA. 

It interested me that on eBay, the audio file downloaded did not have a pristine recording of the digits being read out, but instead had a variety of noises in the background: white noise; some fragments of speech.  Naturally it’s quite easy for a human to extract the digits from the background noise, but this is just the kind of chaff that might confuse the enemy radar, so to speak, of the spammer’s ASR system.
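As an added illustration (not part of the original post, and not eBay's or any vendor's code), here is a minimal sketch of the call-screening test described above: the IVR reads out freshly generated digits over background noise and the caller must key them back. The names `CallScreen` and `Challenge` and the attempt and timeout values are assumptions chosen for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 2   # assumed policy: answers allowed before diverting the call
TTL_SECONDS = 20   # assumed policy: time the caller has to key the digits


@dataclass
class Challenge:
    digits: str        # what the IVR reads out (mixed with background noise)
    issued_at: float
    attempts: int = 0
    done: bool = False


class CallScreen:
    """Per-call audio challenge: the caller keys back freshly generated digits."""

    def __init__(self, length=4, clock=time.monotonic):
        self.length = length
        self.clock = clock
        self.pending = {}  # call_id -> Challenge

    def issue(self, call_id):
        # Fresh random digits per call, so a fixed "press 8" answer cannot be
        # scripted once and reused by an automated dialer.
        digits = "".join(secrets.choice("0123456789") for _ in range(self.length))
        self.pending[call_id] = Challenge(digits, self.clock())
        return digits

    def answer(self, call_id, dtmf):
        ch = self.pending.get(call_id)
        if ch is None or ch.done:
            return "voicemail"        # no live challenge for this call
        if self.clock() - ch.issued_at > TTL_SECONDS:
            ch.done = True
            return "voicemail"        # too slow: do not ring the user
        ch.attempts += 1
        if hmac.compare_digest(dtmf.encode(), ch.digits.encode()):
            ch.done = True            # one-time use
            return "connect"
        if ch.attempts >= MAX_ATTEMPTS:
            ch.done = True
            return "voicemail"        # guessing budget exhausted
        return "retry"
```

The attempt cap and timeout matter as much as the noise: even an ASR system that mishears the digits gets only a couple of guesses per call before being diverted to voicemail.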

Happy July 4th to those of you in the USA, and welcome back all our friends that just celebrated Canada Day.