Monthly Archives: September 2006

Hello Mom, I’m a Fake

It’s with some gloom that I look at these new services that use VoIP technology to fake your Caller ID. The first one I came across was FakeCaller, but others like Telespoof are arriving every day.

FakeCaller presents itself as a bit of fun (and ominously has a ‘pranks’ tab at the top of the welcome page, although no content there as yet). The notice at the bottom of the page suggests that you shouldn’t use it for harassment and stalking, or use foul language in the voice messages you send. But I ask you, what legitimate purpose could there be for a system that allows you to lie about your name and caller ID, and send a computer speech message down the phone when they answer?

Telespoof think that their customer base is those who lie as part of their everyday work, even down to how you appear on the phone. I would have thought that simply restricting the display of your number (as you can on most cellular and landline systems these days by entering a code) would be enough. Perhaps they mean anonymous in a more insidious way, i.e. anonymous even to law enforcement and security forces.

I’m not sure how we got into this situation that VoIP telcos should be able to ‘opt out’ of the caller ID system, but overnight the whole concept of caller ID has become useless and unreliable. When I received a sales call from a company selling satellite TV warranties recently, they gave me the hard sell, suggesting that my Sky box was out of warranty and likely to fail at any minute. Small matter that I don’t have a box, but occasionally they must hit someone that does. Such a company could have no restraint in lying about their name and caller ID if it helped to close a sale.

This all just means more opportunities for mis-selling, phishing, faking, defrauding and otherwise messing with people, and I can’t see how anyone could be in favour of it.

Blue Box Podcast #38 available, as well as special editions on IMS Security and Netclarity

We have been a wee bit busy over at Blue Box in recent weeks, but the results are now appearing. I’ve uploaded three shows in recent days:

  • Blue Box Podcast #38 is perhaps the only place you can hear about fugitive CEOs, Phil Zimmermann, Paris Hilton, Skype security, Asterisk, SIP and the IETF all in one place!
  • Blue Box Special Edition #10 provides a great interview with Gary Miliefsky of Netclarity where we explore his views on the future of VoIP security, NIST and CVEs related to VoIP, his company’s tools and much more
  • Blue Box Special Edition #11 dives into IMS security through an interview with Morgan Stern from Lucent who had just been on a panel at Fall VON 2006 on securing IMS. We cover his views on the challenges ahead for IMS, the various standards bodies involved, how to address lawful intercept and much more. Morgan also provided a copy of his presentation and links to a webinar on IMS that he recently gave.

All that and more is available… please do give a listen and let us know what you think.

Skype preparing “enterprise-friendly” version

Skype has now indicated that they will be preparing an “enterprise-friendly” version of their product. The CIO news item does not give many details, but does offer this:

The update will allow system administrators to use standard Windows management tools to set how the Skype software connects to the Internet, or to disable any of half a dozen functions, including file transfers

It references work Skype did with Intel that involved some type of network edge proxy server that apparently allowed Skype connections to be blocked if deemed necessary.  Stay tuned for more information.

Double Ending

Martin Geddes recently reflected on the use of Skype as a tool for recording podcasts with two people in different locations.  This is a technique that is used on many podcasts now, including Blue Box, the VoIP Security Podcast.  But as Geddes says, sometimes the quality is not all it should be, and it would be useful to be able to record in top quality, and in some way transmit this out-of-band, while using the inferior, real-time audio between the two podcasters.  Sometimes this technique (called double-ending, or a “double ender”) is done manually today in podcasting and in radio: each person records their end of the conversation locally, then the files get spliced together at the end to make a broadcast quality programme.  The telephone call only needs to be good enough for the two people to understand each other while the interview is taking place.

But adding double-ending functionality in Skype has interesting possibilities, apart from the podcasting one.  In some areas human speech needs to be understood by less tolerant parties than humans, for example in the areas of automatic speech recognition, or speaker verification.  Given that VoIP streams can be of cellphone quality (or lower), it could be useful for a computer system to be able to play back a passage of speech it was having trouble with.  For example, a speaker verification system might listen to the live VoIP speech, perhaps match with a certainty of 20%, then after a few tens or hundreds of milliseconds it could try again using extra hi-fidelity information that came in while it was processing the first time.  Much better than forcing the user to re-speak their passphrase over and over until the computer figures it out.

On the subject of Dan York (of Blue Box) and Martin Geddes, you can almost see them in this photograph from Fall VON.  York is moving at speed, presumably in order to eclipse Geddes.

Schneier Honoured

Catching up on my reading, I see that Dr Dobb’s Journal honoured crypto guru Bruce Schneier in their April edition with an excellence in programming award.  I’ve been a fan of DDJ since I first came across the magazine in the 1980s, and (with my software developer hat on) once even had the thrill of contributing to DDJ.

Congratulations, Bruce. Coming from one of the world’s top-rank developer publications, I think this is an accolade to really enjoy.

Blue Boxes of the Future

Being in Malaysia myself this week, I stumbled across this article by the Grugq in the Malaysia Star.  It’s quite a nice roundup of the coming threats in the VoIP world.  The mention of phone phreakers brought back a thought I had a few weeks ago.  Before digital networks, phone phreakers were able to play tones down the phone handset (using a Blue Box), emulating the tones used by the telcos themselves, and this allowed them to get free calls and mess around with the network.

With digital networks, all the signalling started to be done with SS7, carried on a parallel network dedicated to signalling traffic.  SS7 doesn’t extend to the phone handset, so suddenly phreakers were out of business.  This has been great for telcos, since the SS7 net was isolated and pretty safe from evildoers.

In some ways with VoIP, we’ve now gone back the other way.  Now all the VoIP signalling protocols, as well as the voice, go to the handset.  This allows phreakers to send any kind of message (SIP, H.323, etc.) they like into the net, to see what the result is.  This is a much worse proposition for the telcos, since they now need to make sure their edge switches are stable, secure, and as far as possible invulnerable to poorly formed messages, or floods of messages.  Today, it’s not a huge problem, but with Next Generation Networks (like IP Multimedia Subsystem or IMS) an awful lot of work is going to be needed to make the networks safe from attackers.

The Grugq is speaking at the HITB Security Conference in Malaysia, as is security guru Bruce Schneier.
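
The requirement above that edge switches withstand poorly formed messages and floods of messages, shown as an added example (not code from the original post or from any product): a strict pre-check for SIP requests and a per-source rate cap applied before a message reaches the call-processing logic. The size limit, the method allow-list, the rejection of folded headers and the names `check_sip_request`, `FloodGuard` and `SAMPLE` are assumptions made for illustration.

```python
import re, time
from collections import defaultdict, deque

METHODS = {b"INVITE", b"ACK", b"BYE", b"CANCEL", b"OPTIONS", b"REGISTER"}  # RFC 3261 core
REQUIRED = {"via", "from", "to", "call-id", "cseq", "max-forwards"}
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id", "l": "content-length"}
REQ_LINE = re.compile(rb"([A-Z]{3,12}) sips?:[\x21-\x7e]{1,256} SIP/2\.0")
MAX_MSG = 8192  # assumed edge policy limit on message size
SAMPLE = (b"OPTIONS sip:bob@example.invalid SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.10;branch=z9hG4bK1\r\n"
          b"From: <sip:a@example.invalid>;tag=1\r\nTo: <sip:bob@example.invalid>\r\nCall-ID: c1\r\n"
          b"CSeq: 1 OPTIONS\r\nMax-Forwards: 70\r\nContent-Length: 0\r\n\r\n")  # constructed sample

def check_sip_request(raw: bytes):
    """Return (ok, reason) for one SIP request; anything unusual is refused."""
    if len(raw) > MAX_MSG:
        return False, "message too large"
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    m = REQ_LINE.fullmatch(lines[0])
    if not sep or not m or m.group(1) not in METHODS:
        return False, "bad request line or framing"
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        # Folded (continuation) lines and odd header names are rejected outright.
        if not colon or not re.fullmatch(rb"[A-Za-z0-9-]+", name):
            return False, "malformed header"
        key = name.decode().lower()
        headers.setdefault(COMPACT.get(key, key), value.strip())
    if REQUIRED - headers.keys():
        return False, "missing mandatory header"
    cseq = re.fullmatch(rb"\d{1,10}\s+([A-Z]+)", headers["cseq"])
    if not cseq or cseq.group(1) != m.group(1):
        return False, "CSeq does not match method"
    clen = headers.get("content-length")
    if clen is not None and (not re.fullmatch(rb"\d{1,6}", clen) or int(clen) != len(body)):
        return False, "Content-Length mismatch"
    return True, "ok"

class FloodGuard:  # sliding-window cap on requests accepted per source address
    def __init__(self, limit=20, window=1.0):
        self.limit, self.window, self.seen = limit, window, defaultdict(deque)
    def allow(self, src, now=None):
        now = time.monotonic() if now is None else now
        q = self.seen[src]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True
```

An edge element would call `FloodGuard.allow` on the source address first and run `check_sip_request` only on traffic that passes, so a flood never reaches the parser.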

Great overview on IPv6 security issues

While it doesn’t have much to do with VoIP security, I found this Internet Draft on IPv6 Transition Security Considerations to be a very worthwhile overview of IPv6 security issues, especially as those issues relate to the transition from IPv4 to IPv6. From the abstract:

The transition from a pure IPv4 network to a network where IPv4 and IPv6 co-exist brings a number of extra security considerations that need to be taken into account when deploying IPv6 and operating the dual-protocol network and the associated transition mechanisms. This document attempts to give an overview of the various issues grouped into three categories:
  • issues due to the IPv6 protocol itself,
  • issues due to transition mechanisms, and
  • issues due to IPv6 deployment.