Dan Wing just released a new Internet Draft called “Disclosing Secure RTP (SRTP) Session Keys with a SIP Event Package” that merits attention and consideration. As Jonathan and I have discussed on Blue Box and as has been discussed in the VOIPSEC mailing list from time to time, there are situations where you want both the secure encryption of all voice and also the ability to record calls. However, right now this is difficult to do in any “standard” way in the world of SIP, and this new proposal is one view of how that situation might be solved. Dan is looking for feedback (and his address can be found in the document) and this document will no doubt be discussed at the upcoming IETF meeting in Prague in mid-March.
One of the highlights of 3GSM Barcelona for me was visiting NEC at their stand, and to see their demonstrations in action. There was some discussion in the VoIP and security space over the last weeks about a server technology called VoIP SEAL that NEC were to demonstrate at the show, and I was keen to see this in action. VoIP SEAL is a system that attempts to defend a VoIP system against VoIP SPAM or SPIT (SPAM over Internet Telephony).
Luckily, at the time I visited the stand, Saverio Niccolini of NEC was there. Saverio is a prominent researcher for NEC, and was a speaker at the 3rd Annual VoIP Security Workshop last year, which I attended and wrote about here. It was great to meet up with Saverio, and he showed me the VoIP SEAL demo himself.
To briefly summarize the system, VoIP SEAL combines a number of different techniques to detect a suspicious VoIP call. Each module does a test and produces a score or index, and at the end the indices are weighted and combined to give an overall score that measures how â€˜dangerousâ€™ a call might be. For example, there are modules that can apply blacklist or whitelist logic; measure SIP INVITE rates; test reputation or check that different SIP URIs are not coming from the same IP address. So, each module is dedicated to measuring for a particular exploit or security aspect, and they can be combined in different ways, with different weights.
An interesting part of VoIP SEAL is that it can apply tests in two phases: firstly before answering the call and then after picking up. In the first phase, the â€˜suspiciousness levelâ€™ of a call can be assessed, and if the level is low, the second phase can be skipped, simply connecting the call to the recipient. However, if the level passes a configured threshold, the call is diverted to a specialized answer machine that can apply further tests. Having this two-phase approach helps to minimize false positives, where genuine human callers get trapped in the system and canâ€™t get through.
In phase 2, VoIP SEAL can measure the speech energy when a greeting or outgoing message is being played. For a genuine human caller, this energy should be low, as humans tend to listen rather than talk over greetings. A bot or SPAM application will behave differently, perhaps starting to stream audio continuously as soon as the media channel is available. There are more sophisticated audio CAPTCHA tests (Turing Tests) that can also be applied to attempt to tell the difference between a human and a bot. If the call is considered suspicious, it can just be allowed to play its message into a voicemail SPAM queue, and perhaps this queue would be periodically reviewed by an administrator to make sure that the VoIP SEAL was working effectively and not trapping too many real human callers.
If you want to hear more about VoIP SEAL, I recorded an interview with Saverio where he explains it in more detail. This interview will be coming up in a future edition of the Bluebox Podcast, run by two of our VOIPSA Chairs, Dan York and Jonathan Zar.
In June last year, I attended the 3rd VoIP Security Workshop in Berlin andÂ wrote about some of it here.Â It seems there is now a successor conference (although not with the same name) to be held at Columbia University in New York in July, organized by the same committee.
The scope is broader this year, encompassing not only VoIP Security, but a range of IP and NGN related topics.Â They have just published a call for papers, so please take a look at the IPTComm site here.Â I’m sure it will be a stimulating event, as the last one was.
Perhaps it has been up for a while, but I just noticed today the new Zfone Project Home Page. Previously Phil Zimmermann had Zfone as a subset of his philzimmermann.com website, but now it’s off on its own sharp-looking site. There’s also news of a new beta for download as of February 9th. Kudos to Phil and his team for launching the new site and, as always, we’re definitely interested in hearing what people think (okay, at least I am).
Last week, in a post entitled “Skype Reads Your BIOS and Motherboard Serial Number” a developer named myria outlined how Skype was calling a file called “1.com” to read your PC’s BIOS. Predictably, this set off a Slashdot firestorm when posted there as well as numerous other mentions throughout the blogosphere and wider web. Ultimately, Skype CSO Kurt Sauer posted an explanation that this was part of the DRM component of the EasyBits framework Skype uses in their Extras Plugin Manager.
If you look at what Skype is doing with their Extras Gallery, they are very clearly making the play to be an application delivery platform – for commercial apps as well as free apps. Leaving the DRM religious war aside, the reality is that the moment you start talking commercial apps typically most vendors also start talking about some form of DRM to ensure that people aren’t just copying the commercial apps and giving them to their friends. Skype’s answer is this “EasyBits framework” and it appears that this framework was reading the BIOS to obtain a unique identifier for the PC. You can read the slashdot trail or the responses to the initial post to see various views on the intelligence of doing this, but suffice it to say that Skype owned up to the fact that this was what was going on.
Kurt Sauer also provided the simple solution – upgrade to the latest Skype 3.0 version, 184.108.40.206, where they now use a version of this framework that no longer reads the BIOS. Kudos to Skype for the quick response and to everyone who is worried about it… you can upgrade now. (Or for those really worried about Skype, just continue to not use it.)
That’s the question Dean Takahashi asks in a column in today’s San Jose Mercury News titled: Wiretapping could stifle VOIP technology. It is not entirely clear to me why Takahashi is writing this today given that there does not seem to be any real “new” news…. but with a headline like that and in the Mercury News, it is bound to get some attention over the next few days. Takahashi points out that US VoIP service providers that connect to the PSTN much comply with the FCC regulation by May 14, 2007 but that pure Internet peer-to-peer/p2p services like Skype are currently exempt. He does provide this teaser:
But it appears from its legal maneuvers that the FBI may also want to find a way to tap peer-to-peer calls, the ones that bypass the telephone system. And the FCC’s analysis of the FBI request suggests it might go along with a move to require wiretapping on any new Internet communications system.
Which leads to the obvious question of how a p2p system would actually do this… which leads to the opinion that some centralization would be required… which leads to the conclusion that this could therefore kill p2p VoIP systems in their true p2p form. The article refers people over to the Center for Democracy and Technology CALEA page where the CDT has copious amounts of info about CALEA (obviously from their point-of-view). Takahashi concludes with:
We have to balance the need to enforce laws with the need to move technology forward and at the same time protect our privacy. If we hobble technology to help law enforcement, we make ourselves vulnerable, not safer.
We faced this kind of issue in the early 1990s, when the debate was about whether to allow encryption technologies strong enough to hide data from the government. The government later decided to allow strong encryption to be used unencumbered, particularly as the technology was allowed overseas. The outcome here may be the same.
Given that VOIPSA is a global organization that encompasses a wide range of companies, people and geographic regions, its not really our place as an organization to wade into the debate of legislation in one particular country. But it is definitely a matter that does merit discussion and attention. There are very legitimate needs by law enforcement. There are also very legitimate privacy concerns – and security concerns. Where do we as nations, companies and individuals strike the balance?
Why in the world would I want to install a Skype “extra” that lets people change my inbound ringtone? i.e. they can make my version of Skype ring with a different ringtone than I have it configured for – or play annoying messages. I can only imagine working in an office and having Skype set to have a quiet non-obtrusive ring… and then suddenly someone calls me with some loud and really obnoxious ring (or profane or pornographic).
Why would I want to do this?
Scanning my personal email this morning, I had a “newsletter” from Skype encouraging me to download the latest version (which I found especially ironic given that I’m running the very latest version) and in that newsletter they highlighted several “extras” by name. One was “Ringjacker” and had this text:
Hijack your friend’s ringtone â€“ ring them up with your music.
Okay, I’m a security guy… mention something like that and yes, Skype, you have my attention. In looking at the Ringjacker page in the Extras gallery, it has this ominous text (my emphasis added):
Ringjackerâ„¢ is the next generation of ringtone released on Skype phones. It is an optional plug-in application in Skype that enables Skype callers to ring up other Skype users with a selection of songs, tracks and sound effects. Ringjackerâ„¢ is a perfect conversation starter. The free plug-in lets a caller make his or her friendsâ€™ Skype phone ring with any of a range of audio tracks, including perenial Electronica, classic seasonal songs, and various hilarious animal calls to surprise and delight the recipient. Ringjackerâ„¢ allows the user to temporarily hijack his or her friendsâ€™ Skype ringer and will be available worldwide via the Skype 3.0 distribution.
The perfect “conversation starter“? I can think of a few other choice words. Perhaps I’m just a control freak, but I don’t want anyone messing with MY phone configuration! Naturally at this point, my curiousity – and concern – was getting heightened. Was this going to make me uninstall Skype or leave it in DND mode all the time? So I went over to the Ringjacker home page to learn more about the company. Thankfully, on the help page they answered my question:
(Note: if the contact does not have Ringjacker installed, the contact will be sent a message asking the contact to install Ringjacker. Only after the contact has installed Ringjacker will you be able to make a Ringjacker call to that contact.)
Whew! So in other words the only people who will be bothered by Ringjacker’s tones are those who choose to install this extra. Which goes back to my original question – why in the world would someone want to install this extra?
Now, I’m all for experimentation and encouraging people to try out wacky ideas, but I just don’t get it. I guess that the Ringjacker folks believe this will be “fun”. Maybe I’m just being a grumpy curmudgeon who needs to drink more tea before blogging in the morning… but the only thing I can see installing this extra would do is set myself up for more annoyances! What do you think? Would any of you actually use this? Since we’re on a security blog, I’m betting no, but thought I’d ask… 🙂
P.S. Judging by the user comments in the Skype extras site, there appear to also be some technical issues, although many of those may be with Skype’s own Extras component.