Just a quick administrivia note – this site is now running the latest and greatest WordPress software at version 3.0.1. In my testing, everything looks perfectly fine, but if you see anything strange on the site in terms of display issues, please do let us know. Thanks – and thanks for continuing to read and comment here.
While it is not “VoIP security,” per se, much of the communications market is buzzing this week with news that calls made on Blackberry smartphones can be intercepted by the U.S. government. Many stories have been written, but here’s one:
While many of us in the security community have known that national governments could obtain calls on mobile devices by obtaining a warrant and working with the carrier, the article I linked to mentions the big difference with RIM:
RIM is in an unusual position of having to deal with government requests to monitor its clients because it is the only smartphone maker who manages the traffic of messages sent using its equipment. Other smartphone makers — including Apple Inc, Nokia, HTC and Motorola Corp — leave the work of managing data to the wireless carrier or the customer.
RIM’s encrypted, or scrambled, traffic is delivered through secure servers at its own data centers, based mostly in its home base of Canada. Some corporate clients choose to host BlackBerry servers at other locations.
The issue here seems to be from the articles I’ve read that the United Arab Emirates government is claiming that RIM is not granting them the same surveillance capabilities as other governments.
Not having any connection whatsoever to the situation, I can’t really comment on what all is going on… but it does continue to point out the challenges in our globally interconnected world. Here are mobile devices being used wherever… routing their email messages back through servers apparently in Canada… and desired to be read by governments around the world. All sorts of jurisdiction issues … and so much more…
If you found this post interesting or helpful, please consider either subscribing via RSS or following VOIPSA on Twitter.
If any of you will be at the SpeechTEK conference in New York August 2-4, I’ll be there and giving a presentation on Monday, August 2nd, at 4:15 about Unified Communications security. The panel abstract is:
As applications move into the multichannel and interconnected world, what are the security concerns you need to consider? Aaron Fisher enumerates the best practices for information security with speech applications and the benefits of tuning in a secure environment. Dan York, author of the bestselling book The Seven Deadliest Unified Communication Attacks, will discuss the major risk areas of unified communications, what steps you can take to mitigate/reduce those risks, a checklist of questions to consider in your implementation, and a look at the future in an increasingly interconnected and converged network.
I’ll be naturally covering some of the topics in my book and talking about overall communication security, VoIP security, cloud security, etc. Not sure if I’ll be able to make a recording of it available later, but will do so if I can. If you are going to be at the show, please do say hello. (More info on what I’m doing on the show can be found here.)
If you found this post interesting or helpful, please consider either subscribing via RSS or following VOIPSA on Twitter.
The big news circulating through the Internet right now related to Skype is that someone may have reverse-engineered part of Skype’s encryption. Two posts of note:
The comments on the TechCrunch article are particularly worth reading as a number of security-related folks have jumped into the debate – and the author of the reverse-engineered code has jumped in as well (or someone claiming to be him, anyway).
People have been trying to reverse-engineer Skype’s proprietary encryption algorithm’s for years… and there have been various presentations at conferences and much data out there. In this case now, a developer named Sean O’Neil has made code available that apparently will decrypt one layer of Skype’s encryption.
Now, the code does NOT give you access to actual Skype messages. O’Neil writes in the TechCrunch comments:
Decryption of the RC4 layer gives nothing other than the ability to check CRC-32 of the packets, mere detection of random-looking encrypted packets as Skype. Maybe some firewalls will be able to block it at last.
I interpret that to mean that this code could help differentiate Skype traffic from other network traffic. The value there is really only, as the author says, that tools could be able to block Skype traffic because it could be more easily identified.
O’Neil goes on to say he has reverse-engineered more of Skype’s protocols and will be laying it all out at the Chaos Communication Conference in Berlin in December. We’ll have to see what gets said then…
Oops. To make a long story short, the “voipsa.org” domain was set to auto-renew on a credit card that was cancelled between renewals – and email notifications went to an incorrect address. It’s all better now. Life is good…
Sorry about that – and thanks to the multiple people who pinged us about it!
As some readers may already know, Syngress has now published a book I wrote, “Seven Deadliest Unified Communications Attacks” that dives into the threats to communications systems and the strategies to protect your systems. It is part of a series of “Seven Deadliest <topic> Attacks” books that have come out over the past couple of months. (And yes, there are seven books in the series.)
As I explained in this video, my intent was not so much to write a book about “VoIP security” but rather to take a look at a slightly larger level at the overall systems that we are connecting together under the name of “unified communications”. When we have voice, video, instant messaging, presence… coming from multiple different systems and then distributed over the global IP network… how do you secure it all?
The book was really my attempt to put in print form many of the themes we have written about on this site, talked about on the Blue Box Podcast and discussed in the VOIPSEC mailing list.
I do want to thank a couple of people in the VOIPSA circles… as I noted in the Acknowledgements, Dustin D. Trammell was an outstanding technical editor – and Andy Zmolek provided some excellent comments and thoughts. Longtime friend and VOIPSA blog contributor Martyn Davies had some helpful feedback, too, as did Scott Beer over at Ingate Systems.
Anyway, the book is out there… and I’ve put up a companion web site at www.7ducattacks.com where I’ll be listing additional resources, errata, updates, etc. There is also a Facebook page for the book. Feedback is definitely welcome (and yeah, I wouldn’t be opposed if you bought a copy or two 
). I’m doing some interviews and podcasts about the book… if you are interested in interviewing me for your site or show, please contact me.
My hope with the book is that in some small way it can help encourage and spread the discussions we all have been having here… and in the end help our communications systems be a bit more secure. Thanks to all of you who have been reading posts here, commenting on them, participating in VOIPSEC and asking great questions.
P.S. If you are available tomorrow, Friday, May 20th, at 1pm US Eastern time, I’ll be interviewed live on the VoIP Users Conference call. Anyone is welcome to join in, listen, and ask questions.
Want to learn about how voice biometrics are being used today in real deployments? Want to learn what advances have been made in the technology? Want to find out how people are using it for voice authentication, identification and more?
If so, consider attending the Voice Biometrics Conference taking place next week, May 4th and 5th, in the New York City area. It’s got a packed agenda and a great list of speakers who really represent the leading edge of what people are doing with voice biometrics. (And yes, I’m one of the speakers and yes, my employer Voxeo is one of the sponsors of the event.)
The organizers of the event, Opus Research, have also really tried to focus the event on showing real-world examples of biometrics deployments. Here is a message that organizer Dan Miller sent out yesterday:
The conference agenda is now packed with use cases across many applications, verticals and government functions. Here’s the list from today’s e-mail:
T-Mobile – Deutsche Telekom’s T-Mobile is developing fast authentication to focus on building a better customer experience.
Bell Canada – The largest customer-facing deployment of voice verification with more than two million customers enrolled.
Bank Leumi (Israel) – Will present how it successfully deployed multiple applications for voice-based user authentication for customers and employees.
I DRIVE SAFELY – Hear how the company implemented a voice-based solution for enrolling students in its online drivers’ education program.
Atos Origin – IT services provider Atos Origin incorporates voice authentication into its “Help Desk” and holds promise for multiple applications inside enterprises around the world.
Centrelink – Australian social services agency who deployed a speaker verification system to authenticate access to welfare services.
Federal Government of Mexico – Learn how the federal government of Mexico has implemented a speaker identification program for use in law enforcement.
If you’re looking for a way to network with the people who have lessons to share regarding strategic, tactical, technical, organizational or even social issues that arise as they specify solutions, analyze vendors, define their projects and carry out their plans, attending Voice Biometrics 2010 will be rewarding.
If you can get to the New York area, do check out the event… registration information can be found on the event page. And if you are attending… I’ll see you there!
If you found this post interesting or helpful, please consider either subscribing via RSS or following VOIPSA on Twitter.
Remember the cyberattacks against Google and other businesses back in China? Google blogged about “A new approach to China” and it was all over the news everywhere for a while. Well, this week security firm Damballa released a detailed look into the Aurora botnet that was apparently responsible for these attacks. The 31-page PDF file goes into some great detail about what they were able to find about the botnet and provides some good information about botnets in general.
While this has nothing to do with “VoIP security”, per se, botnets in general are a concern to all of us in the security profession and we need to gain whatever understanding we can into their threat.
Now, the obvious caveat here is that Damballa is a vendor of security services so you do have to understand that the analysis is written from that perspective. Still, on my glance through the document this morning the research itself did seem of value.
If you found this post interesting or helpful, please consider either subscribing via RSS or following VOIPSA on Twitter.
Updating a story we have literally been following for years ever since it broke back in July 2006, the FBI recently issued a news release indicating that Edwin Pena pled guilty in what we have been calling the “Pena/Moore VoIP fraud case”. From the news release:
Edwin Pena, 27, a Venezuelan citizen, pleaded guilty before U.S. District Judge Susan D. Wigenton to one count of conspiracy to commit computer hacking and wire fraud and one count of wire fraud. Judge Wigenton continued Pena’s detention without bond pending his sentencing, which is scheduled for May 14.
The news release goes on to provide a summary of what Pena admitted:
At his plea hearing, Pena, who purported to be a legitimate wholesaler of these Internet-based phone services, admitted that he sold discounted service plans to his unsuspecting customers. Pena admitted that he was able to offer such low prices because he would secretly hack into the computer networks of unsuspecting VOIP providers, including one Newark-based company, to route his customers’ calls.
Through this scheme, Pena is alleged to have sold more than 10 million minutes of Internet phone service to telecom businesses at deeply discounted rates, causing a loss of more than $1.4 million in less than a year. The victimized Newark-based company, which transmits VOIP services for other telecom businesses, was billed for more than 500,000 unauthorized telephone calls routed through its calling network that were “sold” to the defendant’s unwitting customers at those deeply discounted rates.
Pena admitted that he enlisted the help of others, including a professional “hacker” in Spokane, Washington. The hacker, Robert Moore, 24, pleaded guilty before Judge Wigenton in March 2007 to federal hacking charges for assisting Pena in his scheme. Judge Wigenton sentenced Moore to 24 months in prison on July 24, 2007. At his plea hearing, Moore admitted to conspiring with Pena and to performing an exhaustive scan of computer networks of unsuspecting companies and other entities in the United States and around the world, searching for vulnerable ports to infiltrate their computer networks to use them to route calls.
Pena admitted that rather than purchase VOIP telephone routes for resale, Pena—unbeknownst to his customers—created what amounted to “free” routes by surreptitiously hacking into the computer networks of unwitting, legitimate VOIP telephone service providers and routing his customers’ calls in such a way as to avoid detection.
After receiving information from Moore, Pena reprogrammed the vulnerable computer networks to accept VOIP telephone call traffic. He then routed the VOIP calls of his customers over those networks. In this way, Pena made it appear to the VOIP telephone service providers that the calls were coming from a third party’s network.
By sending calls to the VOIP telephone service providers through the unsuspecting third parties’ networks, the VOIP telephone service providers were unable to identify the true sender of the calls for billing purposes. Consequently, individual VOIP Telecom providers incurred aggregate routing costs of up to approximately $300,000 per provider, without being able to identify and bill Pena.
According to the Complaint, in order to hide the huge profits from his hacking scheme, Pena purchased real estate, new cars, and a 40-foot motor boat, and put all of that property except for one car in the name of another individual identified in the Complaint as “A.G.”
So it looks at long last we can end this particular chapter in the story of VoIP security. I suppose we may mention whatever jail time he gets in May… but at this point he has pled guilty and admitted what he has done.
The lesson for security professionals in this whole episode really came out of the interview I participated in with Robert Moore, mostly that you need to remember “IT security 101″ and use strong passwords, ensure your systems are patched appropriately, etc., etc., so that your systems aren’t used in a scheme like this!
In any event, this particular story seems to be drawing to an end…
If you found this post interesting or helpful, please consider either subscribing via RSS or following VOIPSA on Twitter.
Olle Johansson recently alerted us that there is a “dialstring injection” vulnerability in Asterisk. As Olle notes in his post about the vulnerability, this is similar to a SQL injection attack against a database where there is not enough filtering being done on strings that are being input to the system. Olle writes:
Many VoIP protocols, including IAX2 and SIP, have a very large allowed character set in the dialed extension, a character set that allows characters that are used as separators to the dial() and the queue() applications, as well as within the dialstring that these applications send to the channel drivers in Asterisk. A user can change the dial options and dial something we should not be able to dial in your system. This article describes the issue in more detail and gives you some help on how to avoid this causing trouble in your Asterisk server.
Olle goes on to explain the issue in more detail and explain about how input from VoIP channels should be filtered before being sent to the Asterisk ‘dialplan’ for processing. He includes a plea for assistance:
We need everyone involved to pump this information out in all the veins that runs through the Asterisk eco-system. Audit your dialplans, fix this issue. And do it now. Everyone that runs a web site with dialplan examples – audit your examples, fix them. Everyone that has published books – publish errata on your web site. Please help us – and do it now.
Olle’s article goes into much more detail and offers suggestions for what you can do to protect your system. If you are an Asterisk administrator, it’s definitely an issue you should investigate and act on.
If you found this post interesting or helpful, please consider either subscribing via RSS or following VOIPSA on Twitter.
Welcome to the group weblog of the Voice over IP Security Alliance