Author Archive

Wall St. Journal – Denial of Service attacks on phones responsible for $70 million fraud losses

Monday, October 11th, 2010 by

Have you received a barrage of phone calls to your number? If so, you may be in the process of being victimized, according to a Wall St. Journal article over the weekend called “Preventing a Hack Attack.” The article outlines how a cyber-theft ring that was broken up last week used automated dialing programs to tie up users’ phone lines while the attackers were raiding bank and brokerage accounts to the tune of around $70 million in losses.

Per the article, the attack had two components. First, a malware program went out through email messages and attachments. Once a user clicked on it, the trojan searched the local computer for usernames and passwords for brokerage or online banking accounts and sent that information back to the attackers. Second:

At the same time, victims’ phones were tied up with a barrage of phone calls, according to the federal complaints, preventing them from contacting their bank or brokerage. Busy signals also prevented fraud monitors at the institutions from contacting victims, according to FBI officials who were interviewed before the announcement of the arrests.

The telephone bombardments lasted as long as a week, sometimes forcing victims to disconnect their lines or switch phone numbers, which bought the suspects time to raid their accounts.

The reality today is that our VoIP infrastructure makes these kinds of automated attacks trivial to carry off – and they will only continue to grow as an attack mechanism. The equipment to carry off those attacks can simply be open source software running on servers or even virtualized into a cloud (or distributed on a botnet). Connections to VoIP providers that can then get you PSTN access are both trivial and incredibly cheap.

The article’s recommendations about how to protect yourself were the typical basic steps… use secure passwords, change them often, ideally use a separate computer for online banking (I highly doubt people will do that), use anti-virus, don’t open untrusted attachments, etc. For protection against malware, those are all certainly viable strategies.

For protection against a DoS on your phone number? Not so much. That kind of protection requires more systemic steps within the larger infrastructure – and is at odds with the fundamental aspect of the PSTN where anyone can call anyone else.
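The systemic protection the post calls for starts with the carrier or PBX noticing the barrage. Below is an added example (not from the original post) of the kind of detection a telephony operator could run over call detail records: it flags any destination number that receives an unusually dense burst of inbound call attempts from many distinct callers. The CDR format (`ISO-timestamp,caller,callee,status`), the sample records and the thresholds are all constructed assumptions.

```python
"""Detect a telephone denial-of-service (TDoS) pattern in call detail records.

Assumed CDR format (one inbound call attempt per line):
    ISO-timestamp,caller,callee,status
A callee is flagged when, within any sliding window, the number of attempts
and the number of distinct callers both exceed the thresholds.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_cdr(line):
    """Split one CDR line into (timestamp, caller, callee, status)."""
    ts, caller, callee, status = line.strip().split(",")
    return datetime.fromisoformat(ts), caller, callee, status


def find_tdos_targets(lines, window=timedelta(minutes=5),
                      min_attempts=20, min_callers=5):
    """Return {callee: (max_attempts, distinct_callers)} for flagged callees.

    For each callee the attempts are sorted and scanned with a sliding time
    window; the densest window is kept and compared with the thresholds.
    """
    by_callee = defaultdict(list)
    for line in lines:
        ts, caller, callee, _ = parse_cdr(line)
        by_callee[callee].append((ts, caller))

    flagged = {}
    for callee, events in by_callee.items():
        events.sort()
        best = (0, 0)
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            best = max(best, (len(span), len({c for _, c in span})))
        if best[0] >= min_attempts and best[1] >= min_callers:
            flagged[callee] = best
    return flagged


def constructed_cdrs():
    """Constructed sample: a 30-call flood against 555-0100 from 10 rotating
    caller IDs in three minutes, plus three ordinary calls to 555-0200."""
    base = datetime(2010, 10, 8, 9, 0, 0)
    lines = [f"{(base + timedelta(seconds=6 * i)).isoformat()},"
             f"212-555-{1000 + i % 10:04d},555-0100,busy" for i in range(30)]
    lines += [f"{(base + timedelta(minutes=20 * i)).isoformat()},"
              f"617-555-2000,555-0200,answered" for i in range(3)]
    return lines
```

Running `find_tdos_targets(constructed_cdrs())` flags only 555-0100, with 30 attempts from 10 distinct callers in the densest window; in practice the thresholds would be tuned to the line's normal call volume.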

Welcome to our brave new world…

VoIP Fraudster Edwin Pena sentenced to 10 years in prison and repayment of $1 million

Monday, September 27th, 2010 by

Bringing closure to a case we’ve been following literally for years since it was first reported way back in June 2006, fraudster Edwin Pena was sentenced last Friday to 10 years in prison and ordered to pay $1 million in restitution. It appears he also won’t be in the US after he serves his time:

In addition to his 120-month prison sentence, Pena was ordered to pay restitution of a little more than $1m. He will also be deported once he completes his time. Pena has already surrendered a large number of luxury items that were purchased using the ill-gotten profits, including a 40-foot motor boat and a 2004 BMW M3.

Back in February 2010, Pena pled guilty and provided some details into what he had done. This previous blog post provides links to additional parts of the story.

Nice to see this finally end…


If you found this post interesting or helpful, please consider either subscribing via RSS or following VOIPSA on Twitter.


Follow VOIPSA on Twitter!

Tuesday, September 14th, 2010 by

If you use Twitter and would like to stay up on the latest news from the VOIPSA blog, one easy way you can do that is to follow us at:

twitter.com/voipsa

We promote any blog posts out to that Twitter account as well as through the usual RSS feed. If you’re on Twitter, please do check us out and follow us. Thanks!

Voice of VOIPSA upgraded to WordPress 3.0.1

Wednesday, August 11th, 2010 by

Just a quick administrivia note – this site is now running the latest and greatest WordPress software at version 3.0.1. In my testing, everything looks perfectly fine, but if you see anything strange on the site in terms of display issues, please do let us know. Thanks – and thanks for continuing to read and comment here.

Blackberries and Lawful Intercept

Wednesday, August 4th, 2010 by

While it is not “VoIP security,” per se, much of the communications market is buzzing this week with news that calls made on Blackberry smartphones can be intercepted by the U.S. government. Many stories have been written, but here’s one:

U.S. authorities able to tap BlackBerry messaging

While many of us in the security community have known that national governments could obtain calls on mobile devices by obtaining a warrant and working with the carrier, the article I linked to mentions the big difference with RIM:

RIM is in an unusual position of having to deal with government requests to monitor its clients because it is the only smartphone maker who manages the traffic of messages sent using its equipment. Other smartphone makers — including Apple Inc, Nokia, HTC and Motorola Corp — leave the work of managing data to the wireless carrier or the customer.

RIM’s encrypted, or scrambled, traffic is delivered through secure servers at its own data centers, based mostly in its home base of Canada. Some corporate clients choose to host BlackBerry servers at other locations.

From the articles I’ve read, the issue seems to be that the United Arab Emirates government is claiming that RIM is not granting it the same surveillance capabilities it grants other governments.

Not having any connection whatsoever to the situation, I can’t really comment on what all is going on… but it does continue to point out the challenges in our globally interconnected world. Here are mobile devices being used wherever… routing their email messages back through servers apparently in Canada… and desired to be read by governments around the world. All sorts of jurisdiction issues … and so much more…



Unified Communications Security Presentation at SpeechTEK NY, Aug 2nd

Thursday, July 15th, 2010 by

If any of you will be at the SpeechTEK conference in New York August 2-4, I’ll be there and giving a presentation on Monday, August 2nd, at 4:15 about Unified Communications security. The panel abstract is:

As applications move into the multichannel and interconnected world, what are the security concerns you need to consider? Aaron Fisher enumerates the best practices for information security with speech applications and the benefits of tuning in a secure environment. Dan York, author of the bestselling book The Seven Deadliest Unified Communication Attacks, will discuss the major risk areas of unified communications, what steps you can take to mitigate/reduce those risks, a checklist of questions to consider in your implementation, and a look at the future in an increasingly interconnected and converged network.

I’ll naturally be covering some of the topics in my book and talking about overall communication security, VoIP security, cloud security, etc. Not sure if I’ll be able to make a recording of it available later, but will do so if I can. If you are going to be at the show, please do say hello. (More info on what I’m doing at the show can be found here.)



Skype encryption partially cracked?

Friday, July 9th, 2010 by

The big news circulating through the Internet right now related to Skype is that someone may have reverse-engineered part of Skype’s encryption. Two posts of note:

The comments on the TechCrunch article are particularly worth reading as a number of security-related folks have jumped into the debate – and the author of the reverse-engineered code has jumped in as well (or someone claiming to be him, anyway).

People have been trying to reverse-engineer Skype’s proprietary encryption algorithms for years… and there have been various presentations at conferences and much data out there. In this case, a developer named Sean O’Neil has made code available that apparently will decrypt one layer of Skype’s encryption.

Now, the code does NOT give you access to actual Skype messages. O’Neil writes in the TechCrunch comments:

Decryption of the RC4 layer gives nothing other than the ability to check CRC-32 of the packets, mere detection of random-looking encrypted packets as Skype. Maybe some firewalls will be able to block it at last.

I interpret that to mean that this code could help differentiate Skype traffic from other network traffic. The value there is really only, as the author says, that tools could be able to block Skype traffic because it could be more easily identified.

O’Neil goes on to say he has reverse-engineered more of Skype’s protocols and will be laying it all out at the Chaos Communication Conference in Berlin in December. We’ll have to see what gets said then…

Our apologies for the minor blip in voipsa.org availability…

Thursday, July 1st, 2010 by

Oops. To make a long story short, the “voipsa.org” domain was set to auto-renew on a credit card that was cancelled between renewals – and email notifications went to an incorrect address. It’s all better now. Life is good…

Sorry about that – and thanks to the multiple people who pinged us about it!

New Book: Seven Deadliest Unified Communications Attacks

Thursday, May 20th, 2010 by

As some readers may already know, Syngress has now published a book I wrote, “Seven Deadliest Unified Communications Attacks” that dives into the threats to communications systems and the strategies to protect your systems. It is part of a series of “Seven Deadliest <topic> Attacks” books that have come out over the past couple of months. (And yes, there are seven books in the series.)

As I explained in this video, my intent was not so much to write a book about “VoIP security” but rather to take a look at a slightly larger level at the overall systems that we are connecting together under the name of “unified communications”. When we have voice, video, instant messaging, presence… coming from multiple different systems and then distributed over the global IP network… how do you secure it all?

The book was really my attempt to put in print form many of the themes we have written about on this site, talked about on the Blue Box Podcast and discussed in the VOIPSEC mailing list.

I do want to thank a couple of people in the VOIPSA circles… as I noted in the Acknowledgements, Dustin D. Trammell was an outstanding technical editor – and Andy Zmolek provided some excellent comments and thoughts. Longtime friend and VOIPSA blog contributor Martyn Davies had some helpful feedback, too, as did Scott Beer over at Ingate Systems.

Anyway, the book is out there… and I’ve put up a companion web site at www.7ducattacks.com where I’ll be listing additional resources, errata, updates, etc. There is also a Facebook page for the book. Feedback is definitely welcome (and yeah, I wouldn’t be opposed if you bought a copy or two ;-) ). I’m doing some interviews and podcasts about the book… if you are interested in interviewing me for your site or show, please contact me.

My hope with the book is that in some small way it can help encourage and spread the discussions we all have been having here… and in the end help our communications systems be a bit more secure. Thanks to all of you who have been reading posts here, commenting on them, participating in VOIPSEC and asking great questions.

P.S. If you are available tomorrow, Friday, May 20th, at 1pm US Eastern time, I’ll be interviewed live on the VoIP Users Conference call. Anyone is welcome to join in, listen, and ask questions.

Want to learn about voice biometrics? Attend Voice Biometrics Conf – May 4-5, 2010 – NY City area

Wednesday, April 28th, 2010 by

Want to learn about how voice biometrics are being used today in real deployments? Want to learn what advances have been made in the technology? Want to find out how people are using it for voice authentication, identification and more?

If so, consider attending the Voice Biometrics Conference taking place next week, May 4th and 5th, in the New York City area. It’s got a packed agenda and a great list of speakers who really represent the leading edge of what people are doing with voice biometrics. (And yes, I’m one of the speakers and yes, my employer Voxeo is one of the sponsors of the event.)

The organizers of the event, Opus Research, have also really tried to focus the event on showing real-world examples of biometrics deployments. Here is a message that organizer Dan Miller sent out yesterday:

The conference agenda is now packed with use cases across many applications, verticals and government functions. Here’s the list from today’s e-mail:

T-Mobile – Deutsche Telekom’s T-Mobile is developing fast authentication to focus on building a better customer experience.

Bell Canada – The largest customer-facing deployment of voice verification with more than two million customers enrolled.

Bank Leumi (Israel) – Will present how it successfully deployed multiple applications for voice-based user authentication for customers and employees.

I DRIVE SAFELY – Hear how the company implemented a voice-based solution for enrolling students in its online drivers’ education program.

Atos Origin – IT services provider Atos Origin incorporates voice authentication into its “Help Desk” and holds promise for multiple applications inside enterprises around the world.

Centrelink – Australian social services agency who deployed a speaker verification system to authenticate access to welfare services.

Federal Government of Mexico – Learn how the federal government of Mexico has implemented a speaker identification program for use in law enforcement.

If you’re looking for a way to network with the people who have lessons to share regarding strategic, tactical, technical, organizational or even social issues that arise as they specify solutions, analyze vendors, define their projects and carry out their plans, attending Voice Biometrics 2010 will be rewarding.

If you can get to the New York area, do check out the event… registration information can be found on the event page. And if you are attending… I’ll see you there!
