Voice of VOIPSA

The unauthorized surveillance and recording of VoIP calls has been discussed time and time again, but what happens when the surveillance of your call is being done at the endpoint by one of the participating parties? What if the surveillance was being done to analyze one of the caller’s stress levels and detect them lying, in real-time?

Apparently, Skype is set to provide a new feature application to it’s customers, the KishKish Lie Detector, which analyzes audio stream data in real-time, supposedly indicating the stress level of the person it’s analyzing. This makes me wonder, what if both parties are analyzing each other? Could mutual suspicions cause an escalating stress readout as each party gets more and more nervous by the indicated stress levels of the other party?

From the KishKish Lie Dectector website:

Voice Stress Analysis (VSA) is a type of lie detector which measures stress in a person’s voice. The use of Voice Stress Analysis (VSA) as a lie detector became popular in the late 1970s and 80s. In the 90s the first Computerized VSA (CVSA) systems came to out to the market. The CVSAT is now the truth verification device of choice in the law enforcement community as the number of law enforcement agencies utilizing the CVSAT continues to grow dramatically, proving the viability of the system for twenty-first century crime detection. The CVSAT is also being utilized by the US Military in the global war on terrorism.

Now KishKish Lie detector offers you a tool to detect the stress level of the person you communicate with over Skype. With the use of KishKish Lie detector you can monitor in real-time the stress level of the person you talked with. This allows you to gage the level of stress and modify your questions in real time. You could also use our KishKish SAM VSA that allows you to record the call and analyze the stress level off-line.

Did I miss the part where law enforcement and Dept. of Homeland Security began interrogating people via Skype? Perhaps the call recording feature could be used by responsible and patriotic citizens when fear-mongered into believing that they could be talking to potential terrorists AT ANY GIVEN MOMENT. Or perhaps I’m giving this way too much thought and people are generally just distrustful of each other and want the data points to back up that gut feeling.

Various “Click to Call” services have begun to emerge recently, bringing with them some very interesting and questionable service behavior. In a nut-shell, Click-to-Call provides a website user with a button that they can click to initiate a voice session with the website or business, such as a customer service department. Most of these types of services work in a similar way with only minor variations; when a user clicks on the click-to-call button or link, the user is asked for their phone number. The “called” party’s phone system or click-to-call provider then essentially initiates a 3-way call, first calling the website user at the number they provided, then once the user answers, connecting that call to the number of the business or website owner. In most cases these sysetms spoof the Caller-ID of the called party toward the user and may or may not spoof the Caller-ID of the user toward the callee.

(more…)

According to an article posted yesterday over on SearchVoIP.com, VoIP security isn’t all that difficult after all, and a lot of the necessary tools and tricks to lock down and secure a voice network are there already. From the article:

“It’s not an add-on,” Kevin Flynn, senior manager of unified communications for Cisco, said about VoIP security. “It’s built into the network already or in the VoIP products themselves.”

According to Flynn, pretty much every facet of VoIP security should already be part of the data network, so finding ways to apply them to VoIP should be a breeze.

“These are things a company ought to be doing anyway,” he said. “They ought to be doing antivirus in the network, access control and IDS. It’s stuff they already own.”

That’s fine when you view the problem entirely from a data network perspective, and from that perspective he’s mostly correct. Unfortunately that’s only viewing half of the problem. It’s true that VoIP is essentially a collection of network applications and as such inherit all of the security issues that come along with the data network, many of which can be addressed as he suggests. What he’s not considering however is that it’s also an extremely complex set of applications in and of itself with many security threats and issues that are extremely specific to what the applications do and how they behave, which cannot be easily addressed by network security and controls alone. (more…)

SpoofCard.com, a company that sells “enhanced” calling cards providing the ever-so-popular Caller-ID spoofing feature, has recently terminated Paris Hilton’s and 50 other customer’s accounts due to said customers abusing the Caller-ID spoofing feature (go figure) to break into other people’s voice-mail accounts, listen to messages, and even change the targeted users’s greetings:

SpoofCard.com confirmed that Paris Hilton was among the terminated customers, and that Lindsay Lohan was among those whose voicemail accounts were broken into. SpoofCard has put software controls on its network so that customers can no longer use its service to break into the voicemail boxes of Miss Lohan or the other victims it has identified.

Not only is this a poor way to address the security issue, it’s not really even addressing the problem; it’s addressing the symptoms, and in an extremely limited way by only blocking access from their customers to a list of specific users’ voice-mail accounts that have already been targeted. In SpoofCard’s defense however, it probably is the best they can do; It really is the cellular carrier’s problem because they allow users to disable the passcode required to access their voice-mail services, which then defaults to using only Caller-ID information to authenticate the user.

It’s pretty telling of the state of user trust in today’s global telephony system when there are so many businesses that have sprung up around what is essentially a lack of integrity of calling-party information that has been introduced into the system by VoIP and the VoIP-to-PSTN interfaces that they feed their information through. There are still VoIP-to-PSTN service providers that will honor Caller-ID information passed to them by their users and forward it into the PSTN, and there are any number of companies like SpoofCard.com that will provide this service for the average, non-technical consumer.

It’s sad that the general populace can really no longer trust the Caller-ID information that shows up on their phone. Telephony service providers, credit card distribution verification services, banks, and other companies need to realize this as well and stop using Caller-ID information to identify or authenticate their users, and really never should have been in the first place.

New Scientist is reporting today that German company Infineon has recently filed for two patents (1,2) for technology that deliberately interferes with VoIP technology.

The application doesn’t expand on why it would be used. But it could conceivably come in handy for any company that operates both phone and internet services and would like to protect their phone business from the growing popularity of VoIP.

The first of the techniques monitors network traffic to identify voice packets, then injects additional “pseudo-packets” into the communications stream. These packets appear to be part of the media stream but in reality contain nothing useful. The device then creates an artificial bottleneck for packets that it earlier labeled as voice, essentially rate-limiting the mix of real voice packets and “pseudo-packets”, while allowing normal data packets to traverse the device unhindered. The real kicker with this method is that then, the “pseudo-packets” can be filtered back out before the voice traffic exits the device, leaving little indication to external troubleshooters as to what is actually causing the media degredation.

The second of the techniques covers methods of degrading speech sent via a WiFi hot spot.

Repeatedly, Skype has claimed that their protocol and service needs to be stealthy because large service providers who provide both Internet services and traditional telephony services see the Skype service as a threat to their telephony business and regularly try to block the Skype traffic. Also recently, multiple other companies have developed and provided VoIP filtering technologies to Chinese service providers.

If these service providers begin to employ techniques like the ones described above against not just Skype traffic but all VoIP traffic, stealthy protocols like Skype’s may have an advantage over standards-based or community developed protocols, and may begin to foster an arms race between proprietary VoIP products and services and the traditional Telcos.

It would seem that Microsoft and Yahoo! have decided to work together and create an inter-operable messaging platform that will support both the Microsoft Live Messenger and Yahoo Instant Messanger clients and protocols, and combining their separate user-bases into one that is close to 350 million users strong, easily eclipsing the 100 million that Skype boasts.

With a clear road map to VoIP services and to adding IM services to mobile phones, both of which Yahoo!’s service already offers via it’s service, as well as the ability to make PC to PSTN calls via Yahoo!’s “Phone Out” service, it’s clear that the target is being drawn squarely on Skype. It will be interesting to see if the security aspect of Skype’s closed product approach or the apparent lack of strong encryption in the Microsoft or Yahoo! protocols (at least in their default configurations) will play any part in the upcoming shootout for subscribers.

The new unified platform is currently in beta and is available for trial.

Could this be the beginning of a new version of CALEA tailored for Internet communications? CNet News is reporting that the FBI is drafting new legislation intended to expand CALEA which will require ISPs to wiretap conversations and force makers of networking gear to provide hardware that can accommodate that capability. This legislation is set to be introduced by Sen. Mike DeWine (R. Ohio).

The 1994 Communications Assistance for Law Enforcement Act (CALEA) was originally drafted to apply to traditional telephony equipment and services and has since been viewed by figureheads in the Internet Telephony industry as inadequate or difficult to apply to Internet-based communications. This new legislation could potentially address those issues, however it may also eliminate safeguards that the original legislation provided.

The article published by CNet identifies four major points from the report. First, network infrastructure manufacturers will be required to upgrade their equipment to support Internet wiretapping. Second, law enforcement will have the ability to expand the reach of wiretapping beyond VoIP to other Internet communications such as Instant Messaging. Third, ISPs will have to monitor customer’s network traffic to identify only VoIP calls, and fourth, the legislation would eliminate the current CALEA requirement that the Justice Department must annually publish a public notice of the number of communication interceptions that have taken place.

Apparenly removing the email component and adding war-dialers to the mix warrants a new term for VoIP-enabled phishing, now called “vishing.” Secure Computing is reporting a new type of phishing attempt which utilizes war-dialers armed with pre-recorded messages replacing the use of e-mail lure and tackle. By calling unsuspecting people rather than emailing them, the attackers hope to elicit a better response to the seemingly more legitimate lure. You can read more in an article from the IT-Observer here.

The Register is reporting on a recent phishing scam targeted specifically at customers of the Santa Barbara Bank & Trust in Southern California. It’s of the variety making use of an IP PBX subscribed to a VoIP to PSTN service so that they can obtain a valid-looking DID number in Southern California. The targets of the scam are initially sent an official looking email asking them to call into the bank at the aforementioned DID number, where they are greeted with an automated voice system requesting that they enter their account number and other personal information.

Net security firm Websense notes that the recorded message does not mention the Santa Barbara Bank & Trust, a sign that the same phone line is potentially being lined up for fraudulent attacks targeting the customers of other online banks or ecommerce firms.

These types of attacks don’t require VoIP technologies to perform or succeed, however the low-cost and relatively easy procurement of both the consumer hardware, software, and VoIP service providing the indial are beginning to make this type of phishing attack much more prevalent.

In an interestingly eerie parallel to a discussion that has recently cropped up on the VoIPSec forum regarding peer-entity authentication vs. data-origin authentication, Skype announced yesterday that it intends to address the issue of user-identification within their VoIP service.

Part of Skype’s “wish list” for further expansion into the business market is to enhance username authentication for business customers, the voice over Internet Protocol company said Wednesday.

Skype’s system currently automatically authenticates users itself, based on certificates from it’s own encrypted Public Key Infrastructure (PKI). Because it does this automatically and transparently to the user, the users themselves have no way of authenticating the identity of the person they are communicating with.

“Skype is a public key infrastructure, which means nothing if you don’t know who you are identifying at the other end,” Sauer said.

You can read more detail at News.com.com.