Author Archive

Phishing with a VoIP Net

Friday, June 30th, 2006 by Dustin D. Trammell

The Register is reporting on a recent phishing scam targeted specifically at customers of the Santa Barbara Bank & Trust in Southern California. It’s of the variety making use of an IP PBX subscribed to a VoIP to PSTN service so that they can obtain a valid-looking DID number in Southern California. The targets of the scam are initially sent an official looking email asking them to call into the bank at the aforementioned DID number, where they are greeted with an automated voice system requesting that they enter their account number and other personal information.

Net security firm Websense notes that the recorded message does not mention the Santa Barbara Bank & Trust, a sign that the same phone line is potentially being lined up for fraudulent attacks targeting the customers of other online banks or ecommerce firms.

These types of attacks don’t require VoIP technologies to perform or succeed; however, the low cost and relatively easy procurement of the consumer hardware, software, and VoIP service that provide the indial are beginning to make this type of phishing attack much more prevalent.

Skype to Address User-Identification Concerns

Thursday, June 22nd, 2006 by Dustin D. Trammell

In an interestingly eerie parallel to a discussion that has recently cropped up on the VoIPSec forum regarding peer-entity authentication vs. data-origin authentication, Skype announced yesterday that it intends to address the issue of user-identification within their VoIP service.

Part of Skype’s “wish list” for further expansion into the business market is to enhance username authentication for business customers, the voice over Internet Protocol company said Wednesday.

Skype’s system currently authenticates users itself, automatically, based on certificates from its own encrypted Public Key Infrastructure (PKI). Because it does this automatically and transparently to the user, the users themselves have no way of authenticating the identity of the person they are communicating with.

“Skype is a public key infrastructure, which means nothing if you don’t know who you are identifying at the other end,” Sauer said.

You can read more detail at News.com.com.

Asterisk & IAX Client Library Buffer Overflow Advisories

Tuesday, June 13th, 2006 by Dustin D. Trammell

Core Security released two advisories on the 9th (1, 2) covering buffer overflow vulnerabilities related to short UDP packets in two vulnerable applications: the Asterisk Open Source IPBX, and applications making use of the IAX client library, which provides an IAX/IAX2 protocol stack for third-party applications. Both vulnerabilities center around the IAX2 protocol and truncated UDP frames.
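To illustrate the bug class the advisories describe (a parser that reads IAX2 header fields from a UDP datagram shorter than the header), here is an added example of a length-checked IAX2 full-frame header parser. It is not Asterisk or IAX client library code and does not reproduce the specific defects in the advisories; the sample datagram is constructed, and the header layout follows the IAX2 full-frame format (2-byte source call number with F bit, 2-byte destination call number with R bit, 4-byte timestamp, outbound/inbound sequence numbers, frame type, subclass).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wire size of the fixed IAX2 "full frame" header. */
#define IAX2_FULL_HDR_LEN 12

typedef struct {
    uint16_t src_call;     /* 15-bit source call number */
    int      retrans;      /* R (retransmission) bit */
    uint16_t dst_call;     /* 15-bit destination call number */
    uint32_t timestamp;
    uint8_t  oseqno, iseqno, type, subclass; /* subclass kept raw, C bit included */
    size_t   payload_len;
    const uint8_t *payload;
} iax2_full_frame;

/* Parse one UDP datagram as an IAX2 full frame.
 * Returns 1 on success, 0 for a truncated datagram or a mini frame.
 * The length check comes BEFORE any header byte is read: the bug class
 * above arises when a parser touches buf[..11] on a datagram shorter
 * than the header, reading past the end of the received data. */
int iax2_parse_full_frame(const uint8_t *buf, size_t len, iax2_full_frame *out)
{
    if (buf == NULL || out == NULL) return 0;
    if (len < IAX2_FULL_HDR_LEN) return 0;   /* truncated frame: reject, read nothing */
    uint16_t w0 = (uint16_t)((buf[0] << 8) | buf[1]);
    if (!(w0 & 0x8000)) return 0;            /* F bit clear: mini frame, not handled here */
    uint16_t w1 = (uint16_t)((buf[2] << 8) | buf[3]);
    memset(out, 0, sizeof *out);
    out->src_call  = w0 & 0x7FFF;
    out->retrans   = (w1 & 0x8000) != 0;
    out->dst_call  = w1 & 0x7FFF;
    out->timestamp = ((uint32_t)buf[4] << 24) | ((uint32_t)buf[5] << 16) |
                     ((uint32_t)buf[6] << 8)  |  (uint32_t)buf[7];
    out->oseqno = buf[8];  out->iseqno   = buf[9];
    out->type   = buf[10]; out->subclass = buf[11];
    out->payload_len = len - IAX2_FULL_HDR_LEN;
    out->payload     = buf + IAX2_FULL_HDR_LEN;
    return 1;
}

/* Constructed sample: full frame, src call 1, dst call 2, timestamp 16,
 * type 6 (IAX control), subclass 1, followed by a 2-byte payload. */
static const uint8_t kSampleFrame[14] = {0x80,0x01, 0x00,0x02, 0,0,0,0x10,
                                         0,0, 6, 1, 0xAA,0xBB};

int main(void)
{
    iax2_full_frame f;
    printf("full datagram: %d\n", iax2_parse_full_frame(kSampleFrame, 14, &f)); /* 1 */
    printf("truncated:     %d\n", iax2_parse_full_frame(kSampleFrame, 7, &f));  /* 0 */
    return 0;
}
```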

A press release from yesterday which summarizes the advisories from Core can be found here.

Updated software releases and/or patches have been released, which are the same patches that David Endler posted about earlier this week.

VoIP providers must adhere to CALEA by May 14

Tuesday, June 13th, 2006 by Dustin D. Trammell

One of the current hot-button issues in the VoIP security industry is the argument between end-to-end media encryption and hop-by-hop media encryption. The folks on the hop-by-hop side of the argument have been making the case that end-to-end media encryption schemes like ZRTP are just not feasible for use in a business environment, due to the requirement that law enforcement be able to lawfully intercept or wiretap VoIP calls, as is similarly required of traditional telephony providers by the Communications Assistance for Law Enforcement Act (CALEA). It seems that a recent court ruling may have just backed those folks’ argument. ComputerWorld has coverage of the ruling. From the article:

“The U.S. Court of Appeals for the District of Columbia upheld the FCC’s August 2004 ruling saying interconnected VoIP providers must allow wiretapping by May 14, 2007.”

“The FCC ruling requires VoIP providers that offer a substitute service for traditional telephone service to comply with a 1994 telephone wiretapping law called the Communications Assistance for Law Enforcement Act (CALEA). The U.S. Department of Justice and the FBI, in requesting the ruling, argued that their surveillance efforts are “compromised” without CALEA rules for VoIP.”

Thanks to Brian Honan for sending the referenced article to the VoIPSec e-mail forum.

Nintendo Files “Messaging Service” Patent

Friday, June 9th, 2006 by Dustin D. Trammell

A patent filed by Nintendo for a “messaging service” in the US was discovered yesterday, which may provide clues into what Nintendo may be up to with VoIP and messaging systems between their gaming consoles. The patent describes an IM type environment using presence information and user activity information, such as which game the user is currently playing. IGN writes: “Will we be sending messages and chatting during games of Bonk’s Adventure? Or more impressively, does this mean a DS user on the go could text- or voice-chat with a friend at home playing Wii? What about DS-to-DS communication? Nintendo seems to have wide ambitions here, and the possibilities are striking.” As with most new VoIP implementations the security implications should be interesting, especially considering that the Wii when connected to broadband Internet service will be “always on.”