Author Archive

VoIP Security: Not all that difficult?

Friday, November 10th, 2006 by

According to an article posted yesterday over on SearchVoIP.com, VoIP security isn’t all that difficult after all, and a lot of the necessary tools and tricks to lock down and secure a voice network are there already. From the article:

“It’s not an add-on,” Kevin Flynn, senior manager of unified communications for Cisco, said about VoIP security. “It’s built into the network already or in the VoIP products themselves.”

According to Flynn, pretty much every facet of VoIP security should already be part of the data network, so finding ways to apply them to VoIP should be a breeze.

“These are things a company ought to be doing anyway,” he said. “They ought to be doing antivirus in the network, access control and IDS. It’s stuff they already own.”

That’s fine when you view the problem entirely from a data network perspective, and from that perspective he’s mostly correct. Unfortunately, that’s only viewing half of the problem. It’s true that VoIP is essentially a collection of network applications and as such inherits all of the security issues that come along with the data network, many of which can be addressed as he suggests. What he’s not considering, however, is that it’s also an extremely complex set of applications in and of itself, with many security threats and issues that are extremely specific to what the applications do and how they behave, and that cannot be easily addressed by network security and controls alone.

Paris Hilton, hacker extraordinaire?

Monday, August 28th, 2006 by

SpoofCard.com, a company that sells “enhanced” calling cards providing the ever-so-popular Caller-ID spoofing feature, has recently terminated the accounts of Paris Hilton and 50 other customers because those customers abused the Caller-ID spoofing feature (go figure) to break into other people’s voice-mail accounts, listen to messages, and even change the targeted users’ greetings:

SpoofCard.com confirmed that Paris Hilton was among the terminated customers, and that Lindsay Lohan was among those whose voicemail accounts were broken into. SpoofCard has put software controls on its network so that customers can no longer use its service to break into the voicemail boxes of Miss Lohan or the other victims it has identified.

Not only is this a poor way to address the security issue, it’s not really even addressing the problem; it’s addressing the symptoms, and in an extremely limited way, by only blocking access from their customers to a list of specific users’ voice-mail accounts that have already been targeted. In SpoofCard’s defense, however, it probably is the best they can do; it really is the cellular carriers’ problem, because they allow users to disable the passcode required to access their voice-mail services, which then defaults to using only Caller-ID information to authenticate the user.

It’s pretty telling of the state of user trust in today’s global telephony system when there are so many businesses that have sprung up around what is essentially a lack of integrity of calling-party information that has been introduced into the system by VoIP and the VoIP-to-PSTN interfaces that they feed their information through. There are still VoIP-to-PSTN service providers that will honor Caller-ID information passed to them by their users and forward it into the PSTN, and there are any number of companies like SpoofCard.com that will provide this service for the average, non-technical consumer.

It’s sad that the general populace can really no longer trust the Caller-ID information that shows up on their phone. Telephony service providers, credit card distribution verification services, banks, and other companies need to realize this as well and stop using Caller-ID information to identify or authenticate their users; they really never should have been doing so in the first place.

Traditional Telco vs. VoIP Arms Race Beginning?

Monday, July 31st, 2006 by

New Scientist is reporting today that German company Infineon has recently filed for two patents (1,2) for technology that deliberately interferes with VoIP technology.

The application doesn’t expand on why it would be used. But it could conceivably come in handy for any company that operates both phone and internet services and would like to protect their phone business from the growing popularity of VoIP.

The first of the techniques monitors network traffic to identify voice packets, then injects additional “pseudo-packets” into the communications stream. These packets appear to be part of the media stream but in reality contain nothing useful. The device then creates an artificial bottleneck for packets that it earlier labeled as voice, essentially rate-limiting the mix of real voice packets and “pseudo-packets”, while allowing normal data packets to traverse the device unhindered. The real kicker with this method is that the “pseudo-packets” can then be filtered back out before the voice traffic exits the device, leaving little indication to external troubleshooters as to what is actually causing the media degradation.

The second of the techniques covers methods of degrading speech sent via a WiFi hot spot.

Skype has repeatedly claimed that its protocol and service need to be stealthy because large service providers that provide both Internet services and traditional telephony services see the Skype service as a threat to their telephony business and regularly try to block Skype traffic. Recently, multiple other companies have also developed and provided VoIP filtering technologies to Chinese service providers.

If these service providers begin to employ techniques like the ones described above against not just Skype traffic but all VoIP traffic, stealthy protocols like Skype’s may have an advantage over standards-based or community developed protocols, and may begin to foster an arms race between proprietary VoIP products and services and the traditional Telcos.

Microsoft + Yahoo! == 350 Million New VoIP Users?

Monday, July 17th, 2006 by

It would seem that Microsoft and Yahoo! have decided to work together and create an interoperable messaging platform that will support both the Microsoft Live Messenger and Yahoo Instant Messenger clients and protocols, combining their separate user bases into one that is close to 350 million users strong, easily eclipsing the 100 million that Skype boasts.

With a clear road map to VoIP services and to adding IM services to mobile phones, both of which Yahoo! already offers via its service, as well as the ability to make PC-to-PSTN calls via Yahoo!’s “Phone Out” service, it’s clear that the target is being drawn squarely on Skype. It will be interesting to see if the security aspect of Skype’s closed product approach or the apparent lack of strong encryption in the Microsoft or Yahoo! protocols (at least in their default configurations) will play any part in the upcoming shootout for subscribers.

The new unified platform is currently in beta and is available for trial.

FBI Drafting CALEA VoIP Expansion Legislation

Wednesday, July 12th, 2006 by

Could this be the beginning of a new version of CALEA tailored for Internet communications? CNet News is reporting that the FBI is drafting new legislation intended to expand CALEA which will require ISPs to wiretap conversations and force makers of networking gear to provide hardware that can accommodate that capability. This legislation is set to be introduced by Sen. Mike DeWine (R. Ohio).

The 1994 Communications Assistance for Law Enforcement Act (CALEA) was originally drafted to apply to traditional telephony equipment and services and has since been viewed by figureheads in the Internet Telephony industry as inadequate or difficult to apply to Internet-based communications. This new legislation could potentially address those issues, however it may also eliminate safeguards that the original legislation provided.

The article published by CNet identifies four major points from the report. First, network infrastructure manufacturers will be required to upgrade their equipment to support Internet wiretapping. Second, law enforcement will have the ability to expand the reach of wiretapping beyond VoIP to other Internet communications such as Instant Messaging. Third, ISPs will have to monitor customers’ network traffic to identify only VoIP calls. Fourth, the legislation would eliminate the current CALEA requirement that the Justice Department must annually publish a public notice of the number of communication interceptions that have taken place.

“Vishing” with war-dialers?

Monday, July 10th, 2006 by

Apparently, removing the email component and adding war-dialers to the mix warrants a new term for VoIP-enabled phishing, now called “vishing.” Secure Computing is reporting a new type of phishing attempt which uses war-dialers armed with pre-recorded messages in place of the e-mail lure and tackle. By calling unsuspecting people rather than emailing them, the attackers hope to elicit a better response to the seemingly more legitimate lure. You can read more in an article from the IT-Observer here.

Phishing with a VoIP Net

Friday, June 30th, 2006 by

The Register is reporting on a recent phishing scam targeted specifically at customers of the Santa Barbara Bank & Trust in Southern California. It’s of the variety that makes use of an IP PBX subscribed to a VoIP-to-PSTN service so that the attackers can obtain a valid-looking DID number in Southern California. The targets of the scam are initially sent an official-looking email asking them to call into the bank at the aforementioned DID number, where they are greeted with an automated voice system requesting that they enter their account number and other personal information.

Net security firm Websense notes that the recorded message does not mention the Santa Barbara Bank & Trust, a sign that the same phone line is potentially being lined up for fraudulent attacks targeting the customers of other online banks or ecommerce firms.

These types of attacks don’t require VoIP technologies to perform or succeed; however, the low cost and relatively easy procurement of the consumer hardware, the software, and the VoIP service providing the indial are beginning to make this type of phishing attack much more prevalent.

Skype to Address User-Identification Concerns

Thursday, June 22nd, 2006 by

In an interestingly eerie parallel to a discussion that has recently cropped up on the VoIPSec forum regarding peer-entity authentication vs. data-origin authentication, Skype announced yesterday that it intends to address the issue of user-identification within their VoIP service.

Part of Skype’s “wish list” for further expansion into the business market is to enhance username authentication for business customers, the voice over Internet Protocol company said Wednesday.

Skype’s system currently authenticates users automatically, based on certificates from its own encrypted Public Key Infrastructure (PKI). Because it does this automatically and transparently to the user, the users themselves have no way of authenticating the identity of the person they are communicating with.

“Skype is a public key infrastructure, which means nothing if you don’t know who you are identifying at the other end,” Sauer said.

You can read more detail at News.com.com.

Asterisk & IAX Client Library Buffer Overflow Advisories

Tuesday, June 13th, 2006 by

Core Security released two advisories on the 9th (1, 2) covering buffer overflow vulnerabilities related to short UDP packets in two vulnerable applications, the Asterisk Open Source IPBX, and applications making use of the IAX client library which provides an IAX/IAX2 protocol stack for 3rd party applications. Both vulnerabilities center around the IAX2 protocol and truncated UDP frames.

A press release from yesterday which summarizes the advisories from Core can be found here.

Updated software releases and/or patches have been released, which are the same patches that David Endler posted about earlier this week.

VoIP providers must adhere to CALEA by May 14

Tuesday, June 13th, 2006 by

One of the current hot-button issues in the VoIP security industry is the argument between end-to-end media encryption and hop-by-hop media encryption. The folks on the hop-by-hop side of the argument have been making the case that end-to-end media encryption schemes like ZRTP are just not feasible for use in a business environment, due to the requirement for law enforcement to be able to lawfully intercept or wiretap VoIP calls, as is similarly required by the Communications Assistance for Law Enforcement Act (CALEA) for traditional telephony providers. It seems that a recent court ruling may have just backed those folks’ argument. ComputerWorld has coverage of the ruling. From the article:

“The U.S. Court of Appeals for the District of Columbia upheld the FCC’s August 2004 ruling saying interconnected VoIP providers must allow wiretapping by May 14, 2007.”

“The FCC ruling requires VoIP providers that offer a substitute service for traditional telephone service to comply with a 1994 telephone wiretapping law called the Communications Assistance for Law Enforcement Act (CALEA). The U.S. Department of Justice and the FBI, in requesting the ruling, argued that their surveillance efforts are “compromised” without CALEA rules for VoIP.”

Thanks to Brian Honan for sending the referenced article to the VoIPSec e-mail forum.