Author Archives: Martyn Davies

About Martyn Davies

Martyn is Principal Consultant for Weird Crater, a telecom and software consultancy.

Security: A Question of Balance

According to Silicon.com, Ivan Krstić, Director of Security Architecture for the One Laptop Per Child project, used a keynote speech at AusCERT 2007 to criticize the architecture of modern operating systems, which allow every application to run with maximum access rights to the machine.

This is of course a topic that exercises many security managers these days, since there are so many things that a multimedia PC can do today, including playing, recording and editing music & video; creating and editing images and text; phoning, instant messaging and video calling. What is more there are vast numbers of applications that can be rapidly bought and downloaded from the Internet, giving near instant on-demand installation of nearly any type of application. For convenience, most users run in administrator mode all the time, as it avoids answering pesky questions when we want to install and gratify our need for new software.

Many VoIP users run softphones on their PCs. Softphones are cheap, and can be extremely convenient to use. They also create new possibilities, like being able to record calls or teleconferences without spending a lot of money on recording hardware and software. From a security point-of-view, of course, this is a risk, since the softphone can control all the facilities of your PC, has access to the disk drive, and could potentially record audio, or perhaps even all LAN traffic, without you knowing. From a LAN architectural point of view, some experts say that you should use VLANs, so that VoIP phone handsets and PCs cannot interact with each others’ traffic. This would avoid a PC being able to initiate SIP calls (if, say, a malicious user wanted to run some SIP scanning software on a machine), but if you want the convenience of running softphones, then the PCs must be able to make SIP calls, so really VLANs are out.

So once again it really comes down to security versus convenience. We can lock down PCs completely and make them “safe”, but then you could argue that users will be less productive, if the IS department must get involved whenever any new thing will be installed. At the other end of the scale, letting users install everything they want, from wherever, whenever they feel like it, is a recipe for a security disaster. It’s a balance, and that is one of the reasons that security is a difficult area.

To talk about the One Laptop Per Child project for a moment, this is an effort to build a $100 laptop (the XO) that can be made in the millions to provide to school children everywhere. If you haven’t heard of this before, I strongly recommend that you watch the video from TED 2006 where Nicholas Negroponte explains what they are trying to do. A very worthwhile project and this video is 18 minutes of gold dust. Describing one of their pilot projects in a remote village Cambodia, Negroponte says of the children with their laptops: “They only know Skype, they’ve never heard of telephony.”

How to be a Spook

MI5, the UK’s Security Service, wants more geeks, according to The Daily Telegraph, and will be advertising on the Tube (London Underground) in the next few weeks to try to boost recruitment. Would be’s imagining the life of James Bond, Harry Palmer or really even Austin Powers need not apply, though, since they are most likely in MI6 anyway.  The job-in-hand here is intelligence analysis, lawful interception in foreign languages and network security.  Their online jobs page can be found here.

It’s only a few years ago that MI5 were first allowed to openly advertise jobs (which makes you wonder what the recruitment process was before), but now they have a pretty nice website, which makes it much easier to see what the whole setup is about.

Skype with a ‘Z’

IP Softphone specialists CounterPath recently announced that they will license Phil Zimmermann’s ZRTP (Zfone) technology for use in their client products, namely eyeBeam and X-Lite, joining other publicly announced licencees Borderware, PGP Corp, Ripcord and TiVi.

As you may know, ZRTP has done very well in terms of acceptance in the last few months. Zimmermann has many friends in the security community, but also has great credentials in the open source world. ZRTP is an openly published protocol, but also is available as source code, thereby making it possible to test in all kinds of ways, not only closed-box (black box) testing but also in terms of working through the algorithm and even unit testing the code.

At the recent IETF meeting, methods of key exchange were discussed, as subscribers to the Voipsec list (from the VOIPSA site) cannot have failed to miss. The IETF have gone from a list of thirteen proposals down to a final two, and ZRTP is one of those, despite being considered by some as a latecomer.  Many organizations and people that I have come across trust in Zimmermann and believe that ZRTP is the answer.

If we go to the opposite end of the trust scale, we find Skype.  Poor old Skype are still getting weekly batterings from press critics on the security front.  A lot of the same criticisms are brought up time and time again, and in fairness Skype have countered a lot of the concerns, by allowing features to be switched off, changes to the package and so on.  We don’t need to rehearse all those issues here once again.

However, the issues that keep coming up, and which Skype have not argued away are those of security by obscurity and the secrecy of the protocols they use for encryption and key exchange. Famously, Skype hired security expert Tom Berson to write a report based on a long evaluation of Skype’s security provisions, but most academics still desire transparency, and the ability to evaluate the algorithms for themselves.

Academics and commercial security experts both say that simply using a secret algorithm is no guarantee of safety. Furthermore, the fact that it is secret merely means that when someone does compromise Skype, the detection and mitigation of the problem will be slowed down or prevented. Skype at that point becomes a dangerous ‘bot’ sitting behind thousands of firewalls.

What better time, then, for Skype to embrace ZRTP? Licensing ZRTP can hardly be a problem for Skype and its Ebay parent, and there is so much to gain from this. A large community of security and VoIP specialists already believe in ZRTP; the IETF likes it; commercial acceptance exists in licencees in the Softphone and Session Border Controller market. IT Managers, I’m sure, would be happier with Skype usage in the workplace if they were allowed to detect and control it, and (who knows with key escrow) in some way to log and record from it.

Come on, Skype, grab the nettle. The tools are in your hands to silence your critics.

Gold on VoIP Security

Over on his blog Steve Gold laments the lack of focus on VoIP Security at the recent VoIP for Business event in London, and also talks about the failure of Ofcom (the Office of Communications in the UK) to take on the issue in their recently published VoIP service provider regulations. 

For those that don’t know the name, Gold is a security consultant of some pedigree: he was famously prosecuted by the UK government back in the 1980’s for compromising accounts in the Prestel system, a videotex system that was one of the world’s first online networks.  The failure of this prosecution led to the drafting of the Computer Misuse Act in the UK.

New Hacking for Traditional Networks

I was intrigued by a talk advertised for the upcoming Black Hat Europe 2007 conference about hacking SS7.  Philippe Langlois will talk about SCTPscan – Finding entry points to SS7 Networks & Telecommunication Backbones, and as he says:

“SCTP is the protocol used to carry all telecom signalling information on IP according to the SIGTRAN protocol suite. It’s the foundation, as TCP is the foundation for the web and email.”

SS7 has been largely a secret world, a private network of networks for signaling voice calls across all the world’s cellcos and telcos.  In traditional SS7, all the links are achieved with T1 or E1 pipes, and there’s no opportunity to get access to this signalling backbone. 

However, SIGTRAN effectively uses an IP network as a transport system for signalling, doing away with the need for T1/E1 links and specialized hardware.  SCTP is a protocol that is used instead of TCP or UDP for this purpose.  So from a hacker point of view, SCTP is a pipe that can be exploited and scanned in order to get access to telco resources.

Increasingly, with NGNs being interconnected with traditional networks, tools like SIGTRAN will be used to allow different IP architectures to co-exist, so as Langlois implies, a hacker can write special tools that spoof higher protocol layers like M3UA, ISUP and TCAP to explore or interfere with the operation of SS7.  This is a potential danger because normally a high degree of trust exists between different SS7 network operators, and when they interconnect they do so in the understanding that each party will “behave nicely”.

In the Internet world, of course, there is no guarantee of “niceness”, and SIGTRAN links need to be locked down with tools like firewalls.  In an ideal world, SCTP would be only protocol allowed through on SIGTRAN links, and furthermore each party should have checks on the source addresses that are allowed to send messages and interact with SS7 service elements.  You would normally expect that SIGTRAN links (into SS7 backbones) could not be accessed or routed to from anywhere on the public network, but of course routing and Ethernet switching errors can occur, accidentally connecting segments that should not be.

However, SS7 has some advantages on its side in this war.  Firstly, it is a complex set of protocols, and most hackers will not have any “hands-on” experience that will help them find weaknesses in the network.  Also, SS7 networks in practice use a system called global title addressing, which means that co-operating networks can use each others’ services without needing to know the internal construction of the network.  This will work to defeat outsiders from understanding how a network is put together.

Whatever the pros and cons, we should not be complacent, and I’m sure the traditional telcos will not be, since money is at stake. We can be sure in the Internet that anything that can be hacked, someone will try to hack it.  

 

Combatting Voice SPAM with VoIP SEAL

One of the highlights of 3GSM Barcelona for me was visiting NEC at their stand, and to see their demonstrations in action. There was some discussion in the VoIP and security space over the last weeks about a server technology called VoIP SEAL that NEC were to demonstrate at the show, and I was keen to see this in action. VoIP SEAL is a system that attempts to defend a VoIP system against VoIP SPAM or SPIT (SPAM over Internet Telephony).

Luckily, at the time I visited the stand, Saverio Niccolini of NEC was there. Saverio is a prominent researcher for NEC, and was a speaker at the 3rd Annual VoIP Security Workshop last year, which I attended and wrote about here. It was great to meet up with Saverio, and he showed me the VoIP SEAL demo himself.

To briefly summarize the system, VoIP SEAL combines a number of different techniques to detect a suspicious VoIP call. Each module does a test and produces a score or index, and at the end the indices are weighted and combined to give an overall score that measures how ‘dangerous’ a call might be. For example, there are modules that can apply blacklist or whitelist logic; measure SIP INVITE rates; test reputation or check that different SIP URIs are not coming from the same IP address. So, each module is dedicated to measuring for a particular exploit or security aspect, and they can be combined in different ways, with different weights.

An interesting part of VoIP SEAL is that it can apply tests in two phases: firstly before answering the call and then after picking up. In the first phase, the ‘suspiciousness level’ of a call can be assessed, and if the level is low, the second phase can be skipped, simply connecting the call to the recipient. However, if the level passes a configured threshold, the call is diverted to a specialized answer machine that can apply further tests. Having this two-phase approach helps to minimize false positives, where genuine human callers get trapped in the system and can’t get through.

In phase 2, VoIP SEAL can measure the speech energy when a greeting or outgoing message is being played. For a genuine human caller, this energy should be low, as humans tend to listen rather than talk over greetings. A bot or SPAM application will behave differently, perhaps starting to stream audio continuously as soon as the media channel is available. There are more sophisticated audio CAPTCHA tests (Turing Tests) that can also be applied to attempt to tell the difference between a human and a bot. If the call is considered suspicious, it can just be allowed to play its message into a voicemail SPAM queue, and perhaps this queue would be periodically reviewed by an administrator to make sure that the VoIP SEAL was working effectively and not trapping too many real human callers.

If you want to hear more about VoIP SEAL, I recorded an interview with Saverio where he explains it in more detail. This interview will be coming up in a future edition of the Bluebox Podcast, run by two of our VOIPSA Chairs, Dan York and Jonathan Zar.

IPTComm Call for Papers

In June last year, I attended the 3rd VoIP Security Workshop in Berlin and wrote about some of it here.  It seems there is now a successor conference (although not with the same name) to be held at Columbia University in New York in July, organized by the same committee.

The scope is broader this year, encompassing not only VoIP Security, but a range of IP and NGN related topics.  They have just published a call for papers, so please take a look at the IPTComm site here.  I’m sure it will be a stimulating event, as the last one was.

 

Lawful Intercept and Crocodile Clips

Those interested in the topic of Lawful Intercept (LI) and CALEA might be interested in a new blog over on the TMC site.  Scott Coleman of SS8 is writing a new column called Demystifying Lawful Intercept and CALEA.  The cunningly-named SS8 market a number of products including LI solutions. And no, LI is not done with crocodile clips.

Learning to Distrust Steve

In a recent Rich Tehrani blog entry, he touched on the subject of a type of email phishing attack termed Spear Phishing.  For those that have not heard the term before, Rich describes it:

“In a recent US example, a phisher bluffed his way into the network of a port authority by spoofing an internal email address. Once on the inside, with an apparently genuine email identity, he was able to fool employees into revealing passwords for applications.

This sort of attack has been termed ‘spear’ phishing, designed to bamboozle unsuspecting ‘colleagues’ into revealing information that will give the perpetrator access into secure areas of corporate networks. “

This type of attack is possible because many email services either don’t insist on any kind of authentication, or because they do not look the ‘from’ email address you specify and check that it is consistent with your actual service-provided email address.  This is one of the weaknesses of today’s email system that makes life so easy for spammers.

Unfortunately, Spear Phishing also applies to VoIP, since in many cases VoIP services can be fooled into using and displaying a false caller ID number.  So you can imagine the scenario:  You are sitting at your office desk, and a call comes in to your desk phone.  The number on the display is 400, and that this is the extension you normally call to reach the IT help desk.  It’s definitely not an ‘outside’ number.  You pick-up and although you didn’t know that the IT help desk now has a technician called ‘Steve’, perhaps if he knows one other bit of corroborating information, this will be enough to make to accept that he is bona fide.  In the conversation that follows, he might tell you that Mike from Sales called him, can you tell him where Mike is?  Of course, if he knows that Mike sits near you, you might be tempted to believe that Steve is for real.  Bingo.  Now maybe you’re ready to tell him something secret?

Of course this kind of confidence trick is nothing new, but just using new tools to achieve the same goal.  The defence?  Well if you have the slightest doubt of someone’s veracity, you could offer to call them back, and do not use any information they have given you to do it.  For example, call someone else you know in the help desk, and ask them about ‘Steve’.  “Steve who?”