Over on VoIP News there’s a piece about some of the VoIP threats and possible responses to them. John Edwards talks about Denial of Service; Toll Fraud; VoIP Spam and Phishing.
Author Archives: Martyn Davies
Voice SPAM – the Fightback Begins
Voice SPAM is increasingly a problem, as the cost of making calls gets lower and lower in real terms. I was interested to see that GrandCentral are taking steps to block Voice SPAM for their customers. If you haven’t come across GrandCentral yet, they have an interesting product offering that alows you to have one telephone number from them, and have a single voicemail system and the ability to have inbound calls follow you to whatever fixed or mobile devices you are using at any moment. They also have a lot of advanced features like color ringback (CRBT), call screening, and control via a web interface.Â
We’ve talked here before about caller ID spoofing, i.e. that using various services you can lie about your source telephone number. GrandCentral say on their blog that they know the caller’s number even if the caller ID is not displayed: I presume this means they’re using some good, old-fashioned SS7 signalling technology (rather than IP and SIP). It will be interesting to see if a blacklisting approach works in the long term, since in the future spammers using VoIP technology to initiate SPAM will not be connected directly to today’s digital telephone networks, but instead will be using some kind of gateway to cross from VoIP to traditional networks. Presumably once such a VoIP gateway gets blacklisted, the spammers will simply move to the next gateway with a change of IP address.
Â
Building a VoIP Network
Dean Elwood, one of the founders of voipuser.org (a free VoIP service provider and online magazine) recently wrote an interesting article called “How To Build A Voip Network: 7 rules for the VoIP entrepreneur in 2007.“ It’s a great read from someone with experience of creating value from a VoIP service, rather than the usual marketing “talking head”. It also raises some interesting VoIP security questions, including Session Border Controllers, Lawful Intercept, Denial of Service and confidentiality.
Tell Me Your PIN, So I Can Go Shopping
Martin Geddes of at Telepocalypse raises an interesting point that has bothered me also, which comes back to the security of phones, and the ability for hackers to pass themselves off as legitimate organisations, such as your own bank. Today, the problem is that there is no way an inbound call can ever be secure, because any Caller ID number you receive could be faked, and many outbound call centres withhold the number anyway. Also, with technology like Asterisk servers and IVRs with synthesized speech, it is quite possible to build a reasonable facsimile of your bank at a very low cost.
I have a card that I usually service online, and it is very rare that I ever need to call-up one of the call centres to speak to anyone. So recently when I received a call out-of-the-blue on my cellphone, I was surprised to be addressed by a synthesized voice. Knowing, as I do, that such things can cheaply be rigged-up using a regular PC (and perhaps Asterisk), I was not inclined to trust the call, or enter any of the bank security details it was asking for. I hung up on it, whereupon it called back a number of times before I drove into a GSM blackspot, which for the purposes of this discussion we can call Vermont. The repeated calls did nothing to reduce my suspicions.
Like Martin Geddes, when (a couple of days later) I did finally call the number suggested in the synthesized announcement, the operator I spoke to wanted to take security details from me. I explained, as I do in those situations, that this would not be a safe thing to do, as I have just called an unfamiliar number suggested by an automated voice on an inbound call. Fortunately, at least this bank have an answer to that question: there is a telephone number written on the back of the card itself, and he suggested I call that number. Now I can be pretty sure that I’m talking to who I think.
In the long run, I think banks will have to realise that they need to authenticate themselves too, and perhaps we will be able to test callers by getting them to tell us a password too.  Phishing attacks can only increase in the future due to the accessibility of VoIP technology, and part of the counter attack is to teach people how to authenticate callers, before giving up vital security information.
Securing the WLAN Link
At the IET Secure Mobile conference last week, Dr Philip Nobles from Cranfield University in the UK spoke about the subject of wireless LAN security. He showed the output of a tool running on his laptop on a 40 mile train ride into London. He had captured a large number of WLANs on the way, of which perhaps 60% were completely unsecured. In addition, you could see that many were using factory default settings, for example SSIDs (LAN identifier) of ‘netgear’. So all these sites can be compromised in terms of network sniffing, router hijhacking and theft of bandwidth.
Dr Nobles also spoke about WEP (Wired Equivalent Privacy), the first attempt to introduce encryption to WiFi networks. I had known that WEP was compromised at least in an academic sense, but I was surprised that practical tools exist for breaking WEP in a very short time. “My router gave up its key in 3 minutes”, Nobles said of his own home router.
In view of this, here are a few ideas for securing your WLAN in the home or the office:
1. Use WPA encryption (WiFi Protected Access) if this is available on your router/client setup. If not, use WEP in preference to leaving the router ‘open’. Use keys (passphrases) that will not be easy to guess.
2. Most routers have an option to hide the SSID, i.e. not broadcast the name. This means that the clients have to know the name explicitly. This is is good idea to switch on, and makes you look much less interesting on the Netstumbler display.
3. Don’t use the default SSID, and it is better to use a name that will not be vulnerable to dictionary attack, and one that doesn’t hint at your physical location.
4. Similarly, set an admin password on your router, again one difficult to guess or get by dictionary attack. For example, at one time I used “astro0cosmo0.”
5. Often you can block admin logon to the router from the Internet side, which is a good idea if you don’t need to remote manage it.
6. Some routers have the facility to “lock down” access to the router by only accepting connections from specific MAC addresses. In my experience this can be inconvenient to manage (for example if a WiFi card is replaced, or if a friend comes to visit with his machine), but it does limit the options for attackers.
7. Similarly, with some routers you can assign IP addresses to specific MAC addresses, and use the firewall to block unknown IP clients. As above, this can be inconvenient to manage, but it does limit access.
Security through Obscurity
The other day at the IET Secure Mobile conference in London, Steve Babbage, Vodafone’s Group Chief Crypographer (great job title) gave the keynote, and I was fortunate to speak to him afterwards about his ideas.  One interesting area was “security through obscurityâ€, where he maintained that in some situations it makes sense to make an attacker’s job as difficult as possible through the use of secret algorithms.  I hope I can do the argument justice here.Â
The World has changed today, and generally governments do not try to interfere in the issues of what crypto gets used in commercial mobile networks. However, when GSM was born, 40bit encryption was a (rather weak) standard that governments agreed should be used.  In this environment, Steve Babbage maintains, the cellcos would have been mad to release all the details of the algorithm to the public, since the added obscurity would make it even harder for an attacker to get a foothold.  In the context of SIM attacks (being physically in contact with the SIM to decrypt it,  a so-called “side-channel attackâ€), sometimes attackers can gain knowledge about the secret key by measuring the power usage of the chip under attack.  On the other hand, if the algorithm is secret, then it is impossible for an attacker to map power fluctuations against a model, since all he has is a seemingly patternless output from an engine of unknown design.Â
The use of secret algorithms is generally thought of these days as a “bad thingâ€, since if the algorithm is openly published it means that academics and researchers can test the thing to death and publish vulnerabilities that they find.  This should result in better algorithms and fewer defects in the long term.  Babbage doesn’t argue in favour of “cobbling something together in secretâ€, but rather he is saying that if you take a proven good thing like AES/Rijndael, and then add a further secret component to the algorithm, then the intellectual rigour is still there, with an added component to defeat foes. Â
What do you think about security via obscurity?
NSA Warrantless Wire-Tapping To Be Investigated
CBS reports here that investigators have been given the go ahead to look at the NSA’s wire-tapping programme.
Â
Security Meets Flexibility
Clearing up around my desk the other day I found a printout of Marcus Ranum’s article, The Six Dumbest Ideas in Computer Security. It does me good to re-read this from time-to-time, and never fails to give new ideas. I’ve been thinking recently about viruses and spyware, and what a pain all that stuff is, so this paragraph jumped out at me:
Another place where “Default Permit” crops up is in how we typically approach code execution on our systems. The default is to permit anything on your machine to execute if you click on it, unless its execution is denied by something like an antivirus program or a spyware blocker. If you think about that for a few seconds, you’ll realize what a dumb idea that is. On my computer here I run about 15 different applications on a regular basis. There are probably another 20 or 30 installed that I use every couple of months or so. I still don’t understand why operating systems are so dumb that they let any old virus or piece of spyware execute without even asking me. That’s “Default Permit.”
This sounds perfectly sensible, doesn’t it? Only let the good stuff run? Of course the reason we don’t do it is that in order to select which is “the good stuff” and which is “bad”, we need a human to make a decision. As PC users, we enjoy the flexibility to download and install anything we like, whenever we like. I have a number of different soft-phones (Skype, SJ-Phone, Messenger, etc) that I have elected to install on my machine, and no-one else in the company was involved in the decision to do it. Even supposing I install software from CD (for example installing firmware that comes with a VoIP phone), it is not unheard of for mass-produced software CDs to get shipped with viruses or trojans on board. As a user, I don’t know that any particular package is “safe”, so I have to either take a risk or do without the functionality I want.
In the 1970’s there used to be a thing called the application backlog in IT which basically meant that users that wanted some kind of processing had to wait weeks, months or longer until the owners of the corporate mainframe could approve, budget, source and install some new software to solve the user need. The PC brought with it the ability for users to solve their own problems in a timely manner, bypassing the Data Processing Manager and his domain. However, the cost of that freedom is the risk that any package we install might include some threat which might not be apparent on day one of the install.
With PCs now being equipped for multimedia, with broadband or wireless Internet, there are more and more tempting software packages becoming available every day, ranging from mapping and route planning, to audio and movie studio software, telephony, IM and presence products. There are many great productivity tools, offering everything from greater travel efficiency to better ways to interact with your customers.Â
Of course you can lock down corporate PCs, and prevent users from installing their own software, but by using this level of control you also lose the ability for users to solve their own IT problems, and once again you are back in the world of the application backlog.
Â
Â
100 Top Voices of IP Communications
The October edition of Internet Telephony Magazine (free download can be found on the TMC website) names the 100 Top Voices of IP Communications. A nice list of industry thought leaders, including VOIPSA Chairman, David Endler.
The same issue also has an article about CALEA, if that floats your boat.Â
Â
Looking To The Past
Nothing to do with VoIP, but security minded people might be interested in this. At the Victoria & Albert Museum (V&A) in London, I saw this mechanical indicator lock:
This device has two counters integrated into the lock: one is a dummy, and the other counts the number of times that the lock has been opened, allowing you to carefully monitor access to your piles of gold, kidnapped princesses, battle plans, and other precious posessions.
It’s very easy to fall into the conceit of thinking that security is a modern concern, but devices like this have been around for centuries.