Voice of VOIPSA

I’m not sure what to make of this story.  Apparently some Russians are in the game to crack and clone the Skype client, which follows earlier news from Charlie Paglee about the Chinese cloning Skype.

It’s with some gloom that I look at these new services that use VoIP technology to fake your Caller ID. The first one I came across was FakeCaller, but others like Telespoof are arriving every day.

FakeCaller presents itself as a bit of fun (and ominously has a ‘pranks’ tab at the top of the welcome page, although no content there as yet). The notice at the bottom of the page suggests that you shouldn’t use it for harassment and stalking, or use foul language in the voice messages you send. But I ask you, what legitimate purpose could there be for a system that allows you to lie about your name and caller ID, and sent a computer speech message down the phone when they answer?

Telespoof think that their customer base is those who lie as part of their everyday work, even down to how you appear on the phone. I would have thought that simply restricting the display of your number (as you can on most cellular and landline systems these days by entering a code) would be enough. Perhaps that mean anonymous in a more insidious way, i.e. anonymous even to law enforcement and security forces.

I’m not sure how we got into this situation that VoIP telcos should be able to ‘opt out’ of the caller ID system, but overnight the whole concept of caller ID has become useless and unreliable. When I received a sales call from a company selling satellite TV warranties recently, they gave me the hard sell, suggesting that my Sky box was out of warranty and likely to fail at any minute. Small matter that I don’t have a box, but occasionally they must hit someone that does. Such a company could have no restraint in lying about their name and caller ID if it helped to close a sale.

This all just means more opportunities for mis-selling, phishing, faking, defrauding and otherwise messing with people, and I can’t see how anyone could be in favour of it.

Martin Geddes recently reflected on the use of Skype as a tool for recording podcasts with two people in different locations.  This is a technique that is used on many podcasts now, including Blue Box, the VoIP Security Podcast.  But as Geddes says, sometimes the quality is not all it should be, and it would be useful to be able to record in top quality, and in some way transmit this out-of-band, while using the inferior, real-time audio between the two podcasters.  Sometimes this technique (called double-ending, or a “double ender”) is done manually today in podcasting and in radio: each person records their end of the conversation locally, then the files get spliced together at the end to make a broadcast quality programme.  The telephone call only needs to be good enough for the two people to understand each other while the interview is taking place.

But adding double-ending functionality in Skype has interesting possibilities, apart from the podcasting one.  In some areas human speech needs to be understood by less tolerant parties than humans, for example in the areas of automatic speech recognition, or speaker verification.  Given that VoIP streams can be of cellphone quality (or lower), it could be useful for a computer system to be able to play back a passage of speech it was having trouble with.  For example, a speaker verification system might listen to the live VoIP speech, perhaps match with a certainty of 20%, then after a few tens or hundreds of milliseconds it could try again using extra hi-fidelity information that came in while it was processing the first time.  Much better than forcing the user to re-speak their passphrase over and over until the computer figures it out.

On the subject of Dan York (of Blue Box) and Martin Geddes, you can almost see them in this photograph from Fall VON.  York is moving at speed, presumably in order to eclipse Geddes.

Telephony online are running a series of articles about business continuity, including this one: VoIP changing business continuity, which talks about Avaya and using VoIP to carry on working in the face of physical disasters.

Edwin Pena, the man facing charges over a VoIP fraud, discussed here some months back, has fled, violating his bail conditions.  Information Week has the story here. 

Catching up on my reading, I see that Dr Dobb’s Journal honoured crypto guru Bruce Schneier in their April edition with an excellence in programming award.  I’ve been a fan of DDJ since I first came across the magazine in the 1980’s, and (with my software developer hat on) once even had the thrill of contributing to DDJ.

Congratulations, Bruce, coming from one of the World’s top-rank developer publications, I think this is an accolade to really enjoy. 

Being in Malaysia myself this week, I stumbled across this article by the Grugq in the Malaysia Star.  It’s quite a nice roundup of the coming threats in the VoIP world.  The mention of phone freakers brought back a thought I had a few weeks ago.  Before digital networks, phone phreakers were able to play tones down the phone handset (using a Blue Box), emulating the tones used by the telco themselves, and this allowed them to get free calls and mess around with the network.

With digital networks, all the signalling started to be done with SS7, carried on a parallel network dedicated to signalling traffic.  SS7 doesn’t extend to the phone handset, so suddenly phreakers were out of business.  This has been great for telcos, since the SS7 net was isolated and pretty safe from evildoers.

In some ways with VoIP, we’ve now gone back the other way.  Now all the VoIP signalling protocols, as well as the voice, go to the handset.  This allows phreakers to send any kind of message (SIP, H323 etc) they like into the net, to see what the result is.  This is a much worse proposition for the telcos, since they now need to make sure their edge switches are stable, secure, and as far as possible invulnerable to poorly formed messages, or floods of messages.  Today, it’s not a huge problem, but with Next Generation Networks (like IP Multimedia Subsystem or IMS) an awful lot of work is going to be needed to make the networks safe from attackers.

The Grucq is speaking at the HITB Security Conference in Malaysia, as is security guru Bruce Schneier.

I see that the British Computer Society (BCS) now has a section on their site dedicated to security.  I enjoyed this article by Ian Kennedy, about computer forensics and the Trojan defence.

 

 

Presentations from the recent Black Hat conference in Las Vegas are online and can be downloaded from here.

A lot of interesting stuff, including the Hacking VoIP Exposed presentation from our own David Endler and Mark Collier and Henrik Scholz on SIP Fingerprinting.

Insecurity of wireless has been much in the news.  Reading reports from the recent Black Hat conference and Defcon, there was a demonstration of how to compromise wireless devices by crashing the drivers, and also news about how easy it is to compromise RFID devices, for example cloning new, hi-tech passports that use the technology.  Flipping open the pages of the August PC World USA, (yes, paper magazines do still exist!), I see a report about the “10 Biggest Security Risks You Don’t Know About”, and this includes a report about how Bluetooth devices can be infected by malicious Bluetooth apps that are passing by, perhaps a metre away. They also talk about viruses that travel via SMS messages.

It’s a gloomy picture.  Whatever platform we choose to carry around with us for our calendar/agenda or communications needs, it seems that they can be compromised in some way, even without anyone touching the thing.  As we have noted in this blog before on a few occasions, a key way to compromise VoIP is to compromise the platform that you use to host it.  But I guess it all comes back to the same point: we love Bluetooth because it’s so damn convenient, but convenience is the enemy of security.  When we get lazy, other people out there get busy, trying to find ways to mess things up for us.

Which brings me very much to today’s situation with the current terror plot (that Tom Keating talks about here): I’m travelling back to the UK today, and thankfully the restrictions this end aren’t too bad tonight: I can’t carry a bottle of water onboard, but at least I can get home with all my precious tech gadgets intact.  Back in London, people are checking in their laptops, PDAs, Skype headsets and smartphones as hold baggage, and who knows how that stuff will look when the bags are unzipped tomorrow after the airline baggage handlers have had a go at them.  Life is about to get much harder for travellers, as we confront the reality that eternal vigilance is the price of safety.