Author Archives: Martyn Davies

About Martyn Davies

Martyn is Principal Consultant for Weird Crater, a telecom and software consultancy.

Podcast on Skype Security

The latest episode, SKP14, of the SkypePodcast focuses on security, so may be of interest to folks here.  Sasha (the host) also gives a mention to our own Dan York and the Bluebox podcast.

Sasha quotes Skype CSO Kurt Sauer justifying why Skype jumps around different IP ports, making it hard to detect or block:  “One of the reasons Skype is difficult to find is that the people who provide the carrier services [ISPs, telcos] are in competition with Skype,”

You can find the full version of this quote in a Techworld article.

Newport Wobbles

News broke last week about Session Border Controller manufacturer Newport Networks, which has run into cash-flow problems waiting for deals to close.  Newport Networks was started by serial entrepreneur Sir Terry Matthews, reportedly Wales’s first billionaire, who also founded Newbridge (now part of Alcatel) and Mitel.

Last year Newport were lined up to supply their 1460 Session Border Controller to troubled equipment supplier Marconi.  Marconi themselves failed to become prime NGN suppliers to British Telecom, which ultimately resulted in the failure of the company.  The rump of Marconi has now been absorbed into Ericsson.

Newport have announced layoffs, as reported at ZDNet and in the UK Guardian Newspaper, in an attempt to reduce cash burn while waiting for the business to arrive.  It’s ironic with CALEA in the headlines and telcos rolling out NGNs that a provider of the enabling technology should have run onto the rocks.  Let’s hope the Newport investors can keep their nerve. 

Homosapien Too

I sent a message the other day on eBay, and came across a new feature: to submit a message you now have to prove you are not a spammer but human (these being opposites) with a Turing test or CAPTCHA.  OK, these things are common on web systems these days, but the new slant here was that if you could not read the graphic, you could click on a link and download an audio version to listen to instead.  This is also one of the proposed strategies for dealing with SPIT (SPAM over Internet Telephony) in our VoIP systems of the future, i.e. interact with the bona fide caller or spammer and present them with some kind of test or quiz before they get put through.  This could be as simple as “Press 8 to speak to Martyn or 0 for voicemail.”

But there is also an arms race aspect to this, for the smart spammer might also employ automatic speech recognition (ASR) technology, which is increasingly cheap and effective due to increasing CPU performance and falling hardware prices.  Their ASR server could be programmed to understand digits, and so have a fair stab at giving the correct answer to the CAPTCHA. 

It interested me that on eBay, the audio file downloaded did not have a pristine recording of the digits being read out, but instead had a variety of noises in the background: white noise; some fragments of speech.  Naturally it’s quite easy for a human to extract the digits from the background noise, but this is just the kind of chaff that might confuse the enemy radar, so to speak, of the spammer’s ASR system.

Happy July 4th to those of you in the USA, and welcome back all our friends that just celebrated Canada Day.

Perfectly Secret

In VoIP Security it seems we owe a double debt to Claude Shannon.  Shannon is probably best known for the Nyquist-Shannon sampling theorem, which underlies the whole of digital sampling of analog signals.  The elevator version of this idea is that when you sample something into digital form, you have to do this at least twice the frequency of the highest frequency that you want to reproduce.  This is why CDs only have an audible frequency range of 22 kHz (due to the 44 kHz sampling rate), which comfortably covers the range of frequencies that I can now hear, although perhaps not my children’s.

But Claude Shannon also coined the term perfect secrecy, as he did a lot of work related to cryptography.  In a nutshell, perfect secrecy means that you have no more information about the plaintext after seeing the ciphered version than you did before seeing it, i.e. it’s perfectly secret if the ciphered text gives you no clues and all plaintexts are equally probable.  I would highly recommend reading Shannon’s biography at the Wikipedia site.
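The definition above can be checked by brute force on a tiny cipher. This added example (not from the original post) assumes 2-bit messages with a constructed, deliberately non-uniform prior, and compares a one-time pad (key as long as the message) with a key that is too short, computing what an eavesdropper believes about the plaintext after seeing each ciphertext.

```python
from fractions import Fraction
from itertools import product

# Constructed prior over four 2-bit messages (assumption for illustration).
PRIOR = {0: Fraction(1, 2), 1: Fraction(1, 4), 2: Fraction(1, 8), 3: Fraction(1, 8)}

def xor(message, key):
    return message ^ key

def posterior(prior, keys, encrypt):
    """Return {ciphertext: {plaintext: P(plaintext | ciphertext)}} for uniform keys."""
    joint = {}
    for (m, pm), k in product(prior.items(), keys):
        row = joint.setdefault(encrypt(m, k), {})
        row[m] = row.get(m, Fraction(0)) + pm * Fraction(1, len(keys))
    result = {}
    for c, row in joint.items():
        total = sum(row.values())
        result[c] = {m: p / total for m, p in row.items()}
    return result

def is_perfectly_secret(prior, keys, encrypt):
    """True when seeing any ciphertext leaves every plaintext probability unchanged."""
    post = posterior(prior, keys, encrypt)
    return all(row.get(m, Fraction(0)) == pm
               for row in post.values()
               for m, pm in prior.items())

if __name__ == "__main__":
    # One-time pad: 2-bit key for a 2-bit message.
    print("2-bit key:", is_perfectly_secret(PRIOR, range(4), xor))
    # Key too short: only the low bit is masked, so the high bit leaks.
    print("1-bit key:", is_perfectly_secret(PRIOR, range(2), xor))
    print("P(m=0 | c=0) with 1-bit key:", posterior(PRIOR, range(2), xor)[0][0])
```

With the short key, a ciphertext of 0 rules out messages 2 and 3 entirely, which is exactly the kind of clue perfect secrecy forbids.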

Actually, reading this page made me think about Richard Feynman (also biog’ed at Wikipedia), one of my great heroes.

The two men were about the same age: Shannon combined a serious academic career with juggling, unicycling and with roulette weekends in Las Vegas; Feynman, a brilliant physicist and educator, had hobbies of bongo drumming, painting and safe cracking.  I wonder if the two of them ever met?

Black Hats and Evil Twins

In contrast to T-Mobile’s antipathy towards VoIP services, I see that UK-based WiFi hotspot provider The Cloud is actually in partnership with Skype and Vonage, so clearly they see VoIP as an important component of their business. However, as has been discussed in recent weeks on our VOIPSEC list, security of VoIP is only as good as the security of the platform itself and of the network that carries the VoIP traffic.

The latest security worries for WiFi have just been aired in a Computer World article.  Some researchers will give a talk at the Black Hat conference on how to crash or hack WiFi drivers.  In particular, they have used a fuzzing technique (which David Endler wrote about recently) using a tool called LORCON to expose flaws in the WiFi driver.  The article suggests that LORCON is even simple enough for script kiddies to use.

The life of WiFi has been punctuated by stories of insecurity, including Evil Twinning (where criminals impersonate a bona fide WiFi service), the use of Netstumbler to find unsecured WLANs and endless stories about the insecurity of WEP.  But as Virgil Gligor said at the recent VoIP Security Workshop, the history of computing is full of examples of new technologies that are used for a long period, perhaps ten years, before all of the related insecurities get found and fixed.

Not Just SPIT but SPOG and SPOM

Looking at David Piscitello’s Blog the other day, I saw that in addition to all the various SPxxx words we use, he has coined the term SPOG for SPAM on Online Games.  Like all these low-cost ways of getting messages to would-be buyers, SPOG will curse gamers as SPAM now curses all email users.  Perhaps we could also add SPOM to the list (SPAM over Myspace), for a new way to SPAM the teenage market.

In the world of junk-mail a 1% return would be considered exceptionally successful, and the economics of mass-mailing with poor targeting works on this basis of poor returns.  I think it was Bruce Schneier that said that SPAM is basically an economic problem, because the costs of mass-emailing are so low that the low success rate is not a problem, and actually if one person in 100,000 turns into a sales prospect, then SPAM has become a legitimate marketing tool.  So as frustrating as most of us find it, those few who say “yes” will mean that we continue to receive an unending flow of material about drugs and loans.

SPIT is not really a problem in the wild today.  This is partly because VoIP largely exists in islands today, and not in a fully interconnected network.  It’s also partly because would-be SPITters have not yet come across the technology.  As with SPAM, this will be attractive to some, because it will be possible to automate calling, and because the technical barriers are low, and the cost per call negligible, it will be economical to make thousands of calls per day.  And if a small percentage of those calls actually succeed in closing some sales, then once again it has become a legitimate marketing technique.

SPIT was discussed quite a bit at the recent VoIP Security Workshop, and it seems researchers have already created an impressive array of anti-SPIT techniques, although with the caveat that they have no actual real-world SPIT data to test their techniques against.  Some of these techniques are economic and some are technical, but we can well imagine combinations of these techniques giving us very high anti-SPIT coverage in the future.  For the remaining few calls that get through, please let’s all hang up on them, and for goodness sake don’t buy anything.

That’s One Way to Secure VoIP

There was an interesting story at Reg Hardware about cellco T-Mobile in the UK, and their response to VoIP.  T-Mobile’s Web ‘n’ Walk is a data service aimed at business people, with a flat-topped monthly tariff; however, they do not want you to use VoIP or IM with this service, and it is explicitly forbidden.  To quote from T-Mobile’s own webpage:

Use of Voice over Internet Protocol and Messaging over Internet Protocol is prohibited by T-Mobile. If use of either or both of these services is detected T-Mobile may terminate all contracts with the customer and disconnect any SIM cards and/or web ‘n’ walk cards from the T-Mobile network. 

Of course this brings many questions to mind, including “why?”; presumably so that VoIP use does not threaten the normal call revenue.  Another important question is “how?”, since much business traffic is secured by VPN and so it would be impossible for T-Mobile to tell email from VoIP, IM or anything else.  Researchers have documented that the Skype client uses random TCP port numbers, and that the line protocol has been deliberately obfuscated in order to conceal how it works.  In short, detection of Skype traffic is not trivial.

All in all it’s a very interesting example of how the collision of Internet and mobile technology is causing discomfort to telcos.

eBay Developers Conference 2006

The eBay Devcon starts today at the Mandalay Bay, Las Vegas. For the first time this year, there are also sessions on Skype and the Skype API. One session that certainly seems to capture the zeitgeist (judging by this week’s discussions on the Voipsec mailing list) is that of using Skype in the enterprise.

eBay are certainly trying some new things with their conference, firstly by running it over the weekend from Saturday to Monday, but secondly with the Unconference. The idea of the Unconference is to hand over the conference agenda to the attendees; for some weeks they have been running a Wiki where people can suggest their own topics, and once again I see that someone has nominated Skype for a roundtable discussion on Monday.

Day 2 of the VoIP Security Workshop in Berlin.

Many good sessions today including Christian Stredicke, CEO of VoIP phone specialist SNOM, and Bogdan Materna (VOIPSA member and VoIPShield Systems’ CEO). Stredicke’s talk was on the subject of securing VoIP media.  To summarize to the bare bones, he said that it’s done and dusted for most aspects: securing signalling means TLS; securing streams means SRTP and key exchange will likely use Sdescriptions (SDES).  Well, perhaps not so simple as that in the area of key exchange: he cited 11 proposals still on the table, including 5 variants of MIKEY and 2 of SDES.  Stredicke also cited Phil Zimmermann’s ZRTP technology as interesting, but “too late”.  Stredicke said that if ZRTP had arrived two years ago, it would for sure be a leading contender, but many implementations of SDES already exist.
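The TLS and SDES pieces depend on each other: SDES places the SRTP master key in the SDP body as an `a=crypto` attribute (RFC 4568), so the key is only as private as the signalling hop that carries it. This added example (not from the talk or the original post) audits an offer for that dependency; the SDP sample, dummy key and the `audit_offer` helper are constructed for illustration.

```python
import base64
import binascii
import re

# Bytes of key||salt each RFC 4568 SRTP crypto-suite expects (128-bit key + 112-bit salt).
SUITE_KEY_LEN = {
    "AES_CM_128_HMAC_SHA1_80": 30,
    "AES_CM_128_HMAC_SHA1_32": 30,
    "F8_128_HMAC_SHA1_80": 30,
}
CRYPTO_RE = re.compile(r"^a=crypto:(\d+) (\S+) inline:([A-Za-z0-9+/=]+)")

# Constructed sample offer; the key is a dummy value, not a real session key.
DUMMY_KEY = base64.b64encode(bytes(range(30))).decode()
SAMPLE_SDP = "\r\n".join([
    "v=0",
    "o=alice 1 1 IN IP4 192.0.2.10",
    "s=-",
    "c=IN IP4 192.0.2.10",
    "t=0 0",
    "m=audio 49170 RTP/SAVP 0",
    f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{DUMMY_KEY}",
])

def audit_offer(via_transport, sdp):
    """Return findings for an SDES offer received over the given SIP transport."""
    findings = []
    offers = [m for m in map(CRYPTO_RE.match, sdp.splitlines()) if m]
    if not offers:
        findings.append("no a=crypto line: media is not keyed via SDES")
    for tag, suite, b64 in (m.groups() for m in offers):
        need = SUITE_KEY_LEN.get(suite)
        if need is None:
            findings.append(f"crypto {tag}: unknown suite {suite}")
            continue
        try:
            got = len(base64.b64decode(b64))
        except binascii.Error:
            findings.append(f"crypto {tag}: key is not valid base64")
            continue
        if got != need:
            findings.append(f"crypto {tag}: key||salt is {got} bytes, expected {need}")
    if offers and via_transport.upper() != "TLS":
        findings.append(f"SDES key sent over {via_transport.upper()} signalling: "
                        "readable by anyone on the path")
    return findings
```

The transport argument corresponds to the protocol token in the SIP Via header (for example `SIP/2.0/TLS`); TLS protects only each hop, so every proxy on the path still sees the key.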

The day closed with an excellent panel discussion chaired by Dorgham Sisalem, and featuring panellists Christian Stredicke, Michael Haberler (Enum.at), Saverio Niccolini (NEC) and Hannes Tschofenig (Siemens).  They tackled a wide range of subjects including “Is Legal Intercept Evil?” and “Will we dial numbers in 10 years time, or SIP URIs?”.  I also saw Niccolini’s presentation yesterday, where he referred to the Threat Taxonomy project at VOIPSA, so nice to see our work being used in practice.

Final thoughts: Nice social crowd, interesting sessions and well organized.  Altogether a very worthwhile event, I’m looking forward to the next one.