Archive for the 'Conferences' Category

Blue Box Podcast #36 - Black Hat super-sized edition focusing on voice security talks

Monday, August 7th, 2006 by Dan York

Blue Box Podcast #36 is now available for download. In this super-sized show, we discuss the voice security talks given at Black Hat 2006 last week in Las Vegas. There is an interview with David Endler and Mark Collier about the VoIP security tools they released, an interview with Ofir Arkin about his talk on NAC and his involvement with VOIPSA, and many other news items coming out of the conference.

VoIP Phreaking in the Desert

Tuesday, August 1st, 2006 by Martyn Davies

On the Infoworld Zero Day Security page, Garza talks a little about the VoIP Phreaking session at the Black Hat conference, which is on right now in Las Vegas. I’m looking forward to the promised podcast with The Grugg, who led that class.

On the Black Hat website is an archive of presentations from previous conferences, and the ones from the current conference should pop up there in the coming weeks.

66th IETF Meeting starts tomorrow in Montreal - streaming audio and video available for remote listening

Monday, July 10th, 2006 by Dan York

FYI, the 66th IETF meeting starts tomorrow and the good news is that courtesy of the University of Oregon, you can listen/watch the sessions remotely. As noted in the IETF meeting agenda, there are a good number of sessions relating to security. One of special interest may be the RTPSEC BOF at 5:40pm (Eastern US) Monday night, where the topic of discussion will be all the various ways to securely exchange encryption keys for Secure RTP. The sessions will be streamed live, but will apparently also be available in an archive after the sessions are over.

UPDATE: There is also Jabber-based IM group chat available. If you already have a Jabber IM account somewhere (like Jabber.org), you can join a group chat room by connecting to the Jabber server “jabber.ietf.org” and then giving the working group name as the room name. For instance, the chat room for the ENUM session I am in right now is “enum@jabber.ietf.org”. Just another way to stay up with what is going on at the meetings for those interested.

Black Hats and Evil Twins

Friday, June 23rd, 2006 by Martyn Davies

In contrast to T-Mobile’s antipathy towards VoIP services, I see that UK-based WiFi hotspot provider The Cloud is actually in partnership with Skype and Vonage, so clearly they see VoIP as an important component of their business. However, as has been discussed in recent weeks on our VOIPSEC list, security of VoIP is only as good as the security of the platform itself and of the network that carries the VoIP traffic.

The latest security worries for WiFi have just been aired in a Computer World article. Some researchers will give a talk at the Black Hat conference on how to crash or hack WiFi drivers. In particular, they have used a fuzzing technique (which David Endler wrote about recently), with the LORCON 802.11 frame-injection library delivering the malformed frames over the air, to expose flaws in the way WiFi drivers parse what they receive. The article suggests that LORCON is a tool simple enough even for script kiddies to use.
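To make the driver-fuzzing idea concrete, here is an added example (not code from the talk, from LORCON, or from any real driver) of the kind of bug such fuzzing finds and how the parsing side should be written. An 802.11 beacon carries a list of information elements (IEs), each an id byte, a length byte and a body; a driver that trusts the attacker-supplied length byte can be made to copy past a fixed SSID buffer or read past the end of the frame. The block shows that unchecked pattern beside a bounds-checked parser and a small in-process mutation fuzzer that applies the length and truncation mutations an over-the-air fuzzer would inject. The seed frame (SSID "voipsa", supported rates, DS parameter set) and the function names are constructed for illustration; the fuzzer only exercises the checked parser, since the unchecked one is there to be read, not run.

```c
/* Added example: 802.11 IE parsing, unchecked vs. bounds-checked, plus a
 * tiny mutation fuzzer. Illustrative only; not from LORCON or any driver. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Each IE is <id:1><len:1><len bytes>. 802.11 caps the SSID at 32 octets. */
enum { IE_SSID = 0 };
#define SSID_MAX 32

struct beacon_info {
    char   ssid[SSID_MAX + 1];
    size_t ie_count;
};

/* Constructed seed: SSID "voipsa", supported rates (id 1), DS param (id 3). */
const uint8_t kSeed[] = {
    0x00, 0x06, 'v', 'o', 'i', 'p', 's', 'a',
    0x01, 0x04, 0x82, 0x84, 0x8b, 0x96,
    0x03, 0x01, 0x06
};
const size_t kSeedLen = sizeof kSeed;

/* Vulnerable pattern: trusts the length byte. An SSID IE with len > 32
 * overruns out->ssid (stack overflow); an IE whose len runs past the
 * frame makes the loop read beyond the buffer. Never use on real input. */
int parse_ies_unchecked(const uint8_t *ies, size_t n, struct beacon_info *out)
{
    size_t p = 0;
    memset(out, 0, sizeof *out);
    while (p < n) {
        uint8_t id = ies[p], len = ies[p + 1];
        if (id == IE_SSID) {
            memcpy(out->ssid, &ies[p + 2], len);   /* overflow if len > 32 */
            out->ssid[len] = '\0';
        }
        out->ie_count++;
        p += 2 + len;                              /* may skip past n */
    }
    return 0;
}

/* Hardened version: every read is checked against the bytes remaining,
 * and an over-long SSID is rejected. Returns 0 on success, -1 if malformed. */
int parse_ies_checked(const uint8_t *ies, size_t n, struct beacon_info *out)
{
    size_t p = 0;
    memset(out, 0, sizeof *out);
    while (p < n) {
        if (n - p < 2)
            return -1;                 /* truncated IE header */
        uint8_t id = ies[p], len = ies[p + 1];
        if (len > n - p - 2)
            return -1;                 /* body extends past the frame */
        if (id == IE_SSID) {
            if (len > SSID_MAX)
                return -1;             /* spec violation; would overflow */
            memcpy(out->ssid, &ies[p + 2], len);
            out->ssid[len] = '\0';
        }
        out->ie_count++;
        p += 2 + len;
    }
    return 0;
}

/* Deterministic mutation fuzzer over the seed: over-long length bytes,
 * truncation mid-IE and bit flips, the classes an 802.11 fuzzer injects.
 * Returns how many mutants the checked parser rejected; with the unchecked
 * parser in its place, the same inputs would be reads or writes out of bounds. */
size_t fuzz_lengths(const uint8_t *seed, size_t n, size_t rounds)
{
    uint8_t buf[256];
    struct beacon_info info;
    size_t rejected = 0;
    if (n == 0 || n > sizeof buf)
        return 0;
    for (size_t r = 0; r < rounds; r++) {
        memcpy(buf, seed, n);
        size_t len = n;
        size_t target = (r * 7 + 1) % n;       /* walk over byte positions */
        switch (r % 3) {
        case 0: buf[target] = 0xFF; break;     /* over-long length byte */
        case 1: len = target;       break;     /* truncate the frame */
        case 2: buf[target] ^= 0x80; break;    /* flip the top bit */
        }
        if (parse_ies_checked(buf, len, &info) != 0)
            rejected++;
    }
    return rejected;
}

int main(void)
{
    struct beacon_info info;
    if (parse_ies_checked(kSeed, kSeedLen, &info) == 0)
        printf("seed ok: ssid=%s ies=%zu\n", info.ssid, info.ie_count);
    printf("rejected %zu of 30 mutants\n", fuzz_lengths(kSeed, kSeedLen, 30));
    return 0;
}
```

The two checks in the hardened parser (`n - p < 2` and `len > n - p - 2`) are the ones a fuzzer-found driver crash usually turns out to be missing; the SSID cap is the separate check that protects the fixed-size copy target even when the frame itself is well-formed.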

The life of WiFi has been punctuated by stories of insecurity, including Evil Twinning (where criminals impersonate a bona fide WiFi service), the use of Netstumbler to find unsecured WLANs and endless stories about the insecurity of WEP. But as Virgil Gligor said at the recent VoIP Security Workshop, the history of computing is full of examples of new technologies that are used for a long period, perhaps ten years, before all of the related insecurities get found and fixed.

Not Just SPIT but SPOG and SPOM

Thursday, June 15th, 2006 by Martyn Davies

Looking at David Piscitello’s Blog the other day, I saw that in addition to all the various SPxxx words we use, he has coined the term SPOG for SPAM on Online Games. Like all these low-cost ways of getting messages to would-be buyers, SPOG will curse gamers as SPAM now curses all email users. Perhaps we could also add SPOM to the list (SPAM over Myspace), for a new way to SPAM the teenage market.

In the world of junk mail a 1% return would be considered exceptionally successful, and the economics of mass-mailing with poor targeting works on this basis of poor returns. I think it was Bruce Schneier who said that SPAM is basically an economic problem, because the costs of mass-emailing are so low that the low success rate is not a problem, and actually if one person in 100,000 turns into a sales prospect, then SPAM has become a legitimate marketing tool. So as frustrating as most of us find it, those few who say “yes” will mean that we continue to receive an unending flow of material about drugs and loans.

SPIT is not really a problem in the wild today. This is partly because VoIP largely exists in islands today, and not in a fully interconnected network. It’s also partly because would-be SPITters have not yet come across the technology. As with SPAM, this will be attractive to some, because it will be possible to automate calling, and because the technical barriers are low and the cost per call negligible, it will be economical to make thousands of calls per day. And if a small percentage of those calls actually succeed in closing some sales, then once again it has become a legitimate marketing technique.

SPIT was discussed quite a bit at the recent VoIP Security Workshop, and it seems researchers have already created an impressive array of anti-SPIT techniques, although with the caveat that they have no actual real-world SPIT data to test their techniques against. Some of these techniques are economic and some are technical, but we can well imagine combinations of these techniques giving us very high anti-SPIT coverage in the future. For the remaining few calls that get through, please let’s all hang up on them, and for goodness sake don’t buy anything.

eBay Developers Conference 2006

Saturday, June 10th, 2006 by Martyn Davies

The Ebay Devcon starts today at the Mandalay Bay, Las Vegas. For the first time this year, there are also sessions on Skype and the Skype API. One session that certainly seems to capture the zeitgeist (judging by this week’s discussions on the Voipsec mailing list) is that of using Skype in the enterprise.

Ebay are certainly trying some new things with their conference, firstly by running it over the weekend from Saturday to Monday, but secondly with the Unconference. The idea of the Unconference is to hand over the conference agenda to the attendees; for some weeks they have been running a Wiki where people can suggest their own topics, and once again I see that someone has nominated Skype for a roundtable discussion on Monday.

VoIP Security Workshop Presentations Online

Friday, June 9th, 2006 by Martyn Davies

The presentations from last week’s Berlin VoIP Security Workshop are now online. You can download all the presentations in one file, or you can go to the main conference page and click on Program to see the conference programme with clickable links to download individual presentations.

The 3rd Annual VoIP Security Workshop opens today, Berlin

Thursday, June 1st, 2006 by Martyn Davies

There’s an excellent turnout, and Fraunhofer Fokus are doing a great job of hosting, with free WLAN (hence this blog entry) and everything you would expect from a well-run conference.

The keynote speech today was provided by Virgil Gligor of the University of Maryland, on the subject of Adversary Models; in other words, it is necessary to define the adversary before we can decide what ‘secure’ means. Prof. Gligor was the 2006 recipient of the prestigious National Security Award, and he also has the distinction of being the first person ever to write a paper about Denial of Service attacks.

In a wide-ranging talk, Prof. Gligor pointed out that in the history of computing there has often been a gap of 10 or more years between the use of a technology and the addressing of the security issues that arise from it. This is of course also true today of VoIP and VoIP security, and he assures us that at least this means we will all have jobs for life.

One of the key messages of his talk was that “Perfect is the Enemy of the Good”; in other words, we can try to secure a system 100%, but end up with a completely unworkable system. On the other hand, we can engineer systems that work, but only detect perhaps 70% of intrusions and other security problems. There is no such thing as a completely secure system.

Conferences Coming Up

Wednesday, May 31st, 2006 by Martyn Davies

I can see that the VoIP Developer conference in August has a couple of sessions led by VOIPSA members, namely Andrew Graydon and Bogdan Materna. I’m looking forward to this conference; it should have some excellent material.

On the subject of conferences: as Dan York mentioned, the Berlin VoIP Security Workshop starts tomorrow; I’ll be attending, so I hope I bump into a few fellow VOIPSA people over the next couple of days. Stay tuned for a brief conference report here, and also an audio report on Dan’s Bluebox podcast.

Third Annual VoIP Security Workshop in Berlin starts tomorrow…

Wednesday, May 31st, 2006 by Dan York

If you are not aware of it, the Third Annual VoIP Security Workshop starts tomorrow, June 1, in Berlin, Germany. The program looks to be quite an interesting one and I personally would have loved to attend. Unfortunately, it did not work with my travel schedule but I look forward to seeing about attending the Fourth workshop, wherever that will be held. If any of you are attending and want to post some reports on what went on at the workshop, we would certainly love to have them. (Just leave a comment here or email me directly.)