Voice of VOIPSA

To most in the security industry these words bring to mind attack and defense of the electronic communications and control of military assets and sensitive government institutions and information. Government vs. government. The US government recognizes this as a developing threat and has undertaken steps to prepare for possible cyber war scenarios. But recent press coverage has been filled with what can be best described as a cyber war between a foreign government and a US commercial business – China and Google. Google’s belief it has the right to do business as it sees fit has come into conflict with a government that does not share this view and apparently has taken action. Most hacking incidents we read about involve criminal activity and easily understood motives – money. Businesses understand this too and are diligent to prevent and minimize this. There are means (at times) to legally redress criminal breaches, minimize and recoup losses – but what of this incident? As large and savvy as Google appears as a business they seem to be on their own against an even larger and capable foreign government and the vast resources it can bring to bear in the electronic arena. A frightening position indeed. Who does Google turn to and for what result? Is this the opening shot of ever increasing and blatant ideological (based on national interests) ‘hacktivism’ by governments as they take action not against governments, but the business and economic assets of countries with differing views?

Do you accept the definition of cyber war presented here? How would you define and what would you call the recent exchange between China and Google? Cyber war to me seems a little extreme and hacktivism a little light.

Google attacked
http://www.npr.org/templates/story/story.php?storyId=122703950

Yahoo and others too?
http://www.bloomberg.com/apps/news?pid=20601204&sid=aRCof4o1aj5Y

Law firm a victim
http://www.securityfocus.com/brief/1062

China’s position
http://www.reuters.com/article/idUSTRE60D0CA20100114

Hacktivism
http://www.sophos.com/blogs/gc/g/2010/01/12/baidu-chinas-largest-search-engine-defaced-iranian-cyber-army/

US Cyber Command
http://www.defense.gov/news/newsarticle.aspx?id=54890

Interesting piece over on CNET today about “Why Obama’s cell phone calls will always go through“. Here is a snippet:

It may sound a bit like a storyline from the West Wing, but there actually is a branch of the government called the National Communications System tasked with ensuring that telecommunications related to “national security” remain intact and ready to use. President Kennedy created NCS in 1963, and its mandate has expanded to include high-priority Internet and mobile phone calls too.

While I assumed these agencies and systems were in place, I admit I did not know of their names. Browsing through the NCS website, it’s interesting to see the information that is publicly available. And yes, their advisory about the impending inauguration is probably right on… I imagine that cell phone traffic will just be a wee bit elevated over the next few days down in DC!

Technorati Tags:
ncs, government, obama, wireless

McAfee recently published their top ten threat predictions for 2008. Among the other threats, attacks against VoIP systems were predicted to rise by 50% in 2008:

VoIP attacks should increase by 50 percent in 2008. More than twice the number of VoIP-related vulnerabilities were reported in 2007 versus the previous year – several high-profile “vishing” attacks, and a criminal phreaking (or fraud) conviction – so it’s clear that VoIP threats have arrived and there’s no sign of a slowdown.

The unauthorized surveillance and recording of VoIP calls has been discussed time and time again, but what happens when the surveillance of your call is being done at the endpoint by one of the participating parties? What if the surveillance was being done to analyze one of the caller’s stress levels and detect them lying, in real-time?

Apparently, Skype is set to provide a new feature application to it’s customers, the KishKish Lie Detector, which analyzes audio stream data in real-time, supposedly indicating the stress level of the person it’s analyzing. This makes me wonder, what if both parties are analyzing each other? Could mutual suspicions cause an escalating stress readout as each party gets more and more nervous by the indicated stress levels of the other party?

From the KishKish Lie Dectector website:

Voice Stress Analysis (VSA) is a type of lie detector which measures stress in a person’s voice. The use of Voice Stress Analysis (VSA) as a lie detector became popular in the late 1970s and 80s. In the 90s the first Computerized VSA (CVSA) systems came to out to the market. The CVSAT is now the truth verification device of choice in the law enforcement community as the number of law enforcement agencies utilizing the CVSAT continues to grow dramatically, proving the viability of the system for twenty-first century crime detection. The CVSAT is also being utilized by the US Military in the global war on terrorism.

Now KishKish Lie detector offers you a tool to detect the stress level of the person you communicate with over Skype. With the use of KishKish Lie detector you can monitor in real-time the stress level of the person you talked with. This allows you to gage the level of stress and modify your questions in real time. You could also use our KishKish SAM VSA that allows you to record the call and analyze the stress level off-line.

Did I miss the part where law enforcement and Dept. of Homeland Security began interrogating people via Skype? Perhaps the call recording feature could be used by responsible and patriotic citizens when fear-mongered into believing that they could be talking to potential terrorists AT ANY GIVEN MOMENT. Or perhaps I’m giving this way too much thought and people are generally just distrustful of each other and want the data points to back up that gut feeling.

The October edition of Internet Telephony Magazine (free download can be found on the TMC website) names the 100 Top Voices of IP Communications.  A nice list of industry thought leaders, including VOIPSA Chairman, David Endler.

The same issue also has an article about CALEA, if that floats your boat. 

 

Nothing to do with VoIP, but security minded people might be interested in this.  At the Victoria & Albert Museum (V&A) in London, I saw this mechanical indicator lock:

This device has two counters integrated into the lock: one is a dummy, and the other counts the number of times that the lock has been opened, allowing you to carefully monitor access to your piles of gold, kidnapped princesses, battle plans, and other precious posessions.

It’s very easy to fall into the conceit of thinking that security is a modern concern, but devices like this have been around for centuries.

I see that the British Computer Society (BCS) now has a section on their site dedicated to security.  I enjoyed this article by Ian Kennedy, about computer forensics and the Trojan defence.

 

 

Clearing out some old papers, I came across an old copy of Byte magazine from 1990, celebrating 15 years of Byte, looking back to the birth of the microcomputer revolution, and on into the future. 

At the time, Windows 3.0 was starting to erode DOS as the OS of choice for PCs, and IBM’s OS/2 was making its attempt for the title too.  It was also the time of word processor wars, spreadsheet wars and development tool wars, all categories where Microsoft was the eventual winner.

TCP/IP had yet to make its mark.  Hard to remember now, but Novell were the kings of the enterprise LAN, with their proprietary IPX protocol.  Banyan Vines and IBM’s Netbios were alternatives, but whichever way you looked, you found companies reluctant to bring in the IP alternative.  One of the news stories in this Byte was the release of an add-on TCP/IP for OS/2.  I remember myself the struggles adding the optional TCP/IP stack to Windows 3.0 instead of the default IPX and Netbios.  Although email was well established within enterprises, the idea of routinely exchanging emails with just anyone was alien.  Some thought that X.400 was going to interconnect the world, before SMTP and POP jumped up to take centre stage. 

In the Byte Summit, they gathered a panel of experts to guess at the future of computer systems.  Names like Bill Gates, Chuck Peddle, Tony Hoare, Grace Hopper, Danny Hillis and Philippe Kahn.  They came out with some great predictions, including flat panel displays and CD-ROMs on all machines.  They underestimated the pace of change, of course, imagining a minimum hard disk requirement of only 100 Mb. 

The significance of networks attracted less comment, but I guess the idea of a universal Internet was too big a step of the imagination at that point.  The Internet idea was too distant, so Voice over IP was inconceivable.  As the saying goes “The past is another country, they do things differently there”, and by the same token, the future is so different we cannot imagine how things will be done there.  Anyone care to make some predictions for the computers of 2020?

Ted Shelton makes a very good case in in VoIP Magazine as to why Skype should open up their protocol to other partners.  From what I see, Skype have had great success attracting development partners to using their API, and surely opening up the protocol is just a logical extension of that?  It’s just that while the API allows applications to do a lot of things, there are some areas that it cannot address. 

I meet people that want to do just what Ted Shelton is talking about, and actually implement alternative Skype client software.  Some want to create Skype gateways, for example tromboning Skype calls to other VoIP or TDM calls under their control.  Some want to use Skype’s IM and presence information as part of a larger VoIP platform.  I use and like the Skype client software, but I can see that Skype’s power is not in the software; it is in the number of desktops they own.  Skype’s would-be partners want to touch that user base too. 

Antonio Nucci, CTO of software firm Narus writes here about the Challenges In Detection of Skype Traffic.  Of course don’t expect them to give away too much detail on trade secrets, but the general approach described is not to decode or reverse-engineer the protocol, but rather to profile traffic using a heuristic approach. 

Firstly, he talks about signature analysis of the TCP, UDP packets, and then about analyzing/profiling the behaviour, for example traffic patterns.  How this can be done in a way that is CPU-efficient and with a low rate of false positives, he does not say.

Narus is one of the companies that has been linked with the Shanghai Telecom story, regarding the blocking of VoIP traffic.  It is not clear whether Shanghai have in fact bought Narus’ Skype-blocking module.