Voice of VOIPSA

McAfee recently published their top ten threat predictions for 2008. Among the other threats, attacks against VoIP systems were predicted to rise by 50% in 2008:

VoIP attacks should increase by 50 percent in 2008. More than twice the number of VoIP-related vulnerabilities were reported in 2007 versus the previous year - several high-profile “vishing” attacks, and a criminal phreaking (or fraud) conviction - so it’s clear that VoIP threats have arrived and there’s no sign of a slowdown.

The unauthorized surveillance and recording of VoIP calls has been discussed time and time again, but what happens when the surveillance of your call is being done at the endpoint by one of the participating parties? What if the surveillance was being done to analyze one of the caller’s stress levels and detect them lying, in real-time?

Apparently, Skype is set to provide a new feature application to it’s customers, the KishKish Lie Detector, which analyzes audio stream data in real-time, supposedly indicating the stress level of the person it’s analyzing. This makes me wonder, what if both parties are analyzing each other? Could mutual suspicions cause an escalating stress readout as each party gets more and more nervous by the indicated stress levels of the other party?

From the KishKish Lie Dectector website:

Voice Stress Analysis (VSA) is a type of lie detector which measures stress in a person’s voice. The use of Voice Stress Analysis (VSA) as a lie detector became popular in the late 1970s and 80s. In the 90s the first Computerized VSA (CVSA) systems came to out to the market. The CVSAT is now the truth verification device of choice in the law enforcement community as the number of law enforcement agencies utilizing the CVSAT continues to grow dramatically, proving the viability of the system for twenty-first century crime detection. The CVSAT is also being utilized by the US Military in the global war on terrorism.

Now KishKish Lie detector offers you a tool to detect the stress level of the person you communicate with over Skype. With the use of KishKish Lie detector you can monitor in real-time the stress level of the person you talked with. This allows you to gage the level of stress and modify your questions in real time. You could also use our KishKish SAM VSA that allows you to record the call and analyze the stress level off-line.

Did I miss the part where law enforcement and Dept. of Homeland Security began interrogating people via Skype? Perhaps the call recording feature could be used by responsible and patriotic citizens when fear-mongered into believing that they could be talking to potential terrorists AT ANY GIVEN MOMENT. Or perhaps I’m giving this way too much thought and people are generally just distrustful of each other and want the data points to back up that gut feeling.

The October edition of Internet Telephony Magazine (free download can be found on the TMC website) names the 100 Top Voices of IP Communications.  A nice list of industry thought leaders, including VOIPSA Chairman, David Endler.

The same issue also has an article about CALEA, if that floats your boat. 

 

Nothing to do with VoIP, but security minded people might be interested in this.  At the Victoria & Albert Museum (V&A) in London, I saw this mechanical indicator lock:

This device has two counters integrated into the lock: one is a dummy, and the other counts the number of times that the lock has been opened, allowing you to carefully monitor access to your piles of gold, kidnapped princesses, battle plans, and other precious posessions.

It’s very easy to fall into the conceit of thinking that security is a modern concern, but devices like this have been around for centuries.

I see that the British Computer Society (BCS) now has a section on their site dedicated to security.  I enjoyed this article by Ian Kennedy, about computer forensics and the Trojan defence.

 

 

Clearing out some old papers, I came across an old copy of Byte magazine from 1990, celebrating 15 years of Byte, looking back to the birth of the microcomputer revolution, and on into the future. 

At the time, Windows 3.0 was starting to erode DOS as the OS of choice for PCs, and IBM’s OS/2 was making its attempt for the title too.  It was also the time of word processor wars, spreadsheet wars and development tool wars, all categories where Microsoft was the eventual winner.

TCP/IP had yet to make its mark.  Hard to remember now, but Novell were the kings of the enterprise LAN, with their proprietary IPX protocol.  Banyan Vines and IBM’s Netbios were alternatives, but whichever way you looked, you found companies reluctant to bring in the IP alternative.  One of the news stories in this Byte was the release of an add-on TCP/IP for OS/2.  I remember myself the struggles adding the optional TCP/IP stack to Windows 3.0 instead of the default IPX and Netbios.  Although email was well established within enterprises, the idea of routinely exchanging emails with just anyone was alien.  Some thought that X.400 was going to interconnect the world, before SMTP and POP jumped up to take centre stage. 

In the Byte Summit, they gathered a panel of experts to guess at the future of computer systems.  Names like Bill Gates, Chuck Peddle, Tony Hoare, Grace Hopper, Danny Hillis and Philippe Kahn.  They came out with some great predictions, including flat panel displays and CD-ROMs on all machines.  They underestimated the pace of change, of course, imagining a minimum hard disk requirement of only 100 Mb. 

The significance of networks attracted less comment, but I guess the idea of a universal Internet was too big a step of the imagination at that point.  The Internet idea was too distant, so Voice over IP was inconceivable.  As the saying goes “The past is another country, they do things differently there”, and by the same token, the future is so different we cannot imagine how things will be done there.  Anyone care to make some predictions for the computers of 2020?

Ted Shelton makes a very good case in in VoIP Magazine as to why Skype should open up their protocol to other partners.  From what I see, Skype have had great success attracting development partners to using their API, and surely opening up the protocol is just a logical extension of that?  It’s just that while the API allows applications to do a lot of things, there are some areas that it cannot address. 

I meet people that want to do just what Ted Shelton is talking about, and actually implement alternative Skype client software.  Some want to create Skype gateways, for example tromboning Skype calls to other VoIP or TDM calls under their control.  Some want to use Skype’s IM and presence information as part of a larger VoIP platform.  I use and like the Skype client software, but I can see that Skype’s power is not in the software; it is in the number of desktops they own.  Skype’s would-be partners want to touch that user base too. 

Antonio Nucci, CTO of software firm Narus writes here about the Challenges In Detection of Skype Traffic.  Of course don’t expect them to give away too much detail on trade secrets, but the general approach described is not to decode or reverse-engineer the protocol, but rather to profile traffic using a heuristic approach. 

Firstly, he talks about signature analysis of the TCP, UDP packets, and then about analyzing/profiling the behaviour, for example traffic patterns.  How this can be done in a way that is CPU-efficient and with a low rate of false positives, he does not say.

Narus is one of the companies that has been linked with the Shanghai Telecom story, regarding the blocking of VoIP traffic.  It is not clear whether Shanghai have in fact bought Narus’ Skype-blocking module.

It would seem that Microsoft and Yahoo! have decided to work together and create an inter-operable messaging platform that will support both the Microsoft Live Messenger and Yahoo Instant Messanger clients and protocols, and combining their separate user-bases into one that is close to 350 million users strong, easily eclipsing the 100 million that Skype boasts.

With a clear road map to VoIP services and to adding IM services to mobile phones, both of which Yahoo!’s service already offers via it’s service, as well as the ability to make PC to PSTN calls via Yahoo!’s “Phone Out” service, it’s clear that the target is being drawn squarely on Skype. It will be interesting to see if the security aspect of Skype’s closed product approach or the apparent lack of strong encryption in the Microsoft or Yahoo! protocols (at least in their default configurations) will play any part in the upcoming shootout for subscribers.

The new unified platform is currently in beta and is available for trial.

The latest episode, SKP14, of the SkypePodcast focuses on security, so may be of interest to folks here.  Sasha (the host) also gives a mention to our own Dan York and the Bluebox podcast.

Sasha quotes Skype CSO Kurt Sauer justifying why Skype jumps around different IP ports, making it hard to detect or block:  “One of the reasons Skype is difficult to find is that the people who provide the carrier services [ISPs, telcos] are in competition with Skype,”

You can find the full version of this quote in a Techworld article.