[VOIPSEC] VOIP for free??
Ammar Alammar
ammar.alammar at gmail.com
Wed Apr 13 02:02:29 CDT 2005
I must agree.
Furthermore, mobile (cell in US) phones do not guarantee 000 (911 in US)
calls simply due to local signal reception interference as well as coverage.
This seems to be widely accepted and understood without legal ramifications.
So, what makes other voice-based services any different?
I believe that the answer lies in 'what an organisation claims or provides
the impression of selling'. For instance, a Telco in Australia can be sued
for breaching a 'Trade Practices Act' (similar to anti-trust but with
consumer extensions) if it sells a 'life-line' service but cannot deliver
on it.
However, if a Telco sells a 'social-telephony VoIP' and clearly positions
the voice service as a non-life-line service, then there should be no
problem - although I am not a lawyer!
Regards,
Ammar
On 4/13/05, Scott Keagy <Scott.Keagy at webex.com> wrote:
>
> Actually, it's not very difficult to get in the middle. Here are a variety
> of points of vulnerability that enable someone to get in the middle:
>
> DNS (modify entries to point all traffic to a hacker's machine)
> DHCP (make all traffic go to hacker's machine as default gateway, or change
> DNS entry to point at hacker's machine so all names resolve to hacker's IP
> addr)
> ARP (reply with hacker's MAC address, gratuitous ARPs or regular ARP
> replies)
> Flood CAM tables in switches to destroy existing MAC addr/port associations
> so all traffic is broadcast out every port, and then use ARP attacks)
> Routing protocols (change routing such that traffic physically passes
> through a router/machine controlled by hacker)
> Spanning tree attacks to change layer 2 forwarding topology
> Various control protocols that switches use such as VTP
> Physical insertion (e.g. PC with dual NIC cards)
>
> These are just some of the mechanisms to become a man-in-the-middle.
>
> Each of these can be performed in most Fortune500 companies today with
> relative anonymity (just need to have access to the network as a disgruntled
> employee or through social engineering). There are a variety of solutions
> proposed or recently available, but they are far from widely deployed.
> Example technologies that could thwart many of these attacks: DNSSEC,
> authenticated routing protocols, 802.1x, 802.11i (applied to wired ethernet
> to authenticate every Ethernet frame), port-based ACLs on layer 2 switches,
> and various specific fixes in layer 2 switches to harden against control
> protocols and restrict the forwarding of unnecessary traffic.
>
> Regards,
> Scott
>
>
> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
> Behalf Of Diana Cionoiu
> Sent: Monday, April 11, 2005 7:59 AM
> To: Michael Shields
> Cc: Smith, Donald; voipsec at voipsa.org; securityrequirements at voipsa.org
> Subject: Re: [VOIPSEC] VOIP for free??
>
> Hello Michael,
>
> I was referring to the fact that you have to be in the middle (as in man in
> the middle), which is far more complicated than you may think.
>
> Diana
>
> > Diana Cionoiu wrote:
> > > RTP is not trivial to listen to,
> > > and anyway whoever can listen to your phone calls can also see your yahoo,
> > > icq, msn, irc messages, so I think first we should solve those
> > > things and then go after plain VoIP.
> >
> > I am not sure why you say this. For over two years, Ethereal has been
> > able to decode RTP streams and save the audio into a file. This only
> > takes a few clicks, and with a little time you could automate it
> > completely.
> >
> > It is true that other more widely used protocols also have
> > vulnerabilities, including DNS, SMTP, and HTTP. However, work on VOIP
> > security does not block work on other protocols, so that is no reason
> > to put VOIP security work on hold. It is easier to fix problems now
> > while the protocols are still in relatively limited deployment.
> >
>
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>
--
Regards,
Ammar
_____________________________________
Free yourself, Open new doors ... OpenSource
www.OpenSource.com <http://www.OpenSource.com>
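
As an added illustration (not part of the original thread and not written by any of its participants), the ARP and DHCP redirection paths listed in the quoted message can be watched for from the defender's side. The event records, addresses and policy values below are constructed for the example.

```python
from collections import defaultdict

# Constructed sample events (not captured traffic): ARP replies and DHCP offers
# as a sensor on a voice VLAN might record them.
EVENTS = [
    {"t": 1, "type": "arp", "ip": "10.0.0.1", "mac": "00:11:22:33:44:01"},
    {"t": 2, "type": "arp", "ip": "10.0.0.20", "mac": "00:11:22:33:44:20"},
    {"t": 3, "type": "dhcp_offer", "server": "10.0.0.2", "router": "10.0.0.1", "dns": "10.0.0.2"},
    {"t": 4, "type": "arp", "ip": "10.0.0.1", "mac": "de:ad:be:ef:00:99"},
    {"t": 5, "type": "arp", "ip": "10.0.0.20", "mac": "de:ad:be:ef:00:99"},
    {"t": 6, "type": "dhcp_offer", "server": "10.0.0.66", "router": "10.0.0.66", "dns": "10.0.0.66"},
]

# Assumed site policy: the only legitimate DHCP server, gateway and resolver.
POLICY = {"dhcp_servers": {"10.0.0.2"}, "routers": {"10.0.0.1"}, "dns": {"10.0.0.2"}}

def detect(events, policy):
    """Return (time, rule, detail) alerts for ARP and DHCP redirection signs."""
    alerts = []
    ip_to_mac = {}                 # first MAC seen for each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed
    for ev in events:
        if ev["type"] == "arp":
            ip, mac = ev["ip"], ev["mac"]
            known = ip_to_mac.setdefault(ip, mac)
            if known != mac:
                # The IP is now answered for by a different MAC address.
                alerts.append((ev["t"], "arp-binding-change", f"{ip} {known} -> {mac}"))
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                # One MAC answering for several IPs (routers doing proxy ARP
                # also do this, so allow-list them in real use).
                alerts.append((ev["t"], "mac-claims-multiple-ips", f"{mac} {sorted(mac_to_ips[mac])}"))
        elif ev["type"] == "dhcp_offer":
            if ev["server"] not in policy["dhcp_servers"]:
                alerts.append((ev["t"], "rogue-dhcp-server", ev["server"]))
            if ev["router"] not in policy["routers"]:
                alerts.append((ev["t"], "unexpected-gateway", ev["router"]))
            if ev["dns"] not in policy["dns"]:
                alerts.append((ev["t"], "unexpected-dns", ev["dns"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS, POLICY):
        print(alert)
```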