[VOIPSEC] VoIP and Banking Security

Andrew Graydon securityrequirements at voipsa.org
Fri Jun 24 10:34:10 CDT 2005


I think there has been a lot of very good discussion on this point and it
does prove that as an industry we do not have all the answers. SRTP should
solve these issues, but is in itself always possible for a skilled and
dedicated hacker to circumvent. Putting SRTP on every stream also raises
implementation issues: both CALEA and enterprise/SP deployments will have to
deal with this encrypted information.

If we look at the current voice implementations on the phone systems, this
level of security is not implemented and it's been working for a while! On
the IP side, while there are provisions for encryption of email traffic, such
encryption systems are not in widespread use due to implementation and usage
issues. For regulatory reasons in some industries it is used, but mainly email
is sent as the base clear text system it was originally set up to be.

We have to be careful as an industry to try to balance the security issues
we see from a technical standpoint and the implementation and usage issues
from a provider and end user point of view.

These issues will be addressed in the projects starting in the Security
Requirements Committee and anyone interested in participating should look on
the VOIPSA website for information on participation.


Andrew 


_____

Andrew Graydon

Chair Security Requirements Committee 
VOIPSA

agraydon at voipsa.org
http://www.voipsa.org
-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Michael Stauffer
Sent: June 23, 2005 7:33 AM
To: Voipsec at voipsa.org
Subject: [VOIPSEC] VoIP and Banking Security

Al,

Is being able to sniff DTMF Digits not in line with your wishes? :)

Looks like an RFC 2833 dissector to me, available in Ethereal.
So can anyone sniff these packets? Well, in a properly configured, switched
environment, it's not something that's done without effort, but a malicious
agent with sufficient motivation and skill can capture these, yes. (The
previous discussions from this list on the relative ease of capturing in a
switched environment are acknowledged.) I could be wrong, but I believe SRTP
would take care of this. Thoughts?

Mike Stauffer
BAH
VoIP Security 


Greetings,

New here, and yes, I did check the archives first.

I just finished a session with my bank using the touch pad on my phone.
When finished I dumped the packets captured during the transaction (using
Ethereal). I was a little dismayed and a lot alarmed to see that wherever the
protocol was RTP EVE, the numbers I pressed on the phone were visible in
the info field:

     Payload type=RTP Event, DTMF Eight 8

I'm guessing that if I can sniff these packets, so can anyone else.

Anyone have any comments to calm my nerves?

Thanks,

Al


_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
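As an added example (not code from the original thread or from VOIPSA), here is a defender-side check of the exposure Al describes: it decodes RFC 2833 telephone-event packets out of raw RTP and lists the keypad digits that are readable in the clear, so an operator can verify whether a deployment leaks DTMF before SRTP is applied. The payload type 101, the SSRC and the packet sequence numbers are constructed sample values, and the capture is built in code rather than read from a pcap.

```python
import struct

# RFC 2833 event codes: 0-9 are the digits, 10 is '*', 11 is '#', 12-15 are A-D.
DTMF_EVENTS = {**{i: str(i) for i in range(10)}, 10: "*", 11: "#", 12: "A", 13: "B", 14: "C", 15: "D"}

def parse_rtp(packet):
    """Split an RTP packet (RFC 3550 header; CSRC list skipped, no padding/extension) into fields."""
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise ValueError("not an RTP version 2 packet")
    header_len = 12 + 4 * (b0 & 0x0F)
    return {"pt": b1 & 0x7F, "marker": bool(b1 & 0x80), "seq": seq,
            "ts": ts, "ssrc": ssrc, "payload": packet[header_len:]}

def parse_telephone_event(payload):
    """Decode the 4-byte RFC 2833 payload: event code, E(nd) bit, volume, duration."""
    event, flags, duration = struct.unpack("!BBH", payload[:4])
    return {"event": event, "end": bool(flags & 0x80), "volume": flags & 0x3F, "duration": duration}

def cleartext_dtmf_digits(packets, telephone_event_pt):
    """Return the DTMF digits readable in the clear from raw RTP packets. telephone_event_pt
    is the dynamic payload type negotiated in SDP for telephone-event/8000 (assumed 101 here).
    A digit is counted once per event timestamp on its end packet, which senders retransmit."""
    seen, digits = set(), []
    for raw in packets:
        rtp = parse_rtp(raw)
        if rtp["pt"] != telephone_event_pt or len(rtp["payload"]) < 4:
            continue  # audio or other payload: not a telephone-event packet
        ev = parse_telephone_event(rtp["payload"])
        key = (rtp["ssrc"], rtp["ts"])
        if ev["end"] and key not in seen:
            seen.add(key)
            digits.append(DTMF_EVENTS.get(ev["event"], "?"))
    return digits

def build_event_packet(seq, ts, ssrc, event, duration, end, marker=False, pt=101):
    """Build a constructed RFC 2833 packet (volume fixed at -10 dBm0) for the sample capture."""
    header = struct.pack("!BBHII", 0x80, (0x80 if marker else 0) | pt, seq, ts, ssrc)
    return header + struct.pack("!BBH", event, (0x80 if end else 0) | 10, duration)

def sample_capture():
    """Constructed stand-in for a capture: key '8' then '#' from one SSRC, each sent as
    a start packet, an update, and three copies of the end packet, as RFC 2833 describes."""
    pkts, ssrc = [], 0x1234ABCD
    for ts, event in ((160, 8), (2400, 11)):
        for duration, end, marker in ((160, False, True), (480, False, False), (800, True, False),
                                      (800, True, False), (800, True, False)):
            pkts.append(build_event_packet(1000 + len(pkts), ts, ssrc, event, duration, end, marker))
    return pkts
```

Running `cleartext_dtmf_digits(sample_capture(), 101)` returns `['8', '#']`, the same information Ethereal's dissector shows in its info column; an SRTP-protected stream would not yield a parseable telephone-event payload to this check.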