[VOIPSEC] VoIP and Banking Security
Brian Rosen
br at brianrosen.net
Fri Jun 24 15:59:37 CDT 2005
This is at the heart of what the real big gorilla problem is with VoIP and
security:
We have an adequate set of tools available now to provide a service that is
secure enough for most personal and commercial applications
There is no consumer/customer and therefore carrier, and therefore vendor
demand for such a secure service.
All of the work on taxonomy and requirements and whatever else we are doing
fail to come to terms with the basic problem = no one cares.
If they cared, all the phones and proxies would have the tools we have today
implemented. Security is very low on vendor priority lists because it is
low to non-existent on customer priority lists.
Yeah, I know all about PKI problems. There are adequate solutions for VoIP
carrier and enterprise deployments reasonably available right now.
Perfect? Not at all; but very, very reasonable security.
THERE IS NO DEMAND
Without it, better tools aren't useful.
Brian
-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Andrew Graydon
Sent: Friday, June 24, 2005 11:34 AM
To: 'Michael Stauffer'; Voipsec at voipsa.org
Subject: RE: [VOIPSEC] VoIP and Banking Security
I think there has been a lot of very good discussion on this point and it
does prove that as an industry we do not have all the answers. SRTP should
solve these issues, but in itself is always possible for a skilled and
dedicated hacker to circumvent. The issue of putting SRTP on every stream also
raises issues for implementation; both CALEA and enterprise/SP deployments
will have to deal with this encrypted information.
If we look at the current voice implementations on the phone systems, this
level of security is not implemented and it's been working for a while! On
the IP side, while there are provisions for encryption of email traffic,
such encryption systems are not in widespread use due to the
implementation and usage issues. For regulatory issues in some industries it
is used, but mainly email is sent as the base clear-text system it was
originally set up to do.
We have to be careful as an industry to try to balance the security issues
we see from a technical standpoint and the implementation and usage issues
from a provider and end user point of view.
These issues will be addressed in the projects starting in the Security
Requirements Committee and anyone interested in participating should look on
the VOIPSA website for information on participation.
Andrew
_____
Andrew Graydon
Chair Security Requirements Committee
VOIPSA
agraydon at voipsa.org
http://www.voipsa.org
-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Michael Stauffer
Sent: June 23, 2005 7:33 AM
To: Voipsec at voipsa.org
Subject: [VOIPSEC] VoIP and Banking Security
Al,
Is being able to sniff DTMF Digits not in line with your wishes? :)
Looks like an RFC 2833 dissector to me, available in Ethereal.
So can anyone sniff these packets? Well, in a properly configured, switched
environment, it's not something that's done without effort, but a malicious
agent with sufficient motivation and skill can capture these, yes. (The
previous discussions from this list on the relative ease of capturing in a
switched environment acknowledged). I could be wrong, but I believe SRTP
would take care of this. Thoughts?
Mike Stauffer
BAH
VoIP Security
Greetings,
New here, and yes, I did check the archives first.
I just finished a session with my bank using the touch pad on my phone.
When finished I dumped the packets captured during the transaction (using
ethereal). I was a little dismayed and a lot alarmed to see wherever the
protocol was RTP EVE that the numbers I pressed on the phone were visible in
the info field:
Payload type=RTP Event, DTMF Eight 8
I'm guessing that if I can sniff these packets, so can anyone else.
Anyone have any comments to calm my nerves?
Thanks,
Al
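Al's observation above (digits readable in the RTP Event info field) and Mike's point that an RFC 2833 dissector is all it takes are easy to verify in a lab. The following is an added audit helper, not code from this thread or from VOIPSA: it reads the SDP of a call to see whether the audio was negotiated as plain RTP (RTP/AVP) or SRTP (RTP/SAVP) and which dynamic payload type carries telephone-event, then decodes the RFC 2833 payloads to show what a cleartext capture exposes. The SDP bodies, SSRC, payload type 101 and the packets themselves are constructed sample data; the field layouts follow RFC 3550 (RTP header) and RFC 2833 (event, E bit, volume, duration).

```python
"""Audit helper (constructed example): does a call leak DTMF as cleartext RFC 2833 events?"""
import struct

# RFC 2833 event codes 0-15 map to the DTMF keypad.
DTMF_EVENTS = {**{i: str(i) for i in range(10)}, 10: "*", 11: "#",
               12: "A", 13: "B", 14: "C", 15: "D"}

# Constructed SDP offer: plain RTP, PCMU plus telephone-event on dynamic PT 101.
OFFER_RTP = """v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 5004 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
"""
# Same offer negotiated as SRTP (a real SAVP offer also carries a=crypto or a DTLS fingerprint).
OFFER_SRTP = OFFER_RTP.replace("RTP/AVP", "RTP/SAVP")


def parse_sdp_audio(sdp: str):
    """Return (media profile, telephone-event payload type) from an SDP body."""
    profile, te_pt = None, None
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("m=audio "):
            profile = line.split()[2]            # RTP/AVP or RTP/SAVP
        elif line.startswith("a=rtpmap:") and "telephone-event" in line:
            te_pt = int(line[len("a=rtpmap:"):].split()[0])
    return profile, te_pt


def parse_rtp(packet: bytes):
    """Decode the RFC 3550 fixed header (plus CSRC list, extension, padding) and return the payload."""
    if len(packet) < 12:
        raise ValueError("short RTP packet")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    cc, has_ext, padding = b0 & 0x0F, bool(b0 & 0x10), bool(b0 & 0x20)
    marker, pt = bool(b1 & 0x80), b1 & 0x7F
    offset = 12 + 4 * cc
    if has_ext:
        ext_words = struct.unpack("!H", packet[offset + 2:offset + 4])[0]
        offset += 4 + 4 * ext_words
    payload = packet[offset:]
    if padding and payload:
        payload = payload[:-payload[-1]]         # last byte holds the pad length
    return {"pt": pt, "marker": marker, "seq": seq, "ts": ts, "ssrc": ssrc, "payload": payload}


def parse_telephone_event(payload: bytes):
    """Decode an RFC 2833 payload: event | E R volume | duration (16 bits)."""
    if len(payload) < 4:
        raise ValueError("short telephone-event payload")
    event, flags, duration = struct.unpack("!BBH", payload[:4])
    return {"event": event, "digit": DTMF_EVENTS.get(event),
            "end": bool(flags & 0x80), "volume": flags & 0x3F, "duration": duration}


def build_rtp_event(seq, ts, ssrc, pt, event, end, duration, marker=False):
    """Build one RTP packet carrying a telephone-event payload (used only to construct sample input)."""
    header = struct.pack("!BBHII", 0x80, (0x80 if marker else 0) | (pt & 0x7F), seq, ts, ssrc)
    flags = (0x80 if end else 0) | 10            # E bit, volume 10 dBm0 attenuation
    return header + struct.pack("!BBH", event, flags, duration)


def sample_capture():
    """Constructed packets: one PCMU frame, then digits '1' and '8' as RFC 2833 events
    (start packet with marker, an update, and the end packet sent three times per RFC 2833)."""
    ssrc = 0x1234ABCD
    pkts = [struct.pack("!BBHII", 0x80, 0, 100, 8000, ssrc) + b"\xff" * 160]
    seq = 101
    for ts, event in ((8160, 1), (9600, 8)):
        stages = [(False, 160, True), (False, 320, False)] + [(True, 480, False)] * 3
        for end, dur, marker in stages:
            pkts.append(build_rtp_event(seq, ts, ssrc, 101, event, end, dur, marker))
            seq += 1
    return pkts


def recover_cleartext_digits(sdp: str, packets):
    """Audit check: the digit string readable on the wire, or '' when the media was
    negotiated as SRTP (payload is ciphertext) or no telephone-event PT exists."""
    profile, te_pt = parse_sdp_audio(sdp)
    if profile != "RTP/AVP" or te_pt is None:
        return ""
    digits, seen = [], set()
    for pkt in packets:
        rtp = parse_rtp(pkt)
        if rtp["pt"] != te_pt:
            continue
        ev = parse_telephone_event(rtp["payload"])
        key = (rtp["ssrc"], rtp["ts"])           # one event = one RTP timestamp
        if ev["end"] and ev["digit"] and key not in seen:
            seen.add(key)
            digits.append(ev["digit"])
    return "".join(digits)


def audit_demo():
    """Returns ('18', ''): cleartext RTP exposes the digits, the SRTP leg exposes nothing."""
    return recover_cleartext_digits(OFFER_RTP, sample_capture()), \
        recover_cleartext_digits(OFFER_SRTP, sample_capture())
```

Run `audit_demo()` against the constructed capture and the plain-RTP leg yields "18" while the SRTP leg yields nothing, which is the whole point of Mike's SRTP suggestion. On a real capture the profile check is only a negotiation hint; an audit should also confirm that key exchange actually completed (the a=crypto or DTLS fingerprint attributes) and that the RTP payload bytes on the wire do not decode as valid telephone-event structures.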
_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org