[VOIPSEC] VoIP and Banking Security

Thomas Howe howethomas at aol.com
Tue Jun 28 21:08:08 BST 2005


Hi John and others -

Thanks for your e-mail.  Yes, that's for sure - I suppose I should have 
been more clear in my e-mail. Yes, all customers expect a certain level 
of security - that goes without saying. They aren't asking for any more 
than we give, which seems to be up to today's standards.

But, here's the point I was trying to make : I think the sort of 
security threats that we will be facing in two or three years will be 
very different from those experienced today. Yes, there will be lots of 
SIP endpoints, and as individual islands, they need to be secured.  I am 
looking at the larger security issues in the core of the network, 
where an organized group of hackers will be attacking for political or 
monetary reasons. How many times does that happen in telephony today? I 
don't think it's very common. I might be wrong (as I often am) - anyone 
got data that says differently?

I agree with you - with IMS providing the architecture of hosted 
services, there's going to be an explosion in handsets. But there's 
going to be an explosion in hosted services, too. And, if I wanted to 
illegally remove money from a carrier, I wouldn't start with a single 
handset. I would go right to the host platform, and start with that. Are 
there any real numbers that quantify the risk to carriers as a function 
of handset security?  I would love to know that.

Tom

DePietro, John wrote on 6/28/05, 7:35 AM:

 > Hi Brian et al.,
 >
 > I just wanted to voice my opinion regarding the importance of addressing
 > SIP/VoIP security.  I have spoken to many European, Asian and US
 > Wireless carriers and this topic always runs at the top of the list.
 >
 > Many Wireless carriers will be rolling out IMS/MMD (3GPP/3GPP2
 > standards based on SIP/VoIP IETF standards) over the next 5 years.
 > They are also working through business models to converge 3G, Fixed
 > and Fixed Mobile networks.  IMS/MMD is opening up an opportunity for
 > Wireless carriers to expand new business models to hosted Enterprise
 > multimedia services.  This means that in the next 2 years 10s of
 > millions of IMS/MMD SIP/VoIP clients will be roaming the planet on
 > smart phones, which have widely open OSes with ample processing power
 > to entice any hackers and deviants.  This puts SIP/VoIP security front
 > and center.
 >
 > The reality is that Security was never intended to make anyone money,
 > but to prevent from losing money (e.g. free VoIP call over EVDO),
 > protecting privacy (e.g. Mobile financial transactions) or limiting a
 > market opportunity (e.g. offer VPN hosted to Enterprise customers).  I
 > view Security as a key enabler for SIP/VoIP and part of doing business
 > in IP telephony.
 >
 > These discussions and this forum are a good thing.  I would like to see
 > some more dialogue with regards to Wireless related (3G and WLAN)
 > security concerns and general comments of proposed security
 > architecture for IMS/MMD.  Interestingly enough, ETSI TISPAN has
 > embraced IMS so now we have Wireless/Wireline standards body convergence.
 >
 > John
 >
 >
 >
 > -----Original Message-----
 > From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org]On
 > Behalf Of Thomas Howe
 > Sent: Monday, June 27, 2005 1:39 PM
 > To: Brian Rosen
 > Cc: 'Michael Stauffer'; Voipsec at voipsa.org
 > Subject: RE: [VOIPSEC] VoIP and Banking Security
 >
 >
 > Brian,
 >
 > Working for a vendor myself, I agree with you on one level - there are
 > adequate solutions for VoIP carrier and enterprise deployments - our
 > customers are not hounding us to make them stronger. I would bet that
 > yours aren't either. Why? Simply put, there's no money they are losing
 > because of the current level of security - and no money they could make
 > if they had stronger security.
 >
 > But, the world of VoIP security is bigger than this. Carriers will lose
 > money if they are the target of a DOS attack.  Carriers will lose money
 > if some unauthorized carrier piggybacks on their network. I've actually
 > SEEN that one happen; the money gets big quick.
 >
 > My personal view is that there is a tipping point, where carriers and
 > enterprises will have enough money at stake where some "evil doer" (this
 > is not an endorsement of our President) will try to get some for
 > himself.  I mean, can you name a single time in the history of man where
 > big money was made, and criminals didn't try to go after some for
 > themselves?  This is one of the times where trying to guess at the right
 > answer like the ITU might be a bit better than waiting for the bombshell
 > to hit and describe how it got solved like the IETF. (and this is not an
 > endorsement of the ITU. I'm not a Geneva fan.)
 >
 > One other thing - and I can't verify this.  If you were SBC, and you
 > were getting hit up for VoIP extortion money, would you advertise it? I
 > bet you wouldn't.
 >
 > Tom
 >
 >
 > Brian Rosen wrote on 6/24/05, 4:59 PM:
 >
 > > This is at the heart of what the real big gorilla problem is with VoIP
 > > and security:
 > >
 > > We have an adequate set of tools available now to provide a service
 > > that is secure enough for most personal and commercial applications.
 > >
 > > There is no consumer/customer and therefore carrier, and therefore
 > > vendor demand for such a secure service.
 > >
 > > All of the work on taxonomy and requirements and whatever else we are
 > > doing fails to come to terms with the basic problem = no one cares.
 > >
 > > If they cared, all the phones and proxies would have the tools we have
 > > today implemented.  Security is very low on vendor priority lists because
 > > it is low to non-existent on customer priority lists.
 > >
 > > Yeah, I know all about PKI problems.  There are adequate solutions for
 > > VoIP carrier and enterprise deployments reasonably available right now.
 > >
 > > Perfect?  Not at all; but very, very reasonable security.
 > >
 > > THERE IS NO DEMAND
 > >
 > > Without it, better tools aren't useful.
 > >
 > > Brian
 > >
 > > -----Original Message-----
 > > From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
 > > Behalf Of Andrew Graydon
 > > Sent: Friday, June 24, 2005 11:34 AM
 > > To: 'Michael Stauffer'; Voipsec at voipsa.org
 > > Subject: RE: [VOIPSEC] VoIP and Banking Security
 > >
 > > I think there has been a lot of very good discussion on this point and it
 > > does prove that as an industry we do not have all the answers. SRTP should
 > > solve these issues, but in itself is always possible to circumvent for a
 > > skilled and dedicated hacker. The issue of putting SRTP on every stream also
 > > raises issues for implementation; both CALEA and enterprise/SP deployments
 > > will have to deal with this encrypted information.
 > >
 > > If we look at the current voice implementations on the phone systems, this
 > > level of security is not implemented and it's been working for a while! On
 > > the IP side, while there are provisions for encryption of email traffic,
 > > widespread usage of such encryption systems is not in use due to the
 > > implementation and usage issues. For regulatory issues in some industries it
 > > is used, but mainly email is sent as the base clear text system it was
 > > originally set up to do.
 > >
 > > We have to be careful as an industry to try to balance the security issues
 > > we see from a technical standpoint and the implementation and usage issues
 > > from a provider and end user point of view.
 > >
 > > These issues will be addressed in the projects starting in the Security
 > > Requirements Committee and anyone interested in participating should look on
 > > the VOIPSA website for information on participation.
 > >
 > >
 > > Andrew
 > >
 > >
 > > _____
 > >
 > > Andrew Graydon
 > >
 > > Chair Security Requirements Committee
 > > VOIPSA
 > >
 > > agraydon at voipsa.org
 > > http://www.voipsa.org
 > > -----Original Message-----
 > > From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
 > > Behalf Of Michael Stauffer
 > > Sent: June 23, 2005 7:33 AM
 > > To: Voipsec at voipsa.org
 > > Subject: [VOIPSEC] VoIP and Banking Security
 > >
 > > Al,
 > >
 > > Is being able to sniff DTMF Digits not in line with your wishes?  :)
 > >
 > > Looks like an RFC 2833 dissector to me, available in Ethereal.
 > > So can anyone sniff these packets?  Well, in a properly configured, switched
 > > environment, it's not something that's done without effort, but a malicious
 > > agent with sufficient motivation and skill can capture these, yes. (The
 > > previous discussions from this list on the relative ease of capturing in a
 > > switched environment acknowledged).  I could be wrong, but I believe SRTP
 > > would take care of this.  Thoughts?
 > >
 > > Mike Stauffer
 > > BAH
 > > VoIP Security
 > >
 > >
 > > Greetings,
 > >
 > > New here, and yes, I did check the archives first.
 > >
 > > I just finished a session with my bank using the touch pad on my phone.
 > > When finished I dumped the packets captured during the transaction (using
 > > Ethereal).  I was a little dismayed and a lot alarmed to see wherever the
 > > protocol was RTP EVE that the numbers I pressed on the phone were
 > > visible in the info field:
 > >
 > >      Payload type=RTP Event, DTMF Eight 8
 > >
 > > I'm guessing that if I can sniff these packets, so can anyone else.
 > >
 > > Anyone have any comments to calm my nerves?
 > >
 > > Thanks,
 > >
 > > Al
 > >
 > >
 > > _______________________________________________
 > > Voipsec mailing list
 > > Voipsec at voipsa.org
 > > http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
 >
 >

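Al's capture at the bottom of the thread is the concrete problem: in an unencrypted RTP stream the RFC 2833 telephone-event payload carries the pressed key as a one-byte event code, so any dissector (or any party on the path) reads the digits directly. The following added example, not code from anyone on this thread, decodes constructed RTP packets of that shape the way Ethereal's dissector would, so an operator can audit a capture of their own trunk for DTMF that is still in the clear; it assumes payload type 101 for telephone-event (a negotiated value, not fixed by the RFC) and builds every sample packet inline.

```python
import struct
from dataclasses import dataclass

# RFC 2833 event codes 0..15 are the DTMF keys 0-9, *, #, A-D.
DTMF_EVENTS = "0123456789*#ABCD"

@dataclass
class RtpEvent:
    timestamp: int   # RTP timestamp; constant across all packets of one key press
    digit: str
    end: bool        # E bit: final packet of the event (senders repeat it)
    duration: int    # in timestamp units (samples at 8 kHz)

def parse_rtp_event(packet: bytes, event_pt: int = 101):
    """Decode a plain RTP packet; return RtpEvent if PT is the (assumed) telephone-event PT, else None."""
    if len(packet) < 12:
        raise ValueError("short RTP header")
    b0, b1, _seq, ts, _ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    offset = 12 + 4 * (b0 & 0x0F)            # skip CSRC list
    if (b0 >> 4) & 1:                        # skip header extension if present
        (ext_words,) = struct.unpack("!H", packet[offset + 2:offset + 4])
        offset += 4 + 4 * ext_words
    if (b1 & 0x7F) != event_pt:
        return None                          # ordinary audio, not a key press
    event, flags, duration = struct.unpack("!BBH", packet[offset:offset + 4])
    digit = DTMF_EVENTS[event] if event < 16 else f"event-{event}"
    return RtpEvent(ts, digit, bool(flags & 0x80), duration)

def digits_from_stream(packets, event_pt: int = 101) -> str:
    """Recover the keyed sequence: one digit per distinct event timestamp."""
    seen, digits = set(), []
    for pkt in packets:
        ev = parse_rtp_event(pkt, event_pt)
        if ev and ev.timestamp not in seen:
            seen.add(ev.timestamp)
            digits.append(ev.digit)
    return "".join(digits)

def build_event_packet(seq, ts, event, end, duration, pt=101):
    """Constructed packet (not a real capture): 12-byte RTP header + 4-byte event."""
    hdr = struct.pack("!BBHII", 0x80, pt, seq, ts, 0x1234ABCD)
    return hdr + struct.pack("!BBH", event, (0x80 if end else 0) | 10, duration)

# Constructed stream: one G.711 packet (PT 0), then keys "8" and "1", each as three
# packets sharing one timestamp plus the end packet repeated three times (per RFC 2833).
SAMPLE_STREAM = [struct.pack("!BBHII", 0x80, 0, 1, 800, 0x1234ABCD) + b"\xff" * 160]
for i, (ts, ev) in enumerate([(1000, 8), (2000, 1)]):
    SAMPLE_STREAM += [build_event_packet(10 * i + k, ts, ev, False, 160 * (k + 1)) for k in range(3)]
    SAMPLE_STREAM += [build_event_packet(10 * i + 3, ts, ev, True, 640)] * 3
```

Run over a real unencrypted capture the same decoder yields the customer's keyed digits, which is exactly what SRTP (protecting the RTP payload) removes; the audit finding is therefore "telephone-event payload decodable" on any trunk where it returns digits.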