[VOIPSEC] Voipsec Digest, Vol 12, Issue 24

Mark Baugher mbaugher at cisco.com
Tue Jan 3 14:27:09 PST 2006


Dan
   All of this information is good to know, but I would not call this
slide set a security analysis unless we want to consider Skype's DRM
technical protection measures along with system security.  I don't
quite see how Skype's customers are necessarily affected by
counterfeit Skype implementations, if that is in fact an attack that
the mechanism is there to stop (though obfuscation and tamper
resistance typically won't stop anything).  This attack may or may
not be of interest to an enterprise or user.

What I expect is of interest to an enterprise is how authorization is
done and how outsiders might get access to their networks.  I expect
that a user might want to know how call signaling is kept as private
as the call data payloads.  It's true, the slideset describes the
cryptographic mechanisms like payload encryption, but little about
cryptographic protocols such as the key management.  In fact, nothing
about key management.  And nothing about risks to user privacy,
enterprise networks or even Skype copyright for that matter.  I think
it's necessary to at least describe the attacks that the mechanisms
are there to protect against.

cheers, Mark

On Jan 3, 2006, at 1:32 PM, dan_york at Mitel.com wrote:

>
> Mark,
>
> Another Skype security analysis I found useful is at:
>
>   http://www.ossir.org/windows/supports/2005/2005-11-07/EADS-CCR_Fabrice_Skype.pdf
>
> Regards,
> Dan
>
> P.S. I will note that recent list contributor Rodney Thayer also
> has his Skype security analysis online at
> http://www.canola-jones.com/material/candj-phreaknic2005.pdf
>
> -- 
> Dan York, CISSP
> Dir of IP Technology, Office of the CTO
> Mitel Corp.     http://www.mitel.com
> dan_york at mitel.com +1-613-592-2122
> PGP key (F7E3C3B4) available for
> secure communication
>
>
>
> "Henry Sinnreich" <henry at pulver.com>
> Sent by: Voipsec-bounces at voipsa.org
> 01/02/2006 11:21 AM
> Please respond to henry
>
>
>         To:        "'Mark Baugher'" <mbaugher at cisco.com>
>         cc:        Voipsec at voipsa.org
>         Subject:        Re: [VOIPSEC] Voipsec Digest, Vol 12, Issue 24
>
>
>
> Hi Mark and Happy New Year!
>
> You may have seen the security evaluation for Skype:
> http://www.skype.com/security/files/2005-031%20security%20evaluation.pdf
>
> It would be very interesting for someone who disagrees to take up this
> evaluation, item by item and provide arguments to the contrary. I have
> not seen any arguments to the contrary, but just people who either like
> Skype and some who don't.
>
> There is a test report though from a credible lab:
>
> http://www.networkworld.com/reviews/2005/121205-skype-test.html
>
> In this light, Skype is probably more useful in the enterprise than the
> hypothetical risks it may represent. Are Windows and its applications less
> risky?
>
> Actually, Skype can significantly increase productivity IMHO and should be
> encouraged by IT until a similar well designed application based on SIP
> will emerge. Instead of griping about Skype, I would like IETF-minded folks
> to work on a better-than-Skype P2P SIP product.
>
> Thanks, Henry
>
>
>
> -----Original Message-----
> From: Mark Baugher [mailto:mbaugher at cisco.com]
> Sent: Monday, January 02, 2006 9:33 AM
> To: henry at pulver.com
> Cc: Voipsec at voipsa.org
> Subject: Re: [VOIPSEC] Voipsec Digest, Vol 12, Issue 24
>
> hi Henry,
>
> On Dec 28, 2005, at 7:05 AM, Henry Sinnreich wrote:
>
> >> You can't sell expensive phones or nobody will be your customer
> >
> >
> >
> > Check out the Skype phones, (or the Nimcat/Avaya or Peerio PBX
> > phones).
> >
> > There is no central call routing and the phones are both secure and
> > affordable.
>
> I have not found a public description of Skype security and for that
> reason would not claim that they are secure.  In fact, what I have
> read about Skype security leads me to conclude that there is too much
> that is hidden from the user for Skype to be considered secure.
>
> Mark
> >
> >
> >
> > Both the business models and the platforms (no VoIP infrastructure) are
> > different though from the "carrier" model, and this changes the security
> > model and cost in a fundamental way.
> >
> >
> >
> > Let the flames come! :-)
> >
> >
> >
> > Thanks, Henry
> >
> > -----Original Message-----
> > From: Voipsec-bounces at voipsa.org [mailto:Voipsec-
> > bounces at voipsa.org] On
> > Behalf Of Voipsec-request at voipsa.org
> > Sent: Wednesday, December 28, 2005 6:00 AM
> > To: Voipsec at voipsa.org
> > Subject: Voipsec Digest, Vol 12, Issue 24
> >
> > Today's Topics:
> >
> >    1.  VoIP vulnerabilities summarization (david.castro)
> >
> > ----------------------------------------------------------------------
> >
> > Message: 1
> > Date: Tue, 27 Dec 2005 16:12:14 +0100
> > From: "david.castro" <david.castro at adianta.net>
> > Subject: [VOIPSEC]  VoIP vulnerabilities summarization
> > To: Voipsec at voipsa.org
> > Message-ID: <43B159CE.8030706 at adianta.net>
> > Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> >
> > Hello, I'm David.
> >
> > I've just read your interesting "chat", and I learned a lot, but I'd
> > like to ask a question about SIP.
> >
> > Let's imagine you are making an IP phone operator. You have a central
> > access point (SIP server and gateway to the PSTN), or several access
> > points across the Internet. You can sell your customers an IP phone, so
> > they don't need to have a computer running to chat on the phone. You
> > can't sell expensive phones or nobody will be your customer, so the
> > phones don't have TLS, IPsec or a SIP proxy, because they connect
> > directly to the access point.
> >
> > How do you protect this scenario?
> >
> > I'm using login/password in the register request, but in the other
> > requests I can't, because of the phones. What would you do?
> >
> > Thanks
> >
> > ------------------------------
> >
> > _______________________________________________
> > Voipsec mailing list
> > Voipsec at voipsa.org
> > http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> >
> >
> > End of Voipsec Digest, Vol 12, Issue 24
> > ***************************************
> >
>
>
>
>
>
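David's question in the quoted digest asks how to authenticate requests other than REGISTER from phones that have no TLS, IPsec or SIP proxy. The following is an added example, not code from any poster in this thread: it implements SIP Digest authentication as RFC 3261 section 22 specifies it (the RFC 2617 MD5 algorithm, without qop) on the server side, and shows that the same login/password used for REGISTER can be challenged for on an INVITE, that a reused nonce is refused, and that a response computed for one method and Request-URI does not verify for another. The realm voip.example, the user phone-1001, the password and the URIs are constructed sample values.

```python
# Added example (not from any poster in this thread): SIP Digest
# authentication per RFC 3261 section 22 using the RFC 2617 MD5 algorithm
# without qop.  The same REGISTER credentials can challenge any request
# (INVITE, BYE, ...), and A2 binds the method and Request-URI so a response
# for one request does not verify for a different one.
# Realm, user names, passwords and URIs below are constructed sample values.
import hashlib
import hmac
import os


def _md5_hex(text: str) -> str:
    """MD5 hex digest over the UTF-8 bytes, as the Digest scheme requires."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username: str, realm: str, password: str,
                    method: str, uri: str, nonce: str) -> str:
    """Client side (RFC 2617, no qop):
    response = H(H(A1):nonce:H(A2)), A1 = user:realm:password, A2 = method:uri."""
    ha1 = _md5_hex(f"{username}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{ha2}")


class DigestServer:
    """Server side: issues nonces for 401/407 challenges and verifies the
    Authorization header fields on any SIP method."""

    def __init__(self, realm: str, credentials: dict):
        self.realm = realm
        self.credentials = credentials   # username -> password (constructed store)
        self.outstanding = set()         # nonces issued and not yet used

    def challenge(self) -> str:
        """Return a fresh random nonce for a WWW-Authenticate/Proxy-Authenticate header."""
        nonce = os.urandom(16).hex()
        self.outstanding.add(nonce)
        return nonce

    def verify(self, method: str, uri: str, username: str,
               nonce: str, response: str) -> bool:
        """Accept only if the nonce is one we issued and is unused, the user
        exists, and the response matches for exactly this method and URI."""
        if nonce not in self.outstanding:
            return False                 # unknown, expired or already-used nonce
        self.outstanding.discard(nonce)  # one-shot nonce: a second use is refused above
        password = self.credentials.get(username)
        if password is None:
            return False
        expected = digest_response(username, self.realm, password, method, uri, nonce)
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Walk one phone through REGISTER, INVITE, a nonce reuse and a method mismatch."""
    server = DigestServer("voip.example", {"phone-1001": "constructed-secret"})
    results = {}

    # REGISTER: where operators already apply login/password.
    n1 = server.challenge()
    r1 = digest_response("phone-1001", "voip.example", "constructed-secret",
                         "REGISTER", "sip:voip.example", n1)
    results["register"] = server.verify("REGISTER", "sip:voip.example", "phone-1001", n1, r1)

    # INVITE: the same credentials work; the server simply challenges again.
    n2 = server.challenge()
    r2 = digest_response("phone-1001", "voip.example", "constructed-secret",
                         "INVITE", "sip:1002@voip.example", n2)
    results["invite"] = server.verify("INVITE", "sip:1002@voip.example", "phone-1001", n2, r2)

    # Presenting the same INVITE response a second time: the nonce is spent.
    results["replay"] = server.verify("INVITE", "sip:1002@voip.example", "phone-1001", n2, r2)

    # A response computed for INVITE does not verify for BYE: A2 covers the method.
    n3 = server.challenge()
    results["method_mismatch"] = server.verify("BYE", "sip:1002@voip.example", "phone-1001", n3, r2)
    return results


if __name__ == "__main__":
    print(demo())
```

Digest sits inside the SIP signaling itself, so it works for phones without TLS or IPsec and for any method the server chooses to challenge; what it does not provide is confidentiality of the signaling on the path, which is the separate point Mark raises above. In a deployment the nonce store needs an expiry, and most user agents send qop=auth with a nonce count and cnonce, which changes the A2 and response formulas from the no-qop form used here.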



