Monthly Archives: August 2006

Paris Hilton, hacker extraordinaire?

SpoofCard.com, a company that sells “enhanced” calling cards providing the ever-so-popular Caller-ID spoofing feature, has recently terminated the accounts of Paris Hilton and 50 other customers because they abused the Caller-ID spoofing feature (go figure) to break into other people’s voice-mail accounts, listen to messages, and even change the targeted users’ greetings:

SpoofCard.com confirmed that Paris Hilton was among the terminated customers, and that Lindsay Lohan was among those whose voicemail accounts were broken into. SpoofCard has put software controls on its network so that customers can no longer use its service to break into the voicemail boxes of Miss Lohan or the other victims it has identified.

Not only is this a poor way to address the security issue, it’s not really even addressing the problem; it’s addressing the symptoms, and in an extremely limited way, by only blocking access from their customers to a list of specific users’ voice-mail accounts that have already been targeted. In SpoofCard’s defense, however, it probably is the best they can do; it really is the cellular carriers’ problem, because they allow users to disable the passcode required to access their voice-mail services, which then default to using only Caller-ID information to authenticate the user.

It’s pretty telling of the state of user trust in today’s global telephony system when there are so many businesses that have sprung up around what is essentially a lack of integrity of calling-party information that has been introduced into the system by VoIP and the VoIP-to-PSTN interfaces that they feed their information through. There are still VoIP-to-PSTN service providers that will honor Caller-ID information passed to them by their users and forward it into the PSTN, and there are any number of companies like SpoofCard.com that will provide this service for the average, non-technical consumer.

It’s sad that the general populace can really no longer trust the Caller-ID information that shows up on their phone. Telephony service providers, credit card distribution verification services, banks, and other companies need to realize this as well and stop using Caller-ID information to identify or authenticate their users; they really never should have been doing so in the first place.
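The weakness described above, as an added example that is not from the original post or any carrier's code: a voice-mail access check that falls back to Caller-ID when the passcode is disabled, beside a version that always requires the passcode. The `Mailbox` class, the function names, the lockout threshold and the phone numbers are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 3  # assumed lockout threshold, not taken from the post


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Derive a salted hash so the passcode is never stored in the clear."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class Mailbox:
    """Hypothetical voice-mail box; pin=None models 'passcode disabled'."""

    def __init__(self, number, pin=None):
        self.number = number
        self.salt = os.urandom(16)
        self.pin_hash = hash_pin(pin, self.salt) if pin else None
        self.failures = 0


def weak_access(box, caller_id, pin=None):
    """Behaviour the post criticises: with no passcode, Caller-ID alone decides."""
    if box.pin_hash is None:
        # caller_id is whatever the calling side asserted; nothing verifies it
        return caller_id == box.number
    return pin is not None and hmac.compare_digest(
        hash_pin(pin, box.salt), box.pin_hash)


def hardened_access(box, caller_id, pin=None):
    """Caller-ID is ignored for the decision; a passcode is always required."""
    if box.pin_hash is None:
        return False  # no passcode enrolled: refuse remote access
    if box.failures >= MAX_FAILURES:
        return False  # locked out after repeated wrong passcodes
    if pin is not None and hmac.compare_digest(
            hash_pin(pin, box.salt), box.pin_hash):
        box.failures = 0
        return True
    box.failures += 1
    return False
```
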

Cisco responds to Black Hat 0-Day SIP

Cisco today responded to the zero-day exploit released at the Black Hat conference earlier this month, essentially saying that they were unable to reproduce the announced vulnerability. They have been working with Hendrik Scholz, the presenter at Black Hat who announced the issue, but so far seem to be unable to duplicate his work. They will continue to update the advisory as they investigate further.

VOIP Asia/ME 2006 Event – August 28th and 29th

UNI of Singapore has organized an excellent regional event on VoIP for August 28th and 29th. VOIPSA will be joining speakers at this event from:

Asia Media and Information Center, Avaya, BT, Cisco, IDT, Korea Telecom, Lucent, Nextone, Nortel, Malaysian Communications and Multimedia Commission, MERA and other international and regional leaders. Please see the session at 14:20 on Day 1 and join us if you can.

download: http://www.pingalo.com/eventcalendar/28Aug06_29Aug06_UNI.pdf

Topics will include Mobile VoIP, Fixed Mobile Convergence, and Quadruple Play

Event: VOIP Asia / Middle East 2006
Dates: 28th – 29th August 2006
Venue: JW Marriott Kuala Lumpur, Malaysia
Phone: +65 6825 9579

Email is invited from anyone wishing to contribute issues or content on the topics. VOIPSA endeavors to provide acknowledgment and attribution to contributors.

Remote Control

Insecurity of wireless has been much in the news. Reading reports from the recent Black Hat conference and Defcon, there was a demonstration of how to compromise wireless devices by crashing the drivers, and also news about how easy it is to compromise RFID devices, for example cloning new, hi-tech passports that use the technology. Flipping open the pages of the August PC World USA (yes, paper magazines do still exist!), I see a report about the “10 Biggest Security Risks You Don’t Know About”, and this includes a report about how Bluetooth devices can be infected by malicious Bluetooth apps that are passing by, perhaps a metre away. They also talk about viruses that travel via SMS messages.

It’s a gloomy picture.  Whatever platform we choose to carry around with us for our calendar/agenda or communications needs, it seems that they can be compromised in some way, even without anyone touching the thing.  As we have noted in this blog before on a few occasions, a key way to compromise VoIP is to compromise the platform that you use to host it.  But I guess it all comes back to the same point: we love Bluetooth because it’s so damn convenient, but convenience is the enemy of security.  When we get lazy, other people out there get busy, trying to find ways to mess things up for us.

Which brings me very much to today’s situation with the current terror plot (that Tom Keating talks about here): I’m travelling back to the UK today, and thankfully the restrictions this end aren’t too bad tonight: I can’t carry a bottle of water onboard, but at least I can get home with all my precious tech gadgets intact.  Back in London, people are checking in their laptops, PDAs, Skype headsets and smartphones as hold baggage, and who knows how that stuff will look when the bags are unzipped tomorrow after the airline baggage handlers have had a go at them.  Life is about to get much harder for travellers, as we confront the reality that eternal vigilance is the price of safety.

 

Minutes available for RTPSEC BOF in Montreal on SRTP key exchange

Dan Wing announced that draft minutes of the RTPSEC BOF in Montreal are now available. This session at the IETF 66 meeting was to discuss the various ways of securing the key exchange for SRTP and to see if we could move the requirements along and reduce the 13 or so proposals down to a more workable number. As noted in the minutes, there was significant progress made on deciding various requirements. The next step will be to see what comes out in terms of refined proposals to address those requirements.

Blue Box Podcast #36 – Black Hat super-sized edition focusing on voice security talks

Blue Box Podcast #36 is now available for download. In this super-sized show, we discuss the voice security talks given at Black Hat 2006 last week in Las Vegas. There is an interview with David Endler and Mark Collier about the VoIP security tools they released, an interview with Ofir Arkin about his talk on NAC and involvement with VOIPSA, and many other news items coming out of the conference.

The Past Is Another Country

Clearing out some old papers, I came across an old copy of Byte magazine from 1990, celebrating 15 years of Byte, looking back to the birth of the microcomputer revolution, and on into the future. 

At the time, Windows 3.0 was starting to erode DOS as the OS of choice for PCs, and IBM’s OS/2 was making its attempt for the title too.  It was also the time of word processor wars, spreadsheet wars and development tool wars, all categories where Microsoft was the eventual winner.

TCP/IP had yet to make its mark.  Hard to remember now, but Novell were the kings of the enterprise LAN, with their proprietary IPX protocol.  Banyan Vines and IBM’s Netbios were alternatives, but whichever way you looked, you found companies reluctant to bring in the IP alternative.  One of the news stories in this Byte was the release of an add-on TCP/IP for OS/2.  I remember myself the struggles adding the optional TCP/IP stack to Windows 3.0 instead of the default IPX and Netbios.  Although email was well established within enterprises, the idea of routinely exchanging emails with just anyone was alien.  Some thought that X.400 was going to interconnect the world, before SMTP and POP jumped up to take centre stage. 

In the Byte Summit, they gathered a panel of experts to guess at the future of computer systems.  Names like Bill Gates, Chuck Peddle, Tony Hoare, Grace Hopper, Danny Hillis and Philippe Kahn.  They came out with some great predictions, including flat panel displays and CD-ROMs on all machines.  They underestimated the pace of change, of course, imagining a minimum hard disk requirement of only 100 Mb. 

The significance of networks attracted less comment, but I guess the idea of a universal Internet was too big a step of the imagination at that point.  The Internet idea was too distant, so Voice over IP was inconceivable.  As the saying goes “The past is another country, they do things differently there”, and by the same token, the future is so different we cannot imagine how things will be done there.  Anyone care to make some predictions for the computers of 2020?

If you are at the Black Hat USA Briefing this week…

If any of you are heading out to Las Vegas for the 2006 Black Hat Briefing tomorrow and Thursday, please do drop me a note as I’d love to connect with podcast listeners, blog readers and others. There will actually be several of us out there including Jonathan Zar, David Endler and Mark Collier, largely because of the “voice security” section to the conference schedule.