Monthly Archives: December 2006

Jon Arnold interviews me for Pulver podcasts

Another podcast to note… Canadian analyst Jon Arnold interviewed me for his Canadian thought leaders podcast series all about… gee… VoIP security! (Yes, okay, so I no longer live in Canada, but I did live there for most of 5 years and I still work for a Canadian company.) We had a great chat about VoIPSA, Blue Box, VoIP security in general and my views on some of the current vulnerabilities to VoIP. It runs about 19 minutes or so and you can get it from the link on Jon’s blog.

Blue Box #47: Deflating VoIP security hype, SANS and the need for better VoIP security training, India moves to block Skype and other VoIP, Skype security, tutorials, listener comments and more…

Blue Box Podcast #47 is now available for download. In this show, Jonathan and I talk about some of the recent articles and reports hyping VoIP security, recent comments from SANS about the need for better VoIP security training, moves by the Indian government to block Skype and other VoIP services and much, much more. Tons of listener comments in this show… probably the most we’ve ever had. See the show notes for all the links and info.

Skype, an Essential Tool for Interrogation

The unauthorized surveillance and recording of VoIP calls has been discussed time and time again, but what happens when the surveillance of your call is being done at the endpoint by one of the participating parties? What if the surveillance was being done to analyze one of the caller’s stress levels and detect them lying, in real-time?

Apparently, Skype is set to provide a new feature application to it’s customers, the KishKish Lie Detector, which analyzes audio stream data in real-time, supposedly indicating the stress level of the person it’s analyzing. This makes me wonder, what if both parties are analyzing each other? Could mutual suspicions cause an escalating stress readout as each party gets more and more nervous by the indicated stress levels of the other party?

From the KishKish Lie Dectector website:

Voice Stress Analysis (VSA) is a type of lie detector which measures stress in a person’s voice. The use of Voice Stress Analysis (VSA) as a lie detector became popular in the late 1970s and 80s. In the 90s the first Computerized VSA (CVSA) systems came to out to the market. The CVSAT is now the truth verification device of choice in the law enforcement community as the number of law enforcement agencies utilizing the CVSAT continues to grow dramatically, proving the viability of the system for twenty-first century crime detection. The CVSAT is also being utilized by the US Military in the global war on terrorism.

Now KishKish Lie detector offers you a tool to detect the stress level of the person you communicate with over Skype. With the use of KishKish Lie detector you can monitor in real-time the stress level of the person you talked with. This allows you to gage the level of stress and modify your questions in real time. You could also use our KishKish SAM VSA that allows you to record the call and analyze the stress level off-line.

Did I miss the part where law enforcement and Dept. of Homeland Security began interrogating people via Skype? Perhaps the call recording feature could be used by responsible and patriotic citizens when fear-mongered into believing that they could be talking to potential terrorists AT ANY GIVEN MOMENT. Or perhaps I’m giving this way too much thought and people are generally just distrustful of each other and want the data points to back up that gut feeling.

Tell Me Your PIN, So I Can Go Shopping

Martin Geddes of at Telepocalypse raises an interesting point that has bothered me also, which comes back to the security of phones, and the ability for hackers to pass themselves off as legitimate organisations, such as your own bank. Today, the problem is that there is no way an inbound call can ever be secure, because any Caller ID number you receive could be faked, and many outbound call centres withhold the number anyway.  Also, with technology like Asterisk servers and IVRs with synthesized speech, it is quite possible to build a reasonable facsimile of your bank at a very low cost.

I have a card that I usually service online, and it is very rare that I ever need to call-up one of the call centres to speak to anyone. So recently when I received a call out-of-the-blue on my cellphone, I was surprised to be addressed by a synthesized voice. Knowing, as I do, that such things can cheaply be rigged-up using a regular PC (and perhaps Asterisk), I was not inclined to trust the call, or enter any of the bank security details it was asking for. I hung up on it, whereupon it called back a number of times before I drove into a GSM blackspot, which for the purposes of this discussion we can call Vermont. The repeated calls did nothing to reduce my suspicions.

Like Martin Geddes, when (a couple of days later) I did finally call the number suggested in the synthesized announcement, the operator I spoke to wanted to take security details from me. I explained, as I do in those situations, that this would not be a safe thing to do, as I have just called an unfamiliar number suggested by an automated voice on an inbound call. Fortunately, at least this bank have an answer to that question: there is a telephone number written on the back of the card itself, and he suggested I call that number. Now I can be pretty sure that I’m talking to who I think.

In the long run, I think banks will have to realise that they need to authenticate themselves too, and perhaps we will be able to test callers by getting them to tell us a password too.  Phishing attacks can only increase in the future due to the accessibility of VoIP technology, and part of the counter attack is to teach people how to authenticate callers, before giving up vital security information.

Securing the WLAN Link

At the IET Secure Mobile conference last week, Dr Philip Nobles from Cranfield University in the UK spoke about the subject of wireless LAN security.  He showed the output of a tool running on his laptop on a 40 mile train ride into London.  He had captured a large number of WLANs on the way, of which perhaps 60% were completely unsecured.  In addition, you could see that many were using factory default settings, for example SSIDs (LAN identifier) of ‘netgear’.  So all these sites can be compromised in terms of network sniffing, router hijhacking and theft of bandwidth.

Dr Nobles also spoke about WEP (Wired Equivalent Privacy), the first attempt to introduce encryption to WiFi networks.  I had known that WEP was compromised at least in an academic sense, but I was surprised that practical tools exist for breaking WEP in a very short time. “My router gave up its key in 3 minutes”, Nobles said of his own home router.

In view of this, here are a few ideas for securing your WLAN in the home or the office:

1. Use WPA encryption (WiFi Protected Access) if this is available on your router/client setup.  If not, use WEP in preference to leaving the router ‘open’.  Use keys (passphrases) that will not be easy to guess.

2. Most routers have an option to hide the SSID, i.e. not broadcast the name.  This means that the clients have to know the name explicitly.  This is is good idea to switch on, and makes you look much less interesting on the Netstumbler display.

3. Don’t use the default SSID, and it is better to use a name that will not be vulnerable to dictionary attack, and one that doesn’t hint at your physical location.

4. Similarly, set an admin password on your router, again one difficult to guess or get by dictionary attack.  For example, at one time I used “astro0cosmo0.”

5. Often you can block admin logon to the router from the Internet side, which is a good idea if you don’t need to remote manage it.

6. Some routers have the facility to “lock down” access to the router by only accepting connections from specific MAC addresses.  In my experience this can be inconvenient to manage (for example if a WiFi card is replaced, or if a friend comes to visit with his machine), but it does limit the options for attackers.

7. Similarly, with some routers you can assign IP addresses to specific MAC addresses, and use the firewall to block unknown IP clients.  As above, this can be inconvenient to manage, but it does limit access.

Security through Obscurity

The other day at the IET Secure Mobile conference in London, Steve Babbage, Vodafone’s Group Chief Crypographer (great job title) gave the keynote, and I was fortunate to speak to him afterwards about his ideas.  One interesting area was “security through obscurity”, where he maintained that in some situations it makes sense to make an attacker’s job as difficult as possible through the use of secret algorithms.  I hope I can do the argument justice here. 

The World has changed today, and generally governments do not try to interfere in the issues of what crypto gets used in commercial mobile networks.  However, when GSM was born, 40bit encryption was a (rather weak) standard that governments agreed should be used.  In this environment, Steve Babbage maintains, the cellcos would have been mad to release all the details of the algorithm to the public, since the added obscurity would make it even harder for an attacker to get a foothold.  In the context of SIM attacks (being physically in contact with the SIM to decrypt it,  a so-called “side-channel attack”), sometimes attackers can gain knowledge about the secret key by measuring the power usage of the chip under attack.  On the other hand, if the algorithm is secret, then it is impossible for an attacker to map power fluctuations against a model, since all he has is a seemingly patternless output from an engine of unknown design. 

The use of secret algorithms is generally thought of these days as a “bad thing”, since if the algorithm is openly published it means that academics and researchers can test the thing to death and publish vulnerabilities that they find.  This should result in better algorithms and fewer defects in the long term.  Babbage doesn’t argue in favour of “cobbling something together in secret”, but rather he is saying that if you take a proven good thing like AES/Rijndael, and then add a further secret component to the algorithm, then the intellectual rigour is still there, with an added component to defeat foes.  

What do you think about security via obscurity?