Monthly Archives: January 2007

Truth in Caller ID Act of 2007

In case anyone missed it, the Truth in Caller ID Act (now of 2007!) was re-introduced in the House as HR 251 on January 5th. The Senate’s version of the previous bill never passed during the 109th Congress, so here we go again… While re-reading the bill, however, I noticed something interesting that I hadn’t noticed before:

`(1) IN GENERAL- It shall be unlawful for any person within the United States, in connection with any telecommunications service or VOIP service, to cause any caller identification service to transmit misleading or inaccurate caller identification information, with the intent to defraud or cause harm.

By specifically naming VoIP service separately from other telecommunications services, and then defining what a VoIP “service” is:

`(C) VOIP SERVICE- The term `VOIP service’ means a service that–

`(i) provides real-time voice communications transmitted through end user equipment using TCP/IP protocol, or a successor protocol, for a fee or without a fee;

This wording seems very specifically to cover only communications carried using TCP/IP (or successor protocols to both TCP and IP, used together), and so to leave out any communication on the Internet or any other “non-telecommunications” network that is not transmitted via both IP and TCP.

Now, I’m no lawyer by any stretch of the imagination, but that seems fairly clear to me. If so, caller ID information transmitted via any other transport protocol running over IP, or otherwise, is not affected by this law. Does that mean that if my signaling traffic happens to be UDP, as much of it is or can be (SIP, for instance, is most commonly carried over UDP), it is then not subject to this law? I wonder whether the lack of technical savvy in the U.S. Legislature may be introducing a convenient loophole for an attacker’s attorney to exploit at trial… birds of a feather, after all.

Series of tubes, indeed.

Lawful Intercept and Crocodile Clips

Those interested in the topic of Lawful Intercept (LI) and CALEA might be interested in a new blog over on the TMC site.  Scott Coleman of SS8 is writing a new column called Demystifying Lawful Intercept and CALEA.  The cunningly-named SS8 market a number of products including LI solutions. And no, LI is not done with crocodile clips.

VOIPSA Best Practices – LAST CALL for comment on document structure

Over on the Best Practices mailing list, I have now issued a last call for comments on the structure of the document. The document structure question is outlined on the Development Process page in the VOIPSA wiki. Right now all signs point to a near-consensus on using proposal #2 to structure the document around functional areas… but I asked yesterday for any final comments.  Barring any last-minute cascade of outrage and desire for another structure, I’ll make the decision tomorrow morning and we’ll get down to work.  Comments can be left here on the blog if you want, but the best place to route them is probably the mailing list.  Thanks.

Learning to Distrust Steve

In a recent Rich Tehrani blog entry, he touched on the subject of a type of email phishing attack termed Spear Phishing.  For those that have not heard the term before, Rich describes it:

“In a recent US example, a phisher bluffed his way into the network of a port authority by spoofing an internal email address. Once on the inside, with an apparently genuine email identity, he was able to fool employees into revealing passwords for applications.

This sort of attack has been termed ‘spear’ phishing, designed to bamboozle unsuspecting ‘colleagues’ into revealing information that will give the perpetrator access into secure areas of corporate networks. “

This type of attack is possible because many email services either don’t insist on any kind of authentication, or, when they do, never look at the ‘From’ address you put in the message header and check that it is consistent with the address belonging to the account you authenticated with.  This is one of the weaknesses of today’s email system that makes life so easy for spammers.

Unfortunately, Spear Phishing also applies to VoIP, since in many cases VoIP services can be fooled into using and displaying a false caller ID number.  So you can imagine the scenario:  You are sitting at your office desk, and a call comes in to your desk phone.  The number on the display is 400, and this is the extension you normally call to reach the IT help desk.  It’s definitely not an ‘outside’ number.  You pick up, and although you didn’t know that the IT help desk now has a technician called ‘Steve’, if he knows one other bit of corroborating information, this may be enough to make you accept that he is bona fide.  In the conversation that follows, he might tell you that Mike from Sales called him, and ask whether you can tell him where Mike is.  Of course, if he knows that Mike sits near you, you might be tempted to believe that Steve is for real.  Bingo.  Now maybe you’re ready to tell him something secret?

Of course this kind of confidence trick is nothing new; it just uses new tools to achieve the same goal.  The defence?  Well, if you have the slightest doubt about someone’s veracity, offer to call them back, and do not use any information they have given you to do it.  For example, call someone else you know in the help desk, and ask them about ‘Steve’.  “Steve who?”
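The same gap exists on the VoIP side as on the email side: the caller ID a phone displays is whatever the signaling says it is. A PBX or session border controller can at least notice when a message claiming to be an internal extension arrives from outside the network. The following is an added example, not code from VOIPSA, Mitel or any vendor, showing that check on a constructed SIP INVITE over UDP (the transport discussed in the Truth in Caller ID post above). The address ranges, the three-or-four-digit extension format, and the hostnames in the sample message are assumptions.

```python
"""Flag SIP INVITEs that present an internal extension as the caller but
arrive from outside the PBX's own network (added example, not the blog's
or any vendor's code; networks and extension format are assumptions).
"""
from __future__ import annotations

import ipaddress
import re
from typing import Optional

# Assumed: the PBX and its phones live in these ranges (hypothetical).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# Assumed: internal extensions are 3 or 4 digits, e.g. 400 for the help desk.
INTERNAL_EXTENSION = re.compile(r"^\d{3,4}$")


def parse_sip(raw: str) -> tuple[str, dict[str, list[str]]]:
    """Split a SIP request into its request line and a header map.

    SIP header names are case-insensitive, so they are lower-cased;
    repeated headers (Via, Record-Route) are kept in order of appearance.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    headers: dict[str, list[str]] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return request_line, headers


def from_user(headers: dict[str, list[str]]) -> Optional[str]:
    """User part of the From URI, e.g. "400" from
    From: "IT Helpdesk" <sip:400@pbx.example.com>;tag=1928301774"""
    match = re.search(r"sips?:([^@;>]+)@", headers.get("from", [""])[0])
    return match.group(1) if match else None


def via_transport(headers: dict[str, list[str]]) -> Optional[str]:
    """Transport named in the topmost Via (UDP, TCP, TLS, ...).

    This is what the sender *says* it used; it is reported for context
    and is deliberately not used in the decision below.
    """
    match = re.match(r"SIP/2\.0/(\w+)", headers.get("via", [""])[0])
    return match.group(1).upper() if match else None


def classify_invite(raw: str, peer_ip: str) -> str:
    """Classify an INVITE using the socket peer address, not any header.

    Via, From and P-Asserted-Identity are all written by the sender and can
    say anything; the IP address the packet actually came from is the one
    thing a caller who wants the call to complete cannot freely choose.
    Returns "internal", "external", "spoofed-internal" or "malformed".
    """
    _, headers = parse_sip(raw)
    caller = from_user(headers)
    if caller is None:
        return "malformed"
    inside = any(ipaddress.ip_address(peer_ip) in net for net in INTERNAL_NETS)
    claims_extension = bool(INTERNAL_EXTENSION.match(caller))
    if claims_extension and not inside:
        return "spoofed-internal"
    return "internal" if inside else "external"


# Constructed sample: "Steve" comes in over a trunk from 203.0.113.7 (a
# documentation address) but sets From to the help-desk extension 400.
# Line endings are CRLF as SIP requires.
SPOOFED_INVITE = "\r\n".join([
    "INVITE sip:1234@pbx.example.com SIP/2.0",
    "Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bK776asdhds",
    'From: "IT Helpdesk" <sip:400@pbx.example.com>;tag=1928301774',
    "To: <sip:1234@pbx.example.com>",
    "Call-ID: a84b4c76e66710@203.0.113.7",
    "CSeq: 314159 INVITE",
    "Contact: <sip:400@203.0.113.7>",
    "Content-Length: 0",
    "", "",
])

if __name__ == "__main__":
    headers = parse_sip(SPOOFED_INVITE)[1]
    print("transport:", via_transport(headers), "caller:", from_user(headers))
    print("from the trunk:", classify_invite(SPOOFED_INVITE, peer_ip="203.0.113.7"))
    # The identical message from a phone on the LAN is an ordinary internal call.
    print("from the LAN: ", classify_invite(SPOOFED_INVITE, peer_ip="10.1.2.3"))
```

The decision is keyed on the transport-layer peer address rather than on the Via or Contact headers precisely because those headers are as spoofable as From. A trunk that legitimately carries extension-to-extension calls between sites would need its gateway addresses added to the internal list; otherwise every such call would be flagged.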


Skype Security Blog – Deploying Skype in a Windows domain – and looking for feedback

For those of you out there looking at Skype, Skype CSO Kurt Sauer has written a post over on the Skype Security Blog titled “Deploying Skype in a Windows domain” where he talks about the changes Skype has made to give administrators some degree of greater control over Skype.  He also includes these questions and an invitation for feedback:

However, there remains much work to be done. Some of the key questions I have for the future are:

  • What’s the best way to manage non-Windows devices (Macs and Linux) in a way that can be federated or managed in an enforceable way?
  • Should we support some kind of policy broadcast mechanism, to require and/or suggest that itinerant users on networks follow certain policies, such as the use of a specific outbound proxy?

There is a lot of work ahead for us — not just in the policy area but in security as a whole. Policy management is just one part of the process, but it is an important part. Feel free to send your thoughts to us at security@skype.com or make reply comments to this posting.

So for those of you wanting to provide feedback to Skype… they are looking for it.

(Tip of the hat to Irwin Lazar who posted about this and blogged his feedback.)

Speaking in Norwalk, CT, on January 18th about VoIP security

UPDATE:  The event has been postponed, so I won’t be in CT this week.
FYI, if any readers happen to be in the Norwalk, CT, (USA) area next Thursday, January 18th, I’m going to be speaking at a VoIP Security Awareness Seminar sponsored by a Mitel reseller. Obviously I’m speaking there wearing a Mitel hat rather than a VOIPSA hat, but if you’d like to hear that perspective, you’re welcome to attend. If you are a blog reader or Blue Box listener and do attend, please do identify yourself… I definitely like meeting people who listen to the show or read these blogs.

Voice SPAM – the Fightback Begins

Voice SPAM is increasingly a problem, as the cost of making calls gets lower and lower in real terms.  I was interested to see that GrandCentral are taking steps to block Voice SPAM for their customers.  If you haven’t come across GrandCentral yet, they have an interesting product offering that allows you to have one telephone number from them, a single voicemail system, and the ability to have inbound calls follow you to whatever fixed or mobile devices you are using at any moment.  They also have a lot of advanced features like color ringback (CRBT), call screening, and control via a web interface.

We’ve talked here before about caller ID spoofing, i.e. that using various services you can lie about your source telephone number.  GrandCentral say on their blog that they know the caller’s number even if the caller ID is not displayed: I presume this means they’re using some good, old-fashioned SS7 signalling technology (rather than IP and SIP), where the calling party number travels in the ISUP call setup with a presentation indicator, so a “withheld” number is still present in the signalling even though the called phone does not display it.  It will be interesting to see if a blacklisting approach works in the long term, since in the future spammers using VoIP technology to initiate SPAM will not be connected directly to today’s digital telephone networks, but instead will be using some kind of gateway to cross from VoIP to traditional networks.  Presumably once such a VoIP gateway gets blacklisted, the spammers will simply move to the next gateway with a change of IP address.


Building a VoIP Network

Dean Elwood, one of the founders of voipuser.org (a free VoIP service provider and online magazine) recently wrote an interesting article called “How To Build A Voip Network: 7 rules for the VoIP entrepreneur in 2007.“  It’s a great read from someone with experience of creating value from a VoIP service, rather than the usual marketing “talking head”.  It also raises some interesting VoIP security questions, including Session Border Controllers, Lawful Intercept, Denial of Service and confidentiality.

VoIP News gets it basically right with “How Secure Are Your VoIP Calls?”

Yesterday the VoIP News web site posted a feature article: How Secure Are Your VoIP Calls? It includes quotes from both Jonathan and myself and generally makes the points we’ve made both here and on Blue Box around VoIP security. Overall a good article with only a few minor nits to pick:

  • The question I would generally suggest customers ask their enterprise vendor is “What do you do to secure voice communication over the LAN?”
  • I don’t know that I would have said enterprise phone systems were “enterprise stuff” but hey, you get the idea.
  • In the second bullet at the end, the point is to ensure that call control (signaling) is encrypted or otherwise protected. Many people first think of encrypting the voice media because eavesdropping is something easy to understand, and they don’t think about call control. Yet you could argue that call control is perhaps more important, because far more devious things (redirecting, tearing down or hijacking calls, rather than merely listening to them) can be done if you can corrupt call control.
  • Unless he’s holding out on us, Mark Collier does not write the VoIP Lowdown blog that had this list of VoIP security challenges. In fact, if you note, Mark commented on the article (and perhaps because he was the last commenter someone assumed he wrote the blog). Mark actually writes over at www.voipsecurityblog.com (where I note he has a nice new header image and picture) as well as here on this blog once in a while. He actually has a post on his blog pointing over to this list on VoIP Lowdown.
  • It’s actually not entirely clear from the post who did write that list at VoIP Lowdown, but on this page it states that the writer was Pushpa Sathish, who is also the person now having a byline on all the new posts since that time (which is good because it will save them this attribution issue in the future).

Again, relatively minor details in the grand scheme of things (although Pushpa Sathish may not appreciate the attribution going to Mark) and a good contribution to the overall conversation on VoIP security.

Thanks, VoIP News, for running the feature story!