Monthly Archives: April 2007

Rampant Italian Wiretapping Spurs Consumer Encryption Use

According to the New York Times, consumers in Italy are rapidly moving toward encryption for voice calls because of the rampant publication of private conversations, both those leaked from government wiretaps and those recorded through private means. From the article:

What has spurred encryption sales is not so much the legal wiretapping authorized by Italian magistrates–though information about those calls is also frequently leaked to the press–but the widespread availability of wiretapping technology over the Internet, which has created a growing pool of amateur eavesdroppers. Those snoops have a ready market in the Italian media for filched celebrity conversations.

It would seem that in Italy, it’s fairly common to take someone’s private conversations straight to the press… Even the national telco’s head of Security was in on the game:

This year, Bonini’s name was among thousands that surfaced in an illegal-wiretapping scandal involving employees of Telecom Italia, the Italian phone company.

Twenty people were arrested, including the former chief of Telecom Italia security, in what investigators say was an attempt to use the intercepted phone conversations to blackmail Italian public figures.

Many of the cell-phone encryption products mentioned in the article that are being marketed to Italian consumers sound a lot like Zfone, essentially providing end-to-end encryption for the audio between two devices that run the encryption software in advance of the call.

Blue Box Podcast #56 – Voice encryption tutorial, Skype worm, ZFone and PKI, VoIP security news and more

Blue Box Podcast #56 was posted yesterday with a look at the recent Skype worm, a comparison of ZFone and PKI, McAfee’s Sage Journal, VoIP security news and more. With this show, Jonathan and I also began a series of mini-tutorials we will be doing on VoIP security issues. In this episode we talked about voice encryption – why it is important and what the major methods are. Next time we’ll talk about call signaling encryption. See the detailed show notes for a full description of what was discussed.

FYI – VOIPSA member blogs now listed in the right sidebar

Careful observers of this site may have noticed a new sidebar block titled “VOIPSA Member Blogs”.  This is something we decided to do for members of the VOIPSA Technical Board of Advisors and other folks involved with VOIPSA.  Please do check out those other weblogs, and if you are a TBA member with a blog who missed my original message about this sidebar, please do contact me and we’ll be glad to add your weblog.

VOIPSEC mailing list issues – we’re looking into it

UPDATE: The list has been fixed. There was a server connectivity issue that caused the software to think a number of addresses were no longer reachable. All users have now been re-subscribed so you can safely ignore that message.

If any of you are subscribers to the VOIPSEC mailing list, you may have received a message this morning indicating that your subscription has been disabled due to excessive bounces and providing a link you could go to in order to re-enable your subscription… which didn’t work. We are aware of the issue and are looking into what is happening. We’ll post here when we have an update. (And no, we don’t think it had anything to do with the Blackberry outage! 😉)

Blue Box Podcast #55: IP phone vulnerabilities, ZRTP and IETF, Skype security, listener comments and more

Blue Box Podcast #55 was posted today with a look at recent vulnerabilities in IP phones, VoIP security news and a feature section about the IETF meeting and the discussion there around SRTP key exchange, ZRTP, etc., plus a great many listener comments and much more. See the detailed show notes for a full description of what was discussed.

Skype with a ‘Z’

IP Softphone specialists CounterPath recently announced that they will license Phil Zimmermann’s ZRTP (Zfone) technology for use in their client products, namely eyeBeam and X-Lite, joining other publicly announced licensees Borderware, PGP Corp, Ripcord and TiVi.

As you may know, ZRTP has done very well in terms of acceptance in the last few months. Zimmermann has many friends in the security community, but also has great credentials in the open source world. ZRTP is an openly published protocol, but also is available as source code, thereby making it possible to test in all kinds of ways, not only closed-box (black box) testing but also in terms of working through the algorithm and even unit testing the code.

At the recent IETF meeting, methods of key exchange were discussed, as subscribers to the Voipsec list (from the VOIPSA site) cannot have failed to notice. The IETF have gone from a list of thirteen proposals down to a final two, and ZRTP is one of those, despite being considered by some as a latecomer. Many organizations and people that I have come across trust in Zimmermann and believe that ZRTP is the answer.
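Since both the Italian consumer products above and the ZRTP licensees here rely on the same idea, a fresh key agreement per call with no PKI, here is a small illustration of how that works end to end. This is an added example, not Zimmermann’s, Zfone’s or any licensee’s code: it does an ephemeral Diffie-Hellman exchange (RFC 3526 group 14, chosen only because it runs with the Python standard library; ZRTP’s own groups differ), derives a media key and a four-character short authentication string (SAS) from the result, and protects each audio frame with encrypt-then-MAC. HMAC-SHA256 in counter mode stands in for SRTP’s AES-CM, the 8-byte tag and the SAS derivation are simplified stand-ins, and the `Endpoint`, `protect`, `unprotect` and `simulate_call` names are this example’s own. The `interposed=True` case is the failure mode the SAS exists to catch: a relay that completes a separate exchange with each side keeps the call working, but the two users read out different SAS values.

```python
"""ZRTP-style per-call keying and media protection (added illustration,
not Zfone's code).  Assumptions: RFC 3526 group 14 for DH, HMAC-SHA256
counter mode instead of SRTP's AES-CM, simplified SAS derivation."""
import hashlib
import hmac
import secrets

# RFC 3526 MODP group 14 (2048-bit), generator 2.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
P_BYTES = (P.bit_length() + 7) // 8
Z_BASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"  # alphabet ZRTP uses for its B32 SAS


def sas_from_secret(shared: bytes) -> str:
    """Four z-base-32 characters (20 bits) derived from the DH result.  Both
    parties read theirs aloud; a mismatch means they did not share one exchange."""
    bits = int.from_bytes(hmac.new(shared, b"SAS", hashlib.sha256).digest()[:3], "big") >> 4
    return "".join(Z_BASE32[(bits >> shift) & 31] for shift in (15, 10, 5, 0))


class Endpoint:
    """One party to a call, holding a DH key generated for this call only."""

    def __init__(self):
        self.priv = secrets.randbits(256)
        self.pub = pow(G, self.priv, P)
        self.key = None
        self.sas = None

    def complete(self, peer_pub: int) -> None:
        shared = pow(peer_pub, self.priv, P).to_bytes(P_BYTES, "big")
        self.key = hmac.new(shared, b"media master key", hashlib.sha256).digest()
        self.sas = sas_from_secret(shared)


def _keystream(key: bytes, seq: int, n: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256; a stand-in for SRTP's AES-CM.
    out, block = b"", 0
    while len(out) < n:
        out += hmac.new(key, seq.to_bytes(4, "big") + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:n]


def protect(key: bytes, seq: int, frame: bytes) -> bytes:
    """Encrypt-then-MAC one media frame: 4-byte sequence, ciphertext, 8-byte tag."""
    header = seq.to_bytes(4, "big")
    body = bytes(p ^ k for p, k in zip(frame, _keystream(key, seq, len(frame))))
    tag = hmac.new(key, header + body, hashlib.sha256).digest()[:8]
    return header + body + tag


def unprotect(key: bytes, packet: bytes):
    """Return the frame, or None when the tag does not verify under this key."""
    header, body, tag = packet[:4], packet[4:-8], packet[-8:]
    if not hmac.compare_digest(tag, hmac.new(key, header + body, hashlib.sha256).digest()[:8]):
        return None
    seq = int.from_bytes(header, "big")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, seq, len(body))))


def simulate_call(frames, interposed=False) -> dict:
    """Alice sends `frames` to Bob.  With interposed=True a relay completes its
    own exchange with each side: the call still works, but the SAS values differ."""
    alice, bob = Endpoint(), Endpoint()
    if interposed:
        relay_a, relay_b = Endpoint(), Endpoint()  # relay's key toward each side
        alice.complete(relay_a.pub); relay_a.complete(alice.pub)
        bob.complete(relay_b.pub); relay_b.complete(bob.pub)
    else:
        alice.complete(bob.pub); bob.complete(alice.pub)
    wire = [protect(alice.key, i, f) for i, f in enumerate(frames)]
    if interposed:
        wire = [protect(relay_b.key, i, unprotect(relay_a.key, p)) for i, p in enumerate(wire)]
    received = [unprotect(bob.key, p) for p in wire]
    return {
        "sas_match": alice.sas == bob.sas,         # what the two users compare
        "audio_intact": received == list(frames),  # the call works in both cases
        "plaintext_on_wire": any(f in p for f, p in zip(frames, wire)),
    }


if __name__ == "__main__":
    audio = [b"constructed audio frame 1", b"constructed audio frame 2"]
    print("direct call:   ", simulate_call(audio))
    print("interposed call:", simulate_call(audio, interposed=True))
```

The point to take from the two printed dictionaries is that a passive capture of the wire yields nothing either way, while the interposed case is invisible to the software and visible only to the two people comparing a four-character SAS; that comparison, not the cipher, is what stands in for a PKI in this design.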

If we go to the opposite end of the trust scale, we find Skype.  Poor old Skype are still getting weekly batterings from press critics on the security front.  A lot of the same criticisms are brought up time and time again, and in fairness Skype have countered a lot of the concerns, by allowing features to be switched off, changes to the package and so on.  We don’t need to rehearse all those issues here once again.

However, the issues that keep coming up, and which Skype have not argued away are those of security by obscurity and the secrecy of the protocols they use for encryption and key exchange. Famously, Skype hired security expert Tom Berson to write a report based on a long evaluation of Skype’s security provisions, but most academics still desire transparency, and the ability to evaluate the algorithms for themselves.

Academics and commercial security experts both say that simply using a secret algorithm is no guarantee of safety. Furthermore, the fact that it is secret merely means that when someone does compromise Skype, the detection and mitigation of the problem will be slowed down or prevented. Skype at that point becomes a dangerous ‘bot’ sitting behind thousands of firewalls.

What better time, then, for Skype to embrace ZRTP? Licensing ZRTP can hardly be a problem for Skype and its eBay parent, and there is so much to gain from this. A large community of security and VoIP specialists already believe in ZRTP; the IETF likes it; commercial acceptance exists in licensees in the Softphone and Session Border Controller market. IT Managers, I’m sure, would be happier with Skype usage in the workplace if they were allowed to detect and control it, and (who knows, with key escrow) in some way to log and record from it.

Come on, Skype, grab the nettle. The tools are in your hands to silence your critics.

Voice of VOIPSA is part of the “Security Bloggers Network”

A comment to one of Shawn’s recent posts made me realize that I hadn’t mentioned here that some time ago this blog was added to the “Security Bloggers Network”, which is a Feedburner “network” of blogs. If you follow the previous link, you’ll see links to the 68 blogs currently part of the network. You can read the blogs, subscribe to their individual feeds, or, if you want, you can subscribe to the network feed to get all posts across all network blogs. We are glad to be a part of the network and to be getting news about VoIP security out to an even broader audience. We encourage you to check out the network home page and explore the many other great blogs out there on security.

Gold on VoIP Security

Over on his blog Steve Gold laments the lack of focus on VoIP Security at the recent VoIP for Business event in London, and also talks about the failure of Ofcom (the Office of Communications in the UK) to take on the issue in their recently published VoIP service provider regulations. 

For those that don’t know the name, Gold is a security consultant of some pedigree: he was famously prosecuted by the UK government back in the 1980s for compromising accounts in the Prestel system, a videotex system that was one of the world’s first online networks. The failure of this prosecution led to the drafting of the Computer Misuse Act in the UK.