Monthly Archives: April 2009

New Threats, Old Friends

On a lightning visit to the Infosec show in London, I chanced to meet with Ari Takanen of Codenomicon (fuzzing and quality assurance experts). Ari has a new book out: “Fuzzing for Software Security Testing and Quality Assurance”, from Artech House, available at Amazon.com and (as they say) all good bookstores. Of course, just because there’s a credit crunch doesn’t mean that security is any less of a problem, and it doesn’t mean that software defects are any the better. It sounds like Codenomicon have a pretty good market niche.

Enigma Machine

Facetime were talking about their new Unfied Security Gateway. This appliance goes beyond URL blocking and reporting, and implements reporting for VoIP and Skype, and the whole range of IM and P2P applications. In addition they have some pretty granular tools for finding out what the usage of social sites like Facebook (FB) and Myspace, and the resulting bandwidth usage might be. You can even drill down into the subsections being used (apps, music etc), which will be useful as increasingly FB is used for legitimate messaging and networking purposes in business. Facetime’s “special guest” on the stand was an original Engima encryption device, brought down from Bletchley Park (a.k.a “Station X”), the UK’s premier code-breaking museum. This is a refurbished and fully working Enigma, and on the Facetime stand they were even allowing us to have a go. I can report that it is satisfyingly mechanical to use.

AEP were also there showing some high-grade encryption equipment for enabling remote sites with access to secure systems. Law enforcement and government customers have a legal duty to protect the data that they handle, which and even remote users (or temporary sites) must protect data from snooping. Data at rest is a particular risk, and UK government agencies have embarrassingly lost large numbers of laptops and pen drives in recent years. It’s safer to leave the data in the secure site (rather than the USB stick) and access it over secure links when needed. The AEP solution fits into a laptop bag, and enables a team of people to share secure data and VoIP links to a central site, routed over any convenient satellite, 3G or WAN links.

The Infosec show is still on today and tomorrow at Earls Court exhibition centre in London.

Annual breach reports, is anyone listening?

Verizon recently released its data breach report for 2009. I was interested in reading this as I still have the 2008 report. What better way to educate yourself on trends, good or bad, then comparing historical data when someone else is taking the time to do the work for you? Quickly comparing the two reports I was surprised to find very little appears to have changed. I was hoping to see improvements in increased awareness, improved processes mitigating attacks and possible new attack vectors due to this vigilance, but unfortunately this was not the case. The most telling was the section regarding attack difficulty. In 2008 approximately 55% of attacks required no skill or that of a ‘script kiddie’. In 2009 this total number decreased to 52% but surprisingly there was an increase in the ‘no skill’ needed – from 3% to 10%. Based on this report it appears that security professionals are not getting the message across regarding the basics of securing systems. Now I understand that this is one report from one vendor but Verizon is a known name as a provider. You have to assume they respond to and investigate claims by customers with their service offerings and the report should carry some weight regarding security threats and trends. One wonders if this report opens a window to the current state of VoIP security. Even during difficult economic times it appears VoIP deployments are maintaining a good pace. The expense to deploy VoIP when measured over the operating expense ROI (using the existing ip network for interoffice calls, SIP Trunking, unified communications to streamline business processes) is still attractive. Regarding a VoIP security focus are we in the industry doing enough to emphasizing the need to secure VoIP? What can we do to improve getting the message across?

Making Phones Theft-Proof

Of course you can’t stop criminals from stealing mobile phones; they’re small, they’re expensive and there are many channels (online and offline) for selling the handsets on. However, it should be possible to make the things useless once stolen, to make resale difficult or impossible, ultimately reducing the demand for theft.

The Design Council in the UK are currently running a competition to generate ideas to make mobile phones safer, with the best idea receiving support to the tune of £100,000 to develop the idea further. This seems to me a whole lot better way to raise money than appearing on Dragons Den for a ritual butt-kicking and dilution of your share capital.

As I discovered to my cost at the recent Mobile World Congress in Barcelona, mobile phone crime is rife, and a barbarian horde of dark ages proportions is seemingly there working the city for February. I heard tales of muggings, crews targetting group dinners in restaurants, and of course pickpockets. One friend of mine had an experience in the Metro with one guy blocking his way, while another tried to slip a hand into his pocket from the other side. My friend is over 2m tall, and looks more like an international rugby player than a telco geek, and probably could have wiped the floor with both of them at the same time. Some of these teams have no fear.

In my case, my Nokia smartphone disappeared never to return. They got no satisfaction from the SIM card (which was PIN-locked), but sadly I had disabled coded locking on the handset itself, making it a useful asset, possibly worth £70 on Ebay. Just look for smartphones with no cables, no charger, no manual; guess where they came from?

Incidentally, my phone was marked with a label from yougetitback.com, a worthwhile property registration and return service. Sadly in this case, the phone didn’t fall into the hands of “friendlies”, but rather those of WeHaveNickedYourPhone.com.

Of course with smartphones the problems don’t stop with your cellco contract being exposed to call fraud, or the sale of the handset itself. The phone also contains signup information in applications, and the data itself. In my case, several applications were installed including Skype, Truphone and Gizmo. A lot of VoIP apps have the capability to connect out to the PSTN using some kind of pre-pay balance, which of course could also be at the mercy of a crim once he gets his hands on your smartphone.

With the proliferation of app-stores, many handsets may also be ready to provide “free” downloads to the enterprising criminal. In general, there is a lot of industry work going into making mobile phones into “wallets” that can be used for a whole variety of micro-payments, for example car parking fees. In addition there maybe DRM-locked content that is in the handset when stolen; it has a monetary value, and yet is difficult claim on insurance.

Smartphones can potentially have a lot of different apps loaded, and if we are lazy we mght have them setup (for our own convenience) to logon automatically to countless online systems. The risk is not only financial, but also opening you to impersonation and data theft, via a variety of online services that you access from your phone.

We certainly need to think hard about the way we use services and the way we buy using our mobile handsets. PIN-codes, passwords, time-locks and encryption are tools that we should have enabled, even though it means more inconvenience for us to make calls, lookup our location and so on. I hope the £100K Design Council bursary generates some good ideas, and for my barbarian friends that visit Barcelona each February, let me wish you failure and humiliation in your every venture.

Amusingly, at the time my phone was stolen, I was running a number of location applications including Palringo, Buddycloud and I think also Google Latitude (and yes, it does run hot with all the apps running!). A friend suggested that we go and look-up where the handset travelled to, and then put the Police on to them! Sadly, in this case the crim was not so dumb, and had already powered-off the phone. That would have been sweet revenge indeed.

European legislation will force usage of encrypted VoIP

Last year Sweden effectuated a law giving the Powers That Be the right to listen in on all Internet traffic passing the border of the country. Sweden was just the first country to put such legislation into play. When I was visiting the CeBIT fair in Hannover earlier this year, I learned the Germany also are putting such legislation in place and that other EU countries will follow suit.

The really grave issue here is that the Powers That Be can monitor and intercept such traffic without needing a court order. Yes – you read this correctly. It is no joke.

So what does this have to do with your legal VoIP traffic?

The huge problem with this scenario is that you will have low-level clerks listen in on your business conversation. In theory, the VoIP packets passing through the wire will never get into the hands of a 3rd party modulo the person monitoring your conversation. In certain parts of the business world the climate is so harsh that corporate espionage is more the rule than the exception. The easiest way to get to information is to pay someone to leak that information to you. So what you really need is access to the right one of those low-level clerks and just pay enough money to get hold of your information.

Do not get me wrong – I am not saying that every people on the planet is corrupt, but it would be sticking your head in the sand if you do not believe that corruption does exist. Even in, what appears to be, more open European countries corruption exist. It would thus be very strange if a low paid clerk would not give away information to the wrong people.

Also, if a clerk is approached by a company from their own country and is asked to “help out with the foreign competitors” – this may be deemed morally acceptable. After all – who does not want to help their own kind. In fact, this is really nothing new and it is not uncommon that this is even done pro bono. From time to time we read about Powers That Be handing over secret information to domestic companies regarding their foreign competitors.

Especially in a country like Germany people are not happy. People from the former East Germany still have the workings of the Stasi fresh in their mind. Most Germans seems to be very weary to issues regarding monitoring and signal interception.

The current legislation’s in the various countries regarding signal interception is still too new to have had any negative impact on law abiding citizens. However, it is only a matter of time before we are going to read in the press about company secrets being spilled by persons close to, or working in, the Powers That Be. When this happens the press will have a field day.

The net result is that when this happens, many more people will actively begin to seek encryption capabilities for their business communication. First out will be email. Second out will be VoIP traffic. Telephony is still a very important business tool

A very interesting observation so far is that European VoIP equipment manufacturers are putting readily available encryption schemes into their offerings – this to a bigger extent than their American counterparts. This may have to do with what the market wants. A recent BBC Digital Plantet podcast outlined the same view: It seems that in Europe we are much more concerned about privacy than elsewhere.

Currently there are a slew of providers offering encrypted telephony solution and there are even a few that do encrypted VoIP. If the offering is done right these companies will become the heroes of 2010.

After reading this article you should really ask both your equipment vendor and your service provider if they are planning to offer encrypted VoIP. My guess is that they will probably look at you with blank eyes and not understand what you are asking.

New voices coming soon to “Voice of VOIPSA”…

I’m very pleased to say that the response has been great to my request for new contributors to this site and over the past few days I’ve given author credentials to nine new authors. They represent a great range in experience and geography. A couple are seasoned VoIP/communication security professionals who have been around VOIPSA circles for a while and in a couple of cases have written books on the topic. (Some I’ve written about here or interviewed on Blue Box.) Others have been involved in security or VoIP but haven’t really had a profile in “VoIP security”, per se. And there are a couple who are brand new to the field but have some great passion to contribute.

I’m also pleased that we’ve added a couple of Europeans so that Martyn Davies is no longer holding down the fort as the only non-US regular contributor. We’ve also added our first contributor from India (or for that matter anywhere in Asia). While the vast majority of VoIP security issues have no relation to geography, there are of course laws and regulations that come up in different regions, as well as regional news items, and so it is nice to have a wider geographical distribution.

Thanks again to all who responded (and we’re still open to others) and we look forward to the additional posts they may bring over time.

Our whole goal with this site is to create conversations around VoIP / communications / UC / SIP security regarding what the issues are, what the “real” dangers are (as opposed to those sometimes hyped in the mainstream media), what the solutions are, etc. so that in the end we will all have safer and more secure communication systems.

Thanks to all of you – both writing and reading – for joining in that conversation.

If you found this post interesting or helpful, please consider either subscribing via RSS or following VOIPSA on Twitter.

You can now follow VOIPSA on Twitter

Yes, indeed, the VoIP Security Alliance has joined the Twittersphere with:

http://twitter.com/voipsa

Feel free to follow us there if you are a Twitter user. The primary reason we are on Twitter is so that Twitter users can follow whatever blog posts we post here on the Voice of VOIPSA blog. We’ve noticed over time on other sites (and in our own actions) that some folks prefer to be notified of new blog posts via Twitter versus a RSS feed. So now you have that choice. Subscribe via RSS or via Twitter. We’ll respond to tweets as well, of course, but our primary goal is to provide another way to consume VOIPSA content.

If you are on Twitter, please do feel free to follow us. Thanks.

Looking for a few good VoIP security writers…

Are you interesting in writing about VoIP security? In providing updates on security news? Product reviews? Threat analyses? Notes about recent security advisories?

Would you like your writing to appear on this blog?

As you have probably noticed, the frequency of our posting here in recent months has dropped a bit. It’s definitely not for lack of content… anyone subscribing to a Google Alert on “voip security” or subscribing to the VOIPSEC mailing list will know that there are definitely ongoing VoIP security issues. But we collectively haven’t been writing all that often about those issues here on this blog. Many reasons… but mostly that those of us who have been writing for the three years since we started this blog have just been finding ourselves insanely busy and not able to make the time to write here frequently. A couple of folks have moved into roles where they no longer work directly with VoIP security. Others have started their own blogs or just gone on to other things.

So we are looking to recharge the “Voice of VOIPSA” writing corps a bit. Our goal all along has been to make this site a portal for news and analysis about “VoIP security” in whatever form that may take. We are looking for people who might be willing to write short notes about news stories related to security of VoIP, Unified Communications, etc. We are also looking for people interested in writing longer pieces like some of the deep analyses we have posted here in the past.

VOIPSA’s overall mission is to raise the level of discussion about communication security issues in the IP space – and we’re looking for anyone who would like to help us in doing that through this blog.

The only major requirement we have for writers here is that any pieces must be vendor-neutral, i.e. we are not looking for people to write here about how their company’s product will solve all your security woes. We’re not a marketing site for either VoIP or security vendors. However, we do welcome posts from people at those companies that talk about the general state of the industry. We also welcome posts from folks who may not be at any company in the space but are just passionately interested in the topic.

If you are interested in writing for Voice of VOIPSA, please send me an email expressing your interest and providing some background about your connection to VoIP security. If you write at an existing weblog, even on a completely different topic, it would be helpful if you sent along that link as well.

Thanks for continuing to follow this site and after three years of blogging, we’re looking forward to continuing to provide you information and analysis about VoIP/communication security for the next three years… and beyond!

Technorati Tags:
, , , , ,