Archive for the ‘VoIP Security’ Category
Is someone using your VoIP phone to eavesdrop on you?
A leading member of the Jericho Forum has criticised the security of voice-over-IP technology after security researchers revealed that it was possible to eavesdrop on VoIP conversations.
An eavesdropping vulnerability was revealed on the popular Full Disclosure mailing list on Wednesday. Vulnerability researchers Humberto Abdelnur, Radu State and Olivier Festor claimed the exploit could allow a remote attacker to turn a VoIP phone into an eavesdropping device, citing a Grandstream SIP phone as an example.
The Jericho Forum is an international group of leading corporate security professionals, academics and vendors, and promotes the development of secure software architectures, among other IT security interests.
As a follow-up to our story from last year, the VoIP hacker who made a million stealing VoIP service has an interview with InformationWeek:
Convicted hacker Robert Moore, who is set to go to federal prison this week, says breaking into 15 telecommunications companies and hundreds of businesses worldwide was incredibly easy because simple IT mistakes left gaping technical holes.
Moore, 23, of Spokane, Wash., pleaded guilty to conspiracy to commit computer fraud and is slated to begin his two-year sentence on Thursday for his part in a scheme to steal voice over IP services and sell them through a separate company. While prosecutors call co-conspirator Edwin Pena the mastermind of the operation, Moore acted as the hacker, admittedly scanning and breaking into telecom companies and other corporations around the world.
"It’s so easy. It’s so easy a caveman can do it," Moore told InformationWeek, laughing. "When you’ve got that many computers at your fingertips, you’d be surprised how many are insecure."
Interesting demonstration of "tapping" optical cables carrying voice or data:
Optical fibre is a lot easier to tap than most people imagine. There is no need to break or splice the fibre now — a relatively shallow bend can be enough.
The technique works because the light in the cable propagates by bouncing off the insides of the fibre. Unsheath the cable, and a detector can pick up the tiny amount of light that escapes through the fibre’s coating, explained Thomas Meier, the CEO of Swiss company Infoguard.
He demonstrated the technique on a fibre carrying a VOIP phone call over Gigabit Ethernet. A section of fibre from inside a junction box was looped into a photodetector called a bend coupler, and the call was recorded and then played back on a laptop.
"People claim optical fibre is harder to tap than copper, but the opposite is true — you don’t even have to break the insulation, as you would with copper," Meier said. "You can read through the fibre’s cladding with as little as half a dB signal loss."
As demonstrated by last year’s (alleged) HP corporate espionage scandal, businesses will go to great lengths to get the edge on their competition. It has even been reported that some foreign governments eavesdrop on business communications (phone calls, e-mails) to give domestic companies an advantage.
Aside from the typical benefits of VoIP, including cost savings and flexibility, business VoIP solutions can also provide extra security for phone calls against eavesdropping. High value targets might be calls between top executives, discussions of confidential sales strategies, mergers and acquisitions, or the development or launch of a new product.
Companies should already be requiring employees to use an encrypted VPN (virtual private network) to gain access to the corporate intranet. For enterprise VoIP or other in-house implementations, this makes VoIP security easy: Internet phone calls that your employees make from the road are already protected at least back to your company’s network. This, of course, assumes that you have a secure VPN service running that uses strong encryption, such as AES.
Smaller companies using a hosted VoIP solution should check with their providers. If the company doesn’t have any offers, an add-on such as Phil Zimmermann’s zFone might be useful.
While some argue that Skype 
is a good option because it makes use of encryption, others argue that the encryption is used to protect Skype secrets (it’s not open source) and allow it to pass through filters more easily. Without a professional, independent evaluation of the security features, while Skype offers a good VoIP product, we cannot assume anything about its security.
And don’t forget that phone calls are just one part of the equation. Physical security, shredding documents before discarding them, etc., are as important as ever.
And there are plenty of stories of airline passengers being lucky enough to sit next to a competitor on the way to a sales presentation - a competitor who works with confidential sales materials in plain sight. Listening to Internet phone calls seems like a lot of hassle when presented with this kind of gift!
Post your VoIP security questions below and we’ll answer them in a future story.
Not VoIP service related, but an article on Slashdot has the details of a government initiative to use Full Disk Encryption (FDE) on all government-owned computers. The mandate came about in the wake of lost or stolen laptops with personal information stored on their hard drives.
We’re posting it to nudge companies in this direction as well - protect the security of your data when your employees are traveling by FDE. We’ve covered VoIP security in the past, and will have more to say in the next week.
Phil Zimmermann has launched a new Web site for Zfone, his VoIP encryption product. Still a little light on the content, but the new site demonstrates that he’s committed to Internet phone security.
The Georgia Tech Information Security Center (GTISC) today announced it is creating a partnership with BellSouth (NYSE:BLS) and Internet Security Systems (NASDAQ: ISSX) to explore security surrounding the emerging Voice over Internet Protocol (VoIP) technology. As communication services migrate to Internet-based platforms, it is important that the security and dependability users expect in the current public switched networks be maintained with these new converged technologies. At the GTISC VoIP Security Summit held in April 2005, GTISC initiated a dialogue with security and telecommunications industry leaders, including ISS and BellSouth, to proactively address security associated with this emerging technology.
“At GTISC, we feel strongly that security should not be an after-thought with VoIP,” said Mustaque Ahamad, principal investigator and director of GTISC. “By partnering with proven industry leaders ISS and BellSouth, GTISC will be able to lead the research efforts necessary to better understand VoIP threats and explore techniques that are well suited for securing VoIP devices, protocols and services.”
Internet Security Systems and BellSouth have committed to a two-year research program totaling $300,000. This funding will enable GTISC faculty and graduate students to work with ISS and BellSouth technologists to develop and evaluate solutions that address VoIP security. In return, BellSouth and ISS will have access to the resulting intellectual property.
“Internet Security Systems was one of the first security companies to provide coverage for VoIP protocols in our products,” said Christopher Rouland, chief technology officer at Internet Security Systems. “We look forward to working with experts at GTISC and BellSouth to further our understanding of VoIP vulnerabilities and how best to mitigate them for our customers.”
“BellSouth is committed to ensuring security is an integral component in all our products and services and working with GTISC and ISS is one way to continue that focus with next generation products such as VoIP” said John Heveran, VP-Chief Information Security Officer, BellSouth.
BorderWare Technologies Inc., and PGP (Pretty Good Privacy) founder Phil Zimmermann, industry leaders in IP communications security, privacy and compliance solutions, today announced an agreement to make BorderWare the first commercial licensee of Zfone, secure VoIP media encryption software, created by Zimmermann. This agreement tightly integrates Zfone with BorderWare’s SIPassure VoIP Security Gateway, bringing a new level of security and ease of use to VoIP systems.
VoIP and related real-time communication applications, such as video conferencing and instant messaging, continue to attract considerable interest worldwide, with millions of active private and business VoIP users today. Carriers and enterprises are increasingly seeing the benefits of VoIP services that allow voice messaging and video conferencing to be conducted securely, like email, as communications are transferred freely over traditional phone networks and the Internet.
Interesting article as a follow-up to the hacking scheme:
“It was a 100-percent margin business,” mused Seshu Madhavapeddy, CEO of Sipera Systems, a Richardson, Texas-based VoIP security company.
But in a telephone interview with TMCnet, Madhavapeddy on Thursday cautioned that the breaches are no laughing matter and the highly publicized incident might even inspire copycat to resort to criminal activity like intrusion, spoofing or spamming – techniques that aren’t entirely insurmountable but vexing nonetheless.
“There are a lot of guys out there that are looking at these guys as role models,” Madhavapeddy warned.
The security breakdown actually occurred at two points in the communication system and is the best illustration to date of the embryonic state of VoIP firewalling – i.e. enabling VoIP traffic to traverse the pinholes of a corporate firewall, the security expert explained. Because the firewall has grown to be a reliable (and in some cases is the only) security layer in the data realm, enterprises have turned to NAT traversal as a “best-practices” method for voice packets to travel through the network.
Yet that alone isn’t enough. Enterprises also need to account for intrusion detection (worms, Trojans, etc.) and direct attacks (spam, Distributed denial-of-service, etc.) to safeguard against malicious hackers.
“In order to assemble a security system for an enterprise today, you use multiple products,” Madhavapeddy told TMCnet.
VoIP service providers need to improve their security:
A Miami businessman helped by a professional hacker penetrated the networks of Internet phone providers to connect hundreds of thousands of free calls, federal prosecutors alleged Wednesday.
After obtaining free access to the networks, Edwin Andres Pena charged customers more than $1 million to route calls for them, according to FBI complaints made public with Pena’s arrest in Florida.
Pena paid $20,000 to hacker Robert Moore, of Spokane, Wash., according to court papers.
Pena, 23, who had a court appearance Wednesday in Miami, could not be reached for comment. Moore, 22, was to surrender to federal agents in Spokane. A message left at his address was not immediately returned. The names of their lawyers were not yet known.
At least 15 Internet phone companies were victimized, with one suffering as much as $300,000 in lost fees, prosecutors said.
Pena allegedly was able to secretly route 500,000 calls through a Newark-based provider identified in the complaint as "N.T.P.," which appears to be Net2Phone. Messages seeking comment from the company, and its corporate parent, IDT Corp., were not immediately returned Wednesday.
Authorities said that to hide profits from his scheme, which ran from November 2004 to May 2006, Pena bought real estate, three luxury vehicles and a 40-foot motorboat. On Wednesday, federal agents seized one of the cars, a customized 2004 BMW M3.
Pena operated two telecommunications companies, Fortes Telecom Inc. and Miami Tech & Consulting Inc., according to federal prosecutors. The companies, acting as wholesalers, sold more than 10 million minutes of Internet telephone service for as little as 0.4 cents a minute.
