Archive for the ‘VoIP Security’ Category
Is someone using your VoIP phone to eavesdrop on you?
A leading member of the Jericho Forum has criticised the security of voice-over-IP technology after security researchers revealed that it was possible to eavesdrop on VoIP conversations.
An eavesdropping vulnerability was revealed on the popular Full Disclosure mailing list on Wednesday. Vulnerability researchers Humberto Abdelnur, Radu State and Olivier Festor claimed the exploit could allow a remote attacker to turn a VoIP phone into an eavesdropping device, citing a Grandstream SIP phone as an example.
The Jericho Forum is an international group of leading corporate security professionals, academics and vendors, and promotes the development of secure software architectures, among other IT security interests.
As demonstrated by last year’s (alleged) HP corporate espionage scandal, businesses will go to great lengths to get the edge on their competition. It has even been reported that some foreign governments eavesdrop on business communications (phone calls, e-mails) to give domestic companies an advantage.
Aside from the typical benefits of VoIP, including cost savings and flexibility, business VoIP solutions can also provide extra security for phone calls against eavesdropping. High value targets might be calls between top executives, discussions of confidential sales strategies, mergers and acquisitions, or the development or launch of a new product.
Companies should already be requiring employees to use an encrypted VPN (virtual private network) to gain access to the corporate intranet. For enterprise VoIP or other in-house implementations, this makes VoIP security easy: Internet phone calls that your employees make from the road are already protected at least back to your company’s network. This, of course, assumes that you have a secure VPN service running that uses strong encryption, such as AES.
Smaller companies using a hosted VoIP solution should check with their providers. If the company doesn’t have any offers, an add-on such as Phil Zimmermann’s zFone might be useful.
While some argue that Skype 
is a good option because it makes use of encryption, others argue that the encryption is used to protect Skype secrets (it’s not open source) and allow it to pass through filters more easily. Without a professional, independent evaluation of the security features, while Skype offers a good VoIP product, we cannot assume anything about its security.
And don’t forget that phone calls are just one part of the equation. Physical security, shredding documents before discarding them, etc., are as important as ever.
And there are plenty of stories of airline passengers being lucky enough to sit next to a competitor on the way to a sales presentation – a competitor who works with confidential sales materials in plain sight. Listening to Internet phone calls seems like a lot of hassle when presented with this kind of gift!
Post your VoIP security questions below and we’ll answer them in a future story.
Not VoIP service related, but an article on Slashdot has the details of a government initiative to use Full Disk Encryption (FDE) on all government-owned computers. The mandate came about in the wake of lost or stolen laptops with personal information stored on their hard drives.
We’re posting it to nudge companies in this direction as well – protect the security of your data when your employees are traveling by FDE. We’ve covered VoIP security in the past, and will have more to say in the next week.
Phil Zimmermann has launched a new Web site for Zfone, his VoIP encryption product. Still a little light on the content, but the new site demonstrates that he’s committed to Internet phone security.
The Georgia Tech Information Security Center (GTISC) today announced it is creating a partnership with BellSouth (NYSE:BLS) and Internet Security Systems (NASDAQ: ISSX) to explore security surrounding the emerging Voice over Internet Protocol (VoIP) technology. As communication services migrate to Internet-based platforms, it is important that the security and dependability users expect in the current public switched networks be maintained with these new converged technologies. At the GTISC VoIP Security Summit held in April 2005, GTISC initiated a dialogue with security and telecommunications industry leaders, including ISS and BellSouth, to proactively address security associated with this emerging technology.
“At GTISC, we feel strongly that security should not be an after-thought with VoIP,” said Mustaque Ahamad, principal investigator and director of GTISC. “By partnering with proven industry leaders ISS and BellSouth, GTISC will be able to lead the research efforts necessary to better understand VoIP threats and explore techniques that are well suited for securing VoIP devices, protocols and services.”
Internet Security Systems and BellSouth have committed to a two-year research program totaling $300,000. This funding will enable GTISC faculty and graduate students to work with ISS and BellSouth technologists to develop and evaluate solutions that address VoIP security. In return, BellSouth and ISS will have access to the resulting intellectual property.
“Internet Security Systems was one of the first security companies to provide coverage for VoIP protocols in our products,” said Christopher Rouland, chief technology officer at Internet Security Systems. “We look forward to working with experts at GTISC and BellSouth to further our understanding of VoIP vulnerabilities and how best to mitigate them for our customers.”
“BellSouth is committed to ensuring security is an integral component in all our products and services and working with GTISC and ISS is one way to continue that focus with next generation products such as VoIP” said John Heveran, VP-Chief Information Security Officer, BellSouth.
BorderWare Technologies Inc., and PGP (Pretty Good Privacy) founder Phil Zimmermann, industry leaders in IP communications security, privacy and compliance solutions, today announced an agreement to make BorderWare the first commercial licensee of Zfone, secure VoIP media encryption software, created by Zimmermann. This agreement tightly integrates Zfone with BorderWare’s SIPassure VoIP Security Gateway, bringing a new level of security and ease of use to VoIP systems.
VoIP and related real-time communication applications, such as video conferencing and instant messaging, continue to attract considerable interest worldwide, with millions of active private and business VoIP users today. Carriers and enterprises are increasingly seeing the benefits of VoIP services that allow voice messaging and video conferencing to be conducted securely, like email, as communications are transferred freely over traditional phone networks and the Internet.
Interesting article as a follow-up to the hacking scheme:
“It was a 100-percent margin business,” mused Seshu Madhavapeddy, CEO of Sipera Systems, a Richardson, Texas-based VoIP security company.
But in a telephone interview with TMCnet, Madhavapeddy on Thursday cautioned that the breaches are no laughing matter and the highly publicized incident might even inspire copycat to resort to criminal activity like intrusion, spoofing or spamming – techniques that aren’t entirely insurmountable but vexing nonetheless.
“There are a lot of guys out there that are looking at these guys as role models,” Madhavapeddy warned.
The security breakdown actually occurred at two points in the communication system and is the best illustration to date of the embryonic state of VoIP firewalling – i.e. enabling VoIP traffic to traverse the pinholes of a corporate firewall, the security expert explained. Because the firewall has grown to be a reliable (and in some cases is the only) security layer in the data realm, enterprises have turned to NAT traversal as a “best-practices” method for voice packets to travel through the network.
Yet that alone isn’t enough. Enterprises also need to account for intrusion detection (worms, Trojans, etc.) and direct attacks (spam, Distributed denial-of-service, etc.) to safeguard against malicious hackers.
“In order to assemble a security system for an enterprise today, you use multiple products,” Madhavapeddy told TMCnet.
VoIP service providers need to improve their security:
A Miami businessman helped by a professional hacker penetrated the networks of Internet phone providers to connect hundreds of thousands of free calls, federal prosecutors alleged Wednesday.
After obtaining free access to the networks, Edwin Andres Pena charged customers more than $1 million to route calls for them, according to FBI complaints made public with Pena’s arrest in Florida.
Pena paid $20,000 to hacker Robert Moore, of Spokane, Wash., according to court papers.
Pena, 23, who had a court appearance Wednesday in Miami, could not be reached for comment. Moore, 22, was to surrender to federal agents in Spokane. A message left at his address was not immediately returned. The names of their lawyers were not yet known.
At least 15 Internet phone companies were victimized, with one suffering as much as $300,000 in lost fees, prosecutors said.
Pena allegedly was able to secretly route 500,000 calls through a Newark-based provider identified in the complaint as "N.T.P.," which appears to be Net2Phone. Messages seeking comment from the company, and its corporate parent, IDT Corp., were not immediately returned Wednesday.
Authorities said that to hide profits from his scheme, which ran from November 2004 to May 2006, Pena bought real estate, three luxury vehicles and a 40-foot motorboat. On Wednesday, federal agents seized one of the cars, a customized 2004 BMW M3.
Pena operated two telecommunications companies, Fortes Telecom Inc. and Miami Tech & Consulting Inc., according to federal prosecutors. The companies, acting as wholesalers, sold more than 10 million minutes of Internet telephone service for as little as 0.4 cents a minute.
The long-awaited release of Phil Zimmermann’s, the creator of PGP, Windows version of Zfone, the VoIP encryption software has finally arrived. The Mac version was out last month.
The bottom line: fast setup, easy to use.
Background
Zfone uses a new VoIP encryption protocol called ZRTP to secure Internet telephone calls. The protocol provides a high level of security because it doesn’t rely on public key infrastructure (PKI), key certification, trust models or certificate authorities. ZRTP does the key agreement process on a peer-to-peer basis, using a new key for each telephone call. It also provides defenses against "man-in-the-middle" attacks. It also provides other layers of security, which are described in further detail on Zimmermann’s Web site, linked to above.
Review, Plus How to Get Started With Zfone
The new Zfone client for Windows was surprisingly easy to use. First, install a compatible VoIP client. We used the Gizmo client available from the free VoIP service SIPphone. Next, download and install Zfone. These two steps take about 5 – 10 minutes, including download times and the time it takes to set up a free account with SIPphone.
One thing you must do is configure your Gizmo client to use SIP port number 5060 in the "advanced" part of the Options function. Also, be sure to run Zfone before starting Gizmo.
Next all you have to do is contact your friend or associate on his SIPphone account. Unfortunately, you can’t call a landline using Zfone. Your contact must also be running Zfone on his side.
When the call is started it shows up in the Zfone window. Simply click "secure" and Zfone does the rest. It displays a string of characters for you to verify against the string that friend sees on his end. If the two are the same, then you’ve got a secure call.
With a setup time of less than 10 minutes and no glitches, Zfone worked out great. It provides strong VoIP encryption and is easy enough for even non-tech literate people to use.
Give it a try and report your comments back here. Zfone has not been extensively tested with Vonage, so Vonage Zfone testers, we’re particularly interested in your experiences.
Skype users: note that Zfone does not work with Skype (Skype has its own, arguably insecure, encryption).
Phil Zimmermann, upsetting the government again:
Now he is again inviting government scrutiny. On Sunday, he released a free Windows software program, Zfone, that encrypts a computer-to-computer voice conversation so both parties can be confident that no one is listening in. It became available earlier this year to Macintosh and Linux users of the system known as voice-over-Internet protocol, or VoIP.
What sets Zfone apart from comparable systems is that it does not require a web of computers to hold the keys, or long numbers, used in most encryption schemes. Instead, it performs the key exchange inside the digital voice channel while the call is being set up, so no third party has the keys.
Zfone’s introduction comes as reports continue to emerge about the government’s electronic surveillance efforts. A lawsuit by the Electronic Frontier Foundation, a privacy rights group, contends that AT&T has given the National Security Agency real-time access to Internet communications.
In the wake of 9/11, there were calls for the government to institute new barriers to cryptography, to avoid its use in communications by enemies of the United States. Easily accessible cryptography for Internet calling may intensify that debate.
"I’m afraid it will put front and center an issue that had been resolved in the individual’s favor in the 1990’s," said James X. Dempsey, policy director for the Center for Democracy and Technology, a Washington-based public policy group.
The Federal Communications Commission has begun adopting regulations that would force Internet service providers and VoIP companies to adopt the technology that permits law enforcement officials to monitor conventional telephone calls. But for now, at least, F.C.C. regulation exempts programs that operate directly between computers, not through a hub.
"From the F.C.C.’s perspective you can’t regulate point-to-point communications, which I think will let Phil off the hook," said Marc Rotenberg, director of the Electronic Privacy Information Center, an advocacy group in Washington.
Zfone may face more of a challenge in Europe, where the British government is preparing to give the police the legal authority to compel both organizations and individuals to disclose encryption keys.
