Security
You are currently browsing the articles from the VoIP Digest matching the category Security.
NIST (National Institute of Standards and Technology) reports that a "Highly Critical" vulnerability exists in the Apple QuickTime handling of rtsp:// URLs. The exploit causes a stack-based buffer overflow that can lead to remote arbitrary code execution. The vulnerability affects both the Windows and Apple OS X versions.
This should be of key [...]

Written by Russell Shaw on January 4th, 2007 with no comments.
Read more articles on General and Security and Apple.
In a post I put up on Friday about the applicability of "phone song" lyrics to current telecom tech, I noted one song where the singer seems to be thinking about asking the operator to interrupt a call.
Then, I started to think to myself about the long history of such actions on analog lines. [...]

Written by Russell Shaw on November 28th, 2006 with no comments.
Read more articles on General and Security.
Well, it was inevitable. The hackers, wherever on the planet they may be, look to be spoofing YouTube to send me to a site where some very friendly young women are not hesitant to show off their physicalities.
I certainly have no problem with such visages, but not when they come from spammers who manage to [...]

Written by Russell Shaw on November 23rd, 2006 with no comments.
Read more articles on General and Security and YouTube.
Fellow blogger PhoneBoy offers a detailed but quite comprehensible explanation of why the decidedly improved NAT (Network Address Translation) capability of Internet calling provider SightSpeed's SightSpeed 5.0 (shown above) is so noteworthy.
First, he defines NAT, which is a technology that lets hosts transparently talk to each other with mutually agreeable addresses. He correctly mentions [...]
Written by Russell Shaw on October 17th, 2006 with no comments.
Read more articles on General and Software and Security and Research.

Written by Skype Journal on October 7th, 2006 with no comments.
Read more articles on Security and Life and Life.
GNU Telephony has released the open source framework for the development of applications that use secure RTP profile for VoIP. The organization, which is committed to the development and promotion of free telephony software, timed this announcement with the release of the GNU RTP Stack which can be directly embedded in new VoIP applications.
Secure call features in the GNU RTP Stack allow the development of communication solutions for GNU/Linux hosted applications and applications on Mac OS/X, Windows and embedded systems. According to GNU Telephony, these features will soon feature in Linux kernel-powered mobile phones and handheld devices.
The first softphone software to harness the power of the RTP Stack is Twinkle, which supports both SRTP and ZRTP, and is also the first VoIP client that provides native support for the ZRTP protocol.
Follow this link for free downloads from GNU Telephony.
Written by pushpa27 on October 6th, 2006 with no comments.
Read more articles on Security.
Around the world, every country and culture has a different way of
answering the telephone. If someone calls me, I say "hello" and who I
am. If I call somewhere and the person does not say who they are, if I
don't know them I ask, "who am I speaking to?". But it got me to
thinking about VoIP, which appears to be rapidly spreading in use,
at least individually if not by business. Let's fast-forward to the end
of this decade, when VoIP market penetration will undoubtedly be huge.
In fact, video calling might even become ubiquitous (although that's what they said at the
World's Fair in the 1960s). Identifying who you are talking to would of
course be easier with video calling.
In the future, identification might not be an issue, but right now, how is it that we know who really is
calling us? Sure, some soft phones reveal IP addresses, and you might
have a list of contacts from email. But if you work online like some
people (like myself), you often "meet" people yet never meet them in
person. How do you guarantee that the person you met through, say,
comments on a website or at an online forum is really the person they
say they are? Consider how many false profiles are set up on social
networking sites. Then there are the vishers. Not everyone is going to be who they say.
I don't have any answers, just reflecting. IP media will change our lives, including the way we interact with each other online.
Written by ewriter on October 5th, 2006 with no comments.
Read more articles on Security.
Want to check in on your home while you're at work or somewhere?
Worried that men in black will be visiting your place to plant bugs?
Create your own inexpensive home security by turning to Skype for
essentially free home monitoring. All you need is a webcam, two Skype
accounts, and a broadband connection. Run one Skype video window at home, set to automatic answer, and another wherever you are. More details at VoIP-Sol.
Of course, unless you keep both Skype windows going, you will not have constant monitoring. You can do the same thing with Sightspeed, which some people, including myself, think has better quality video calling.
Now while you basically have your own CCTV (Closed Circuit TV) system this way, you might still want something like InnovAlarm or Alarm.com to actually warn the authorities if you have an invader. Unless it's them paying your place a visit.
Written by ewriter on October 4th, 2006 with no comments.
Read more articles on Skype and Software and Security and Residential VoIP.

Written by Skype Journal on October 4th, 2006 with no comments.
Read more articles on Uncategorized and Skype and VoIP and Security and ebay and Privacy and skypejournal and Life and Life and Competitors and freedom.
Along with cell phone worms, VoIP fraud is among the top 10 security threats to watch next year, according to a panel of experts assembled by the SANS Institute. The report predicts that this will be because hackers have begun penetrating VoIP servers and selling dial tone as if they were a phone company.
"The hackers collect the money from the people that use it, while the company operating the servers gets the bill," said SANS Director of Research, Alan Paller. The fact that calls can be hijacked without either party's knowledge anywhere along the route over the net that connects the call also makes things easier.
This vulnerability and other security holes will be exploited as soon as VoIP becomes the norm. We know that VoIP is being marketed aggressively - especially to medium-sized companies who are only looking at the cost benefits and end up not doing much about security. The more it expands the more hackers turn their attention to VoIP - now that's only logical don't you think?
While VoIP is growing and soon replacing traditional phone systems around the world, the way systems are being set up and managed also needs to be examined. VoIP vendors argue that these security flaws are hard to exploit but you can find more than 20 freely available tools specific to attacking VoIP, according to this Wired News article.
In addition to cell phone viruses and VoIP attacks, other trends SANS predicts for 2007 in the Technewsworld article include the following:
- Targeted attacks will be more prevalent, in particular on government agencies.
- Spyware will continue to be a huge and growing issue.
- Zero-day vulnerabilities will result in major outbreaks resulting in many thousands of PCs being infected worldwide.
- The majority of bots will be bundled with rootkits and
- Network Access Control will become common and will grow in sophistication to name a few.
Written by Garrett Smith on October 4th, 2006 with no comments.
Read more articles on Security.
In spillover activity spurred on by the recent Hewlett-Packard "phonegate" scandal, Verizon is suing 20 data brokers
for fraudulent activity re pretexting. Pretexting is where someone
pretends to be someone else so that they can access their phone
records. Interestingly, the president and vice chair of Verizon is on
the HP board of directors. Verizon says it has spent $100,000
to investigate the pretexting fraud.
In related news, Democrats in the US House of Representatives, controlled by the Republicans, stalled a bill
to make pretexting illegal. The activity is illegal in some states,
including California, where the alleged activities took place. As part
of a US House of Representatives probe into the pretexting scandal, five private investigators and at least two HP executives have been subpoenaed. HP is also under investigation in California.
Written by ewriter on October 3rd, 2006 with no comments.
Read more articles on Security and Business and Regulation and Privacy.
If you have a busy company that gets a lot of calls during the day, you
know that there can be some peak times when your telephony system can
barely handle the load. You may have a trickle of callers one moment,
and a flash crowd of callers the next. Then there's the potential that
maybe someone is running a DDoS (Distributed Denial of Service) attack
on your system, to compromise it. How does a VoIP system tell the
difference? The VoIPSec site has a thread that points to VoIP security company Vodasec,
who are researching this very issue. They are working on detecting
system overloading prior to its happening, as well as distinguishing
between the two types of overloading.
Their technology is patent pending, but they do give a brief description
of how their model works. The sample graphs they display show a
distinct difference between the two types of overloading. This could
definitely be useful for the next generation of load-balancing VoIP systems, and for ensuring quality of service.
The essential principle, I'm assuming, is to study long-term behaviour
of both types of overloading and refine both behaviour models as new
data is collected. In fact, statistical analysis using MMAs (Multiple
Moving Averages), or some other trend indicator, could probably deduce
the difference. But these are not the kind of models you really want to
advertise online, or you'll have another generation of smart vishers.
Written by ewriter on October 3rd, 2006 with no comments.
Read more articles on Software and Security and Standards and Networks.
IT Week has an article that says a number of VoIP providers are
claiming vendors like Cisco are misleading enterprise customers about
their ability to deliver all of a package of network-related
infrastructure functionality including voice and data transmissions.
Cisco is saying that they cannot guarantee the performance or quality of VoIP calls.
Now I'm not going to defend Cisco, but I'm using this as a jumping off point for a reflection about VoIP call quality. My research the past few months points to something very odd regarding the way that some VoIP software might be delivering calls. Computers use two different protocols known as UDP (User Datagram Protocol) and TCP
(Transmission Control Protocol) to send information over a network.
Without getting into a deep discussion about either one, let me just
summarize their behaviors. UDP chops up data into packets and sends it
out over a network without much regard to the order the packets arrive
in. TCP chops up data but sequences packets in their natural order.
Now I am not an expert on how various VoIP services
function internally, but some article I read, which is lurking in the
corner of my mind, suggests that some of them may actually use UDP
instead of TCP. This would be absurd because what a person is saying
would be scrambled. The only way that that could work is if a "code"
packet went first, and acted as a map to know which arriving UDP
packets should be sequenced and how. That would cause a lag in
conversation over a great distance but not over short distances. This
is because the receiving decoder would have to wait for an entire set
of packets to arrive before they can be sequenced properly and
delivered to their final destination.
At least theoretically.
However, if the "map" packet somehow got messed up itself during
transmission, the call or parts of it would be undecipherable. Which
could explain some call quality issues, whether due to sabotage or not,
I don't know. This does not mean that VoIP services using TCP could not
also be scrambled up, though. So both types of transmission are
susceptible to problems.
My point may be moot, as there may not
actually be any VoIP services using UDP. I cannot see any benefits of
doing so, besides for adding an extra layer of voice data encryption at
the expense of suffering a bigger time lag than for TCP. However,
having never written or looked at the innards of VoIP software, I can't
say one way or the other. But in summary, call quality can be affected
by many factors, and each contributes to the whole experience. PSTN lines have had the benefit of a hundred years of innovation and improvement, as someone said recently.
Written by ewriter on October 2nd, 2006 with no comments.
Read more articles on Software and Security and Networks.
With security issues rearing their ugly head time and again with startling regularity in the beautiful world of VoIP, it’s no wonder that researchers are turning their brains to addressing the vulnerabilities in this Internet technology. The latest to join this bandwagon is the Georgia Tech Information Security Center (GTISC); the institute is teaming up with BellSouth and Internet Security Systems (ISS) to probe the security aspect of VoIP technology.
The seeds for the endeavor were sown at the GTISC VoIP Security Summit held in April last year. ISS and BellSouth have promised support towards a $300,000, two-year research program that will enable GTISC staff and graduate students to work in tandem with them to develop and test solutions for VoIP security.
The issues under consideration will include VoIP authentication for voice spam, modeling of VoIP traffic and device behavior, mobile phone security, and security of VoIP applications running on user agents.
Written by pushpa27 on September 30th, 2006 with no comments.
Read more articles on Security.
Most experts agree that VoIP is good for the enterprise, but Skype hasn't typically been considered ready for enterprise despite setting their sights on business use earlier this year. Now, apparently they are working on an enterprise version
of Skype, possibly available in a few weeks. System administrators will
have control over what features employees can use. Though Ted Wallingford
doesn't think it'll go over well if the enterprise version costs money.
Why? Primarily because the product is not open source and companies are
not going to trust Skype to handle all the security without revealing
details, as well as having to pay for it.
A Computer World piece (also linked above) says that 30% of Skype's 100M+ users use the
soft phone for business. That's far, far higher than I would have
expected, given corporate firewalls and all. As Ken Camp points out, many system administrators are wary of Skype, particularly in terms of network security.
(Even Intel was concerned when some of their employees installed it.)
That's because of the proprietary communications protocols it uses
(despite claims of Skype being cloned). There's also the bandwidth
issue, which is one of the problems that SJSU (San Jose State
University) was concerned about, and for which they had planned to ban
Skype. (Most universities are in fact run like corporations; some even
are incorporated. So it's understandable that they would want to watch
their bottom line.)
Though with some universities picking
Linux-based open source IP telephony systems such as Asterisk, I think
that Skype is missing out on a huge opportunity if they don't address
these problems. If they're listening, they should also consider the
college and university market. There is, of course, Pika Technologies'
offering, which bridges Skype and Asterisk for enterprise use. However, there are likely still bandwidth and network security
issues, at least in the eyes of sysadmins. As my colleagues are pointing out,
if sysadmins cannot monitor and measure activity over their networks,
then they are not going to be comfortable with Skype as a campus (or
enterprise) VoIP solution.
There are other enterprise issues
such as wholesale recording of conversations, which is probably
unnecessary for the university market. But aside from that, there is a
lot of overlap in IP telephony functionality for both markets. And
maybe, just maybe, the security requirements Skype has just satisfied
for Intel will satisfy the rest of the corporate market and the
university/ college market.
Written by ewriter on September 28th, 2006 with no comments.
Read more articles on Skype and Security and Business VoIP and Networks.
Cutting back on costs by switching to VoIP phone systems could end up costing you dear, warns The Grugq. The independent security researcher known only by his unusual penname voiced his concerns over the security of VoIP systems at the Hack In The Box Security Conference (HITB) in Kuala Lumpur, Malaysia.
He predicted that VoIP phishing attacks where hackers steal personal data are set to rise by the end of this year. He also threw a challenge at security managers, claiming that they were powerless to even detect such attacks, leave alone prevent them. VoIP hackers have an easy task, according to The Grugq; all they need by way of tools of the trade are a softphone or PBX software.
The Grugq used the platform to allow a sneak peek into the alpha code for SIPhallis, an application that he claims will allow security managers to create, send and monitor VoIP packets.
Written by pushpa27 on September 28th, 2006 with no comments.
Read more articles on Security.
Georgia Tech, long known as a very innovative university in
technology-related research, has partnered up with BellSouth Corp and
ISS (Internet Security Systems Inc.) to look into security for VoIP
technology. Both companies will invest a total of US$300K for the
two-year research program involving faculty, grad students and
technologists (from BellSouth and ISS). [via Atlanta Business Chronicle]
Researchers at Georgia Tech have previously worked on, amongst other things, new
mathematical techniques for compressing images - something that has
definite applications for video over IP clients such as Sightspeed, as
well as video phones.
SJSU (San Jose State University), on the other hand, recently banned Skype on campus, then reversed their decision
after holding a conference call with eBay's government affairs dept.
SJSU's main concerns were over-use of bandwidth as well as security
issues. Maybe they should Skype Georgia Tech? Have your people VoIP my
people.
Written by ewriter on September 27th, 2006 with no comments.
Read more articles on Skype and Software and Security.
The US House of Representatives has been busy subpoenaing people, including five private investigators and at least two HP executives, for the House probe into the Hewlett-Packard scandal.
The whole mess was precipitated by now-former Chair Patricia Dunn when
she had PIs access the private phone records of some board members.
Her actions were outside of any legal action such as CALEA. In fact, records were obtained by pretexting,
an illegal method that involves having people impersonate someone else
to access records. (I've had something similar happen to me. A now
ex-friend impersonated me just over ten years ago and convinced my
phone company at the time to transfer yet another person's phone bill
to my phone. After a shouting match with the company, who denied they'd
ever do such a thing - despite my friend's confession - I switched to
cell phones, and now VoIP, and have not owned a landline since.)
Written by ewriter on September 27th, 2006 with no comments.
Read more articles on Security and Regulation and Privacy.
Skype Journal’s Phil Wolff posts that after lots of brouhaha, San Jose State University’s Computing and Telecommunications department (SJSU UCAT) have said they will not ban Skype.
Apparently, a Monday meeting between SJSU officials and Skype-owner eBay’s governmental relations team did the trick.
Although Phil was not in on that meeting, he recommends that any [...]
Written by Russell Shaw on September 27th, 2006 with no comments.
Read more articles on Skype and General and Regulatory and Security and Softphones.
Here's a quick roundup of what other VoIP/ IP media bloggers are talking about for IP communications ....
Om Malik at GigaOm says that VoIP loves small business but that maybe too many new VoIP startups are focusing on SMBs as their customers.
Cameron Sturdevant and the gang at eWeek Labs have been able to prove that VoIP can coexist with server security such as SSL (Secure Sockets Layer). Which I think means that businesses (and universities)
can implement soft VoIP without the same concern for security as they
might have had. Andrew Garcia, also at eWeek, offers an option for IT
managers at SMBs who want to use VoIP but don't want to replace
hardware: virtual PBXes. When you finish that, look at Garcia's article about some new VoIP gear from D-Link, including routers aimed at the small business market.
I have no previous knowledge of what QQ is, but Phil Wolff at Skype Journal is speculating on a merger between them and Skype (as well as something about eBay China being purchased by Tom.com, a Skype partner). Wolff also wonders
if Skype could be like Mercora's IMRadio service, allowing you to build
and broadcast your own Internet radio station. The technology's in
Skype already. Hey, I've already watched Japanese TV from Skype.
Speaking of Skype, The VoIP Girl gives the lowdown
on the meaning of all those shiny little icons in the Skype interface.
She also throws in a list of VoIP services for Canadians, to supplement
the ones Canadian tech blogger Mark Evans listed.
Written by ewriter on September 26th, 2006 with no comments.
Read more articles on Skype and Security and Business.
After the arrest of five foreign nationals in Namibia providing VoIP service
without a license, as well as goings on in various Asian and African
countries in regards to VoIP, you might be wondering if VoIP is under
attack there. Marcelo Rodriguez takes a critical look [Voxilla] at what Russell Shaw [ZD Net] and Rich Tehrani [TMC Net] are saying.
Rodriguez points out that both Shaw and Tehrani mention "Third World" countries
as locales where VoIP seems to be under attack, possibly due to
affiliations between the government and the traditional telecoms, but
that they leave out the US as being in a similar category. (Examples: Korea and the UAE blocking Skype.) He then goes on to reveal several examples of lobbying, campaign contributions, and all-expense golf vacations.
The Voxilla piece is very revealing and extremely politically charged. I'm
going to take my cue to up the voltage. Let's take a few separate
scenarios. First scenario, conspiracy: the entire telephony system in
North America is fully wiretapped and all calls are monitored either by
humans or machines, for whatever political purpose the real men with
power wield. Second scenario: the first scenario is crock, but phone
calls are a valuable commodity and thus extremely lucrative. Third
scenario: a combination of both the first and second scenarios.
Choose your scenario. Either way, VoIP threatens the status quo, and hence spawns acts like CALEA, possibly attacks on Vonage's share price, and debates like neutrality vs tiered Internet
service. Everything that is happening politically in telephony
satisfies one of those three scenarios. Let's face it: VoIP is a threat
no matter how you slice your political pie.
Written by ewriter on September 25th, 2006 with no comments.
Read more articles on Security and Networks and Regulation and Privacy.
In what strikes me as both a paranoid and Luddite move, San Jose State University is seeking to block the use of Skype on campus. The issue first came to light in last Monday's Spartan Daily, when reporter Stefanie Chase wrote that Don Baker, interim associate vice president of university computing and telecommunications, who alluded to the memo [...]
Written by Russell Shaw on September 23rd, 2006 with no comments.
Read more articles on Skype and News and General and Security.
Not too long ago, 23-year-old Edwin Pena and his accomplice Robert Moore were arrested for stealing and reselling 10M minutes of VoIP service. Pena recently went on the run and is being sought by authorities for skipping bail.
Now five Asian men have been arrested in Namibia for selling VoIP
without a license, based on the country's 1992 Postal and
Telecommunication Act.
Bail was set at N$3,000 each and was
paid. But the group will have to return to court at the end of October
and may face jail time. This seems way out of whack. Wouldn't a fine be
sufficient? Skype had been told by the Korean government recently that
they did not have the appropriate license. No fine was levied, and Skype stopped taking new memberships from Korean citizens.
The primary difference in crime between Pena/ Moore and the five foreign
nationals in Namibia is that the former group stole service from other
VoIP providers. But they went to great technical lengths to do so, and
got away with it for quite a while. The Namibian five were caught when
they tried to sell VoIP service to a member of the public.
Additional sources: VoIP News Australia, All Africa, TMC Net.
Written by ewriter on September 22nd, 2006 with no comments.
Read more articles on Security and Services and Business and Regulation.

Written by Skype Journal on September 21st, 2006 with no comments.
Read more articles on Skype and VoIP and Security and Business and skypejournal and Life and Life and Strategy and North America.
Some experts are saying that VoIP in the enterprise represents serious security risks [CIO], making a company vulnerable to vishing
(phishing via VoIP) attacks. One anonymous security researcher claims
that bank networks will be subject to penetration and the phone lines
to hijacking - thus leading to the theft of credit card numbers and
bank account data.
Now I'm not a VoIP security expert, but I can make an educated guess, based on my many years of
computer experience, that this guy, who goes by the pseudonym "The Grugq", is grossly exaggerating the security issues,
potentially to gain some attention. It's absurd to think that banks,
who have been dealing with electronic security issues for several
decades now, would even think to put their data and VoIP networks on
the same lines. Besides telecoms, I've worked at a big mutual fund
company. Even they had backup and redundant networks, with firewalled access to account information.
While it's likely true that little technology exists at present to filter out
vishing attacks, there's nothing that says a bank's data network has to
run on a VoIP network. And just because a bank's telecom system is
converted to IP telephony doesn't mean the data network is suddenly at
risk. In fact, if someone wanted to mount a vishing attack on a bank,
they could do so already using an existing VoIP system (sorry, not
going to tell you how). And they wouldn't have any more or less success
than if the bank had a VoIP network or not. (On the other hand, a VoIP
phone system could potentially be taken offline by a DDoS (Distributed Denial of Service) attack if a load balancing system is not in place.)
Despite what The Grugq (give me a break) is saying, I'm not so sure that bank
data networks are at risk. Of course, I could be proven wrong, but
let's hope I'm not, as this expert is saying that vishing attacks on
banks will probably start later this year. I wonder how he knows this.
Written by ewriter on September 20th, 2006 with no comments.
Read more articles on Security and Networks and Business.
While some cellular providers are outright banning VoIP on their data networks, Vodafone
is allowing it via 3G laptop data cards. They are, however, monitoring
activity because they don't want their network used as a gateway. [via CBR Online]
I'm not sure what this means, precisely, but at least they aren't banning VoIP
like T-Mobile and others. I think, basically, the primary issue brought
up previously is that cellular data networks just cannot handle VoIP
calls en masse. There just isn't enough bandwidth.
For completely different reasons, Skype Journal notes that San Jose State University (SJSU) in California may ban Skype use on campus. They have their reasons
(PDF, 2 pgs), and while some of them may seem legit, others seem
misinformed or plain contradictory. Skype Journal notes that Oxford
University recently lifted their ban on Skype.
Written by ewriter on September 19th, 2006 with no comments.
Read more articles on Skype and Security and Networks.
Steal VoIP, go to jail. Or if you're Edwin Pena, barely out of his teens, you go on the lam, possibly using your 40-foot speed boat, which was paid for by resold stolen VoIP service.
Pena was arrested by Miami police a few months back, along with his
buddy hacker. They supposedly stole and resold around 10 M minutes of
VoIP service and were facing up to 35 years on a couple of charges.
Pena skipped bail and is suspected of heading somewhere from where he
can't be extradited. Time to bring in the CSI: Miami crew, though I'm
not sure they've covered any telecom crimes to date.
These two guys are obviously bright minds, given the way they engineered
their whole set up. Had they thought just a bit further, they could
have been doing VoIP security consulting and making good money, instead
of doing time. Given the shortage of skilled workers in the IP telecom
industry, it's a waste. A good mind is a terrible thing to waste; a
good VoIP mind even more so.
Written by ewriter on September 18th, 2006 with no comments.
Read more articles on Security and Networks and Services and Business.
This is a bit off my beat, but newsworthy enough to report, IMHO. It seems that in the last several days, an inordinate ratio of spam seems to be seeping thru to my Gmail Inbox. Most are still being caught in Google's spam filter, but as a percentage, more of this crap seems to be getting [...]
Written by Russell Shaw on September 16th, 2006 with no comments.
Read more articles on General and Security and Google.
That's a 40-foot SeaRay. (Hmm, sure would be nice to win Powerball). But according to the Feds, Edwin Pena, 23, was able to pay for the SeaRay as well as three luxury autos by acting as a fraudulent wholesaler of VoIP services. The Feds believe that the Miami resident and a hacker conspirator, Robert Moore of [...]
Written by Russell Shaw on September 16th, 2006 with no comments.
Read more articles on General and Regulatory and Security.
President Asks For Warrantless Wiretaps
US president George
Bush is asking for warrantless wiretaps, particularly in relation to
prisoners held at Guantanamo Bay. [via CNBC TV] Recently, US District
Court Judge Anna Diggs Taylor ordered a halt to the wiretapping
program, concluding in her report that warrantless wiretapping is unconstitutional. CALEA
allows a backdoor for law enforcement agencies to wiretap calls if
public security is threatened. However, the wiretapping program in
question was secretly signed by President Bush in 2001.
Telus Corp Wins 5-Yr Telecom Contract
The government of the Province of Ontario (Canada) awarded Telus Corp
(second-largest Canadian phone company) a five-year, Cdn$140 M contract
to manage and supply various network services, including IP
communication. [via CNW] Telus recently announced that they were converting to an income trust.
Yahoo Messenger Plugins: Pandaf Sudoku Battle
Not sick of the immensely popular Sudoku number puzzles? The Pandaf Sudoku Battle plugin for Yahoo! Messenger 8 lets you battle against an opponent. I assume you race to finish first. This is of course quite the variation on the puzzle, as it's traditionally a one-player challenge.
Stratus Technologies Acquires Emergent
Stratus Technologies announced the US$10 M buyout of Emergent Network Solutions [Extreme VoIP], a VoIP infrastructure company.
Written by ewriter on September 15th, 2006 with no comments.
Read more articles on Software and Security and Networks and Business and Privacy.
Internet users in the UAE and overseas have expressed their anger, frustration and surprise at what appears to be the recent tightening of VoIP restrictions in the UAE. The recently published 'Windows Middle East - Electronic Edition', which detailed the Internet voice communication services that no longer work in the UAE, sparked a huge public response.
Windows Middle East's editorial team has been flooded with a huge number of reader responses. One UAE reader reminded them that consumer pressure had overturned a previous Skype block in Saudi Arabia. The same reader also outlined his dismay that VoIP technology seems to be okay for users, but the authority seems to have reservations about it.
Read my previous post titled "Consumer VoIP in the Workplace" to know more about consumer VoIP.
Written by Sagar on September 14th, 2006 with no comments.
Read more articles on Security.
Jupiter Web is giving away free copies of the Avaya edition of VoIP Security for Dummies eBook (PDF, 68 pages) in consideration for people joining the Avaya developer community. The link was sent to me in a regular Jupiter Web email, so I cannot guarantee you'll be able to use it, but I don't see why not.
The ebook is pretty "dummy-ish", in the sense that they've simplified a wide range of IP telephony security issues and summed each of them up in a few short paragraphs. It even mentions privacy issues such as CALEA (Communications Assistance for Law Enforcement Agencies) and a number of US govt regulations that add up to considering why you should record VoIP calls in your company.
This is certainly not a book you would use to actually implement VoIP security measures, but it's not a bad place to start if you feel you don't know enough about the issues, or don't know where to start reading about them. (The book is of course geared towards discussing Avaya solutions, so it's not exactly vendor-neutral.) You can sign up free (just your name, email, and job function) at this Jupiter Web page and download your copy.
Written by ewriter on September 13th, 2006 with no comments.
Read more articles on Security and Regulation and Privacy.
Your company has sensitive information and you think that one of your high-profile board members - not employees - is leaking details to the media. What do you do? If you're Hewlett-Packard's Chairwoman Patricia Dunn, you hire private investigators and obtain phone records [CRN] for the suspects. Problem is, those investigators used illegal means to acquire those phone records. Now, the California attorney general is investigating the whole mess.
Acts like Sarbanes-Oxley (aka Sarbox) were designed to protect investors by instituting a number of measures that would ensure transparency in accounting procedures of public companies. The act might even be interpreted in such a manner that a company would decide to record all employee conversations for Sarbox and even CALEA reasons. In this case, however, the records of home and cell phone calls of board member George A Keyworth were obtained, which I'm assuming is out of the scope of both Sarbox and CALEA.
In light of this, I'm wondering if soft VoIP calls stand a chance of not being put under the domain of CALEA. Soft VoIP does not yet have a backdoor (for law enforcement) for recording calls, but some politicians are pushing for it, for dubious reasons.
Written by ewriter on September 6th, 2006 with no comments.
Read more articles on Security and Regulation and Privacy.
Recently, I had written a post titled "Attack on VoIP Security" about the security attacks on VoIP. It has been noticed that although VoIP is gaining momentum in almost every sector, many companies haven't taken the necessary steps to toughen up security on their VoIP systems. It could make them vulnerable to hacking. One of the main weak links in VoIP security is the tendency for organizations to leave phones exposed to the Internet. It enables attackers to use search engines to discover information about the network that they can use in subsequent exploits. To counter this threat, companies need to boost the security on VoIP phones by disabling services that are not needed or restricting access to the specific location.
Written by Sagar on August 29th, 2006 with no comments.
Read more articles on Security.
New software designed for laptops, intended for Army and medical personnel in Iraq, translates English-Arabic audio conversations in near real time. The software, called IraqComm, records spoken words, translates them, and plays the translations. The process takes a few seconds. The predecessor to IraqComm was a handheld device called Phraselator. [via Technology Review]
While IraqComm is currently for military evaluation only, it is also intended for a variety of other users. It shows the potential market for automated language translation tools. It certainly would be nice to have something like this for Skype which, to my knowledge, only has something like ULRTMT, that translates text nearly on the fly.
Written by ewriter on August 24th, 2006 with no comments.
Read more articles on Software and Security and Solutions and Lingo.
It's always nice to see VoIP being used in unique new ways, and that's exactly what InnovAlarm is doing. Imagine home and security alarm systems, but which use Skype or another soft client instead of regular phone lines. The service is in pre-beta. [via Read/Write Web]
The only drawback with this application is that your computer has to be turned on. I'm wondering if there's a market for a similar solution using phone2phone with a VoIP bridge, using hardware such as Digifone's plug'n'play adapter. Phone2phone VoIP calls generally seem to have better quality.
There's obviously a perception that there is a market for InnovAlarm's method. In fact, Read/Write Web reports that the company will be getting $10 M of venture cap in Q4 2006.
Written by ewriter on August 17th, 2006 with no comments.
Read more articles on Skype and Software and Security and Services and Solutions.
CALEA, or Communications Assistance for Law Enforcement Act, has a lot of misconceptions surrounding it in terms of its applicability to VoIP, as well as security issues. The IT Association of America (ITAA) has issued a report (PDF, 21 pgs) to educate VoIP service providers. [source: TMC Net]
The deadline for CALEA compliance for VoIP providers is May 14, 2007, and the ITAA questions the ability of smaller providers to comply in time, due to the expected financial cost. Amongst other things, they also question whether standards can be developed for CALEA for VoIP because of all the different VoIP types. The ITAA paper includes Vinton Cerf of Google as an author.
Another group, GLIIF (Global Lawful Interception Industry Forum) issued a rebuttal (PDF, 8 pages) with pretty much the exact same title as the ITAA document.
My pure gut instinct says that the GLIIF report sounds like a bunch of companies protecting their own investment in future CALEA solutions, because my educated guess indicates that their main rebuttal points are in turn refutable. In fact, from the glance I had at the GLIIF document, it contradicts the opinions and public statements about CALEA made by many well-known Internet experts earlier this year.
However, that's just my feeling, and without reading both documents thoroughly, I'm not making any definitive declarations. Ultimately, whether I support it or not, I think all types of VoIP calls will be wiretapped - maybe not immediately because of technical issues, but eventually. It's been that way for decades with PSTN lines, and governments are just not going to give up that kind of surveillance power. (Having worked for telcos, I've heard things that worry me, but things aren't going to change, especially in the current climate of fear.)
Written by ewriter on August 15th, 2006 with no comments.
Read more articles on Security and Regulation and Privacy.
So you’re switching to a VoIP connection as an alternative to your traditional landline in an effort to cut back on communications costs! What happens if the network that provides your VoIP service fails for some reason or the other? Simple – your entire phone system is taken down with the network.
E-security director at Computerlinks, distributor of IT security and Internet technology solutions, David Ellis, has raised a vital question for VoIP service providers to ponder. He stresses that resellers offering voice services must either develop their own security skills or tie up with firms that offer such services for the transfer of the combination of voice and data.
Ellis reiterates that security is of utmost importance when voice and data networks converge, a sentiment that John Fox, business development director at voice reseller ATCSterry, seconds. Fox adds as an aside that it’s the larger providers who need to concentrate on the security aspect for their always-on networks, and not smaller operators who use a virtual LAN to run operations.
Written by pushpa27 on August 12th, 2006 with no comments.
Read more articles on Security.
The VoIP market has been growing steadily as customers begin to accept the benefits of converging their voice, data and video networks in favor of a single infrastructure. However, both vendors and users have begun voicing their concerns over the security implications of switching to such a system. The rise in reliability levels has persuaded companies to begin investing in VoIP to take advantage of the benefits that the technology brings.
If you are a vendor and want to enter the VoIP security space, you must work closely with end-user focus groups. You will notice that it will calm down the irate customers. It will also give you an opportunity to impress potential clients with your knowledge of the VoIP security space.
Written by Sagar on August 8th, 2006 with no comments.
Read more articles on Security.
Hackers-cum-researchers performed an interesting security-testing experiment earlier this year using VoIP phone numbers and Internet social networks. They presented their findings recently at Defcon.
Their primary plan was to determine if secret signals could be passed right out in the open, from enemy agencies to their agents. They theorized that the use of social networks to transmit carrier messages might increase the noise ratio so that it would be harder for "unauthorized parties" to decode the secret but publicly-transmitted messages.
This is in fact a technique already used covertly by intelligence agencies. However, they use shortwave numbers stations, and all governments have denied such operations. The general technique is to broadcast streams of seemingly nonsensical numbers or words, often in a female or child's voice. Of course, the stream represents a code, and only a few parties have the cipher to decode it.
Strom Carlson, a security researcher, and the hackers collective Project Evil teamed up to see if someone could do the same thing using the Internet, particularly using any of the abundant social networks out there. What they did was set up their own numbers stations. But instead of using shortwave transmissions, they used VoIP phone numbers and recordings. If you called such a number, you would hear a stream of code words. They advertised the existence of the VoIP numbers stations using Craigslist pages, using fake messages, to see if anyone would participate.
In short, they were successful getting others with a cryptographic interest to participate and decode messages using a one-time key. They figure enemy forces could be too. This is something proponents of CALEA may want to take note of: if hostile parties want to use VoIP, they are not necessarily going to use unencoded messages. (On the other hand, this experiment by Carlson might just give CALEA proponents more fodder.)
CALEA stands for Communications Assistance for Law Enforcement Act, and, in short, gives any Law Enforcement agency the right to wiretap communications networks, including the Internet and VoIP, in special circumstances. Although to date, it's not on the agenda to tap soft VoIP calls using clients such as GoogleTalk and Skype.
Of course, there are those people that believe that email spam is being used as numbers stations for intelligence communications. Although who is behind it is hard to say. (I particularly notice some interesting word patterns in the spam in my university alumni email account.) Public key cryptography concepts date back centuries, and the Internet is a perfect distribution vehicle. Just never thought VoIP could be used as a supplementary broadcasting outlet.
Additional sources: Slashdot, Homeland Stupidity, Defcon.
Written by ewriter on August 8th, 2006 with no comments.
Read more articles on Security and Networks and Privacy.
While new technology allows greater freedom, law enforcement agencies smell something wrong and get into action. Now it is happening with VoIP. The police and intelligence agencies are planning to ask the government for the power to listen to and identify VoIP callers. The security agencies believe that fraudsters can exploit the VoIP communication system to carry out their illegal activities. At present, law enforcement agencies have great difficulty in tracing the origin of VoIP calls. This poses a serious threat to society. Once the security agencies get the power to track and monitor VoIP calls, your VoIP calls will no longer remain confidential.
Written by Sagar on July 31st, 2006 with no comments.
Read more articles on Security.
Now VoIP users must beware! According to a recent report, VoIP services such as Skype are on the hit list of spammers. Web security firm MessageLabs has conducted thorough research and found that attackers are switching their targets from email inboxes to social networking sites and voice communication systems. For them, VoIP is an easy target, as it does not have any concrete security shield. The increase in phishing attacks in recent days has raised a concern in the VoIP industry. Phishers have turned their attention to new platforms, and VoIP fully fits into their plan.
Written by Sagar on July 30th, 2006 with no comments.
Read more articles on Security.