Spit Will Be Worse Than Spam

KentuckyFC writes "A team of German computer scientists has developed a program that reproduces all the known forms of spit (spam over internet telephony) attack. Their plan is to make the spitting software available to computer security experts wanting to test antispit strategies. Developing these won't be easy. There are various antispit techniques, such as white lists that allow only calls from predetermined callers, Turing tests such as audio CAPTCHAs that make a caller prove he or she is human and payment-at-risk services where the caller makes a small payment in advance and is refunded immediately if the receiver acknowledges the call as legitimate. But all have weaknesses, say the researchers. The main difference between junk calls and junk email is that the email arrives at your mail server before you access it. This gives the server time to analyze its content and filter out the junk before it gets to you. Not so with internet telephony, which is why radically different strategies are needed."

#1 question

Can this get to my regular phone or cell phone?

If yes, then this is a problem.

If no, then this is not that big of a problem.

If yes, but only if the spammers (spitters?) pay for cell minutes or something, then this is not a problem at all.

Re:#1 question

What if VOIP is your regular phone? Then it is a big problem.

Few people use VOIP as their home phone, and problems like this will keep it that way.

Re:#1 question

Actually there are a lot of people that DO use VOIP. Most of the people I know that do, use it because their main form of communication is their cell phone. They have no need for a full service (fee) home number as well.

Re:#1 question

Well, actually, more than 2 million people in the USA alone use VoIP as their home phone.

On to the topic at hand however...

VoIP actually is uniquely structured as to easily be able to prevent SPIT. You see, unlike a cell phone or land line, incoming calls DO get sent through a server, like e-mail, and contracry to the articles ideas.

For big business, running in-house VoIP systems, there is a central server, which has built in software in most cases for call screening and filtering (ShoreTel's system does, I'm sure others do). For home users, Vonage, Time Warner, and others can easily filter calls from their central systems, blocking numbers from known SPITers and from those who spoof caller ID.

A big idea with SPIT is to get you to answer, claim to be someone you are not, demand a payment, and make money. If someone answers the call, it's an issue. Pestering rings at 4AM are a problem, but personally, I disable the VoIP box through a router rule at night, so I simply don't get calls at 4AM (though a voicemail will bounce to my computer and if it;s from a whitelist caller, my computer wakes me, as it's likely a family medical issue.

White lists are one thing, simply not answering blocked calls is another. What I do is a bit of both: I don't ansewr blocked calls, and any calls I get from caller ID where I don't have a name record (I save every phone number I can identify into my phone, and calerID with name fills in the blanks). Calls from unknown local numbers that are important end up either leaving a voicemail, or I call them back. ALL calls from 800, 866, and other likely business extensions, I simply call them back to verify their identity, unless I'm expecting their call, since they rarely leave voicemail...
I also know what companies I do and do not do business with, and since I have a stirct No Telemarketing policy in my house, calls from any business I don't already do business with get a stern request to have me removed from their list (and I track who I spoke to and go after the ones that call back).

All of this is very easy to do with a VoIP system, and much of it can be automated for businesses, or by Vonage or another VoiP Provider. Cell phones and land lines offer no such luxuries, so you;d have to do it all like I do, the hard way...

Re:#1 question

I doubt you'll every see that level of activity. Remember, VoIP calls to a person have to be placed through a central service, and that service does NOT provide free toll charges to businesses the way it does to people.

Folks on Skype, and other non-centralized VoIP (direct IP to IP calling) may be suceptable to this, but since SSkype can't support e-911, it;s not really an issue... IP to Vonage calls, for example, in part run across telco networks, and those incur charges. The SPITers won;t be able to make good on their investment.

Besides, the Teloc netowkrs and VOIP networks would not be able to handle that volume. e-mail gets bogged down due to Spam, but calls either work or not. If this becomes an issue, the FCC will be on it lightning fast and with great ferocity. Each call is a trunk line, not a few packets...

A PC can't really just CALL a Voip line... The softphone, even for the very small percentage of people who use them as opposed to most people on VOIP havoing a hardware device, is a proprietary program, and on the back end is interfacing with an authentication system. Some random virus is not going to be able to interface with Vonage to make calls that way...

Like I said, Skype might be a hackable system, but business voip is all inter-office (VPN tunnels) not open internet calls. Businesses using VOIP use PRI or BRI trunks and traditionsal call networks to place person to person calls (except intra/inter office over secure systems). SPITing on a business extention means placing a call through a terrestrial phone company. Those can be traced, and blocked, if abused.

If SPITing was potentially that successful, I'd be getting 100 calls a day at my home line already.

Also, a Drone infrected PC that was SPITing, how many calls a day do you think it would be making? and how many calls a day (or at a TIME!) is it reasonable for a human to make? It should be easy for phone companies to identify drone VOIP machines and shut them down... Calling habbits for a household are easy to model, and since even a telemarketer working from home has to have a business class phone license, they'll be easy to identify and eliminate false positive screenings. (most home telemarketers run through VPN to a central switch anyway).

This really isn't a big deal. If they ever figure out HOW to make it a big deal, expect strict and sweeping legislation. Attacks on the US phone system are considdered terrorist activity, unlike spam which is just a civil, not even criminal, in most cases offence. Also, VoIP is easy to trace, since it;s clearly a 2 way communication requirement, unlike spam.

DDoS is a possible abuse, but even that should not effect centralized VoIP providers and their customers (100 calls in 3 minutes? block it. Done.)

Re:#1 question

Vonage, Skype, and MagicJack. There are plenty of people out there who use these as their "regular phone."

Re:#1 question

Can this get to my regular phone or cell phone?

That's called telemarketing. This isn't.

This has the potential to be as bad as (or worse) than spam. Think about it - if you were telemarketing, you'd have to hire a bunch of people to work in a call center. This costs money (rent, phone lines, people).

But over VoIP, all you need is an internet connection. Said internet connection just has to connect to a VoIP phone over some standard protocol (Skype, SIP, what have you), and blast the message away. You can convert a botnet from sending spam to sending spam via VoIP quite easily - just change the spam-mailer to a spam-over-voip thing. If your endpoint is a regular phone line to act like a POTS line, well, get a bigger answering machine. It costs little to "spit" millions of VoIP phones, and they'll be sure to try "calling" multiple times in the hopes you pick up (or someone picks up).

It's like why the spam problem is worse than junk mail - sender has to invest in sending junk mail, while spam costs just bandwidth and botnet fees. It probably won't reach normal landlines since things like SkypeOut etc. cost money.

About the only solution would be to ensure that whoever's calling you has a real phone number at the other end and not just an arbitrary IP address. Not sure how foolproof that is, though or if it could be faked. Nor am I sure whether or not things like Vonage will be affected (do they allow calls from non-Vonage (IP-only) and non-incoming line (landline/cell/etc) people?).

Re:#1 question

That's called telemarketing. This isn't.

What's the difference?

This has the potential to be as bad as (or worse) than spam. Think about it - if you were telemarketing, you'd have to hire a bunch of people to work in a call center. This costs money (rent, phone lines, people).

So the difference is how many people you need to do it? Then it's just a matter of degree, and not a fundamental difference. VOIP spam is only worse than telemarketing because there's more of it.

It's like why the spam problem is worse than junk mail - sender has to invest in sending junk mail, while spam costs just bandwidth and botnet fees. It probably won't reach normal landlines since things like SkypeOut etc. cost money.

Funny thing is, I get a lot more paper spam than email spam. From where I stand, paper spam is a worse problem. It certainly kills a lot more trees. And I can't set up a filter for my paper spam.

Re:#1 question

This has the potential to be as bad as (or worse) than spam. Think about it - if you were telemarketing, you'd have to hire a bunch of people to work in a call center. This costs money (rent, phone lines, people).

What about all those pre-recorded calls I get telling me to vote for Hillary Clinton or whoever?

(Disclaimer: That was not a jibe at Hillary. I actually got a call from a real live person working for the Hillary campaign when my state's primaries were looming. She just started talking, so I actually thought she was a recording. I was joking with my wife about "Hillary Clinton" showing up on the caller ID and said, "I told Hill not to call me at home! I wonder if Bill knows how much she calls me? I guess what's good for the goose..." That's when the lady said, "excuse me?" I then realized she was a real person.)

Data is data.

By 'Cell' I mean using Cell for traditional voice, as opposed to using the towers for data.

If you're talking the current (3rd generation) of digital phones, there really isn't a difference between "voice" and "data" as it gets to your cell phone.

Colour of bits in the packet

there really isn't a difference between "voice" and "data" as it gets to your cell phone.

But once it gets to your bill, there's a difference.

Re:Colour of bits in the packet

actually, VOIP works very well. and this is despite the lack of proper QoS management in the internet's infrastructure. however, on a large scale, VOIP only really works in a full managed environment where you can keep voice and data traffic on separate networks, so that the low latency/low jitter needs of VOIP - which doesn't need much bandwidth - won't conflict with the uncritical high bandwidth data hog.

Re:#1 question

If the spammers/spitters pay for the minutes, it's not a problem? Are you sure? I got 1,981 spams last night

If the spitters pay for the minutes, you won't get 1,981 of them.

Call Screening

Seems about the only way to avoid junk calls. I never answer if I don't recognize the number, and certainly not if it's private. Pisses the bank off if I forget about a payment or something, but they'll usually send postcards too. If it's a legit call and they can't be bothered to leave a message, then I can't be bothered to call them back.

Of course, once the spam bots start leaving ads in my voicemail, then I'm getting violent.

Re:Call Screening

Dad,

Your son at college asking for money is not a "spam bot."

-Jim

Spit?

The name leaves a bad taste in my mouth.

(Sorry.)

Spam? Spit? What's next?

Spam? Spit? What's next? Spam in Everday Reading Material?

"I'm getting sick of the SPERM in the morning paper."

Re:Spam? Spit? What's next?

How about Spam in Object-Oriented Graphics Engines?

"Parents! Don't let your kids buy GTA V, its graphics include SPOOGE!"
"Okay Mr. Thompson, it's time for your meds."

(Alright, alright, kind of strained)

Old Turing Test

Play a Special Information Tone [wikipedia.org] before the phone starts to ring. Most autodialers won't waste their time and hang up. Humans will realize it's a fake tone and stay on the line. I don't know if it works with VoIP though.

How is this different than now?

The rapid increase of telemarketing on land lines generically has spawned a whole host of solutions to this "problem", from the only marginally effective legislative angle (the US Gov'ts "Do Not Call" registry) to the completely effective technical ones like Caller ID Whitelisting services offered by the telephone companies.

Ultimately, since most of the VoIP services that have any leverage just extend the PSTN to a network connected voice terminal, the solutions remain the same. Don't accept uninvited sessions from unknown hosts at the terminal. Don't ring the phone for an unknown caller ID. Direct the caller to an IVR asking them for their name, and then give the caller the opportunity to accept or reject the call.

Lastly, perhaps the most effective "anti-spam" measure for voice spam of any kind (be it conventional telemarketers or some new-fangled network-enabled approach) is the simple auto attendant. Even though I don't have numbers in the do-not-call registry (and I see suspect calls hit my Asterisk system all the time) I _NEVER_ get any spam calls. My autoattendant has a voicemail default route and no route for 0 or 1.. this leave s about 99.999% of all junk calls dead in the water.

Anecdote

We had a dialer call through our company last year. It was pretty interesting. All of the phones in our company are on the same trunk. You could tell the dialer was just calling every possible number on the trunk in sequence because a wave of rings went through the office (it's normally pretty quiet). Everyone discovered they had a voicemail from "the job hotline" a little while later. The Attorney General eventually caught the guy and shut him down.

The paper is stupid

They setup a scenario where every call gives the callee a small payment, then find this weakness in it:

"Let us even assume, that Payment at Risk is used for every call. Even In that case an attacker could circumvent it, by impersonating as another user, so that he can establish calls and shift the costs on to ânormalâ customers."

Umm, if they could do that, wouldn't it be more profitable just to impersonate others and call yourself, collecting all their money?

It's a Scheme to Sell Spitware to End Users

As someone that runs a VOIP server, I can speak from limited experience.

1. Unlike email, The offender needs a block of voip numbers to do any meaningful spitting. Those blocks aren't as costless as sending spam. Let's argue for a minute they don't need blocks. The VOIP server should not be allowed to process more than ~2 calls out per number. That's a configuration issue. On proprietary voip server software, I don't know if that's possible, but on openser it is.

2. This _should_ be the responsibility of the VOIP host, except we know that most current providers won't do it for free. It can, and should be automated. ex. *69 reports the call as spam. Even if the call is coming from a peering host, the source can be halted swiftly.

3. DB queries on call volume should identify the offender within 30 minutes anyway.

The article is an advertisement disguised as news.

Yeah, let's captcha the entire Internet

Want to view a web page? Count the super-distorted kitties in this sequence of letters, numbers & symbols on the Stargate chevrons.
Want to leave a comment? Decrypt this email address that's worse than slashdot's email address obfuscation system, where you spend more time decrypting it than sending in a message.
Want to create an account? Play this java applet where you have to click on the moving bunny.

Ah, what a utopia. A whole internet that doesn't know if you are a dog, but will quiz you to make sure you are not a robot construct, or some farmer in India.

Re:Server first

The point is that the contents of the communication cannot be analysed in advance. The system doesn't know what the caller will say until the conversation has started and you have already been disturbed.