U.S. Government Issues Report on VoIP Security Holes
ranson writes "PC World is reporting on VoIP technology's threat of being manipulated by hackers, through call interception and DoS attacks on users' internet connections. While these threats are nothing new, the article cites an interesting government report on the topic, as well as its author, who believes a VoIP user's best protection is security by obscurity."
VOIP calls aren't encrypted? (Score:5, Insightful)
Re:VOIP calls aren't encrypted? (Score:5, Informative)
The calls... are highly secure with end-to-end encryption. [skype.com]
Whether their scheme is snake oil or for real, I don't know, as I can't find any documentation on it, much less source code.
Re:VOIP calls aren't encrypted? (Score:5, Insightful)
Anyway, it is hard to imagine the FBI allowing ordinary consumers to have encryption they cannot break on their telephone calls. Moderately easy to break, but obscure, encryption is exactly what they would be looking for. 99% of criminals will be too dumb to break it, and the other 1% are needed to justify the homeland security budget.
Re:VOIP calls aren't encrypted? (Score:5, Insightful)
Re:VOIP calls aren't encrypted? (Score:1)
Re:VOIP calls aren't encrypted? (Score:3, Interesting)
Key escrow? (Score:1)
Re:VOIP calls aren't encrypted? (Score:2)
Maybe I can tell you a little secret? WORLD does not equal USA. And VOIP is not a US-only thing.
So FBI can scream all they want. We can still have encryption in the FREE world.
Re:VOIP calls aren't encrypted? (Score:2)
As for citizens of other countries, they are subject to various degrees of US influence....
Re:VOIP calls aren't encrypted? (Score:2)
sorry
Re:VOIP calls aren't encrypted? (Score:2)
Re:VOIP calls aren't encrypted? (Score:1)
There is more difficulty than you assume in the process intercepting RTP/RTSP traffic and playing back the audio data.
Re:VOIP calls aren't encrypted? (Score:5, Informative)
Re:VOIP calls aren't encrypted? (Score:4, Informative)
Calls between Skype software users (PC-to-PC calls) are secure and encrypted. Calls to standard telephone or mobile numbers are encrypted until they reach public switched telephone network. Note that in a conference call where one participant is a PSTN (regular telephone or mobile phone) number/phone number, the padlock icon will not appear indicating that the call is not encrypted.
Re:VOIP calls aren't encrypted? (Score:2, Interesting)
Latency issues?! (Score:3, Informative)
I'd imagine stream compression would be a harder problem than stream encryption.
Of course you've still got to do some sort of shared key or PK exchange, but that's call setup latency so it's no big deal.
Re:VOIP calls aren't encrypted? (Score:3, Interesting)
But for the record, CALEA has nothing to do with VOIP/SIP being encrypted or not. It was more about keeping it simple. Then you are free to add encryption at a lower layer. Much easier to add encryption just prior to the net.
My VoIP calls are secure. (Score:4, Funny)
Re:VOIP calls aren't encrypted? (Score:3, Informative)
Re:VOIP calls aren't encrypted? (Score:5, Informative)
"ENCRYPTION- A telecommunications carrier shall not be responsible for decrypting, or ensuring the government's ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication."
Which in my first glance at this means that VoIP can be encrypted, though if the carrier handles too much of the private key generation, which would be necessary for any non-technical user, the carrier must keep the key for law enforcement use. (I'm thinking that a standalone VoIP phone would need a factory generated key on EEPROM, though software VoIP could use your average PC to generate a key itself.) But then again I'm not even sure if this applies to VoIP since this isn't exactly a service I'm currently familiar with. I'll note though that this is the only place "encryption" came up in a search of the law itself, so there's not much more to look at than the above quote. However, what the FBI and FCC have done in regulations may be a totally different matter. Can anyone clear this up more or is it just a regulatory mess?
Re:VOIP calls aren't encrypted? (Score:3, Interesting)
6-8 weeks ago I exchanged email with Vonage on this very subject. What security protocols do they follow for protecting signaling/bearer traffic? big black hole getting meaningful information - but was _assured_ they used 256 bit encryption with a xx bit nonce. Now I read a Vonage representative is asserting they do not perform encryption? Somebody was not telling the truth.
Regarding CALEA: when you make a phone call (UMTS,GSM,VoIP- doesn't matter), your connection is routed via a switch.
Re:VOIP calls aren't encrypted? (Score:2)
Perhaps they were discussing digest authentication used for signaling? (It's not strong by any means -- requests can be read and modified in flight even though the password is protected from interception; it's literally the exact same mechanism used for HTTP Digest authentication).
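To make the scope of that protection concrete, here is an added example (not code from the post or any SIP project) of the RFC 2617 digest computation that SIP reuses, written as the registrar-side check: it shows which request fields the digest binds (method, request-URI, nonce) and that only qop=auth-int also binds the message body; the sample nonce, realm, user and SDP body are constructed.

```go
package main

import (
	"crypto/md5"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// DigestRequest carries the fields a SIP server needs to check an Authorization header.
type DigestRequest struct {
	Method, URI, Realm, Username, Nonce, Cnonce, NC, Qop, Body string
}

func md5Hex(s string) string {
	sum := md5.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

// HA1 is what a registrar can store instead of the plaintext password.
func HA1(username, realm, password string) string {
	return md5Hex(username + ":" + realm + ":" + password)
}

// Response recomputes the expected "response=" value (RFC 2617 as used by RFC 3261).
// With qop=auth-int the body hash is folded into HA2; with qop=auth or no qop it is not.
func Response(ha1 string, r DigestRequest) string {
	var ha2 string
	if r.Qop == "auth-int" {
		ha2 = md5Hex(r.Method + ":" + r.URI + ":" + md5Hex(r.Body))
	} else {
		ha2 = md5Hex(r.Method + ":" + r.URI)
	}
	if r.Qop == "" { // legacy RFC 2069 form: no nonce count or client nonce
		return md5Hex(ha1 + ":" + r.Nonce + ":" + ha2)
	}
	return md5Hex(strings.Join([]string{ha1, r.Nonce, r.NC, r.Cnonce, r.Qop, ha2}, ":"))
}

// Verify is the server-side check; the stored HA1 means the password never has to be kept.
func Verify(ha1 string, r DigestRequest, presented string) bool {
	return subtle.ConstantTimeCompare([]byte(Response(ha1, r)), []byte(presented)) == 1
}

// Sample is a constructed INVITE (documentation address 192.0.2.10 in the SDP).
var Sample = DigestRequest{
	Method: "INVITE", URI: "sip:bob@example.com", Realm: "example.com", Username: "alice",
	Nonce: "dcd98b7102dd2f0e8b11d0f600bfb0c093", Cnonce: "0a4f113b", NC: "00000001",
	Qop: "auth", Body: "v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 49170 RTP/AVP 0\r\n",
}

func main() {
	ha1 := HA1("alice", "example.com", "correct-horse-battery") // constructed password
	presented := Response(ha1, Sample)
	altered := Sample
	altered.Body = "v=0\r\nc=IN IP4 198.51.100.7\r\nm=audio 49170 RTP/AVP 0\r\n"
	fmt.Println("qop=auth, body changed, still verifies:", Verify(ha1, altered, presented))
	Sample.Qop, altered.Qop = "auth-int", "auth-int"
	fmt.Println("qop=auth-int, body changed, verifies:", Verify(ha1, altered, Response(ha1, Sample)))
}
```

Even auth-int leaves headers such as From, To and Contact outside the digest, which is why SIP over TLS (SIPS) is the usual answer for signaling integrity.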
Re:VOIP calls aren't encrypted? (Score:1)
I can't imagine why it would. All you need to do is add a little "lock" icon in the lower right-hand corner of the screen. That's - what? 100 pixels of overhead? Practically nothing.
Re:VOIP calls aren't encrypted? (Score:1)
Don't assume that the difficult part of the "encryption" requires the plaintext. All you really need (and this is what GSM/UMTS does) is a way to "agree" on a pseudo-random number sequence. You can pre-generate that sequence (within certain constraints) and apply it by an xor to the plaintext. The receiving end does the same.
How do you agree on a pseudo random sequence? You run AES (or any block cipher) in one of its feedback/chaining modes. A
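The pre-generation idea above in working form, as an added example that is not from the post: AES in counter mode (the mode SRTP uses by default) produces the keystream ahead of time, so the per-frame work on either side is a 160-byte XOR. The key, nonce and audio frames are constructed for the demo; in a real call the key comes from the call-setup exchange and the nonce must never repeat under the same key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Constructed demo values: a 32-byte AES-256 key and a 16-byte CTR nonce agreed at call setup.
var demoKey = []byte("0123456789abcdef0123456789abcdef")
var demoIV = []byte("call-setup-nonce")

// FrameSize is one 20 ms G.711 frame (8 kHz, 8-bit samples).
const FrameSize = 160

// Keystream is one side of the call; both sides build it from the same key and nonce.
type Keystream struct {
	stream cipher.Stream
	buf    []byte // keystream bytes computed ahead of the audio
}

func NewKeystream(key, iv []byte) (*Keystream, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return &Keystream{stream: cipher.NewCTR(block, iv)}, nil
}

// Pregenerate runs the block cipher while the codec is idle. Encrypting zeros in
// CTR mode yields the raw keystream, which is all that is needed later.
func (k *Keystream) Pregenerate(frames int) {
	zeros := make([]byte, frames*FrameSize)
	out := make([]byte, len(zeros))
	k.stream.XORKeyStream(out, zeros)
	k.buf = append(k.buf, out...)
}

// Apply XORs one frame with the next FrameSize keystream bytes; the same call
// encrypts on the sender and decrypts on the receiver, as long as frames stay in order.
func (k *Keystream) Apply(frame []byte) ([]byte, error) {
	if len(frame) != FrameSize {
		return nil, errors.New("frame must be exactly one codec frame")
	}
	if len(k.buf) < FrameSize { // ran ahead of the pre-generated buffer: top it up
		k.Pregenerate(1)
	}
	out := make([]byte, FrameSize)
	for i := range frame {
		out[i] = frame[i] ^ k.buf[i]
	}
	k.buf = k.buf[FrameSize:]
	return out, nil
}

func main() {
	sender, _ := NewKeystream(demoKey, demoIV)
	receiver, _ := NewKeystream(demoKey, demoIV)
	sender.Pregenerate(50) // one second of keystream before the first frame arrives
	receiver.Pregenerate(50)
	frame := make([]byte, FrameSize) // constructed silent frame
	ct, _ := sender.Apply(frame)
	pt, _ := receiver.Apply(ct)
	fmt.Printf("ciphertext differs: %v, round trip ok: %v\n", ct[0] != frame[0], pt[0] == frame[0])
}
```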
Discussed on the Vonage VoIP Forum (Score:5, Informative)
"Slashdot" attack. (Score:2)
You have attempted an unknown attack on this site."
99 Pages, and a bitch aint one (Score:4, Funny)
Maybe... (Score:2)
Sunrocket is in trouble? (Score:1)
Re:Obscurity (Score:1, Troll)
And in spite of your obscurity,
Funny thing is, It does not matter if you live in the states or not.
Ignorance is soooooo bliss.
Re:Obscurity (Score:2, Insightful)
Re:Obscurity (Score:1)
Security through obscurity indeed!
not true (Score:2)
also, making it obscure means someone will have to be rooting around which gives you an opportunity to catch them.
stop the presses! (Score:4, Funny)
it's easy to see he's an expert. i mean, who else could come up with such an idea? the very premise of it is far-fetched to the point of hilarity. to think that as a product becomes more widely used it is targeted by a larger population...craziness.
Damned if you do, damned if you don't (Score:3, Insightful)
Re:Damned if you do, damned if you don't (Score:1)
Re:Damned if you do, damned if you don't (Score:2)
VOIP nope not for me (Score:3, Insightful)
Big business is who wants VOIP cause they want to get rid of the expensive telecom infrastructure and gain a higher degree of control.
Re:VOIP nope not for me (Score:3, Insightful)
Give it time. VoIP will become every bit as protected. There's already too much money flowing in the biz to let it go by the wayside now.
What I think WILL happen is a mass consolidation of most of the current small VoIP companies. Then, of course, prices will rise.
Re:VOIP nope not for me (Score:2)
Re:VOIP nope not for me (Score:2)
It's an opinion, but I really do think it'll happen.
Remember when there was a real choice of ISPs, other than the Bells and Cable? I'm talking regional ISPs. I started on a small, county-wide ISP that went through three purchases before it became part of Covad's operations.
Right now I see the VoIP industry in the same place. You get a fairly large choice as far as who your provider can be, but, as things start to get more regulated, the bottom line's only going to get tighter
Re:VOIP nope not for me (Score:3, Interesting)
I have switched to VoIP and have 1 copper line incoming for only failover during power outages.
VoIP, at least from a decent provider can be awesome as soon as you plop an Asterisk box in front of it. ( the crappy providers will not let you use Asterisk so be sure to ask before you buy)
This gives me services that no phone company on the planet can offer. My phones do not ring after 10pm unless the callerID matches a number in the important list. telemarketers never get thr
Re:VOIP nope not for me (Score:2)
My provider - Broadvoice - definitely allows you to use an asterisk system, or any other, for that matter, under their BYOD plans. They provide pretty detailed instructions to get you up and running, too. The fact that they don't hide their setup information was the main reason I went with them.
Re:VOIP nope not for me (Score:2)
I want them to get their act together, because no one else comes close on price/features when combined with Asterisk.
Re:VOIP nope not for me (Score:1)
Re:VOIP nope not for me (Score:1)
woulda been nice to know it was PDF ... (Score:3, Insightful)
Imagine this, you're far, far away in some distant, lost, Internet cafe. You are deeply in the backwoods of the third world. Your cellular 911, for some reason, isn't working. You see a
1) Is the system locked up?
2) How much is this going to cost now?
3) Is that MODEM actually starting to smoke?
IMHO, PDFs or links, especially unlabelled ones, are less than professional. Please, just say no.
How to Decrease PDF Load Time (Score:3, Informative)
1. Install Adobe Reader 6.0 and notice where it is installed.
2. Navigate to that folder in Explorer, locate the plug_ins subfolder and rename this folder to plug_ins_disabled.
3. Create a new plug_ins folder.
4. Move the files EWH32.api, printme.api and search.api from plug_ins_disabled to plug_ins.
From http://www.mozilla.org/support/firefox/faq#acrobat [mozilla.org]
Re:woulda been nice to know it was PDF ... (Score:2, Informative)
I would highly recommend Firefox plugin/extension TargetAlert [bolinfest.com]. This extension places a small icon next to links to indicate the type of link it is, including a small PDF icon for PDF files, a Word icon for Word files etc.
I knew it was a PDF link :-)
Re:woulda been nice to know it was PDF ... (Score:1)
Re:woulda been nice to know it was PDF ... (Score:2, Funny)
Re:woulda been nice to know it was PDF ... (Score:1)
Might be helpful to you too.
Re:woulda been nice to know it was PDF ... (Score:2)
If you are so &*%# worried about it... (Score:2)
IMHO, PDFs or links, especially unlabelled ones, are less than professional.
Yes, it certainly is unprofessional for a
Look Sparky, if you are so &*%# worried about it, then - before you click on the link - place the mouse pointer (the li'l thingie that you move around the screen to click stuff)
Re:If you are so &*%# worried about it... (Score:2)
http://www.g4tv.com/screensavers/features/45796/PDF_Usability_Crimes.html [g4tv.com]
"I hate PDF..."
http://wired-vig.wired.com/news/politics/0,1283,64346,00.html?tw=wn_tophead_1 [wired.com]
PDFs suck, people!
http://www.garethjmsaunders.co.uk/pc/computer/pdf-suckweb.txt [garethjmsaunders.co.uk]
WHY PDFS SUCK
http://jessey.net/archive/2005/02/16/pdfs-suck/ [jessey.net]
I guess I'm really not too surprised that so many people can't or won't get the whole "PDF" issue. PDFs are not web pages, plain and simple. The use of PDFs for other than
Re:If you are so &*%# worried about it... (Score:2)
I guess I'm really not too surprised that so many people can't or won't get the whole "PDF" issue. PDFs are not web pages, plain and simple.
Neither are MPGs, JPGs, MOVs and myriad other files with links pointing to them.
The use of PDFs for other than for their intended purpose is, yes, less than professional.
The point of PDF is to allow people to view the same document in the same way on many different platforms. I suppose you have a different definition of "intended purpose", but that makes no d
Re:If you are so &*%# worried about it... (Score:2)
Sure, and all the issues and problems that have come with them. Sure we use them, but usually only until an open standard becomes widespread.
The point of PDF is to allow people to view the same document in the same way on many different platforms. I suppose you have a different definition of "intended purpose", but that makes no difference: see what the vendor has to say about it.
Actually, the intention was to allow printi
Gun in a field (Score:5, Insightful)
Imagine every person in the world standing in a gigantic field. In the direct center of everyone is a rifle pointed at the sky.
When the rifle fires, the bullet will go up and then come down and hit some poor sap. But if one were standing in that crowd one could virtually count one's self out as being crowned that sap.
Virtually, but not completely.
That's the problem with security by obscurity. Sure it lowers the chances of being hit. But it's not really security at all.
Is it?
Re:Gun in a field (Score:2)
Re:Gun in a field (Score:2)
Re:Gun in a field (Score:1)
Of course, the more people who stand on the field, the more likely that SOMEONE will be hit increases.
Re:Gun in a field (Score:3, Insightful)
Each individual looks at the situation and determines that their own costs are very, very low--while getting hacked/shot is annoying, the odds of it happening are pretty outside. Taking the "cost" as being the actual cost of an incident times the likelihood of an incident, and you get a pretty low number.
But considering the same question from a group point-of-view, it's not a question of w
Your analogy is bad. (Score:2)
A better analogy of security through obscurity is you have a guy standing on a tower in the middle of a field with a rifle and one bullet. If you're the only guy in the field, it's going to be you. By filling the field with other people, you virtually guarantee you won't be the one who gets shot.
Of course, that doesn't mean
Re:Gun in a field (Score:2)
If the hunter is a "good guy", his bullets will be true and strike you with deadly justice and accuracy.
If the hunter is a "bad guy", he'd just as likely miss the whole herd...
Re:Gun in a field (Score:4, Interesting)
Erm, isn't our current knowledge of encryption technology based much on secret numbers? Well, it is 1 in 2^128 or 2^256 or some huge number, but is this the similar analogy you use?
Well, first off security CAN be improved, but it uses the same techniques I use for software protections.
There should be no meta-data telling what encrypted the data, what encryption schemes, or whatever to even start off. You should consider these to be the first 'shared secrets'. This has a side benefit as when a 3rd party attempts to decrypt it, it just gives garbage in which SOMETHING has to interpret. It should not be as simple as "GPG v3.2 Diffie-Hellman 4096 bit key" does not match
Next off, all decryption attempts should go through. What would you rather do: scan the encrypted files for headers in which to try dictionaries OR be forced to try all types of encryption to try to guess which one does what (if you can).
The next, for network security, is 'knock knock' scripts. What's safer: login/passwd prompt on ssh OR 10 timed packets aimed at different ports (that change on time of day) that then proceeds to open ssh until disconnect?
I know what I'd choose if my security depended on hiding, firewalling THEN login/passwords.
The whole point is OBFUSCATION is a valid security mechanism, not that is the end-all be-all or anything, but it does have its places.
Re:Gun in a field (Score:2)
What happens if a bear attacks us?
The old guy responds, "We run".
The kid says, "but there's no way you can outrun a charging bear."
The old man stops, turns to the kid and says, "I don't have to outrun a charging bear; I only have to outrun you."
So it's not just a matter of standing in a field catching bullets; it's also a matter of
Re:Gun in a field (Score:2)
When the rifle fires, the bullet will go up and then come down and hit some poor sap.
I always wondered where did this notion of bullet fired up, coming back and killing someone come from.
You realize that falling bullet will come to constant speed relatively fast due to air resistance, right? Right?
Security through Obscenity (Score:1)
Re:Gun in a field (Score:1)
Security rarely (never?) means 100% secure against all possible attacks. Rather, we consider what attackers are likely to do, what they are motivated to do, what they are capable of doing.
If someone out there decides I, personally, need to die, and they are motivated and capable of putting serious effort int
BSD? (Score:1, Informative)
How easy is it to tap VOIP? (Score:1)
US government reports on security holes? (Score:1)
So what was I supposed to learn? (Score:3, Insightful)
Ok so they can DOS your network connection and kill your VOIP. Uhhh, if you're being successfully DOS'ed you've got bigger problems than your VOIP not working.
Oh and the other horror? They can listen to your calls? As the article points out this is currently trivial with the POTS, and again if someone can successfully listen in on your full network connection you've got bigger problems than your VOIP not working.
So why should I be scared again? Sounds like anti-VOIP F.U.D. to me.
What about Skype? (Score:1)
Bah! (Score:3, Informative)
Convincing all the SIP implementations to support SRTP is the Right Thing as a long-term solution -- heck, just implementing SRTP support for Asterisk would be a big improvement. As an immediate-term solution (particularly for companies using VoIP to connect with remote users or branch offices), running over a VPN (particularly with IAX trunking if you're connecting branch offices,
FUD from government (Score:2, Funny)
In this world only the paranoid survive.
We need dedicated boxes (Score:5, Insightful)
VOIP is actually more physically secure than PSTN. You can't just hook a speaker up to a DSL line and hear the conversation on it. The problem is, your computer, and every router between you and your VOIP provider, is a general purpose device. Other people and services have access to it for all kinds of legitimate reasons; each of these provides places where people/programs can input data that can potentially directly affect your voice communications or get privilege escalation on the device and indirectly affect it. ANY security person knows to be wary of input! And think of all the ways of getting input to (and theoretically compromising) a PC. What we need is a dedicated physical console for VOIP (a small Linksys network device running OpenBSD or Linux and Asterisk sounds good). The actual VOIP data should be sent through an SSH tunnel or some kind of VPN.
FYI speakfreely (Score:1)
http://www.speakfreely.org/ [speakfreely.org]
How hard can it be to encrypt packets? How hard can it be to tunnel the VoIP through an SSH tunnel?
So, my free solution here would be to install OpenSSH (yes there is one for windows and it's free) and putty. Then you just redirect the port of the VoIP thing and that's it. You just have another setup like that in the other end.
http://sshwindows.sourceforge.net [sourceforge.net]
http://www.chiark.gre [greenend.org.uk]
Re:FYI speakfreely (Score:1)
Perhaps a better solution would be something like x.509 certs. End points identify each other (could eliminate caller id spoofing) and the end points generate a couple of random keys to use to encrypt the traffic. Hell, if you don't care about identifying the end-points
Re:FYI speakfreely (Score:1)
Ain't No Magic, here. (Score:3, Insightful)
On the other hand, IPv6 will solve all our problems, right?
The big problem with VOIP (Score:4, Funny)
These dipshits sell the customer on these solutions and then when it doesn't work (routing probs or dropouts from no QOS) they call us in to sell the customer a couple thousand dollars worth of services and hardware to sell the problem. I don't mind the business but working with a customer who is on the brink of becoming an axe murderer isn't pleasant.
The government has a good reason to say this... (Score:3, Insightful)
VoIP is much tougher to tap by comparison. Remember kids, "Terrorism" is the new "Communism"(tm)
Re:The government has a good reason to say this... (Score:1)
Wow. Are the terrorists really on track to kill 100 Million people this century?
US Gov fears VoIP encryption will defeat wiretaps. (Score:1)
"Please, continue to use your local telco, your cell phones, and especially text messaging and email.", some random official might say. "Watching for terrorists has never been so easy!"
no it won't (Score:2)
No, they will install software that intercepts your voice from your pc.
What it will stop, is random selection of conversations and storing conversations on a giant database to be scanned 'just in case'.
Re:no it won't (Score:1)
Internet telephony who to choose. (Score:1)