Security: Lack of response from customercare...
ToddlerTN
Vonage Forum Evangelist
Joined: Feb 12, 2005
Posts: 482
Location: Nashville, TN
Posted: Mon Mar 28, 2005 12:50 pm
I don't think anyone is saying don't be concerned about privacy or security in general. But this specific fear--that someone will be able to capture your VoIP packets, reassemble all of your calls and extract your credit card numbers from those conversations--probably belongs at the bottom of any practical list of privacy/security concerns.
_________________
Comcast 6/768
Vonage customer since 01/05
RT31P2 running behind WRT54G w/Sveasoft Alchemy-V1.0 v3.37.6.8sv
rebus
Vonage Forum Evangelist
Joined: Dec 04, 2004
Posts: 448
Location: Tampa Bay
Posted: Mon Mar 28, 2005 9:23 pm
ToddlerTN wrote:
I don't think anyone is saying don't be concerned about privacy or security in general. But this specific fear--that someone will be able to capture your VoIP packets, reassemble all of your calls and extract your credit card numbers from those conversations--probably belongs at the bottom of any practical list of privacy/security concerns.
It depends who you ask, and it's not just credit card info. It's any subject considered private. Personal matters, banking information, business plans-- pretty much anything you wouldn't stand on the street corner and tell the world. This whole issue is fairly easy to fix, because encrypting network traffic is trivially easy. HTTPS. SFTP. VPN. SSH. RDP-- these are secure protocols we use every day. Run VoIP traffic over SRTP instead of RTP, and voila, problem solved and everybody's happy.
LuisPR
Vonage Forum Master
Joined: Oct 08, 2004
Posts: 292
Posted: Tue Mar 29, 2005 12:33 am
Post subject: Industry group sets out to make VOIP secure
Industry group sets out to make VoIP secure
Stephen Lawson, IDG News Service
29/03/2005 13:14:49
A group formed to head off VoIP (voice over Internet Protocol) security problems laid out its first set of priorities on Monday: setting up a taxonomy to classify threats and establishing the requirements for making VoIP secure.
The VoIP Security Alliance (VOIPSA), which was established last month and includes Verizon Communications, Nortel Networks, VeriSign, PricewaterhouseCoopers and about 50 other vendors and service providers, also announced its first board of directors.
Initially, the group will set up two committees, according to David Endler, VOIPSA chairman and director of security research at Tipping Point, a 3Com company that sells intrusion prevention gear. One committee will figure out a way to classify threats and the other will define security requirements for VoIP equipment and security components, as well as for network architecture and management and user authentication. Armed with the results of these committees, VOIPSA will move on to defining best practices, developing test methodologies, driving research into vulnerabilities and educating the industry and public, Endler said. VOIPSA is not intended as a standards organization but as a vendor-independent resource for the industry, he said.
VOIPSA aims to prevent a common problem with popular new technologies, such as Wi-Fi wireless LANs, in which the technology is quickly adopted and only later does the industry find and address security problems, Endler said.
Potential dangers to VoIP include DDOS (distributed denial of service) attacks, voice spam and a form of phishing in which attackers could spoof the phone number of a legitimate caller on a caller ID display, Endler said. The threats are only beginning to emerge, but over time they're likely to proliferate, even getting into the hands of inexperienced hackers known as "script kiddies," he said.
"The same security threats that plague data networks today are inherited by VOIP," Endler said. But the addition of VoIP as an application on the network makes those threats even more dangerous, he added. For example, a DDOS attack may slow down someone browsing the Web, but on a VoIP network it could prevent 911 calls, he said. "By adding VoIP components to your data network, you're also adding new security requirements."
Though the group has a broad roster of equipment vendors, service providers and security companies, major VoIP names such as Cisco Systems, Vonage Holdings and chip maker Texas Instruments are not yet members. Those companies all have been invited, Endler said.
Cisco declined the invitation because it's already working on enhancing VoIP security through standards organizations such as the Internet Engineering Task Force, International Telecommunication Union and SIP (Session Initiation Protocol) Forum, said Roger Farnsworth, a Cisco product marketing manager. Cisco believes it ships secure VoIP systems today and has published its own set of guidelines for implementing secure IP telephony as part of the Cisco SAFE Blueprint series, he said.
"We thought it would be redundant to join another group that is addressing these problems," Farnsworth said. "If they specify activities that are in the interests of the industry and aligned with Cisco's interests, we'll be the first to line up," he added.
IDC VoIP analyst William Stofega is cautiously optimistic about the alliance.
"I think they have enough critical mass between carriers and vendors that it should provide enough momentum to solve some of the outstanding problems," Stofega said. However, the addition of more service providers and a dominant company such as Cisco or Microsoft Corp. would help, he added.
Other major threats to VoIP networks include spam calling, tapping into calls and denial of service, Stofega said.
One frequently overlooked area that should be addressed in VOIPSA's guidelines is physical security for server rooms, Stofega said. An attacker who gets access to a server can wreak havoc, and the results could be especially devastating if that server is running a company's phone calls, he said.
http://www.computerworld.com.au/pp.php?id=126733506&fp=16&fpid=0
mohrds
Vonage Forum Junior
Joined: Apr 05, 2005
Posts: 34
Posted: Thu Apr 14, 2005 10:50 am
Just because there is a low statistical chance of it happening, doesn't mean that VoIP carriers shouldn't perform Due Diligence when deciding security policies.
Being a technology security consultant for the financial industry, I deal with these kinds of issues every day. It is absolutely scary to see how many companies take lackadaisical approaches to information security. It is cheaper to recover from a few exposures than to invest in preventing it. It is an awful policy.
Consumers are given a false sense of security due to advertisements where a company uses security buzz words to describe its offerings.
Unfortunately, no VoIP provider is going to invest in secure communication until people demand it. So if everyone demands it and talks about it often, they will look at the market demand and act accordingly.
Doug
Skyla
New Forum Member
Joined: Apr 22, 2005
Posts: 1
Posted: Fri Apr 22, 2005 6:35 pm
Just a side note to the lack of security. Okay, one does not give out credit card or other account numbers on the phone, but just idle chatter. How often have you talked about going somewhere and for how long? Mention you just bought something.
How often has your child talked on the phone and told their friends what they are wearing and where they are going? All seems uninteresting.
Now what can someone do with such information? Well, if you are planning a weekend away and you call to tell someone you will be away for the weekend. Someone may find that your house is now vacant and when you come back your house will be empty.
Or something that concerns me, a daughter says she is going to the park for the day and she is wearing her favorite shirt that says kiss me. And someone finds the phone number and then checks the address and then goes to the park and then the police come and visit my house when she doesn't return.
Idle chatter can be just as dangerous and just because it is not a problem now, doesn't mean it won't happen in the future.
The difference between POTS and VoIP is ease of availability for the information being passed. One has to find the actual wire to connect to versus a continuous search for unencrypted traffic by a machine.
Nothing is totally secure but most of us still lock our doors just in case.
Skyla
libove
Vonage Forum Associate
Joined: Apr 27, 2004
Posts: 17
Location: Barcelona, Spain
Posted: Sat Apr 23, 2005 8:50 pm
Post subject: I got a Vonage rep to send an email indemnifying me
When I first signed up with Vonage, being one of them (ISC)2 CISSP types, I asked Vonage about their security intentions. Of course I got the ignorant customer service party line about it being secure.
So I asked them to send me an email saying that I'd be indemnified against all losses occurring as a result of a security breach on the part of Vonage's unsecured VoIP service... and they did.
Not worth much, of course, since customer service reps aren't usually given the authority to bind a company to that kind of thing, but, hey, if someone's Vonage service actually gets hacked and they suffer a loss (even just calls billed to them that they didn't make), drop me a line, I'll send you a copy of the email so you can hand it to your lawyer as some degree of evidence that Vonage was deliberately failing its security due diligence :)
-Jay
Atlanta
jmpage2
Vonage Forum Junior
Joined: Feb 22, 2005
Posts: 36
Posted: Sat Apr 23, 2005 9:27 pm
The primary challenge for Vonage is that doing encryption/decryption of the RTP stream induces some additional latency in the transmission time (up to 10-20ms per encrypt/decrypt DSP operation) and it also requires a faster processor in the router to handle the encryption.
As far as the signalling goes, secure SIP is a pretty good standard and there's probably little reason that Vonage could not support it, although I think Vonage uses all Cisco gear in their core and I'm not sure if Cisco even supports SSIP yet (I work for a large competitor of Cisco in the VoIP space and we have security as we have a lot of military/govt accounts that require it).
As others have said, it would be extremely easy to build an ethereal filter that simply looks for one of several hundred bank phone numbers as the dialed number in that section of the SIP initiate message, then the sniffer dumps all the packets into a file. Then the hacker plays them back and writes down the credit card numbers, last four digits of your social, etc.
Believe me, this is a big deal and there are some very smart people with too much time on their hands who are already looking at ways to do this to compromise your identity. Vonage should be taking this very seriously, it's definitely "worth someone's time" to spend a few weeks putting a scanner together if it nets them several hundred CC#s or enough information to steal someone's identity.
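A defender's check for the exposure discussed in the post above, as an added example that is not part of the original thread: this Python code audits a SIP INVITE and its SDP offer and reports whether the signalling (where the dialed number travels) and the audio are negotiated in the clear or protected (sips: over TLS, SRTP with keying material). The sample messages, addresses, phone numbers, key placeholder and finding codes are all constructed for illustration.

```python
"""Audit a SIP INVITE for cleartext signalling and media (added example)."""
SECURE_TRANSPORTS = {"TLS", "TLS-SCTP", "WSS"}  # Via transports carried over TLS

def build_invite(transport, scheme, profile, crypto=False):
    """Constructed sample INVITE with an SDP audio offer (not real traffic)."""
    head = [
        f"INVITE {scheme}:18005550100@voip.example.net SIP/2.0",
        f"Via: SIP/2.0/{transport} 192.0.2.10:5060;branch=z9hG4bKconstructed",
        "Call-ID: constructed-1@192.0.2.10",
        "CSeq: 1 INVITE",
        "Content-Type: application/sdp",
    ]
    sdp = ["v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10",
           "t=0 0", f"m=audio 49170 {profile} 0", "a=rtpmap:0 PCMU/8000"]
    if crypto:  # SDES keying attribute; the key is a placeholder
        sdp.append("a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDERKEY")
    return "\r\n".join(head) + "\r\n\r\n" + "\r\n".join(sdp) + "\r\n"

def audit_invite(message):
    """Return (code, detail) findings; an empty list means nothing in the clear."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    findings = []
    # Signalling: the dialed number travels in the Request-URI.
    request_uri = lines[0].split(" ")[1]
    if not request_uri.lower().startswith("sips:"):
        findings.append(("uri-not-sips", request_uri.split(":")[0]))
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() in ("via", "v") and value.strip():
            transport = value.split()[0].split("/")[-1].upper()
            if transport not in SECURE_TRANSPORTS:
                findings.append(("via-cleartext", transport))
    # Media: walk the SDP and remember keying attributes per media section.
    session_keyed, media = False, []
    for line in body.splitlines():
        if line.startswith("m="):
            kind, _port, profile = line[2:].split()[:3]
            media.append([kind, profile.upper(), False])
        elif line.startswith("a=crypto:") and media:  # SDES, media level only
            media[-1][2] = True
        elif line.startswith("a=fingerprint:"):  # DTLS-SRTP, either level
            if media:
                media[-1][2] = True
            else:
                session_keyed = True
    for kind, profile, keyed in media:
        if "SAVP" not in profile:  # RTP/AVP and RTP/AVPF are plain RTP
            findings.append(("media-cleartext", f"{kind} {profile}"))
        elif not (keyed or session_keyed):
            findings.append(("srtp-no-keying", f"{kind} {profile}"))
    return findings

if __name__ == "__main__":
    for args in [("UDP", "sip", "RTP/AVP"), ("TLS", "sips", "RTP/AVP"),
                 ("TLS", "sips", "RTP/SAVP", True)]:
        print(args, audit_invite(build_invite(*args)))
```

The second case in the demo is the one to notice: TLS-protected signalling hides the dialed number on the wire, but the audio is still offered as plain RTP.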
Michael545
Full Forum Member
Joined: Mar 14, 2005
Posts: 47
Location: Los Angeles
Posted: Sun Apr 24, 2005 6:48 am
ToddlerTN said:
Quote:
I don't think anyone is saying don't be concerned about privacy or security in general. But this specific fear--that someone will be able to capture your VoIP packets, reassemble all of your calls and extract your credit card numbers from those conversations--probably belongs at the bottom of any practical list of privacy/security concerns.
I agree completely. Even if someone DOES get my credit card number, I personally don't give a damn. My liability (at least in the US) is limited to 50 bucks, and on the two occasions that someone did get a number of mine, the CC company didn't even bother.
This whole thing strikes me as a non-issue, especially in light of the fact that NSA computers listen to every single POTS line call made in the US - and probably elsewhere.
I don't know what some of you people are up to, but whatever it is, don't do it on a phone of any kind if you are that worried about it.
There is no such thing as privacy.
libove
Vonage Forum Associate
Joined: Apr 27, 2004
Posts: 17
Location: Barcelona, Spain
Posted: Sun Apr 24, 2005 7:29 am
Post subject: Practical security concerns of VoIP
Since quite a few people have replied to this thread saying that they're not worried about someone reassembling their voice conversations and stealing their credit card numbers, I'd like to propose some more practical concerns about VoIP insecurity.
1. That someone will co-opt the identity of your VoIP adaptor and make lots of phone calls on your phone bill. Since the service is obviously "secure", you "must" have made those phone calls, and you will be expected to pay for them, right? Note that while domestic phone calls are cheap, there are still some international calls which cost real money even through Vonage. Not to mention the ongoing nuisance of having to challenge the fraudulent calls for as long as they keep appearing on your account, possibly forcing you to change your phone number...
2. That someone will use any arbitrary VoIP service - not yours in particular - to activate the credit card that they just fraudulently got in your name (or more likely stole out of your physical mailbox) by having their VoIP service spoof your home phone number, which is obviously "secure" so you "must" have been the one making the phone call to activate the (stolen) credit card, right? Of course, VoIP is only one mechanism by which your home phone number can be spoofed to a credit card activation system. Some mobile phones suffer this problem, and anyone with a PBX can do it too. Still, like many things, it's easiest on the Internet...
3. Someone already mentioned this one, but I'll put it back out here since it is in my list of likely security compromises to be performed care of VoIP: Someone targets a business which takes credit card numbers all day long over VoIP. The attacker records several days' worth of packets and reassembles the conversations, then listens through those recorded conversations and writes down hundreds of credit cards, maybe yours included. Then in short order all of those credit cards are maxed out with fraudulent purchases. Someone commented that they're not concerned about that because their direct liability is limited to $50 for fraudulent charges on their credit card. That's true. It does not take into account that every single credit card purchase you make (and for that matter, every single purchase you make by any means from any merchant which accepts credit cards, unless they charge extra fees only on credit card purchases to cover the processing fees) contains an amount in the credit card processors' fees to cover all of that >$50 liability from fraudulent charges. Did you know that when you buy something with a credit card, anywhere from 0.5% to 7% of your purchase is given up by the store to the credit card processors, issuers, banks, etc. in processing fees? And some of every processing fee necessarily goes to cover fraud perpetrated by whomever against all whatever credit cards - not just yours. Nearly every purchase you make is higher because of credit card fraud, because the stores have to raise all of their prices to cover those credit card processing fees, so you should be concerned about anyone's credit card being stolen, not just yours, despite the $50 direct liability cap we all enjoy.
-Jay Libove, CISSP
Atlanta, GA, US
Michael545
Full Forum Member
Joined: Mar 14, 2005
Posts: 47
Location: Los Angeles
Posted: Mon Apr 25, 2005 12:02 am
Jay,
I think that your points 1 and 2 are well-taken and provide food for thought, although, as someone else pointed out, stealing credit card numbers is generally fairly easy to do without having to capture VoIP packets (point 2). Simply stealing mail or going through someone's trash, while admittedly low-tech, is much easier and more effective.
Using someone's Vonage number might be more difficult, since most people do not turn their adapters off, the Vonage server uses MAC auth, and I doubt it will auth 2 identical MACs simultaneously. You would almost need to hack the server to accept an unregistered MAC, which is not impossible but also not easy to do (point 1).
As for your last point - I am convinced that if we could magically eliminate all credit card fraud immediately, that would have no effect whatever on prices or interest rates - the credit card companies are too greedy to ever reduce charges to consumers or merchants.
All times are GMT - 5 Hours