Security: Lack of response from customercare...

Posts: 281 · Posted: Wed May 25, 2005 8:13 am Post subject:

robertplattbell wrote:

I'm going by what you have already admitted right here in this thread.

You have said yourself that there is no documented case of anyone anywhere hacking Voip or even e-mails in the manner you describe.

You argue that this *might* be technically possible, but for some reason no one has bothered to do it.

Then you go on to bash Vonage because some 25-cents-per-hour call center employee in Bangalore cannot answer esoteric questions about Voip security.

You realy do sound like a government employee!

Now just go away and have fun with your telco lines.

Sorry, but I'm an EE, not some IT hack. Can't pull the wool over my eyes.

Hey hey hey now Smile

My understanding is they are all employees in the U.S. up in Edison N.J.

Wow... some of these threads really use alot of database space! Smile

Posts: 46 · Full Forum Member Joined: Jun 03, 2005 Posts: 46

Security? Well I hate to be the one to let you all know this.... But locks were meant to keep an honest man (or woman) honest. There is not one encryption level or secure feature made today or tomorrow for that matter that is not breakable. There is the old saying... IF THERE IS A WILL, THERE IS A WAY.
If I really wanted your information and can get my hands on your encrypted, locked or otherwise secure information or whatever it is I want, I can un-encrypt it, un-secure it or unlock it..
You also fail to realize...
It is this simple. Man dreamed it up, man can dream a way around it.

Posts: 646 · Posted: Fri Jun 03, 2005 3:58 pm Post subject: Re: Security

linnym wrote:

It is this simple. Man dreamed it up, man can dream a way around it.

Yeah, right, "simple." Moderm public-key encryption techniques are believed by mathematicians and cryptanalysists to be practically unbreakable, unless you have access to more computing power than is available on earth today. If you know how to quickly factor a 1000-digit number, then please speak up. Crypto can only work if the people who develop it don't know how to break it.

Of course, the encryption is useless if you have control over one of the endpoints, but I think you're underestimating the power of cryptography.

Posts: 20 · Posted: Fri Jun 03, 2005 6:13 pm Post subject:

I would just add to all this that people have been hacking into telco switches and listening in on peoples conversations for decades. I believe there have even been a few cases where people have hacked into call center switches and listened in on calls specifically to compile credit card numbers, although I was not able to find any specific references so i may be mistaken. In any case, this sort of security risk has certainly existed long before Voip and will continue to exist long after. I think the valid and well argued point of this thread is that Voip could be made more secure and probably should be made more secure. I think it is unfair to the many readers who do not have a background in telecom or network security to continually imply that Voip is somehow less secure than a traditional POTS line. POTS traffic is unencrypted just like Voip traffic and is just as easy to snoop on whether you want to listen in on conversations next door or on the other side of the world.

On an unrelated note, I would also point out that as Voip becomes more and more common anyone thinking they will stick to a traditional pots line for security runs an increasingly greater risk that the other party on any given call is using a Voip service.

Posts: 17 · Vonage Forum Associate Joined: May 02, 2005 Posts: 17

Folks,

I am a telephone guy - a professional in standard voice services and Voip services. I work for a company who's name everyone in the world would recognize. With that said I must say that the most unsecure type of telephone call is the good old telephone company line to your kitchen wall. I could walk down just about any street with my tool belt on and a hardhat and listen to any good old fashioned telephone line and no one would ask a question of me - but - if you are on any type of Voip service then you just went from caveman to spaceman over night and I would be shut out. Getting into a Voip call is very, very, very difficult and the hackers just aren't willing to learn and train and purchase equipment and such to listen to your phone calls or use your line. It is too easy for them to walk down most any street with a toolbelt and a hard hat for many, many, many years to come.

Posts: 23 · Vonage Forum Associate Joined: Jul 01, 2005 Posts: 23

GardRailz wrote:

I thought Vonage would be able to save me money, and offer a similar level of security as a hard-wired phone. It turns out it can save you money, but at the cost of your privacy. These concerns can only be addressed either by setting up a lightly encrypted tunnel that the voice and SIP information can travel, OR switch the entire system over to SRTP instead of RTP.

This is very concerning and it is unfortunate that people are being apathetic and mocking this problem. An identify thief in Nigeria or Russia cannot easily tap your POTS line. Now, an international identity thief can apparently tap your Vonage calls to find out your social security number, mother's maiden name, and other personal info that you might share over a phone call (to your bank, for example).

How? All he has to do is sniff for unencrypted Vonage traffic from one of the millions of consumer computers that are under his control via spyware. If one of your neighbors computers is loaded with spyware, that computer could be remotely programmed to sniff traffic within your ISP. Then it could transmit the Vonage packets back to Russia or whereever with your voice phone calls included. Sounds a bit more anonymous and remote than POTS sniffing to me. And this can all be automated to monitor millions of calls for specific destination numbers (e.g., banks).

And once the identify thief has your packet info, it seems like he can start hijacking calls from your phone number as well, so he can apparently just call your bank as you (and from your number).

I was concerned about the potential for hijacking calls when I joined Vonage, and I had assumed they took the same precautions that Skype does. Apparently not.

It would be great if Vonage addressed these concerns. I'd like to stay with Vonage, but this is very concerning. The answer is not apathy or to point out other unsecure services. Two wrongs don't make a right. The answer is to address this and resove the problems before we have more identify theft.

If you never call a bank or don't care if someone gains your SSN, good for you. But don't assume that all Vonage users should have those same restrictions, and don't assume they will know better than to divulge sensitive info that might be forwarded to an identify thief overseas.

Vonage, what is your response to our concerns? Do we need to not use our Voip line when calling the bank or providing other sensitive info?

Posts: 281

[quote="brianguy"]

GardRailz wrote:

How? All he has to do is sniff for unencrypted Vonage traffic from one of the millions of consumer computers that are under his control via spyware. If one of your neighbors computers is loaded with spyware, that computer could be remotely programmed to sniff traffic within your ISP. Then it could transmit the Vonage packets back to Russia or whereever with your voice phone calls included. Sounds a bit more anonymous and remote than POTS sniffing to me. And this can all be automated to monitor millions of calls for specific destination numbers (e.g., banks).

Ok first of all.. with my PBX at work *I* can call your bank with your phone number... CID spoofing is extremely easy.. ever hear of camophone.com ? It's been around for ages.. anyone doing security based on CID is stupid.

How exactly is your neighbor's computer going to sniff your RTP traffic? Your RTP traffic does not bounce off your neighbors computer... it goes from YOU to Vonage. The ONLY (this has been said in this thread how many times??) way to listen in on the conversation would be to compromise a ROUTER along the way. And even then that doesn't mean anything. You'd have to have a way to CAPTURE the packets from the router and dump them to a file. It's not a trivial task and it CAN NOT be done from your NEIGHBORS computer!!!!! Your Vonage traffic does NOT bounce off other people's computers therefore they CAN NOT listen, capture, hear your conversation. And if a router were to be cracked somewhere along the way there would be other issues of concern.

Posts: 23 · Vonage Forum Associate Joined: Jul 01, 2005 Posts: 23

matth wrote:

You have got serious issues. Voip is just as secure (if not more) then a POTS line.

POTS line == climb a pole or go to the NID.. call captures
Voip == have to be an admin/hacker on a router/bridge device somewhere on the network.

As I stated above.. someone on cox cable can't access my call on ChiliTech Wireless, or Verizon DSL.

I must have serious issue, too, because I see how this can happen. An identify thief in Nigeria cannot climb a pole in my neighborhood, and even if he could, it would not be efficient nor anonymous.

However, an identify thief in Nigeria can install spyware on millions of computers local to your network and automate sniffs of local network traffic. Cable modem users would likely be more at risk than DSL users, since a neighbor's infected computer could likely sniff another neighbor's traffic (this wouldn't happen with DSL). With DSL, a computer would likely have to get infected within the ISP.

And all of this can be automated to search millions of packets for Vonage traffic. Much more efficient, anonymous, and likely to happen with Voip than with POTS.

But even if POTS were just as easy to tap remotely, two wrongs don't make a right. We shouldn't say that bank web sites don't need to be secure because it's easy to fool a bank teller. Similarly, we shouldn't say that Voip doesn't need to be secure since POTS has vulnerabilities. Perhaps modern operating systems don't need to be secure since so many versions of Windows have vulnerabilities?

Posts: 1389 · Posted: Sat Aug 27, 2005 1:48 pm Post subject:

Get over it folks...Do you really think that someone wants to listen in to the calls to grandma, you talking about your bowling score, etc? I am sure a Nigerian ID thief will have tons of fun with that!
Is it more unsecure? Possibly....But is POTS secure? Hardly.

Posts: 23 · Vonage Forum Associate Joined: Jul 01, 2005 Posts: 23

Trowski wrote:

Get over it folks...Do you really think that someone wants to listen in to the calls to grandma, you talking about your bowling score, etc? I am sure a Nigerian ID thief will have tons of fun with that!
Is it more unsecure? Possibly....But is POTS secure? Hardly.

Using your logic, since someone probably doesn't want to listen in on my web traffic to www.yahoo.com, then they wouldn't want to listen on my web traffic to bankname.com.

So bankname.com might as well quit doing https:// and go back to http://

So why do we even have https:// then?