GardRailz
Full Forum Member
Joined: Jan 30, 2005
Posts: 73
Location: WV

Posted: Mon Apr 25, 2005 6:23 am

Wow, this topic has stirred up a fair amount of traffic.

I never expected it to go on for this long. I'm glad that people are at least discussing the details relating to this subject and how it affects different industries. Someone still hasn't discussed HIPAA, and privacy act information associated with that subject... Yes, people can obtain credit card information, social security information, and credit card offers from your mailbox, or other locations. It doesn't justify opening up another opportunity, another security hole and ignoring it because "Well, you can get the information from other sources, it must be okay." (paraphrasing a previous post)

Someone mentioned that individuals who have entirely too much time on their hands could write utilities and just make them publicly available on the internet for "script kiddies". Up until that point, script kiddies really don't concern me as the sneaky ones (the ones that actually find the holes) typically utilize their findings a while before the 'kiddies' get ahold of their techniques.

No, I'm not CISSP, although I have gone through the class (I can't justify risking 550.00 with three kids). Yes, I am in the security field, and a Government contractor. Yes, I know three letter government agencies monitor communications, and have the ability to do key word searches through communications. I'm both a Security and Network engineer. I voice these concerns so that people can discuss them in a neutral location and decide for themselves what level of risk they wish to accept in their lives.

Most people don't leave mail lying in their mailbox for days, typically people pick up their mail (I would hope) within a few hours of having it dropped off in their mailbox. Most people are buying shredders (especially cross cut) to shred their junk mail, knowing that people can obtain 'private' information from that source.

Most people are looking at cordless phone technology with security features where the channel changes every so often, or there is some sort of encryption (yes, because that technology is getting cheaper).

Most people who are not very savvy when it comes to technology are aware of identity theft, and are worried about that, and having their credit cards stolen. Yes, there are safeguards to protect individuals from credit card fraud, BUT what about the economy at large? Sure, it's limited to 50.00 per person (if certain conditions are met). What would happen if 100, 1k, 10k, or even 100k people said they ran into that issue? Someone has to eat the 5k, 50k, 500k, or 5M in damages. Most people that are reading this don't even think about the larger issues associated with the problems discussed in this thread. Is not the economy, energy, and information security a National Security issue (for any country) when we look at it from a wider view?

libove
Vonage Forum Associate
Joined: Apr 27, 2004
Posts: 17
Location: Barcelona, Spain

Posted: Mon Apr 25, 2005 7:11 am    Post subject: Well said, GardRailz!

Hey GardRailz, you got someone to pay for the CISSP class - get them to pay for the test so you can add the letters to your name :) The real pain is getting them to pay for enough training each year to accumulate the continuing professional education credits (CPEs) to maintain the certification once you have it... that's my current problem. PM me if you want to talk about the CISSP &etc.

Seconding much of GardRailz's excellent statements ("it doesn't justify opening up another opportunity .. because you can get the information from other sources"), and answering Michael545's concern (or lack of concern) about credit card theft through VoIP - yes, there are easier ways to steal individual credit card numbers (mailboxes on the street, though this works only a few times per year per mailbox; get a job as a waitron for a few weeks which provides a pretty steady stream of credit card numbers), however these mechanisms have a higher risk of getting caught (neighborhood watch associations looking for people sticking their hands into your mailbox, the restaurant staff noticing that you're scribbling down something from receipts). A compromised router in line with a business' VoIP traffic, accessed through a trojaned network of home PCs, simply won't get personal even if it is detected because it doesn't leave enough of an audit trail (those trojaned PC networks are a real bane of investigators' existence, as are trans-national investigations), and allows the criminal (because we really are talking about criminals here, not script kiddiez) to safely gather massive volumes of information, chew on it until it's all boiled down and financially useful to the criminal and his customers, and all at once cause a large financial loss.

To Michael545's suggestion that the MAC "authentication" used by Vonage's servers would provide useful protection against theft of a single Vonage customer's phone service (at any one moment), a denial of service targeted against an adaptor would be quite effective at preventing it from taking up its rightful spot in Vonage's servers' authentication tables. This would of course result in a noticed service outage for the legitimate customer, so the attacker would just need to go after a different Vonage adaptor when the first victim comes home and wants to use the phone... These issues are largely the same as normal IP address spoofing, and standard script-kiddie capable tools unfortunately already do exist for that.

Finally, to Michael545's point about credit card company greed and the suggestion that the fees would not go down even if we magically eliminated all fraud, I have to pin my hopes on good old fashioned capitalism and competition, driven by that very same greed (to have the most customers) - if the real costs of the credit card companies did go down, it only takes the first greedy company dropping its fees 1% in order to gain more customers, to cause the whole industry to have to follow suit. I hope :)

Finally, putting real security into this system is not very hard and is not even very expensive. Some of the mechanisms are already standardized. Others are only a matter of time, and interim steps could be taken by a greedy company which wants to differentiate itself from the rest of the field. That makes it all the more irresponsible of the VoIP providers to not do it. It's a good sign that the VOIPSA formed recently. I hope they move faster than some other such bodies have over the years.

Cheers!
-Jay Libove, CISSP
Atlanta, GA, US

GardRailz
Full Forum Member
Joined: Jan 30, 2005
Posts: 73
Location: WV

Posted: Fri Apr 29, 2005 9:15 am    Post subject: Re: Well said, GardRailz!

libove wrote:

To Michael545's suggestion that the MAC "authentication" used by Vonage's servers would provide useful protection against theft of a single Vonage customer's phone service (at any one moment), a denial of service targeted against an adaptor would be quite effective at preventing it from taking up its rightful spot in Vonage's servers' authentication tables. This would of course result in a noticed service outage for the legitimate customer, so the attacker would just need to go after a different Vonage adaptor when the first victim comes home and wants to use the phone... These issues are largely the same as normal IP address spoofing, and standard script-kiddie capable tools unfortunately already do exist for that.


I disagree. MAC authentication can be spoofed with the way the system is set up now. The SIP protocol, used to set up the call, is unencrypted. That would provide the would-be attacker the ability to capture the MAC address, or hash derived from it, and reverse engineer the situation. The only true way to secure this is with encryption.

libove wrote:

Finally, putting real security into this system is not very hard and is not even very expensive. Some of the mechanisms are already standardized. Others are only a matter of time, and interim steps could be taken by a greedy company which wants to differentiate itself from the rest of the field. That makes it all the more irresponsible of the VoIP providers to not do it. It's a good sign that the VOIPSA formed recently. I hope they move faster than some other such bodies have over the years.


The technology is out there. I don't believe they plan on moving to the encryption anytime soon. I just called customer service to cancel my service (yes, I've been saying I'd do it for the past few months... what can I say, I procrastinate). They insisted (both the first level, and second level support) that the service was encrypted. They are running their business on blatant misdirection of their customers.

They made it difficult for me to cancel my subscription today. They also credited my account for two months service (which I haven't used hardly at all), and have submitted a ticket for management to get back in touch with me within 24 hours.

I'll update this thread with the results of the conversation...

libove
Vonage Forum Associate
Joined: Apr 27, 2004
Posts: 17
Location: Barcelona, Spain

Posted: Fri Apr 29, 2005 3:13 pm    Post subject: Re: Well said, GardRailz!

GardRailz wrote:

The technology is out there. I don't believe they plan on moving to the encryption anytime soon. I just called customer service to cancel my service (yes, I've been saying I'd do it for the past few months... what can I say, I procrastinate). They insisted (both the first level, and second level support) that the service was encrypted. They are running their business on blatant misdirection of their customers.


I think you're giving too much credit to the frontline customer service drones. I don't think that Vonage is running its business on blatant lies to the customers (us!), I just think that typical of poor customer service organizations someone was making stuff up. Now, if you can get on tape the customer service agent claiming that they're reading that out of the official Vonage answer book as supplied by management... Heh.

Do keep us informed. Thanks!
-Jay

jeeper30044
New Forum Member
Joined: Apr 29, 2005
Posts: 2

Posted: Sat Apr 30, 2005 1:36 pm    Post subject: Packet Sniffer usage

Question for GardRailz or anyone else who can answer:

I have Ethereal and can capture traffic on my OWN network. Would I be correct in saying that in order for anyone else to capture packets on my network, they would have to be physically connected to my network? Unless someone was physically connected to my network then they would not be able to capture my packets. Right?

Not only that, but if they were able to somehow access my network and capture VoIP packets, then they could also capture packets sent when checking my email or logging into my ISP. Since passwords are unencrypted text, then if one were to be able to use a packet sniffer, they would be able to see the password that I used to log in to my email or ISP or whatever. With that password they could log in to my ISP as me and they would have access to my credit card information that way.

So, identity theft is no more prevalent to those who use VoIP than those who don't. If a hacker was trying to get personal information, he wouldn't have to sniff a voice packet and listen to endless hours of speech waiting to hear someone spill out their information. It is more likely the hacker would look for packets that contain passwords instead which would be much easier.

It is not just VoIP users who need to be concerned with network security issues, but anyone who uses the internet. Especially those who use public access PCs like those in a library or coffeeshop.

That being said, I don't feel any less secure using VoIP than I do using anything else that requires internet access.

Regards,
Doug

jmpage2
Vonage Forum Junior
Joined: Feb 22, 2005
Posts: 36

Posted: Sat Apr 30, 2005 1:44 pm    Post subject: Re: Packet Sniffer usage

jeeper30044 wrote:
Question for GardRailz or anyone else who can answer:

I have Ethereal and can capture traffic on my OWN network. Would I be correct in saying that in order for anyone else to capture packets on my network, they would have to be physically connected to my network? Unless someone was physically connected to my network then they would not be able to capture my packets. Right?

Not only that, but if they were able to somehow access my network and capture VoIP packets, then they could also capture packets sent when checking my email or logging into my ISP. Since passwords are unencrypted text, then if one were to be able to use a packet sniffer, they would be able to see the password that I used to log in to my email or ISP or whatever. With that password they could log in to my ISP as me and they would have access to my credit card information that way.

So, identity theft is no more prevalent to those who use VoIP than those who don't. If a hacker was trying to get personal information, he wouldn't have to sniff a voice packet and listen to endless hours of speech waiting to hear someone spill out their information. It is more likely the hacker would look for packets that contain passwords instead which would be much easier.

It is not just VoIP users who need to be concerned with network security issues, but anyone who uses the internet. Especially those who use public access PCs like those in a library or coffeeshop.

That being said, I don't feel any less secure using VoIP than I do using anything else that requires internet access.

Regards,
Doug


The risk is of someone inserting a sniffer at an ISP that handles internet traffic.

This is not as far fetched of a prospect as you might think.

jeeper30044
New Forum Member
Joined: Apr 29, 2005
Posts: 2

Posted: Sat Apr 30, 2005 11:45 pm

I'm not saying the idea of using a packet sniffer is far fetched. In an earlier post, it was stated that a hacker could catch packets containing the voice data to recover conversations containing private information such as credit card numbers. Though this may be true, it is no reason not to use VoIP.

I was pointing out the fact that a hacker could just as easily look for packets containing passwords without having to listen for the information to be spoken in conversation.

Therefore, cancelling one's VoIP service is not going to make them any safer from hackers using packet sniffing to collect information.

libove
Vonage Forum Associate
Joined: Apr 27, 2004
Posts: 17
Location: Barcelona, Spain

Posted: Sun May 01, 2005 8:04 am    Post subject: My windows are wide open, so why should I lock the door?

That we suffer one information security risk (e.g. web sites which do not use SSL and so leave our information susceptible to theft) is not a good reason to willfully accept yet more unnecessary and easily resolved information risks.

To do so would be like saying "My windows are wide open, so why should I lock the door?".

-Jay Libove, CISSP
Atlanta, GA, US

GardRailz
Full Forum Member
Joined: Jan 30, 2005
Posts: 73
Location: WV

Posted: Thu May 05, 2005 6:58 am

Here's a quick update that I've been meaning to do since Saturday...

I spoke with one of the technical people and he attempted to assure me that the voice traffic was encrypted. When I told him I've decoded a call that I made to an automated service, he continued to say, Oh no, it's encrypted. When I asked him if he could give me permission to capture our call for demonstration purposes, he agreed, then put me on hold about 30 seconds later. When he came back, he said that the RTP and SIP packets are unencrypted. The only encryption, or customization they use for their protocol is with the actual device authentication to their gateways.

After we spoke more about the problem, and the possible fixes, he decided to place my contact information inside the ticket because I had some potential ideas as to how to effectively deal with these issues. I doubt I'll get a call back, but hey, it was nice to actually hear someone say "You're right, it's unencrypted...".

He said that the general support people there genuinely feel that the traffic is secure, and really don't know anything about encryption or electronic eavesdropping. They need training badly....

So, in a nutshell, the conversations are unencrypted. If you buy a business plan, you're only paying for additional usage, not encryption. If you ever run the chance of discussing private matters over the phone, Voice over IP (VoIP) may not be the technology for you. They do have plans on switching things to SRTP, however that won't be happening in the future.

On a side note, I did find out that they are beta-testing the 'call block' feature, which would disallow callers with 'out of area', or 'private' listed in their caller id. All I have to say about that feature is "YAAAAAAAAAAAAAAAAAAAAAAAY!!!"

VoIP == insecure still. Hopefully it will be taken seriously in the near future.
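
Whether a call is set up in the clear, as the technician conceded in the post above, can be read from the SIP signalling itself: the Via header names the signalling transport, and each SDP `m=` line names the media profile (RTP/AVP is plain RTP, RTP/SAVP is SRTP). The following Python script is an added example, not part of the original thread and not Vonage's code; it audits a SIP message captured on your own network, and the sample messages, addresses and key placeholder in it are constructed.

```python
from dataclasses import dataclass

# Third field of an SDP m= line: the transport profile.
CLEARTEXT_PROFILES = {"RTP/AVP", "RTP/AVPF"}
SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}


@dataclass
class Media:
    kind: str               # "audio", "video", ...
    port: int
    profile: str
    sdes_key: bool = False  # an a=crypto line (SDES key) was seen for this stream


def split_message(raw):
    """Split a SIP message into header lines and non-empty SDP body lines."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    return head.split("\n"), [ln for ln in body.split("\n") if ln]


def signalling_transport(headers):
    """Transport named in the topmost Via header: UDP, TCP, TLS, ..."""
    for line in headers[1:]:  # headers[0] is the request or status line
        name, _, value = line.partition(":")
        if name.strip().lower() in ("via", "v") and value.strip():
            return value.split()[0].split("/")[-1].upper()
    return "UNKNOWN"


def media_streams(sdp_lines):
    """Collect each m= section and note whether it carries an a=crypto key."""
    streams = []
    for line in sdp_lines:
        if line.startswith("m="):
            parts = line[2:].split()
            if len(parts) >= 3 and parts[1].split("/")[0].isdigit():
                streams.append(Media(parts[0], int(parts[1].split("/")[0]), parts[2].upper()))
        elif line.startswith("a=crypto:") and streams:
            streams[-1].sdes_key = True
    return streams


def audit(raw):
    """Return a list of findings; an empty list means nothing was flagged."""
    headers, sdp = split_message(raw)
    transport = signalling_transport(headers)
    issues = []
    if transport != "TLS":
        issues.append(f"signalling over {transport}: headers and SDP are readable on the path")
    for m in media_streams(sdp):
        if m.profile in CLEARTEXT_PROFILES:
            issues.append(f"{m.kind} port {m.port} uses {m.profile}: media is not encrypted")
        elif m.profile not in SRTP_PROFILES:
            issues.append(f"{m.kind} port {m.port} uses unrecognised profile {m.profile}")
        elif m.sdes_key and transport != "TLS":
            issues.append(f"{m.kind} port {m.port} offers SRTP, but its a=crypto key is sent in the clear")
    return issues


def sample_invite(via_transport, media_lines):
    """Build a constructed, abridged INVITE (documentation addresses, placeholder values)."""
    headers = [
        "INVITE sip:callee@voip.example.net SIP/2.0",
        f"Via: SIP/2.0/{via_transport} 192.0.2.10:5060;branch=z9hG4bK-constructed",
        "Call-ID: constructed-call@192.0.2.10",
        "CSeq: 1 INVITE",
        "Content-Type: application/sdp",
    ]
    sdp = ["v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0"]
    return "\r\n".join(headers + [""] + sdp + media_lines)


PLAIN_MEDIA = ["m=audio 10000 RTP/AVP 0", "a=rtpmap:0 PCMU/8000"]
SRTP_MEDIA = ["m=audio 10000 RTP/SAVP 0",
              "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-PLACEHOLDER-KEY"]

if __name__ == "__main__":
    for label, msg in [("UDP + RTP/AVP", sample_invite("UDP", PLAIN_MEDIA)),
                       ("UDP + RTP/SAVP", sample_invite("UDP", SRTP_MEDIA)),
                       ("TLS + RTP/SAVP", sample_invite("TLS", SRTP_MEDIA))]:
        print(label, "->", audit(msg) or "no findings")
```

The Via transport describes only the hop where the message was captured, so an empty result says nothing about later hops between providers.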

robertplattbell
Vonage Forum Senior
Joined: May 05, 2005
Posts: 90

Posted: Thu May 05, 2005 1:35 pm    Post subject: Please provide examples...

The internet has been around for decades.

I have heard rumors that the Internet is "not secure".

However, I have never heard of any specific example of someone intercepting an Internet message and making any use of it.

Can you provide a SPECIFIC EXAMPLE of a VoIP conversation being tapped by a third party (not a government agency)?

Can you provide a SPECIFIC EXAMPLE of a random message on the Internet being intercepted (again, by a non-governmental third party)?

I'm curious. I hear this statement all the time. One would think that such message interceptions would make headlines all over the world.

I mean, Paris Hilton's e-mails alone would fetch huge sums from the tabloids.

But you never hear about it.

Or are all the newspapers in on the conspiracy as well?

Just asking! Inquiring minds want to know.

All times are GMT - 5 Hours

www.vonage-forum.com is not an official Vonage support website & is independently operated.
All logos and trademarks are property of their respective owners. All comments are property of their posters.
All other www.vonage-forum.com content is © Copyright 2002 - 2013 by 4Sight Media LLC.