July 2005


July 27, 2005

VOMIT: Diagnostic Tool Lets Hackers Target VoIP

Voice over IP (VoIP) is now a wildly popular technology, thanks to companies like Vonage and Skype. Who doesn't want to make cheap phone calls? But along with the low-cost advantage comes a high-cost risk that many IT managers overlook: security. Unlike Plain Old Telephone Service (POTS), which runs over copper wires through the phone company, VoIP travels over the insecure Internet and is thus subject to a number of unique threats.

Not that the Public Switched Telephone Network (PSTN) is impenetrable. It's not uncommon to find ready access to corporate phone closets and outside telco cross-connect points where phone taps can be easily installed. But POTS tappers do have to gain physical access to the copper lines, which means they likely won't be tapping your phone from, say, Moscow. VoIP, on the other hand, can be snatched out of the air from anywhere in the world, under the right circumstances. And those circumstances are more widely prevalent than you might think.

An open-source diagnostic tool with the unsavory name of VOMIT (Voice Over Misconfigured Internet Telephones) can be readily used to reconstruct VoIP conversations from TCP dump files, which brings the skill level required to tap VoIP down to script-kiddie-simple. Script kiddies, if you don't already know, are the unknowledgeable hacker wannabes who use off-the-shelf tools to crack networks without having any real skill themselves.

VOMIT converts a captured phone call into an ordinary .wav file, which can then be readily stored, e-mailed, posted on Web sites, and used to torment or extort money from victims.

Here's all a script kiddie needs to type to listen to your phone call:

$ vomit -r phone.dump | waveplay -S8000 -B16 -C1

VOMIT isn't the only VoIP tool hackers can employ to tap Internet calls, but it's one of the easiest to use. True, the hacker has to first get a TCP dump of the call, but that's not difficult to accomplish in this day and age. A single compromised host anywhere along the path the VoIP call takes is all that is needed. That could happen at an intervening ISP, in the call recipient's network, or even on your own network. The widely available tcpdump utility is all an enterprising script kiddie needs.

So what's the solution? Encryption, of course. "But I thought VoIP was already encrypted!" Think again, Kimosabe. Although the VoIP standard Session Initiation Protocol (SIP) supports encryption, virtually nobody enables it because it's complex to set up and CPU-intensive. Commodity VoIP carriers simply can't afford the latency and computational expense encryption imposes. In a marketplace where sound quality is king, these providers quietly sweep VoIP security issues under the rug. In enterprise VoIP deployments, the need to establish a Public Key Infrastructure (PKI) is a hurdle most IT pros run around rather than leap over.

SIP's end-to-end encryption specification is called Secure Realtime Transport Protocol, or S-RTP. To use S-RTP all parties to a VoIP call (or the associated VoIP-to-PSTN gateways) must be part of the same PKI. This is the only way to secure commercial VoIP products deployed in the enterprise today, and it should be a minimum practice for all private VoIP deployments.

But what about so-called non-commercial VoIP, specifically Skype? The good news is that Skype does use robust encryption: the Advanced Encryption Standard (AES) algorithm with 256-bit keys. Skype is actually quasi-commercial, since peer-to-peer calls between Skype users do not consume bandwidth on Skype's network. You pay for service only when one of the calling parties is on a POTS line, which must be routed through a Skype PSTN gateway. Skype implements a PKI to distribute encryption keys but then offloads the encryption to end-user computers, cleverly circumventing the most significant barrier to secure VoIP.

What's involved in building your own PKI? You can do it all yourself using open-source tools, such as IDX-PKI, or employ commercial services such as TransNexus. The open-source approach is tedious, especially if you're not a Unix guru; you may find commercial PKI products well worth their modest cost.

Commercial VoIP providers using hardware VoIP adapters will have to upgrade that hardware to support S-RTP, an unlikely proposition given the extremely competitive VoIP market -- unless users demand encryption.

Phil Zimmermann, the father of free encryption and a cyber-security folk hero, says he's working on a fix to the PKI problem. Zimmermann doesn't believe PKI is necessary for most VoIP calls, and is developing a program to secure VoIP calls without it. The program -- initially implemented for Macintosh but portable to Windows -- is still in testing, however, and Zimmermann says he won't release it until it's in better shape.

So the Pretty Good Practice for VoIP security boils down to this: Most commercial VoIP services are insecure, but Skype is safely encrypted. And if you're building your own VoIP network, enable S-RTP and build a PKI to go with it.

http://vomit.xtdnet.nl

Posted by Mel Beckman on July 27, 2005 at 9:52 AM | Comments (1)

July 14, 2005

Important IPv6 Conference This September in San Jose, CA

The momentum toward IPv6 migration is picking up, as indicated by the extensive agenda at the North American IPv6 Technology Conference. Scheduled for September 19 - 22 at the San Jose State University campus, the conference kicks off with a day of tutorials to give IPv6 acolytes a solid footing in IPv6 practicalities. Then follows an intensive three-day blast of sessions on technology, transition planning, and deployment issues relating to IPv6. But the gem of the conference has got to be the tutorials day.

The tutorials provide a roadmap for implementing IPv6 in the enterprise, beginning with transitioning the LAN to IPv6. The morning sessions explain the support mechanisms you need to have in place before enabling IPv6, how to gracefully migrate from an IPv4-only LAN to one where IPv4 and v6 coexist, and how to deal with transitory security issues that arise in a mixed v4/v6 network.

The second half of the day describes the details of enabling IPv6 on host systems -- both servers and workstations -- and how you can take advantage of IPv6 enhancements to mobile, multicast, and QoS service. IPv6 actually greatly simplifies network administration, eliminating, for example, the need for DHCP IP address assignment, since the IPv6 local address is created automatically from a device's Ethernet hardware address.

After IPv6 host enablement, you'll need to know what upgrades are required in enterprise software dealing with IP addresses: DNS, email, and other network-aware applications. The bulk of the afternoon material deals with such software issues.

At the end of the tutorials, you'll be well equipped to begin planning your own IPv6 migration, whether you choose to stay for the rest of the conference or not. At just $100 for the day, the tutorial session should be a no-brainer for anyone serious about enhancing their IPv6 expertise.

The conference proper, however, has a great slate of material that will interest enterprise network administrators. Perhaps the most important issue facing IPv6 is the business case for moving to it, a topic tackled in a session entitled "IPv6 Business Value Proposition." Several case studies describing in-progress network migrations by the likes of Northrop Grumman, Lockheed Martin, and BAE Systems can surely be mined by any prospective enterprise IPv6 guru. A session on IPv6 security tools also promises to deliver practical value.

A Solutions Demo area will let you get your hands on living, breathing (and working) IPv6 goodies.

I hope to see you there!

http://IPv6Conference.com

Posted by Mel Beckman on July 14, 2005 at 9:13 AM | Comments (0)