VoIP Security
An anonymous reader writes "Whitedust are running an interesting article on the security aspects of VoIP. From the article: "The fact that VoIP operates across standard networks makes it vulnerable to all manner of IP hacking - including man in the middle attacks, sniffing, session hijacking, etc." Considering its recent growth, how secure is VoIP?" PCM2 sent us a Wired bit about Phil Zimmermann of PGP working on a privacy system for Voice over IP calling.
From TFA: And all these errors are in just the introduction.
Now, I don't expect perfection, but the sheer number of errors present here is beyond the pale, and renders the reader incapable of trusting the subject matter presented, or taking the author seriously.
Mr. Anderson, about 98% of the errors in your article could have been avoided by the use of a simple spell-checker. Nowadays, people don't actually need to know how to spell, as we have software to do that for us... but you have to actually use the software.
____
~ |rip/\/\aster /\/\onkey
There is a program called Cain that can sniff VoIP traffic (as well as other things) and turn it into a wav file if it understands the codec. There is a video on how it works at: http://www.irongeek.com/i.php?page=videos/cainvoip
If you're using VoIP as a transparent replacement for POTS there's no change.
POTS is wide open to MIM attacks. In fact anyone with a cheap earpiece can do it - no need for a PC even.
Please visit the VoIPsec archives, before assuming that any one article could cover it all. There you could find links and comments from some of the most pertinent contributors to this subject.
== With enough Will Power, one could move mountains. With enough Brains, one would just leave them where they are ==
There was a neat little app a few years back for simple IP-to-IP VoIP that was (supposedly; I never checked) well encrypted. It converted the key into English words that you could say in your own voice to confirm that you weren't a victim of a MITM attack.
http://web.mit.edu/network/pgpfone
/* FUCK - The F-word is here so that you can grep for it */
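The spoken-word key check described above, as an added example that is not PGPfone's own code: each endpoint derives a short authentication string from its Diffie-Hellman shared secret, and a MITM who terminates two separate exchanges cannot make both sides produce the same words. The DH group and the 16-entry word lists are constructed stand-ins (PGPfone's real lists have 256 even and 256 odd words).

```python
import hashlib
import secrets

# Toy DH parameters, constructed for illustration only: a real deployment
# uses a standardised group of 2048 bits or more.
P = 2**127 - 1
G = 5

# Constructed stand-in for PGPfone's even and odd word lists (the real lists
# hold 256 phonetically distinct entries each); 16 words cover one nibble.
EVEN = ["aardvark", "absurd", "accrue", "acme", "adrift", "adult", "afflict",
        "ahead", "aimless", "Algol", "allow", "alone", "ammo", "ancient",
        "apple", "artist"]
ODD = ["adroitness", "adviser", "aftermath", "aggregate", "alkali",
       "almighty", "amulet", "amusement", "antenna", "applicant", "Apollo",
       "armistice", "article", "asteroid", "Atlantic", "atmosphere"]

def keypair():
    """Private exponent and public value for one endpoint."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def shared_secret(priv, peer_pub):
    return pow(peer_pub, priv, P)

def sas_words(secret, n_words=4):
    """Hash the shared secret and map its leading nibbles to words, alternating
    even/odd lists so a dropped or repeated word is audible when read aloud."""
    raw = secret.to_bytes((secret.bit_length() + 7) // 8, "big")
    digest = hashlib.sha256(raw).digest()
    nibbles = [x for b in digest for x in (b >> 4, b & 0xF)][:n_words]
    return " ".join((EVEN if i % 2 == 0 else ODD)[v] for i, v in enumerate(nibbles))

def honest_call():
    """Direct exchange: both parties compute the same secret, hence same words."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    return (sas_words(shared_secret(a_priv, b_pub)),
            sas_words(shared_secret(b_priv, a_pub)))

def mitm_call():
    """Mallory sits in the middle with a separate DH exchange toward each side;
    the endpoints only ever see her public values, so their words diverge."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    _, m_pub_to_alice = keypair()   # Mallory keeps the private halves
    _, m_pub_to_bob = keypair()
    return (sas_words(shared_secret(a_priv, m_pub_to_alice)),
            sas_words(shared_secret(b_priv, m_pub_to_bob)))
```

With only 16 bits of SAS the constructed word lists leave a 1-in-65536 chance of an undetected mismatch; the full 256-word lists and more words shrink that accordingly.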
If you have a set of alligator clips and a phone. Or a set of diagonal cutters (DoS attack).
I mean, really
- Brian Roach
Their website lists their numbers as "Tel: 00353 - (0)87 - ..." etc., so they're not in North America.
This: (Mon, 14 Feb 2005 16:57:12 +0000) also suggests a European country (I think). So maybe English isn't their first language.
http://www.acmqueue.org/modules.php?name=Content&pa=showpage&pid=209
Um, if you hang up and 30 seconds later are still connected, it means someone else on the line [on your side] is still off hook.
Check your house for nosy people and, failing that, call your telco to have it looked at.
Of course I've never heard of that problem before. Doesn't mean you're making it up, but more than likely the reason is something other than a "remote DoS" attack.
Mostly call-centers can only fake their CID information [but not ANI] which makes call display all fucked up [but not their billing]. That's about it. They don't have magical technology to jam your phone line. Once you hang up the call is released and both sides are disconnected.
Tom
Someday, I'll have a real sig.
That doesn't square with my (admittedly limited) experience. If they unleash the collection agency, you dispute the "black mark" on your credit report. There's no impact on your credit score until the dispute is settled, and a lot of companies are not going to find it worthwhile to spend time and energy on a measly $20 charge. IME your credit can't just get "ruined" because of one disputed charge. A year ago, I charged back a sneaky $29.95 fee from a dot-com, and haven't seen anything from them since. Maybe the details depend on the state; I'm in California.
Chargebacks are a powerful - in some cases the only - weapon to fight back against unfair business practices and plain ol' fraud. I'm glad they exist and have no problem using them when someone tries to screw me.
" In the case of a business, I think it would be a good idea to keep at least one POTS line, to prevent a total outage of phone service. VOIP would be very useful in the business world to keep down the cost of long distance calls, and the quality is good enough."
It is good enough, and that's exactly what we do. I have a VoIP "line" from AT&T at our business for outgoing long distance, plugged right into our phone system. It saves us probably $200 - $300 a month in long distance (You should see what business LD costs - it's ridiculous).
- Brian Roach
"few seconds". It usually takes 3-4 seconds to hang up. Anything longer and your phones and/or telco is broken.
Tom
Someday, I'll have a real sig.
Plain ol' IPSec is not a cure-all in this situation.
In fact, if you want to believe NIST, most of the hardened encryption algorithms can all verge on introducing too much delay into the process. The solution is to introduce a priority scheduling component into encryption engines, but given the language of the report, I'm not sure that's widely done at the moment.
NIST has a nice technical report regarding all (or most) of the VoIP security approaches. It's quite lengthy, though, so use the ToC. http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf