Slashdot Mirror
VoIP Security Threats Defined
Zonorph writes "Information week is reporting that the recently formed industry group Voice over IP Security Alliance (VOIPSA) just published their first draft of a VoIP Security Threat Taxonomy for public comment. From the VOIPSA, 'This VoIP Security Threat Taxonomy is meant to define the many potential security threats to VoIP deployments, services, and end users. Part of the challenge of devising effective VoIP security protections requires first identifying these threats in the first place.'"
If everyone somehow thinks VOIP on the internet is some magicly secure channel, they'll use it carelessly and lots of security problems will occur.
If they think it's a public chatroom (like an IRC channel) they'll be careful what they say, and fewer problems will result.
Same for email - if it were only widely known that email can be forged by anyone and read by anyone, the nigerian spammers wouldn't have any luck finding a mark. But the damn "email security" industry and ISPs set peoples expectations incorrectly and a lot of people get hurt.
Somehow noone get's all excited about those security holes; but somehow computers have some mystical aura that makes people expect them to be locked down to a far greater extent than their physical phone or mailbox. This seems pretty odd, since my physical mailbox gets lots of stuff in it that's far more valuable than my email.
The encryption apporach should allow for easier quicker change of algos. We are now playing a game where we are fighting both crackers and govs.
I prefer the "u" in honour as it seems to be missing these days.
You think the public switched telephone network is any more secure than VOIP? Hackers have been playing around in the phone system since it's inception, via switchboard pranks, then devices like blueboxes, and finally hacking the DMS-100 switch used to route your telephone calls. Free service, free features, unbillable numbers, untracable calls, phone taps, and even controlling dial-in lines to win radio call-in prizes. This is all old hat, and VOIP is simply the new playground.
SecureThe.Net - Practical Resources for Securing Systems
The biggest single threat to the security of VOIP deployments is CALEA mandated backdoors
:-(.
Yes indeed. VoIP transmissions can be easily secured with *strong* encryption like RSA or AES with long keys. But governments will prevent it from becoming standard. Of course the caller and callee can make additional arrangements to use strong encryption, when available (ala PGP mail). And in the current political climate, that wil be marked as illegal use too. Sigh
The issue is that anything that is transmitted over a public channel is open for analysis, and hence private information need to be secure.
No, that's not the issue. The good old PSTN is public and insecure. The post (snail mail) is public and insecure. If people want to send their information securely, they scramble their phone calls and encrypt (code/cipher/whatever) their post. The same applies to VoIP (VPN, encryption etc.).
The issue here is cost.
When a VoIP system is cracked, it costs somebody money.
The problem here is a lack of understanding on how to secure (*NOT* encrypt) VoIP connections.
Nick.
But for someone to tap your phone, they have to come with alligator clips to your phone line. This means that someone can't easily "screen" a lot of different phone lines without a lot of manpower. VoIP, on the other hand, could be tapped remotely without intervening with your installation at all, and the process can be automated.
Problem is you can't mass snoop on physical mailboxes, while you can do this on electronic comms.
Two very bad examples because they are both more secure than standard unencrypted network data.
* Eavesdropping on classic PSTN requires physical access to the line or switch. If you manage to find network access to a console port, it's possible to copy a data stream from one trunk port to another. You still need to get connected to it somehow.
* Snail mail conversations also require physical access. That access is difficult to come by for more than a handful of end stations without actually working in your country's postal service. Even then, you are still limited to your ability to sort through vast amounts of mail to find the handful of correspondence that you are actually interested in looking at. Governments can do this, but only by putting an incredible burden on the ability to just deliver the mail. On top of all that, all conversations are all wrapped in an envelope (with the obvious exception of postcards). That envelope helps to keep the contents of any conversation secure from all but the more sophisticated ability to snoop.
No, both examples that you use are far more secure by design and by their nature than simple data traffic. VOIP is simply just one more example of a much larger class of problem that has already been pretty much solved from a technical standpoint. We just need vendors and customers who understand and practice basic network security. (Yes, I think that means end to end encryption for starters.
true... but... the problem is physical location. Basically it boils down to connection oriented networks vs. connectionless networks. sure someone can tap a traditional pots line, but they had to be physically "on the line". with VoIP and programs like http://ettercap.sourceforge.net/ this physical domain it extended making it possible for someone to access the path of communications from almost anywhere in the network. I'm not saying that traditional phone security was any better, but VoIP not only suffers from those security issues (DoS, toll fraud, invalid subscribers...), but also from IP inherent problems too (DoS, man-in-the-middle, packet sniffing...) ps. if you want secure voice and you secure it at the handset.
This means that someone can't easily "screen" a lot of different phone lines without a lot of manpower. VoIP, on the other hand, could be tapped remotely without intervening with your installation at all, and the process can be automated.
To remotely tap your Internet connection, this would typically be done at your Internet Service Provider.
To remotely tap your telephone connection, this would typically be done at your Telephone Service Provider.
There are lots of points where these things can be eavesdropped and they are both quite similar with the pros and cons of each comparable method.
Do you realise that almost all PSTN networks in the World now are digital packet switched? Screening a lot of different phone lines is now trivial for a telco. Do you trust your telco and its staff? I do not trust them any more than the public on the Internet. They ARE "the public" outside of 9-5 and there is lots of opportunity at a telco for the opportunistic. And hell, telcos have never been hacked remotely, right?
War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?