Showing posts with label VoIP. Show all posts

Wednesday, January 21, 2009

VoIP Hackers Strike (as predicted)

Australia - A hacker recently obtained unauthorised access to the IP telephony (VoIP) system of a Perth business, making 11,000 calls costing over $120,000, according to the Western Australian police.

The calls were made over a period of 46 hours, the police said, and the business only became aware of the imposition when it received an invoice from its service provider. (more)

Thursday, November 6, 2008

SpyCam Story #490 - IP Eyes on the Mains

Imagine...
(from the manufacturer's web site)
"...an easy-to-install, easy-to-use Internet camera surveillance solution that allows you to monitor [video and audio] any room in your house from anywhere over the Internet.


...uses Powerline networking, which connects the Internet camera and your router using your house’s electrical wiring, eliminating the need to run networking cables across your home.


Furthermore, the Internet camera uses a single cable to both receive power and connect to the Powerline adapter, allowing you to place the camera anywhere in your home. ...zero-configuration setup gets you up and running in no time..."


KEY FEATURES

• View and manage your camera remotely over the Internet
• Camera functions without PC turned on

• Records motion-triggered snapshots – saved to a secure server

• Receive instant e-mail notifications of motion-triggered events

• Share access to your camera with friends and family

(What could possibly go wrong here?!?!)
• 0.5 lux CMOS sensor can capture video in low-light environments

• Built-in microphone lets you hear what’s happening*
* This could turn illegal (US law) the instant the consenting party leaves the area. Note: In some states, all parties being heard must consent, even people who are not within view of the camera.
• Adjustable stand – place and position your camera anywhere
• Uses auto-provisioning for zero-configuration network setup

• PowerLine networking – place camera by any power outlet

• Camera powered & networked through a single cable
• Easily expand network – Internet Surveillance Camera Expansion Kit
Only $289.99 (more)

Our Point of View
Privacy nightmare. A repackageable, off-the-shelf, audio / video, surveillance system that sends digital signals (encrypted) over existing power lines, to a remote Internet connection (conceivably Wi-Fi'ed out), and then on to anywhere in the world, 24/7/365, for less than $300.00. Geeez... who you gonna call?

Friday, October 17, 2008

FutureWatch - VoIP Encryption for All

by Patrick Thorel, Alcatel-Lucent
Over the last few years adoption of VoIP has grown rapidly. ...migration to an IP network also brings a host of new security challenges that are driving a trend toward voice encryption.

Voice communication ... needs to be assured 24/7 and always go to all the right people and none of the wrong ones. In recent times eavesdropping has led to a number of information leaks in legal cases. Certain industries are particularly susceptible to this type of security risk and are thus driving the trend toward voice encryption.

In finance, for example, worldwide agreements which dictate data security in the banking and finance industry make data and voice protection a legal requirement. Healthcare professionals are also aware of patient confidentiality, although no government or company is excluded from the threat of industrial espionage...

To limit the risk of such security breaches encryption of voice traffic is essential... In order to maintain total security everything within the network must be encrypted... One solution is to install hardware in front of the communication server in the gateways and use encryption-optimized firmware in the phones. (more)

Prediction...
Eventually, end-to-end telephone/data encryption will be standard – with CALEA access. Until then, the best choice is to call us (from a safe phone) to inspect for bugs and taps. We can also advise you on current encryption solutions.

Wednesday, September 17, 2008

Bavarian Police Seeking Skype Trojan Informant

Germany - Bavarian police searched the home of the spokesman for the German Pirate Party (Piratenpartei Deutschland) looking for an informant who leaked information about a government Trojan used to eavesdrop on Skype conversations. (more)

Wednesday, September 10, 2008

Your Cellular DNA - the Electronic Snitch Gene

How your cell phone evolved into a personal panopticon...
A recent article in the London Review of Books revealed that a number of private companies now sell off-the-shelf data-mining solutions to government spies interested in analyzing mobile-phone calling records and real-time location information. These companies include ThorpeGlen, VASTech, Kommlabs, and Aqsacom--all of which sell "passive probing" data-mining services to governments around the world.

...while it may be impossible for the NSA to legally obtain large-scale, real-time customer location information from Verizon, the spooks at Fort Meade can simply go to the company that owns and operates the wireless towers that Verizon uses for its network and get accurate information on anyone using those towers--or go to other entities connecting the wireless network to the landline network. The wiretapping laws, at least in this situation, simply don't apply. (more) (webinar pdf)

Friday, August 22, 2008

Steganography - Look at secrets, but not see them.

Altered with the proper steganography algorithm, this innocuous picture of a cat could be a carrier for corporate espionage.

Earlier this year, someone at the United States Department of Justice smuggled sensitive financial data out of the agency by embedding the data in several image files. Defeating this exfiltration method, called steganography, has proved particularly tricky, but one engineering student has come up with a way to make espionage work against itself.


Keith Bertolino, founder of digital forensics start-up E.R. Forensics, based in West Nyack, N.Y., developed a new way of disrupting steganography last year while finishing his electrical engineering degree at Northeastern University, in Boston.

FutureWatch...
Steganography is a moving target. Now exfiltrators are beginning to make use of streaming data technologies like voice over Internet Protocol (VoIP). Disrupting or even detecting hidden transmissions inside real-time phone calls is the next hurdle for digital forensics companies, and Hosmer says it poses a significantly more challenging problem.
(more)

Wednesday, August 20, 2008

Understanding CALEA, FISA - how we got this way

As telephone conversations have moved to the Internet, so have those who want to listen in...

• The advent of computer-based telephone switches and the Internet has made it more difficult for the government to monitor the communications of criminals, spies and terrorists.

• Federal agencies want Internet companies to comply with the same wiretapping requirements that apply to telecommunications carriers. This proposal, though, may stifle Internet innovation.

• Furthermore, the new surveillance facilities might be misused by overzealous government officials or hijacked by terrorists or spies interested in monitoring U.S. communications.


A Brief History of Wiretapping

To understand the current controversy over wiretapping, one must understand the history of communications technology. (more) (more) (more) (more)

Friday, August 1, 2008

Deep Packet Inspection - Computer Santa Claws

Imagine a Santa who receives bags of mail every second, reads and sorts each request, knows everybody's naughty or nice quotient and dispenses the correct 'just deserts' as fast as each request arrives.
Creep'ed out yet?
If so, stop reading now.


"Anyone who uses the Internet needs to be aware of Deep Packet Inspection (DPI), its uses, and potential misuses... DPI is next-generation technology that’s capable of inspecting every byte of every packet that passes through the DPI device, that means packet headers, types of applications, and actual packet content... DPI allows people controlling the device to know everything, including the payload of each packet in the data stream. For example, if an unencrypted e-mail is scanned, the actual body of the e-mail can be reassembled and read.

What makes DPI all the more impressive is that the packet analysis happens in real time, with data stream throughput approaching 20-30 Gb. See where I’m going with this? With no loss of throughput, ISPs are able to insert these devices directly in their data streams, forcing all traffic to pass through the devices. Procera, Narus, and Ellacoya are front-runners in development of this technology, having placed equipment throughout the world.

DPI developers are adamant that the technology is benign and will create a better Internet experience. However, privacy groups have two major concerns: little or no oversight and the potential for losing still more individual privacy.

An optimist would say that DPI will help enhance the experience, even producing ads that are relevant to each individual user. Whereas a pessimist would say it’s “big brother” technology that only benefits ISPs." (more)
A realist would say: "history tends to repeat" "mission creep" "if a technology can be abused..."

Monday, July 28, 2008

Eavesdropping on Skype, "...not a problem..."

There’s growing speculation coming out of Europe that there’s a backdoor in Skype that allows remote eavesdropping of telephone conversations.

A report in the reputable Heise Online says the issue was discussed at a meeting with ISPs last month where high-ranking officials at the Austrian interior ministry claimed “it is not a problem for them to listen in on Skype conversations.”

The report said a number of others at the meeting confirmed that claim. (more)
The public believes Skype phone calls are encrypted; eavesdropping is not possible. This may yet be true. But, what if there is a back door? Why would a government official admit it? The bigger story here may be this is a serious intelligence leak, or an intelligence red herring. Stay tuned.
In the meantime, a little history...
Oct 15, 2003 - (See FutureWatch heading)
June 9, 2008 - Expect negative 'feedback' from FBI

Saturday, July 26, 2008

Grade "A" Hack Attack with VoIP Crack

GA - A college student was behind bars Friday night, accused of stealing his professor's identity to change his grades. Police called 19-year-old Christopher Fowler a computer hacker.

Investigators said the student also, "Hacked into their Voice/Internet Protocol system where it uses internet to make phone calls and intercepted phone conversations."

Fowler could get five years for an unlawful eavesdropping charge. (more) (video)

Thursday, July 24, 2008

VoIP Eavesdropping - How Difficult Is It?

by Stephan Varty, Vulnerability Analyst, in Nortel's Voice Security Blog...
Many people assume a certain level of confidentiality is assured when they use their phone. Concerns have been raised about the increased risk of someone eavesdropping on a VoIP call compared to a traditional PSTN call. Although the concern applies similarly to other VoIP protocols such as UNIStim, H.323, or SCCP as well, what follows is an opinion on the susceptibility of a SIP call to remote eavesdropping...

...due to common vulnerabilities such as missing or outdated patches, misconfiguration, and undetected software defects, it is likely that in many cases a determined sophisticated attacker would be capable of eavesdropping on unencrypted SIP calls. (more)

Lessons:
• Employ encryption.
• Install all software patches and updates.
• Double check your configurations.

Extra Credit:
Eavesdropping an IP Telephony Call

Sunday, July 20, 2008

"How Can I Stop My Ex From Bugging My Phone & PC?"

My ex is a Private Investigator, and I believe he is bugging my phone–and possibly my PC. What can I do to stop this and/or prosecute? I have Vonage and my phone goes through a cable connection, as does my pc.
Thank you,
Patricia
(answers)

Wednesday, June 18, 2008

Almost everything you wanted to know about WIRETAPPING

"DIY Wiretapping: The Ultimate Guide (And How to Fight Back)"
via ITsecurity.com

Even if you aren't involved in a criminal case or illegal operation, it's incredibly easy to set up a wiretap or surveillance system on any type of phone. Don't be surprised to learn that virtually anyone could be spying on you for any reason.

How to Wiretap
Did you think wiretapping was just for the FBI and mobsters? It's actually so easy that we can show you how to install and manage different wiretapping systems yourself...
(11 "tips" revealed)

Fighting Back
Defend yourself against wiretappers and spies by following these tips. You'll be able to determine if someone is eavesdropping on your home phone, cell phone or VoIP calls.
(13 "tips" revealed... including this one.)

• Check for any suspicious wires running from your phone: Spybusters LLC, a company that performs eavesdropping-detection audits, explains on its Web site the different types of wires your phone should have and which ones indicate wiretapping.
(more)

Extra Credit...
Listen Up: 17 Signs That You Are Being Wiretapped
Is someone listening to your private calls? Know the warning signs.

Friday, June 13, 2008

FutureWatch - VoIP Bug Aids Bugging



Plans to compress internet (VoIP) phone calls so they use less bandwidth could make them [more] vulnerable to eavesdropping. Most networks are currently safe, but many service providers are due to implement the flawed compression technology. (more)

Sunday, May 18, 2008

The Geek Chorus Wails, "Beware VoIP. Shun GSM."

"Be careful what you say over that mobile phone or VoIP system."
The most widely used mobile phone standard, GSM, is so insecure that it is easy to track people's whereabouts and with some effort even listen in on calls, a security expert said late on Saturday at the LayerOne security conference.

"GSM security should become more secure or at least people should know they shouldn't be talking about (sensitive) things over GSM," said David Hulton, who has cracked the encryption algorithm the phones use. "Somebody could possibly be listening over the line."

For as little as $900, someone can buy equipment and use free software to create a fake network device to see traffic going across the network...

VoIP systems based on open standards are not encrypting the traffic, which leaves them at risk for eavesdropping, forged or intercepted calls and bogus voice messages, he said, adding that there are numerous tools for doing that, with names like "Vomit" and "Cain and Abel." (more)

Monday, May 5, 2008

The Dawn of the VoIP Bug

"...transform the existing power lines in your home or small office into a high-speed network solution. Without running wires, PLC-185S takes advantage of your existing electrical wiring to create or extend a network environment. PLC-185S is also an ideal solution for homes or small offices where concrete walls, floors in multi-storied buildings, or other architectural barriers could inhibit a wireless signal.

Just plug the PLC-185S into an electrical outlet and it can turn every electrical outlet into a possible network connection to connect to any network devices, such as wireless router, network cameras, and video servers." or VoIP bugs :) (more)

Friday, May 2, 2008

The Essential Guide to VoIP Privacy

What you need to know about protecting the privacy and confidentiality of IP phone calls.

People generally assume that their private phone calls are just that: private. VoIP users, however, shouldn't take privacy for granted. (neither group should)

The problem with most VoIP calls is that they travel over the Internet, a very public network. This means that calls are vulnerable to snooping at various points throughout their journey. And even private-network VoIP calls can be tapped if access can be gained to the physical wiring.

As a result, business competitors, employees, criminal gangs, tech hobbyists and just plain snoops can all listen in to a business's outgoing and incoming VoIP calls. All that's needed is a packet-sniffing program, easily downloaded from the Internet, and perhaps a tiny piece of hardware to tap into a physical wire undetectably.

But the news isn't all bad. Methods and systems are available to safeguard VoIP traffic... (more)

Wednesday, March 19, 2008

How To Make Your Phone Untappable

In 1991, Philip Zimmermann developed a humble-sounding electronic encryption technology known as Pretty Good Privacy. In fact, it was very good--so good that not even the federal government has been able to crack it, a fact that has made Zimmermann a folk hero to privacy advocates and a headache to law enforcement.

Now Zimmermann, the CEO of PGP Corp., has found himself back in the fiery debate between federal investigators and those who oppose their snooping--this time thanks to ZRTP, a technology for encrypting Internet telephone calls. ZRTP throws a wrench in the Bush administration's controversial warrant-free wiretapping program and its proposed legal immunity for the telecommunications companies. So far, not even teams of supercomputers and cyberspies at the National Security Agency have cracked ZRTP. That means anyone who uses Zimmermann's Zfone software, a ZRTP-enabled voice over Internet Protocol (VoIP) program available for free on his Web site, can skirt the feds' wiretapping altogether.

Forbes.com spoke with Zimmermann about how his small company has been able to produce an encryption product that not even the U.S. government can break, what ZRTP means for national security, and why cutting off the government's access to our phones is necessary to keep out the truly malicious spies. (more)

Free advice.
Free software.
An end to wiretapping woes.

Come on. What more do you want from me?
The least you could do is send me some M&M's. :)
~Kevin

Sunday, January 6, 2008

VoIP Reminder - ZFone

The VoIP industry has been amazingly uninterested in figuring out how to protect the privacy and security of VoIP users. Of all the commercial service providers, only Skype provides encryption and authentication. Fortunately, Phil Zimmermann, the inventor of the best encryption software for all platforms, PGP (Pretty Good Privacy), has turned his talents to protecting VoIP. This is good news because eavesdropping on VoIP traffic is just as easy as sniffing any TCP/IP traffic. So we now have the ZFone.

ZFone operates invisibly, without needing administration and setup the way PGP does. With PGP you have to set up a public key infrastructure (PKI). A PKI performs authentication, verifying that the person you're communicating with really is who he or she claims to be, prevents eavesdropping and alerts you if the transmission has been altered in transit. (more) (original alert)

Extra Credit...
VoIP calls are easy to eavesdrop on—anyone with access to any wire that carries your transmissions can snoop with trivial ease. There is a possible remedy, but it's not widely used yet, and that is the ZRTP encryption protocol. I think it shows the most promise, as it is lightweight, provides very strong encryption, and—best of all—requires no user or administrator intervention; it Just Works. ZRTP is somewhat like cell phone encryption, except that it's not weak or easily broken. Zfone is the software implementation of ZRTP, and now you can get a plugin for your softphones. It costs nothing but a bit of time to try it out. (more)

Monday, December 17, 2007

Instant Education - VoIP: The Top 5 Vulnerabilities

Nothing is hacker-safe these days unfortunately, not even your VoIP service. But knowing that going in, and protecting yourself appropriately, can make a world of difference. The folks at the Sipera VIPER Lab have released what they feel are the Top 5 VoIP Vulnerabilities in 2007.

They are:

• Remote eavesdropping of VoIP phone calls...
• VoIP Hopping, one of the enablers of remote eavesdropping...
• Vishing, enables hackers to spoof caller ID... (q.v.)
• Toll fraud...
• The Skype worm...
(more)