Business Espionage Alert: Embedded Web Servers

Many types of Web-connected photocopiers, scanners, and VoIP servers have no default passwords or other security enabled to stop remote eavesdropping.

Numerous models of printers, photocopiers, and voice over IP (VoIP) systems are Internet-connected. But their embedded Web servers often use well-known default passwords or firmware that has known vulnerabilities, either of which could be used by remote eavesdroppers to intercept internal communications...

Web-accessible photocopiers and the like are essentially repositories of any recent documents or communications of interest, and thus could serve as a competitive intelligence treasure trove. 

Some devices even offer would-be attackers time-saving shortcuts. Certain models of Sharp photocopiers, for example, can be set to upload all scanned or copied documents to an external site via FTP, or email them to an outside email address. Meanwhile, some HP all-in-one printers have a feature called Webscan, which allows anyone with a browser to scan and download whatever is on the scanner bed. (more)

Tips for Securing VoIP Phones in the Cloud

Click to enlarge.

South Africa - ...accepting an unprotected Internet Protocol (IP) connection from your VOIP partner is not the safest tactic. “Besides inviting eavesdropping on your most sensitive business dealings”, says Rob Lith, Director of Connection Telecom, “It also puts you at risk of sponsoring thousands of rands ($) in phone calls made on your account.”

What can be done?
So what can be done to keep your PBX safe from spilling your trade secrets and bleeding out your cash resources? The good news is that both VOIP providers and customers can pitch in. Here are some ways to safeguard your telephony:

Customer-side
· Password generators – Cloud PBX customers should use only securely-generated random passwords. Passwords chosen by humans are often the weakest link in a company’s security posture, so invest in tools that manage and retrieve passwords easily and securely. 1password from AgileBits is a good example.
· Strong access policies – It can be as basic as allowing only known IP address ranges access to the voice platform. But this approach, while highly secure, sacrifices flexibility – for instance the ability to access the voice server while roaming overseas.
· Cloud customers can also load tools that monitor VOIP accounts for repeated failed password attempts, and block the IP address from which the attempts are coming pending administrator investigation. Fail2ban is one such tool.

Provider-side
· Tools like Zabbix monitor unusual call patterns, destinations, numbers of live calls and account balances, and trigger alarms when certain values are exceeded (too many calls, a sharp drop in account balance, unusual international prefixes being dialed etc). Anything out of place is picked up long before too much harm can come to the user enterprise.
· VPN tunneling used in an enterprise VOIP service shields calls from eavesdropping and line-jacking, making it as secure as line encryption. An MPLS network and VPN technology like ViBE are among the applications that enable secure VPN tunnelling.
· Private cloud solutions are shielded from the public Internet by virtue of the customer’s ownership of the hosted domain.

Conclusion
VOIP hacking, while not an everyday occurrence, is very possible. However, with the right tools and a few basic security habits, this form of communication can be highly secure. (more)

A Microsoft Wiretap Patent...

...what could possible go wrong?

Microsoft has been granted a patent for technology that acts as a wiretap of sorts for Internet communication, allowing governments or other law-enforcement authorities to record the data without detection.

Dubbed "Legal Intercept," using the technology means "data associated with a request to establish a communication is modified to cause the communication to be established via a path that includes a recording agent" that silently records the data, according to a filing with the U.S. Patent and Trademark Office.

In other words, the technology intercepts Internet communications data so it can be recorded for the purposes of reviewing it later by, presumably, government or law-enforcement officials.

"Sometimes, a government or one of its agencies may need to monitor communications between telephone users," Microsoft said in the filing, describing how a recording device can be placed at a central office to record communications over a traditional telephone network.

But with Voice over IP and other Internet-based communications, "the [conventional] model for recording communications does not work," according to Microsoft. (more)

Yipes Skypes! VoIP Phone Encryption - Busted.

A team of researchers and linguists have found a fatal flaw in supposedly encrypted internet phone calls that allow them to eavesdrop on conversations.

University of North Carolina scientists took a novel approach to 'listening in' on voice-over-internet-protocol (VoIP) conversations by analysing the 'encrypted' data packets used to transmit people's conversations.

VOIP services such as Skype transmit speech over the internet by encoding and the encrypting the conversation into individual data packets.

According to The New Scientist, Linguists noticed the size of each packet mirrored the composition of the original speech itself - allowing them to reconstruct words and phrases from the original voice.

By splitting the packet sequences into phonemes - the smallest sounds that make up a language - linguists were able to reconstruct the data into discernible words. (more)

U.S. Secret Service to Enhance its Telecommunications Intercept Capabilities

The U.S. Secret Service wants to replace its existing telecommunications interception system with a new, all-inclusive intercept platform that can collect, analyze, decode and reconstruct voice, data and Voice Over Internet Protocol (VOIP) communications.

The new system will be used by approximately 250 Secret Service analysts, monitors and administrators, on a 24/7 basis, according to a sources sought notice published on May 12 by the DHS component.

“The system must be able to decode multiple specified common telecommunications application & network protocols,” said the agency. It must also support the automatic translation of intercepted messages in “numerous highly specific foreign languages,” which the Secret Service did not identify. (more)

Five out of Seven Hacker Types also Bug & Tap

infoworld.com has identified seven types of hackers. Five of them (in bold) will also use standard electronic surveillance techniques to achieve their goals. 

Why? Because that information is fresher, it is available long before it becomes computer data... and some of it will never become computer data.

If you are only watching your computer networks, you are a day late and a dollar short. Traditional bugs and wiretaps remain spy staples. Two more overlooked attack points include Wi-Fi security (and compliance) and Internet telephony (VoIP).

Malicious hacker No. 1: Cyber criminals
Professional criminals comprise the biggest group of malicious hackers, using malware and exploits to steal money. It doesn't matter how they do it... (Eavesdropping is just another profit center.)

Malicious hacker No. 2: Spammers and adware spreaders
Purveyors of spam and adware make their money through illegal advertising.

Malicious hacker No. 3: Advanced persistent threat (APT) agents
Intruders engaging in APT-style attacks represent well-organized, well-funded groups -- often located in a "safe harbor" country -- and they're out to steal a company's intellectual property. They aren't out for quick financial gain like cyber criminals; they're in it for the long haul. Their dream assignment is to essentially duplicate their victim's best ideas and products in their own homeland, or to sell the information they've purloined to the highest bidder.

Malicious hacker No. 4: Corporate spies
Corporate spying is not new; it's just significantly easier to do, thanks to today's pervasive Internet connectivity. Corporate spies are usually interested in a particular piece of intellectual property or competitive information. They differ from APT agents in that they don't have to be located in a safe-harbor country. Corporate espionage groups aren't usually as organized as APT groups, and they are more focused on short- to midterm financial gains.

Malicious hacker No. 5: Hacktivists
Lots of hackers are motivated by political, religious, environmental, or other personal beliefs. They are usually content with embarrassing their opponents or defacing their websites, although they can slip into corporate-espionage mode if it means they can weaken the opponent. 

Malicious hacker No. 6: Cyber warriors
Cyber warfare is a city-state against city-state exploitation with an endgame objective of disabling an opponent's military capability. Participants may operate as APT or corporate spies at times...

Malicious hacker No. 7: Rogue hackers
There are hundreds of thousands of hackers who simply want to prove their skills, brag to friends, and are thrilled to engage in unauthorized activities.

Legal Phone Taps Vulnerable to DOS Attacks

Researchers at the University of Pennsylvania say they've discovered a way to circumvent the networking technology used by law enforcement to tap phone lines in the U.S.

The flaws they've found "represent a serious threat to the accuracy and completeness of wiretap records used for both criminal investigation and as evidence in trial," the researchers say in their paper, set to be presented Thursday at a computer security conference in Chicago.

Following up on earlier work on evading analog wiretap devices called loop extenders, the Penn researchers took a deep look at the newer technical standards used to enable wiretapping on telecommunication switches. They found that while these newer devices probably don't suffer from many of the bugs they'd found in the loop extender world, they do introduce new flaws. In fact, wiretaps could probably be rendered useless if the connection between the switches and law enforcement are overwhelmed with useless data, something known as a denial of service (DOS) attack. (more)

CALEA VoIP Taps In

The FCC has been moving to treat broadband Internet the same as phone services and with those moves, the FBI's wiretapping authority might be becoming more nebulous.

The agency is lobbying the communications commission to make sure its changes in regulation do not hinder the Communications Assistance for Law Enforcement Act which demands that telecom companies allow law enforcement to use wiretaps on phone lines and VoIP calls.

VoIP wiretapping has been challenged in court a few times unsuccessfully, but changes in regulations could hinder wiretap efforts. It seems like at this moment, however, the FCC has no plans to interfere with the wiretapping rules. (more)

Internet Steganography - Data Under the Radar

7:00 p.m., Shanghai

An employee of an electronic equipment factory uploads a music file to an online file-sharing site. Hidden in the MP3 file (Michael Jackson's album Thriller) are schematics of a new mobile phone that will carry the brand of a large American company. Once the employee's Taiwanese collaborators download the file, they start manufacturing counterfeit mobile phones essentially identical to the original—even before the American company can get its version into stores.

3:30 p.m., somewhere in Afghanistan

A terrorist hunted by the U.S. Federal Bureau of Investigation posts an excerpt from the motion picture High School Musical Three: Senior Year on Facebook. Inside are hidden instructions for a bomb attack on a commuter rail line in southern Europe. Later that day, terrorists based in Athens follow the instructions to plan a rush hour attack that kills hundreds of people.

4:00 a.m., Malibu, Calif.

A very famous actor (VFA) has a brief conversation with a well-known director (WKD) over Skype, an application that lets them make free voice calls over the Internet. They discuss the medical problems of VFA's cat in great detail. When the conversation is over, WKD's computer has a sleazy new addition—in a folder on his desktop, there is a picture of a nude teenager, along with her mobile number and the date and time at which WKD will meet her at VFA's pool party for a photo session.

What all these scenarios have in common is an information-smuggling technique called steganography—the communication of secret messages inside a perfectly innocent carrier... (more)

Vulnerable VoIP Products Almost Triple Since 2006

VoIP Vulnerabilities, a white paper issued by McAfee Labs, found almost 60 vulnerabilities in voice over internet products, compared to just under 20 vulnerabilities in 2006.

"We can credit part of this increase to better tools for finding VoIP vulnerabilities, yet this upward trend should be largely attributed to the growing number of VoIP installations", the white paper said...

Eavesdropping on VoIP conversations is possible when the default implementation of the Real Time Protocol (RTP) used to carry VoIP traffic is not encrypted, for example. Tools such as VOMIT have been published to dump unencrypted traffic between phones and turn it into playable sound. (more)

Advice from McAffee on eavesdropping attacks... For a superior solution, you should use secure RTP (SRTP), which provides both encryption and authentication. (more)

A Short History of Wiretapping and Ramifications

Communications Surveillance: Privacy and Security at Risk
AS THE SOPHISTICATION OF WIRETAPPING TECHNOLOGY GROWS, SO TOO DO THE RISKS IT POSES TO OUR PRIVACY AND SECURITY.

We all know the scene: It is the basement of an apartment building and the lights are dim. The man is wearing a trench coat and a fedora pulled down low to hide his face. Between the hat and the coat we see headphones, and he appears to be listening intently to the output of a set of alligator clips attached to a phone line. He is a detective eavesdropping on a suspect's phone calls. This is wiretapping—as it was in the film noir era of 1930s Hollywood. It doesn't have much to do with modern electronic eavesdropping, which is about bits, packets, switches, and routers.
We start with an overview of the convoluted history of wiretapping, focusing on the United States, and then turn to issues of privacy and security. (more)

Posted code enables VoIP spying

Along with keyloggers that track what you type, now we have to worry about malicious software that listens in on our voice over Internet Protocol conversations. A Symantec security blog disclosed a new Trojan horse, Tojan.Peskyspy "that records VoIP communications, specifically targeting Skype."... Eavesdropping is a risk, when it comes to industrial espionage, prying spouses or significant others, and political campaigns, as well as political dissidents. (more)

Video over IP. Convenient, but not secure.

Video about video being hacked, hijacked and insert-attacked...
• A security assessment of an IP Video Camera; think Ocean’s Eleven.

Man-in-the-middle attacks tamper with video surveillance feeds, eavesdrop on IP video phone conversations

In one attack, researchers from Viper Lab showed how a criminal could tamper with an IP video surveillance system to cover up a crime by replacing the video with another benign clip. In another demo, they eavesdropped on a private IP video call. (more)

Top Seven Emerging Threats to VoIP Services

A clear, lucid article on VoIP security (or, bad stuff that can happen to that fancy new phone on your desk that plugs into the network instead of the old phone jack). Written by one of the many vendors who offer solutions.

Summary:
• VoIP DoS attacks
• Spam over Internet Telephony (SPIT)
• VoIP service theft
• SIP registration hijacking
• Eavesdropping
• VoIP directory harvesting
• Voice Phishing, or Vishing
"WatchGuard advices all businesses using VoIP systems to review their perimeter and VoIP security." (more)

Additional solution vendors:
• Sipera
• Radware
• VoIP Security Buyer's Guide

FREE VoIP security information:
• Mark Collier's VoIP Security Blog
• Blue Box: The VoIP Security Podcast
• Security Considerations for Voice Over IP Systems

Thus driving intelligence agencies, nuts.

Skype has become the world's single largest provider of international calls, surpassing even incumbent telcos like AT&T. (more)
Skype's strong encryption has been providing the illusion of "untappable" communications to many groups security agencies would like to monitor. (more)

101 Undiscovered Freebies: The List

via PCWorld...
We scoured the Internet to come up with 101 innovative, entirely free downloads and services. Here's the whole collection.

Securing VoIP... "Give up?"

There are too many sources of vulnerability for VoIP to ever be completely secure, says Patrick Park, author of VoIP Security. Here he describes the VoIP threat landscape and offers best practices for making VoIP reasonably secure... (more)

Another Solution to VoIP Eavesdropping

From their press release...
"Paranet Solutions, LLC, a leading global provider of Data Center, Network Infrastructure and Enterprise Services and Solutions, announced today that it has expanded its Security Solutions Suite to include VoIP Security Services in order to identify and prevent Illegal Reconnaissance, Malicious Service Disruption, Eavesdropping, Message Manipulation, Services Theft, VoIP Spam, VoIP-to-Data-Exploits and Quality Degradation. Paranet's VoIP security solution is anchored with a comprehensive vulnerability and threat assessment." (release)

Q. Would you hire a long-distance baby sitter?

A. Depends on how old the baby is.

From those wonderful folks in Sweden who brought us SpyOn Voice... Now, a morphed and more palatable (ta-daaa) SpyOn Baby.

How could you resist a cute little program that calls itself, "A modern baby alarm that allows you to watch over your baby at home and over the internet." (for less than $10.00)

Besides, "If you are looking for specialists in VOIP (Voice over IP) then you have come to the right place. We are developing a series of applications based upon VOIP technology. If you can not find exactly what you are looking for maybe we can develop it for you."

And, oh, by the way, the company name is Spying Machines.

Why do we mention it?
So you know what your up against.

Skype vs. Eavesdropping

Mike Chapple handles a Skype question...
Q: Can an attacker gain important and private information from my phone through a peer-to-peer network?

A: Peer-to-peer telephone services such as Skype offer a way to save significant money on telephone services. By leveraging peer-to-peer networks to route calls around the world, every call becomes a local one. Peer-to-peer services allow telephone calls to be routed through the privately owned equipment of one or more unknown individuals. This raises a number of confidentiality, integrity and availability concerns, and little information is available about what, if any, security controls these services have put in place to protect your telephone calls.

While this is an interesting technology, I would not recommend that it be used for any private communications. (more)

Additional considerations...
• Skype says their communications is encrypted.
• Some say Skype encryption can be bypassed.