VoIP Phone Eavesdropping Prevention Tips

via Mike Chapple, Network Security

Every organization considering a Voice over Internet Protocol (VoIP) telephone system deployment hears the same dire warnings: “Routing voice calls over a data network exposes calls to eavesdropping.” 

While it’s certainly true that any telephone call carries a certain degree of eavesdropping risk, is it true that VoIP calls have an inherently higher degree of risk? In this tip, we explore the ins and outs of VoIP eavesdropping.

VoIP eavesdropping is possible
First, it’s important to be clear about one thing: It is absolutely possible to eavesdrop on a VoIP telephone call. It’s also possible to eavesdrop on a telephone call placed using the traditional public switched telephone network (PSTN). The difference lies in the tools and skill set needed to conduct the eavesdropping. (more)

Is encryption alone, the answer?

Eavesdrop on the boss to aid promotion chances? Probably not a good idea, especially if your boss is the police commissioner.

 S. Korea - On Wednesday a Cyber investigation team at Daejeon Metropolitan Police Agency sought a warrant for the arrest of “Jeong,” a 47-year-old superintendent at the same agency, on suspicion of secretly installing a recording program on the agency commissioner’s computer and recording his conversations and telephone calls.

Jeong is suspected of entering the commissioner’s office, on the seventh floor of the DMPA headquarters building, in the evening of December 14, installing recording and remote control software on a computer connected to an outside network and setting it up to automatically create recorded files, then using the computer in his own office to connect to that of the commissioner and downloading 320 files recorded up to December 17. “It appears that Jeong, who was promoted to the position of superintendent in 2006, did this in order to learn of the newly-appointed commissioner’s tendencies and personal relationships when Jeong became a candidate for promotion to senior superintendent next year.”

Police stated that, on December 16, the commissioner found it strange that his computer ran slower. He gave an order to his secretary’s office to inspect it. The main body of the computer was replaced, but Jeong entered the commissioner’s office again on the same evening and installed the remote control and other software again. (more)

Security Quote of the Day - Smartphones, the Next Target

“We’ve gotten to that perfect crossing point where all of the things which have prevented criminals from leaping into the wireless space have been eroded,” —Gareth Maclachlan, COO of security firm AdaptiveMobile

The bottom line: It’s now easier than ever for spammers to make money off wireless devices. 

Why the concern?

 “If I can infect your device by getting you to download an app, or push you to a link that cracks your phone and infects your OS, I can get your phone to make extra calls to a premium rate number which I own, or send an premium SMS or short code I’m renting through a shell company, and start taking money out of your pocket,” he says.

Criminal groups release malicious apps that get devices to send out calls and texts to premium numbers without the user’s knowledge. The charges may go unnoticed or a customer may contest the fees and the operator has to eat the charge, leaving the spammers with a neat profit. (more)

Security Tips from the book: Is My Cell Phone Bugged?

• Don't jailbreak your smartphone.

• Password protect your smartphone.

• Don't click on links sent by email spammers.

• Never loan your phone.

• Don't load an app unless you appsolutely need it, and know it is safe.

VoIP Phone Tap Taps

Tapping a VoIP phone line isn't difficult... via Janitha

Here's a quick background on what's going on. In 10/100 twisted pair ethernet networks, only two of the four pairs of wires are actually used for data transmission. From a computer's perspective, the orange pair is for RX and the green pair is for TX. The passive splice tap works by connecting a sniffer's RX to either the RX or TX of the wire being sniffed. By having two RX interfaces on the sniffer, you can capture full duplex traffic on the wire.

Recipe
Before starting, you will need the ingredients for a passive splice tap. Two punch down type 8P8C (aka RJ45) IDC connector jacks, A punch-down tool, Two regular pass-though ethernet cables, a sharp knife, clear tape, and an alibi. You also need a laptop to log the data with two ethernet interfaces (two usb to ethernet adapters will do the job). Now for the instructions.

First take the cable you want to tap and cut the casing long ways a few inches to expose the 4 pairs of wires inside. Isolate the green and the orange pair of twisted wires.



Next, take one of the jacks and find the orange and orange-white connectors (will look like two blades with a gap between). Put the jack perpendicular to the orange pair of wires. Now punch down the orange wire in to the orange connector, and the orange-white wire in to the orange-white connector. Take the another jack and repeat the process, but this time punch the green wire in to the orange connector, and the green-white in to the orange-white connector.



At this point, the tap it physically done. Yes, It's that simple. Now connect each of the jacks to the ethernet interfaces on the laptop using the two regular ethernet cables. The sniffer laptop will be like 'wtf mate' and fail at auto negotiating a link since only the RX wires are hooked up. So bring the two interfaces up manually in promiscuous mode (if in *nix, use ifconfig with the promisc switch).

Finally fire up wireshark or your favorite packet sniffer. If you are using wireshark, select capturing on the 'Any' interface as we want to capture data on both ethernet adapters at the same time. If the sniffer app does not have an 'any' interface, simply start two instances and capture the two interfaces separately. Further more, you can bond the two interfaces so you can treat the full-duplex as a single interface if you have that much free time.

Or, you can make one of these.

Why do I mention it?

Because I too often hear, "Can they really tap a digital phone?"

A Merry Christmas, Valentine - Good Work

UK - A Norfolk animal rights campaigner is taking turkey producer Bernard Matthews to court claiming she was harassed and intimidated by the company.

Wendy Valentine of Hillside Animal Sanctuary, Frettenham, also claims her car was "bugged" by security firm Richmond Day and Wilson Limited (RDW), which was working for the firm.

Bernard Matthews has confirmed its use of RDW but "emphatically denies" Ms Valentine's allegations.

Hillside Animal Sanctuary investigators went undercover at one of Bernard Matthews' turkey farms in 2006 and filmed two poultry workers using a bat to play baseball with the birds. Two people were later prosecuted...The following year, staff were again videoed abusing turkeys at Bernard Matthews, by undercover workers from Hillside.

A spokesperson for Hillside said: "We felt we had no option but to resort to legal proceedings after Hillside's founder, Wendy Valentine, had her car bugged with an electronic tracking device earlier this year." (more)

Business Espionage: 7 Million Dollar Man Sentenced for 7 Years

IN - An ex-Dow AgroSciences LLC researcher who stole trade secrets from his former employer to benefit a Chinese university was sentenced to seven years and three months in prison, prosecutors said.

Kexue Huang, 46, was sentenced yesterday by U.S. District Judge William T. Lawrence in Indianapolis, according to an e- mailed statement from U.S. Attorney Joseph Hogsett’s office.

Huang, a Chinese national, pleaded guilty in October to economic espionage. He also admitted to stealing trade secrets from the Minneapolis-based grain distributor Cargill Inc., the U.S. Justice Department said in October. Financial losses from his conduct exceed $7 million, the U.S. said. (more)

Walkie Talkie Law

The Honduran Congress has passed bills allowing authorities to wiretap the telephone conversations, emails and bank accounts of suspected criminals, and temporarily banning motorcycles from carrying passengers. (more)

"Whaaaadt?!... Hey, why don't you go see where you gotta go."

The CIA said Friday its internal watchdog found nothing wrong with the spy agency’s close partnership with the New York Police Department.

The agency’s inspector general concluded that no laws were broken and there was “no evidence that any part of the agency’s support to the NYPD constituted ‘domestic spying’,” CIA spokesperson Preston Golson said. (more)

"Al, we hardly knew you."

Russian Spy Chief Resigns

The chief of Russia’s military intelligence (GRU), Col. Gen. Alexander Shlyakhturov, resigned from his post on Saturday, the Kommersant business daily reported... Shlyakhturov has led the GRU since April 2009. The public knows nothing about General Shlyakhturov's biography and service record. Such tight secrecy implies that he is a career intelligence operative... The name of the future chief of Russia’s military intelligence is not known yet. (more)

"So, how often do journalists hack voicemail?"

Phone hacking appeared to be a "bog-standard tool" for information gathering, a former journalist for the Daily Mirror tabloid told the UK inquiry into media ethics overnight.

James Hipwell, who was jailed in 2006 for writing stories about companies in which he owned shares, told the Leveson Inquiry that phone hacking had taken place on a daily basis during his time at the paper.

He also threw doubt on former Mirror editor Piers Morgan's claim in evidence on Tuesday that he had no knowledge that hacking went on there.

"I would go as far as to say that it happened every day and that it became apparent that a great number of the Mirror's show business stories would come from that source. That is my clear memory," Hipwell said. (more)

The Cone of Silence is Coming... no, really!

FutureWatch - The Cone of Silence...

Many of the current experimental "invisibility cloaks" are based around the same idea - light coming from behind an object is curved around it and then continues on forward to a viewer. That person is in turn only able to see what's behind the object, and not the object itself. Scientists from Germany's Karlsruhe Institute of Technology have applied that same principle to sound waves, and created what could perhaps be described as a "silence cloak."

For the experiments, Dr. Nicolas Stenger constructed a relatively small, millimeter-thin plate, made of both soft and hard microstructured polymers. Different rings of material within the plate resonated at different frequencies, over a range of 100 Hertz.

When viewed from above, it was observed that sound wave vibrations were guided around a central circular area in the plate, unable to either enter or leave that region. "Contrary to other known noise protection measures, the sound waves are neither absorbed nor reflected," said Stenger's colleague, Prof. Martin Wegener (speaking from his secret lab in the South Pacific on "Nuthing Atoll"). "It is as if nothing was there."

While the plate is a small-scale proof-of-concept, the principles at play in it could perhaps ultimately be used to shield people in a "cloaked" area from loud background noises, or to keep eavesdroppers who aren't in that area from hearing those peoples' private conversations. (more)

North American Business Espionage Warnings

US - House Intelligence Committee Chairman Mike Rogers (R-Mich.) said computer hacking aimed at stealing business secrets has "reached an intolerable level, and it's getting worse," in an interview with ABC News on Wednesday night.

Rogers made the comments after The Wall Street Journal reported that Chinese hackers had gained access to the computers of the U.S. Chamber of Commerce.

He introduced a bill last month that would make it easier for companies to share information with the government about threats and cyberattacks. (more)

Canada - Corporate espionage - ranging from Dumpster diving for industrial secrets to plying vulnerable employees of competitors with booze, drugs and sex in exchange for information - is a common tactic in Canada for companies to get ahead, says a former CSIS spy and private investigator.

Tuesday, at the Canadian Industrial Security Conference, Ron Myles said Canadian companies often perceive corporate spying and infiltration as something out of Hollywood and insists the number of cases that are exposed is but a mere fraction of the problem in this country.

"I don't think even the tip of the iceberg is showing. (Corporate espionage) is more prevalent in small-and medium-sized companies because they're often just starting up and don't have massive (security) budgets." (more) (video)

Workers Warned to Keep Smartphones Safe at Christmas Parties

A new survey conducted by STS Digital has found that staff are risking data breaches by not taking care of their smartphones and tablet computers. 

The poll found that Christmas parties are particularly dangerous for staff as they are leaving themselves open to corporate espionage. 

A massive 98% of workers admitted to taking their smartphone devices to a bar and when asked about access to corporate data and sensitive information, 98% of respondents were able to access corporate information using a mobile device.

An alarming 91% of respondents revealed it was possible to access all corporate data including documents, contracts, emails and sensitive information regardless of location using the mobile device. (more)

Spybusters Tip # 645: Never loan your smartphone. It only takes a short time for a co-worker to load spyware onto it for their own evil purposes.

When Spy Worlds Collide - It's a Paranoia Ride - Hackers Stop to Shop

The intelligence operative sits in a leather club chair, laptop open, one floor below the Hilton Kuala Lumpur’s convention rooms, scanning the airwaves for spies.

In the salons above him, merchants of electronic interception demonstrate their gear to government agents who have descended on the Malaysian capital in early December for the Wiretapper’s Ball, as this surveillance industry trade show is called.

As he tries to detect hacker threats lurking in the wireless networks, the man who helps manage a Southeast Asian country’s Internet security says there’s reason for paranoia. The wares on offer include products that secretly access your Web cam, turn your cell phone into a location-tracking device, recognize your voice, mine your e-mail for anti-government sentiment and listen to supposedly secure Skype calls.

He isn’t alone watching his back at this cyber-arms bazaar, whose real name is ISS World.

For three days, attendees digging into dim sum fret about losing trade secrets to hackers, or falling prey to phone interception by rival spies. They also get a tiny taste of what they’ve unleashed on the outside world, where their products have become weapons in the hands of regimes that use the gear to track and torture dissidents. (more)

Did You Get Your Favorite Spy a Gift Yet? (Hint: International Spy Museum Store)

It's not too late. 

How about a nice set of books?

Secret Code: 17568

Product Facts: The perfect gift book set for curious, experimental, creative masterminds - - think cool science experiments, multi-function gadgets, computer science and other high- and low-tech inventions. In total you’ll be equipped with 250+ solutions, bonus applications, and resources at your disposal and be ready for almost any situation. Detailed step-by-step instructions and diagrams enable you to complete projects in just minutes.

 

A sample by volume of what you’ll be able to make amaze your friends with; Volume 1 (Sneaky): Craft a Compass and Make a Sneak Detector, Door Opener, and Power Ring/Room, Volume 2 (Sneakier): Make Invisible Ink, Sneaky Pockets, and a Metal Detector, Volume 3 (Sneakiest): Learn Scroll Message Encryption and Make Robots, Sneakbots, and Electrical Motors. This 3-volume book collection is a fun and valuable resource for transforming ordinary objects into the extraordinary. And as a bonus, you’ll be seen as a super-hero by your friends with the new and amazing, sneaky things that you can do!

 

Technical Data: Books are soft cover with B/W illustrations. Resource, recommended reading lists, and websites included, 157, 141, and 170 pages respectively, 5”W x 7”H. (more)

Seasons Greetings spies, where ever your are.