Categories
Bad Stuff End User security

Mcafee offers – how to choose anti virus software

How to choose anti virus software

As regular readers will know I don’t use Microsoft software anymore. I’ve suffered from so many problems in the past that with the advent of Chromebook and the cloud I exist happily with my head up there in the fluffy stuff.

This is not the case for all members of my family and my wife in particular still has a Windows 8 laptop (yuk). In fact I only bought it to run our CCTV monitoring software but it does very occasionally get used for other things when her iPad doesn’t cut the mustard.

Because family PCs have suffered badly from viruses over the years I made sure that when I bought the cheapo Windows 8 laptop it was covered by McAfee anti virus software. It was a deal that covered the whole family for £25 if I recall. Fair enough. Install and forget.

Last week the license ran out. McAfee bless em wanted £59.99 for me to renew. I looked online and saw a number of deals including a lowball £25.50 but decided to nip into PC World to see what they had.

All they could do was £60 including a white labelled online backup service free for the first year. A bargain at £30 pa thereafter for 2TB. However I’d been stung in the past with that. Or at least one of the kids had when he installed it on his laptop only to have the thirty quid taken from his youthful bank account the following year. Phone calls to PC World revealed that they didn’t actually control the service and no way Jose could he have his cash back.

I gave him his money, deinstalled the (unused) client and asked PCW to cancel next year’s subscription. Shysters I thought. So I wasn’t going anywhere near a product that could only give me a (inadequate) discount based on taking the backup service.

The salesman/advisor simply suggested Norton at £40 (£39.99). No problemo.

I got home and commenced installation operations. To begin with I had to wait half an hour whilst the laptop updated the Microsoft software. Then I had problems with the Norton site – their servers were overloaded – hope it wasn’t a virus.

Eventually I managed to download the executable and began to install the Norton Symantec anti virus software. This took ages because it needed to deinstall McAfee which took several reboots and a number of Microsoft updates.

Gor Blimey. The next day I found that Windows 8 has its own anti virus, but I also need it to cover a kid’s Windows 7 machine and a MacBook Air. Hey.

I realise that Microsoft is following Google into the cloud but it doesn’t remove my present pain. These security software vendors are also seen to be dubious wheeler dealers with all the various deals to confuse customers. Can they survive the fact that in the cloud all the security services seem to come free of charge?

Read all about how to choose anti virus software on Wikipedia.

Categories
Bad Stuff Business scams voip

Mechanics behind International Shared Revenue Fraud

VoIP fraud continues to rear its head this week with a post on ISRF mechanics.

Continuing his week as guest editor covering VoIP fraud issues, David Cargill has invited industry expert Martin John from AQL to discuss ISRF mechanics: how it actually works.

As we all know, International Shared Revenue Fraud (ISRF) plays a large part in the overall fraud we see in the industry. Even though the number ranges involved are marketed as legitimate services, they are widely used for fraudulent purposes and for the artificial inflation of traffic. Whilst some of the traffic will terminate in the target country, a high percentage will never reach the expected destination (commonly referred to as short transit or short stopping).

Whilst the ITU governs the allocation of Country Codes, once a code is allocated its usage and numbering plan are controlled by the responsible authority in the recipient country. The ITU publishes updates on the reported use of each numbering block for each allocated Country Code (http://www.itu.int/oth/T0202.aspx?parent=T0202); however, this is based on information submitted by the responsible authority and is not always an up-to-date source of information.

Historically, telecoms operators interconnected directly via TDM on a bilateral basis. A settlement rate would be negotiated, with a key objective being a balance of traffic so as to reduce any financial settlement between the parties. Under this method the majority of ISRF traffic actually terminated in the country that holds the number allocation.


Smaller countries, or those with financial constraints, could not justify or afford this method and opted for cascade accounting instead. Under cascade accounting the smaller operator would make an agreement with one or two larger international operators, whereby the larger operators became the aggregation point for the allocated country code and in return kept a percentage of the revenue.


With cascade accounting, traffic to designated number ranges could potentially be short transited: the authority responsible for the allocation and administration of the number ranges may have requested that the cascade accounting partner terminate certain prefixes to alternate carriers or partners for other services. These arrangements were very financially rewarding, because the expensive part of the network (the international circuits) was not being used at all.


As the market developed, and with the establishment of VoIP clearing houses/exchanges and traffic aggregators, cascade accounting has become less popular. Operators favour being able to interconnect to lots of different operators in one place; they increase their profitability, as they no longer have to give a percentage to the cascade accounting partner, and lower their cost base, as they no longer need to purchase other international routes via their previous cascade accounting partner. However, this simply made ISRF easier.

The telecoms market is more cost driven today than it has ever been. Operators strive to maintain LCR (least cost routing) with the minimum of manpower, and international destinations outside their main business area are commonly terminated through large traffic aggregators or clearing houses. Interconnection between the aggregators and clearing houses is common practice, since it is in their business interest for a call attempt to complete and convert to revenue. As the financial barriers to connecting to a clearing house are small, interconnection by parties that want to abuse the situation is relatively easy.

Take for example the following scenario:-

The island of High Termination Rate is assigned the country code +997 by the ITU and files a numbering plan. The island's Telecommunication Regulatory Authority (HTRRA) announces the following:
(HTRRA numbering plan table not reproduced here)


The national operator of the island, HTRT, is a respectable and ethical company that interconnects to a large traffic aggregator and a clearing house, not only to gain access to a full international A-Z for terminating traffic but also to ease interconnection with other international carriers, so that the island's residents are globally reachable. Its rate is advertised at £1.00 per minute.

To this point everything is legitimate. However, there is nothing stopping an opportunistic man in the middle (the ISRF reseller) from also interconnecting to the aggregator and clearing house and advertising a rate of £0.98 per minute, either supporting the full list of breakouts or “specialising” in certain areas such as HTR Mobile +99780.


In the background the ISRF reseller has been busy harvesting numbers, upsetting the observed statistics (reduced ASRs, answer-seizure ratios, and so on) and tying up network capacity in order to build a picture of how the ITU allocation is actually used. Once this understanding has been obtained, numbers can be tested and resold to customers.

Some of those customers may wish to offer chat services or the like whilst avoiding any national regulation, and of course this then opens the door to parties that wish to generate fraudulent traffic. To expand further: after number harvesting it is discovered that anything starting +99780752 can NOT be completed via the legitimate route offered by HTRT. It is a range that falls within the allocation but, perhaps for lack of demand, has not been opened yet.

Any traffic generated to this range will fail on the HTRT route, if in fact it even attempts the HTRT route first, given that the ISRF route is marketed at a lower rate. Once the call has failed, the aggregator/clearing house would normally route-advance it to the next available route, where the ISRF reseller is happy to complete it. Legitimate traffic that the ISRF route receives is simply terminated onward to another carrier; whilst this incurs a loss, with restrictive routing and capacity the impact is minimal, and it lends the ISRF route's service offering the appearance of legitimacy.
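To make the routing mechanics concrete, here is an added example, written for this page and not code from aql or the original post, that simulates least cost routing with route advance across the two routes in the scenario and then runs the test-call check an aggregator can use to spot a short-stopped range. The carrier names, the 99780 prefixes, the £1.00/£0.98 rates and the choice of which sub-ranges are "opened" are constructed around the post's hypothetical +997 island; none of it is real numbering data.

```python
"""Least-cost routing with route advance, plus the test-call check an
aggregator can use to spot a short-stopped range.  This is an added
illustration for this page, not code from aql or the original post.
Carrier names, prefixes, rates and which sub-ranges are 'opened' are
constructed to mirror the +997 scenario above (+997 is the post's own
hypothetical country code)."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Route:
    carrier: str
    prefix: str                       # dialling prefix the route is advertised for
    rate: float                       # advertised price per minute
    opened: set = field(default_factory=set)  # sub-ranges that genuinely answer
    answers_everything: bool = False  # ISRF reseller: "completes" any number in prefix

    def completes(self, number: str) -> bool:
        """Would a call to this number be answered on this route?"""
        if self.answers_everything:
            return True
        return any(number.startswith(p) for p in self.opened)


def lcr_order(number, routes):
    """Classic LCR: longest matching prefix first, then cheapest rate."""
    matching = [r for r in routes if number.startswith(r.prefix)]
    return sorted(matching, key=lambda r: (-len(r.prefix), r.rate))


def route_call(number, routes, stats):
    """Try routes in LCR order, route-advancing to the next one on failure.
    Returns the carrier that completed the call, or None if every route failed."""
    for r in lcr_order(number, routes):
        stats[r.carrier]["attempts"] += 1
        if r.completes(number):
            stats[r.carrier]["answered"] += 1
            return r.carrier
    return None


def asr(stats, carrier):
    """Answer-seizure ratio (answered / attempted) for one carrier."""
    s = stats[carrier]
    return s["answered"] / s["attempts"] if s["attempts"] else 0.0


def probe_short_stop(sub_ranges, routes, national):
    """Send a test call per sub-range down the number-holding operator's own
    route.  A range that fails there but completes on a cheaper third-party
    route is almost certainly short-stopped: it never reaches the country."""
    nat = next(r for r in routes if r.carrier == national)
    flagged = []
    for p in sub_ranges:
        probe = p.ljust(12, "0")          # pad to a full-length test number
        if nat.completes(probe):
            continue
        cheaper = [r.carrier for r in routes
                   if r is not nat and r.rate < nat.rate and r.completes(probe)]
        if cheaper:
            flagged.append((p, cheaper))
    return flagged


def new_stats():
    return defaultdict(lambda: {"attempts": 0, "answered": 0})


def run_scenario():
    """Replay the post's scenario.  Returns (before, after, stats_before,
    stats_after, flagged); before/after map each dialled number to the
    carrier that completed it."""
    htrt = Route("HTRT", "99780", 1.00, opened={"99780710", "99780730"})
    isrf = Route("ISRF-reseller", "99780", 0.98, answers_everything=True)
    calls = ["997807101234", "997807301234",   # opened ranges
             "997807521234", "997807529999"]   # +99780752: allocated, not opened

    # Phase 1: only the legitimate route exists.  Calls into the unopened
    # range fail, which is what drags HTRT's observed ASR down.
    stats_before = new_stats()
    before = {n: route_call(n, [htrt], stats_before) for n in calls}

    # Phase 2: the reseller advertises 0.98 under the same prefix, wins LCR
    # for the whole block and "completes" the unopened range itself.  The
    # legitimate calls it wins are simply terminated onward to another carrier.
    stats_after = new_stats()
    after = {n: route_call(n, [htrt, isrf], stats_after) for n in calls}

    flagged = probe_short_stop(["99780710", "99780730", "99780752"],
                               [htrt, isrf], national="HTRT")
    return before, after, stats_before, stats_after, flagged


if __name__ == "__main__":
    before, after, s1, s2, flagged = run_scenario()
    print("before reseller:", before, "HTRT ASR", asr(s1, "HTRT"))
    print("after reseller: ", after, "HTRT attempts", s2["HTRT"]["attempts"])
    print("short-stopped ranges:", flagged)
```

The probe is the practical check: an aggregator or clearing house that periodically test-calls each sub-range down the number-holding operator's own route, and compares the result with what the cheaper route claims to complete, gets a list of ranges that are being short-stopped rather than terminated in-country. The ASR figures show the other symptom: before the reseller appears, the unopened range halves HTRT's answer ratio; once the reseller undercuts by two pence, HTRT is not attempted at all.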


Martin John is the General Manager of aql wholesale. aql, established in 1998, is a wholesale integrated telecommunications operator regulated by Ofcom. It provides services to many of the FTSE 100 and is one of the UK’s largest IP telephony fixed-line operators, recognised as a significant market force in fixed and mobile services by the UK regulator.

Check out our other VoIP fraud posts here. Below are links to other fraud related posts this week:

PABX fraud by Manuel Basilavecchia here
IRSF Fraud by Colin Yates here
CLI Spoofing detection by Matt Anthony here

Categories
Bad Stuff Business scams security voip

Caller ID Is Broken – How Can We Fix It?

CLI spoofing doesn’t have to be as big a problem as it is.

In the third of this week’s posts on VoIP fraud guest editor David Cargill has Matt Anthony, Vice President of Marketing at Pindrop Security as a contributor.

There was once a time when people trusted the number that showed up on their Caller ID. Phone companies charged extra for the service. Even banks allowed you to activate your credit card just by calling from a registered phone number. Today, that is no longer the case.

Caller ID (CLI) and Automatic Number Identification (ANI) were originally designed as systems to be used internally by the phone companies. As such, they didn’t need any real security. As they emerged as consumer facing tools, they never developed the security features that we expect today.

The result is that spoofing Caller ID data, or ANIs, is very easy. A quick Google search turns up pages of articles on how to spoof a number. App stores are full of easy to use apps that enable spoofing. One smartphone app, Caller ID Faker, has over 1,000,000 downloads.


Adding to the problem is the fact that, in general, Calling Line Identification (CLI) spoofing is completely legal. Though it is always illegal to use CLI spoofing for fraud or threatening messages, it is perfectly legal to spoof a number as a friendly prank or as a helpful business practice (think of doctors on call who don’t want to give out their cell phone numbers). While it might be fun to spoof a CLI in a prank call to your friend, too often fraudsters are the ones disguising their numbers to hide their criminal activity.

Pindrop Security tracks phone fraud activity and trends. We have found that CLI and ANI spoofing is the most common technique used by phone fraudsters. In addition, more than half of the caller ID spoofing attacks cross international boundaries, meaning they are almost impossible to track down and prosecute.

Consider the case of one attacker, known to Pindrop researchers as “Fritz.” This fraudster is likely based in Europe and works alone. Fritz is in the business of account takeover. He calls financial institution call centres, impersonating legitimate customers by spoofing ANIs, and socially engineers the bank into transferring money out of an account. In one four month period, we found that Fritz had targeted 15 accounts. We estimate that he has netted more than £650,000 a year for at least several years.

While there is no technology that can prevent CLI spoofing, it is possible to detect these calls. The key is to detect anomalies between the information being sent over the Caller ID and the actual audio characteristics of a call using phoneprinting™, created by Pindrop Security.

Phoneprinting technology analyses the audio content of a phone call, measuring 147 characteristics of the audio signal in order to form a unique fingerprint for the call. Phoneprinting can identify the region the call originated from and determine if the call was from a landline, cell phone or specific VoIP provider. These pieces of information provide an unprecedented level of insight into caller behavior.

So, if a Caller ID says a call is coming from London, but the phoneprint of the call shows that the individual is calling from 1,000 miles away, it should be a red flag for anyone running a call centre that the caller has malicious intent.


One recent fraud attempt thwarted by Pindrop tools happened on a Saturday night, a time when most call centre employees are not at their most vigilant. The caller asked to transfer £63,900 from one bank to another. The Caller ID matched the phone number associated with the account, and the caller knew all the answers to the identity questions the agent asked. However, while the Caller ID said the call was coming from San Francisco, Pindrop detected that the call was actually coming from a Skype phone in Nigeria. As a result, the wire transfer was put on hold, and the bank was able to verify with the account holder that the request was fraudulent.
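The rule the post describes, comparing what the CLI asserts with what is observed about the call, can be expressed as a small scoring function. The following is an added example for this page, not Pindrop's phoneprinting, which is proprietary and derives its signals from audio analysis; here the observed country, region and line type are assumed to come from some such analysis and are supplied by hand. The prefix table, weights, threshold and sample calls are all constructed, and the numbers use fictitious ranges. The first sample call reproduces the Saturday-night case above.

```python
"""Score a call by comparing what its CLI claims with what is observed
about the call itself.  Added example for this page; it is not Pindrop's
phoneprinting, which is proprietary and works from audio features.  Here
the 'observed_*' fields are assumed to be the output of some such
analysis and are supplied by hand.  The prefix table, weights and sample
calls are constructed; the numbers use fictitious ranges."""

# Constructed E.164 lookup: longest matching dialling prefix wins.
PREFIX_TABLE = {
    "1415": ("US", "San Francisco"),
    "1212": ("US", "New York"),
    "1":    ("US", None),
    "4420": ("GB", "London"),
    "44":   ("GB", None),
    "234":  ("NG", None),
}

# Constructed weights: a country mismatch alone is enough to hold the call.
WEIGHTS = {"unknown_cli": 20, "country_mismatch": 60,
           "region_mismatch": 15, "voip_on_fixed_number": 25}
HOLD_THRESHOLD = 50


def claimed_origin(cli):
    """(country, region) the CLI asserts, by longest prefix match."""
    digits = cli.lstrip("+")
    for n in range(len(digits), 0, -1):
        hit = PREFIX_TABLE.get(digits[:n])
        if hit:
            return hit
    return (None, None)


def score_call(call):
    """Return (score, reasons).  A CLI that matches the number on file is
    deliberately worth nothing: the CLI is attacker-controlled, so agreement
    is not evidence; only disagreement with observed signals is."""
    country, region = claimed_origin(call["cli"])
    score, reasons = 0, []
    if country is None:
        score += WEIGHTS["unknown_cli"]
        reasons.append("CLI prefix not in numbering table")
    elif call["observed_country"] != country:
        score += WEIGHTS["country_mismatch"]
        reasons.append(f"CLI claims {country}, call observed from {call['observed_country']}")
    elif region and call.get("observed_region") and call["observed_region"] != region:
        score += WEIGHTS["region_mismatch"]
        reasons.append(f"CLI claims {region}, call observed from {call['observed_region']}")
    if call["observed_line_type"] == "voip" and call.get("line_type_on_file") in ("landline", "mobile"):
        score += WEIGHTS["voip_on_fixed_number"]
        reasons.append(f"VoIP origin but number on file is a {call['line_type_on_file']}")
    return score, reasons


def triage(calls):
    """Map each call id to (decision, score, reasons)."""
    out = {}
    for c in calls:
        score, reasons = score_call(c)
        out[c["id"]] = ("hold" if score >= HOLD_THRESHOLD else "allow", score, reasons)
    return out


# Constructed sample calls.  The first mirrors the case above: the CLI is
# the customer's San Francisco landline, but the call itself is a VoIP call
# observed from Nigeria.  The third is a genuine customer on a different
# line than the one on file, which scores low and is allowed.
SAMPLE_CALLS = [
    {"id": "sat-night-wire", "cli": "+14155550100",
     "line_type_on_file": "landline", "observed_country": "NG",
     "observed_line_type": "voip"},
    {"id": "genuine-london", "cli": "+442079460123",
     "line_type_on_file": "landline", "observed_country": "GB",
     "observed_region": "London", "observed_line_type": "landline"},
    {"id": "travelling-mobile", "cli": "+442079460124",
     "line_type_on_file": "landline", "observed_country": "GB",
     "observed_region": "Manchester", "observed_line_type": "mobile"},
]

if __name__ == "__main__":
    for cid, (decision, score, reasons) in triage(SAMPLE_CALLS).items():
        print(cid, decision, score, reasons)
```

The important design point is the one the Saturday-night case makes: the CLI matching the number on the account contributes nothing to the score, because that is exactly the field the attacker chooses. Only evidence the caller does not control (where the call is observed to come from, and what kind of line it is) moves the decision.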

Pindrop phoneprinting solutions are already protecting calls to top banks, financial institutions, and retailers. The Pindrop platform is a comprehensive solution designed to protect the entire call system: inbound, outbound, live, recorded and in the IVR, customer-facing and employee-facing interactions. Pindrop uses the information from the phoneprint to create a highly accurate and highly actionable risk score for each call, which has allowed it to catch more than 80 percent of fraud calls within 30 seconds after the call has been initiated.

Historically, the phone channel has been over-trusted and under-protected, making it a major target for fraudster exploitation. Today, technology is available to detect spoofing and stop phone fraud.

Matt Anthony, Vice President of Marketing

www.pindropsecurity.com

Matt Anthony is the Vice President of Marketing at Pindrop Security. With over twenty years of experience in the technology industry, Matt is a frequent speaker at technical conferences. Prior to joining Pindrop, Matt served as Director of Marketing at Dell SecureWorks. Matt has also held marketing roles at CipherTrust, Monorail, and Dell Computer. He is a graduate of the University of Texas at Austin.

Check out our other VoIP fraud posts here. Below are links to other fraud related posts this week:

PABX fraud by Manuel Basilavecchia here
IRSF Fraud by Colin Yates here

Categories
Business scams security voip

Telecom Fraud – Investment in Prevention and Detection initiatives not always available.

IRSF: International Revenue Share Fraud

This week we have David Cargill as guest editor. David runs the Operations Working Group at the Internet Telephony Service Providers’ Association (ITSPA) and takes a special interest in VoIP fraud. David has invited a number of experts to contribute guest posts on fraud-related subjects. This ties in with the ITSPA/trefor.net Workshop on Wednesday, which has VoIP fraud and WebRTC as its main themes. This, his second choice of post, discusses IRSF and is written by Colin Yates, Managing Director of Yates Fraud Consulting Limited:

The telecommunications industry has a huge gap between those operators who manage fraud effectively and those who do not. Those who are effective fraud managers, whether they are a Tier 1, 2 or 3 operator, are generally those who have matured over the years with a strong mandate and support from their Executive to do the job, while being provided with the necessary budget, resources and tools to do it well. Some senior management unfortunately view fraud losses simply as a cost of business, and allocate very little budget and resource to it. In these cases fraud losses are generally not measured or reported, so will remain unknown and not reflected in quarterly, half yearly or annual financial reporting.

There are some CSPs who have enjoyed reputations within the industry as leaders in the management of fraud, but over time these reputations have diminished and their fraud losses have increased. Some of this could be blamed on a change of senior leadership who failed to appreciate the importance of effective fraud management. It could also be the result of a fraud manager who failed to continually make clear to the organisation how much value they were adding to the business by effectively managing fraud. An effective fraud manager will take whatever steps are necessary to ensure that the papers for every Board meeting include his quarterly fraud report, clearly identifying the fraud recoveries and averted losses achieved since the last meeting.

Fraud within telecom operators is generally measured as a percentage of total revenue and, depending on which organisation is providing the figures, is estimated at anywhere between 1% and 5% of total revenue. In my experience an operator with a mature fraud team, the necessary fraud detection/prevention tools and the support of its management team is likely to keep its fraud losses under 0.50%. Take a tier 2 operator with total revenues of US$1.5 billion: if the effectiveness of the fraud team were allowed to deteriorate to the point where fraud losses increased by a further 0.25% of total revenue, that would add another US$3.75 million to the annual fraud losses. To recover this revenue by adding new customers would require upwards of 10,000 new customers, assuming an average ARPU of around US$370 per year. Would it not make better business sense to continue to support the fraud management function with resources and tools, at a cost of probably 10% of the additional fraud losses suffered?

Subscription fraud is without a doubt the biggest contributor to fraud losses across the industry. While most operators would agree that their aggregated subscription fraud loss far exceeds those suffered by any other fraud type, the drive to attract and connect new customers can make it difficult to manage. Most sales channels will require that a potential customer who meets basic identity verification checks will be provided service during that one visit to a physical or on-line store. Without investment in real time subscription fraud detection tools, this type of fraud is always going to be difficult to manage. Some of these tools are no longer expensive and can allow a CSP to take more risk when providing service to new customers.

International Revenue Share Fraud (IRSF)[1] has to be regarded as the one fraud type that the industry has failed to manage effectively, primarily, again, because of a lack of investment by some in the tools and resources needed to prevent an attack, or to detect it early and minimise losses. IRSF fraudsters can attack a business using many enablers, for example subscription fraud, roaming fraud, PBX hacking, mobile malware, Wangiri fraud and others. Some CSPs use tools, either developed in-house or obtained from an FMS provider, and do manage their IRSF risk effectively, but many others simply operate in the belief that this fraud will never impact them, so they make no investment in a defensive strategy and simply take the risk. This decision is typically not taken by those accountable for managing fraud but by those a level or two above who control the budgets. In most cases this decision maker will have no idea what the actual risk is, and the impact of not implementing these controls may result in losses way above his delegated financial authority. It is still not unusual to hear of IRSF losses of over US$500,000 in a 2 or 3 day period. An investment of under US$30,000 could have avoided most of these losses.

It is well documented now that around 85 to 90% of all IRSF incidents occur between Friday evening and Monday morning, when many CSPs' fraud monitoring staff are not in the office. Unfortunately even some of those who have invested in monitoring tools continue to ‘take the risk’ over weekends, and do not take that monitoring a step further by enabling some automation, or by diverting the outputs of their monitoring systems to a 24x7 activity within their business. In a roaming situation, NRTRDE (Near Real Time Roaming Data Exchange) records of high roaming usage are delivered within 4 hours of a roaming call completing, and this includes the period right through the weekend. Having invested in implementing this fraud control, it is hard to understand why no-one would be looking at these records in real time to identify fraud, or have some automated process set up to act on an obvious fraud indicator.

Without effective monitoring tools, some operators simply block what they consider high-risk destinations, assuming that this will reduce their risk of falling victim to IRSF. We currently monitor the destinations and numbers used for IRSF: the countries advertised by IPRN providers number 221, and the test numbers we have recorded into these countries number over 100,000. The top 10 high-risk destinations very seldom change and are as indicated in the graph below. These 10 destinations account for 50% of the IPRNs being advertised, but any of the International Revenue Share numbers advertised in the remaining 211 countries could result in significant fraud losses.

Graph: sources of telecom fraud by country (top 10 IRSF destinations)

Fortunately there are more and more operators who have identified the value of 24 x 7 fraud monitoring, and have managed to make the argument for resources and tools to allow this compelling enough to obtain sufficient budget to implement this strategy.

Unfortunately this has not resulted in a reduction of the overall IRSF problem. It has simply driven the fraudsters to look for easier targets, which are currently smaller MNOs and, more recently, MVNOs. Fraudsters have come to realise that many MVNOs do not have fraud management expertise in-house, or access to the information and the networking industry forums that most MNOs have available to them.

Prevention and Detection are the fundamentals of Fraud Management, which is particularly relevant for the telecommunications industry. The costs of pursuing a fraud strategy based on implementing the resources and tools required to monitor network usage are insignificant when compared to the likely losses you will suffer if you simply rely on luck. Anyone with any doubt in this area should arrange for an independent contractor to come in to their business and conduct a fraud risk review so that the full extent of the risks can be identified. A simple example of an MNO with an effective fraud monitoring process in place identifying and stopping an IRSF attack within 30 minutes, compared to an MVNO with no fraud process, allowing an IRSF attack to continue for 48 hours before detection, is demonstrated in the diagram below.

Diagram: IRSF losses with effective telecom fraud monitoring (attack stopped in 30 minutes) versus none (attack runs for 48 hours)

IRSF has now been around for at least 10 years in some form or another. Some CSP’s have lost significant amounts of money to it, and some fraudsters have generated small fortunes in fraudulent income from it. Many customers have been impacted through bill shock after their handset has been stolen or their PBX hacked, and many small countries have suffered social and economic impact as a result of their number ranges being hijacked by these fraudsters.

The argument for effective prevention and detection initiatives is compelling, but this does require some support and investment by an MNO or MVNO’s senior management team. After around 10 years of suffering from this fraud, it should be apparent that the various industry groups who have been searching for solutions are unlikely to come up with anything positive in the next year or two, so it really is up to the individual operators to take action to protect themselves.

[1] IRSF involves fraudsters calling international numbers that attract a high termination rate, from a stolen or fraudulently obtained connection, with the intention of inflating traffic into those numbers and being paid a per-minute fee by the number provider for each call made. Payment for these calls will eventually be demanded from the originating network, which will have no hope of recovering these costs.

Colin Yates is a telecommunications professional with over twenty-five years’ experience, specifically in the areas of fraud, investigations, revenue assurance and threat management. Colin specialises in telecoms fraud (internal and external) and investigations. He also has considerable experience with personnel and physical security, law enforcement agency liaison, intelligence management, regulatory compliance, revenue assurance and policy development.

Check out his website at www.yatesfraudconsulting.com. Also check out our other VoIP fraud posts here.

Read yesterday’s post on PABX fraud by Manuel Basilavecchia here

Categories
Business security voip

PABX fraud is on the up – by Manuel Basilavecchia of Netaxis

PABX fraud growth

This week we have David Cargill as guest editor. David runs the Operations Working Group at the Internet Telephony Service Providers’ Association (ITSPA) and takes a special interest in VoIP fraud. David has invited a number of experts to contribute guest posts on fraud-related subjects. This ties in with the ITSPA/trefor.net Workshop on Wednesday, which has VoIP fraud and WebRTC as its main themes. This, his first choice of post, discusses the growth of PABX fraud and is written by Manuel Basilavecchia, Co-owner and Sales and Marketing Director of NetAxis Solutions.

It is commonly estimated that losses due to fraud represent 0.5% to 5% of telecommunications operators' revenue.

Even though these fraud scenarios have been well known for years, many of them are still impacting the telecom industry. And it is not only telecom providers that are affected: retail and corporate customers suffer from telecom fraud as well.

In this article, we’ll focus on a specific kind of PABX fraud (and all mechanisms related) which is PABX hacking.

To make a fraud possible and generate money, a fraudster needs two things: traffic (generation) and a termination (cash collection).

In order to generate the traffic, the fraudster will hijack a PABX, or pay a third party to perform the hijacking; in that case we are talking about the IRSF fraud type (International Revenue Share Fraud). Once access to the PABX has been obtained, it is used as a resource to generate calls to high-cost destinations. As the fraudster owns the numbers targeted by the fraud, a money flow is established and the fraudster can retrieve the money.

At first glance, the mechanism is not that complex, but the thing is that it has worked for years and is still working nowadays.

Let’s try to figure out why.

In most cases, hijacking the PABX is not that difficult. Very often the default password has not been changed by the administrator, or where it has been changed a very basic password is used, which is easy for a fraudster to guess. Alongside this, these systems are regularly subject to vulnerabilities that can be exploited by a fairly basic attacker.
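As an added example for this page, not code from Netaxis or the original post, here is a small audit of an Asterisk-style sip.conf for the weaknesses the paragraph lists. The post names no particular PABX; Asterisk is assumed here because its configuration is plain text and its chan_sip options (secret, allowguest, alwaysauthreject, deny, permit) map directly onto the points above. Both the weak and the hardened configs are constructed, and the secret-strength policy is an assumption, not an Asterisk rule.

```python
"""Audit an Asterisk-style sip.conf for the PABX weaknesses described
above: default or guessable secrets, anonymous (guest) calls allowed, no
alwaysauthreject, and extensions registerable from any IP address.  Added
example for this page; the post names no particular PABX, Asterisk is
assumed here because its configuration is plain text, and both configs
below are constructed."""
import configparser

# Constructed policy: secrets seen on shipped or never-changed systems.
COMMON_DEFAULT_SECRETS = {"1234", "0000", "password", "secret", "admin", "asterisk"}
MIN_SECRET_LENGTH = 12


def weak_secret(extension, secret):
    """Default, equal to the extension number, all digits, or just short."""
    s = (secret or "").strip()
    return (not s or s.lower() in COMMON_DEFAULT_SECRETS or s == extension
            or s.isdigit() or len(s) < MIN_SECRET_LENGTH)


def parse_sip_conf(text):
    # Asterisk allows repeated keys (e.g. several allow= lines) and ';' comments,
    # so parse non-strictly and disable '%' interpolation.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    return cp


def audit(text):
    """Return a list of (section, finding); an empty list means clean."""
    cp = parse_sip_conf(text)
    findings = []
    general = cp["general"] if cp.has_section("general") else {}
    if general.get("allowguest", "yes").lower() == "yes":
        findings.append(("general", "allowguest not set to no: unauthenticated calls are accepted"))
    if general.get("alwaysauthreject", "no").lower() != "yes":
        findings.append(("general", "alwaysauthreject not yes: responses reveal which extensions exist"))
    for name in cp.sections():
        if name == "general":
            continue
        peer = cp[name]
        if weak_secret(name, peer.get("secret")):
            findings.append((name, "weak or default secret"))
        if not (peer.get("deny") and peer.get("permit")):
            findings.append((name, "no deny/permit: reachable from any IP address"))
    return findings


# Constructed: the shape of a PABX left as installed.
WEAK_SIP_CONF = """
[general]
context=default
; allowguest and alwaysauthreject left at their defaults

[1001]
type=friend
host=dynamic
secret=1001
context=internal

[1002]
type=friend
host=dynamic
secret=password
context=internal
"""

# Constructed: the same two settings groups after hardening.
HARDENED_SIP_CONF = """
[general]
context=public-unauthenticated
allowguest=no
alwaysauthreject=yes

[1001]
type=friend
host=dynamic
secret=Kq7!vR2#pL9wZt4m
context=internal
deny=0.0.0.0/0.0.0.0
permit=192.168.10.0/255.255.255.0
"""

if __name__ == "__main__":
    for section, finding in audit(WEAK_SIP_CONF):
        print(f"[{section}] {finding}")
    print("hardened config findings:", audit(HARDENED_SIP_CONF))
```

Run against a real sip.conf this gives an operator something concrete to put in the "information campaign" the post's conclusion asks for: a list of extensions with the extension number as their password, and a general section that still accepts anonymous calls.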

In most cases the attack is made outside business hours, including weekends, on the assumption that PABX activity is not monitored during these intervals.

In this way the customer is not even aware that he has been the victim of an attack.

This lack of monitoring during some times of the day/week has the consequence that very often the fraud is discovered only when the customer receives his telecom supplier’s invoice.

There is also an aggravating factor: the payment terms. The billing period between a retail customer and its telecom provider is usually monthly, while premium rate numbers are paid out weekly. The consequence is that by the time the fraud is discovered the fraudster already has the money, and it is very difficult to get it back (or to withhold payment).

This has a negative effect on the relationship between the retail or corporate customer and the telecom provider. And as the fraud involves international destinations, international carriers are part of the scheme too.

Having several players in the scenario makes it quite complex and difficult to find a fair solution for all the parties, and someone has to absorb the loss generated by the fraud. Let’s consider a practical case that illustrates all of these considerations:

A fraudster buys some premium rate numbers in a foreign country, chosen for the high cost per minute associated with them. As a second step, he asks and pays (revenue share) somebody to generate traffic artificially towards those numbers.

Once the attacker gets access to the PABX, he generates as much traffic as possible in the shortest time (at night or over the weekend).

The fraudster receives payment for the premium rate number 7 days later.

Assuming that nobody notices this traffic increase on the customer side (or on the operator side), the traffic becomes visible only when the customer receives his telecom invoice, usually one month later.

Quite clearly it is too late to react and very difficult to avoid a loss. The usual flow for international traffic is as follows. Traffic starts at a retail customer and is sent to his telecom operator. As it is international, the telecom operator will use one or several international wholesalers to terminate it, and those wholesalers may in turn use different suppliers of their own. The number of intermediaries and the misalignment of payment terms make it complex to withhold payment, and very often one party will have to suffer a loss: in most cases the retail customer or his telecom supplier.

In the case of fraud, the size of the operator can put it in a very difficult situation. There have been cases where the operator is forced to choose between losing the customer and absorbing the loss generated by the fraud. If the telecom supplier is not financially robust, this can have a very big impact on its business.

As a conclusion, to avoid the risks linked to this type of fraud it is important to:

  • Take all appropriate measures to secure the customer’s PABX. This is often difficult due to the diversity of the installed base or a lack of expertise on the customer side, so a good information campaign needs to be set up.
  • Deploy a Fraud Management System (FMS) that, in near real time, looks at each customer’s traffic patterns in order to detect abnormal activity in terms of volume or destination.

Of course, the FMS needs to be operated by people with skills in fraud detection, or better still by expert consultants, not only to detect fraud but also to avoid false positives and not block legitimate traffic (and revenue).

Additionally, this gives the operator the capability to mitigate its financial exposure by reacting quickly to fraud cases (reducing the impact) and by providing evidence to open claims with the authorities and upstream providers (recovering losses).
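Both this post's call for an FMS that watches customer traffic in near real time and Colin Yates's point in the previous post about weekend IRSF attacks and unread NRTRDE feeds come down to the same loop: read usage records as they arrive, keep a per-customer sliding window of minutes to high-risk destinations, and alert the moment a threshold is crossed, with a tighter threshold out of hours. The following is an added example for this page, not any vendor's FMS; the CDR format, the high-risk prefixes and rates, the thresholds and the records themselves are all constructed (the 997 prefix reuses the hypothetical country code from the ISRF post on this page).

```python
"""Near-real-time CDR monitoring of the kind both posts argue for: flag a
customer whose minutes to high-risk destinations in a sliding window exceed
a threshold, with a tighter threshold out of hours and at weekends, when
most IRSF and PABX attacks run.  Added example for this page, not any
vendor's FMS.  The CDRs, destination prefixes, rates and thresholds are
constructed.  Records are processed in arrival order, so the same loop
works over a live feed or over 4-hourly NRTRDE-style batches."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed: high-risk destination prefix -> cost per minute charged to us.
HIGH_RISK_PREFIXES = {"997": 1.00, "252": 0.90}
WINDOW = timedelta(minutes=30)
# Minutes to high-risk destinations tolerated per customer per window.
THRESHOLD_MINUTES = {"business_hours": 60.0, "out_of_hours": 15.0}


def is_out_of_hours(ts):
    """Weekends, or weekdays outside 08:00-18:00."""
    return ts.weekday() >= 5 or not 8 <= ts.hour < 18


def destination_rate(number):
    for prefix, rate in HIGH_RISK_PREFIXES.items():
        if number.startswith(prefix):
            return rate
    return None


def parse_cdr(line):
    """CDR format assumed here: ISO timestamp,customer,called number,seconds."""
    ts, customer, called, seconds = line.strip().split(",")
    return datetime.fromisoformat(ts), customer, called, int(seconds)


def monitor(cdr_lines):
    """Returns (alerts, cost): one alert per customer, raised the moment the
    window threshold is crossed, and the total high-risk cost each customer
    had run up by the end of the feed.  cost_at_alert versus the final cost
    is the exposure that early detection (and a block) would have saved."""
    windows = defaultdict(deque)       # customer -> deque of (ts, minutes)
    cost = defaultdict(float)
    alerted, alerts = set(), []
    for line in cdr_lines:
        ts, customer, called, seconds = parse_cdr(line)
        rate = destination_rate(called)
        if rate is None:
            continue                   # not a high-risk destination
        minutes = seconds / 60
        cost[customer] += minutes * rate
        w = windows[customer]
        w.append((ts, minutes))
        while w and ts - w[0][0] > WINDOW:
            w.popleft()                # slide the window forward
        in_window = sum(m for _, m in w)
        limit = THRESHOLD_MINUTES["out_of_hours" if is_out_of_hours(ts)
                                  else "business_hours"]
        if in_window > limit and customer not in alerted:
            alerted.add(customer)
            alerts.append({"time": ts, "customer": customer,
                           "minutes_in_window": in_window,
                           "cost_at_alert": round(cost[customer], 2)})
    return alerts, dict(cost)


# Constructed feed.  'acme': a hijacked PABX dialling the 997 range every two
# minutes from 02:00 on a Saturday (2015-04-25), 3-minute calls, 20 calls.
# 'widgetco': 10 similar calls to a high-risk destination on Monday morning,
# which stays under the business-hours threshold.
SAMPLE_CDRS = (
    [f"2015-04-25T02:{2 * i:02d}:00,acme,997807521234,180" for i in range(20)] +
    [f"2015-04-27T10:{3 * i:02d}:00,widgetco,252612345678,180" for i in range(10)] +
    ["2015-04-27T10:05:00,acme,442079460000,120"]   # ordinary UK call, ignored
)

if __name__ == "__main__":
    alerts, cost = monitor(SAMPLE_CDRS)
    for a in alerts:
        print(a)
    print("final cost per customer:", cost)
```

For the attacked customer the alert fires on the sixth call, ten minutes into the attack, when the window holds 18 minutes against the out-of-hours limit of 15; by the end of the feed the same PABX has run up 60 units of cost. The difference between cost_at_alert and the final cost is the exposure that a 24x7 process acting on the alert (blocking the destination or the trunk) would have avoided. Fed the same records a month later from the invoice run, the loop returns the same alert, just far too late to be useful, which is the whole argument for near-real-time processing.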

Manuel Basilavecchia is Co-owner and Sales and Marketing Director of Belgium-based NetAxis Solutions. Manuel Basilavecchia brings over 17 years of business strategy, innovation and technology experience to his role as co-founder. As Director of Sales and Marketing, Manuel is focused on developing NetAxis Solutions' business by bringing advanced carrier-grade communications services to Service Providers and Corporations and by providing high-technology products to the industry. Manuel holds a Master's in Electrical Engineering – Electronics and Physics, a Master's in Medical Physics and Bioengineering, and an MBA in management.

Loads of posts on PBX fraud here. Also come back for a different VoIP fraud post each day this week.

Categories
Business security webrtc

ITSPA Spring Workshop in association with trefor.net

It’s that time of year again – the ITSPA Spring Workshop in association with trefor.net

Another hand-picked, packed programme with something to suit all:) This ITSPA Spring Workshop is going to cover two hot topics: WebRTC and VoIP fraud. We have an exciting competition announcement and a real live VoIP hacking demo to look forward to.

ITSPA Spring Workshop

Date: 29th April 2015
Time: 2.30pm – 5.00pm
Location: Charles Russell Speechlys, 6 New Street Square, London EC4A 3LX

Session 1: WebRTC

i) Announcement of the Genband Hackathon Competition in association with trefor.net
ii) WebRTC Panel session: 2 years on from our last session on WebRTC – where is the money?

Panellists:
Stuart Goble – Genband
Matthew Hodgson – Matrix
Rob Pickering – IP Cortex
Peter Dunkley – Acision

Session 2: Fraud Part 2: Keeping your business safe and how best to report telecoms fraud

i) International Revenue Share Fraud: How, why and what we can do to stop it
ii) Real-time PBX Hacking Demo
iii) Reporting Fraud to Action Fraud

Post workshop drinks, sponsored by Lonap, will take place after the workshop 
Book your tickets now by emailing: [email protected]. Tell em you know me:)

As a footnote, ITSPA, or the Internet Telephony Service Providers Association as an organisation have been getting busier and busier. There is an active calendar of events with workshops in the Spring and Autumn, a Summer Forum that is timed to coincide with the AGM, an Awards event plus the Christmas do.

These are all great opportunities to network with the ITSP industry and for companies trying to sell to this community an ideal place to get valuable visibility. ITSPA Workshops can be sponsored to get your brand seen. You should also consider running adverts on this blog during the same weeks as the events as we typically carry more VoIP specific content at these times.

If you want to know more get in touch.

ciao

Tref

Categories
Business security voip voip hardware

IP Phone Security

IP Phone Security ensures IP Telephony is not compromising the business

She’s back again. Guest editor Lesley Hansen discusses what needs to be considered in IP phone security design.

VoIP or IP phone security is a hot topic. Security attacks continue to evolve and attackers find ever more sophisticated ways of attacking systems. VoIP is only an application running on the IP network, and therefore it inherits the security issues of the IP network. This means VoIP security is only as reliable as the underlying network security and if the IP network has security vulnerabilities, these can be exploited once VoIP is implemented.

The goal of every IP network component manufacturer should be to build a product that maintains a high level of security and provides relevant data to the tools that monitor the system for attacks. Once the system is in place, ongoing IP telephony security maintenance is primarily related to the IP PBX or telephony servers: keeping up to date with operating system and third-party service packs to eliminate well-known security holes, implementing critical support patches on servers, updating anti-virus definitions to protect against well-known worms and viruses, and performing daily backups of servers with periodic data recovery tests.

But the IP handset is an important point of access into the IP network. End points such as IP handsets provide a point of vulnerability. A number of standards exist to secure the telephony network, but these are not always supported in the IP handset, and where supported they are not always implemented by the network manager.

Avoiding Denial of Service Attacks

Denial of Service (DoS) attacks can take down telephony. A distributed DoS (DDoS) attack is a concerted, coordinated effort to flood a network with requests. Though the attacked network may not be penetrated, these attacks can “busy” a system, rendering it unusable. To protect against this it is important, while implementing the IP handsets, to ensure that ports are not unnecessarily left open: all unnecessary ports and services should be shut down and unused services deactivated. This is where interoperability partners become key.

For example, PBX manufacturers like 3CX, Vodia Snom ONE and Asterisk PBXs support the Snom security settings from the handset out of the box. This means there are no configuration requirements, so delivering a rapid roll-out while ensuring the system is up and running with full security and minimum disruption or delay. Not all PBX manufacturers and IP handset vendors will be interoperability partners. To ensure a wide number of PBXs can be supported, and to give the business a high degree of choice, handset vendors should work with the TLS and SRTP standards for configuration setup.

TLS and SSL encrypt the data of network connections at the application layer. They use X.509 certificates, and hence asymmetric cryptography, to authenticate the other party with whom they are communicating and to exchange a key. This session key is then used to encrypt data flowing between the parties.

Protect Against Unauthorised Access

When deploying an IP telephony system, IT personnel and voice administrators need to take appropriate measures to prevent threats such as toll fraud. Toll fraud refers to internal or external users using the corporate phone system to place unauthorised toll calls. It can occur with both TDM and IP-based voice systems, and a standard method of protecting against it is the ability to control call types, for example banning mobile or international calls.

This call control is sometimes handled by low cost routing within the PBX, but it can also be done within the IP handset dial plans. A handset with this capability helps to protect against telephone fraud even when the PBX does not have low cost routing.
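The handset-side call control described above, as an added example (not code from the guest editor or any handset vendor): numbers are normalised so that “+44” and “00 44” forms cannot sidestep a rule, classified by UK dialling prefix, and checked against a per-extension policy. It goes a little beyond the text's two examples (mobile and international) by also classing premium-rate and directory-enquiry numbers, and always lets emergency calls through. The prefix table and the extension policy are assumptions for the example.

```python
import re

# Constructed policy: the call classes each extension's dial plan may place.
# Emergency calls are handled separately and are never blocked.
POLICY = {
    "reception": {"internal", "national", "freephone"},
    "sales": {"internal", "national", "freephone", "mobile"},
    "director": {"internal", "national", "freephone", "mobile", "international"},
}


def normalise(dialled: str) -> str:
    """Strip formatting and bring +44 / 0044 numbers back to UK national form,
    so a user cannot sidestep a rule by dialling the same number a different way."""
    digits = re.sub(r"[\s\-().]", "", dialled)
    if digits.startswith("+"):
        digits = "00" + digits[1:]
    if digits.startswith("0044"):
        digits = "0" + digits[4:]
    return digits


def classify(number: str) -> str:
    """Assign a normalised number to a call class. The UK prefix table is assumed
    for the example; a real dial plan would carry the full national numbering plan."""
    if not number.isdigit():
        return "invalid"
    if number in ("999", "112"):
        return "emergency"
    if number.startswith("00"):
        return "international"
    if number.startswith(("0800", "0808")):
        return "freephone"
    if number.startswith(("09", "070", "118")):
        return "premium"         # premium rate, personal numbers, directory enquiries
    if number.startswith("07"):
        return "mobile"
    if number.startswith(("01", "02", "03")):
        return "national"
    if not number.startswith("0"):
        return "internal"        # short code or extension within the PBX
    return "unknown"


def allowed(extension: str, dialled: str, policy=POLICY):
    """Decide in the handset whether the call may proceed; returns (permitted, class).
    Anything the policy does not list is blocked, so unknown classes fail closed."""
    call_class = classify(normalise(dialled))
    if call_class == "emergency":
        return True, call_class
    return call_class in policy.get(extension, set()), call_class


if __name__ == "__main__":
    # Constructed sample dial attempts (0x 7700 900xxx and 202 555 01xx are reserved test ranges).
    for ext, num in [("reception", "020 7946 0000"), ("reception", "+44 7700 900123"),
                     ("sales", "00 1 202 555 0100"), ("director", "+1 202 555 0100"),
                     ("sales", "0906 111 2222"), ("sales", "999")]:
        ok, cls = allowed(ext, num)
        print(f"{ext:10} {num:18} {cls:13} {'allow' if ok else 'BLOCK'}")
```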

Ideally, a well-designed handset will provide security beyond that provided by the firewall. Security at the handset ensures protection from people on the inside network who have physical access to phones and can bypass the firewall, so the handsets provide a higher level of security against phone tapping and unauthorised access. Supporting the 802.1X standard helps avoid fraudulent use of the network and protects against third-party or unauthorised devices. A handset that supports 802.1X, where the PBX also supports the standard, will allow the device to request authentication from the switch; if a device connecting to the switch does not have the credentials, the switch does not allow access.

Encryption Against Eavesdropping

VoIP systems that don’t use encryption make it relatively easy for an intruder to intercept calls. Any protocol analyser can pick up and record the calls without the callers noticing. In a man-in-the-middle attack, an internal user spoofs the IP address of a router or PC to spy on voice traffic, as well as on data entered on the phone keypad during a conversation, such as passwords. After copying the information, the user forwards the voice traffic to the intended destination so that neither the sender nor the recipient knows that the conversation was intercepted. Typical motives include espionage and harassment.

Eavesdropping has become easier because of widely available packet-sniffing tools. The method used to combat this is encryption. Provided that both the handset and the PBX support the standards, encryption ensures that the audio and the signalling traffic are both protected. Products can be configured as security-enabled so that signalling is carried in TLS and audio in SRTP. These encryption standards mean that all communications from the handset to the PBX/server are protected from snooping and tapping.

Greater levels of encryption are available, but at a cost. At the top of the pile, Secusmart in Düsseldorf provides an encryption technology currently used by the German government that can be incorporated into the IP handset; these handsets are forbidden for sale to countries under embargo, and the end users need to be checked and validated before handsets are despatched. At CeBIT a Snom handset with GSMK Cryptophone technology was presented. This provides an internationally accepted secure IP handset solution that sells to organisations such as military, government, pharmaceutical and broadcasting, where the information has such a high value that the increased cost of the handset and call manager with encryption is justified.

Once end points with the required standards are selected, for many organisations attention to detail during set-up and in the use of passwords, a controlled roll-out of the handsets, strictly following instructions when installing the endpoints, and using SRTP or VPN tunnels to increase network security will provide a secure solution without the additional investment in these higher levels of encryption.

Other posts in our IP phone design week:

How to design an ip phone
How to design an ip phone for voice quality
IP phone design for it departments

Check out all our VoIP posts here.

Categories
Bad Stuff End User security spam

Can you confirm your company name is self?

01213540949

Was sat on the terrace around the pool yesterday when the phone rang. It was a Birmingham number – 01213540949. I’m not sure I know anyone in brum and toyed with the idea of not answering. I was after all going to be paying for the international leg.

I clicked on the green bouton (for the pool twas in Marseille) and took the call.

‘Hello sir, can you please confirm your company name is “self”?’ I did a double take. Self??

Oh god. I asked who had sold them my mobile number. It is a new one. Then I realised it must have been EE. The b*&^%$£ds. The girl on the other end of the phone said she worked for some kind of yellow pages organisation. 118 something.

She repeated the question. ‘Can you please confirm your company name is “self”?’ You can imagine the rest of the dialogue. There may be a company somewhere called self. Lots of people work for them, as you often see the name in company receptions’ visitors books.

Unfortunately this is more likely to be incompetence on the part of EE rather than them selling my number. How can personal mobile phone details be given to a directory organisation for inclusion as a business number? The bigger the company the less competent their customer care becomes. This is likely to especially be the case with EE, who are probably still desperately trying to merge Orange and T-Mobile before being merged themselves into BT.

The girl promised not to put my name in the business directory. I’m not sure what advice to offer if you see an incoming call from 01213540949. It’s going to be spam but if you ignore it you might end up in a 118 directory somewhere as a company called self. Or shelf. Or shellfish. Or anything really.

01213540949 – you know it doesn’t make sense.

Lotsa posts on nuisance calls on this blog – check em out here.

Categories
End User social networking spam surveillance & privacy

fling flung over twitter

Fling – adult social network – I’m not supplying a link

Somewhat surprised that Twitter let this ad through. I’ve been pushed a promoted tweet by “fling” three times in the last few days. There’s nothing in the ad to tell you what fling is. Just looks like an odd way to push photos.

It’s only when you click to go to their website and are faced with a wall of nude photos that you realise what it is – an adult social network. For adult read porn. I find this quite distasteful of Twitter. I also find myself in the unusual situation of saying “Facebook would not have allowed that ad” although this is not based on any knowledge of fact.

You can see from the featured image in this post that the ad says “Send your snaps to 50 people around the world at random”. This must surely be something that the Advertising Standards Agency would want to take a look at. It’s something that kids might inadvertently click on. After all it suggests something like Instagram.

Fling must have some money to spend if they’ve pushed the ad to me three times. Unless I’m considered to be of a “certain demographic” which could be a bit worrying. Makes you wonder what data mining is being done by Twitter.

An individual is pretty helpless in this situation. We need the social networks as they have become part and parcel of our everyday lives but seem to have little control over what those networks might do with our data [1]. It feels to me that governments should start taking a much tougher stance with these guys.

Lots of posts on the subject of surveillance and privacy elsewhere on this blog. Check them out in the surveillance and privacy category here.

[1] e.g. class action against Facebook for privacy breach & Facebook admits to tracking non-users

Categories
End User security

Eurostar fails Hotmail fraud detection test

Eurostar email fails Hotmail fraud detection test

I have a hotmail account. I don’t use it much. It gets newsletters from the golf club and the occasional Eurostar communique. It was to check the timing of a forthcoming trip to gay Paree that I came across the Hotmail fraud detection test.

I like the idea of a fraud detection test. I’m sure all the large platforms have it. What I found funny was that a blue chip such as Eurostar might have failed it. You’d think it would have been noticed by their IT department, or at least someone would have brought it to their attention.

I looked at another email from Eurostar – thought a sample of one wasn’t quite enough. The second email didn’t have the fraud message but offered another nuance. It said “Email looking a bit odd? See it online”.

Odd I thought. Email looked fine. Also Hotmail is a cloud service – it’s already online. So I clicked on the link to see it online. Came up with this message.

At this point I gave up. I was getting myself into an infinite loop.

From my sample of two I’d say that the Hotmail fraud detection test is failed by emails confirming financial transactions associated with journey bookings and the infinite loop gets its knickers in a twist on adverts. Clearly these emails originate from different departments with different approaches to confusing customers:).

Personally I’ve never had a problem with Eurostar. The booking system is convenient, seats comfortable and you get a 4G connection whilst in the tunnel under the channel. I may however have to get myself a French SIM whilst in Paree as my EE 4G data roaming charges are a total ripoff. They totally fail the Trefor Davies fraud detection test.

Arrivederci Royaume-Uni, bonjour Paris. Croissants, cafe, biere, steak frites, vin rouge Hotmail fraud detection test:)

Categories
Bad Stuff nuisance calls and messages scams

Overseas call centre scammer

The return of the scam call

Just had a scam call. It’s not often I’m home early enough and they typically ring at tea time. You can immediately tell what sort of call it’s going to be because they use cheapo crap telephone services over the internet.

So I happened to be in a playful mood and thought I’d chat to the lad/ladette. Instead of speaking I sang the words down the line and eventually broke into a very tuneful version of Hello Dolly. At that point the scammer ended the call without having even introduced himself.

No stamina. I might have been interested in signing up for his virus repair services or whatever it was he was using to try and extract cash.

I’d be quite interested in hearing from anyone who knows someone who’s actually fallen for such a scam call. You can change the names etc to protect the innocent/unwary.

Also the most innovative scams. You don’t hear of any new ones. Maybe they think why change a winning recipe? Or maybe they aren’t imaginative enough? Probably a bit of both.

One wonders whether they have an employment category in India (or wherever else these calls originate) called “scam call operative”. It would be near surgeon and secretary on the list. Perhaps “solicitor” is what they put down. Geddit? What proportion of census entries would have scam call operative down as occupation?

Maybe people do NVQs in such profession. It’s bound to help at the job interview. You would also want to be able to quote how much cash you had successfully extracted from people. Bump it up even. I doubt it would be verifiable. It’s the scammer’s equivalent of lying about your salary on a job application, or making up a fake doctorate you’d bought on the internet (not paid for it hopefully – the scammer has pride in his or her capability to do such things).

Anywaysenoughfernow.

Loads of scam call posts here btw.  It’s some of the most visited stuff on this blog.

Categories
End User internet online safety Regs security surveillance & privacy

Julian Huppert MP proposes that the next government implements an online rights framework of principles

Online rights framework will help safeguard privacy

The internet is increasingly key to our daily lives and a crucial part of public policy making with ramifications across all areas. However, too often what we get from politicians is poorly thought through kneejerkery. I’ve seen this myself, on far too many occasions.

Just to pick up a few examples, when we were re-writing the Defamation Bill, there was a proposal being pushed that ISPs should be required to filter out any defamatory content on their network – quite a tall order.

David Cameron has been particularly bad – you may remember his suggestion at the time of the riots that he should be able to turn off social media to avoid panic. It took a lot of work to stop that and make it something that was ‘not even considered’. More recently, he’s been insisting that we should ban any messaging system that cannot be decrypted by GCHQ, completely failing to understand the essential link between encryption and cyber-security.

But this problem strikes the opposition too. There have been some really alarming comments about filtering out legal material online that completely miss the point of what is technically possible or desirable. And of course there are people in each party who do actually get it, although not all of us get to have the necessary influence over our front benches to achieve sensible outcomes.

My party has taken these issues seriously, and there are several things we hope to achieve in this area. One of these is stable, sensible regulation – something that almost shouldn’t need to be said. Brilliant new ideas can easily be killed off if regulation is tweaked unexpectedly, and long term investment will drop off if there is a risk of irrational rule changes. We as politicians should set a framework of principles, which should then be relatively stable. We should call on technical experts for help and have discussions with the community and businesses. We can then set the detailed online rights rules in a rational way. That has to be the best way forward.

I’ve been particularly working to develop a Digital Bill of Rights, setting a basic framework for what people should expect online when it comes to issues like privacy, net neutrality and more. This has become especially important since the Snowden revelations. All of us want security, and all of us want privacy.  How do we try to achieve both of those goals? When should the police or security services be allowed to collect information on us, and for what purposes?

Typically, these issues have been dealt with largely secretively and reluctantly, and with a focus on specific data types. For example, strong controls were introduced on DNA data in the Protection of Freedoms Act, but the Police just sidestepped them when storing biometric information, without even attempting to learn the principles from DNA data.

So those are my two key points – stable and sensible regulation, and a clear principle framework for our online rights. If I’m re-elected I’ll fight for those but it would be great to have more colleagues to help with that.

If you want to help me achieve this vision, please consider helping me out – http://www.backjulian.co.uk has the details.

Julian Huppert is Liberal Democrat MP for Cambridge. He has a scientific background and is one of a very small minority of our MPs who can grasp issues relating to internet technology.

Although one or two more might creep in that pretty much concludes the week’s posts on advice to the next government. Other political week posts on trefor.net are linked to below:

James Firth on why government should stop looking to big corporates for tech innovation
Gus Hosein on Data Protection Reform and Surveillance
The Julian Huppert crowd funding campaign here
Paul Bernal suggests government should hire advisers who know what they are doing
Domhnall Dods on Electronic Communications Code reform
James Blessing Says “No matter who you vote for…
Peter Farmer on Ofcom really isn’t an all powerful deity
Dr Monica Horten on Why the Magna Carta applies to technology policy

See all our regulatory posts here.

Categories
End User piracy

Virgin Media iTunes vouchers

Virgin Media iTunes vouchers on offer to new customers

Virgin Media is making some interesting ground at the moment. It was not so long ago they were in the news for being subjected to more blocking orders re websites promoting copyright infringement. We saw a lot of whingeing on Twitter about this and the traffic to our “how to bypass the Virgin Media filters” post shot up again as it periodically does.

Today the news is about how Sky have been ordered to hand over customer data of people suspected of torrenting movies. Can’t be long before they ask the same of Virgin.

At the same time Virgin have just released an offer of a £50 iTunes voucher for new customers. This is sending out the right signals to end users. Don’t download. Buy.

I’m a Spotify man meself and not an Apple fanboi but that’s a different story.

Categories
Business End User piracy Regs security

Unknown Roku streaming stick on network, Virgin Media, DEAct & Spotify

Roku streaming stick

Interesting one this. A Roku streaming stick has to be plugged into your TV. It’s a bit like a Chromecast but different. One assumes that Joel knows that he hasn’t got a Roku streaming stick plugged into his TV. It must therefore be plugged into somebody else’s TV hanging off Joel’s network.

This does bring up the issue of wifi network security and the fact that other people may be making use of others’ broadband bandwidth. Who hasn’t had a look at their wifi settings when in a strange place to see if there are any open networks there? There often are, at least in public places.

This issue to me is further highlighted by the fact that we are coming up to the next general election. At this time 5 years ago the Digital Economy Act was rushed through just before the election. One of the many points landed on the deaf ears of government by protesting voices at the time was the very fact that it was difficult to prove who was actually doing the downloading/copyright infringement.  The rogue Roku of our introductory Tweet reinforces this. The DEAct has still not properly been enacted.

The issues that rights holders were highlighting in pushing for the Digital Economy Act have of course not gone away. I was talking yesterday to a 21 year old recent graduate about where he got his music from. He said it was all downloaded free of charge from online sources. This was despite the fact that his broadband provider Virgin Media has a block on access to specific sites associated with this activity. He said that none of the people that he knew, i.e. the 18-25 demographic, paid for their music.

The blocking orders imposed by the courts on ISPs are not working. I did ask him about proxies and he was very familiar with the technology and had used them. Many proxies were also blocked by ISPs, but because sites such as Pirate Bay morph very quickly into similar sites and the kids know how to follow them, they never have a problem accessing music.

I asked him what he thought about the fact that if nobody paid for music there would come a time when there would no longer be any record labels. His answer was that bands nowadays seem to make more out of their live shows than they do out of selling music.

Whatever you think about the rights and wrongs of the situation, it is what it is. I have a Spotify Premium account. It’s a great service.  For the 21 year old concerned £10 a month is actually quite a lot of money. Rob, the trefor.net developer, is a little older at 24. Rob has Spotify Premium. Rob also pays £6 a month for Netflix and doesn’t see why at £10 the music service is more expensive. He has a point maybe.

Now I’m not here to defend anyone’s business model, have a go at anyone’s business model or anything else to do with business models, other than to say that business models do change. Clearly the music industry is in the middle of a period of change that they’ve been struggling to come to grips with. Whether this is to do with legacy deals, royalties payable or cost base who knows.

We do hear of bands withdrawing their music from Spotify because the live streaming service doesn’t pay enough for the privilege of carrying their stuff. One wonders what proportion of Spotify’s royalties actually go to the band as opposed to the record label. I took a look at SpotifyArtists but it was either too complicated for my small brain to get around or it just wasn’t obvious.

We ain’t going to solve an industry’s problems in this blog post but I can only say that the efforts and the money spent on fighting online copyright infringement don’t seem to be working, at least based on my own local evidence.

PS I’d never heard of the Roku Streaming Stick before I came across this tweet. I’d get one and do a review except I already have a Chromecast in the port the Roku would use and the kids use it a fair bit.

Categories
Bad Stuff End User online safety security

I blog about nail polish – what’s wrong with your filters?


Web filters block list includes fashion blog

https://twitter.com/SmashleighJayne/status/559720386112552960

https://twitter.com/SmashleighJayne/status/559720218155835394

https://twitter.com/SmashleighJayne/status/559722059660795904

https://twitter.com/SmashleighJayne/status/559722582921207808

The point about this is that the only reason Ashleigh-Jayne found out about this is because she is a TalkTalk customer. TalkTalk’s own web filters block list had her site down as being adult only.

Now maybe parents wouldn’t want little girls (or boys) checking out nail polish and fashionable shoes. The little darlings grow up too quickly these days. However we hope this is just a mistake. Ashleigh-Jayne will almost certainly be able to contact TalkTalk and get her site taken off the black list.

However if she hadn’t been a TalkTalk broadband customer she might never have found out whether her site was on the list. Millions of people might be wrongly denied access to her site. This is a problem with the system. The blacklists are automatically produced by machines that tbh are inherently untrustworthy because they get it wrong too often.

The following link takes you to an Open Rights Group website that can test your own website to see if it is blocked:

http://linkis.com/www.blocked.org.uk/TJZCq

I took a look at trefor.net and the results are in the featured image. The BT and TalkTalk results that are inconclusive don’t necessarily mean they are blocking me but it certainly raises an eyebrow or two.

Haven’t actually looked at Ashleigh-Jayne’s blog but I’m taking her word for it that it’s not pornographic. As far as I’m aware she is a fine upstanding member of the blogging fraternity (sorority?).

As I write I realise that I will soon need a new pair of shoes. I doubt I’ll find them on her site mind you but I should be OK. I don’t think that ja.net has the same filtering policy. I’ll leave you with a little story about dubious websites that perhaps should be blocked from viewing by children (once the parents have opted in to the filter of course).

A year or two ago I gave a talk on VoIP security at a ja.net conference. An engineer came up to me afterwards for a chat and the conversation got round to how ja.net would have coped had they had to implement the Digital Economy Act and monitored its hundreds of thousands of users for their downloading habits.

The guy told me a story of how they had once been alerted to a really high bandwidth usage coming out of one room in a hall of residence. They went on an investigative visit and found that the female occupant of the room had moved in with a pal. The room had been painted purple and now had a pole in the middle of it surrounded by 4 webcams. Four enterprising female undergraduates had been paying for their university education by doing some professional internet pole dancing.

Now will that get me on a web filters block list?

Categories
End User security surveillance & privacy

Pretty graphic reaction to ISP porn blocking

Thought I’d slip this one in – adult content filter eh 😉

adult content filter

I don’t know John Harvey but he seems a fairly forthright kind of guy. From Yorkshire maybe.

It’s not so much that you are telling your ISP anything when you opt out of the adult filter, or whatever it’s called. We doubt that any human intervention is involved in the process. It’s the likelihood that the information that you don’t wish adult sites to be blocked is leaked or hacked. That’s the issue.

If the information isn’t there it can’t be hacked. If this was an opt in that would sort it, aside from the fact that these filters aren’t renowned for their accuracy.

As an aside I assume that this site will henceforth be blocked by these filters. Probably already is. Parents don’t want their kids to know that they go to parties like trefbash or the pissup in a brewery. The blog was once blocked by the Timico firewall as “social media” sites were frowned upon by whoever set the policy in place (not me – I used to spend all my time on social media – I had a different set of permissions:).

The question is would Twitter be blocked. There’s a lot of graphic language on Twitter. I once unfollowed someone because of his non stop use of swear words. Not my kind of thing. Would be interesting to hear from anyone who has adult content filtering in place to see whether Twitter was visible or not.

Looking on the positive side, if you have opted out of the adult content filter, and are therefore “down on the list” you can always say it’s because you wanted to read posts on trefor.net;)

Effin read it first on trefor.net. wtf!

Read this highly popular and relevant post on the consequences of allowing government to monitor our online habits here.

Categories
End User online safety

Sky asking customers to tell them if they want to access adult content

Sky adult content filtering to be left on as standard unless asked otherwise

It was in the news yesterday. Sky is phasing in the inclusion of an enabled Sky adult content filtering as standard unless specifically requested not to. I was told by Lyssa Mcgowan herself. Well on her blog.

This is going to be an interesting one to watch. I’m not going to rabbit on about how it should be the other way around – that families should opt in. I’m just going to see how long it takes for someone to hack in to the Sky database and publish the list of clients that have opted out. Just to show they can. Someone will take on the challenge.

It’s the same issue as why we shouldn’t be thinking about saving internet browsing data. Someone will leave it on a bus or it will get hacked and published on a server somewhere around the world.

Name and shame I say. Who wants to look at filthy pornography anyway. Bring back the high necked collar and floor length dresses. They had it right in Queen Victoria’s day. They also used to hide kids away in the nursery with their nannies. It’s no different today except now Sky provide the parental services by proxy.

The knock on effects of this type of decision will reverberate around the world. At least around the world’s browser manufacturers (does one manufacture a browser?). Sky customers that have opted out and who for reasons of privacy want to use incognito windows will now see a new message:

“Going incognito doesn’t hide your browsing from your employer, your internet service provider or the websites that you visit. ESPECIALLY IF YOU ARE A SKY BROADBAND CUSTOMER WINK WINK”

Interestingly Sky come out very well in our BROADBANDRating rankings. Getting the product mix right continues to be a difficult exercise but I’m not so sure they have it right with this one. There hasn’t been much adverse customer reaction on Twitter, as yet. Just people noting that filters are automatically on. Time will tell.

Fnar fnar.

Later – found a fair few negative tweets on this subject after all. Sample below:

https://twitter.com/kentindell/status/557654044232409088

https://twitter.com/misterjorgensen/status/557843887004606465

https://twitter.com/calh15/status/557656535485411328

https://twitter.com/Chagr1n/status/557590528188235777

https://twitter.com/AlisonW/status/557602200500047873

Categories
Bad Stuff Business ecommerce Engineer internet online safety Regs security surveillance & privacy

A quick guide to problems that will arise if we implement further internet surveillance measures

Snoopers Charter revisited

The aftermath of the Charlie Hebdo murders has led to government and opposition calling for more internet surveillance. Here are a few points for your consideration.

  1. Storing this data will inevitably result in it being hacked, left on a train/taxi on a laptop/memory stick and details of a government minister’s affair with another MP being made public. Example here (29 Jan 2015).
  2. The overhead associated with having to gather and store the data in a secure way will be proportionally huge compared to the size of the business and to the number of customers for smaller ISPs. This will result in the government deciding not to force these businesses to store the information and settling just for the biggest 7 ISPs, aka the Digital Economy Act. The consequence will be that potential terrorists will just use these smaller ISPs for their internet services, leaving a big hole in the “surveillance net”.
  3. The resources required to make this happen will be huge. The French government already knew about the Charlie Hebdo killers. They just lacked the feet on the street to keep tabs on them. Diverting staff to managing the data gathering project will mean even fewer feet on the street or divert cash from adding more feet.
  4. The technical challenges of managing sender and receiver data for email clients are not small, due to the hundreds of different clients out there with non standard formats.
  5. Most email is in any case encrypted these days and is run on platforms that are not necessarily owned by UK businesses. The difficulties associated with extracting these data will not be small (if not impossible). Ditto social media platforms.
  6. Forcing these platforms to provide a back door into the encrypted data (assuming it will be doable) will erode trust in areas of the economy that also rely on such encryption, such as banking and ecommerce.
  7. Businesses will move away from the UK. It will be the start of the rot and leave us with a reputation akin to China et al when it comes to “surveillance society”.
  8. Terrorists will move deeper into darknets and continue to kill innocent people.
  9. On balance I’d spend the money on more feet on the street.

The rush to call for the snooper’s charter to be implemented would result in a bad law that will not have had adequate scrutiny. My wife and one of the kids were in the audience during last night’s BBC Question Time filmed in Lincoln’s Drill Hall. I watched despite it being well after my bedtime.

None of the panellists or the audience really had a grasp on the issues which reflects its highly complex nature. It’s very easy for MPs to support this type of legislation. Most right minded people will agree that it’s a good thing to stop terrorism. It’s just that they don’t understand the implications.

Check out other snoopers charter type posts here.

Categories
End User piracy

List of websites blocked by Virgin Media due to court orders

Taken from the Virgin Media website.

Found this and thought you might be interested. List of websites blocked by Virgin Media due to court orders. No comment really.  I don’t support copyright infringement. Easy to circumvent the blocks though. I wonder how effective they are. Potentially a lot of work for the ISP for little or no return.

Date of Sealed Court Order | Identity of parties who obtained the Order | Blocked Websites
27/04/2012 | Members of BPI (British Recorded Music Industry) Limited and of Phonographic Performance Limited | The Pirate Bay
05/07/2012 | Members of the MPA (Motion Picture Association of America Inc) | Newzbin2
28/02/2013 | Members of BPI (British Recorded Music Industry) Limited and of Phonographic Performance Limited | KAT or Kickass Torrents websites
28/02/2013 | Members of BPI (British Recorded Music Industry) Limited and of Phonographic Performance Limited | H33t
28/02/2013 | Members of BPI (British Recorded Music Industry) Limited and of Phonographic Performance Limited | Fenopy
26/04/2013 and 19/07/2013 | Members of the MPA (Motion Picture Association of America Inc) | Movie2K, Download4All
01/07/2013 | Members of the MPA (Motion Picture Association of America Inc) | EZTV
16/07/2013 | The Football Association Premier League Limited | First Row Sports
08/10/2013 | Members of BPI (British Recorded Music Industry) Limited and of Phonographic Performance Limited | Abmp3, BeeMp3, Bomb-Mp3, eMp3World, Filecrop, FilesTube, Mp3Juices, Mp3lemon, Mp3Riad, Mp3skull, NewAlbumReleases, Rapidlibrary
08/10/2013 | Members of BPI (British Recorded Music Industry) Limited and of Phonographic Performance Limited | 1337x, BitSnoop, ExtraTorrent, Monova, TorrentCrazy, TorrentDownloads, TorrentHound, Torrentreactor, Torrentz
30/10/2013 | Members of the MPA (Motion Picture Association of America Inc) | Primewire, Vodly, Watchfreemovies
30/10/2013 | Members of the MPA (Motion Picture Association of America Inc) | YIFY-Torrents
30/10/2013 | Members of the MPA (Motion Picture Association of America Inc) | Project-Free TV (PFTV)
13/11/2013 | Members of the MPA (Motion Picture Association of America Inc) | SolarMovie, Tube+
18/02/2014 | Members of the MPA (Motion Picture Association of America Inc) | Viooz website, Megashare website, zMovie website, Watch32 website
4/11/2014 | Members of BPI (British Recorded Music Industry) Limited and of Phonographic Performance Limited | Bittorrent.am, BTDigg, Btloft, Bit Torrent Scene, Limetorrents, NowTorrents, Picktorrent, Seedpeer, Torlock, Torrentbit, Torrentdb, Torrentdownload, Torrentexpress, TorrentFunk, Torrentproject, TorrentRoom, Torrents, TorrentUs, Torrentz, Torrentzap, Vitorrent
19/11/2014 | Members of the MPA (Motion Picture Association of America Inc) | Watchseries.It, Stream TV, Watchseries-online, Cucirca, Movie25, Watchseries.to, Iwannawatch, Warez BB, Ice Films, Tehparadox, Heroturko, Scene Source, Rapid Moviez, Iwatchonline, Los Movies, Isohunt, Torrentz.pro, Torrentbutler, IP Torrents, Sumotorrent, Torrent Day, Torrenting, BitSoup, Torrent Bytes, Seventorrents, Torrents.fm, YourBittirrent, Tor Movies, Demonoid, Torrent.cd, Vertor, Rar BG

List of websites blocked by Virgin Media due to court orders. By introducing filtering functionality do you run the risk of accidentally blocking innocent websites? Quite possibly.

Categories
broken gear chromebook Engineer google

This Chromebook is Dead

Deceased, kaput, no longer of this world – dead Chromebook motherboard

It is with a tinge of no real sadness that I present to you an image of a dead Chromebook motherboard. The Samsung Chromebook too is dead, on account of the non functioning motherboard.

It wasn’t a huge loss because these things are so cheap they are almost disposable. And disposing of it I am indeed doing. The dismembering of the Chromebook, I hesitate to call it a computer because that makes me think Microsoft, has been done for two reasons.

Firstly out of simple curiosity to see what it looks like inside. Secondly although I didn’t keep much data on the 16GB solid state drive there would have been some files of I know not what provenance and so it seemed to make sense to permanently delete this memory. Just what you would have done in the old hard drive days but slightly different.

As you can see the ssd now has a nail in it, driven firmly in by my handy Leatherman Multi-tool. No one should be without one.

The dead Chromebook motherboard itself is worth dwelling on. Its diminutive nature represents beauty, and the plastic shell in which it was mounted, consisting mostly of screen, keyboard and a couple of speakers, is evidence of how cheap these things really are to churn out.

It is the future. Low cost, disposable computing resource and User Interface.

I include an earlier photo of the dead Chromebook motherboard for comparison together with

Categories
Business security

Theresa May anti terrorist stuff

Government proposing to introduce legislation to make ISPs keep IP address details for customers.

This one periodically raises its head. In order to properly police the growing terrorist threat the Government wants ISPs to keep records of who had which IP address and when.

When this sort of legislation gets introduced the government normally pays for any work that must be done as a consequence. So if an ISP has to put a lot of effort into developing systems to keep the data Dave Cameron and his gang would stump up the cash.

The problem is that this always comes up against the hard rock of diminishing returns when it comes to smaller ISPs. In other words the implementation of such a system might often be considered to represent a disproportionate amount of work for a company with a small engineering team. If for example an ISP only had a couple of sys admins and a couple of network guys, having to take one of these engineers away from the day job in order to do government related dev work could be a serious disruption to the normal business operations of the company.

On the other side the government would be paying out to set up a system that might cover a relatively few number of end users. They usually end up just asking the bigger ISPs to adhere to such a law (aka Digital Economy Act where only 7 ISPs are involved). This would then leave a huge gap in the fence for the terrorists to swarm through.

I once had a conversation with someone from the Home Office about this. The HO guy could only say “how would they find out about it”. That’s a pretty naive position. What’s Google for? Let’s hope our security forces have a little more something about them.

One might also be a little concerned about the fact that this legislation, if passed will be another of those rushed through without proper scrutiny. Again remember the DEAct. The election isn’t far off now…

Categories
End User security

Potential TalkTalk Router Security Flaw?

Interesting tweet describing a potential TalkTalk router security flaw

Picked this one up on Twitter. It describes a potential TalkTalk router security flaw. I can’t for the life of me think how this scenario happens unless somehow TalkTalk are using the same IP address for more than one router – I guess with Dynamic IP addresses it will happen.

If that was the case then he certainly shouldn’t be able to access the router. Suggests there is a default username and password in play. Maybe the routers are only locked down from people outside the TalkTalk network. Seems strange to me.


Should really be locked down for everything. Bit of a worry really especially when you consider that most people will have no idea what is going on. Someone could be browsing your unsecured laptop or phone. Most will be unsecured. Laptops at least. People tend to have a pin number on their phone to stop Fraping.

Anyway, thought this one was worth sharing. If anyone from TalkTalk engineering would care to comment that would be great. Suspect they will keep schtum though and get on with sorting it out.

The whole subject of personal security where the internet is concerned is a difficult one. It’s hard for most people to get their brains past anything other than just installing anti virus software, and even then it is rarely maintained. ISPs need to take responsibility as far as they can for their customers’ safety.

It’s in their interest really. The last thing they want is for a customer’s PC to be compromised and to be spamming the world. Gets the ISP blacklisted.

As far as the TalkTalk router security flaw goes I’m sure there must be a simple and innocent explanation. Hope so anyway.

That’s all folks. Ciao bella.

Categories
End User security

Virgin Media net nanny parental controls make internet unusable

Virgin Media net nanny parental controls cockup

On Saturday Twitter was awash with complaints from Virgin Media customers unable to surf their weekend entertainments. Apparently the Virgin Media net nanny parental control system had gone tits up. Presumably during some maintenance.

Some Tweets for your info – then scroll down for some thoughts on the subject.


The danger with this kind of technology is that it will break the internet. Normally the issue is accidental blocking of legit sites who carry on innocently with their business not knowing that a chunk of their target market has been denied access to them.

Last weekend this was taken to the extreme as most websites were blocked. I don’t really have a problem with parents being able to opt in to parental controls (ie have to switch them on as opposed to others having to switch them off) although it is worth pointing out that any kid with a soupcon of street wisdom will know how to circumvent the system.

At my kids’ school it is a daily battle between teachers and taught to limit access to proscribed sites. More on this kind of subject here and ‘ere.

Also quite a few Twitter fuelled posts that you might find an interesting read over at broadbandrating.

So long…

Categories
Business security voip

SBCs – Maintaining Your Network’s VoIP Security

Session Border Controllers (SBCs) can greatly enhance VoIP security, all but eliminating toll fraud while also maintaining voice connectivity.

Trefor.net welcomes VoIP Week contributor Simon Horton, the Director of Sales, EU for Sangoma.

The term SBC (short for Session Border Controller) is liberally used in the VoIP industry today, but from my travels around the telecom channel it’s clear that there is significant misunderstanding and distrust on the role played by SBCs and when they are required.

The uptake of Enterprise Session Border Controllers or E-SBCs is being driven by the rise of SIP trunking in the UK. The number of ISDN channels (the traditional way of connecting enterprise to the telephone network, using dedicated copper wire) is shrinking at about the same rate as SIP trunking is growing, so assuming that the market size is static my conclusion is that all of the folks leaving ISDN are going to SIP trunking. In addition to the cost benefit, flexibility, and disaster recovery capabilities of SIP trunking, the proliferation of good quality and value connectivity (e.g., leased lines, EFM) is enabling the market growth.

Why SIP is more inherently risky

In the days of legacy TDM connections (Time Division Multiplexing, or the copper wire) phone calls took place on approved equipment connected to private networks run by the telco. Nothing else was connected or could be connected. Contrast this situation with SIP, where the connection could be across a public network or a network shared with data derived from multiple devices. In addition, calls can be placed and terminated across a wide range of devices such as IP-phones, smart phones, desktops, etc.

SIP deconstructed

Before examining how SBCs can help a typical enterprise it’s worth explaining that SIP consists of two main parts. First, there is the SIP protocol that sets up the call and conveys information about that call. Second, there is the media that carries the voice in RTP packets. Both of these streams need to be considered in order to maintain security.

Attacking the SIP protocol could give an intruder access to passwords, letting them spoof calls and commit toll fraud, a hot topic in our industry today. There are other ways that SIP can be disrupted as well. Denial of Service (DoS) attacks can cause packet overload situations where the legitimate SIP messages cannot be processed and hence calls will not progress.

Media can often be tapped into and heard using tools that are readily available on the internet. The media ports can also be subjected to DoS attacks that can disrupt the audio.

The role of the SBC

The E-SBC sits at the edge of the enterprise network and manages all the voice connections made with SIP. SBCs are very feature rich and there is a lot of information out there discussing the many roles and functions that these flexible devices can perform. The SBC will be able to deal with disruptive DoS attacks by dropping packets at the network level before they become a problem. Encryption is also possible so that media and the call setup messages cannot be tracked. In addition, toll fraud is made much harder with the addition of policy control that allows only certain patterns of traffic to proceed as well as only allowing known users and IP addresses to make and receive calls.

Why not a firewall?

Traditional firewalls are great for protecting data networks, but typically they provide inadequate protection for SIP. Firewalls cannot prevent some of the threats identified here as they are not constructed with an intimate knowledge of SIP. Remember those two parts of SIP we discussed earlier? Well, the average firewall cannot tie the two of those together; this is a key component of the SBC so that only the necessary connections are allowed through the edge of the network. A typical firewall also cannot delve deep within the SIP message, ensure its legitimacy, and if necessary drop it quickly before it gets to the IP-PBX and causes damage.

Summary

The recommended best practice is to install an SBC wherever there is a change in SIP network or wherever the WAN connections join the SIP network. A correctly configured SBC can provide peace of mind in that the possibility for toll fraud is eliminated and that voice connectivity will be maintained regardless of whatever else may be happening.
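To make the three SBC functions described above concrete (dropping floods before they are parsed, admitting only known peers and users with a dial-plan policy against toll fraud, and tying the SIP signalling to the RTP media it announces so only those ports are opened), here is a small Python model of an E-SBC’s ingress decision. It is example code written for this page, not Sangoma’s or any vendor’s software; the addresses, user names, dial-plan patterns and SIP messages are all constructed for the demonstration.

```python
"""Toy E-SBC ingress policy: flood control, peer/user admission, dial-plan
control and SIP-to-RTP pinhole tying. Example code for this page; every
address, user and message below is constructed, not from a real deployment."""
import ipaddress
import re
from collections import defaultdict, deque

# --- Constructed policy -------------------------------------------------------
TRUNK_PEERS = {ipaddress.ip_address("203.0.113.10")}   # SIP trunk provider (RFC 5737 documentation range)
LAN = ipaddress.ip_network("192.168.10.0/24")          # where the enterprise IP phones live
KNOWN_USERS = {"alice", "bob"}                          # extensions allowed to originate requests
ALLOWED_DIAL = [re.compile(r"^0[12378]\d{8,9}$"),      # UK geographic / mobile numbers
                re.compile(r"^[1-9]\d{2}$")]            # three-digit internal extensions
DENIED_DIAL = [re.compile(r"^(09|00|\+)")]              # premium-rate and international: toll-fraud favourites
RATE_LIMIT = 5      # SIP requests per source address per window
WINDOW = 1.0        # seconds


def parse_sip(raw: str) -> dict:
    """Split a SIP request into its request line, headers and optional SDP body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, uri, _version = lines[0].split(" ", 2)   # ValueError unless "METHOD URI SIP/2.0"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "headers": headers, "body": body}


def sdp_audio_endpoint(body: str):
    """Return the (ip, port) the caller asks to receive RTP audio on, or None without SDP."""
    conn = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    media = re.search(r"^m=audio (\d+) RTP/", body, re.M)
    if not (conn and media):
        return None
    return conn.group(1), int(media.group(1))


def user_part(addr: str) -> str:
    """'\"Alice\" <sip:alice@pbx.example>;tag=a1' -> 'alice'; also works on a Request-URI."""
    m = re.search(r"sip:([^@;>]+)@", addr)
    return m.group(1) if m else ""


class Sbc:
    def __init__(self):
        self.recent = defaultdict(deque)   # source address -> timestamps of recent requests
        self.pinholes = {}                 # Call-ID -> (ip, port) the media path may use

    def _rate_limited(self, src: str, now: float) -> bool:
        q = self.recent[src]
        while q and now - q[0] > WINDOW:
            q.popleft()
        q.append(now)
        return len(q) > RATE_LIMIT

    def admit(self, src_ip: str, raw: str, now: float):
        """Decide what to do with one SIP request from src_ip: (action, reason)."""
        # 1. Flood control first: a cheap counter, before any parsing effort is spent
        if self._rate_limited(src_ip, now):
            return "drop", "rate limit exceeded"
        # 2. Only the trunk provider and our own LAN get to talk SIP at all
        src = ipaddress.ip_address(src_ip)
        from_trunk = src in TRUNK_PEERS
        if not from_trunk and src not in LAN:
            return "drop", "unknown source address"
        try:
            msg = parse_sip(raw)
        except ValueError:
            return "drop", "malformed request line"
        if msg["method"] not in ("INVITE", "ACK", "BYE", "REGISTER", "OPTIONS"):
            return "reject", "method not permitted"
        # 3. Policy control: known users only, and a dial plan for outbound calls
        if not from_trunk and user_part(msg["headers"].get("from", "")) not in KNOWN_USERS:
            return "reject", "unknown user"
        if msg["method"] == "INVITE" and not from_trunk:
            dialled = user_part(msg["uri"])
            if any(p.match(dialled) for p in DENIED_DIAL) or not any(p.match(dialled) for p in ALLOWED_DIAL):
                return "reject", f"dial plan forbids {dialled}"
        # 4. Tie signalling to media: open an RTP pinhole only for the endpoint the SDP names
        call_id = msg["headers"].get("call-id", "")
        if msg["method"] == "INVITE":
            endpoint = sdp_audio_endpoint(msg["body"])
            if endpoint is None:
                return "reject", "INVITE without audio SDP"
            self.pinholes[call_id] = endpoint
        elif msg["method"] == "BYE":
            self.pinholes.pop(call_id, None)   # close the media pinhole with the call
        return "forward", "ok"

    def rtp_allowed(self, ip: str, port: int) -> bool:
        return (ip, port) in self.pinholes.values()


# --- Constructed sample traffic ----------------------------------------------
def _invite(number: str) -> str:
    return "\r\n".join([
        f"INVITE sip:{number}@pbx.example SIP/2.0", "Via: SIP/2.0/UDP 192.168.10.21:5060",
        'From: "Alice" <sip:alice@pbx.example>;tag=a1', f"To: <sip:{number}@pbx.example>",
        f"Call-ID: call-{number}@192.168.10.21", "Content-Type: application/sdp", "",
        "v=0", "c=IN IP4 192.168.10.21", "m=audio 16384 RTP/AVP 0 8", ""])

INVITE_OK = _invite("02079460000")      # Ofcom drama-range number, constructed
INVITE_FRAUD = _invite("0900123456")    # premium-rate number, constructed
OPTIONS = "OPTIONS sip:pbx.example SIP/2.0\r\nFrom: <sip:bob@pbx.example>;tag=b1\r\nCall-ID: opt-1\r\n\r\n"


def demo() -> dict:
    sbc = Sbc()
    r = {"good_call": sbc.admit("192.168.10.21", INVITE_OK, 0.0)}
    r["rtp_pinhole"] = sbc.rtp_allowed("192.168.10.21", 16384)    # announced in the SDP: allowed
    r["rtp_other_port"] = sbc.rtp_allowed("192.168.10.21", 16386)  # never announced: blocked
    r["premium_rate"] = sbc.admit("192.168.10.21", INVITE_FRAUD, 0.1)
    r["stranger"] = sbc.admit("198.51.100.7", INVITE_OK, 0.2)
    flood = [sbc.admit("192.168.10.99", OPTIONS, 0.3 + i * 0.01)[0] for i in range(10)]
    r["flood_dropped"] = flood.count("drop")
    return r


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The ordering inside admit() is the point: the rate counter runs before the parser so a flood costs almost nothing per packet, the source check runs before any header is trusted, and the media pinhole is only ever derived from an INVITE that already passed policy, which is the SIP-to-RTP coupling a plain firewall cannot do. A real SBC would additionally track the 200 OK answer to learn the far end’s media port and would authenticate REGISTER with a digest challenge rather than trusting the From header as this toy does.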

Categories
Business Mobile mobile connectivity phones security voip

VOIP BYOD

Those who build or sell VoIP systems need to begin coping with BYOD, because soon enough it will inevitably be on your system’s spec sheet.

Trefor.net welcomes VoIP Week contributor Paul Hayes, ProVu Communications Ltd.’s Product Development Director

Whether you’re a developer of IP PBX or a provider of hosted VoIP telephony services, you need to be doing something about mobile BYOD. BYOD (aka Bring Your Own Device) is the concept of company employees using their own hardware in addition to, or instead of, the hardware provided by and owned by the company itself. I use the term mobile because increasingly people want to use mobile phones and not desk phones. It may be a slightly foreign concept to a lot of readers, but there is a whole generation of future business people just around the corner who will have grown up with a mobile phone in their hand at all times.

It’s a simple idea on the surface, you have an iPhone because you like it and find it easy to use, right?

It might seem like this is all about greedy employers wanting their staff to buy their own kit, but not so. It stands to reason that allowing staff to use devices that they know, trust, and perhaps even enjoy should result in good productivity.

Enough has already been written on the advantages of BYOD, so what I want to talk about instead is how you as someone who builds or sells VoIP systems copes with BYOD, because if it’s not on your system’s spec sheet in the near future you’re going to seem rather old fashioned.

In my eyes there are two main issues the VoIP platform must overcome: maintaining professionalism and management of the devices.

First is the issue of maintaining professionalism. In the early days of VoIP there was a sense of triumph whenever pressing that tick button on your shiny new VoIP phone resulted in a working call with good audio quality. Thankfully, things have moved on, but the last thing you want is for your BYOD solution to represent a step back. It has to work reliably and it has to sound good, too, just like your VoIP desk phone does. At the same time, businesses need to look professional and maintain their own presence. For instance, most businesses don’t want the outbound phone calls they place to be seen as coming from different mobile numbers.

The second issue is device management. How do you know what people are using their mobiles for? How do you control which application they are using? How do you even change a setting on the device when it’s not owned by the business? How do you do all that without crippling the device?

The key to resolving these two issues is centralised management. We’ve been doing this with desktop VoIP phones for over ten years now, the same techniques must now be applied to mobile devices as well.

A company in Sweden called Opticaller Software has an interesting take on it all, offering a solution that involves an application for mobile devices (the usual suspects: iPhone, Android, Blackberry) and a server part that (for now) runs alongside an Asterisk IP PBX. That’s fairly interesting, of course, but what really makes it relevant here is that they also have a hosted management engine, a system that allows you to push the app out to mobile devices and that manages all settings related to the operation of the app. This is absolutely essential, and it seems to make the Opticaller solution fairly unique for the moment. Thus, no matter where the mobile devices are, provided they have just a tiny bit of a data connection, it is possible to control mobile telecommunications much like you can with desktop phones. All phone calls go through the VoIP PBX where they are recorded and accounted for and, crucially, you can control the outbound caller identification used for each call.

The mobile application itself does something that is both clever and yet simple. It uses the mobile voice network for the actual phone call. Maybe one day Wifi will be good enough to be used for mobile voice whilst out and about, but today that simply is not the case.

I used the Opticaller system myself on a recent business trip to Prague and found it very handy for calling people in the office using nothing more than their internal extension numbers. Also, it was very handy in reducing costs as I only suffered roaming charges for inbound calls and not outbound one. Please don’t make the mistake of thinking this is all about saving money, though, as the real problem being solved is how to integrate mobile BYOD into a VoIP phone system.

Categories
Business security voip voip hardware

VoIP Security and Your IP Phone

Concerns about the massive growth of telephone tapping incidents have led to a growing demand for IP telephone handsets that provide VoIP security.

Trefor.net welcomes VoIP Week contributor David Kirsopp, Technical Director snom UK Ltd

An IP-PBX can be reached from potentially anywhere in the world, and your communications network is vulnerable if not properly secured. As such, making sure you enhance security through your choice and implementation of your IP handsets is one of the security measures you should be considering when introducing VoIP into the organization’s network infrastructure.

Concerns about the massive growth of telephone tapping incidents have led to a growing demand for secure telephone handsets. The practical availability of secure telephones is restricted by such factors as politics, export issues, incompatibility between different products, and high prices.

When the VoIP traffic over the Internet is unencrypted, anyone with network access can listen in on conversations. Unauthorized interception of audio streams and decoding of signaling messages can enable an eavesdropper to tap audio conversations in an unsecured VoIP environment, a common threat. And eavesdropping is how most hackers steal credentials and other information; for example, customers reciting their credit card numbers to an airline booking attendant. All that’s needed is a packet capturing tool, freely available on the Internet, or switch port mirroring, and hackers can save the files, take them home, and cause disaster with the stolen information.

Equally or more dangerous than the hacking of the phone calls themselves is that the phone system may enable entry into the company network, and thus the phone connection becomes a portal to all data within the company.

Of course, there are solutions and safeguards that can reduce or even eliminate security weaknesses within VoIP systems.

Authentication-Based IP Addresses

Static configuration of your IP phones to your extensions will prevent easy access by intruders into a conversation. Specifically, you can specify at the IP-PBX which IP address can use a particular extension as a trusted address.

Confidentiality

Unlike PSTN calls which traverse dedicated circuits, VoIP calls are really just data going across the Internet…data that must be protected. By using encryption techniques like TLS and SRTP, you can protect both the signaling and the media stream, preventing others from listening in on the conversation using simple tools such as port mirroring and an RTP trace.

SIP packets contain private information: the IP address of the phone, the SIP server, the signaling and media ports that it’s expecting to listen on, the MAC address of the phone, and in some cases even the management port of the phone. This information should be sent over a TLS tunnel to hide it from snoopers, who though they will be able to see TLS packets will have no idea what’s in them.

Well-designed IP phones provide secure SIP signaling via TLS and audio stream encryption by incorporating SRTP (Secure Real-time Transport Protocol), a security profile that adds confidentiality, message authentication, and replay protection to the RTP protocol. SRTP is ideal for protecting Voice over IP traffic because it can be used in conjunction with header compression and has no effect on IP Quality of Service. These factors provide significant advantages, especially for voice traffic using low-bit rate voice codecs such as G.729. Ensure your phones provide TLS-based SIP signaling (SIPS) with a SIP proxy server and audio stream encryption using secure RTP based on 128-bit AES. SIPS not only prevents message manipulation and eavesdropping, but it also assures the proxy server of the identity of the client phone; hence, identity spoofing threats are also subdued by this mechanism. Some phones, including those produced by snom, also use AES in counter mode (AES-CM) for secure RTP, which creates a unique key stream for each RTP packet and thus makes it almost impossible for eavesdroppers to retrieve the original RTP stream from the encrypted SRTP stream.

Secure Media (over UDP)

If you want to increase security further, then purchase a certificate from a Certificate Authority (CA) like VeriSign, which is equivalent to having your documents signed by a Notary Public who is a trusted third party, verifying that you are who you say you are.   Getting the certificate into the IP phones is currently the tricky part, as some phone vendors are not burning them in at the factory using the MAC address as part of the key.

Plug and Play and Certificates

Plug and play of phones on the wide area network is nothing new. The phone presents a MAC address, and based upon that MAC address the IP-PBX automatically provisions the phone so that it can make calls. The IP-PBX, however, is not able to verify the MAC address of the phone since it came from the WAN. In this case, the MAC address reflects that of the router as that is where it came into the LAN. This is a security risk, however some handsets have certificates burnt in at the factory, so after a key exchange the IP-PBX can be assured that the phone is who it says it is and that a certain MAC address belongs to a particular phone.

Centralised Security

Alternatively, security can be guaranteed from a central point independently from the individual applications and end devices. The advantages of this centralized approach are that it is a one-off implementation with low maintenance costs and offers the possibility of securing communications from equipment of multiple manufacturers. One option for centrally provided security is a Virtual Private Network (VPN); VPNs are typically used for connections with field-based employees, and for company networks that connect branch offices to the computer centre or connect geographically separate servers or computer centres.

Categories
Business security surveillance & privacy voip

Why are the Major Telcos Afraid of encrypted voip?

A significant disconnect exists between the reality of today’s IP communications and the security concerns and needs of the customer (read encrypted voip).

Trefor.net welcomes VoIP Week guest contributor Peter Cox, UM Labs Ltd. Founder and CEO.

One of UM Labs’ long-standing customers is using our product to provide encrypted VoIP connections from remote users (mostly home workers) and to encrypt calls they make and receive on their SIP trunk. Their motivation is simple: They are in the USA and their business makes it necessary for them to work closely with federal government, a connection that subjects them to security and compliance requirements. This customer’s view is that applying encryption to all VoIP calls — including those made and received on their SIP trunk — is an essential step towards meeting these requirements. Even if some SIP trunk calls are then relayed in clear text, as is the case for PSTN calls, the encryption applied on the connection to their trunk provider protects their network and ensures the confidentiality of SIP trunk calls on the connection between the service provider and their office. This effort demonstrates that they are taking all reasonable steps to secure the network connections under their own control and is thus a significant step towards meeting the compliance requirements.

Recently, our customer’s existing service provider announced that they were considering discontinuing encrypted SIP trunk connections, and being unable to find an alternative they asked me for some alternative service provider recommendations. I posted the question to the SIP Trunking & Enterprise VoIP LinkedIn group and received a number of helpful replies. My question also sparked some interesting discussion. A number of the participants gave spurious reasons why encryption was too difficult or not needed on a SIP trunk. What surprised me most was that representatives of two very large and well known telcos weighed in against encryption. One claimed that providing an encrypted SIP trunk connection was incompatible with legal intercept requirements, while the other tried to claim that since enterprises trust their data on “private” networks shouldn’t they trust their voice as well?

Addressing the claim that SIP trunk connections are not compatible with legal intercept requirements, I submit that when properly implemented and with the appropriate systems encrypted VoIP does not prevent legal intercept or call recording for compliance purposes. What it does stop is unauthorised call monitoring. The risk of unauthorised call monitoring is not confined to VoIP, as there is a significant risk to calls on cellular networks (see my recent blog at http://tinyurl.com/k38suu3). Encryption also has a role to play in controlling other threats, including call fraud.

Regarding the comment about enterprises trusting their data on private network connections to service providers, this I found even more surprising. I have spent many years in network security and this is the first time I have heard a connection to a 3rd party service provider classified as sufficiently private to trust for data transmission without some form of additional security. While connections to service providers may be more controlled than the open Internet, they are not private. Most enterprises will naturally want to protect their data with a VPN, so it makes sense to do the same for voice.
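One concrete check behind the argument above is whether a call crossing the trunk actually arrived with encrypted signalling and encrypted media. The following is an added example, not UM Labs' product code: a defender-side audit that looks at the topmost Via header for TLS and at the SDP offer for SRTP (RTP/SAVP with SDES key material, or DTLS-SRTP with a fingerprint). The two INVITE messages are constructed and the SDES key is a placeholder.

```python
"""Audit a SIP INVITE for clear-text signalling or media.

Added example, not UM Labs' product code: a defender-side check that a call
crossing a SIP trunk arrived over TLS and offered SRTP (RTP/SAVP with SDES
key material, or DTLS-SRTP with a fingerprint) rather than plain RTP/AVP.
Message samples below are constructed; the SDES key is a placeholder.
"""
import re

# SDP transport profiles that carry encrypted media (SDES per RFC 4568, DTLS-SRTP per RFC 5764)
SDES_PROFILES = {"RTP/SAVP", "RTP/SAVPF"}
DTLS_PROFILES = {"UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

# Constructed INVITE received over TLS, offering SRTP with an SDES key (placeholder value)
ENCRYPTED_INVITE = (
    "INVITE sip:+441234567890@trunk.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:1001@pbx.example.org>;tag=1928301774\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/SAVP 0 8\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:" + "A" * 40 + "\r\n"  # placeholder, not a real key
)

# Constructed INVITE received over UDP, offering plain RTP/AVP: both checks should fail
CLEARTEXT_INVITE = (
    "INVITE sip:+441234567890@trunk.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhdt\r\n"
    "From: <sip:1001@pbx.example.org>;tag=1928301775\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 2 2 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49172 RTP/AVP 0 8\r\n"
)


def split_message(raw):
    """Return (request line, headers as lower-cased name -> [values], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def signalling_is_tls(headers):
    """True when the topmost Via (the hop that delivered the message) used TLS."""
    vias = headers.get("via", [])
    match = re.match(r"SIP/2\.0/(\w+)", vias[0]) if vias else None
    return bool(match) and match.group(1).upper() == "TLS"


def media_findings(sdp):
    """List each m= line that does not offer SRTP with usable key material.

    Only attributes that follow an m= line are attached to it; session-level
    attributes are ignored by this check.
    """
    media = []
    for line in sdp.splitlines():
        if line.startswith("m="):
            fields = line[2:].split()
            media.append({"kind": fields[0], "profile": fields[2], "attrs": []})
        elif line.startswith("a=") and media:
            media[-1]["attrs"].append(line[2:])
    findings = []
    for m in media:
        has_sdes = any(a.startswith("crypto:") for a in m["attrs"])
        has_fingerprint = any(a.startswith("fingerprint:") for a in m["attrs"])
        if m["profile"] in SDES_PROFILES and has_sdes:
            continue
        if m["profile"] in DTLS_PROFILES and has_fingerprint:
            continue
        findings.append(f"{m['kind']} media offered as {m['profile']} without SRTP key material")
    return findings


def audit_call(raw):
    """Return a list of findings; an empty list means signalling and media are both encrypted."""
    _, headers, body = split_message(raw)
    findings = []
    if not signalling_is_tls(headers):
        findings.append("signalling did not arrive over TLS")
    findings.extend(media_findings(body))
    return findings


if __name__ == "__main__":
    for label, msg in (("encrypted", ENCRYPTED_INVITE), ("clear-text", CLEARTEXT_INVITE)):
        print(label, audit_call(msg) or ["ok"])
```

The check is deliberately conservative: a media line advertising RTP/SAVP but missing a crypto attribute, or a DTLS profile without a fingerprint, is reported, because neither can actually establish SRTP keys. Run it against INVITEs captured at the trunk border to confirm that the provider side is honouring the encrypted connection the post describes.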

Part of the problem is that part of the telecoms industry is stuck in the past, back in the days when the phone companies owned and operated the networks. Things have moved on, and a significant proportion of all communications now runs on IP networks, much of it on the Internet. The move to IP has spawned new applications such as presence and IM and is the driving force behind convergence. The use of IP networks, and specifically the Internet for voice and UC, is a big step forward, but we must recognise that a different set of security rules apply. We have the knowledge and technology to address the security issues. Rather than finding reasons to avoid implementing VoIP and UC security technologies, the industry needs to embrace them and promote their implementation.

I won’t name the two telcos, but if you are interested in seeing them incriminate themselves you can follow the full LinkedIn discussion at http://tinyurl.com/ofdqgjy.

This is a VoIP week post on trefor.net. Check out other VoIP themed posts this week:

Why are major telcos afraid of encrypted VoIP? by Peter Cox
Emergency calls and VoIP by Peter Farmer
VoIP, the Bible and own brand chips by Simon Woodhead
Why the desktop VoIP telephone isn’t going away by Jeff Rodman
Small business VoIP setup by Trefor Davies
VoIP Fraud – Technological Conventionality Achieved by Colin Duffy

Categories
Bad Stuff Business ofcom scams security voip

VoIP Fraud — Technological Conventionality Achieved

VoIP has reached the mainstream. We know because the fraudsters are coming after us.

Trefor.net welcomes VoIP Week guest contributor Colin Duffy, CEO of Voipfone and ITSPA Council member.

VoIP merges two of the largest industries in the world: Telecommunications ($5.0 trillion) and the Internet ($4.2 trillion). It is big business.

Estimates of VoIP market size vary, though they are universally large. For instance, Infonetics Research estimates the global residential and business VoIP market to be worth $64bn in 2014, growing to $88bn in 2018. Visiongain, on the other hand, puts the 2018 value at $76bn. WhichVoIP (Bragg) has it as $82.7bn by 2017, and also claims that VoIP calls account for 34% of global voice traffic – 172bn call minutes. And then there is the United States Federal Communications Commission, which estimates that “In December 2011, there were 107 million end-user switched access lines in service [..in the USA and..] 37 million interconnected VoIP subscriptions.”

And with opportunity comes the thief:

ICT Recent Scenarios: VoIP Week: Colin Duffy (image: Corporate ICT)

(You have to love that New Scotland Yard hack…..)

But it’s not confined to big organisations; perhaps a little closer to home:

“A family-run business says it has ‘nowhere left to turn’ after hackers rigged its telephone system to call premium rate phone numbers — racking up a bill of nearly £6,000. ‘We reported it to the police, but we were told there was very little likelihood of them catching anyone so they wouldn’t be able to investigate’, she added.”

— Lancashire Telegraph

The Communications Fraud Control Association publishes a global fraud loss survey, and in 2013 they estimated that the global telecommunication industry loss to fraud was an enormous $46.3bn, which included:

  • VoIP hacking ($3.6bn),
  • PBX hacking ($4.4bn),
  • Premium Rate Services Fraud ($4.7bn),
  • Subscription Fraud ($5.2bn),
  • International Revenue Share Fraud ($1.8).

Over 90% of the telephone companies included in the CFCA’s survey reported that fraud within their company had increased or stayed the same since the last report.

Globally, the top emerging fraud type was identified as Internet Revenue Sharing Fraud, with Premium Rate Service Fraud (both international and domestic) also in the top five. Of the top five emerging fraud methods, PBX Hacking was the most important with VoIP Hacking at number three.

Who’s doing all this is a big and interesting topic, but here’s a starter:

Top Ten Countries where fraud TERMINATES:

  • *Latvia
  • Gambia
  • *Somalia
  • Guinea
  • Cuba
  • East Timor
  • Lithuania
  • Taiwan
  • *UK
  • USA

Top Ten Countries where fraud ORIGINATES:

  • India
  • *UK
  • Brazil
  • Philippines
  • *Latvia
  • Pakistan
  • *Somalia
  • Spain
  • Bulgaria

(* appears in both lists)

CFCA, Global Fraud Loss Survey, 2013

What can be done?

Earlier this year a customer of Voiceflex was hacked to the tune of £35,000 when over 10,000 calls were sent to a Polish Premium Service number over a period of 36 hours. The customer refused to pay, which resulted in a court case that the telco lost. Now the industry is looking to its terms and conditions for protection, but it’s clear that this isn’t enough – the cause needs addressing.

The best approach would be to cut off the money supply – if Telcos could withhold payments for known fraudulent calls, the activity would end. But this solution requires changes to inter-operator agreements and cross-jurisdiction interventions.

“We are currently in discussions with our fellow EU regulators about steps that may be taken to address cross-border [Dial Through] fraud and misuse. It is important that companies using VoIP systems take steps to ensure both the physical and technical security of their equipment in order to avoid becoming an ‘easy target’ for this type of criminal activity […..] We are approaching the NICC and relevant trade associations to ensure their advice is updated to help businesses better protect themselves against newer types of dial-through fraud that have emerged as technology has developed.”

— Ofcom 2013

For once I agree with Ofcom. The industry needs to work harder at target-hardening. We need to be making this industry safer for our customers.

There’s a lot to be done but a good start is to read and apply the guidance issued by ITSPA – the UK trade organisation for Internet Telcos.
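Target-hardening on the provider side starts with noticing the pattern the Voiceflex case above describes (thousands of calls to one premium number inside 36 hours) while it is happening rather than on the next invoice. The following is an added example, not Voipfone's, Voiceflex's or ITSPA's code: a check over call detail records that raises an alert when one account places an unusual number of premium-rate or international calls inside a sliding window. The account names, numbers, cost classes and threshold are constructed.

```python
"""Flag dial-through fraud bursts in call records.

Added example, not Voipfone's or ITSPA's code: a provider-side check over
call detail records (CDRs) that alerts when one account places an unusual
number of premium-rate or international calls inside a sliding window, the
shape of the Voiceflex case (thousands of calls to one premium number in
36 hours). Accounts, numbers, cost classes and thresholds are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def classify_destination(number):
    """Cost class of an E.164 number from a UK provider's viewpoint (constructed rule set)."""
    if number.startswith("+449"):      # UK premium-rate (09xx) numbers
        return "premium"
    if number.startswith("+44"):
        return "domestic"
    return "international"


HIGH_RISK = {"premium", "international"}


def detect_dial_through(cdrs, window=timedelta(hours=1), threshold=20):
    """Return one alert per account each time its high-risk call count in `window` reaches `threshold`.

    cdrs: iterable of (account, datetime, destination E.164, duration_seconds).
    """
    recent = defaultdict(deque)   # account -> (timestamp, destination) of high-risk calls in the window
    alerts = []
    for account, when, dest, _duration in sorted(cdrs, key=lambda c: c[1]):
        if classify_destination(dest) not in HIGH_RISK:
            continue
        calls = recent[account]
        while calls and when - calls[0][0] > window:   # drop calls that fell out of the window
            calls.popleft()
        calls.append((when, dest))
        if len(calls) == threshold:     # fires once per crossing, not on every later call
            alerts.append({
                "account": account,
                "at": when,
                "calls_in_window": len(calls),
                "destinations": sorted({d for _, d in calls}),
            })
    return alerts


# Constructed CDRs: acct-7 makes a few daytime calls abroad; acct-42 makes normal
# domestic calls by day, then 25 calls to one overseas number within 25 minutes at 02:00.
DAY = datetime(2014, 10, 1)
SAMPLE_CDRS = (
    [("acct-7", DAY + timedelta(hours=14, minutes=7 * i), "+33123456789", 120) for i in range(3)]
    + [("acct-42", DAY + timedelta(hours=9, minutes=15 * i), "+441632960123", 60) for i in range(4)]
    + [("acct-42", DAY + timedelta(hours=2, minutes=i), "+48700123456", 45) for i in range(25)]
)

if __name__ == "__main__":
    for alert in detect_dial_through(SAMPLE_CDRS):
        print(alert)
```

A real deployment would feed the alert into an automatic per-account spend cap or outbound block rather than a log line, and would tune the threshold per customer from their normal traffic; the point of the sliding window is that it catches the burst within minutes of it starting instead of after the bill arrives.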

I’m taking a close personal interest in VoIP fraud and security, and I invite anyone who has more information or who wishes to discuss this in more detail to contact me at colin@voipfone.co.uk.

A naive user asked me, ‘why can’t you just make safe telephones?’ Well, why can’t we?

Categories
Bad Stuff broadband End User

Broadband sentiment analysis

Broadband sentiment analysis used to examine broadband providers

When you browse an ISP website looking at the packages they have on offer it is really difficult to decide how to choose. By and large they are all very similar. Some may offer different TV bundles and you occasionally see a high street store voucher thrown in as an incentive to sign up. I’ve been trawling through various ISP streams on Twitter doing a bit of broadband sentiment analysis. I thought this might throw up some real world feedback on specific ISPs that might help people decide on the right one for them.

What came out was quite revealing and makes me glad I no longer work for a broadband service provider. The amount of vitriol that gets heaped on ISPs when their service goes wrong is amazing. It’s no surprise. The same probably happens when there is an electrical outage. People now rely on their internet connection as a utility.

In doing the work it is worth noting that an automated sentiment analysis tool isn’t perfect because computers can’t understand the nuances of human language. Sarcasm, for example, is very difficult to get right, e.g.

So and so is a great provider

versus

So and so is a great provider !!!???

Same words but the second would go down as negative sentiment if judged by a human. Because of this some human checking has to be performed. This human checking has brought out some interesting anomalies.

For example this tweet:

@drdeakin: Most reliable network @EE ? Rubbish! 4 mobile contracts plus mobile broadband each month and was about to add a business mobi…

was retweeted 112 times (at the time of writing). I found this curious so looked up @drdeakin. He has 177k followers. No wonder he was getting so many retweets. I also wondered how he got hold of so many followers whilst only following 412 accounts. Was he a celebrity? Turns out he just got married to the mother of someone in “One Direction” – a popular music group, apparently 🙂 (@JohannahDarling with 1.15M followers). On this basis I didn’t consider it fair to apportion negative sentiment to tweets other than the first, although a few did get through early on.

Other tweets were showing positive sentiment but were clearly posted by someone with a vested interest. These were discounted (e.g. “@Exposure4All Get 152Mb broadband, 260+ TV channels & unlimited anytime calls to UK landlines → http://t.co/vYY5LuJFUN http://t.co/Br52f3djA0” is on the face of it just a sales pitch).
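The three corrections described above (sarcasm that flips the meaning of positive words, a retweeted complaint counted once rather than 112 times, and sales pitches discounted) can all be expressed as rules on top of a plain lexicon scorer. The following is an added example, not the author's own tool: tweets, the @ExampleISP handle and the word lists are constructed, and the sarcasm rule sends the tweet for human review rather than guessing, which is the post's own conclusion.

```python
"""Rule-based tweet sentiment with the checks the post describes.

Added example, not the author's tool: a small lexicon scorer plus three
corrections from the post, namely a sarcasm flag for praise followed by
runs of !/? (sent for human review), discarding sales pitches that carry a
link, and counting a retweeted message once rather than per retweet.
Tweets, the @ExampleISP handle and the word lists are constructed.
"""
import re
from collections import Counter

POSITIVE_WORDS = {"great", "reliable", "fast", "brilliant", "happy", "love"}
NEGATIVE_WORDS = {"rubbish", "outage", "down", "slow", "awful", "useless", "broken"}
RETWEET_PREFIX = re.compile(r"^RT @\w+: ")
HEAVY_PUNCTUATION = re.compile(r"[!?]{2,}")          # "!!!???" style runs
SALES_PITCH = re.compile(r"\b(get|offer|deal|unlimited|\d+mb)\b", re.I)
URL = re.compile(r"https?://\S+")


def lexicon_score(text):
    """+1 per positive word, -1 per negative word; 0 when they cancel or none appear."""
    words = re.findall(r"[a-z]+", text.lower())
    return sum((w in POSITIVE_WORDS) - (w in NEGATIVE_WORDS) for w in words)


def looks_sarcastic(text):
    """Praise words combined with heavy !/? punctuation: same words, opposite meaning."""
    return lexicon_score(text) > 0 and HEAVY_PUNCTUATION.search(text) is not None


def is_promotional(text):
    """A link plus offer language is treated as a sales pitch, not customer sentiment."""
    return URL.search(text) is not None and SALES_PITCH.search(text) is not None


def classify_tweet(text):
    """'positive' | 'negative' | 'neutral' | 'review' (needs a human) | 'discard' (sales pitch)."""
    if is_promotional(text):
        return "discard"
    if looks_sarcastic(text):
        return "review"
    score = lexicon_score(text)
    return "positive" if score > 0 else "negative" if score < 0 else "neutral"


def collapse_retweets(tweets):
    """Map each original message text to how often it appeared, retweets folded into the original."""
    return Counter(RETWEET_PREFIX.sub("", t) for t in tweets)


def summarize(tweets):
    """Sentiment tally where each distinct message counts once, however often it was retweeted."""
    return Counter(classify_tweet(text) for text in collapse_retweets(tweets))


# Constructed sample stream for a fictional provider
SAMPLE_TWEETS = [
    "@ExampleISP is a great provider",
    "@ExampleISP is a great provider !!!???",
    "Most reliable network @ExampleISP ? Rubbish! Third outage this month",
    "RT @fan_one: Most reliable network @ExampleISP ? Rubbish! Third outage this month",
    "RT @fan_two: Most reliable network @ExampleISP ? Rubbish! Third outage this month",
    "@ExampleISP Get 152Mb broadband & unlimited anytime calls http://t.co/constructed",
]

if __name__ == "__main__":
    for tweet in SAMPLE_TWEETS:
        print(classify_tweet(tweet), "|", tweet)
    print(summarize(SAMPLE_TWEETS))
```

Collapsing retweets to one count is the crude version of the judgement made above about the 112 retweets; a fuller tool would also weight a message by how many distinct accounts said something similar in their own words, which is the signal that actually reflects an outage.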

One provider in particular, Plusnet, looked like drowning in complaints. Plusnet suffered a major outage during the window in which I was looking at the tweets. This was exacerbated by the fact that Apple had just released iOS8 and all the fanbois were at it in droves. As such Plusnet came out very badly compared with other ISPs. However this is a constantly changing data set. I know from experience that ISPs occasionally have problems that seem to be huge disasters at the time but they are overcome. A historical trend chart of broadband sentiment analysis should reveal who is the most reliable ISP overall.

ISPs use Twitter as a means of engaging with dissatisfied customers. Twitter is used basically as an alternative inbound means of communication. Some seem to handle it better than others.

These two examples illustrate how:

  1. @BTCare @someukbitch Happy to but need a better description of the problem, whats the problem and is the light on your Hub blue?
  2. @EE @RhodriOR Hi Rhordi, Afraid we can’t help with home broadband queries, Please call on on 0844 873 8586 from your … http://t.co/OCZ4Z8vDYs

In this case BT is doing a good job compared with EE who aren’t making it as easy as they could for their customers.

The one common thread that came out of the analysis was the number of times an engineer didn’t show up. People had usually taken days off work to wait in for the visit. This is pretty unacceptable but is unfortunately a situation that has prevailed for years now. Maintaining the copper broadband network is a nightmare.

I’ll be making the output of this broadband sentiment analysis available quite soon but thought some of my findings were interesting enough to publish beforehand.

Categories
Engineer security voip

Announcing ITSPA trefor.net VoIP security workshop sponsored by Yealink

trefor.net is teaming up with ITSPA, the Internet Telephony Service Providers’ Association, to produce a twice yearly VoIP security workshop. The first one is during the Convergence Summit South show at Sandown Park on October 8th. Read on to find out more.

Announcing the ITSPA/trefor.net VoIP security workshop

Telecom Fraud – Part 1 – A Case Study for the Channel by Paul Taylor from Voiceflex @ 2.30pm

The Part 1 talk which is part of the main Convergence Summit South programme nicely sets the scene for the ITSPA/trefor.net VoIP security workshop colocated at the same venue. The ITSPA/trefor.net VoIP security workshop goes into the main types of fraud perpetrated on VoIP service providers and their customers and discusses how to stop it happening in the first place.

Telecom Fraud – Part 2 – Prevention is Better than the Cure by ITSPA (the UK VoIP trade body) & trefor.net @ 3.15pm

This VoIP security workshop is intended to provide attendees with an overview of the current fraud threats facing the Telecoms/VoIP industry, outlining their scale and discussing the ways to mitigate these problems before it is too late. Looking from all angles (service provider, reseller and vendor perspective), there will be short presentations from various industry players, outlining their experiences, followed by a panel and Q&A session to discuss the best methods of combatting fraudulent activity and best practice tips. Nibbles and drinks will follow to continue the discussion.

The format includes:

1) Telecoms/VoIP Fraud – the current state of play and how bad is it? – Simon Woodhead of Simwood

2) An outline of three specific types of fraud and what to do to tackle it

a. PBX Hacks – David Cargill

b. Accessing SIP credentials – Steve Watts of Yealink

c. Identity spoofing – Colin Duffy of VoIPfone

Simon Woodhead will also do a slot on general protection against non-specific threats.

3) Audience Q&A – How to prevent fraud, spot fraudsters and adhere to best practice.

This week is also going to be VoIP week on trefor.net. We have a gang of regular contributors providing posts but if you have an idea for an interesting VoIP post let us know. You have to be from the VoIP/ITSP industry and it should not be a blatant sales pitch for your company’s products and services.

Finally on the 8th October, the same day as the VoIP security workshop, we are having the 5th trefor.net UC Exec Dinner. This time the speaker is Dean Elwood, CEO of Voxygen. Dean is coming to talk to us about what is happening with OTT VoIP services in the big telco community. This is only open to senior execs in the UC industry. More details here.