Categories
Business security

SME’s inaction on cybersecurity is bad for business

Simon Chandler

SME cybersecurity – should they care?

Small retailers and businesses aren’t doing enough on cybersecurity. This, at least, is what emerges from a survey published recently from domain provider 123 Reg, who canvassed 13,000 online retailers and discovered that 10% of them aren’t taking any steps whatsoever to protect their customers’ personal data.

This is a worrying figure, and while 10% isn’t perhaps a massive percentage on its own, the survey also found that 50% of e-commerce owners admit to not being prepared for an attack and to not having a recovery plan in the event of a breach.

While such findings are already disconcerting enough in simple terms of cyber and data security, they’re also troubling for another reason, which is that they reveal how smaller online retailers are jeopardising their businesses and their trustworthiness by neglecting the security of their websites and platforms.

This isn’t something suggested only by 123 Reg’s recent survey, but also by other research. For example, in June 2016, Barclaycard conducted their own survey on SME cybersecurity, learning that only 20% of small and medium enterprises held up online security as a top business priority. This was despite the fact that 48% had knowingly been the victim of a cyberattack and the fact that 54% were concerned about hacking.

And this stands in marked contrast to larger enterprises. Larger businesses take cybersecurity more seriously and invest more in it, with the latest Thales Data Threat Report revealing that 73% of large international corporations will be increasing their security spending this year. Similarly, the report also shows that 88% are highly concerned about data security, while a similar Zurich Insurance survey of SMEs from last year found that only 8% rank cybercrime as the top risk to their business.

Of course, larger companies are targeted in more high profile ways than their smaller counterparts, yet what should be unsettling for SMEs is that attacks against them are on the increase. In 2016, smaller businesses were hit by some 230,000 attacks, while the percentage of breaches targeting SMEs grew from 18% in 2011 to 43% in 2015.

One way of interpreting such growth is that, as cybercrime grows and becomes almost ‘professionalised’, cybercriminals are increasingly realising that smaller retailers are a soft target. And as the surveys mentioned above indicate, this is because SMEs aren’t devoting enough attention to the security of their websites, servers, networks and platforms.

As a result of this inattention, 74% of SMEs suffered an information security breach in 2015, according to Government figures. And this proportion is likely to grow, especially in light of how an August 2016 survey from Close Brothers revealed that 63% of SMEs have actually decided not to invest in improved online security in light of the EU’s General Data Protection Regulation.

Somewhat luckily, SMEs lack the kind of visibility that would result in breaches being widely reported in the media. However, if attacks against them do indeed continue increasing, and if the public become increasingly aware of these attacks, then trust in smaller online businesses and retailers will be damaged.

And as the notorious TalkTalk hack from October 2015 plainly revealed, a violation of customer data wouldn’t result only in a loss of trust, but also in a loss of customers. And for smaller retailers and businesses eager to hold onto as many of their customers as possible, such losses would be very damaging.

It would result in small and independent retailers losing even more custom to giant online outlets such as Amazon and eBay, in the process strengthening even further the stranglehold such larger companies have on digital spending and shopping. At the moment, a whopping 55% of all online product searches are made on Amazon (at least in the US), and this share will only increase if SMEs continue being too inactive on cybersecurity.

This is why, even with smaller budgets, SMEs must take greater action to strengthen their data and cyber security. More of them need to adopt such measures as multifactor authentication for important company accounts, drawing up contingency plans for cyberattacks, conducting regular tests and assessments of the strength of their cybersecurity, and tightening physical and online access to sources of sensitive information.

By taking such steps, and perhaps by going so far as to employ dedicated information security officers where possible, SMEs will be in a much better position to guard themselves against the rising tide of cybercrime.

Yet more generally, they’ll be in a much better position to guard their businesses, their reputations, and their relationships with their customers. And given that they make up 99% of all UK businesses, they’ll also be better placed to protect the British economy at a time when it needs more than ever to grow.

This is a guest post by Simon Chandler, News Editor of Choose, a consumer price comparison and information site covering broadband and personal finance services. Simon wrote the post a few weeks ago and I’ve been a delinquent in sticking it up. I don’t typically take guest posts from sites who are doing it for their own SEO benefit but in fairness to Choose they supply good quality copy and I wish them well with it.

Categories
Business Legal security

House of Commons Culture, Media and Sport Select Committee report on Cyber Security

House of Commons Culture, Media and Sport Select Committee report on Cyber Security and all that jazz

Email came through from ITSPA this morning regarding the House of Commons Culture, Media and Sport Select Committee report on Cyber Security: Protection of Personal Data Online.

In general, the report focused on the need for increased consumer awareness of cyber security breaches and recommended that the Information Commissioner’s Office (ICO) should have a robust system of escalating fines to sanction those who fail to report, prepare for, or learn from data breaches. It also stated that Government need to urgently address the huge amount of data that will be created by the Investigatory Powers Bill and how this will be secured from data breaches.

I’ve listed the key recommendations together with my own comments below:

  • Companies should report their cyber security and data protection strategies to the ICO

This is somewhat naive. How many companies are there in the UK? The ICO would be swamped and in any case wouldn’t have the resources to do anything with the information.

  • The ICO should have additional powers of non-consensual audit, notably for health, local government and potentially for other sectors

More red tape and you have to question the efficacy of this. I can understand auditing the public sector but private industry???

  • The Government should initiate a public awareness-raising campaign on cyber security

Waste of time though. For a campaign to be effective it would have to be prolonged, permanent even, and cost a fortune.

  • It should be easier for victims of a data breach to claim compensation

Seems like a good idea if likely to be somewhat complicated and difficult to do.

  • All relevant companies should provide well-publicised guidance to customers on how they will contact customers and how to make contact to verify that communications from the company are genuine

What makes a company relevant? In principle this sounds sensible but it is red tape.

  • All telecommunications companies should take steps to ensure that compliance with data protection rules and Cyber Essentials are key criteria when selecting third party suppliers

The more I think about this, the more it looks like interference in private industry.

  • Cyber security should sit with someone able to take full day-to-day responsibility and who can be fully sanctioned if the company has not taken sufficient steps to protect itself from a cyber-attack

Cost. Overhead.

  • To ensure this issue receives sufficient CEO attention before a crisis strikes, a portion of CEO compensation should be linked to effective cyber security

Uhuh

  • The vulnerability of the massive new data pools that will be created by the Investigatory Powers Bill needs to be urgently addressed by Government

I’ve been saying this for years but all you will get is lip service.

There you go. The UK approach to cybersecurity. I’m not saying it isn’t an important subject and that we all need to be cyber secure. I’m not sure that more rolls of red tape is the way to do it.

My thanks to the ITSPA secretariat for their contributions to this post (which is most of the post apart from my comments).

Categories
End User security surveillance & privacy

I break my silence on the Snooper’s Charter

my latest observations on the snooper’s charter

I have in the past been very vocal when it comes to the snooper’s charter. Especially when I was more active in the ISP industry. Having throttled back a bit I let others, the professionals, have their say and stuck to my own counsel.

Just received a summary of the comments from MPs in respect of the latest incarnation of the Bill from the ITSPA Secretariat. I’ve pasted it below with a few of my own observations.

Internet Connection Records

  • Burnham said that whilst the Government’s position in the draft code of practice makes it clear that URLs are not communications data and therefore, by definition, cannot be included in ICRs, it would be more useful to have a single, clear definition of ICRs in one place in the Bill.
  • Burnham stated that communications data should not be capable of being accessed to investigate any crime, regardless of how serious the offence is and the impact on victims.
  • Member of the Public Bill Committee, Gavin Newlands MP, said that the measures in the Bill are not limited to internet access, email or telephony and include, explicitly, communication without human intervention. He added that the industry has indicated a willingness to work with the Government to help implement ICRs, but the trouble is that the industry does not know what ICRs are, and it seems Government still do not know either. He said that these powers were intrusive and needed to be properly defined.
  • Member of three Committees which scrutinised the Bill, Matt Warman MP, said that people needed to be reminded that it was CSPs and not govt who would hold ICRs and govt would not be dipping into this information for any other purpose than to stop serious crime.
  • Alistair Carmichael MP said that it was unacceptable at this stage of proceedings that there is still no proper clear definition of ICRs.

 

Tref writes: Government has no idea what it is talking about in respect of ICRs and is probably keeping things deliberately vague so that they can apply the “definition” to anything that suits them.

Matt Warman is also missing the point. It doesn’t matter who keeps the data – it will be hacked into and leaked. Also we hear all sorts of stories about RIPA requests from councils wanting evidence on relatively trivial “crimes”. The concern is that once the data was available all sorts of people would come out of the woodwork wanting to look at it.

Encryption

  • Member of the Public Bill and Joint Committee, Suella Fernandes MP, said that the UK wants world-class encryption and privacy, but also wants world-class security and citizens should trust the skill and restraint of the analysts, the cryptographers, the mathematicians and the codebreakers who safeguard security and have maintained confidence and discretion in relation to the secrets they have seen.
  • Stephen Hammond MP said that encryption was hugely important to the digital economy and said it should not be undermined, however, he said he had faith in the security services that they would use restraint.

 

Tref writes: they are totally missing the point here. If encryption methods are designed to be hackable by government codebreakers then criminals and hostile foreign powers can do the same. You can’t have “world-class” encryption if it can be hacked.

Cost Recovery

  • Newlands highlighted that owing to uncertainty about the extent and definition of ICRs and the extension of CSPs that will be affected by the proposed provision, the cost is difficult to estimate, but industry figures have said that they expect it to be anywhere between £1 billion and £3 billion. He said that it was not good enough that govt had not produced robust figures which could be examined whilst the Bill was being scrutinised.

 

Tref writes: they have no idea what the implementation of the Bill is likely to cost and are keeping quiet about it because the eventual figure is likely to be unpalatable.

Categories
Bad Stuff Business security

Is encryption the answer to data loss?

Is encryption the answer to data loss? Voipfone CEO Colin Duffy thinks not

The TalkTalk hack and subsequent data loss – and to a lesser extent the Vodafone hack only a few days later – bring the issue of data security and telecommunications into the news. In the media, much emphasis has been placed on the use of encryption as a line of defence against data loss. This is only very partially true – encryption is not a panacea.

When it is useful, the system has already been compromised, the data is already lost and can be worked on at the criminal’s leisure or sold on to more sophisticated criminals with the tools to decrypt it. Encryption is not perfect and through cryptanalysis it can be broken. For example, knowing that you are looking at a list of tens of thousands of postcodes that are encrypted with the same key can provide sufficient information to decrypt the entire list. Moreover, the encryption key itself then becomes a prime target for hackers.

Encryption is most useful when it is used to protect data transport over a hostile medium e.g. when data is exchanged between two parties over the Internet or a laptop being taken out of the office or situations where physical hardware can be stolen.

But inside private networks it is far less useful. This is because customer data is in constant use by multiple users – for billing, reporting, and customer support and by customers for updates and information. Customer databases need multiple entry points and authorisations for both human and machine access. Encrypted information is unencrypted on the fly by the computer which processes it. If the hacker gains access to that computer as a user the data is automatically unencrypted and visible.

Any breach that allows an attacker access to a component such as remote code execution and login access would also give them access to the encrypted data and the encryption key. There are very few remote attack forms where encryption would prevent data loss once the hacker has penetrated the system.

In these circumstances, encrypting data adds extra load on processors and systems, adds system and managerial complexity and cost and mostly does little more than provide a false sense of security. In reality, encryption of data inside networks is of most use not for the protection of the data, but from subsequent media accusations of security laxness.

Finally, encryption does not protect against database deletion or interference.

For a limited number of risks, data encryption can bring some security value to a system, but for most it has no benefit whatsoever. Therefore it certainly isn’t a replacement for the other security measures – protecting access to systems, minimising SQL injection or code execution vulnerabilities. It has to be considered a last line of defence, added on top of all other reasonable measures.

Colin Duffy www.voipfone.co.uk

This week of telecoms fraud posts is edited by Manuel Basilavecchia of Netaxis.
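The postcode caveat in Colin’s second paragraph, worked through as an added example (not code from the post or from Voipfone): under a deterministic scheme identical postcodes give identical ciphertexts, so a stolen table can be matched against a public popularity ranking without the key, whereas a fresh random nonce per record removes the leak. The demo key, the postcode table, the “public” frequency ranking and all function names are constructed; the HMAC-SHA256 counter-mode keystream stands in for a real cipher so the script runs on the standard library alone.

```python
"""Deterministic vs randomised record encryption (constructed example).

If every record is encrypted under one key with a deterministic scheme
(same plaintext always gives the same ciphertext), repeats in a stolen
table can be counted and paired with a public frequency table of
postcodes, recovering most of the list without the key.  A randomised
scheme (fresh random nonce per record) gives distinct ciphertexts for
identical postcodes, so the counts reveal nothing.

Stdlib only: the keystream comes from HMAC-SHA256 in counter mode so the
example runs without third-party packages.  In production use an AEAD
such as AES-GCM; the nonce lesson is the same.
"""
import hashlib
import hmac
import os
from collections import Counter

NONCE_LEN = 16
DEMO_KEY = b"\x01" * 32  # constructed demo key; never hard-code real keys

# Constructed table: 11 customer records over four postcodes with a skewed
# distribution, plus the "public" popularity ranking an attacker could
# obtain independently (census-style data).  Both are made up.
SAMPLE_POSTCODES = (["LN1 1AA"] * 5 + ["SW1A 1AA"] * 3
                    + ["M1 1AA"] * 2 + ["EH1 1AA"])
PUBLIC_FREQ = {"LN1 1AA": 500, "SW1A 1AA": 300, "M1 1AA": 200, "EH1 1AA": 100}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: block_i = HMAC(key, nonce || i)."""
    out = b""
    i = 0
    while len(out) < length:
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || (plaintext XOR keystream)."""
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Inverse of encrypt: strip the nonce, regenerate the keystream, XOR."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def encrypt_table(key: bytes, postcodes, randomised: bool):
    """randomised=False reuses one fixed nonce for every record (the
    deterministic mistake); randomised=True draws a fresh nonce per record."""
    fixed = b"\x00" * NONCE_LEN
    return [encrypt(key, os.urandom(NONCE_LEN) if randomised else fixed, p.encode())
            for p in postcodes]


def frequency_guess(ciphertexts, public_freq):
    """What the stolen table alone gives away, with no key: rank ciphertexts
    by repeat count and pair that ranking with the public popularity ranking."""
    by_count = [c for c, _ in Counter(ciphertexts).most_common()]
    by_popularity = sorted(public_freq, key=public_freq.get, reverse=True)
    mapping = dict(zip(by_count, by_popularity))
    return [mapping.get(c) for c in ciphertexts]


def recovery_rate(postcodes, ciphertexts, public_freq) -> float:
    """Fraction of records whose postcode the frequency guess got right."""
    guesses = frequency_guess(ciphertexts, public_freq)
    return sum(g == p for g, p in zip(guesses, postcodes)) / len(postcodes)


def demo():
    """Same key, same data, two nonce policies; returns what each leaks."""
    det = encrypt_table(DEMO_KEY, SAMPLE_POSTCODES, randomised=False)
    rnd = encrypt_table(DEMO_KEY, SAMPLE_POSTCODES, randomised=True)
    return {
        "deterministic_recovery": recovery_rate(SAMPLE_POSTCODES, det, PUBLIC_FREQ),
        "randomised_recovery": recovery_rate(SAMPLE_POSTCODES, rnd, PUBLIC_FREQ),
        "distinct_det": len(set(det)),  # one ciphertext per distinct postcode
        "distinct_rnd": len(set(rnd)),  # every record differs
    }


if __name__ == "__main__":
    print(demo())
```

With the deterministic table every postcode is recovered from counts alone; with per-record nonces all eleven ciphertexts are distinct and the count-based guess is no better than chance.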

Categories
End User security

Secure data stolen from Lloyds Bank datacentre

lloyds bank data theft

I note Police are investigating the disappearance of a storage device that contains people’s names, addresses, sort codes and account numbers, after it was taken from a data centre in July (Telegraph).

Some thoughts here.

  1. Why would the Telegraph store this kind of info unencrypted on a data device? Indeed why would they store it on a physical device that could be stolen at all? Doesn’t sound like a very secure situation to me at all.
  2. Lloyds might have argued that Datacentres themselves are inherently secure. Well yes they are but there have been a number of examples over the years where people have stolen kit, usually expensive routers, from “secure” racks in “secure datacentres”. Datacentre security usually involves multiple layers of sign-in/verification and also involves cctv. Doesn’t seem to stop this kind of thing happening though.
  3. On this basis we should consider all data to be inherently insecure and open to theft at some point and assume that it will be stolen. The only way around this is to have a regime that involves regular password changes. I assume you all do this right? Even then it doesn’t guarantee the security of your data.
  4. If we assume that data will inevitably at some point be stolen then the question arises as to whether we are storing this data unnecessarily. eg do you need to keep your online banking login information stored somewhere that may be stolen. How about on a bit of paper hidden in a sock instead? (no clues being given here btw:)
  5. We should also question it when others propose to store your personal data for their own purposes. I’m sure there are many examples of this – you can name your own.

At this stage if I let it get to me I’d be a quivering wreck. There’s a lot of stuff out there about me. What can I do about it?

Part of the problem (problem?) is that I stick a lot of stuff online myself without being prompted. Yesterday’s video of a goods train passing in front of me got over 4,500 views on Facebook with no effort whatsoever.

People will know I was at that specific railway crossing at the time the video was taken. Given enough time you could build up a profile of my regular movements and habits just from information publicly available on the web.

Although I know some people who shy away from platforms like Facebook for this very reason I don’t. In fact I’ve started to use Facebook more and more as believe it or not it is good for business. I’ve even installed the Facebook app on my droid despite my previous misgivings about the personal data it wanted to access on my phone.

I’ve basically just said “to hell with it” and plunged into the deep-end instead of playing about where I was able to stand up without the water coming over my head.

I don’t know where all this is going. On Tuesday one of my kids became the proud owner of a macbook pro. During the (brief) install phase he told me the machine was asking him whether he wanted to encrypt the disk. I googled this and found that Apple had introduced this feature as standard to make it harder for governments to snoop on their customers’ data.

We probably need to rely on these big companies doing the right thing because they have the resources to be able do it right. It is a worry though especially when half their business model relies on them collecting enough personal information about you to be able to sell it.

I’ve gone on enough here and it’s nearly time to go home. I’m cooking a pork casserole so that we have something ready for when we get back from Galashiels at the weekend. Look out for a post about The Pylons gig we are going to see at the 100 Bands Festival. In fact if you are in the area come and see them. 1pm main stage Saturday.

Lots more posts on the subject of data theft and online security in the security category of this blog.

PS I am a Lloyds Bank customer and use their mobile app. I am happy to do this because they guarantee to cover any losses due to theft arising from my use of the app. It’s the way ahead.

Categories
End User security

Global village – a world where everyone knows everyone else

Online privacy is a thing of the past

My son Tom is currently editing the next broadbandrating.com video. You will have to wait and see what it is all about but it follows on from last week’s pig racing (if you haven’t seen that vid click on the link – it’s very good). The next vid is taking a while because there was lots of footage that included kids’ faces. Tom, having been on the BBC’s political correctness course, is blurring out the faces one frame at a time!

Anne and I were in London over the weekend. There was a big cycling event going on – thousands of cyclists pedalling around St James’ Park, down The Mall, around Trafalgar Square etc etc. It was a bit of a stop start affair – lots of tourists trying to do the usual touristy stuff – being fleeced by ice cream vendors, buying cheapo tat at top dollar, you know the kind of thing. Oh and crossing the roads which necessarily involved frequent stops to the cycling.

I took a few photos. That’s what made me think about the global village thing. That and the extreme busyness of central London. The time is not very far off where I’ll be able to scan the internet for images of the people in my photos and find out who they are. In fact I can do it now to some extent – searching for similar images. The natural extension of this is real time video streaming from my Google Glass or other wearable device and in real time telling me who it is I am looking at. LinkedIn profile, Facebook profile, the lot. Our security forces probably already do this.

The consequences are a bit obvious. If I were to stand videoing the cycle ride for an hour or so I’d capture images of each rider’s face and subsequently be able to identify everybody who took part, including children.

There are many obvious uses to this application, good and bad, all bad as far as I can see. One simple one is that advertisers could identify people who liked cycling and push them ads for bikes, helmets etc etc.

As the owner of broadbandrating.com, a site that makes its money by attracting visitors specifically interested in broadband I am keen on the idea of having new ways of targeting prospective customers to the site.

As a prospective punter I am less keen. I’ve decided I don’t like seeing ads eerily pushed to me on subjects that I am interested in. As often as not they are too late anyway – I’ve normally already gone and booked the hotel room etc. It makes me think that “they” know too much about me.

I’ve decided I am ok with finding things online using search but not ok with businesses finding out about me on the basis of those searches. In other words if I stick a page up saying I like baked beans and someone searches for people who like baked beans and finds me then that is ok. It’s not ok for me to know who those searchers are.

I realise this has big implications to the business model of the internet but I’m sorry, that’s what I’ve decided:).

There is another angle to this whole subject. In the good old days (where the average life expectancy was 40 and people lived as serfs in villages working from dawn until dusk for their master and died of cholera, typhoid, rickets, polio etc etc – you know, the good old days) we all lived in villages and every one knew everyone else.

Nowadays there are 7 billion or more of us on the planet and a big chunk of us live out our sad anonymous lives in large urban conurbations where we don’t talk to our neighbours. There are in any case far too many people to be able to remember their names.

This will not be a problem in the future. With our new technology we will know who everyone is. People will start talking to others. “Hello Mr Williams/Gladys/Sanjay” you will be able to cheerily say to the neighbour down the corridor as you pass them coming back from Tesco. “How’s the alcohol/problem?”

Maybe, maybe not. I’ll leave it to you to decide.

I’ll finish with a scene from our weekend in London. I’m taking a picture of my lovely wife Anne with the Houses of Parliament in the background.

Coincidentally someone else is doing the same thing. It looks almost as if the guy is photo-bombing our shot.

Actually from the second photo you can see that he was having his own photo taken.

I have no idea who he is but if someone can tell me his name I’ll buy them a beer. The technology is out there…

More on privacy on this blog here.

Categories
Bad Stuff End User security

Fancy a bit of stuff on the side?

Ashley Madison helps you find other people who want to cheat on their partners

The older I get the more I realise how sheltered I am. I spotted a comment by @ruskin147 on Twitter whilst whiling the time away waiting for a late train to arrive:

Intrigued I looked up Ashley Madison to find a site that arranged extra marital affairs for people and claimed it had millions of customers. Not my kind of thing. What all the attention was about however was the fact that Ashley Madison had been hacked and details of its users nicked.

Notionally the hackers wanted AM to stop charging people to remove their details. I’m not really bothered. He who lives by the sword dies by the sword. Harsh but hey…

I am more concerned with the concept that these databases can be hacked. Of course they can. Even the Pentagon apparently gets hacked every now and again. Shit happens.

I have lots of personal details held at many locations online – Facebook, Twitter, Google and maybe another hundred other places online where I have an username and password. It’s my choice to give this info to the specific websites.

What I don’t want is someone keeping all sorts of information on me without my consent that will inevitably be hacked and published online for all to see. The government, in compiling its latest version of the Snoopers Charter, would do well to note that no database is safe. They will take no notice.

It wouldn’t surprise me to find out that the Prime Minister’s voicemail account was actually hacked by the News of the World and that the information was being suppressed. Merely conjecture, rumour spreading, but entirely plausible. I heard it on good authority from a man in a pub.

The only safe way to stop information from being stolen is not to store it in the first place.

PS note the trusted security award on the Ashley Madison site.

Categories
End User internet security surveillance & privacy

Anderson Report on Terrorism Legislation

Anderson Report on Terrorism Legislation

The Independent Reviewer of Terrorism Legislation, David Anderson QC, yesterday published his report into investigatory powers. The Anderson report on terrorism legislation is almost 400 pages long and includes 124 recommendations so you need some stamina to plough through it.

Following the report’s publication Home Secretary, Theresa May MP, gave a statement (watch it here) to the House of Commons. She set out a timetable and provided some general comments:

A draft bill (Snooper’s Charter revisited) will be published in the Autumn and subject to pre-legislative scrutiny by a Joint Committee. A Bill will then be published early in the New Year with a view to passing a final act before the DRIPA sunset clause comes into effect at the end of 2016.

While generally accepting Anderson’s recommendations, May seemed to question the viability of his proposals to require judicial authorisations for warrants, highlighting the need for balancing the responsibilities of the Judiciary and Executive.

In addition to the draft bill, Government will look at a reform of the mutual legal assistance framework (in response to the Sheinwald Report which has not yet been published).

The Anderson Report

Overall approach by David Anderson is as follows:
‘A clear, coherent and accessible scheme, adapted to the world of internet-based communications and encryption, in which:

a. public authorities have limited powers, but are not shut out from places where they need access to keep the public safe;

b. procedures are streamlined, notably in relation to warrants and the authorisation of local authority requests for communications data;

c. safeguards are enhanced, notably by:

i. the authorisation of warrants by senior judges;

ii. additional protections relating to the collection and use of communications by the security and intelligence agencies in bulk;

iii. greater supervision of the collection of communications data, including judicial authorisation where privileged and confidential material is in issue or novel and contentious requests are made;

iv. improved supervision of the use of communications data, including in conjunction with other datasets and open-source intelligence; and

v. a new, powerful, visible and accountable intelligence and surveillance auditor and regulator.’

This forthcoming bill is going to require very careful scrutiny and it will be interesting to see how many of Anderson’s recommendations are implemented. Governments have a habit of listening to these things only when it suits them. Theresa May is already suggesting that she wants the power herself that Anderson is saying should be given to Judges. It’s exactly this situation that we want to avoid.

In principle I don’t think any sane person can object to a government wanting to make it easier for themselves to catch more crooks. However we don’t necessarily need to give them authority to monitor every one of us. Why can’t they stick to just monitoring suspected criminals?

Thanks to the ITSPA secretariat for some of the inputs to this post.

Other Snooper’s Charter posts (lots of them) here.

Categories
Business security surveillance & privacy

Snooper’s Charter a honeypot for security breaches

Snooper’s Charter security breach – an “accident” waiting to happen.

The Snooper’s Charter, they aren’t going to get away from that name, is the proposed law where the Government seeks to legitimise spying on all our internet communications. They of course have very legitimate reasons for wanting to do this – national security, prevention of terrorism etc and promise not to look at the information of innocent persons.

I’m not going to go into the lengthy list of issues with this (list here). Except that is to say that one of my objections to the Snooper’s Charter is the fact that once the government has gathered all this communications data it will lose it. Once lost, it will eventually find its way into the public domain.

“No no no don’t worry it will be very secure” says a government minister (I’m sure). “Oh no it won’t” says I, as sure as hard drives will fail or get left on a bus.

It isn’t just that the information will get left on a bus. Someone will hack into the vault where it is stored and steal it.

The latest news from the US is that some overseas government (allegedly) has hacked into the Office Of Personnel Management and pinched details of the entire staff of the US government.

Just imagine if this was the Snooper’s Charter database. UK government ministers would have details of their affairs made public, or at least placed in the hands of agencies that might make “good use” of the information.

Who will be the first to be blackmailed? When will the first really serious compromise of national security happen as a result?

This is just an example of a possible scenario. It could be information about you. No national security involved but quite possibly embarrassing. Maybe you don’t want the world to know that you buy women’s underwear for your own use, or that you are a trainspotter.

It will happen if we implement the Snooper’s Charter. It’s up to you to decide whether that is a good thing or not. I don’t think it is.


Categories
End User Legal security

Snoopers Charter Revisited – here we go again

Gets tedious doesn’t it, this constant battle to defend against the Snooper’s Charter. You will all have seen from the Queen’s Speech (gawd bless ya Ma’am) that the Comms Data Bill (Snooper’s Charter) has been reincarnated into the Investigatory Powers Bill (Snooper’s Charter).

Page 64 is what you are looking for. Details yur if you can’t be bothered to look.

The purpose of this legislation is to:

Provide the police and intelligence agencies with the tools to keep you and your family safe.

Address ongoing capability gaps that are severely degrading the ability of law enforcement and intelligence agencies to combat terrorism and other serious crime.

Maintain the ability of our intelligence agencies and law enforcement to target the online communications of terrorists, paedophiles and other serious criminals.

Modernise our law in these areas and ensure it is fit for purpose.

Provide for appropriate oversight and safeguard arrangements.

The main benefits of these clauses would be:

Better equipping law enforcement and intelligence agencies to meet their key operational requirements, and addressing the gap in these agencies’ ability to build intelligence and evidence where subjects of interest, suspects and vulnerable people have communicated online.

Maintain the ability of our intelligence agencies to target the online communications of terrorists, and other relevant capabilities.

Provide for appropriate oversight arrangements and safeguards.

This will respond to issues raised in the independent review by the Independent Reviewer of Counter-Terrorism legislation, which is due to be published shortly.

The main elements of the clauses are:

The legislation covers all investigatory powers including communications data, where the Government has long maintained that the gap in capabilities is putting lives at risk.

The legislation will enable the continuation of the targeting of terrorist communications and other capabilities.

On the face of it none of this text is controversial. The problem lies in the detail. My guess is it is unlikely to have changed materially from its previous incarnation although the bit that says “This will respond to issues raised in the independent review by the Independent Reviewer of Counter-Terrorism legislation” is an attempt to smooth things over.

It’s the snoopers charter revisited. Our problem this time around is that the Lib Dems aren’t around to stop it happening. We may be in for a fight.

For a general read around this subject see the multifarious blogs on this site here. For a more specific list of issues see here.

Categories
Bad Stuff End User security

Mcafee offers – how to choose anti virus software

How to choose anti virus software

As regular readers will know I don’t use Microsoft software anymore. I’ve suffered from so many problems in the past that with the advent of Chromebook and the cloud I exist happily with my head up there in the fluffy stuff.

This is not the case for all members of my family and my wife in particular still has a Windows 8 laptop (yuk). In fact I only bought it to run our CCTV monitoring software but it does very occasionally get used for other things when her iPad doesn’t cut the mustard.

Because family PCs have suffered badly from viruses over the years I made sure that when I bought the cheapo Windows 8 laptop it was covered by McAfee anti virus software. It was a deal that covered the whole family for £25 if I recall. Fair enough. Install and forget.

Last week the license ran out. McAfee bless em wanted £59.99 for me to renew. I looked online and saw a number of deals including a lowball £25.50 but decided to nip into PC World to see what they had.

All they could do was £60 including a white labelled online backup service free for the first year. A bargain at £30 pa thereafter for 2TB. However I’d been stung in the past with that. Or at least one of the kids had when he installed it on his laptop only to have the thirty quid taken from his youthful bank account the following year. Phone calls to PC World revealed that they didn’t actually control the service and no way Jose could he have his cash back.

I gave him his money, deinstalled the (unused) client and asked PCW to cancel next year’s subscription. Shysters I thought. So I wasn’t going anywhere near a product that could only give me a (inadequate) discount based on taking the backup service.

The salesman/advisor simply suggested Norton at £40 (£39.99). No problemo.

I got home and commenced installation operations. To begin with I had to wait half an hour whilst the laptop updated the Microsoft software. Then I had problems with the Norton site – their servers were overloaded – hope it wasn’t a virus.

Eventually I managed to download the executable and began to install the Norton Symantec anti virus software. This took ages because it needed to deinstall McAfee which took several reboots and a number of Microsoft updates.

Gor Blimey. The next day I found that Windows 8 has its own anti virus, but I also need it to cover a kid’s Windows 7 machine and a MacBook Air. Hey.

I realise that Microsoft is following Google into the cloud but it doesn’t remove my present pain. These security software vendors are also seen to be dubious wheeler dealers with all the various deals to confuse customers. Can they survive the fact that in the cloud all the security services seem to come free of charge?

Read all about how to choose anti virus software on Wikipedia.

Categories
Bad Stuff Business scams security voip

Caller ID Is Broken – How Can We Fix It?

CLI spoofing doesn’t have to be as big a problem as it is.

In the third of this week’s posts on VoIP fraud guest editor David Cargill has Matt Anthony, Vice President of Marketing at Pindrop Security as a contributor.

There was once a time when people trusted the number that showed up on their Caller ID. Phone companies charged extra for the service. Even banks allowed you to activate your credit card just by calling from a registered phone number. Today, that is no longer the case.

Caller ID (CLI) and Automatic Number Identification (ANI) were originally designed as systems to be used internally by the phone companies. As such, they didn’t need any real security. As they emerged as consumer facing tools, they never developed the security features that we expect today.

The result is that spoofing Caller ID data, or ANIs, is very easy. A quick Google search turns up pages of articles on how to spoof a number. App stores are full of easy to use apps that enable spoofing. One smartphone app, Caller ID Faker, has over 1,000,000 downloads.

spook card - disguise your caller id

Adding to the problem is the fact that in general, Calling Line ID (CLI) spoofing is completely legal. Though it is always illegal to use CLI spoofing for fraud or threatening messages, it is perfectly legal to spoof a number as a friendly prank, or as a helpful business practice. (Think doctors on call who don’t want to give out their cell phone number.) While it might be fun to spoof a CLI in a prank call to your friend, too often fraudsters are the ones disguising their numbers to hide their criminal activity.

Pindrop Security tracks phone fraud activity and trends. We have found that CLI and ANI spoofing is the most common technique used by phone fraudsters. In addition, more than half of the caller ID spoofing attacks cross international boundaries, meaning they are almost impossible to track down and prosecute.

Consider the case of one attacker, known to Pindrop researchers as “Fritz.” This fraudster is likely based in Europe and works alone. Fritz is in the business of account takeover. He calls financial institution call centres, impersonating legitimate customers by spoofing ANIs, and socially engineers the bank into transferring money out of an account. In one four month period, we found that Fritz had targeted 15 accounts. We estimate that he has netted more than £650,000 a year for at least several years.

While there is no technology that can prevent CLI spoofing, it is possible to detect these calls. The key is to detect anomalies between the information being sent over the Caller ID and the actual audio characteristics of a call using phoneprinting™, created by Pindrop Security.

Phoneprinting technology analyses the audio content of a phone call, measuring 147 characteristics of the audio signal in order to form a unique fingerprint for the call. Phoneprinting can identify the region the call originated from and determine if the call was from a landline, cell phone or specific VoIP provider. These pieces of information provide an unprecedented level of insight into caller behavior.

So, if a Caller ID says a call is coming from London, but the phoneprint of the call shows that the individual is calling from 1,000 miles away, it should be a red flag for anyone running a call centre that the caller has malicious intent.
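The check described above, written out as an added example (this is not Pindrop’s code and makes no claim about how phoneprinting derives its features): it assumes the call’s origin country and transport type have already been inferred by some audio or route analysis and are supplied as inputs, works out which country the Caller ID claims to be from via its E.164 country code, and scores the disagreement so a call centre can hold a transfer. The country-code table, the sample numbers and the score weights are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed subset of E.164 country codes. Longest prefix wins, so that
# +1242 (Bahamas) is not read as +1 (US/Canada) and +441481 (Guernsey) not as +44.
COUNTRY_CODES = {
    "1": "US/CA", "1242": "BS", "44": "GB", "441481": "GG",
    "234": "NG", "49": "DE", "33": "FR",
}


@dataclass
class Call:
    cli: str             # number presented by Caller ID, e.g. "+14155550100"
    origin_country: str  # country inferred from the call's audio/route (assumed input)
    transport: str       # "landline", "mobile" or "voip" (assumed input)


def cli_country(cli: str) -> Optional[str]:
    """Country the CLI claims to be from, or None if it is not a usable E.164 number."""
    digits = cli.strip()
    if digits.startswith("+"):
        digits = digits[1:]
    elif digits.startswith("00"):      # international prefix as dialled from the UK/EU
        digits = digits[2:]
    if not digits.isdigit() or len(digits) < 7:
        return None                    # withheld, "anonymous", or too short to be real
    for length in range(6, 0, -1):     # longest match first
        country = COUNTRY_CODES.get(digits[:length])
        if country:
            return country
    return None


def risk_score(call: Call) -> Tuple[int, List[str]]:
    """0-100 score plus the reasons; a CLI/origin mismatch dominates the score."""
    score, reasons = 0, []
    claimed = cli_country(call.cli)
    if claimed is None:
        score += 40
        reasons.append("CLI withheld, malformed or from an unknown country code")
    elif claimed != call.origin_country:
        score += 60
        reasons.append(f"CLI claims {claimed} but call originates in {call.origin_country}")
        if call.transport == "voip":
            score += 20
            reasons.append("VoIP origin presenting a geographic number")
    return min(score, 100), reasons


def should_hold(call: Call, threshold: int = 70) -> bool:
    """Decision the agent or IVR can act on before a transfer is released."""
    return risk_score(call)[0] >= threshold


if __name__ == "__main__":
    # The Saturday-night case from the text: San Francisco CLI, Skype call from Nigeria.
    print(risk_score(Call("+14155550100", "NG", "voip")))
```

The mismatch test is only as good as the origin inference feeding it; if all you have is a coarse distance estimate (the 1,000 miles in the text), compare that against the CLI’s country instead of an exact country match, and keep the threshold below the level where a legitimate customer roaming abroad would be held every time.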

pindrop caller id verification


One recent fraud attempt thwarted by Pindrop tools happened on a Saturday night, a time when most call centre employees are not at their most vigilant. The caller asked to transfer £63,900 from one bank to another. The Caller ID matched the phone number associated with the account, and the caller knew all the answers to the identity questions the agent asked. However, while the Caller ID said the call was coming from San Francisco, Pindrop detected that the call was actually coming from a Skype phone in Nigeria. As a result, the wire transfer was put on hold, and the bank was able to verify with the account holder that the request was fraudulent.

Pindrop phoneprinting solutions are already protecting calls to top banks, financial institutions, and retailers. The Pindrop platform is a comprehensive solution designed to protect the entire call system: inbound, outbound, live, recorded and in the IVR, customer-facing and employee-facing interactions. Pindrop uses the information from the phoneprint to create a highly accurate and highly actionable risk score for each call, which has allowed it to catch more than 80 percent of fraud calls within 30 seconds after the call has been initiated.

Historically, the phone channel has been over-trusted and under-protected, making it a major target for fraudster exploitation. Today, technology is available to detect spoofing and stop phone fraud.

Matt Anthony, Vice President of Marketing

www.pindropsecurity.com

Matt Anthony is the Vice President of Marketing at Pindrop Security. With over twenty years of experience in the technology industry, Matt is a frequent speaker at technical conferences. Prior to joining Pindrop, Matt served as Director of Marketing at Dell SecureWorks. Matt has also held marketing roles at CipherTrust, Monorail, and Dell Computer. He is a graduate of the University of Texas at Austin.

Check out our other VoIP fraud posts here. Below are links to other fraud related posts this week:

PABX fraud by Manuel Basilavecchia here
IRSF Fraud by Colin Yates here

Categories
Business scams security voip

Telecom Fraud – Investment in Prevention and Detection initiatives not always available.

IRSF – International Revenue Share Fraud

This week we have David Cargill as guest editor. David runs the Operations Working Group at the Internet Telephony Service Providers’ Association (ITSPA) and takes a special interest in VoIP fraud. David has invited a number of experts to contribute guest posts on fraud related subjects. This ties in with the ITSPA/trefor.net Workshop on Wednesday that has VoIP fraud and WebRTC as its main themes. This, his second choice of post, in which IRSF is discussed, is written by Colin Yates, Managing Director of Yates Fraud Consulting Limited:

The telecommunications industry has a huge gap between those operators who manage fraud effectively and those who do not. Those who are effective fraud managers, whether they are a Tier 1, 2 or 3 operator, are generally those who have matured over the years with a strong mandate and support from their Executive to do the job, while being provided with the necessary budget, resources and tools to do it well. Some senior management unfortunately view fraud losses simply as a cost of business, and allocate very little budget and resource to it. In these cases fraud losses are generally not measured or reported, so will remain unknown and not reflected in quarterly, half yearly or annual financial reporting.

There are some CSPs who have enjoyed reputations within the industry as leaders in the management of fraud, but over time these reputations have diminished and their fraud losses have increased. Some of this could be blamed on a change of senior leadership who failed to appreciate the importance of effective fraud management. This could also be a result of a fraud manager who failed to continually make it clear to the organisation how much value they were adding to the business by effectively managing fraud. An effective Fraud Manager will take whatever steps are necessary to ensure that the papers for every Board meeting include a quarterly fraud report that clearly identifies the fraud recoveries and averted losses achieved during the period since the last meeting.

Fraud within telecom operators is generally measured as a percentage of total revenue, and depending on which organisation is providing the figures, this could be estimated at anywhere between 1% and 5% of total revenue. In my experience an operator with a mature fraud team, the necessary fraud detection/prevention tools and the support of its management team is likely to keep its fraud losses under 0.50%. Assuming this is a tier 2 operator with total revenues of US$1.5 billion, if the effectiveness of the fraud team were permitted to deteriorate to a point where fraud losses increased by another 0.25% of total revenue, this would add a further US$3.75 million to the annual fraud losses. To recover this revenue by adding new customers would require upwards of 10,000 new customers, assuming an average ARPU of around US$370 per year. Would it not make better business sense to continue to support the fraud management function with resources and tools, at a cost of probably 10% of the additional fraud losses suffered?

Subscription fraud is without a doubt the biggest contributor to fraud losses across the industry. While most operators would agree that their aggregated subscription fraud loss far exceeds those suffered by any other fraud type, the drive to attract and connect new customers can make it difficult to manage. Most sales channels will require that a potential customer who meets basic identity verification checks will be provided service during that one visit to a physical or on-line store. Without investment in real time subscription fraud detection tools, this type of fraud is always going to be difficult to manage. Some of these tools are no longer expensive and can allow a CSP to take more risk when providing service to new customers.

International Revenue Share Fraud (IRSF)[1] has to be regarded as the one fraud type that the industry has failed to manage effectively, primarily again because of a lack of investment in tools and resources by some operators to prevent an attack, or to detect it early enough to minimise losses. IRSF fraudsters can attack a business using many enablers, for example subscription fraud, roaming fraud, PBX hacking, mobile malware, Wangiri fraud and others. Some CSPs use tools, either developed in-house or obtained from an FMS provider, and do manage their IRSF risk effectively, but many others simply operate in the belief that this fraud will never impact them, so they make no investment in a defensive strategy and simply take the risk. This decision is typically not taken by those accountable for managing fraud, but by those a level or two above who control the budgets. In most cases this decision maker will have no idea what the actual risk is, and the impact of not implementing these controls may result in losses way above his delegated financial authority. It is still not unusual to hear of IRSF losses that have amounted to over US$500,000 in a 2 or 3 day period. An investment of under US$30,000 could have avoided most of these losses.

It is well documented now that around 85 to 90% of all IRSF incidents occur in the period between Friday evening and Monday morning, when many CSPs’ fraud monitoring staff are not in the office. Unfortunately even some of those who have made the investment in monitoring tools will continue to ‘take the risk’ over weekends and will not take that monitoring a step further to enable some automation, or to divert the outputs of their monitoring systems to a 24×7 activity within their business. In a roaming situation, NRTRDE (Near Real Time Roaming Data Exchange) records are delivered within 4 hours of a roaming call completing, and this includes the period right through the weekend. Having made the investment to implement this fraud control, it is hard to understand why no-one would be looking at these records in near real time to identify fraud, or have some automated process set up to act on an obvious fraud indicator.

Without effective monitoring tools, some operators simply block what they consider to be high risk destinations, assuming that this will reduce their risk of becoming a victim of IRSF. We currently monitor the destinations and numbers used for IRSF: IPRN providers advertise numbers in 221 countries, and we have recorded over 100,000 test numbers into those countries. However the top 10 high risk destinations very seldom change and are shown in the graph below. These 10 destinations account for 50% of the IPR numbers being advertised, but International Revenue Share numbers advertised in any of the remaining 211 countries could still result in significant fraud losses.

VoIP fraud by country
Sources of telecom fraud by country

Fortunately there are more and more operators who have identified the value of 24 x 7 fraud monitoring, and have managed to make the argument for resources and tools to allow this compelling enough to obtain sufficient budget to implement this strategy.

Unfortunately this has not resulted in a reduction of the overall IRSF problem. It has simply driven the fraudsters to look for easier targets, and these are currently smaller MNOs and, more recently, MVNOs. Fraudsters have come to realise that many MVNOs do not have fraud management expertise in-house, or access to the information and industry networking forums that most MNOs have available to them.

Prevention and Detection are the fundamentals of Fraud Management, which is particularly relevant for the telecommunications industry. The costs of pursuing a fraud strategy based on implementing the resources and tools required to monitor network usage are insignificant when compared to the likely losses you will suffer if you simply rely on luck. Anyone with any doubt in this area should arrange for an independent contractor to come in to their business and conduct a fraud risk review so that the full extent of the risks can be identified. A simple example of an MNO with an effective fraud monitoring process in place identifying and stopping an IRSF attack within 30 minutes, compared to an MVNO with no fraud process, allowing an IRSF attack to continue for 48 hours before detection, is demonstrated in the diagram below.

IRSF – effective telecom fraud monitoring

IRSF has now been around for at least 10 years in some form or another. Some CSPs have lost significant amounts of money to it, and some fraudsters have generated small fortunes in fraudulent income from it. Many customers have been impacted through bill shock after their handset has been stolen or their PBX hacked, and many small countries have suffered social and economic impact as a result of their number ranges being hijacked by these fraudsters.

The argument for effective prevention and detection initiatives is compelling, but this does require some support and investment by an MNO or MVNO’s senior management team. After around 10 years of suffering from this fraud, it should be apparent that the various industry groups who have been searching for solutions are unlikely to come up with anything positive in the next year or two, so it really is up to the individual operators to take action to protect themselves.

[1] IRSF involves fraudsters calling international numbers that attract a high termination rate, from a stolen or fraudulently obtained connection, with the intention of inflating traffic into those numbers and being paid a per minute fee by the number provider for each call made. Payment for these calls will eventually be required from the originating network, which will have no hope of recovering the cost.

Colin Yates is a telecommunications professional with over twenty five years’ experience, specifically in the areas of fraud, investigations, Revenue Assurance and threat management. Colin specialises in the areas of Telecoms Fraud (Internal and External) and Investigations. He also has considerable experience with Personnel and Physical Security, Law Enforcement Agency Liaison, Intelligence Management, Regulatory Compliance, Revenue Assurance and Policy development.

Check out his website at www.yatesfraudconsulting.com. Also check out our other VoIP fraud posts here.

Read yesterday’s post on PABX fraud by Manuel Basilavecchia here

Categories
Business security voip

PABX fraud is on the up – by Manuel Basilavecchia of Netaxis

PABX fraud growth

This week we have David Cargill as guest editor. David runs the Operations Working Group at the Internet Telephony Service Providers’ Association (ITSPA) and takes a special interest in VoIP fraud. David has invited a number of experts to contribute guest posts on fraud related subjects. This ties in with the ITSPA/trefor.net Workshop on Wednesday that has VoIP fraud and WebRTC as its main themes. This, his first choice of post, in which PABX fraud growth is discussed, is written by Manuel Basilavecchia – Co-owner, Sales and Marketing Director of NetAxis Solutions.

It is commonly estimated that losses due to fraud in the telecommunications industry represent 0.5% to 5% of operators’ revenue.

Even though the fraud scenarios have been well known for years, many of them are still impacting the telecom industry. And it is not only telecom providers who are impacted: retail and corporate customers are hit by telecom fraud as well.

In this article we’ll focus on a specific kind of PABX fraud, PABX hacking, and the mechanisms related to it.

To make a fraud possible and generate money, a fraudster needs two things: traffic (generation) and a termination (cash collection).

In order to generate the traffic the fraudster will hijack a PABX, or alternatively pay a third party to perform the hijacking; in that case we talk about the IRSF fraud type (International Revenue Share Fraud). Once access to the PABX is gained, the PABX is used as a resource to generate calls to high cost destinations. As the fraudster owns the numbers targeted by the fraud, a money flow is established and the fraudster can collect the money.

At first glance, the mechanism is not that complex, but the thing is that it has worked for years and is still working nowadays.

Let’s try to figure out why

In most cases hijacking the PABX is not that difficult. Very often the default password has not been changed by the administrator, and where it has been changed, a very basic password is used which is easy for a fraudster to guess. Alongside this, these systems, like any other software, have vulnerabilities which can be exploited by even a basic hacker if they are left unpatched.

In most cases the attack is made outside business hours, including weekends, on the assumption that PABX activity is not monitored during these intervals.

In this way the customer is not even aware that he has been the victim of an attack.

This lack of monitoring at certain times of the day or week means that very often the fraud is only discovered when the customer receives his telecom supplier’s invoice.

There is also an aggravating factor, which is the payment terms. Usually the billing period between a retail customer and its telecom provider is monthly, while premium rate numbers pay out weekly, with the consequence that by the time the fraud is discovered the fraudster already has the money and it is very difficult to get it back (or to withhold payment).

This has a negative consequence for the relationship between the retail or corporate customer and the telecom provider. And as the fraud involves international destinations, international carriers are part of the scheme too.

Having several players in the scenario makes it quite complex and difficult to find a fair solution for all the parties, and someone has to absorb the loss generated by the fraud. Let’s consider a practical case that illustrates all these considerations:

A fraudster buys some premium rate numbers in a foreign country, chosen for the high cost per minute associated with them. As a second step he will pay (share revenue with) somebody to generate traffic artificially towards those numbers.

Once the attacker gets access to the PABX, he will generate as much as possible traffic in the shortest time (night or week-end)

The fraudster receives payment from the premium rate number provider 7 days later.

Assuming that nobody notices this traffic increase on the customer side (or on the operator side), the traffic becomes visible only when the customer receives his telecom invoice, usually one month later.

Quite clearly it is too late to react and very difficult to avoid a loss. The usual flow for international traffic is the following. Traffic starts at a retail customer and is sent to his telecom operator. As it is international traffic, the telecom operator will use one or several international wholesalers to terminate it, and those wholesalers may in turn use different suppliers to terminate the traffic. The number of intermediaries and the misalignment of payment terms make it complex to withhold payment, and very often one party will have to suffer a loss, in most cases the retail customer or his telecom supplier.

In a fraud case the size of the operator can put it in a very difficult situation. There have been cases where the operator was forced to choose between losing the customer and absorbing the loss generated by the fraud. If the telecom supplier is not financially robust, this can have a very big impact on its business.

As a conclusion, to avoid risks linked to this type of fraud it is important to:

  • Take all appropriate measures to secure the customer’s PABX. This point is often difficult because of the diversity of the installed base or the lack of expertise on the customer side, so a good information campaign needs to be set up.
  • Deploy a Fraud Management System that, in near real time, will look at any customer traffic patterns in order to detect abnormal activity in terms of volume or destination.

Of course, the FMS needs to be operated by people having skills in fraud detection, or better, expert consultants to detect fraud but also to avoid false positive cases and not block legitimate traffic (and revenues).

Additionally, this gives the operator the capability to mitigate its financial exposure by reacting quickly to fraud cases (reducing the impact) and by providing evidence with which to open claims towards the authorities and upstream providers (recovering losses).
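As an added example, not from NetAxis, Yates Fraud Consulting or either of the original posts, here is a minimal version of the near real time monitoring that this post’s second recommendation and the IRSF post above both argue for. It replays constructed CDRs through a sliding window that counts minutes to high risk destinations per customer trunk, halves the threshold out of hours (the Friday-evening-to-Monday-morning period the IRSF post says carries 85 to 90% of incidents), and puts a figure on what 30 minutes versus 48 hours of undetected traffic costs. The prefixes, rates, thresholds and CDR lines are all constructed for illustration and are not any operator’s real data.

```python
from collections import defaultdict, deque
from datetime import datetime
from typing import List, Optional

# Constructed high-risk destination prefixes (E.164). A real FMS would load the
# operator's current IRSF intelligence list rather than hard-coding prefixes.
HIGH_RISK_PREFIXES = ("+2326", "+88213", "+3706")

# Constructed CDRs: start (ISO 8601), customer trunk, called number, seconds.
# 2015-04-24 is a Friday; the burst starts at 23:00 when nobody is watching.
SAMPLE_CDRS = """\
2015-04-24T15:10:00,cust-0042,+442079460123,180
2015-04-24T16:45:00,cust-0042,+33170180123,600
2015-04-24T23:00:00,cust-0042,+232612345001,540
2015-04-24T23:02:00,cust-0042,+232612345002,540
2015-04-24T23:04:00,cust-0042,+232612345003,540
2015-04-24T23:06:00,cust-0042,+232612345004,540
2015-04-25T09:30:00,cust-0017,+33170180999,120
"""


def is_high_risk(dest: str) -> bool:
    return dest.startswith(HIGH_RISK_PREFIXES)


def out_of_hours(ts: datetime) -> bool:
    """Weekend, or a weekday outside 07:00-19:00: the windows attackers prefer."""
    return ts.weekday() >= 5 or not 7 <= ts.hour < 19


class FraudMonitor:
    """Per-trunk sliding window of minutes sent to high-risk destinations."""

    def __init__(self, window_minutes: int = 30, limit_minutes: float = 20.0):
        self.window_seconds = window_minutes * 60
        self.limit_minutes = limit_minutes            # in-hours limit per trunk per window
        self.history = defaultdict(deque)             # trunk -> deque[(start, minutes)]
        self.blocked = set()

    def ingest(self, start: datetime, trunk: str, dest: str, seconds: int) -> Optional[str]:
        """Return an alert if this CDR pushes the trunk over its limit, else None."""
        if not is_high_risk(dest):
            return None
        window = self.history[trunk]
        window.append((start, seconds / 60))
        while (start - window[0][0]).total_seconds() > self.window_seconds:
            window.popleft()                          # drop calls older than the window
        total = sum(minutes for _, minutes in window)
        # Out of hours the limit halves: legitimate bursts are rarer and staff are away.
        limit = self.limit_minutes / 2 if out_of_hours(start) else self.limit_minutes
        if total > limit and trunk not in self.blocked:
            self.blocked.add(trunk)                   # production: bar the route and page on-call
            return (f"{start:%a %Y-%m-%d %H:%M} {trunk}: {total:.0f} min to "
                    f"high-risk destinations within {self.window_seconds // 60} min")
        return None


def replay(cdr_text: str, monitor: Optional[FraudMonitor] = None) -> List[str]:
    """Feed CDR lines through the monitor in order and collect the alerts raised."""
    monitor = monitor or FraudMonitor()
    alerts = []
    for line in cdr_text.splitlines():
        if not line.strip():
            continue
        start, trunk, dest, secs = line.split(",")
        alert = monitor.ingest(datetime.fromisoformat(start), trunk, dest, int(secs))
        if alert:
            alerts.append(alert)
    return alerts


def exposure(channels: int, rate_per_minute: float, minutes_undetected: float) -> float:
    """Cost accrued before anyone reacts if the attacker keeps `channels` lines busy."""
    return channels * rate_per_minute * minutes_undetected


if __name__ == "__main__":
    for alert in replay(SAMPLE_CDRS):
        print(alert)
    # The 30 minutes versus 48 hours comparison from the IRSF post, at a
    # constructed £1.50/min with four channels busy.
    print(exposure(4, 1.50, 30), exposure(4, 1.50, 48 * 60))
```

The tuning matters more than the code: the limit must sit above the customer’s genuine international baseline, or the false positives this post warns about will block legitimate revenue, and a real deployment would bar the trunk’s international route and wake someone up rather than just return a string.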

Manuel Basilavecchia is Co-owner, Sales and Marketing Director of Belgium based NetAxis Solutions. Manuel Basilavecchia brings over 17 years of business strategy, innovation and technology experience to his role as co-founder. As Director of Sales and Marketing, Manuel is focused on developing NetAxis Solutions business by bringing advanced carrier-grade communications services to Service Providers and Corporations and by providing high-technology products to the industry. Manuel holds a Master in Electrical Engineering – Electronics and Physics, a Master on Medical Physics and Bioengineering, and an MBA in management.

Loads of posts on PBX fraud here. Also come back for a different VoIP fraud post each day this week.

Categories
Business security webrtc

ITSPA Spring Workshop in association with trefor.net

It’s that time of year again – the ITSPA Spring Workshop in association with trefor.net

Another hand picked packed programme with something to suit all:) This ITSPA Spring Workshop is going to cover two hot topics: WebRTC and VoIP fraud. We have an exciting competition announcement and a real live voip hacking demo to look forward to.

ITSPA Spring Workshop

Date: 29th April 2015
Time: 2.30pm – 5.00pm
Location: Charles Russell Speechlys, 6 New Street Square, London EC4A 3LX

Session 1: WebRTC

i) Announcement of the Genband Hackathon Competition in association with trefor.net
ii) WebRTC Panel session: 2 years on from our last session on WebRTC – where is the money?

Panellists:
Stuart Goble – Genband
Matthew Hodgson – Matrix
Rob Pickering – IP Cortex
Peter Dunkley – Acision

Session 2: Fraud Part 2: Keeping your business safe and how best to report telecoms fraud

i) International Revenue Share Fraud: How, why and what we can do to stop it
ii) Real-time PBX Hacking Demo
iii) Reporting Fraud to Action Fraud

Post workshop drinks, sponsored by Lonap, will take place after the workshop 
Book your tickets now by emailing: [email protected]. Tell em you know me:)

As a footnote, ITSPA, or the Internet Telephony Service Providers Association as an organisation have been getting busier and busier. There is an active calendar of events with workshops in the Spring and Autumn, a Summer Forum that is timed to coincide with the AGM, an Awards event plus the Christmas do.

These are all great opportunities to network with the ITSP industry and for companies trying to sell to this community an ideal place to get valuable visibility. ITSPA Workshops can be sponsored to get your brand seen. You should also consider running adverts on this blog during the same weeks as the events as we typically carry more VoIP specific content at these times.

If you want to know more get in touch.

ciao

Tref

Categories
Business security voip voip hardware

IP Phone Security

IP Phone Security ensures IP Telephony is not compromising the business

She’s back again. Guest editor Lesley Hansen discusses what needs to be considered in ip phone security design.

VoIP or IP phone security is a hot topic. Security attacks continue to evolve and attackers find ever more sophisticated ways of attacking systems. VoIP is only an application running on the IP network, and therefore it inherits the security issues of the IP network. This means VoIP security is only as reliable as the underlying network security and if the IP network has security vulnerabilities, these can be exploited once VoIP is implemented.

The goal of every IP network component manufacturer should be to build a product that maintains a high level of security and provides relevant data to tools that monitor the system for attacks. Once the system is in place, ongoing IP telephony security maintenance is primarily related to the IP PBX or telephony servers: keeping up to date with operating system and third-party service packs to eliminate well-known security holes, implementing critical support patches on servers, updating anti-virus definitions to protect against well-known worms and viruses, and performing daily backups of servers with periodic data recovery tests.

But the IP handset is an important point of access into the IP network. End points such as IP handsets are a point of vulnerability, and while a number of standards exist to secure the telephony network, these are not always supported in the IP handset, and where supported they are not always implemented by the network manager.

Avoiding Denial of Service Attacks

Denial of Service (DoS) attacks can take down telephony. A distributed DoS (DDoS) attack is a concerted and coordinated effort to flood a network with requests. Though the attacked network may not be penetrated, these attacks can “busy” a system, rendering it unusable. To protect against this it is important, while implementing the IP handsets, to ensure that ports are not unnecessarily left open: all unnecessary ports and services should be shut down and unused services deactivated. This is where interoperability partners become key.

For example, PBX manufacturers like 3CX, Vodia Snom 1 and Asterisk PBXs support the Snom security settings from the handset out of the box. This means there are no configuration requirements, delivering a rapid roll-out while ensuring the system is up and running with full security and minimum disruption or delay. Not all PBX manufacturers and IP handset vendors will be interoperability partners. To ensure a wide number of PBXs can be supported, and to provide the business with a high degree of choice, handset vendors should work with the TLS and SRTP standards for configuration setup.

TLS and SSL encrypt the data of network connections in the application layer. They use X.509 certificates and hence asymmetric cryptography to authenticate the other party with whom they are communicating, and to exchange a key. This session key is then used to encrypt data flowing between the parties.

Protect Against Unauthorised Access

When deploying an IP telephony system IT personnel and voice administrators need to take appropriate measures to prevent threats such as toll fraud. Toll fraud refers to internal or external users using the corporate phone system to place unauthorized toll calls. Toll fraud can occur with both TDM and IP-based voice systems, and a standard method of protecting against it is the ability to control call types, for example banning mobile or international calls.

This call control is sometimes handled by low cost routing within the PBX but it can also be done within the IP handset dial plans. A handset with this capability helps to protect against telephone fraud even when the PBX does not have low cost routing.
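As an added example (not from the post and not any handset vendor's dial-plan syntax), here is the kind of call-type control a handset dial plan can apply: classify the dialled number, then allow or ban it by policy. It assumes UK numbering (country code 44, mobiles 07, premium rate 09) and a constructed policy that permits only internal, national and emergency calls.

```python
"""Call-type control of the kind the post describes for a handset dial plan:
classify the dialled number, then allow or ban it according to a policy.
Added example, not any vendor's dial-plan syntax. Assumes UK numbering
(country code 44, mobiles 07, premium rate 09) and a constructed policy."""
import re

UK_COUNTRY_CODE = "44"

# National-format prefix -> call type. Order matters: "00" must be tested
# before "0". The ranges are the common UK ones; a real plan would load
# the full numbering plan rather than this short table.
CALL_TYPES = (
    ("09", "premium"),
    ("07", "mobile"),
    ("08", "nongeographic"),
    ("00", "international"),
    ("0", "national"),
)

EMERGENCY = {"999", "112"}


def normalise(dialled: str) -> str:
    """Drop formatting and fold '+' / '0044' forms of UK numbers to national format,
    so the policy sees the same canonical number whichever way it was dialled."""
    digits = re.sub(r"[^\d+]", "", dialled)
    if digits.startswith("+"):
        digits = "00" + digits[1:]
    uk_intl = "00" + UK_COUNTRY_CODE
    if digits.startswith(uk_intl):
        digits = "0" + digits[len(uk_intl):]
    return digits


def classify(dialled: str) -> str:
    number = normalise(dialled)
    if number in EMERGENCY:
        return "emergency"
    for prefix, kind in CALL_TYPES:
        if number.startswith(prefix):
            return kind
    # Short all-digit strings that don't start with 0 are PBX extensions.
    if number.isdigit() and 2 <= len(number) <= 5:
        return "internal"
    return "unknown"


DEFAULT_POLICY = frozenset({"emergency", "internal", "national"})


def allow_call(dialled: str, policy=DEFAULT_POLICY) -> tuple:
    """Return (allowed, call_type). Emergency calls are never blocked."""
    kind = classify(dialled)
    if kind == "emergency":
        return True, kind
    return kind in policy, kind


if __name__ == "__main__":
    for n in ("2041", "0207 123 4567", "07700 900123", "+44 7700 900123",
              "0033 1 23 45 67 89", "0906 123 4567", "999"):
        print(f"{n:>20} -> {allow_call(n)}")
```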

Ideally, in a well-designed handset the telephone will provide security beyond that provided by the firewall. Security at the handset ensures protection from people on the inside network who have physical access to phones and can bypass the firewall. This means the handsets provide a higher level of security against phone tapping and unauthorised access. Supporting the 802.1X standard helps avoid fraudulent use of the network and protects against third-party or unauthorised devices. Handsets that support 802.1X, where the PBX also supports the standard, will allow the device to request authentication from the switch. This ensures that if a device connecting to the switch does not have the credentials then the switch does not allow access.

Encryption Against Eavesdropping

VoIP systems that don’t use encryption make it relatively easy for an intruder to intercept calls. Any protocol analyser can pick up and record the calls without being observed by the callers. In man-in-the-middle attacks, an internal user spoofs the IP address of a router or PC to spy on voice traffic as well as on data entered on the phone keypad during a voice conversation, such as passwords. After copying the information, the user forwards the voice traffic to the intended destination so that neither the sender nor the recipient knows that the conversation was intercepted. Typical motives include espionage and harassment.

Eavesdropping has become easier because of widely available packet-sniffing tools. The method used to combat this is encryption. Provided that both the handset and the PBX support the standards, encryption ensures that the audio and the signalling traffic are both protected. Products can be configured with security enabled so that signalling is carried in TLS and audio in SRTP. These encryption standards mean that all communications from the handset to the PBX/server are protected from snooping and tapping.
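One way to check that a call actually got both protections is to audit the INVITE: the top Via header shows whether the signalling arrived over TLS, and the SDP body shows whether the audio was offered as SRTP with a key line. This is an added example, not code from the post or any vendor; the two INVITEs it builds are constructed messages with placeholder addresses and key material.

```python
"""Audit a SIP INVITE for the two protections the post describes: signalling
carried over TLS and audio negotiated as SRTP. Added example, not vendor
code; the two INVITEs below are constructed test messages."""
from dataclasses import dataclass, field

SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF"}


@dataclass
class CallSecurity:
    signalling_tls: bool
    media_srtp: bool
    issues: list = field(default_factory=list)


def parse_sip(msg: str):
    """Split a SIP message into request line, header dict and body."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def audit_invite(msg: str) -> CallSecurity:
    request_line, headers, body = parse_sip(msg)
    issues = []

    # Signalling: the topmost Via records the transport the handset used.
    via = headers.get("via", [""])[0]
    transport = via.split()[0].rsplit("/", 1)[-1].upper() if via else ""
    signalling_tls = transport == "TLS" or request_line.lower().startswith("invite sips:")
    if not signalling_tls:
        issues.append(f"signalling over {transport or 'unknown transport'}, not TLS")

    # Media: every m= line must offer a secure RTP profile and carry an
    # a=crypto key line (SDES keying); a plain RTP/AVP offer is cleartext audio.
    media = []  # [kind, profile, has_crypto] per m= section
    for line in body.splitlines():
        if line.startswith("m="):
            fields = line[2:].split()
            media.append([fields[0], fields[2] if len(fields) > 2 else "", False])
        elif line.startswith("a=crypto:") and media:
            media[-1][2] = True
    media_srtp = bool(media)
    for kind, profile, has_crypto in media:
        if profile not in SECURE_PROFILES or not has_crypto:
            media_srtp = False
            issues.append(f"{kind} media offered as {profile or 'unknown'} without SRTP keying")

    return CallSecurity(signalling_tls, media_srtp, issues)


def _invite(transport: str, profile: str, crypto: bool) -> str:
    """Build a constructed INVITE; addresses and key material are placeholders."""
    sdp = [
        "v=0", "o=- 0 0 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
        f"m=audio 49170 {profile} 0 8",
    ]
    if crypto:
        # 40 base64 characters of placeholder key material, not a real key
        sdp.append("a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:" + "A" * 40)
    sdp.append("a=rtpmap:0 PCMU/8000")
    body = "\r\n".join(sdp) + "\r\n"
    head = [
        "INVITE sip:+442071234567@pbx.example.net SIP/2.0",
        f"Via: SIP/2.0/{transport} 192.0.2.10:5061;branch=z9hG4bK776asdhds",
        "From: <sip:101@pbx.example.net>;tag=1928301774",
        "To: <sip:+442071234567@pbx.example.net>",
        "Call-ID: a84b4c76e66710@192.0.2.10",
        "CSeq: 314159 INVITE",
        "Content-Type: application/sdp",
        f"Content-Length: {len(body)}",
    ]
    return "\r\n".join(head) + "\r\n\r\n" + body


SECURE_INVITE = _invite("TLS", "RTP/SAVP", crypto=True)
PLAIN_INVITE = _invite("UDP", "RTP/AVP", crypto=False)

if __name__ == "__main__":
    for name, msg in (("secure", SECURE_INVITE), ("plain", PLAIN_INVITE)):
        print(name, audit_invite(msg))
```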

Greater levels of encryption are available, but at a cost. At the top of the pile, Secusmart in Dusseldorf provides an encryption technology, currently used by the German government, that can be incorporated into the IP handset; these handsets are forbidden for sale to countries under embargo, and the end users need to be checked and validated before handsets are despatched. At CeBIT a Snom handset with GSMK Cryptophone technology was presented. This provides an internationally accepted secure IP handset solution that sells to organisations such as military, government, pharmaceutical and broadcasting, where the information has such a high value that the increased cost for the handset and call manager with encryption is justified.

Once end points with the required standards are selected, for many organisations attention to detail during set-up and use of passwords, a controlled roll-out of the handsets, strictly following instructions when installing the end points, and using the SRTP protocol or VPN tunnels to increase network security will provide a secure solution without the additional investment in these higher levels of encryption.

Other posts in our IP phone design week:

How to design an ip phone
How to design an ip phone for voice quality
IP phone design for it departments

Check out all our VoIP posts here.

Categories
Bad Stuff End User security spam

Can you confirm your company name is self?

01213540949

Was sat on the terrace around the pool yesterday when the phone rang. It was a Birmingham number – 01213540949. I’m not sure I know anyone in brum and toyed with the idea of not answering. I was after all going to be paying for the international leg.

I clicked on the green bouton (for the pool twas in Marseille) and took the call.

‘Hello sir, can you please confirm your company name is “self”?’ I did a double take. Self??

Oh god. I asked who had sold them my mobile number. It is a new one. Then I realised it must have been EE. The b*&^%$£ds. The girl on the other end of the phone said she worked for some kind of yellow pages organisation. 118 something.

She repeated the question. ‘can you please confirm your company name is “self”?’ You can imagine the rest of the dialogue. There may be a company somewhere called self. Lots of people work for them as you often see the name in company receptions’ visitors books.

Unfortunately this is more likely to be incompetence on the part of EE rather than them selling my number. How can personal mobile phone details be given to a directory organisation for inclusion as a business number? The bigger the company the less competent their customer care becomes. This is likely to be especially the case with EE, who are probably still desperately trying to merge Orange and T-Mobile before being merged themselves into BT.

The girl promised not to put my name in the business directory. I’m not sure what advice to offer if you see an incoming call from 01213540949. It’s going to be spam but if you ignore it you might end up in a 118 directory somewhere as a company called self. Or shelf. Or shellfish. Or anything really.

01213540949 – you know it doesn’t make sense.

Lotsa posts on nuisance calls on this blog – check em out here.

Categories
End User security

Eurostar fails Hotmail fraud detection test

Eurostar email fails Hotmail fraud detection test

I have a hotmail account. I don’t use it much. It gets newsletters from the golf club and the occasional Eurostar communique. It was to check the timing of a forthcoming trip to gay Paree that I came across the Hotmail fraud detection test.

I like the idea of a fraud detection test. I’m sure all the large platforms have it. What I found funny was that a blue chip such as Eurostar might have failed it. You’d think it would have been noticed by their IT department, or at least someone would have brought it to their attention.

I looked at another email from Eurostar – thought a sample of one wasn’t quite enough. The second email didn’t have the fraud message but offered another nuance. It said “Email looking a bit odd? See it online“.

Odd I thought. Email looked fine. Also Hotmail is a cloud service – it’s already online. So I clicked on the link to see it online. Came up with this message.

At this point I gave up. I was getting myself into an infinite loop.

From my sample of two I’d say that the Hotmail fraud detection test is failed by emails confirming financial transactions associated with journey bookings and the infinite loop gets its knickers in a twist on adverts. Clearly these emails originate from different departments with different approaches to confusing customers:).

Personally I’ve never had a problem with Eurostar. The booking system is convenient, seats comfortable and you get a 4G connection whilst in the tunnel under the channel. I may however have to get myself a French SIM whilst in Paree as my EE 4G data roaming charges are a total ripoff. They totally fail the Trefor Davies fraud detection test.

Arrivederci Royaume-Uni, bonjour Paris. Croissants, café, bière, steak frites, vin rouge. Hotmail fraud detection test:)

Categories
End User internet online safety Regs security surveillance & privacy

Julian Huppert MP proposes that the next government implements an online rights framework of principles

Online rights framework will help safeguard privacy

The internet is increasingly key to our daily lives and a crucial part of public policy making with ramifications across all areas. However, too often what we get from politicians is poorly thought through kneejerkery. I’ve seen this myself, on far too many occasions.

Just to pick up a few examples, when we were re-writing the Defamation Bill, there was a proposal being pushed that ISPs should be required to filter out any defamatory content on their network – quite a tall order.

David Cameron has been particularly bad – you may remember his suggestion at the time of the riots that he should be able to turn off social media to avoid panic. It took a lot of work to stop that and make it something that was ‘not even considered’. More recently, he’s been insisting that we should ban any messaging system that cannot be decrypted by GCHQ, completely failing to understand the essential link between encryption and cyber-security.

But this problem strikes the opposition too. There have been some really alarming comments about filtering out legal material online that completely miss the point of what is technically possible or desirable. And of course there are people in each party who do actually get it, although not all of us get to have the necessary influence over our front benches to achieve sensible outcomes.

My party has taken these issues seriously, and there are several things we hope to achieve in this area. One of these is stable, sensible regulation – something that almost shouldn’t need to be said. Brilliant new ideas can easily be killed off if regulation is tweaked unexpectedly, and long term investment will drop off if there is a risk of irrational rule changes. We as politicians should set a framework of principles, which should then be relatively stable. We should call on technical experts for help and have discussions with the community and businesses. We can then set the detailed online rights rules in a rational way. That has to be the best way forward.

I’ve been particularly working to develop a Digital Bill of Rights, setting a basic framework for what people should expect online when it comes to issues like privacy, net neutrality and more. This has become especially important since the Snowden revelations. All of us want security, and all of us want privacy.  How do we try to achieve both of those goals? When should the police or security services be allowed to collect information on us, and for what purposes?

Typically, these issues have been dealt with largely secretively and reluctantly, and with a focus on specific data types. For example, strong controls were introduced on DNA data in the Protection of Freedoms Act, but the Police just sidestepped them when storing biometric information, without even attempting to learn the principles from DNA data.

So those are my two key points – stable and sensible regulation, and a clear principle framework for our online rights. If I’m re-elected I’ll fight for those but it would be great to have more colleagues to help with that.

If you want to help me achieve this vision, please consider helping me out – http://www.backjulian.co.uk has the details.

Julian Huppert is Liberal Democrat MP for Cambridge. He has a scientific background and is one of a very small minority of our MPs who can grasp issues relating to internet technology.

Although one or two more might creep in that pretty much concludes the week’s posts on advice to the next government. Other political week posts on trefor.net are linked to below:

James Firth on why government should stop looking to big corporates for tech innovation
Gus Hosein on Data Protection Reform and Surveillance
The Julian Huppert crowd funding campaign here
Paul Bernal suggests government should hire advisers who know what they are doing
Domhnall Dods on Electronic Communications Code reform
James Blessing Says “No matter who you vote for…
Peter Farmer on Ofcom really isn’t an all powerful deity
Dr Monica Horten on Why the Magna Carta applies to technology policy

See all our regulatory posts here.

Categories
Business End User piracy Regs security

Unknown Roku streaming stick on network, Virgin Media, DEAct & Spotify

Roku streaming stick

Interesting one this. A Roku streaming stick has to be plugged into your TV. It’s a bit like a Chromecast but different. One assumes that Joel knows that he hasn’t got a Roku streaming stick plugged into his TV. It must therefore be plugged into somebody’s else’s TV hanging off Joel’s network.

This does bring up the issue of wifi network security and the fact that other people may be making use of others’ broadband bandwidth. Who hasn’t had a look at their wifi settings when in a strange place to see if there are any open networks there. There often are, at least in public places.

This issue to me is further highlighted by the fact that we are coming up to the next general election. At this time 5 years ago the Digital Economy Act was rushed through just before the election. One of the many points landed on the deaf ears of government by protesting voices at the time was the very fact that it was difficult to prove who was actually doing the downloading/copyright infringement.  The rogue Roku of our introductory Tweet reinforces this. The DEAct has still not properly been enacted.

The issues that rights holders were highlighting in pushing for the Digital Economy Act have of course not gone away. I was talking yesterday to a 21 year old recent graduate about where he got his music from. He said it was all downloaded free of charge from online sources. This was despite the fact that his broadband provider Virgin Media has a block on access to specific sites associated with this activity. He said that none of the people he knew, i.e. the 18-25 demographic, paid for their music.

The blocking orders imposed by the courts on ISPs are not working. I did ask him about proxies; he was very familiar with the technology and had used them. Many proxies were also blocked by ISPs, but because sites such as Pirate Bay morph very quickly into similar sites and the kids know how to follow them, they never have a problem accessing music.

I asked him what he thought about the fact that if nobody paid for them there would come a time when there would no longer be any record labels. His answer was that bands nowadays seem to make more out of their live shows than they do out of selling music.

Whatever you think about the rights and wrongs of the situation, it is what it is. I have a Spotify Premium account. It’s a great service.  For the 21 year old concerned £10 a month is actually quite a lot of money. Rob, the trefor.net developer, is a little older at 24. Rob has Spotify Premium. Rob also pays £6 a month for Netflix and doesn’t see why at £10 the music service is more expensive. He has a point maybe.

Now I’m not here to defend anyone’s business model, have a go at anyone’s business model or anything else to do with business models, other than to say that business models do change. Clearly the music industry is in the middle of a period of change that they’ve been struggling to come to grips with. Whether this is to do with legacy deals, royalties payable or cost base, who knows.

We do hear of bands withdrawing their music from Spotify because the live streaming service doesn’t pay enough for the privilege of carrying their stuff. One wonders what proportion of Spotify’s royalties actually go to the band as opposed to the record label. I took a look at SpotifyArtists but it was either too complicated for my small brain to get around or it just wasn’t obvious.

We ain’t going to solve an industry’s problems in this blog post but I can only say that the efforts and the money spent on fighting online copyright infringement don’t seem to be working, at least based on my own local evidence.

PS I’d never heard of the Roku Streaming Stick before I came across this tweet. I’d get one and do a review except I already have a Chromecast in the port the Roku would use and the kids use it a fair bit.

Categories
Bad Stuff End User online safety security

I blog about nail polish – what’s wrong with your filters?

 

Web filters block list includes fashion blog

https://twitter.com/SmashleighJayne/status/559720386112552960

https://twitter.com/SmashleighJayne/status/559720218155835394

https://twitter.com/SmashleighJayne/status/559722059660795904

https://twitter.com/SmashleighJayne/status/559722582921207808

The point about this is that the only reason Ashleigh-Jayne found out about this is because she is a TalkTalk customer. TalkTalk’s own web filters block list had her site down as being adult only.

Now maybe parents wouldn’t want little girls (or boys) checking out nail polish and fashionable shoes. The little darlings grow up too quickly these days. However we hope this is just a mistake. Ashleigh-Jayne will almost certainly be able to contact TalkTalk and get her site taken off the black list.

However if she hadn’t been a TalkTalk broadband customer she might never have found out whether her site was on the list. Millions of people might be wrongly denied access to her site. This is a problem with the system. The blacklists are automatically produced by machines that tbh are inherently untrustworthy because they get it wrong too often.

The following link takes you to an Open Rights Group website that can test your own website to see if it is blocked:

http://linkis.com/www.blocked.org.uk/TJZCq

I took a look at trefor.net and the results are in the featured image. The BT and TalkTalk results that are inconclusive don’t necessarily mean they are blocking me, but it certainly raises an eyebrow or two.

Haven’t actually looked at Ashleigh-Jayne’s blog but I’m taking her word for it that it’s not pornographic. As far as I’m aware she is a fine upstanding member of the blogging fraternity (sorority?).

As I write I realise that I will soon need a new pair of shoes. I doubt I’ll find them on her site mind you but I should be OK. I don’t think that ja.net has the same filtering policy. I’ll leave you with a little story about dubious websites that perhaps should be blocked from viewing by children (once the parents have opted in to the filter of course).

A year or two ago I gave a talk on VoIP security at a ja.net conference. An engineer came up to me afterwards for a chat and the conversation got round to how ja.net would have coped had they had to implement the Digital Economy Act and monitored its hundreds of thousands of users for their downloading habits.

The guy told me a story of how they had once been alerted to a really high bandwidth usage coming out of one room in a hall of residence. They went on an investigative visit and found that the female occupant of the room had moved in with a pal. The room had been painted purple and now had a pole in the middle of it surrounded by 4 webcams. Four enterprising female undergraduates had been paying for their university education by doing some professional internet pole dancing.

Now will that get me on a web filters block list?

Categories
End User security surveillance & privacy

Pretty graphic reaction to ISP porn blocking

Thought I’d slip this one in – adult content filter eh 😉


I don’t know John Harvey but he seems a fairly forthright kind of guy. From Yorkshire maybe.

It’s not so much that you are telling your ISP anything when you opt out of the adult filter, or whatever it’s called. We doubt that any human intervention is involved in the process. It’s the likelihood that the information that you don’t wish adult sites to be blocked is leaked or hacked. That’s the issue.

If the information isn’t there it can’t be hacked. If this was an opt in that would sort it, aside from the fact that these filters aren’t renowned for their accuracy.

As an aside I assume that this site will henceforth be blocked by these filters. Probably already is. Parents don’t want their kids to know that they go to parties like trefbash or the pissup in a brewery. The blog was once blocked by the Timico firewall as “social media” sites were frowned upon by whoever set the policy in place (not me – I used to spend all my time on social media – I had a different set of permissions:).

The question is would Twitter be blocked. There’s a lot of graphic language on Twitter. I once unfollowed someone because of his non stop use of swear words. Not my kind of thing. Would be interesting to hear from anyone who has adult content filtering in place to see whether Twitter was visible or not.

Looking on the positive side, if you have opted out of the adult content filter, and are therefore “down on the list” you can always say it’s because you wanted to read posts on trefor.net;)

Effin read it first on trefor.net. wtf!

Read this highly popular and relevant post on the consequences of allowing government to monitor our online habits here.

Categories
Bad Stuff Business ecommerce Engineer internet online safety Regs security surveillance & privacy

A quick guide to problems that will arise if we implement further internet surveillance measures

Snoopers Charter revisited

The aftermath of the Charlie Hebdo murders has led to government and opposition calling for more internet surveillance. Here are a few points for your consideration.

  1. Storing this data will inevitably result in it being hacked, left on a train/taxi on a laptop/memory stick and details of a government minister’s affair with another MP being made public. Example here (29 Jan 2015)
  2. The overhead associated with having to gather and store the data in a secure way will be proportionally huge compared to the size of the business and to the number of customers for smaller ISPs. This will result in the government deciding not to force these businesses to store the information and settle just for the biggest 7 ISPs aka the Digital Economy Act. The consequence will be that potential terrorists will just use these smaller ISPs for their internet services leaving a big hole in the “surveillance net”
  3. The resources required to make this happen will be huge. The French government already knew about the Charlie Hebdo killers. They just lacked the feet on the street to keep tabs on them. Diverting staff to managing the data gathering project will mean even fewer feet on the street or divert cash from adding more feet.
  4. The technical challenges of managing sender and receiver data for email clients are not small, due to the hundreds of different clients out there with non-standard formats.
  5. Most email is in any case encrypted these days and is run on platforms that are not necessarily owned by UK businesses. The difficulties associated with extracting these data will not be small (if not impossible). Ditto social media platforms.
  6. Forcing these platforms to provide a back door into the encrypted data (assuming it will be doable) will erode trust in areas of the economy that also rely on such encryption such as banking and ecommerce.
  7. Businesses will move away from the UK. It will be the start of the rot and leave us with a reputation akin to China et al. when it comes to “surveillance society”.
  8. Terrorists will move deeper into darknets and continue to kill innocent people.
  9. On balance I’d spend the money on more feet on the street.

The rush to call for the snooper’s charter to be implemented would result in a bad law that will not have had adequate scrutiny. My wife and one of the kids were in the audience during last night’s BBC Question Time filmed in Lincoln’s Drill Hall. I watched despite it being well after my bedtime.

None of the panellists or the audience really had a grasp on the issues which reflects its highly complex nature. It’s very easy for MPs to support this type of legislation. Most right minded people will agree that it’s a good thing to stop terrorism. It’s just that they don’t understand the implications.

Check out other snoopers charter type posts here.

Categories
Business security

Theresa May anti terrorist stuff

Government proposing to introduce legislation to make ISPs keep IP address details for customers.

This one periodically raises its head. In order to properly police the growing terrorist threat the Government wants ISPs to keep records of who had which IP address and when.

When this sort of legislation gets introduced the government normally pays for any work that must be done as a consequence. So if an ISP has to put a lot of effort into developing systems to keep the data, Dave Cameron and his gang would stump up the cash.

The problem is that this always comes up against the hard rock of diminishing returns when it comes to smaller ISPs. In other words the implementation of such a system might often be considered to represent a disproportionate amount of work for a company with a small engineering team. If for example an ISP only had a couple of sys admins and a couple of network guys, having to take one of these engineers away from the day job in order to do government related dev work could be a serious disruption to the normal business operations of the company.

On the other side the government would be paying out to set up a system that might cover relatively few end users. They usually end up just asking the bigger ISPs to adhere to such a law (aka Digital Economy Act, where only 7 ISPs are involved). This would then leave a huge gap in the fence for the terrorists to swarm through.

I once had a conversation with someone from the Home Office about this. The HO guy could only say “how would they find out about it”. That’s a pretty naive position. What’s Google for? Let’s hope our security forces have a little more about them.

One might also be a little concerned about the fact that this legislation, if passed will be another of those rushed through without proper scrutiny. Again remember the DEAct. The election isn’t far off now…

Categories
End User security

Potential TalkTalk Router Security Flaw?

Interesting tweet describing a potential TalkTalk router security flaw

Picked this one up on Twitter. It describes a potential TalkTalk router security flaw. I can’t for the life of me think how this scenario happens unless somehow TalkTalk are using the same IP address for more than one router – I guess with Dynamic IP addresses it will happen.

If that was the case then he certainly shouldn’t be able to access the router. Suggests there is a default username and password in play. Maybe the routers are only locked down from people outside the TalkTalk network. Seems strange to me.


Should really be locked down for everything. Bit of a worry really especially when you consider that most people will have no idea what is going on. Someone could be browsing your unsecured laptop or phone. Most will be unsecured. Laptops at least. People tend to have a pin number on their phone to stop Fraping.

Anyway, thought this one was worth sharing. If anyone from TalkTalk engineering would care to comment that would be great. Suspect they will keep schtum though and get on with sorting it out.

The whole subject of personal security where the internet is concerned is a difficult one. It’s hard for most people to get their brains past anything other than just installing anti virus software and even then it is rarely maintained. ISPs need to take responsibility as far as they can for their customers safety.

It’s in their interest really. The last thing they want is for a customer’s PC to be compromised and to be spamming the world. Gets the ISP blacklisted.

As far as the TalkTalk router security flaw goes I’m sure there must be a simple and innocent explanation. Hope so anyway.

That’s all folks. Ciao bella.

Categories
End User security

Virgin Media net nanny parental controls make internet unusable

Virgin Media net nanny parental controls cockup

On Saturday Twitter was awash with complaints from Virgin Media customers unable to surf their weekend entertainments. Apparently the Virgin Media net nanny parental control system had gone tits up. Presumably during some maintenance.

Some Tweets for your info – then scroll down for some thoughts on the subject.


The danger with this kind of technology is that it will break the internet. Normally the issue is accidental blocking of legit sites who carry on innocently with their business not knowing that a chunk of their target market has been denied access to them.

Last weekend this was taken to the extreme as most websites were blocked. I don’t really have a problem with parents being able to opt in to parental controls (ie have to switch them on as opposed to others having to switch them off), although it is worth pointing out that any kid with a soupçon of street wisdom will know how to circumvent the system.

At my kids’ school it is a daily battle between teachers and taught to limit access to proscribed sites. More on this kind of subject here and ‘ere.

Also quite a few Twitter fuelled posts that you might find an interesting read over at broadbandrating.

So long…

Categories
Business security voip

SBCs – Maintaining Your Network’s VoIP Security

Session Border Controllers (SBCs) can greatly enhance VoIP security, all but eliminating toll fraud while also maintaining voice connectivity.

Trefor.net welcomes VoIP Week contributor Simon Horton, the Director of Sales, EU for Sangoma.

The term SBC (short for Session Border Controller) is liberally used in the VoIP industry today, but from my travels around the telecom channel it’s clear that there is significant misunderstanding and distrust about the role played by SBCs and when they are required.

The uptake of Enterprise Session Border Controllers or E-SBCs is being driven by the rise of SIP trunking in the UK. The number of ISDN channels (the traditional way of connecting enterprise to the telephone network, using dedicated copper wire) is shrinking at about the same rate as SIP trunking is growing, so assuming that the market size is static my conclusion is that all of the folks leaving ISDN are going to SIP trunking. In addition to the cost benefit, flexibility, and disaster recovery capabilities of SIP trunking, the proliferation of good quality and value connectivity (e.g., leased lines, EFM) is enabling the market growth.

Why SIP is more inherently risky

In the days of legacy TDM connections (Time Division Multiplexing, or the copper wire) phone calls took place on approved equipment connected to private networks run by the telco. Nothing else was connected or could be connected. Contrast this situation with SIP, where the connection could be across a public network or a network shared with data derived from multiple devices. In addition, calls can be placed and terminated across a wide range of devices such as IP-phones, smart phones, desktops, etc.

SIP deconstructed

Before examining how SBCs can help a typical enterprise it’s worth explaining that SIP consists of two main parts. First, there is the SIP protocol that sets up the call and conveys information about that call. Second, there is the media that carries the voice in RTP packets. Both of these streams need to be considered in order to maintain security.

Attacking the SIP protocol could let an intruder obtain passwords, spoof calls and commit toll fraud, a hot topic in our industry today. There are other ways that SIP can be disrupted as well: Denial of Service (DoS) attacks can cause packet overload, so that legitimate SIP messages cannot be processed and calls will not progress.

Media can often be tapped into and heard using tools that are readily available on the internet. The media ports can also be subjected to DoS attacks that can disrupt the audio.

The role of the SBC

The E-SBC sits at the edge of the enterprise network and manages all the voice connections made with SIP. SBCs are very feature rich and there is a lot of information out there discussing the many roles and functions that these flexible devices can perform. The SBC will be able to deal with disruptive DoS attacks by dropping packets at the network level before they become a problem. Encryption is also possible so that media and the call setup messages cannot be eavesdropped on. In addition, toll fraud is made much harder with the addition of policy control that allows only certain patterns of traffic to proceed, as well as only allowing known users and IP addresses to make and receive calls.

Why not a firewall?

Traditional firewalls are great for protecting data networks, but typically they provide inadequate protection for SIP. Firewalls cannot prevent some of the threats identified here as they are not constructed with an intimate knowledge of SIP. Remember those two parts of SIP we discussed earlier? Well, the average firewall cannot tie the two of those together; tying them together is a key function of the SBC, so that only the necessary connections are allowed through the edge of the network. A typical firewall also cannot delve deep within the SIP message, ensure its legitimacy, and if necessary drop it quickly before it gets to the IP-PBX and causes damage.
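To make the difference concrete, here is an added example (not Sangoma's code or any real SBC's) of the two things a SIP-aware edge does that a port-based firewall cannot: apply a call policy to the parsed INVITE (trusted source addresses and a dial plan, the toll-fraud controls described above), and open a media pinhole only for the exact address and port announced in the SDP body, tying the two parts of SIP together. The trusted networks, dial rules and the sample INVITE are all constructed for illustration.

```python
"""Minimal SIP-aware edge policy.

Added example, not the code of any SBC product. Trusted peers, dial rules and
the sample INVITE are constructed; RFC 5737 documentation addresses are used.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed policy: only these peers may send signaling to the edge.
TRUSTED_PEERS = {
    ipaddress.ip_network("198.51.100.0/24"): "trunk-provider",
    ipaddress.ip_network("203.0.113.10/32"): "branch-office",
}
# Constructed dial plan, evaluated in order: (pattern on dialled number, allow?).
DIAL_RULES = [
    (re.compile(r"^(00|\+)"), False),   # international prefix: deny by default
    (re.compile(r"^09"), False),        # UK premium-rate range: deny
    (re.compile(r"^\d{3,11}$"), True),  # ordinary internal/national numbers
]

# Constructed sample INVITE from the trunk provider, with an SDP body.
SAMPLE_INVITE = (
    "INVITE sip:01234567890@pbx.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.20:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:trunk@198.51.100.20>;tag=1928301774\r\n"
    "To: <sip:01234567890@pbx.example.net>\r\n"
    "Call-ID: a84b4c76e66710@198.51.100.20\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 0 0 IN IP4 198.51.100.20\r\n"
    "s=-\r\n"
    "c=IN IP4 198.51.100.20\r\n"
    "t=0 0\r\n"
    "m=audio 16384 RTP/AVP 18 0\r\n"
    "a=rtpmap:18 G729/8000\r\n"
)


@dataclass
class Decision:
    allowed: bool
    reason: str
    media_pinhole: Optional[tuple] = None  # (ip, port) to open for RTP, if allowed


def parse_sip(raw: str):
    """Split a SIP request into (request line, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def sdp_media(body: str) -> Optional[tuple]:
    """Return (ip, port) of the audio stream from the SDP c= and m= lines."""
    ip = port = None
    for line in body.split("\r\n"):
        if line.startswith("c=IN IP4 "):
            ip = line.split()[-1]
        elif line.startswith("m=audio "):
            port = int(line.split()[1])
    return None if ip is None or port is None else (ip, port)


def dialled_number(request_line: str) -> Optional[str]:
    m = re.match(r"INVITE sip:([^@;>\s]+)@", request_line)
    return m.group(1) if m else None


def evaluate(raw: str, source_ip: str) -> Decision:
    """Decide whether the request may pass, and which media pinhole to open."""
    src = ipaddress.ip_address(source_ip)
    peer = next((name for net, name in TRUSTED_PEERS.items() if src in net), None)
    if peer is None:
        return Decision(False, f"signaling from untrusted address {source_ip}")
    request_line, _headers, body = parse_sip(raw)
    if not request_line.startswith("INVITE "):
        return Decision(True, "non-INVITE request passed to the PBX")
    number = dialled_number(request_line)
    if number is None:
        return Decision(False, "malformed request URI")
    for pattern, allow in DIAL_RULES:
        if pattern.search(number):
            if not allow:
                return Decision(False, f"dial policy denies {number}")
            break
    else:
        return Decision(False, f"no dial rule matches {number}")
    media = sdp_media(body)
    if media is None:
        return Decision(False, "INVITE carries no usable SDP audio description")
    # A port-based firewall would have to leave the whole RTP range open;
    # here the pinhole is exactly the address and port the SDP announced.
    return Decision(True, f"allowed from {peer}", media)


if __name__ == "__main__":
    print(evaluate(SAMPLE_INVITE, "198.51.100.20"))
```

The pinhole returned by `evaluate` is meant to be opened when the call is set up and closed again on BYE, which is the behaviour the post contrasts with a static firewall rule.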

Summary

The recommended best practice is to install an SBC wherever there is a change in SIP network or wherever the WAN connections join the SIP network. A correctly configured SBC can provide peace of mind in that the possibility for toll fraud is eliminated and that voice connectivity will be maintained regardless of whatever else may be happening.

Categories
Business Mobile mobile connectivity phones security voip

VOIP BYOD

Those who build or sell VoIP systems need to begin coping with BYOD, because soon enough it will inevitably be on your system’s spec sheet.

Trefor.net welcomes VoIP Week contributor Paul Hayes, ProVu Communications Ltd.’s Product Development Director

Whether you’re a developer of IP PBX or a provider of hosted VoIP telephony services, you need to be doing something about mobile BYOD. BYOD (aka Bring Your Own Device) is the concept of company employees using their own hardware in addition to, or instead of, the hardware provided by and owned by the company itself. I use the term mobile because increasingly people want to use mobile phones and not desk phones. It may be a slightly foreign concept to a lot of readers, but there is a whole generation of future business people just around the corner who will have grown up with a mobile phone in their hand at all times.

It’s a simple idea on the surface: you have an iPhone because you like it and find it easy to use, right?

It might seem like this is all about greedy employers wanting their staff to buy their own kit, but not so. It stands to reason that allowing staff to use devices that they know, trust, and perhaps even enjoy should result in good productivity.

Enough has already been written on the advantages of BYOD, so what I want to talk about instead is how you as someone who builds or sells VoIP systems copes with BYOD, because if it’s not on your system’s spec sheet in the near future you’re going to seem rather old fashioned.

In my eyes there are two main issues the VoIP platform must overcome: maintaining professionalism and management of the devices.

First is the issue of maintaining professionalism. In the early days of VoIP there was a sense of triumph whenever pressing that tick button on your shiny new VoIP phone resulted in a working call with good audio quality. Thankfully, things have moved on, but the last thing you want is for your BYOD solution to represent a step back. It has to work reliably and it has to sound good, too, just like your VoIP desk phone does. At the same time, businesses need to look professional and maintain their own presence. For instance, most businesses don’t want the outbound phone calls they place to be seen as coming from different mobile numbers.

The second issue is device management. How do you know what people are using their mobiles for? How do you control which application they are using? How do you even change a setting on the device when it’s not owned by the business? How do you do all that without crippling the device?

The key to resolving these two issues is centralised management. We’ve been doing this with desktop VoIP phones for over ten years now; the same techniques must now be applied to mobile devices as well.

A company in Sweden called Opticaller Software has an interesting take on it all, offering a solution that involves an application for mobile devices (the usual suspects: iPhone, Android, Blackberry) and a server part that (for now) runs alongside an Asterisk IP PBX. That’s fairly interesting, of course, but what really makes it relevant here is that they also have a hosted management engine, a system that allows you to push the app out to mobile devices and that manages all settings related to the operation of the app. This is absolutely essential, and it seems to make the Opticaller solution fairly unique for the moment. Thus, no matter where the mobile devices are, provided they have just a tiny bit of a data connection, it is possible to control mobile telecommunications much like you can with desktop phones. All phone calls go through the VoIP PBX where they are recorded and accounted for and, crucially, you can control the outbound caller identification used for each call.

The mobile application itself does something that is both clever and yet simple. It uses the mobile voice network for the actual phone call. Maybe one day Wifi will be good enough to be used for mobile voice whilst out and about, but today that simply is not the case.

I used the Opticaller system myself on a recent business trip to Prague and found it very handy for calling people in the office using nothing more than their internal extension numbers. Also, it was very handy in reducing costs, as I only suffered roaming charges for inbound calls and not outbound ones. Please don’t make the mistake of thinking this is all about saving money, though, as the real problem being solved is how to integrate mobile BYOD into a VoIP phone system.

Categories
Business security voip voip hardware

VoIP Security and Your IP Phone

Concerns about the massive growth of telephone tapping incidents have led to a growing demand for IP telephone handsets that provide VoIP security.

Trefor.net welcomes VoIP Week contributor David Kirsopp, Technical Director snom UK Ltd

An IP-PBX can be reached from potentially anywhere in the world, and your communications network is vulnerable if not properly secured. As such, making sure you enhance security through your choice and implementation of your IP handsets is one of the security measures you should be considering when introducing VoIP into the organization’s network infrastructure.

Concerns about the massive growth of telephone tapping incidents have led to a growing demand for secure telephone handsets. The practical availability of secure telephones is restricted by such factors as politics, export issues, incompatibility between different products, and high prices.

When the VoIP traffic over the Internet is unencrypted, anyone with network access can listen in on conversations. Unauthorized interception of audio streams and decoding of signaling messages can enable an eavesdropper to tap audio conversations in an unsecured VoIP environment, a common threat. And eavesdropping is how most hackers steal credentials and other information; for example, customers reciting their credit card numbers to an airline booking attendant. All that’s needed is a packet capturing tool, freely available on the Internet, or switch port mirroring, and hackers can save the files, take them home, and cause disaster with the stolen information.

Equally or more dangerous than the hacking of the phone calls themselves is that the phone system may enable entry into the company network, and thus the phone connection becomes a portal to all data within the company.

Of course, there are solutions and safeguards that can reduce or even eliminate security weaknesses within VoIP systems.

Authentication-Based IP Addresses

Static configuration of your IP phones to your extensions will prevent easy access by intruders into a conversation. Specifically, you can specify at the IP-PBX which IP address can use a particular extension as a trusted address.

Confidentiality

Unlike PSTN calls which traverse dedicated circuits, VoIP calls are really just data going across the Internet…data that must be protected. By using encryption techniques like TLS and SRTP, you can protect both the signaling and the media stream, preventing others from listening in on the conversation using simple tools such as port mirroring and an RTP trace.

SIP packets contain private information: the IP address of the phone, the SIP server, the signaling and media ports that it’s expecting to listen on, the MAC address of the phone, and in some cases even the management port of the phone. This information should be sent over a TLS tunnel to hide it from snoopers, who though they will be able to see TLS packets will have no idea what’s in them.

Well-designed IP phones provide secure SIP signaling via TLS and audio stream encryption by incorporating SRTP (Secure Real-time Transport Protocol), a security profile that adds confidentiality, message authentication, and replay protection to the RTP protocol. SRTP is ideal for protecting Voice over IP traffic because it can be used in conjunction with header compression and has no effect on IP Quality of Service. These factors provide significant advantages, especially for voice traffic using low-bit rate voice codecs such as G.729. Ensure your phones provide TLS-based SIP signaling (SIPS) with a SIP proxy server and audio stream encryption using secure RTP based on 128-bit AES. SIPS not only prevents message manipulation and eavesdropping, but it also assures the proxy server of the identity of the client phone; hence, identity spoofing threats are also subdued by this mechanism. Some phones, including those produced by snom, also use AES in counter mode (AES-CM) for secure RTP, which creates a unique key stream for each RTP packet and thus makes it almost impossible for eavesdroppers to retrieve the original RTP stream from the encrypted SRTP stream.

Secure Media (over UDP)

If you want to increase security further, then purchase a certificate from a Certificate Authority (CA) like VeriSign, which is equivalent to having your documents signed by a Notary Public who is a trusted third party, verifying that you are who you say you are. Getting the certificate into the IP phones is currently the tricky part, as some phone vendors are not burning them in at the factory using the MAC address as part of the key.

Plug and Play and Certificates

Plug and play of phones on the wide area network is nothing new. The phone presents a MAC address, and based upon that MAC address the IP-PBX automatically provisions the phone so that it can make calls. The IP-PBX, however, is not able to verify the MAC address of the phone since it came from the WAN. In this case, the MAC address reflects that of the router, as that is where it came into the LAN. This is a security risk; however, some handsets have certificates burnt in at the factory, so after a key exchange the IP-PBX can be assured that the phone is what it says it is and that a certain MAC address belongs to a particular phone.
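The two trust models above, provisioning on a presented MAC address versus proving possession of something installed at the factory, are shown side by side in the following added example. It is not snom's provisioning code: the post describes factory-burnt certificates and a key exchange, and this stand-in uses an HMAC over a server nonce keyed with a per-device factory key so that it runs on the Python standard library alone. The MAC addresses, keys and extension numbers are constructed.

```python
"""Provisioning check: MAC-only trust versus a factory-installed device secret.

Added example, not snom's protocol. HMAC with a per-device factory key stands in
for the certificate-based key exchange the post describes; MACs, keys and
extensions are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed factory records: the per-device key installed at manufacture.
FACTORY_KEYS: Dict[str, bytes] = {
    "00:04:13:aa:bb:cc": bytes.fromhex("0f" * 32),
    "00:04:13:dd:ee:ff": bytes.fromhex("a1" * 32),
}
# Constructed PBX records: which extension each phone is assigned.
EXTENSIONS: Dict[str, str] = {"00:04:13:aa:bb:cc": "201", "00:04:13:dd:ee:ff": "202"}


def provision_by_mac_only(mac: str) -> Optional[str]:
    """The weak scheme: anyone presenting a known MAC receives its configuration."""
    return EXTENSIONS.get(mac)


class ProvisioningServer:
    """Challenge-response provisioning bound to the device's factory key."""

    def __init__(self) -> None:
        self._pending: Dict[str, bytes] = {}

    def challenge(self, mac: str) -> bytes:
        # A fresh random nonce per attempt, so a captured response cannot be replayed.
        nonce = secrets.token_bytes(16)
        self._pending[mac] = nonce
        return nonce

    def provision(self, mac: str, response: bytes) -> Optional[str]:
        nonce = self._pending.pop(mac, None)
        key = FACTORY_KEYS.get(mac)
        if nonce is None or key is None:
            return None  # no outstanding challenge, or no factory record for this MAC
        expected = hmac.new(key, nonce + mac.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return None
        return EXTENSIONS.get(mac)


def phone_response(device_key: bytes, mac: str, nonce: bytes) -> bytes:
    """What the handset computes with the key it holds; the key never leaves the phone."""
    return hmac.new(device_key, nonce + mac.encode(), hashlib.sha256).digest()


def genuine_phone_flow() -> Optional[str]:
    """A phone holding its factory key is provisioned with its extension."""
    server = ProvisioningServer()
    mac = "00:04:13:aa:bb:cc"
    nonce = server.challenge(mac)
    return server.provision(mac, phone_response(FACTORY_KEYS[mac], mac, nonce))


def mac_only_impostor_flow() -> Optional[str]:
    """A device that knows a valid MAC but holds no factory key is refused."""
    server = ProvisioningServer()
    mac = "00:04:13:aa:bb:cc"
    nonce = server.challenge(mac)
    return server.provision(mac, phone_response(b"", mac, nonce))


def replayed_response_flow() -> Optional[str]:
    """A previously valid response does not satisfy a new challenge."""
    server = ProvisioningServer()
    mac = "00:04:13:dd:ee:ff"
    old = phone_response(FACTORY_KEYS[mac], mac, server.challenge(mac))
    server.challenge(mac)  # a new nonce replaces the old one
    return server.provision(mac, old)


def unknown_mac_flow() -> Optional[str]:
    """A MAC with no factory record is refused before any HMAC check."""
    server = ProvisioningServer()
    mac = "00:04:13:00:00:00"
    nonce = server.challenge(mac)
    return server.provision(mac, phone_response(b"guess", mac, nonce))


if __name__ == "__main__":
    print("MAC only:", provision_by_mac_only("00:04:13:aa:bb:cc"))
    print("genuine:", genuine_phone_flow(), "impostor:", mac_only_impostor_flow())
```

The point the post makes survives the simplification: with MAC-only provisioning the PBX cannot tell where a MAC came from, whereas the challenge binds the configuration to a secret only the real handset holds, which is what the factory certificate and key exchange provide in practice.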

Centralised Security

Alternatively, security can be guaranteed from a central point independently of the individual applications and end devices. The advantages of this centralized approach are that it is a one-off implementation with low maintenance costs and the possibility to secure communications from multiple manufacturers. One option for centrally provided security is a Virtual Private Network (VPN), which is typically used for connections with field-based employees, in which a company network connects the branch offices to the computer centre or connects geographically separate servers or computer centres.

Categories
Business security surveillance & privacy voip

Why are the Major Telcos Afraid of encrypted voip?

A significant disconnect exists between the reality of today’s IP communications and the security concerns and needs of the customer (read encrypted voip).

Trefor.net welcomes VoIP Week guest contributor Peter Cox, UM Labs Ltd. Founder and CEO.

One of UM Labs’ long-standing customers is using our product to provide encrypted VoIP connections from remote users (mostly home workers) and to encrypt calls they make and receive on their SIP trunk. Their motivation is simple: They are in the USA and their business makes it necessary for them to work closely with federal government, a connection that subjects them to security and compliance requirements. This customer’s view is that applying encryption to all VoIP calls — including those made and received on their SIP trunk — is an essential step towards meeting these requirements. Even if some SIP trunk calls are then relayed in clear text, as is the case for PSTN calls, the encryption applied on the connection to their trunk provider protects their network and ensures the confidentiality of SIP trunk calls on the connection between the service provider and their office. This effort demonstrates that they are taking all reasonable steps to secure the network connections under their own control and is thus a significant step towards meeting the compliance requirements.

Recently, our customer’s existing service provider announced that they were considering discontinuing encrypted SIP trunk connections, and being unable to find an alternative they asked me for some alternative service provider recommendations. I posted the question to the SIP Trunking & Enterprise VoIP LinkedIn group and received a number of helpful replies. My question also sparked some interesting discussion. A number of the participants gave spurious reasons why encryption was too difficult or not needed on a SIP trunk. What surprised me most was that representatives of two very large and well known telcos weighed in against encryption. One claimed that providing an encrypted SIP trunk connection was incompatible with legal intercept requirements, while the other tried to claim that, since enterprises trust their data on “private” networks, they should trust their voice as well.

Addressing the claim that SIP trunk connections are not compatible with legal intercept requirements, I submit that when properly implemented and with the appropriate systems encrypted VoIP does not prevent legal intercept or call recording for compliance purposes. What it does stop is unauthorised call monitoring. The risk of unauthorised call monitoring is not confined to VoIP, as there is a significant risk to calls on cellular networks (see my recent blog at http://tinyurl.com/k38suu3). Encryption also has a role to play in controlling other threats, including call fraud.

Regarding the comment about enterprises trusting their data on private network connections to service providers, this I found even more surprising. I have spent many years in network security and this is the first time I have heard a connection to a 3rd party service provider classified as sufficiently private to trust for data transmission without some form of additional security. While connections to service providers may be more controlled than the open Internet, they are not private. Most enterprises will naturally want to protect their data with a VPN, so it makes sense to do the same for voice.

Part of the problem is that part of the telecoms industry is stuck in the past, back in the days when the phone companies owned and operated the networks. Things have moved on, and a significant proportion of all communications now runs on IP networks, much of it on the Internet. The move to IP has spawned new applications such as presence and IM and is the driving force behind convergence. The use of IP networks, and specifically the Internet for voice and UC, is a big step forward, but we must recognise that a different set of security rules apply. We have the knowledge and technology to address the security issues. Rather than finding reasons to avoid implementing VoIP and UC security technologies, the industry needs to embrace them and promote their implementation.

I won’t name the two telcos, but if you are interested in seeing them incriminate themselves you can follow the full LinkedIn discussion at http://tinyurl.com/ofdqgjy.

This is a VoIP week post on trefor.net. Check out other VoIP themed posts this week:

Why are major telcos afraid of encrypted VoIP? by Peter Cox
Emergency calls and VoIP by Peter Farmer
VoIP, the Bible and own brand chips by Simon Woodhead
Why the desktop VoIP telephone isn’t going away by Jeff Rodman
Small business VoIP setup by Trefor Davies
VoIP fraud: technological conventionality achieved by Colin Duffy