Archive

Posts Tagged ‘Skype’

First ride of imo.im

September 12th, 2008 Jenny 3 comments

It’s very exciting to get to the login page of https://imo.im. It’s amazing. It’s a web-based multi-client instant messenger. At this moment, it can support MSN, Yahoo, AIM / ICQ, Google Talk, MySpace, and Skype. Yes, and Skype.

I used my MSN account for the first ride. It has multiple crisp and slim windows embedded in the webpage, one small window per session. Login and chatting are very responsive. It supports Chinese (double-byte characters) very well.

Then I began to test Skype. The Skype login is quite fast. It works! I am wondering how these guys simulate a Skype client to login. You know two years ago it became top news when somebody re-engineered the Skype protocol and developed their own Skype-compatible client.

I know imo.im is using SSL. However, before users rush to switch to imo.im, they must address security concerns. They are still far from convincing users of its security. For example, how do they handle user data, including account information, passwords, and chat history? Actually, when I recommended imo.im to one of my friends, he told me that he did not want to test it because he didn’t want to expose his account information.

All in all, this is my first ride with imo.im. Its user experience is by far better than previous web IMs. In addition, it supports Skype. It’s a great plus. However, they have a long way to go before users are convinced to drop their traditional GUI IM clients.

Categories: -English-

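Will SPIT become as rampant as SPAM?

December 13th, 2007 Richard No comments

SPIT stands for Spam over Internet Telephony: spam and harassment over Internet telephony (slightly different from IP telephony), which may be an inexplicable voice message, an advertisement, or an automatically played malicious or otherwise deliberate call, and so on. Many reports and articles list it as one of the important security threats to VoIP. In other words, telephony at that point is not strictly controlled by carriers the way the current PSTN is; everything from signaling to voice is transmitted over today's highly threatening Internet, so it may be subject to Man-In-The-Middle attacks, eavesdropping, hijacking, insertion, spoofing, and so on.

Gartner expert Lawrence Orans pointed out in a report that SPIT will not become as rampant as today's SPAM, because SPIT lacks the business model that SPAM has.

SPAM: junk mail is sent out, the user sees the enticing content in it, clicks a link, and is led to some website, where he may complete some transaction or operation. Thus the spammer profits. SPIT does not work that way: a recording is played, and even if the user patiently listens to the end, it is impossible or inconvenient for him to write down a link with a pen, enter it at some website, and complete a transaction. So SPIT will not bring particularly obvious profit, and therefore will not become rampant.

It is said that services may appear in the future where you listen to advertisements in exchange for free calls. LO's view makes sense, but SPIT may also develop new business models, which would attract those blinded by greed.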

Upgrade your Skype ASAP

December 10th, 2007 Richard No comments

According to a Zero Day Initiative report, Skype has a vulnerability which could result in a denial of service or arbitrary code execution. A remote attacker could attempt to exploit this issue by convincing a user to visit a specially crafted Web page. To remove this vulnerability, all clients need to be updated to, or installed from, a version released on 11/15/2007 or later.

To keep others from breaking into your computer, please upgrade your Skype to 3.6. Read more…

Categories: -English-, Security

Survey on P2P Traffic Identification

May 31st, 2007 Richard 6 comments

We have talked about VoIP legal monitoring and source location. In H.323, softswitch, or IMS VoIP networks, it can possibly be done through signaling analysis. But for P2P VoIP, especially encrypted P2P VoIP such as Skype, it is very difficult to identify P2P voice traffic.

Traffic classification and traffic identification can be useful in both ISP and enterprise environments, as well as on various occasions:

  • Network planning and design
  • Security policy such as legal monitoring, blocking
  • QOS policy such as rate limitation, prioritization
  • Pricing

Now there are two kinds of P2P traffic identification algorithms: transport layer based or payload based. Read more…

Categories: -English-, P2P, Telecom

Skype phishing from skype@security.co.uk

May 15th, 2007 Richard 9 comments


This morning, when I checked my Gmail account, I found the email below from skype@security.co.uk. It notified me to update my Skype account by following the embedded link, otherwise my account might be suspended temporarily:

Dear valued skype member:

It has come to our attention that your skype account informations needs to be
updated as part of our continuing commitment to protect your account and to
reduce the instance of fraud on our website. If you could please take 5-10 minutes
out of your online experience and update your personal records you will not run into
any future problems with the online service.

However, failure to update your records will result in account suspension.
Please update your records on or before May 15, 2007.

you are requested to update your account informations at the following link.

https://secure.skype.com/login_update_done=1115487

*Important*
We have asked few additional information which is going to be the part of secure login process. These additional information will be asked during your future login security so, please provide all these info completely and correctly otherwise due to security reasons we may have to close your account temporarily.

Note the embedded link. What it shows is a link to skype.com, but it actually points to:

http://interflightstudio.com/store/images/screenname/index-ie_files

/okhc3QwlKBNmvFLueSMJ-jrk7rKBryuYQVUSNUiV33wyG-sD5ar6ik
WPdvonrkiYMq1Cdfh2TO1cNTi&shva/login.html

That’s a typical phishing scam. Please take note.
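The check the post describes, comparing the URL a link displays with the URL it actually targets, can be automated. The following is an added example, not part of the original post; the function names and the HTML wrapper around the two URLs are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Host name at the start of URL-looking link text; the scheme is optional.
URL_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?=[/:?#\s]|$)", re.I)

# Constructed HTML wrapper; the shown URL and the start of the real target are quoted from the post.
SAMPLE_EMAIL = (
    '<p>Update your account at the following link.</p>'
    '<a href="http://interflightstudio.com/store/images/screenname/index-ie_files">'
    'https://secure.skype.com/login_update_done=1115487</a>'
    '<p><a href="https://www.skype.com/help">www.skype.com/help</a></p>'
)

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    """Last two labels only: a crude stand-in for a public-suffix lookup."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def find_mismatched_links(html):
    """Return anchors whose visible URL points somewhere other than the href."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown = URL_IN_TEXT.search(text)
        if not shown:
            continue  # link text is not a URL, so there is nothing to compare
        target = urlsplit(href)
        actual_host = target.hostname or ""
        reasons = []
        if registrable(actual_host) != registrable(shown.group(1)):
            reasons.append("host-mismatch")
        if text.lower().startswith("https://") and target.scheme != "https":
            reasons.append("scheme-downgrade")
        if reasons:
            findings.append({"shown": shown.group(1).lower(), "actual": actual_host, "reasons": reasons})
    return findings
```

Run over `SAMPLE_EMAIL`, it flags only the first anchor, for both the host mismatch and the drop from the displayed `https://` to plain `http://`.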

Categories: -English-, Security

VoIP Threats

May 1st, 2007 Richard No comments

VoIP security is an interesting topic in the circle. VoIPsa is a very good community where you can find many valuable discussions and much knowledge sharing. It’s highly recommended to register for their mailing list if you are interested in keeping in touch with the latest research on VoIP security.

I recommend a very good article to you. It’s from DataStronghold, by Mr. Michael Talbert, where you can find a very comprehensive summary of security threats to VoIP systems. Below are some points from the article.

  • SPIT: The new Spam for VoIP
  • Eavesdropping
  • Phishing the Waters of Voice over IP
  • SIP Registration Hijacking
  • Spoofing

Read more…

Categories: -English-, Security, Telecom

Skypekiller sounds ridiculous

April 30th, 2007 Richard 4 comments


There has been a lot of discussion and even debate on whether or not enterprises should permit Skype. The focus point here is its security issues. I listed ten security concerns about Skype before. However, it is indeed of value. It can help lower voice communication costs and is very convenient. There are more and more value-added services on it. Anyway, nobody can overlook the existence of hundreds of millions of Skype subscribers. That means business opportunity for many startups and technical geeks. They are proud of their hacking of and breaking into Skype. Read more…

Categories: P2P, Security, Telecom

Use Skype as a home security system ?

April 29th, 2007 Richard 1 comment

Solomon’s blog shared a very interesting idea: to use Skype as a home security system. When you work at the office or go out traveling, you can connect back to watch what’s happening at your home. So cool!

1. Open two new accounts.
2. On account 1 add new user two as your ONLY contact.
3. Re-log in as account 1 and set as follows:
   Go to tools–>options–>advanced–>(tick) automatically answer Incoming calls–>
   Then go to Tools–>options–>Video–>(tick) start video automatically and Only People in My contacts–>save.
   Leave this account online.
4. Log in as account 2 from another PC.

But I am wondering: if there is no security here, the world will share the view of your home with you, as long as they find that account. So please do remember to configure yourself as the only person who can talk with this account.

Categories: -English-, P2P, Security

New Trojan calls on Skype

March 28th, 2007 Richard 2 comments

Skype is now proud of its millions of online subscribers. At the same time, Trojan makers are becoming more interested in Skype too. This is a news item at NetworkAsia by:

During this trip to Raleigh, NC, I bought some credit at Skype so that I can call China using the free Internet at the Hotel. The quality of SkypeOut is very impressively good, while the price is just 0.17c. Skype has been an International carrier, without nation barriers, even to China.

Another Trojan horse is spreading through the Internet telephone network of Skype Ltd.

The malicious code, known as both Warezov and Stration, is similar to an earlier version detected in February, but with a new URL (uniform resource locator) and a new version of the malicious code, according to an alert posted Thursday by Websense Inc.

Websense warns Skype users to watch for the message “Check up this,” with a URL containing a hyperlink.

The code itself isn’t self-propagating but when it runs, the URL is sent to everyone on the user’s contact list.

When users click on the link, they are redirected to a site that is hosting a file named file_01.exe. Users are then prompted to run the file and if they do, several other files are downloaded and run. The downloaded files are other versions of the Warezov/Stration malicious code.

Once the Trojan is installed in a system, it tries to connect to a Yahoo Inc. mail server to send an SMTP (Simple Mail Transfer Protocol) message.

However, that server doesn’t appear to be operating, according to Websense.

Skype, a division of eBay Inc., offers a number of Internet-based services, including VOIP (voice over Internet Protocol) and instant messaging.

Categories: -English-, P2P, Telecom

VoIP saves money ?

March 22nd, 2007 Richard 1 comment

During these days, I am struggling to find an answer for myself – Will VoIP really help enterprises save money?

In the industry, VoIP is almost a “must” for newly deployed voice systems, particularly for long distance calls. The reason to do so seems to be obvious – VoIP helps save money. After checking the data on WAN costs and the cost saved with VoIP, I find it’s very difficult to convince myself. My own data from the real world and some other reference data from a huge MNC tell the same story.

If you use dedicated leased lines to carry VoIP, it’s not cost-saving, while VoIP over Internet saves money.

In fact, during an open discussion, consultants from a very famous VoIP vendor admitted this judgement. But they insisted that VoIP/IP Telephony will help improve productivity, through short numbers, enterprise announcements, etc. However, productivity is very difficult to measure, isn’t it? Of course, the last reason to deploy VoIP/IPT devices is to protect investment. ;) This is another difficult-to-measure reason.

By accident, I found this old article by Tim Hills which discussed VoIP vs PSTN very interestingly. Here are some of its contents:

  • Why Bother With VOIP?
  • It’s NOT about old wine in new bottles
  • VOIP Risks
  • VOIP + IP/MPLS works – but how well?
  • VOIP Reliability
  • Failures will happen – will new technologies help?
  • Management Challenges
  • IP/MPLS management is at last coming up to speed for voice needs
  • Improving VOIP QOS
  • Carriers are learning to reimplement the past to improve VOIP QOS

Categories: -English-, P2P, Telecom

    How to design enterprise internet interfaces ?

    March 9th, 2007 Richard 1 comment

    The question seems to have a very straightforward answer. Access routers, firewalls, security proxies, and optional intrusion detection systems (IDS) or intrusion prevention systems (IPS) and DMZ … That’s enough? For a small to medium size enterprise, maybe yes. However, for an MNC with tens of offices worldwide, things become much more complicated.

    Generally speaking, almost every security manager or IT manager agrees that Internet interfaces are one of the most important sources of security threats. Every Internet interface means money to protect it. On the other hand, in the CIO’s notebook, there has always been one strategy: make use of the cheap and reliable Internet when possible. Local Internet access means lower WAN cost.

    That’s something complex that requires you to balance security risk, protection cost, and WAN cost. See diagram. An easy answer: you’d better permit Internet access for most sites where the Internet is cheap and reliable, while choosing different security safeguards at the Internet border and VPN borders. Back in your real world, that’s up to you, my friend.

    Categories: -English-, P2P, Security

    SkypePrime – fee-based voice service by Skype

    March 8th, 2007 Richard 3 comments

    Tonight Dan summarized one new offering by Skype – SkypePrime, a creative fee-based voice service. That means everybody can create a voice information service with Skype, becoming a VISP (Voice Information Service Provider). Then you can try to list your services at some directory or indexing services. Potentially this might be an evolution model for the booming podcasting on the Internet. At the same time, this kind of service might give birth to some kind of sex/porn calls.

    Dan York’s blog is very attractive. I often find his novel ideas and discoveries about VoIP and security there. Please check out his personal blog at: disruptivetelephony. If you want to know more about him, check this link.

    Categories: -English-

    What’s your choice? Blue Coat or ISA ? hardware or software proxy?

    March 7th, 2007 Richard 7 comments


    Almost every enterprise IT security manager is facing the same problems: how to control the Internet? How to implement granular security policy at the perimeter? When you dig through the Internet, you will find a bunch of discussions and threads, among which the discussions and debates between Thomas and Antishinder are quite interesting.

    The assertions by Blue Coat are as follows:

    • The ISA firewall cannot be as secure as Blue Coat proxies because it runs on a general purpose server that has ongoing security vulnerabilities
    • The ISA firewall is unable to inspect traffic inside an SSL tunnel
    • The ISA firewall is unable to inspect and manage peer-to-peer, instant messaging and multimedia connections
    • The ISA firewall has limited support for granular access control
    • The ISA firewall’s network performance is inferior to Blue Coat’s proxy performance

    The fight back from Thomas is very strong. Personally speaking, I think the origin of this debate depends on your attitude toward hardware or software security devices. The former will help lower the installation and operation cost, while the latter has a lower price. So if your enterprise is lucky enough to be mature in server operations, the software proxy solution is as good as, or better than, the hardware solution.

    Categories: -English-, P2P, Security

    SkypeFind in Skype 3.1

    March 4th, 2007 Richard No comments

    More and more colleagues are starting to use Skype to talk with their families when they are on business trips, enjoying free overseas communications with earphones. No doubt, I do the same. Why not? Would you like to pay those telecom companies around tens of cents per minute while you can talk for free? That’s exactly the reason why Skype has been growing so fast.

    When I checked their newest version at their website tonight, I found a beta version 3.1 with an interesting feature, SkypeFind. That’s something like a business bulletin, but with an unprecedentedly large number of subscribers. The current beta version is 3.1.0.112, while the latest stable version is 3.0.0.218.

    In the new version, unyte is a built-in feature, which enables friends to share desktops and applications remotely. Another new feature – Shared Sketch Pad – is very interesting too.

    Categories: -English-, P2P, Telecom

    What Hamachi brings?

    July 28th, 2006 Richard 1 comment

    Bill recommended one “new” application to me. That’s Hamachi. It gave me a very complicated feeling.

    It’s a wonderful software application, which provides us a virtual LAN over the Internet. It’s a typical overlay network application, which makes use of P2P technology and has the capability to traverse the NAT/FW enterprise perimeter. Additionally, it brings us an interesting function – Web Proxy:

    Built-in Web proxy
    An option to use Hamachi as a simple web proxy. This way your Hamachi peers may configure their Web browsers to access the Internet via your computer and therefore protect their Web traffic while it is in transition between you and them.

    This feature is typically used for securing Web surfing from untrusted locations including cybercafes, coffee houses, hotels, etc

    Obviously, the founders of Hamachi have learned the lesson from Skype. They have made a lot of effort to open their protocols and algorithms for identity, authentication, and communications among system components. That will be a door-knocker to those enterprise IT managers, because there must be growing security and system management software to support Hamachi, as long as Hamachi’s installed base gets large enough. According to their website, Hamachi had over 3,000,000 users as of June 17, while this number was merely 2,000,000 in April, growing 50% in two months.

    It’s a wonderful remote collaboration tool, as well as a virtual networking platform, particularly in the current booming broadband world.

    On the other hand, the spread of this kind of software (for others, see vnn.cn, softether.com) has been eroding and further eliminating the enterprises’ network perimeter, leading to the compromise of security policy. It requires that firewalls and networking devices support more and more layer-7 applications, in particular P2P overlay networking traffic. Moreover, traditional IDS and UTM won’t work in the face of virtual LANs.

    Let’s keep an eye on them together. See my comment in Chinese.

    Categories: P2P, Security