Archive

Posts Tagged ‘VoIP’

New Trojan calls on Skype

March 28th, 2007 2 comments

Skype is now proud of its millions of online subscribers. At the same time, Trojan makers are becoming more interested in Skype too. Here is a news item from NetworkAsia:

During this trip to Raleigh, NC, I bought some Skype credit so that I could call China using the free Internet at the hotel. The quality of SkypeOut is impressively good, while the price is just 0.17c. Skype has become an international carrier without national barriers, even to China.

Another Trojan horse is spreading through the Internet telephone network of Skype Ltd.

The malicious code, known as both Warezov and Stration, is similar to an earlier version detected in February, but with a new URL (uniform resource locator) and a new version of the malicious code, according to an alert posted Thursday by Websense Inc.

Websense warns Skype users to watch for the message “Check up this,” with a URL containing a hyperlink.

The code itself isn’t self-propagating but when it runs, the URL is sent to everyone on the user’s contact list.

When users click on the link, they are redirected to a site that is hosting a file named file_01.exe. Users are then prompted to run the file and if they do, several other files are downloaded and run. The downloaded files are other versions of the Warezov/Stration malicious code.

Once the Trojan is installed in a system, it tries to connect to a Yahoo Inc. mail server to send an SMTP (Simple Mail Transfer Protocol) message.

However, that server doesn’t appear to be operating, according to Websense.

Skype, a division of eBay Inc., offers a number of Internet-based services, including VOIP (voice over Internet Protocol) and instant messaging.

Categories: -English-, P2P, Telecom
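The chain described in the alert above (an executable fetched from a link, several more executables downloaded, then an SMTP connection attempt) can be expressed as a per-host correlation over proxy and firewall events. This is an added example, not code from the original post or from Websense; the log format, host names, URLs and the 10-minute window are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in an assumed format:
#   timestamp  source-host  event-type  detail
SAMPLE_LOG = """\
2007-03-23T09:00:05 pc-17 HTTP_GET http://files.example.test/file_01.exe
2007-03-23T09:00:40 pc-17 HTTP_GET http://files.example.test/a/upd1.exe
2007-03-23T09:00:52 pc-17 HTTP_GET http://files.example.test/a/upd2.exe
2007-03-23T09:01:30 pc-17 TCP_CONNECT mail.example.test:25
2007-03-23T09:02:00 pc-22 HTTP_GET http://downloads.example.test/setup.exe
2007-03-23T09:05:00 pc-30 TCP_CONNECT mail.example.test:25
2007-03-23T11:00:00 pc-22 TCP_CONNECT mail.example.test:25
"""

WINDOW = timedelta(minutes=10)  # assumed correlation window
EXE_URL = re.compile(r"^https?://\S+\.exe(\?\S*)?$", re.IGNORECASE)


def parse(log_text):
    """Yield (time, host, kind, detail) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], parts[3]


def find_dropper_chains(log_text, min_followups=2):
    """Return hosts showing: an .exe download, then at least
    `min_followups` further .exe downloads, then an outbound SMTP
    connection (port 25), all within WINDOW of the first download."""
    by_host = defaultdict(list)
    for event in sorted(parse(log_text)):
        by_host[event[1]].append(event)

    flagged = {}
    for host, events in by_host.items():
        exe_times = [ts for ts, _, kind, detail in events
                     if kind == "HTTP_GET" and EXE_URL.match(detail)]
        smtp_times = [ts for ts, _, kind, detail in events
                      if kind == "TCP_CONNECT" and detail.endswith(":25")]
        for start in exe_times:
            end = start + WINDOW
            followups = [t for t in exe_times if start < t <= end]
            if len(followups) < min_followups:
                continue
            # SMTP must come after the required follow-up downloads.
            smtp = [t for t in smtp_times
                    if followups[min_followups - 1] <= t <= end]
            if smtp:
                flagged[host] = {"first_exe": start,
                                 "followups": len(followups),
                                 "smtp_at": smtp[0]}
                break
    return flagged
```

A single executable download (pc-22) or a lone SMTP connection (pc-30) is not flagged; only the full sequence on one host inside the window is.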

A good site on “Telecom Terminology Definitions”

March 26th, 2007 No comments

It’s a good site on “Telecom Terminology”. I found it when I searched for “TFN” at google.com. Hope it helps you too. Check it out.

Categories: -English-, P2P, Telecom

VoIP saves money?

March 22nd, 2007 1 comment

These days, I am struggling to find an answer for myself – will VoIP really help enterprises save money?

In the industry, VoIP is almost a “must” for newly deployed voice systems, particularly for long distance calls. The reason seems obvious – VoIP helps save money. After checking the data on WAN costs and the cost saved with VoIP, I find it very difficult to convince myself. My data comes directly from the real world, and reference data from a huge MNC tells the same story.

If you use dedicated leased lines to carry VoIP, it’s not cost-saving, while VoIP over Internet saves money.

In fact, during an open discussion, consultants from a very famous VoIP vendor admitted this judgement. But they insisted that VoIP/IP Telephony will help improve productivity through short numbers, enterprise announcements, etc. However, productivity is very difficult to measure, isn’t it? Of course, the last reason to deploy VoIP/IPT devices is to protect investment. ;) This is another difficult-to-measure reason.

By accident, I found this old article by Tim Hills, which discusses VoIP vs PSTN in a very interesting way. Here are some of its contents:

  • Why Bother With VOIP?: It’s NOT about old wine in new bottles
  • VOIP Risks: VOIP + IP/MPLS works – but how well?
  • VOIP Reliability: Failures will happen – will new technologies help?
  • Management Challenges: IP/MPLS management is at last coming up to speed for voice needs
  • Improving VOIP QOS: Carriers are learning to reimplement the past to improve VOIP QOS

Categories: -English-, P2P, Telecom

“you and me against the world”

March 13th, 2007 1 comment

We must admit that Jobs is a genius, not only in the technology sense but also in the business marketing sense. Since Jobs returned to a languishing Apple in 1997 after his 1985 ouster, Apple has been reborn. Most young people are talking about Apple’s innovative products, buying them and treating them as fashion.

USAToday has a very good article outlining the secrets behind Jobs’ success in

  • 1 Make innovative products
  • 2 Keep it simple
  • 3 Create truly memorable ads
  • 4 Find an enemy
  • 5 Work the taste-makers
  • 6 Offer surprises
  • 7 Put on a show

Categories: -English-

SkypePrime – fee-based voice service by Skype

March 8th, 2007 3 comments

Tonight Dan summarized one new offering by Skype – SkypePrime, a creative fee-based voice service. That means everybody can create a voice information service with Skype, becoming a VISP (Voice Information Service Provider). Then you can try to list your services in some directory or indexing service. Potentially this might be an evolution of the podcasting boom on the Internet. At the same time, this kind of service might give birth to some kind of sex/porn calls.

Dan York’s blog is very attractive. I often find his novel ideas and discoveries about VoIP and security there. Please check out his personal blog at: disruptivetelephony. If you want to know more about him, check this link.

Categories: -English-

What’s your choice? Blue Coat or ISA? Hardware or software proxy?

March 7th, 2007 7 comments

Almost every enterprise IT security manager faces the same problems: how to control the Internet? How to implement granular security policy at the perimeter? When you dig around the Internet, you will find a bunch of discussions and threads, among which the debates between Thomas and Antishinder are quite interesting.

The assertions by Blue Coat are as follows:

  • The ISA firewall cannot be as secure as Blue Coat proxies because it runs on a general purpose server that has ongoing security vulnerabilities
  • The ISA firewall is unable to inspect traffic inside an SSL tunnel
  • The ISA firewall is unable to inspect and manage peer-to-peer, instant messaging and multimedia connections
  • The ISA firewall has limited support for granular access control
  • The ISA firewall’s network performance is inferior to Blue Coat’s proxy performance

The fight back from Thomas is very strong. Personally speaking, I think the origin of this debate lies in your attitude towards hardware versus software security devices. The former will help lower the installation and operation cost, while the latter has a lower price. So if your enterprise is lucky enough to be mature in server operations, the software proxy solution is as good as, or better than, the hardware solution.

Categories: -English-, P2P, Security

SkypeFind in Skype 3.1

March 4th, 2007 No comments

More and more colleagues are starting to use Skype to talk with their families when they are on business trips, enjoying free overseas communication with earphones. No doubt, I do the same. Why not? Would you like to pay those telecom companies around tens of cents per minute when you can talk for free? That’s exactly why Skype has been growing so fast.

When I checked the newest version on their website tonight, I found a beta version 3.1 with an interesting feature, SkypeFind. It’s something like a business bulletin, but with an unprecedentedly large number of subscribers. The current beta version is 3.1.0.112, while the latest stable version is 3.0.0.218.

In the new version, unyte is a built-in feature, which enables friends to share desktops and applications remotely. Another new feature, Shared Sketch Pad, is very interesting too.

Categories: -English-, P2P, Telecom

SANS Top 20 Internet Security Attack Target List for 2006 includes VoIP for the first time

November 16th, 2006 2 comments

Today SANS announced the 2006 version of their annual “Top-20 Internet Security Attack Targets” and for the first time, VoIP is included as one of the threats. It was listed as N1:

N1.1 Description

VoIP technology has seen rapid adoption during the past year. At the same time, there has been an increase in security scrutiny of typical components of a VoIP network such as the call proxy and media servers and the VoIP phones themselves. Various products such as Cisco Unified Call Manager, Asterisk and a number of VoIP phones from various vendors have been found to contain vulnerabilities that can either lead to a crash or a complete control over the vulnerable server/device. By gaining a control over the VoIP server and phones, an attacker could carry out VoIP phishing scams, eavesdropping, toll fraud or denial-of-service attacks.

Since many VoIP servers especially the ones at VoIP service providers are an interface between SS7 (traditional phone signaling) and IP networks, an attacker capable of compromising a vulnerable VoIP server could even potentially manipulate the SS7 signaling interconnection to disrupt services on the Public Switched Telephone Network (PSTN).

See more comments and the report at the VoIPsa blog.

Categories: -English-, P2P, Security

What Hamachi brings?

July 28th, 2006 1 comment

Bill recommended one “new” application to me: Hamachi. It gave me very mixed feelings.

It’s a wonderful software application, which provides us with a virtual LAN over the Internet. It’s a typical overlay network application, which makes use of P2P technology and has the capability to traverse the NAT/FW enterprise perimeter. Additionally, it brings us an interesting function – Web Proxy:

Built-in Web proxy
An option to use Hamachi as a simple web proxy. This way your Hamachi peers may configure their Web browsers to access the Internet via your computer and therefore protect their Web traffic while it is in transition between you and them.

This feature is typically used for securing Web surfing from untrusted locations including cybercafes, coffee houses, hotels, etc.

Obviously, the founders of Hamachi have learned the lesson from Skype. They have put a lot of effort into opening their protocols and algorithms for identity, authentication, and communications among system components. That will be a door-knocker for enterprise IT managers, because there will be growing security and system management software to support Hamachi, as long as Hamachi’s installed base gets large enough. According to their website, Hamachi had over 3,000,000 users on June 17, while this number was merely 2,000,000 in April, growing 50% in two months.

It’s a wonderful remote collaboration tool, as well as a virtual networking platform, particularly in the current booming broadband world.

On the other hand, the spread of this kind of software (for others, see vnn.cn, softether.com) has been eroding and further eliminating the enterprise network perimeter, leading to the compromise of security policy. It requires that firewalls and networking devices support more and more layer-7 applications, in particular P2P overlay networking traffic. Moreover, traditional IDS and UTM won’t work in the face of virtual LANs.

Let’s keep an eye on them together. See my comment in Chinese.

Categories: P2P, Security

VoIPsa Blog

June 1st, 2006 No comments

Here comes an eye-catching blog on VoIP security: the VoIPsa Blog.

Categories: P2P, Security, Telecom

Will Net Neutrality come again?

April 29th, 2006 No comments

See the comment at the Register, titled "Net Neutrality bid gone for good", by Andrew. A bunch of Internet giants expressed their discontent with Net Neutrality, for its vagueness and injustice. Andrew is hoping for a "more coherent and professional fashion", and even "with better branding". The key point in my mind, for its possible return, is the balance of benefits between transmission network operators (typically the traditional telcos) and CP/SPs. The latter would not like to let the former "tame" the Internet, but "foster" it.

See the story by Andrew…

Categories: P2P, Telecom

SMA, VoIP and Identity

April 25th, 2006 No comments

There was an interesting description of SMA (Secure Mobile Architecture) by another Richard from Boeing :) . SMA is expected to address security issues in VoIP and identity for enterprise networks, with some sample implementation inside Boeing.

There have to be some fundamental changes in the way the Internet operates. One way is through a framework and architecture called the Secure Mobile Architecture (SMA). This architecture is published by The Open Group and is available at the following URL:
http://www.opengroup.org/bookstore/catalog/select.tpl?text=secure+mobile+arch
The architecture addresses many of the issues you have been talking about. Until we actually address the issues of basing security on the MAC and IP addresses, all of your approaches will not address the basic problem.

I have an example of the issues hiding our heads in the sand can lead to. I have been a member of IEEE 802.11 since about 1995. Boeing got involved in 802.11 because of the potential solutions 802.11 provided for both Internet access onboard airplanes and for the mobile enterprise communications. So I got involved early in the security provided for the Wireless LANs. The initial group of 802.11 standards developers felt, as I did, that the WEP was sufficient (good enough) to get the standard rolling. It wasn’t! The work around was VPNs for any wireless connections, but it definitely slowed and inhibited the growth of WLANs. It took six years to provide a WEP replacement that was cryptographically secure.

If IEEE 802.11i is any example, the VOIP growth and viability is inexorably tied to how secure our telephone calls are. I have always been incredulous that we never cared very much how vulnerable our telephone conversations are. The wire makes us seem less vulnerable, but in fact, backbone communications links are sometimes over major microwave links. Many of the Fortune 500 contractually stipulate that none of their business communications are sent over microwave links. In addition to the microwave links, we have wholly trusted our telephony companies to protect us and they have done quite a good job in that most of the connections are in central offices that have not been broken into. This is all changing now and this mailing list is at the forefront of the discussion. What do we do about voice security now that our telephone conversations are riding over the Internet and have all the Internet vulnerabilities of viruses, MAC address spoofing, IP address spoofing, replay, spamming, etc?

In the big picture, end-to-end secure sessions with cryptographically based mechanisms to identify people and machines are the only way to assure secure VOIP communications. In our work with the Secure Mobile Architecture (SMA), we have been exposed to all the regulatory requirements for privacy and legality. These requirements include Sarbanes-Oxley, HIPAA, and many others. They are quite extensive and demanding, especially of privacy and protection from exposure on the Internet. Without addressing the requirement of an end-to-end cryptographically secure infrastructure, we are not addressing the problem and those of us responsible for unleashing VOIP on the world have a responsibility to address this problem in a big picture way.

The core of the problem comes from the relationship of security and identity. When I first heard and participated in discussions on identity management, I was very skeptical that this was a required discipline at all. In fact, I still think that identity management is not the right term for what we need to address in Internet VOIP and WLAN infrastructure contexts. We do not need to manage the identities. In reality, the people, organizations, and enterprises need to be assured that their identities are protected when they use the Internet. So, the identity of a person or machine must be protected in a business context or in an individual context. By the way, this identity of a machine is an imperative one to address. We are still not doing a good job of identifying a computer or intelligent machine’s identity. In fact, as VOIP gets more integrated into the business processes and telephony becomes more versatile and VOIP applications are used for event notification, the validity of such processes is dependent on getting the cryptographically validated sources of the VOIP information you get.

The architecture The Open Group developed called the Secure Mobile Architecture (SMA) deals with these issues through the use of four elements (Boeing deployment); 1. Public Key Infrastructure (PKI) access, 2. use of the Host Identity Protocol (HIP), 3. a Network Directory Service (NDS), and 4. use of a Location Enabled Network Service (LENS). I will treat each of these and their relationship to VOIP and VOIP security in the following four paragraphs.

Categories: -English-, Security, Telecom

More on SOX – VoIP

April 18th, 2006 No comments

Gary Audin wrote a good post on VoIP and SOX, with a very unique viewpoint and insight. Gary reviewed the goal of SOX, criticized its maturity and operability, and even predicted its modification in the near future.

The SOX goal is to insure the reliability of publicly reported financial information. Corporate boards, enterprise executives and directors, attorneys, auditors, small business owners, rank and file employees and security analysts have expanded duties as well as penalties as a result of the SOX act. The legislation was not thoroughly debated. The result is being questioned, delayed and will probably be modified. It is a moving target where auditors may develop new policies and requirements in the future. My initial comments on SOX will be found in the previous Blog, “Putting up with SOX”.

Further, Gary discussed what IP telephony (IPT) / VoIP systems might bring to SOX compliance.

IP Telephony systems will have IP phones that may access the Internet and softphones that are compromised. These could be the man-in-the-middle for attacks or malicious behavior. The call server could be hijacked to create denial of service for the VoIP service. Trojan break-ins could access financial information from an IPT device. Even when there are security personnel and procedures in place, if they are handled poorly and the CEO and CFO falsely report that they are diligent in their control, penalties may occur.

….

Do not wait for the audit. The results can be costly. Be proactive as you move to VoIP/IPT.

IMHO, because SOX is a finance-oriented act, if VoIP/IPT is not your business, i.e. a revenue generator, you might not cover VoIP auditing in your SOX compliance audit, because in general these systems are not used to process and control financial numbers. However, it's different for VoIP operators, where security control of VoIP billing directly impacts the final financial results and, moreover, the shareholders' benefit.

Categories: Security, Telecom

IM reviews at IM Watch

April 12th, 2006 No comments

There is a flood of IM clients waiting for your choice, isn’t there? But which one do you like? Which one fits your interests best? I believe you don’t have time to review them one by one. In fact, even if you had time, you just wouldn’t like to do that. :)

IM Watch is doing that for you. It lists and reviews almost every one you have heard of (except the most popular one in China, QQ from Tencent), covering Gtalk, Skype, GAIM, AIM, Unyte, Gizmo Project, Chatzilla, Psi, PhoneGaim, Yahoo Messenger, …

For a more comprehensive collection of various IM clients, see Betanews.

Categories: P2P

Net neutrality concerns and China’s Telecommunication Act

March 30th, 2006 1 comment

CNET reported a heated public debate on Net Neutrality among stakeholders, and careful consideration of a bill behind the scenes. As the representatives of the new voice of the Internet, the giants Google, Yahoo and Microsoft criticized that the Net Neutrality bill might bring unpredictable potential damage to Internet users, while leaving a loophole for the triple-players or traditional operators who own and operate the Internet transmission services. A good blog post pointed out what the world will become if net neutrality is killed off:

In other words, customers might only get to run applications approved by the carriers. Not only would that result in dramatically higher costs for consumers and businesses, but many speculate it would seriously hamper innovation.

Of course, there is a long way to go before Net Neutrality becomes a real bill, but this kind of argument will help improve its maturity, integrity and fairness, and will eventually benefit the end users.

In China, the anticipated Telecommunications Act has not been enacted yet, after more than 25 years of tough development. The Act, at its draft stage, will be finalized in 2006, according to the MII. It was said that the reason for the continuous postponement was uncertainty about the convergence of the three networks (telephone, video, and data). Compared with the openness and public participation reflected in the above report, we might improve our legislative process to get more people, experts and enterprises involved.

Categories: -English-, Telecom