Archive for VoIP
Author: Dave Lewis
February 14, 2008 at 8:25 am · Filed under VoIP, Vulnerability
There comes word today of some rather nasty vulnerabilities that affect Cisco IP phones. Some of the affected Cisco (CSCO) devices are:
The following Cisco Unified IP Phone devices running Skinny Client Control Protocol (SCCP) firmware:
7906G, 7911G, 7935, 7936, 7940, 7940G, 7941G, 7960, 7960G, 7961G, 7970G, 7971G
The following Cisco Unified IP Phone devices running Session Initiation Protocol (SIP) firmware:
7940, 7940G, 7960, 7960G
The version of firmware running on an IP Phone can be determined via the Settings menu on the phone or via the phone HTTP interface.
There are numerous vulnerabilities involved here. I have listed the lot after the jump.
Author: Dave Lewis
February 6, 2008 at 8:00 am · Filed under VoIP, Vulnerability
For those Skype users out there we get word this morning of a problem that can result in system access from a remote attacker. As a result Skype has released a new version of their software client to address the problem. This problem is apparently restricted to the Windows version.
From Secunia:
Description:
An update has been released for Skype, which implements security enhancements to prevent compromise of users’ systems.
Skype uses the Internet Explorer web control to render HTML from certain websites (e.g. DailyMotion, Metacafe, and SkypeFind). As the content is rendered in the “Local Machine” security zone, this allows execution of arbitrary script code on a user’s system via script insertion vulnerabilities present in these websites.
Various vulnerabilities have been discovered in these sites, which provide vectors when a user e.g. uses the Skype video gallery browser section or finds a video uploaded to the DailyMotion gallery with a specially crafted video title.
Successful exploitation requires that a displayed website is vulnerable to script insertion.
The vulnerability is reported in the following Skype for Windows versions:
- All versions including 3.5.*
- Version 3.6.*.244 and prior
Article Link
Tags: Skype, Skype Cross Zone Scripting, Skype Security
Author: Dave Lewis
December 7, 2007 at 7:23 am · Filed under VoIP, Vulnerability
Skype, the popular VoIP client and the favoured method of communication for Kasparov, is a little less secure today. This was released as a part of TippingPoint’s Zero Day Initiative. This particular vulnerability can potentially lead to a system compromise by a remote attacker.
The vendor has posted an updated version of the client with the fix.
From Secunia:
Description:
A vulnerability has been reported in Skype, which can be exploited by malicious people to compromise a user’s system.
The vulnerability is caused due to an error in the “skype4com” URI handler when processing short string values and can be exploited to corrupt memory.
Successful exploitation allows execution of arbitrary code when a user e.g. visits a malicious website.
The vulnerability is reported in versions prior to 3.6 Gold released on 2007-11-15.
Article Link
Tags: Skype Vulnerability, Skype URI Handler, Skype, VoIP Security
Author: Dave Lewis
October 25, 2007 at 8:47 am · Filed under VoIP
I had this article sent in this morning from a reader (thx Carl).
From Reuters:
Hackers with a Vonage Holdings Corp (VG.N) phone subscriber’s name and telephone number could intercept Internet phone calls by exploiting a weakness in the system, a security firm said on Wednesday.
Vonage spokesman Charles Sahner declined comment on the report by Sipera Systems of Richardson, Texas, which said it informed Vonage of the problem more than a month ago. Vonage had not responded, Sipera said.
Vonage, which has almost 2.5 million customers, was a pioneer in the business of selling low-cost phone services that use the Internet to connect calls instead of traditional phone wires.
Vonage has posted huge losses since it went public in 2006 as it has spent heavily on advertising to recruit customers.
For the rest of the article read on.
Article Link
Tags: Vonage, VoIP Security, Vonage Security, Vonage Calls Diverted
Author: Dave Lewis
September 26, 2007 at 9:04 am · Filed under Legal Aspects, VoIP
The VoIP provider Vonage received the bad news yesterday. The jury returned a judgement against Vonage to the tune of $69.5 million plus royalties.
From the Globe and Mail:
A jury of five women and three men reached the verdict after two days of deliberations and three weeks of testimony in Kansas City, Kan., federal court.
Vonage said in a written statement that it would appeal the decision but would also begin developing technological workarounds that it said would skirt the disputed technology.
“We are disappointed that the jury did not recognize that our technology differs from that of Sprint’s patents,” said Sharon O’Leary, chief legal officer for Vonage. “Our top priority is to provide high-quality, reliable digital phone service to our customers.”
It was the second verdict against the Holmdel, N.J.-based company this year. A jury in Virginia determined in March that Vonage had violated three Verizon patents in building its Internet phone system. The jury awarded Verizon $58-million in damages plus 5.5 per cent royalties on future revenues.
That decision also is under appeal.
Read on.
Article Link
Tags: Vonage, Vonage Lawsuit, Vonage Penalty
Author: Dave Lewis
August 20, 2007 at 7:46 am · Filed under DR/BCP, VoIP
So late last week Skype basically messed the bed and left millions of users stranded without access to the popular software. I noticed this as well when I tried to log in. At times it would allow me to log in, but it showed my status as being “offline” as well as that of all my contacts.
So, what did happen?
In an interview with the New York Times, one Skype executive said that the problem was caused by a flaw in Skype’s four-year-old software and that it was unclear why the problem had remained dormant until this week.
“The longer this goes on, and the more promises that Skype breaks, the more trust in Skype will fall and the worse the long-term damage,” wrote Jupiter Research analyst Ian Fogg in a report on the New York firm’s Web site.
“It cost me some serious phone charges this morning as I had a two-hour conference call with a client for which I had to use my higher-priced land line,” complained one user in a posting on The Washington Post’s Web site.
But Michael Hamm, a Skype user in California who has used the service for about a year, said the glitch wouldn’t change his loyalties.
“Not at all. It’s free, man!” he said.
Indeed. So, my curiosity remains…what did happen?
Article Link
UPDATE: Ah, now here we go. This from Villu Arak today.
On Thursday, 16th August 2007, the Skype peer-to-peer network became unstable and suffered a critical disruption. The disruption was triggered by a massive restart of our users’ computers across the globe within a very short timeframe as they re-booted after receiving a routine set of patches through Windows Update.
The high number of restarts affected Skype’s network resources. This caused a flood of log-in requests, which, combined with the lack of peer-to-peer network resources, prompted a chain reaction that had a critical impact.
The full Skype response.
Tags: Skype, Skype Outage
Author: Ben Blakely
July 3, 2007 at 7:53 am · Filed under Telecom, VoIP
Recently I bought a new house which left me without Internet for about 3 weeks. Sasktel takes forever when you need your internet hooked up! Anyways… the day I moved in I started a scan for some Wifi access points. Luckily my neighbor had an open Wifi access point so I jumped all over that.
Article Link
Tags: Sasktel, Digital Cable, IP Telephony
Author: Dave Lewis
March 20, 2007 at 1:31 pm · Filed under VoIP
This has all the hallmarks of a bad idea. Then again, if they implement proper security controls this could be very handy. But, my gut tells me this will end badly.
“You can send money over Skype,” Zennstrom said of the upcoming service plan. “This is basically connecting the Skype community over PayPal. All the user needs is a PayPal account.”
A Skype spokesman said following Zennstrom’s remarks that the service should be formally unveiled within a month.
Skype had 171 million registered users worldwide at the end of 2006. A year ago, PayPal began limited experiments allowing users to send money to other mobile phone users via text messages, but has done little to promote that service so far.
The likelihood that this is actively attacked by phishers I’d hazard will be off the charts. I hate to seem like an alarmist (no really), but this does not sit well with me.
Article Link
Tags: VoIP Security, Skype, Paypal, Skype Money Transfer
Author: Dave Lewis
February 16, 2007 at 2:35 pm · Filed under Tools, VoIP
When Myrcurial and I had the opportunity to meet with Phil Zimmermann last week he mentioned his upcoming release of Zfone. Well, he released it last Friday and I missed the boat. Better late than never.
What is Zfone?
Zfone is a new secure VoIP phone software product which lets you make secure encrypted phone calls over the Internet. Zfone lets you whisper in someone’s ear from a thousand miles away. The ZRTP protocol used by Zfone will soon be integrated into many standalone secure VoIP clients, but today we have a software product that lets you turn your existing VoIP client into a secure phone. The current Zfone software runs in the Internet Protocol stack on any Windows XP, Mac OS X, or Linux PC, and intercepts and filters all the VoIP packets as they go in and out of the machine, and secures the call on the fly. You can use a variety of different software VoIP clients to make a VoIP call. The Zfone software detects when the call starts, and initiates a cryptographic key agreement between the two parties, and then proceeds to encrypt and decrypt the voice packets on the fly. It has its own little separate GUI, telling the user if the call is secure. It’s as if Zfone were a “bump on the wire”, sitting between the VoIP client and the Internet. Think of it as a software bump-on-the-wire. Maybe a bump in the protocol stack.
Link
Download
Tags: Phil Zimmermann, Zfone, VoIP, Encryption, Secure Communication
Author: Dave Lewis
February 11, 2007 at 10:09 pm · Filed under VoIP
The good folks at The Register have an interesting piece about a piece of software from a company called EasyBits that Skype uses to manage plug-ins. Apparently it reads your device information and sends it back to the mothership.
Among other things, EasyBits offers DRM features that prevent the unauthorized use or distribution of plug-ins, and that’s why Skype 3.0 has been nosing around in users’ bios. Reading the serial number allows EasyBits to quickly identify the physical computer the software is running on. The practice was discontinued on Thursday, when Skype was updated to version 3.0.0.216.
“It is quite normal to look at indicators that uniquely identify the platform and there is nothing secret about reading hardware parameters from the BIOS,” Skype’s blog author, Kurt Sauer, assured us. He also says Skype never retrieved any of this data. We’re not sure that’s the point.
The article goes on to describe how Skype swears up and down that its users aren’t being fed spyware.
Um, ok. Read on. (short story, Skype has removed the EasyBits DRM piece.)
Article Link
Nice! We got a mention from Ryan Naraine over on ZDNet. Thanks Ryan.
Tags: Skype, Skype Spyware, EasyBits