Security Basics mailing list archives
Re: using Skype, hosted voip, etc. in SMB
From: "Morgan Reed" <morgan.s.reed () gmail com>
Date: Tue, 25 Jul 2006 23:14:41 +1000
The guys at http://www.rstack.org have done quite a bit of work on Skype (and more particularly Skype security), the Chinese DIDN'T "crack" the Skype protocol they were simply the first people to release an alternative client. Rstack.org's were the first to "crack" the protocol, the details can be found in Philippe Biondi's and Fabrice Desclaux's blackhat briefings eu 2006 presentation "Silver Needle in Skype"; http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pdf Further work was done later into Skype-based botnets, details are available in Cedric Blancher's "Fire in the Skype" presentation; http://sid.rstack.org/pres/0606_Recon_Skype_Botnet.pdf Depending on what type of phone system (PABX) you have currently there are a number of approaches you could take, if your phone system already supports VoIP setting up a VPN and having your road warriors connect to that then use a "soft-phone" client (assuming there is one available for your PABX) to make and receive phone calls. Alternatively if you don't have a VoIP capable phone system (and can't afford to upgrade to a VoIP capable PABX) installed it is conceivably possible to set up an Asterisk box with some FXS cards in it which are then connected to internal extensions on your phone system and use this (once again preferably via a VPN) as a "SIP Gateway" into your phone system, then you have your road warriors connect to the VPN and use one of the many SIP clients which are available to connect to Asterisk. With regards to VPN systems, I generally recommend m0n0wall (http://www.m0n0.ch) to my SME clients as a firewall system, it provides IPSec and PPTP VPN services, and is also highly capable of serving exclusively as a VPN server, there are several companies who provide the m0n0wall systems in an embedded form-factor (details are available on their website), some of these embedded systems include hardware-based VPN accelerators too (they can also be purchased separately). Regards, Morgan On 7/22/06, Daniel DeLeo <danielsdeleo () comcast net> wrote:
If you have the resources, the best thing to do would be to set up a VPN protected VoIP system. Barring that, you should have a look at Phil Zimmermann's Zfone. The code is available for review, so you're not just trusting Skype's claims. Zfone works with any SIP softphone; I personally use it with Gizmo, which is a free Skype-like service (based on SIP, of course). You should also be able to use Zfone with hosted VoIP services, if you go that route. I remember reading a powerpoint produced by a French group that used some pretty advanced reverse engineering techniques to get into Skype's guts. If I remember correctly, they concluded that the way the Skype network is managed provided a few possible avenues of attack. Unfortunately, I can't quite remember the link. Daniel DeLeo On Jul 21, 2006, at 10:33 AM, Andrew Stewart wrote: > I work for a SMB automotive manufacturer based in the US. In the > process of planning for a new project for which we > will have a number of people traveling international, there was a > proposal to use Skype to save on long distance phone > charges when they travel to Europe and Mexico. Skype kind of > concerns me as an unknown quantity. They do have some > security information, including one security evaluation report, > listed on their site <http://www.skype.com/security/>. > They claim to use 256-bit AES "in order to actively encrypt the > data in each Skype call or instant message." Has this > claim been substantiated by any neutral third-parties? > > I see that a Chinese company claims to have "cracked" the Skype > protocol <http://www.voipwiki.com/blog/?p=16> > <http://www.voipwiki.com/blog/?p=31>. Does anyone see any security > risks coming out of this? > > What about hosted VOIP services like NewCross Technologies <http:// > www.newxt.com/> and Pandora Networks > <http://www.pandoranetworks.com/> that use open protocols (ie. > SIP)? Has anyone used any of these? What security > features should I look for in choosing one? > > ------------------- > Andrew Stewart > astewart () notre1 com > (205) 585-2980 - cell > > ---------------------------------------------------------------------- > ----- > This list is sponsored by: Norwich University > > EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE > The NSA has designated Norwich University a center of Academic > Excellence > in Information Security. Our program offers unparalleled Infosec > management > education and the case study affords you unmatched consulting > experience. > Using interactive e-Learning technology, you can earn this esteemed > degree, > without disrupting your career or home life. > > http://www.msia.norwich.edu/secfocus > ---------------------------------------------------------------------- > ----- > --------------------------------------------------------------------------- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
-- "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- Benjamin Franklin, 1759 --------------------------------------------------------------------------- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINEThe NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- using Skype, hosted voip, etc. in SMB Andrew Stewart (Jul 21)
- Re: using Skype, hosted voip, etc. in SMB Daniel DeLeo (Jul 24)
- Re: using Skype, hosted voip, etc. in SMB Morgan Reed (Jul 25)
- Re: using Skype, hosted voip, etc. in SMB Dragos Ruiu (Jul 26)
- Re: using Skype, hosted voip, etc. in SMB Morgan Reed (Jul 27)
- Re: using Skype, hosted voip, etc. in SMB Morgan Reed (Jul 25)
- Re: using Skype, hosted voip, etc. in SMB Daniel DeLeo (Jul 24)
- Re: using Skype, hosted voip, etc. in SMB Michael Krymson (Jul 25)