Top VOIP Security Threats Continued

So in the last post, you saw how DoS attacks and eavesdropping would be big concerns this year. Here are the last 3 points that Jim Higdon wrote about earlier this year:

3. Microsoft Office Communications Server: Hackers love attacking Microsoft, and Microsoft loves being unprepared. VIPER Lab predicts that hackers will find vulnerabilities in Microsoft Office Communications Server’s VoIP client and use it to access networks that had previously been secure, and the organization is not alone in reaching this conclusion. Network World blogger Mitchell Ashley suggests that Microsoft could learn from Vonage’s vulnerability to spoofing attacks.

I guess those of us who are using Windows are out of luck on this point. Then again, this is why businesses are leaning towards alternatives.

4. Vishing by VoIP: The FBI has been aware of vishing for nearly a year now, and the IC3 (Internet Crime Complaint Center) recently released a report stating that vishing attacks are on the rise. With caller ID spoofing, the criminals can be very difficult to track, “due to rapidly evolving criminal methodologies,” according to the IC3.

Yup, first it was phishing, now it’s vishing.

5. VoIP Attacks Against Service Providers: These sorts of attacks will escalate, VIPER Lab predicts, because of readily available, anonymous $20 SIM cards. As UMA (Unlicensed Mobile Access) technology becomes more widely deployed to allow calls to switch from cell networks to VoIP networks, VIPER Labs warns that “service providers are, for the first time, allowing subscribers to have direct access to mobile core networks over IP, making it easier to spoof identities and use illegal accounts to launch a variety of attacks.” Such attacks include scripting “various flood, fuzzing and spoofing attacks,” according to VoIP blogger Rich Tehrani. “The hacker could set up multiple IPSec tunnels to various PDGs in the network or across multiple GPRS sessions [generating] up to 10,000 messages per second … equal [to] the traffic of 10 million users,” he wrote.

Knowledge is power. I hope that exposing these threats will help you make your VOIP system more secure.

The Skype Outage: A Reality Check on VOIP Reliability

When Skype experienced a massive service outage two weeks ago, it caused something of a panic among its users and industry watchers. During the outage, the number of Skype users online, which usually fluctuates between 5 million and 8 million, flatlined at 1 million. For the more than 4 million users affected, the outage caused inconvenience, frustration and, very probably, disruption to businesses that rely on the popular peer-to-peer voice-over-Internet application. But beyond these effects on users, the outage highlights a very important point about the reality of VOIP: as people and businesses become more and more dependent on VOIP technology and services, VOIP reliability will become more and more important.

Two weeks after the outage, the cause is clearer, having been discussed and analyzed by the blogosphere. The culprit of course lies in Skype’s server software, specifically in the part of the Skype system that handles user logins. The bug had been sitting in the code, waiting to be triggered, and on Thursday, August 16, the trigger came. Having just received a security update to the operating system, millions of Skype users who also run Windows rebooted almost simultaneously as part of the automated update. This caused a peak in the number of users trying to log in to the Skype peer-to-peer network. The combined effect of these millions of Skype users simultaneously trying to log in and the few available node resources (which are important in a peer-to-peer network) caused a massive outage of Skype’s servers. The outage lasted for almost three days before things were fixed and the root cause of the problem was eventually identified.

While it’s clear that the peer-to-peer nature of the Skype network was an integral part of the problem that caused the outage (with the Windows update that rebooted many users’ machines as the trigger), this is actually the reality of any distributed software system with a massive user base, and VOIP software fits this profile very well. So this brings up an important point: if VOIP is indeed the future of voice telecommunication, the technology must be improved to the point where outages like this are remote if not impossible. Before it can become truly mainstream and replace traditional telephone systems, VOIP must pass the reliability test with flying colors.

Introducing: The Wing

Last Tuesday, May 22, T-Mobile launched its newest gadget, The Wing. Like the iPhone, which is scheduled to ship in about a month, the Wing is a Wi-Fi equipped combined PDA and mobile phone. It was developed by Taiwan’s High Tech Computer Corp. exclusively for T-Mobile.

The Wing boasts of plenty of features, including a slide-out QWERTY keyboard, Wi-Fi for Internet access, a 2-megapixel camera, stereo Bluetooth, extended battery life and a microSD slot for expanding the storage capacity. It also has a 2.8-inch diagonal color display made up of 240×320 pixels and features music and video playback capabilities. It’s available for $299 with a two-year contract.

The Wing is the first HTC-built smartphone equipped with Microsoft Windows Mobile 6 to go on sale in the United States, although HTC has been selling similarly-equipped phones in Europe for months. It’s the successor to the MDA smartphone. The biggest news about the Wing is that it runs the latest version of Microsoft Windows Mobile 6. Windows Mobile 6 provides a better experience than Windows Mobile 5 and includes some nice updates such as native Active Sync/Exchange wireless e-mail support. Windows Mobile 6 connects easily with Microsoft Office documents and HTML e-mail, enabling users to use e-mail in original HTML format with live links to Internet sites. A Microsoft Live Search function can be used for online searches.

“The T-Mobile Wing is 30% smaller than its predecessor, the T-Mobile MDA, and is packed with broad functionality that enables users to experience the best in connectivity, productivity and mobility,” said Todd Achilles, VP of HTC America, in a statement.

Making Mobile Calls With EQO

Here’s another player offering a downloadable mobile VoIP-enabling software application. EQO Communications (pronounced “echo”), a provider of mobile Internet phone services, announced its new EQO Mobile version. EQO was originally designed to add Skype functionality to mobile phones; however, EQO is now offering its own mobile VoIP solution with EQO Out “credits” for PSTN termination. The new version, which still runs on Java-compatible phones, will let users make international and long distance calls as well as send and receive IM and text messages on their mobile phones at local calling and messaging rates.

After you sign up on the EQO site, you’ll receive an SMS link on your phone for downloading and installing the app. You’ll be able to send instant messages through EQO on many of your favorite IM services: AIM, Google Talk, ICQ, MSN Messenger, Jabber and Yahoo Messenger. Calling another EQO user is free, but calling a regular mobile or landline phone requires using EQO Out credits, which is still cheaper than standard mobile rates since it uses a local gateway (and therefore you get local rates).

Joanna Stern from Laptop Magazine was able to test the new software from a Blackberry Pearl. According to her:

“The easily navigable interface makes chatting through numerous IM services extremely easy. We especially liked the ability to close certain IM network lists to make our list more succinct. While we didn’t get to try out any overseas phone calls, we called one of our colleagues here in New York on his cell phone. We could hear him just fine, but he reported a slight delay on his end. We were able to try an EQO-to-EQO call with EQO’s CEO Bill Tam. We heard Bill quite clearly on the other end and found the calls to go through very quickly. In both cases the voice quality was much clearer than calls over a Wi-Fi network.”

Another plus is that EQO’s new mobile application is available for hundreds of mainstream mobile handsets. Its Java application is available for BlackBerry, Motorola, Nokia, Sony Ericsson, Samsung & other devices. A Windows Mobile version is expected to be released in the coming months. For more info, check out www.eqo.com.

Microsoft Unveils New Gen Phones

Get ready for the latest salvo from Microsoft. Microsoft Corp. announced last Monday, May 13, at the Windows Hardware Engineering Conference (WinHEC) 2007 in Los Angeles, its plan to build telephony gear compatible with its soon-to-be-released unified communications software. Microsoft Corp. and nine manufacturers unveiled 15 IP telephones that will become available for use in the public beta program of Microsoft® Office Communications Server 2007 and Microsoft Office Communicator 2007. The manufacturers are ASUSTek Computer Inc., GN, LG-Nortel Co. Ltd., NEC Corp., Plantronics Inc., Polycom Inc., SAMSUNG, Tatung Co. and ViTELiX.

This new generation of devices, combined with other Microsoft programs, will connect the workplace phone to e-mail, provide instant messaging and videoconferencing functions so that users can do things like click on an e-mail message to make a voice-over-IP call to its sender. The software also supports standard desk phone features.

“Today’s office phone is marooned on an island, separate from the rest of the communications tools that information workers rely on to do their jobs,” said Jeff Raikes, president of the Microsoft Business Division. “By weaving the business phone together with e-mail, instant messaging, presence, conferencing and the productivity software people use most, we are putting voice communications back into business.”

Microsoft is also intent on ensuring that all phones work out of the box. According to Eric Swift, senior director of unified communications product management at Microsoft, they will set up a new qualification program for hardware makers. Microsoft will provide the device manufacturers with design specifications, and the products will be tested by Microsoft to assure buyers that the new phones and devices will work easily with Office Communications Server or Office Communicator.

Certified handsets must include wideband audio support, comply with a wide range of VoIP codecs and include specific user-interface elements. Swift also said that most existing VoIP gear today that works with services such as Vonage or Skype should work fairly well too. “We’re looking to ignite partner innovation to bring software economics to what has been proprietary,” he said.

Some of the new phones connect directly to a USB port, so mobile workers can bring the phone with them and use it along with their laptops to access features typically only supported on desk phones, like call forwarding and conferencing. Other new phones include Bluetooth and video capabilities.

Using an open approach and published software interfaces, Microsoft is enabling companies to innovate new workplace phones and devices that make business communications more effective and productive. The products are nearing the end of the Microsoft qualification cycle, which will help ensure the devices and phones deliver the following:

• “Just Works” experience. The qualified phones and devices work out of the box with Microsoft unified communications software. It’s as simple as plug-and-play.

• Greater choice and innovation. With an active partner community building phones and devices, customers are offered more choices when it comes to designs, cost and feature innovations. The 15 phones and devices to be unveiled tomorrow include Internet protocol (IP) phones, Universal Serial Bus (USB) phones, wired and wireless headsets, conferencing phones, LCD monitors and laptops.

• Improved economics. Because many companies will deliver Microsoft-qualified devices, customers will have more options, including devices tailored to the needs of specific types of workers and that deliver more value for less cost. According to Gartner Inc., “handsets typically cost around 40 percent to 45 percent of the total telephony installation.”

To learn more about Microsoft’s newest offering, just visit http://www.microsoft.com/presspass/press/2007/may07/05-13NewGenWorkPhonesPR.mspx

However, most analysts believe that Microsoft still has a long way to go before it can compete with entrenched IP PBX vendors like Avaya and Cisco. A Computerworld article quoted Blair Pleasant, an analyst at Santa Rosa, Calif.-based CommFusion LLC, who said in an e-mail: “By themselves, none of the phones offers as many features as those from Cisco or Avaya,” Pleasant said. “But when integrated with [Microsoft's software] these devices offer capabilities like presence, integration with the Microsoft Office Suite, the ability to view missed calls and return a call. It’s not the Microsoft partner devices in and of themselves that are powerful, it’s the fact that they offer seamless or embedded integration with [Microsoft's software], which is very powerful.”

Voipnews also got the opinion of Dell’Oro Group Analyst Alan Weckel: “I think right now OCS is a step in the right direction, but it still doesn’t include all the necessary call control features an Avaya or Cisco or Nortel have in their PBXs. As a standalone product it doesn’t work, so in this round they have to cooperate with all the PBX vendors in order for this product to be successful.” However, Weckel added, “If I ask you in the future what’s in the next version of Office Communications Server, say in 2009 or 2010, you might say they’ve added enough functionality that you no longer need another PBX for call control. The basic call control resides in the Office Communications Server, and the PBX is a peripheral device to do international call control and a couple of complex things like that.”

Microsoft Announces Office Communications Server 2007 Public Beta

We earlier mentioned that Microsoft’s Office Communications Server beat out hardware-based VoIP telephone systems in terms of quality. Now Microsoft has launched the public beta of its Office Communications Server 2007.

Microsoft says virtual PC images of the OCS 2007 will be available for download this week on www.microsoft.com/uc, with supporting video demos being made available soon after. The OCS 2007 is meant for use with both software clients and a yet-to-be-announced Microsoft Office Communicator VoIP phone. In short, this means Microsoft is serious about getting into the VoIP business, both in the server and client space.

Should this be a reason to worry for open-source solutions providers that run off Asterisk? It’s too soon to say now, but that’s one thing being pointed out by some VoIP industry analysts.

One advantage touted by Microsoft is the audio and video codec that runs on the Office Communications Server. They say that this not only provides for clear and crisp audio-visual communications in high speed scenarios, but also in limited bandwidth (including dial-up!). The codec is also meant to run smoothly on Windows Mobile 5 devices (which includes some cellphones). Microsoft credits its forward error correction (FEC), which makes their codec work well even with high packet loss. These are, however, similar features used by other providers, such as those that use the Global IP Sound (GIPS) codec, including Skype, Google Talk and a handful of other software-based VoIP phones.

While this is not about Asterisk per se, it might be interesting to note some serious competition from the big guy over at Redmond. TMCnet has screenshots here.

AsteriskWin32 Version 0.60 Released

Apparently Asterisk is not Linux-only. Version 0.60 of the Windows version of Asterisk has been released recently. This comes from Asterisk build 1.2.14. According to asteriskwin32.com, the following are the features of this new release:

  • Loadable Modules Support : no longer a standalone application (unload supported)
  • Native sound support for MOH: mpg123 no longer requested (but still supported)
  • AEL support (Asterisk Extension Language v1)
  • DUNDI support
  • CAPI: upgraded to v0.7.0 + added new feature Remote CAPI support : ISDN Router w/Remote CAPI support
  • TAPI: upgraded to v0.2.0
  • CELLIAX: Cellular Network connection via audio drivers (soundcard & bluetooth dongle)
  • Voicemail: send only 1 voicemail while installed as service application
  • SIP Channel bug with IP PHONE : audio confusing
  • TAPI: problem with dialogic hardware
  • GPL Compliant: usage of GNU Readline & Interoperability Key (for loadable modules)
  • New Management Application: PBX MANAGER F.E (Multi-lingual)

AsteriskWin32 will work over PSTN through voice-enabled modems installed on your computer, ISDN via ISDN controllers, or through a mobile network via GSM adaptor.