Subject: Re: Voice over IP security - anyone?
From: Alex Libenson (alex DAN.LV)
Date: Mon Oct 09 2000 - 05:16:27 CDT
RADCOM (http://www.radcom-inc.com) have a product called AudioPro - it can
convert recorded VoIP packets back to voice and record it to a .wav file with
a few mouse clicks.
-----Original Message-----
From: Craig, Scott [mailto:SCraig KMART.COM]
Sent: Wednesday, October 04, 2000 8:42 PM
To: VULN-DEV SECURITYFOCUS.COM
Subject: Q: Voice over IP security - anyone?
Does anyone know of any shortcomings of any commercial voice over IP
product? I'd like to know if encryption is standard across all vendor
products (same implementation or a requirement that it exists in any form)
and what the details are. I'd also like to know of any vulnerabilities that
may have been exploited already.
I'd like to know if any product on the market can actually have its data
traffic recorded and played back. There's mention of encryption but I don't
have the details. In the past companies have spun stuff off as secure and
encrypted, yet it's only a bit operation, compression, or whatever.
Can't freely download the standard... so it's hard to see what standards are
there for encryption or not being able to reassemble intelligible speech
after capturing packets.
Here's some info I've found relating to voice over IP standards (H.323).
I've only skimmed the info, but from what I saw I need more.
H.323 Standards
http://www.openh323.org/standards.html
Voice over IP background:
http://www.symbol.com/products/whitepapers/whitepapers_converging_tech.html
Primer on H.323 standard:
http://www.databeam.com/h323/h323primer.html
Security
In development for months, the H.235 standard addresses four general issues
when dealing with security: Authentication, Integrity, Privacy, and
non-Repudiation. Authentication is a mechanism to make sure that the
endpoints participating in the conference are really who they say they are.
Integrity provides a means to validate that the data within a packet is
indeed an unchanged representation of the data. Privacy/Confidentiality is
provided by encryption and decryption mechanisms that hide the data from
eavesdroppers so that if it is intercepted, it cannot be viewed.
Non-Repudiation is a means of protection against someone denying that they
participated in a conference when you know they were there.
http://www.itu.int/osg/sec/spu/ni/iptel/index.html
Many countries ban IP telephony completely, yet IP calls can be made to
almost any telephone in the world.
Some voice over IP links:
http://www.packetizer.com/people/paulej/
Table of Contents on H.323
http://www.itu.int/itudoc/itu-t/rec/h/s_h323.htm
H323 Annexes
* Annex D - Real Time fax over H.323
* Annex E - Multiplexed call signalling
* Annex F - Simple Endpoint Terminal (SET)
* Annex G - Text SET
* Annex H - Mobility
* Annex I - Operation over low QoS Networks
* Annex J - Secure SET
* Annex K - HTTP Service Control Transport
* Annex L - Stimulus Signalling
* Annex M - QSig Tunneling
* Annex N - QoS
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Scott Craig
Technical Specialist - Information Security
Kmart Corporation MS: E2 ; 3100 West Big Beaver Rd; Troy, MI 48084
Phone: (248) 643-1346
Fax : (248) 614-2963