Re: using Skype, hosted voip, etc. in SMB



The guys at http://www.rstack.org have done quite a bit of work on
Skype (and more particularly Skype security), the Chinese DIDN'T
"crack" the Skype protocol they were simply the first people to
release an alternative client.

Rstack.org's were the first to "crack" the protocol, the details can
be found in Philippe Biondi's and Fabrice Desclaux's blackhat
briefings eu 2006 presentation "Silver Needle in Skype";
http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pdf

Further work was done later into Skype-based botnets, details are
available in Cedric Blancher's "Fire in the Skype" presentation;
http://sid.rstack.org/pres/0606_Recon_Skype_Botnet.pdf

Depending on what type of phone system (PABX) you have currently there
are a number of approaches you could take, if your phone system
already supports VoIP setting up a VPN and having your road warriors
connect to that then use a "soft-phone" client (assuming there is one
available for your PABX) to make and receive phone calls.
Alternatively if you don't have a VoIP capable phone system (and can't
afford to upgrade to a VoIP capable PABX) installed it is conceivably
possible to set up an Asterisk box with some FXS cards in it which are
then connected to internal extensions on your phone system and use
this (once again preferably via a VPN) as a "SIP Gateway" into your
phone system, then you have your road warriors connect to the VPN and
use one of the many SIP clients which are available to connect to
Asterisk.

With regards to VPN systems, I generally recommend m0n0wall
(http://www.m0n0.ch) to my SME clients as a firewall system, it
provides IPSec and PPTP VPN services, and is also highly capable of
serving exclusively as a VPN server, there are several companies who
provide the m0n0wall systems in an embedded form-factor (details are
available on their website), some of these embedded systems include
hardware-based VPN accelerators too (they can also be purchased
separately).

Regards,


Morgan




On 7/22/06, Daniel DeLeo <danielsdeleo@xxxxxxxxxxx> wrote:
If you have the resources, the best thing to do would be to set up a
VPN protected VoIP system. Barring that, you should have a look at
Phil Zimmermann's Zfone. The code is available for review, so you're
not just trusting Skype's claims. Zfone works with any SIP
softphone; I personally use it with Gizmo, which is a free Skype-like
service (based on SIP, of course). You should also be able to use
Zfone with hosted VoIP services, if you go that route.

I remember reading a powerpoint produced by a French group that used
some pretty advanced reverse engineering techniques to get into
Skype's guts. If I remember correctly, they concluded that the way
the Skype network is managed provided a few possible avenues of
attack. Unfortunately, I can't quite remember the link.

Daniel DeLeo

On Jul 21, 2006, at 10:33 AM, Andrew Stewart wrote:

> I work for a SMB automotive manufacturer based in the US. In the
> process of planning for a new project for which we
> will have a number of people traveling international, there was a
> proposal to use Skype to save on long distance phone
> charges when they travel to Europe and Mexico. Skype kind of
> concerns me as an unknown quantity. They do have some
> security information, including one security evaluation report,
> listed on their site <http://www.skype.com/security/>.
> They claim to use 256-bit AES "in order to actively encrypt the
> data in each Skype call or instant message." Has this
> claim been substantiated by any neutral third-parties?
>
> I see that a Chinese company claims to have "cracked" the Skype
> protocol <http://www.voipwiki.com/blog/?p=16>
> <http://www.voipwiki.com/blog/?p=31>. Does anyone see any security
> risks coming out of this?
>
> What about hosted VOIP services like NewCross Technologies <http://
> www.newxt.com/> and Pandora Networks
> <http://www.pandoranetworks.com/> that use open protocols (ie.
> SIP)? Has anyone used any of these? What security
> features should I look for in choosing one?
>
> -------------------
> Andrew Stewart
> astewart@xxxxxxxxxx
> (205) 585-2980 - cell
>
> ----------------------------------------------------------------------
> -----
> This list is sponsored by: Norwich University
>
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> The NSA has designated Norwich University a center of Academic
> Excellence
> in Information Security. Our program offers unparalleled Infosec
> management
> education and the case study affords you unmatched consulting
> experience.
> Using interactive e-Learning technology, you can earn this esteemed
> degree,
> without disrupting your career or home life.
>
> http://www.msia.norwich.edu/secfocus
> ----------------------------------------------------------------------
> -----
>


---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------




--
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
-- Benjamin Franklin, 1759

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------



Relevant Pages