[VOIPSEC] Soft Phone Vulnerabilities

FOUCHE Nicolas ROSI/DAS nicolas.fouche at francetelecom.com
Wed Jun 7 09:44:28 CDT 2006


Ok with that. I'm just saying that Skype isn't a security model like you said.
But you must admit that it's hard to control P2P. Enterprises like to control what occurs in their network. That means knowing what flow goes where. P2P doesn't ensure that... And particularly Skype, about which we don't know many things.

Nicolas

-----Original Message-----
From: Henry Sinnreich [mailto:henry at pulver.com]
Sent: Wednesday, June 7, 2006 16:20
To: FOUCHE Nicolas ROSI/DAS; 'Martyn Davies'; 'Jacobs, Marcia'; Voipsec at voipsa.org; 'Mark Baugher'
Subject: RE: [VOIPSEC] Soft Phone Vulnerabilities

The arguments about Skype security must not imply P2P cannot be secure.

Please see the just published I-D:

http://www.softarmor.com/dwillis/docs/draft-willis-p2psip-concepts-00.html

Thanks, Henry

-----Original Message-----
From: FOUCHE Nicolas ROSI/DAS [mailto:nicolas.fouche at francetelecom.com]
Sent: Wednesday, June 07, 2006 8:44 AM
To: henry at pulver.com; Martyn Davies; Jacobs, Marcia; Voipsec at voipsa.org
Subject: RE: [VOIPSEC] Soft Phone Vulnerabilities



> Skype has been attested as being secure

It seems that some vulnerabilities have been discovered in Skype...

"The vulnerability is caused due to a boundary error within the handling of
command line arguments. This can be exploited to cause a stack-based buffer
overflow by e.g. tricking a user into visiting a malicious web site, which
passes an overly long string (more than 4096 bytes) to the "callto:" URI
handler.

Successful exploitation may allow execution of arbitrary code."

And this is not the only one.

We can't say that Skype is "secure" because it is completely unknown!
Darkness doesn't make security... it is often the opposite. Skype is an
application like many others and suffers from the same problems. And why does
it become dangerous? Precisely because no control can be exercised over what
Skype does (encrypted flows, bypassing proxies and FW...).

> We can only hope the "pre-standard" Skype will get some competition from a
> standards based system.

I hope not!

Regards,

Nicolas


-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Henry Sinnreich
Sent: Wednesday, June 7, 2006 15:03
To: 'Martyn Davies'; 'Jacobs, Marcia'; Voipsec at voipsa.org
Subject: Re: [VOIPSEC] Soft Phone Vulnerabilities

> This is why people worry about Skype being used in the workplace,

I am afraid this is just sour grapes. Skype has been attested as being
secure, enhances the productivity in the enterprise, supports communications
worldwide with customers and partners and may become the AT&T of VoIP.

And is profitable as well, which is an exception to the rule in the VoIP
provider world.

We can only hope the "pre-standard" Skype will get some competition from a
standards based system.

Thanks, Henry

-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Martyn Davies
Sent: Wednesday, June 07, 2006 3:02 AM
To: Jacobs, Marcia; Voipsec at voipsa.org
Subject: Re: [VOIPSEC] Soft Phone Vulnerabilities

A softphone is just a normal executable application, no more and no less.
It's just that (unlike, for example, Word) its main job is to handle
streaming audio.

As an application it has full access to all the resources of the PC, and
runs with the rights of the user that started the softphone.  Therefore if
you login with administrative rights (which I guess an awful lot of people
do), the softphone application has all administrative rights to the machine.
Therefore if a softphone is carrying some kind of Trojan or backdoor inside
it, an attacker could do any of the following:

* Listen to any inputs on the soundcard
* Read all your files and transmit them somewhere else
* Capture data being sent to the screen, or coming in from the keyboard
* Scour your machine looking for passwords, etc.
* Disable antivirus or other protective tools
* Monitor the LAN that the computer is attached to, and perhaps even attack
other machines

Since the soundcard is always powered on in a PC, there's nothing to stop an
application switching on the mic at any time and listening.

In summary, it's not just 'softphone vulnerabilities' that are the worry per
se, but the fact that the whole PC is vulnerable to attack if the wrong
kind of malware gets run on it.


This is why people worry about Skype being used in the workplace, because
(a) a lot of desktops have it across the world, which is an opportunity for
hackers and (b) if they succeed in compromising Skype then not just audio
but all kinds of secrets could be funneled out of the organization without
anyone even knowing that an attack was underway.

Regards,
Martyn


-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Jacobs, Marcia
Sent: 06 June 2006 19:04
To: Voipsec at voipsa.org
Subject: [VOIPSEC] Soft Phone Vulnerabilities

Wondering if anyone can recommend a good security document on softphones,
and the potential of turning on microphone remotely.

Thanks!

Marcia Jacobs
Sandia National Labs
CA Telecommunication Ops
Phone & Fax:  925.294.1586
mjacob at sandia.gov

_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org

********************************
This message and any attachments (the "message") are confidential and
intended solely for the addressees. Any unauthorised
use or dissemination is prohibited.
Messages are susceptible to alteration. France Telecom Group shall not be
liable for the message if altered, changed or
falsified.
If you are not the intended addressee of this message, please cancel it
immediately and inform the sender.
********************************


