How to stop Skype using ISA server, and why

Skype is a good example of how defying open standards can result in a better product. H.323, the first attempt at a VoIP standard, failed miserably. SIP stands a much better chance, but there are numerous issues with SIP operator interconnections and with crossing the organisational perimeter. Skype doesn’t have any of these issues: it doesn’t interconnect with third parties, using the PSTN as the only interface available; and it supports HTTP proxies for connectivity, effectively eliminating the difficulties of sending voice/video traffic to external parties.

Of course, Skype is scary (as in: buy a firewall, and may it protect you against Skype). It is the perfect backdoor: its protections can only slow down exploitation of it, and may protect a 0-day – Desclaux Fabrice of EADS does decent research only to come to the wrong conclusions. What’s certain is that Skype is a perfect target for hacking.

Some security people hate Skype and want to stop it. rootn0de provides a smart way of doing that (see Blocking Skype Using Squid and OpenBSD). Skype doesn’t rely on DNS resolution for contacting its supernodes (because Internet DNS resolution may not be available on semi-isolated networks) – so rootn0de configures Squid proxy to block CONNECT tunneling connections to destinations represented by IP address. You cannot even modify the list of supernodes so that DNS resolution will work – so this is a really good hack. It doesn’t require OpenBSD.
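A log-side counterpart to the Squid ACL described above, added here as an example (not code from the page or from rootn0de’s post): it scans constructed Squid native-format access.log lines and flags CONNECT tunnels whose destination is written as an IP literal, the behaviour the text attributes to Skype. The log field layout, sample addresses and function names are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed Squid native-format access.log lines (not real traffic):
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1184000001.101    120 10.0.0.5 TCP_MISS/200 5120 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1184000002.202   3001 10.0.0.5 TCP_TUNNEL/200 8812 CONNECT 203.0.113.7:443 - DIRECT/203.0.113.7 -
1184000003.303    250 10.0.0.9 TCP_TUNNEL/200 9921 CONNECT mail.example.org:443 - DIRECT/198.51.100.2 -
1184000004.404   2900 10.0.0.5 TCP_TUNNEL/200 7710 CONNECT 198.51.100.77:12350 - DIRECT/198.51.100.77 -
1184000005.505    310 10.0.0.7 TCP_TUNNEL/200 6600 CONNECT [2001:db8::1]:443 - DIRECT/2001:db8::1 -
"""
# Squid's native format separates fields by runs of spaces; only the leading fields matter here.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)

def connect_target_host(url: str) -> str:
    """For CONNECT the logged 'URL' is host:port; strip the port, handling bracketed IPv6."""
    if url.startswith("["):
        return url[1:url.index("]")]
    host, _sep, _port = url.rpartition(":")
    return host or url

def is_ip_literal(host: str) -> bool:
    """True when the destination is an IPv4/IPv6 address, the condition a Squid dstdom_regex ACL enforces."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def find_ip_literal_connects(log_text: str) -> list:
    """Return (client, destination) pairs for CONNECT tunnels to IP-literal destinations."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "CONNECT":
            continue
        host = connect_target_host(m["url"])
        if is_ip_literal(host):
            hits.append((m["client"], host))
    return hits

def clients_by_hit_count(log_text: str) -> Counter:
    """Per-client tally; a client repeating this pattern is the one to look at."""
    return Counter(client for client, _host in find_ip_literal_connects(log_text))
```

Run it against a real access.log with `find_ip_literal_connects(open(path).read())`; name-based CONNECTs such as the mail host in the sample are left alone.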

What about the numerous organisations using Microsoft ISA Server as their Internet connection gateway? The solution is even easier: configure ISA to require Windows integrated authentication and Skype will not work. Just checked – that was fixed recently in the Skype for Windows 3.2 hotfix. Back to square one – no easy solution for ISA. You can be creative with the Winsock client, or write a custom filter, or channel traffic through Squid (defeating the purpose of ISA to an extent). Besides, the restriction to Windows integrated authentication only can be relatively easily worked around – by modifying the client.

A solution, did I say? No. Trying to block Skype on the Internet access gateway is an example of the wrong approach taken because of a wrong problem definition. Skype is just a videophone with chat that can also send files – most potential Skype users on a corporate network have Web access that already allows chatting, sending files and placing telephone calls. If you don’t want users to run software that you don’t approve of – don’t let them, by strictly controlling their operating environment (thin client solutions help here). If you don’t want them to share information – don’t give access, or protect it (RMS solutions help with this). But don’t try to cripple functionality that has already been given to the users – they may well have a business need for it.

VoIP Scaremongers

DEF CON, an “underground” information security conference (appropriately held in an upscale hotel in the entertainment capital of the US), is on, together with its sister conference Black Hat Briefings, and the fresh crop of FUD is already making it into the business press worldwide. There’s nothing like a catchy headline, and Forbes has got one of those: VoIP Vandals. Let’s see what it’s about:

Security professionals at the Black Hat conference in Las Vegas spent Wednesday outlining the exploitable vulnerabilities in voice over Internet protocol technology, or VoIP. In a series of presentations, they demonstrated ways in which cybercriminals can eavesdrop on VoIP calls, steal data from Internet telephony devices, intercept credit card numbers from VoIP connections and shut connections down altogether.

I wonder if there’s something radically new. Some details:

“VoIP is about convergence. The idea is that you save money and resources and time,” said Barrie Dempster, a senior security consultant at Next Generation Security Software who made a presentation at the conference. “But convergent systems give you more avenues of attack, more ways in. It’s not a secure environment.” Because VoIP connects telephone calls via the Internet, it shares the Internet’s weaknesses, Dempster argued. Those include vulnerability to denial of service attacks, which overload servers with thousands of simultaneous requests for data, as well as basic hacking tactics like guessing the password of users who fail to change default settings.

Environments become secure if and when we choose to secure them. The VoIP set of technologies gives countless ways to achieve integrity and privacy of communications. It’s much better in that regard than POTS, the pretty old telephony service it’s replacing. And by the way – many people who have witnessed a major disaster, attended a sports event, or just tried to call relatives in a developing country on a public holiday know that a limitation of POTS is its susceptibility to load-based denial of service. Plus, legacy telephones don’t have passwords to speak of, so there’s nothing even to guess.

Well, Mr. Dempster may have spoken FUD without substance, but other guys conducted cool demonstrations. They showed weaknesses resulting from insecure implementation of MGCP, and a lack of touch tone protection in ZRTP, a VoIP protocol invented by Phil Zimmermann of PGP fame. Nice hacks they may be. Pity no one’s using the protocols: SIP and proprietary protocols like Skype have won the protocol race.

Of course, Microsoft’s embrace of the realtime communications and VoIP is considered no less than upcoming doom:

Eric Winsborrow of Sipera Systems says that the wave of threats has been brought on by VoIP’s new popularity in the business world as well as the technology’s growing connection to the Internet at large, instead of smaller networks. He also points to plans at Microsoft to introduce VoIP applications into upcoming software as a sign that the technology’s security issues are reaching a tipping point.

I don’t know where Mr. Winsborrow has spent the last several years, but conf.exe has been part of Windows for a long while, and we are long past the tipping point. There will be no VoIP crash boom bang. It is secure. Mr. Winsborrow and his squad managed to crash a BlackBerry handheld and a D-Link phone by injecting packets into a Wi-Fi network (as if you couldn’t crash any of those networks entirely with a microwave), and simulated the theft of private data via VoIP from a laptop. I invite them to exploit a setup with Kerberos authentication and SIP signaling secured with TLS. That is common in the Microsoft world and is used to interconnect organisations as well as internally.

VoIP scaremongering is pathetic.