How To Counter SpIT




Countering SPAM over Internet Telephony (SPIT)
Markus Hansen
Independent Centre for Privacy Protection Schleswig-Holstein
markus@privacyresearch.eu
International Symposium Privacy and Security in Internet Telephony / VoIP
2006-09-04, Berlin, IFA

Countering SPIT: Motivation
- Internet Telephony has developed and allows cost-saving use of VoIP technology.
- VoIP will affect audio communication as e-mail affected written communication.
- Unsolicited calls are already annoying PSTN customers.
=> SPAM over Internet Telephony (SPIT) will become a problem similar to e-mail SPAM.

Countering SPIT: Motivation
- SPIT is expected to increase dramatically with cheaper calls.
  => Privacy protection needed.
- Laws prohibiting such calls are most often ineffective against calls from other countries.
  => Technical approach needed.
- Telecommunication is regulated by several laws. Sanctions are up to five years in prison.
  => Legal compliance needed.

Legal Aspects of Filtering SPAM & SPIT
- Secrecy of Telecommunication (European level): Art. 8 ECHR: Respect for private life and correspondence
- Secrecy of Telecommunication and SPAM: cf. Art. 29 Data Protection Working Party, Opinion 2/2006 on privacy issues related to the provision of email screening services (WP 118).

Art. 29 Group: WP 118
- European regulations concerning SPAM filtering derive from the interpretation of Dir. 95/46/EC and Dir. 2002/58/EC in compliance with the ECHR and the corresponding case law of the Court of Human Rights.
- Other Directives (e.g., e-privacy) can be relevant as well.
- Equivalent application to telephone calls as far as no differences derive from the synchronism of the medium.

Art. 29 Group: WP 118
- Art. 4, 5 Dir. 2002/58/EC: Confidentiality of electronic communication has to be secured (e.g., by technical-organisational means).
- Personal data processing in the course of filtering viruses can be justified for the purpose of safeguarding the security of applications and services.
- Personal data processing in the course of filtering spam can be justified for the purpose of safeguarding the security of applications and services under certain requirements.

Art. 29 Group: WP 118
- Personal data processing in the course of detecting any predetermined content CANNOT be justified for the purpose of safeguarding the security of applications and services.
- In all cases transparency and adequate user information have to be secured.

SPIT-AL: Legal Aspects
- Secrecy of Telecommunication, e.g. in Germany: Art. 10 GG, § 88 TKG, § 206 StGB
  - Protecting the content of communication and the fact that it has taken place (or been unsuccessful).
  - Binding any person involved in providing telecommunication services.
- Control over any SPIT filter therefore has to be in the hands of the user as one of the communication partners.

SPIT-AL: Legal Aspects
- Telecommunication law (TKG)
  - § 88 Secrecy of Telecommunication
  - § 148 f. Suppression of Communication (Reject call, Greylisting)
- VoIP has not yet gone through courts.

SPIT-AL: Legal Aspects
- Privacy Law (aka: Data Protection Law), §§ 91-107 TKG
- Different SPIT-AL actions and configuration presets for private citizens, companies or administrations. (Administrative Law: Right to be heard)
- Whitelists / Blacklists are processing of personal data
  => Infrastructure for consent / withdrawal
  => web interface
  => Teleservices Law

SPIT-AL: Legal Aspects
Consequences for Development:
- Completely user-controlled filtering!
- Transparency and control of data processing and its consequences.
- Configuration presets for different types of users.
- Fine-grained configuration options.

The SPIT-AL Project
- SPIT-AbwehrLösung
- Public Funding 2005-2006:
  - e-region Plus (Schleswig-Holstein)
  - ERDF European Regional Development Fund
- Project Partners:
  - TNG The Net Generation AG, Internet Service Provider and Telecommunication Company, www.tng.de
  - ICPP Independent Centre for Privacy Protection, Privacy Protection Authority of Schleswig-Holstein, www.datenschutzzentrum.de

The SPIT-AL Project
- White Paper: download at www.spit-filter.com
- Prototype Implementation in progress <= Test Run with 1000 users by end of 2006
- Open Source Project: Public funding, public benefit!
- Diploma Thesis at Dresden University of Technology

SPITting into your Ear
- Calls from Humans: Call Centres
- Calls from Automated Devices: Spam Bots
- Ringtone SPIT: Alert-Info Header
- Combinations

SPIT-AL: Technical Approach
- E-mail SPAM: Header & Content Analysis
- Content Analysis of Audio Communication:
  - Synchronous communication, impossible to do before the call is established.
  - Technically complex, binding resources. (Cf.: Microsoft V-Priorities. Patents?)
  - Unnecessary once caller and callee talk.
  - Not planned within SPIT-AL.

SPIT-AL: Technical Approach
- Analyze Information about Caller:
  - Caller ID? (Lacking Authenticity with SIP)
  - Origin: PSTN / SIP (Proxy, IP Range)?
  - On Whitelists / Buddylists / Blacklists?
  - Recursive Lists / Web of Trust
  - Statistical Analysis (backbone)
- Analyze Information about Call:
  - E.g.: 6 a.m.? Sorry, Mum.
- Weight results, sum up.

SPIT-AL: Technical Approach
Different Actions according to results:
- Establish call. (implementation: easy)
- Busy on first try. (greylisting)
- Challenge the caller:
  - Please press *42#. (simple voice menu)
  - What is 10 divided by 2? (tricky :-))
- Voice Box => asynchronous
- Announce alternate reachability

SPIT-AL: Technical Approach
Different Actions according to results:
- Simulate Callee (cf. Telecrapper2000): binding your resources!
- Honeyphones (as in Honeypots, Honeynets): collect and analyse information on SPIT
- Reject call
  - Implementation: Easy
  - Legal: Suppression of Communication
All not in SPIT-AL.
'Filtering' not appropriate. Therefore: Reachability Management to counter SPIT
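The "weight results, sum up" step and the actions from the two Technical Approach slides above, as an added Python example (not from the slides or the SPIT-AL prototype). The weights, thresholds, class and field names, and the rule that a whitelist entry counts only with an authenticated caller ID, are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class Preset:
    # Constructed weights and thresholds; the callee can change every value.
    weights: dict = field(default_factory=lambda: {
        "whitelisted": -30, "blacklisted": 80, "unauthenticated_id": 15,
        "unknown_origin": 25, "quiet_hours": 50})
    greylist_at: int = 20     # "busy" on the first try
    challenge_at: int = 40    # simple voice menu
    voicebox_at: int = 80     # asynchronous; "reject" is deliberately no outcome
    quiet: range = range(0, 7)    # 00:00-06:59 local time

@dataclass
class Call:
    caller: str               # identity as presented (SIP URI or number)
    origin: str               # "pstn", "sip-known-proxy" or "sip-unknown"
    id_authenticated: bool
    when: datetime

class ReachabilityManager:
    def __init__(self, preset, whitelist=(), blacklist=()):
        self.p = preset
        self.white, self.black = set(whitelist), set(blacklist)
        self.greylisted = set()   # callers already answered with "busy"

    def score(self, call):
        """Return (total, reasons) so the callee can see why a call was rated."""
        checks = {
            # SIP caller IDs lack authenticity, so an unauthenticated ID
            # earns no whitelist credit (assumption of this example).
            "whitelisted": call.caller in self.white and call.id_authenticated,
            "blacklisted": call.caller in self.black,
            "unauthenticated_id": not call.id_authenticated,
            "unknown_origin": call.origin == "sip-unknown",
            "quiet_hours": call.when.hour in self.p.quiet,
        }
        reasons = [name for name, hit in checks.items() if hit]
        return sum(self.p.weights[r] for r in reasons), reasons

    def decide(self, call):
        total, _ = self.score(call)
        if total >= self.p.voicebox_at:
            return "voicebox"
        if total >= self.p.challenge_at:
            return "challenge"
        if total >= self.p.greylist_at and call.caller not in self.greylisted:
            self.greylisted.add(call.caller)
            return "busy"
        return "establish"
```

With these constructed values a whitelisted caller at 6 a.m. scores 20 and hears "busy" on the first try, then gets through on the second.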

[Diagram: INCOMING CALL, stages 1 to 4, VOICE DATA]

Conclusions
- The SPIT problem will increase, countermeasures are needed.
- Countermeasures have to take effect before caller and callee talk to each other.
- Reachability management is a possible approach.
- Can be expanded/integrated into an identity management system.

Future
- VoIP needs Security and Privacy Enhancements!
  - E.g. strong end-to-end encryption
  - E.g. end-to-end authentication
- VoIP could use a lot of other development, too.

Thanks for listening! :-)
Project: www.spit-filter.com
Contact: markus@privacyresearch.eu