12/04/2009 - Botnets + VoIP services = trouble?
Researchers at Secure Science have discovered methods to make unauthorized calls from both Skype and the Google Voice services. Add botnets for massive dialing and let the fun (not) begin. Google says it has patched the hole; Skype isn't commenting.
Secure Science leveraged an online service called SpoofCard to display a different caller ID, along with the fact that neither Google Voice nor Skype requires a password to access its voicemail system. The Skype attack would require a victim to visit a website within 30 minutes of being logged into Skype, but once that happens an attacker could add a specific call forwarding number, gain the ability to receive the victim's incoming calls, get a Skype-To-Go number, and access the victim's voicemail, speed dial, and outbound calling via spoofed Caller-ID (i.e., where SpoofCard comes in).
Within Google Voice, an attacker could even intercept or listen in on incoming calls, using the Temporary Call Forwarding feature to add another number to an account, then using something like Asterisk to answer the call before a victim could hear a ring. An attacker would need to know the victim's phone number, but Secure has figured out a way to find it through Google's Voice SMS feature.
Google said it has patched the bugs enabling Secure Science's attack, and has added a password for its voice system. It also said that a lot of things would have to go right at the same time for Secure's technique to work.
A spokesperson for Secure Science says the Skype vulnerabilities have not yet been fixed and Skype parent eBay wasn't commenting.
For more:
- IDG News Service via PC World. Post.
20/11/2008 - Thinking about Vishing VoIP security
How do you avoid being phished over VoIP? No, we're not talking about a Ben and Jerry's flavor, we're discussing the tactic of being called up over the phone and being socially engineered into disclosing confidential information.
Phishing is now a widespread tactic, with bogus emails spammed out on a daily basis. Initial attacks were mostly for-profit in nature, with an inbox letter posing as a bank or the IRS requesting security and personal information. The information would then be utilized by the attacker for either a simple credit card exploit or a more elaborate identity theft exploit. Variants such as Spear Phishing and Vishing are now in vogue, but phishing attacks can be broken down into four parts: Redirect, Disclosure, Impersonation and Unauthorized Usage.
Vishing is a faster way to gain information if the attacker feels confident in his or her social engineering skills. In the days before computers, this was known as "The art of the con." Regardless, we still have to wonder if J. Michael Straczynski understood he was writing a double-entendre when he penned the line, "Who do you serve? And who do you trust?" A look at the general practices of phishing can help in the development of strategies against vishing.
For more:
- TopTechNews breaks down Phishing and Vishing. Article
14/11/2008 - SPOTLIGHT: UCSniff VoIP security tool officially unveiled
If you haven't worried enough about VoIP security, UCSniff has been released officially by the Sipera Viper Lab.
First unveiled at the Toorcon security conference in late September, UCSniff allows you to target users based on corporate directory and/or extensions, record entire voice conversations, discover and hop VLANs, perform man-in-the-middle (MitM) redirection and plenty more. Sipera has now made the tool available for public download, so, if you want to really torque off your security and IT people, you could record and email them a couple of their phone calls.
If you want really scary/really paranoid thoughts, since UCSniff (and, of course, a lot of other security tools) is written in C and available for Linux systems, an attacker could buy a $300 Netbook, install it in a phone closet somewhere, and with a little hackwork, record and email your conversations outside the office.
Hmm, maybe it's time to re-install the old key system...
For more:
- Read the quick blog post at Dark Reading.






