VoIP Security and Cybersecurity in the Spotlight - are you Listening Now?

Well, that's certainly been the story for me lately, and it's as good a time as any to post about it.

Starting with this week, I was interviewed by both the Globe and Mail, and the Toronto Star about a cyber attack that hit Bell Canada a few days ago. More specifically, the attack hit one of their third party partners, and the hackers posted the usernames and passwords of over 20,000 business customers on the Web, along with credit card numbers of business customers.

This may seem like small potatoes compared to the recent breaches among the likes of Target and Neiman Marcus, but it all comes from the same swamp, and until we - you and me - get smarter about how we protect our personal information online, this activity is going to keep escalating.

Working with third parties is a fact of business life these days, and as a sidebar, it's good to know that the unnamed partner was based in Ottawa - and not some faraway country you've never heard of. With the Sochi Olympics about to kick off - in a faraway city you had never heard of before they got (I mean bought) the games, concerns about surveillance - and that's saying it nicely - have never been higher.

Not to mention closer to home, where the Canadian government is trying to assure us that the metadata they're monitoring NSA-style on our mobile devices is not spying. Makes you just want to walk away from anything related to the Internet. I'm almost there, and looking at the copper wiring still stapled around the perimeter of my apartment, y'know, I could just about do it - all I need now is a rotary phone....

Anyhow, back to the news - for the record, I was quoted here in the Globe on Monday, and here in the Star yesterday.

Now, let's take things down a notch from cybersecurity to VoIP security. If you don't associate VoIP with security, then you need to think again. Not only is VoIP highly vulnerable to telephony-based security threats like toll fraud, but it's often the weak link in the overall IT security perimeter. This makes it an attractive point of entry for hackers going after much bigger game, and that's when this becomes a cybersecurity threat.

You may save a ton of money on telephony with VoIP, but if you're not careful, you'll be exposing all your corporate data to a community with very sophisticated tools - along with some that are free or OTS - and they know how to use them. As Bell Canada found out, once the breach has been detected, the damage has already been done. Like anything else, when a competitive advantage can be established, you win more than you lose, and in this arena, the hackers have the edge.

On that note, I'll continue the theme of being newsworthy with a profile that ran yesterday in IT World Canada. I recently authored a White Paper on VoIP security for an Ottawa-based company called VoIPshield, and the publication ran a nice backgrounder on them, along with some context for why VoIP security is an issue. The article also interviewed their CEO, Rob Gowans, and he added some color to Howard Solomon's analysis.

Regarding my White Paper, it's getting a lot of readership, and you can learn more about it from my earlier post when it was published in December. If you want a condensed read about what you really need to know, I can steer you to a couple of articles: this writeup from FierceITSecurity, and my own article about the topic which ran about two weeks ago in No Jitter.

I'm not a technical expert in this area, but I see enough in my research to know these threats are real and they're with us now. With all the above items bubbling up around the same time, I thought it was high time to pull them together and help get the word out.

Are you listening now?

WikiLeaks and Stuxnet - Smart Grid Wakeup Call

I don't often blog about the writing I do for our Smart Grid portal, but with all the buzz and sobering implications around Stuxnet and WikiLeaks, I thought my blog readers would find this of interest. In case you haven't seen this on the portal, here's the link. This topic can take many side routes, and I just might take one of those in another posting. Until then, I hope you enjoy this, and would welcome your comments!

Shadow Network Revealed - Taking Cybercrime to a WNL

Canada sure is on a roll. The Vancouver Olympics were great, we got Gold in hockey, the loonie is now at par with the greenback, and now this. We all know how the Web can be used for evil just as well as for good, but as they say on MAD TV, this takes it WNL - to a whole, nutha, level.

Today we have news about Shadow Network, the latest big reveal about just how far cybercrime is going, with a lot of insidious links to China. There are a number of threads here, so just bear with me. Shadow Network is the name for an extensive series of sleuth-like discoveries made by the University of Toronto along with Ottawa-based security experts SecDev, and U.S.-based Shadowserver Foundation. The findings are summarized in a report that was just released today. It's titled "Shadows in the Cloud", and you can download it here (after a quick registration on Scribd - if you don't have that already).

If this is news, and you have concerns about cybercrime and online privacy - and you damned well should - you'll definitely want to explore this. Quickly...

First - the above link is to the front page story in today's Globe & Mail.

Second - from this link, you can read a profile of the guys behind these discoveries - particularly Canadians Nart Villeneuve, Greg Walton and Prof. Ron Deibert. This stuff reads right out of a spy novel, and I don't think Ian Fleming could have done a better job.

Third - this story builds on an equally jarring discovery this group made almost exactly a year ago. This was called GhostNet, and I've written about it a few times, especially here.

When you look at what's happening with Shadow Network and GhostNet, it's pretty hard to feel safe on the Web, especially if you have reasons to be critical of some things that go on in China. I'm not trying to single out one country in particular - we know bad stuff happens everywhere - but it's particularly interesting given Google's recent pullback from China. I wrote about this recently, especially about what this milieu could mean for service providers of all stripes.

You can proclaim all day long that Google left on principle and did not wish to continue catering to China's censorship demands. That's all true, but I suspect the reasoning is just as much related - if not more - to the security hacks Google experienced in China. That's not just bad for business, but breaches like this can fatally undermine their intellectual property - and in the Internet world, that's the foundation of the business. Needless to say, they weren't about to let that continue - would you?

Finally, all of this hits closer to home in a very timely way. As we speak, the blogerati and twitterati are furiously talking up today's Net Neutrality news. As you no doubt know by now, the FCC has lost its case against Comcast, and the cablecos - and other facilities-based operators - are free to manage their networks as they see fit. Needless to say, this has negative implications for competitors who bring traffic over their pipes, and it won't be long now before "traffic shaping" becomes another four letter word.

This may seem a bit of a stretch, but Net Neutrality and Shadow Network are really not that far apart. In theory, nobody owns the Internet, but clearly powerful and/or devious players can make this a very uneven playing field. This is a far cry from the Arpanet vision, and the dark side of human nature seems to be getting the upper hand right now. Let's hope it doesn't stay that way, and that the good guys behind Shadow Network keep up the good work. Go Canada!

Project GhostNet - Canada (and Google) Saves the World From Cyber-Spying - Again!

Wow, what a story. While most people I know are at either VoiceCon or CTIA this week, this one is worth staying home for. Also, I'm sure all the Skype followers are focused today on the news about working with the iPhone - and that IS a big story. However - for very different reasons - I'm sure you'll find this one of interest too.

This was a front page story in today's Globe and Mail, and no doubt many other Canadian dailies. I don't particularly follow cyber-crime, but this story is pretty incredible, and for the VoIP crowd there's an important Skype tangent. This will make a great thriller movie some day (maybe I should write it!) with all kinds of angles that normally don't have much to do with one another - China/Tibet, cyber-spying, Toronto, Canada, Google and Skype. Are you intrigued? Read on, please.

In short, a team of academics/tech researchers based at the University of Toronto's Munk Centre for International Studies discovered a Dr. Evil-like cyber-spying network with global implications. The threat is largely around how data that is sensitive to Tibet's security is being poached and monitored from PCs all over the world, and how many of the links point to servers located in China. I'll stop there - am sure you can imagine for yourself just how charged these issues and allegations are. Phew!

I'll leave the politics aside, but as the reports describe, it's a story that took a life of its own with one small discovery leading to many others, and finally to the news that went public today. I'm no hacker, but can appreciate how complex these things are, and how you have to think like a hacker to reveal the Rosetta Stone that gets you on the trail to the source.

Incredibly, the breakthrough that cracked the code was not an ingenious repeat of what went into Colossus (the famous Bletchley Park-developed computer that solved the code of Nazi messages - arguably saving Britain from defeat in WWII) - but a simple Google search!!! Amazing, Mr. Smart, as Harry Hoo would have said to Agent 86 in his slow, incredulous manner.

If that doesn't get you going, I don't know what else will. There's a lot to this story, and I'll steer you straight to the article from today's paper. I love citing the online edition of stories because you also get the reader comments. At last count there were well over 500 comments, so if cyber-spying is your thing, you could be reading for a while.

This story should be of huge interest to anyone working in PC/Internet security, as it highlights just how vulnerable we can be. As smart as we think we are, the bad guys are often smarter, but in the end - and here's the scary part - nobody is smarter than Google! What does it say about cyberspace when an operation this sophisticated can ultimately be exposed by searching on Google? Sure makes you wonder what else about our personal/private lives is just a few clicks away from those who don't have the best of intentions.

So many implications to consider here, but I want to just touch on a couple here - and perhaps this will lead to some interesting dialog about other things...

First, waving the flag, it's great to say that this discovery/expose came from Canada, primarily Toronto, and some from Ottawa. The article provides quite a bit of detail about them, but the key players are Nart Villeneuve, Greg Walton and Ron Deibert from the lab at U of T, and the Ottawa-based SecDev Group.

Second - here's where the Skype connection comes in. This isn't the first time China has been associated with compromised data security. Last fall, just after the Beijing Olympics, there was an unsettling discovery about how Skype traffic was being monitored in China. Ugh. I posted about it, and the story was widely covered in the media and blogosphere.

So why am I dragging Skype back into this messy place again? Well - the same team at U of T that just exposed this cyber-spy operation also discovered what was happening to Skype in China. I know what you're thinking - if they're smart enough to do GhostNet, when you've got a cyber-spy problem, who ya gonna call?