Topic 'Re: TekTalk and call security/privacy' in forum 'TekSavvy' - dslreports.com

Re: TekTalk and call security/privacy

Wed, 04 Feb 2015 16:20:34 EDT

AsherN posted : There's no guarantee of anything. Your POTS calls could also be intercepted.

Re: TekTalk and call security/privacy

Wed, 04 Feb 2015 15:54:38 EDT

anon posted :

the best option is a router capable of VLAN's.

Only if it can't be switched into a Promiscuous mode available with Wireshark »en.wikipedia.org/wiki/Pr ··· ous_mode .

But again, this aims at protecting VoIP calls from PC sniffers, but not from intercepting VoIP packets on hops outside of user's LAN. There is also no hard core guarantee that "lawful intercept" ISP's hardware features accessible by their staff will be used ONLY for lawful purposes whatever it means, neither a guarantee that a VoIP call can't be recorded without invoking such features. :)

Re: TekTalk and call security/privacy

Wed, 04 Feb 2015 12:42:27 EDT

KaylaIT posted : Can't be done only one modem per line. Either conenct the DSL modem to a switch and the to two routers one having VOIP the other your LAN or the best option is a router capable of VLAN's.

Re: TekTalk and call security/privacy

Wed, 04 Feb 2015 12:30:26 EDT

dutox101 posted : Would using 2 DSL modems on the same phone line (one for VOIP only) be a good way to isolate the 2 LAN's ?

Re: TekTalk and call security/privacy

Wed, 04 Feb 2015 04:30:04 EDT

JeanInNepean posted :

said by CallbackDev :

Will connecting 2 routers to a modem via an unmanaged switch give the same (non-bridged) result? I ask since it looks like a cheaper solution. Would the sniffer be able to monitor traffic on the modem's Ethernet port instead of each router's Out port?

Yes, this should do the same as long as the routers aren't in bridge mode. For a hacker to be able to monitor the modem's out port, he/she would need physical access, or be able to log in to your routers and modems. It's always possible, but if you've protected your devices with proper passwords, it's hard to do.

Re: TekTalk and call security/privacy

Tue, 03 Feb 2015 14:20:45 EDT

HELLFIRE posted :

said by CallbackDev :

said by HELLFIRE:

The stuff you get from the likes of DLINK, LINKSYS, BELKIN, et al permits all outbound by default, so my personal response would be "what

firewall?"

Do you have any suggestions for the router model or firmware providing better firewall?

"Better" is a relative term CallbackDev ... my view has been "design the network to YOUR needs."

For a "explicit deny outbound" config, offhand, enterprise-level gear from the likes of Juniper, Watchguard, Sonicwall, Fortigate, Cisco, et al
can do this. Any *nix-based routing/firewall distro running on a PC can do this as well -- pfsense, smoothwall, ipcop, etc.

Regards

Re: TekTalk and call security/privacy

Tue, 03 Feb 2015 12:45:26 EDT

anon posted :

said by HELLFIRE:

The stuff you get from the likes of DLINK, LINKSYS, BELKIN, et al permits all outbound by default, so my personal response would be "what firewall?"

Do you have any suggestions for the router model or firmware providing better firewall?

said by fantom :

I am hoping that TS will clarify the issue soon.

SRTP can be a subject to man-in-the-middle attack. ZRTP presumably can't, but its not supported by most VoIP providers, and again even when its supported, there is no guarantee that some moll at ISP's end won't use hardware or firmware features available for lawful intercept, as the above linked cellphone story said. Of course such recordings can't be used as evidence in court, but they are never made for that purpose. You can safely assume that there is NO encryption or privacy of your phone calls, and they can be recorded in clear (you can do it with Wireshark too just for fun), and then processed by voice recognition soft into a text, then keywords / bank passwords / pins filtered. It doesn't mean however its done routinely, or the info collected is routinely used against customers or sold out. There are no massive complaints on the web about it.

The point here is, most banks etc. don't provide any privacy means for phone conversations to begin with, so what can you do on your end anyway? Encryption must be supported on both ends to work. :)

Re: TekTalk and call security/privacy

Tue, 03 Feb 2015 12:40:07 EDT

AsherN posted :

said by fantom :

To clarify: my original question was about the last mile security. I do realize, that my land line conversation is likely to go over IP at some point between me and the bank. It is the security of the line into my house, that I am trying to understand.

There are a lot more physical points to intercept on the POTS last mile. VoIP, you need a packet sniffer inside your network or Teksavvy's network. You could have one in one of the hops, but the route is subject to change. And all of those are in secure facilities.

Re: TekTalk and call security/privacy

Tue, 03 Feb 2015 12:32:12 EDT

anon posted : To clarify: my original question was about the last mile security. I do realize, that my land line conversation is likely to go over IP at some point between me and the bank. It is the security of the line into my house, that I am trying to understand.

Re: TekTalk and call security/privacy

Tue, 03 Feb 2015 12:10:39 EDT

anon posted : All good thoughts and a nice thought exercise.

I am not concerned about a legal intercept.

We all only have so many neighbors and a chance of one of the few trying to be so nasty is slim to none. In the case of the Internet the number of "neighbors" is much higher and there is a good chance that some of them might gains access to some of the servers/routers (for fun or otherwise). Add to that the tools for automated traffic analysis, and the final picture becomes grim: you can tap into may lines at once.

The law of big numbers has a big role in this.

There was a post form a TS person in this thread; I am hoping that TS will clarify the issue soon.

Re: TekTalk and call security/privacy

Tue, 03 Feb 2015 10:59:41 EDT

HELLFIRE posted :

said by CallbackDev :

Would the sniffer be able to monitor traffic on the modem's Ethernet port instead of each router's Out port?

Part of setting one up is knowing where to put it to get the most useful capture. If I were to put on my "black hat" hacker hat, I'd say
screw getting some home / family type to click a malicious link to install wireshark and go straight for the jugular and set a SPAN session
within the central office and/or ISP core network.

said by CallbackDev :

would the sniffer's upload traffic to a hacker's server be blocked by one's firewall?

The stuff you get from the likes of DLINK, LINKSYS, BELKIN, et al permits all outbound by default, so my personal response would be "what firewall?"

said by CallbackDev :

Of course traffic masking as Windows service related will still flow and hard to identify with Wireshark as "foreign".

Offhand, do you ever LOOK at what's running under Windows services? Can you identify and confirm all are "clean" ?

Granted, this is all theoretical, but such a lovely thought exercise.

My 00000010bits

Regards

Re: TekTalk and call security/privacy

Tue, 03 Feb 2015 10:26:44 EDT

anon posted :

said by JeanInNepean:

I meant two physical networks, whether they're managed by 1 (managed switch)

said by JeanInNepean:

I'm not sure how you block a hacker from uploading data, unless your firewall blocks ALL outgoing traffic

May be blocking ALL out traffic except for permitted applications will do? Of course traffic masking as Windows service related will still flow and hard to identify with Wireshark as "foreign". Are there any tools for that?

Re: TekTalk and call security/privacy

Tue, 03 Feb 2015 10:02:33 EDT

JeanInNepean posted :

said by CallbackDev :

I meant two physical networks, whether they're managed by 1 (managed switch) or 2 or more separate routers, as long as the two networks aren't bridged. My WiFi router (used to connect PCs and laptops) has its own subnet. Traffic on other subnets aren't bridged, thus providing isolation.

said by CallbackDev :

Also, would the sniffer's upload traffic to a hacker's server be blocked by one's firewall? Or it would usually mask under Windows service traffic? Any recommendations in this case?

I'm not sure how you block a hacker from uploading data, unless your firewall blocks ALL outgoing traffic... No hackers would establish connections on any open port that allows an outgoing connection. You'd have to block traffic by IP address, but you'd have to know the IP address first...

Re: TekTalk and call security/privacy

Tue, 03 Feb 2015 09:40:28 EDT

anon posted :

said by JeanInNepean:

It's fairly easy to put your VoIP traffic on a separate sub-net, yet, very few personal networks have more than one LAN.

Did you mean using 2 routers hooked to a modem via an unmanaged LAN switch? Then you connect an ATA or VoIP phone to one router, and your PCs to another? But in this case your softphone calls can still be sniffed. Even if you use 2 network adapters on your PC, what prevents a sniffer to monitor traffic on both?

Also, would the sniffer's upload traffic to a hacker's server be blocked by one's firewall? Or it would usually mask under Windows service traffic? Any recommendations in this case?

Re: TekTalk and call security/privacy

Tue, 03 Feb 2015 09:13:13 EDT

squircle posted :

said by JeanInNepean:

There is one big caveat to all that's been said so far... It's much easier for a hacker to infect your (or your children's) computer/tablet/cell phone with a piece of malware and sniff your local internet traffic (including your VoIP packets) than to put a tap on your physical line.

I don't know about that. As a layman, I could do some reading on the internet about how POTS is set up, use a knife as a punchdown tool and tap into a phone line at a pedestal or with a screwdriver at a demarc. I certainly wouldn't be able to learn how to induce somebody to infect themselves with malware in that kind of time period. Of course, this assumes you have a specific target and you're not on a fishing expedition.

If you'd said "easier [to be done] remotely", then I'd obviously agree with you since it would be very difficult to intercept the local loop without physical access.

VoIP will deter a casual neighbour/rogue house cleaner, but neither POTS nor VoIP will deter a determined adversary. :)

Re: TekTalk and call security/privacy

Tue, 03 Feb 2015 08:23:08 EDT

JeanInNepean posted : There is one big caveat to all that's been said so far... It's much easier for a hacker to infect your (or your children's) computer/tablet/cell phone with a piece of malware and sniff your local internet traffic (including your VoIP packets) than to put a tap on your physical line.

It's fairly easy to put your VoIP traffic on a separate sub-net, yet, very few personal networks have more than one LAN.

That being said, I don't think hackers are all that interested in listening to hours of conversation to be able to pick your banking security code that give them very little access.

Re: TekTalk and call security/privacy

Mon, 02 Feb 2015 18:30:45 EDT

btech805 posted : Also to add, as far as POTS goes, Ive seen more than one case of neighbors using each other's demarcs for long-distance and 1-900 calls. You won't have that with voip (unless someone really hates you of course, then anything is possible)
--
My opinions are my own and do not represent the opinions or wishes of BCE or any of it's subsidiaries.

Re: TekTalk and call security/privacy

Mon, 02 Feb 2015 18:26:02 EDT

sambul92 posted :

said by fantom :

Is the voice data encrypted?

Generally not - its a legal requirement in some countries for providers to be able to tap your calls in clear. There are also some hardware limitations when switching VoIP calls to POTS networks, but POTS quickly become a rarity nowadays, at least in developed nations. If you need more privacy, call peer-to-peer via VoIP ATA or Softphone by using SIP URI addresses of yours and your party phones instead of regular phone numbers. You can use ZRTP encryption in this case with a secure VoIP phone or softphone even if both parties ISPs don't support passing encrypted calls, since such direct calls won't go through their phone servers. But don't expect banks to support this calling method. Even peer-to-peer calls privacy via VPN (and also ZRTP?) is in question if you read this »Re: [Voip.ms] 2015 and concerned about security :)

There are numerous topics about VoIP (in)security in this forum section »VOIP Tech Chat , just search. Intercepting your calls is likely possible at any hop along the route to destination, but may not be that easy for an average Joe as tapping to a neighbor's POTS line.

Re: TekTalk and call security/privacy

Mon, 02 Feb 2015 15:50:33 EDT

anon posted : traceroute to p.teksavvy.com and voip.teksavvy.com
all the servers in your traceroute are the ones who can monitor your calls.

Re: TekTalk and call security/privacy

Mon, 02 Feb 2015 13:51:56 EDT

HELLFIRE posted :

said by fantom :

Is ii safe to use TekTalk to call bank, credit company, etc without a risk a kid around the world being able to listen to the conversation easily?

said by fantom :

Is the voice data encrypted?

2nd squircle that VOIP is no less secure than a POTS line, but VOIP protocols generally are not encrypted unless explicitly so,
like SRTP and Skype.

From a networking standpoint, the two immediate ways I can see your VOIP calls being intercepted are as follows :

- a) someone sets up a packet sniffer, either at your computer, within Teksavvy's network, or within the Tektalk network and starts scanning
the stream for RTP packets, then reassembling and playing back the subsequent calls.

- b) lawful intercept mode -- pretty much all voip gear has this, and it can be mis/ab/used to basically tap calls wherever they're set
up.

said by Mango:

I haven't in recent memory heard of someone who has experienced identity or other types of theft caused by someone listening in on a VoIP call (or any telephone call).

Try this little gem of a stunt . You can easily take the "best practices" in securing your computer / network, but within Teksavvy and Tektalk's infrastructure -- and all others that your call takes to get to where it needs to go -- you're trusting whoever runs it to have done the same.

My 00000010bits

Regards

Re: TekTalk and call security/privacy

Mon, 02 Feb 2015 13:19:46 EDT

Mango posted : I agree with those who say VoIP is more secure than POTS.

I haven't in recent memory heard of someone who has experienced identity or other types of theft caused by someone listening in on a VoIP call (or any telephone call). Even if a hacker could do it, they would have to listen to hours of audio before you said something useful. Other types of scams require much less effort, are more profitable, and unfortunately happen all the time - phishing and phone fraud are two examples that come to mind.

In spite of that, you should be sure that your equipment is configured securely.

- Use antivirus software on your PCs and take care when installing software or opening email attachments.

- Use a restricted cone NAT router. If you have a Windows computer, you can run the utility at »Re: [Future9] PAP2 optimal settings? to test the type of NAT your router uses.

- Never use port forwarding or DMZ; this disables your firewall.

- If you use WiFi, use strong encryption.

- Configure your networking equipment with strong passwords.

- Physically secure your networking equipment.

If your equipment is secure, the only practical way to gain access to your conversations is to be a high level employee at a telecom company - a risk you assume whether your use VoIP or POTS.

Re: TekTalk and call security/privacy

Mon, 02 Feb 2015 12:48:32 EDT

btech805 posted : I'd argue that VOIP is more secure. it is a point to point service route through your isp to the local telco exchange. With POTS as everyone has mentioned, there is a demarc on the outside of your house easily accessible to anyone. Want to be more sneaky? Theres an access terminal probably 50 yards away either on the pole or in the ground with yours and up to 25 other lines available. Go further down the line and within 1km, there is a crossbox with yours and up to 1000 other lines available. Then theres the COs. At any point, a basic recorder could be put on. I couldnt tell you how many conversations Ive accidentally heard working in COs or crossboxes because another tech didn't update records to show that there is a working line on the pair i thought was vacant.
--
My opinions are my own and do not represent the opinions or wishes of BCE or any of it's subsidiaries.

Re: TekTalk and call security/privacy

Mon, 02 Feb 2015 11:57:12 EDT

rodjames posted : not so much, with digital phones you can't just tap into the line without an ATA

Re: TekTalk and call security/privacy

Mon, 02 Feb 2015 11:17:54 EDT

TimL posted : I am talking with our team here to get you an answer too. Snow Day has kind of delayed everything - apologies.

Re: TekTalk and call security/privacy

Mon, 02 Feb 2015 11:14:51 EDT

KaylaIT posted : This may be true but as long as you are not opening your VOIP adapter to the outside would then it is a non issue. Traffic on the internet is point to point not broadcast to every corner. So the only way for someone to intercept the traffic would to have access to an intermediate device such as a router which is run by Teksavvy and mirror the traffic from it. So in reality it is no different than a POTS line as you just intercept the traffic at some point.

Re: TekTalk and call security/privacy

Mon, 02 Feb 2015 10:48:18 EDT

anon posted : There was a post about the use of SRTP, but it was removed by the moderator; not sure why.

Does TekTalk support SRTP?

Re: TekTalk and call security/privacy

Mon, 02 Feb 2015 10:42:40 EDT

anon posted : I understand all of that, but I am looking for some shielding from a "crime of opportunity": it takes determination and targeting to tap into a POTS line. There is no way to protect from that, I realize that.
The Internet seems to be all open for all: anyone from all over the world seems to be able to connect to anyone else...

Re: TekTalk and call security/privacy

Mon, 02 Feb 2015 10:30:44 EDT

squircle posted : To answer simply, it's no less secure than a landline. No, the calls are not encrypted, but landline phone calls aren't either. In fact, I'd argue it's somewhat more secure in the sense that an adversary wouldn't achieve anything by showing up outside your house and tapping your lines (unlike with a landline).

There no risk that a "kid around the world" could listen to the conversation "easily"; your VoIP packets don't circumnavigate the earth before being terminated at Teksavvy's equipment. With POTS, you're trusting your telco and an arbitrary set of upstream telcos that your call is routed through. With VoIP, you're trusting Teksavvy, Rogers/Bell/Telus/Shaw/Cogeco, and the same arbitrary set of telcos.

TL;DR you can make any call on VoIP you'd make on POTS, but don't be fooled into thinking either is secure.

Re: TekTalk and call security/privacy

Mon, 02 Feb 2015 10:29:57 EDT

notfred posted : News for you, the PSTN is not secure. Look for a demarc on the side of a house using POTS, clip on a recording device and you have everything they say over the phone.

TekTalk is secure in terms of it going straight from your home over your Internet connection to TSI to their equipment. It doesn't encrypt the voice data, very few VoIP services do.

TekTalk and call security/privacy

Mon, 02 Feb 2015 10:17:13 EDT

anon posted : Hi, I have been considering switching to VoIP for a while now and the main issue I can not figure out is how secure the VoIP calls, specifically TekSavvy. Is ii safe to use TekTalk to call bank, credit company, etc without a risk a kid around the world being able to listen to the conversation easily? Is the voice data encrypted?
Thanks in advance.