[VoiceOps] PCI Compliance and VoIP

Matt Yaklin myaklin at g4.net
Fri Oct 21 02:18:05 EDT 2011 


On Fri, 21 Oct 2011, Paul Timmins wrote:

>
> On Oct 20, 2011, at 10:55 PM, Jay Hennigan wrote:
>
>> On 10/20/11 6:07 AM, Hiers, David wrote:
>>> I've no doubt that they are correct; card information encapsulated in a codec needs to be encrypted over unsecure networks, which includes the Internet.
>>>
>>> We can safely assume that they are in contact with the PCI standards people, and getting advice from other PCI compliant entities.
>>
>> But is not the analog/TDM PSTN also a public, insecure, unencrypted
>> network?  What's more difficult, tapping an analog phone line with a
>> simple recorder coupler from Rat Shack or intercepting a specific RTP
>> stream over a random route mixed in with gigabytes of pornography and
>> other assorted cruft?
>>
>> It boggles how people who think nothing about using cordless phones are
>> so paranoid about VoIP security over the Internet.
>
> Attached to my backpack is a massive PCI standard violation. I think nothing of carrying it every day.
>
> How long until they either try to ban my fluke ts44 deluxe, or wake up to the idea that POTS is less secure but still not considered a problem. It's not like it's hard to decode the 300 baud FSK datastream of a credit card terminal.
>
> A T1 is no match for my T-Berd 224, comparatively a relic but perfectly capable of doing what my harris can do to a t1. Even if that's some high rent money for you, my phoenix networks t1 test unit can do it and cost less than the buttset on ebay.
>
> Preaching to the choir here, of course, but it's just plain silly. Any of these devices could be used relatively anonymously with nothing more than a $30 assortment of various tools (can wrench, inverted hex wrench used on a lot of remote terminal and cell tower enclosures, smartjack enclosure key). If you're broke and your adversary has a pots line, climbing the pole and taking a corded phone with the jack hacked off to expose the wires will give you more access and anonymity than you could ever want.
>
> But here we are talking about military grade encryption for some RTP streams over a generally saturated backbone network with 10 gige links brimming with porn. LOL. Talk about killing an ant by running it over with a semi truck.
>

Comparing an analog phone line or smaller TDM circuits to >= 1 gig
backbone data connections does not seem very fair.

Heck, my T-Berd can pick out and listen to a DS0 on a DS3 let alone
a T1. But try doing that with an OC48. I am not even sure if they
make gear to be able to do that easily let alone having a monitor
point to jack into in most cases.

Yet with a data connection, depending on the hardware and speed
of the port, you can just mirror a port and dump all or selectively
dump the traffic to a cheap linux box with monster size HDs. Retrieve
it after business hours and pick out calls at your liesure.

Data seems equally weak everywhere while larger TDM circuits seem
more difficult. To me at least. I am also making an assumption one
cannot take down any circuit for any amount of time to accomplish
the goal of "listening in/recording".

Hey.. someone has to attempt to defend the PSTN/TDM networks :-)

matt



> -Paul
> _______________________________________________
> VoiceOps mailing list
> VoiceOps at voiceops.org
> https://puck.nether.net/mailman/listinfo/voiceops
>

More information about the VoiceOps mailing list