Dan York

Just a guy in Vermont trying to connect all the dots...

Author's posts

SS7 Security On Techmeme? A Reminder About Interconnected Systems…

SS7 security issues reported on Techmeme?  I did a double-take yesterday and, as Jay Cuthrell noted on Twitter, wondered if this was a “ThrowbackThursday” taken to the extreme.  But no, there was indeed a report in the Washington Post about German security researchers discovering that aspects of SS7 signaling could be used to listen to phone conversations and/or read text messages on mobile networks.  As the article notes:

The flaws discovered by the German researchers are actually functions built into SS7 for other purposes – such as keeping calls connected as users speed down highways, switching from cell tower to cell tower – that hackers can repurpose for surveillance because of the lax security on the network.

The researchers noted that one of the attacks could get around the existing encryption mechanisms used on mobile networks:

For calls or texts transmitted using strong encryption, such as is commonly used for advanced 3G connections, hackers could request through SS7 that each caller’s carrier release a temporary encryption key to unlock the communication after it has been recorded.

SS7, or Signalling System 7, is of course the dominant set of telephony signaling protocols used in the legacy Public Switched Telephone Network (PSTN) made up of today’s wired and wireless (mobile) telephone networks.  As such, we hardly ever write about SS7 here on the VOIPSA blog, as it is not related to VoIP.

However, there were three important thoughts to me coming out of this article:

1. VoIP can be more secure than the PSTN. The report mentions the encryption of the underlying 3G transport infrastructure being subverted.  However, with VoIP apps that are “Over-The-Top” (OTT) riding on the mobile data network, the encryption can happen from within the app on one mobile device all the way to the app on the other mobile device – or at least back to a central set of servers.  Now, there can be other security vulnerabilities with such a system, but the transport layer could at least be secured.

2. Telecommunication systems are only as secure as their weakest link – and are interconnected.  The bigger concern is of course that most of our telecom systems are all interconnected… and you can have the most secure VoIP system in the world, but if you wind up connecting to the PSTN – and specifically in this case to mobile PSTN networks – then you are open to exactly these kinds of attacks.  Obviously if you are communicating only within an OTT “walled garden” where you only talk to others using the same OTT app you can be secure, but the moment you go out to the PSTN you are open to all the issues there.

3. Fixed lines are no safer if you talk to mobile users. The article ends with a German senator saying “When I really need a confidential conversation, I use a fixed-line phone”.  I don’t know about that.  For one thing, if the person you are calling is a mobile phone user, you are again open to these kinds of attacks.  Secondly, the Snowden revelations of the past year have certainly shown us that large agencies have the ability to listen in to communications on the networks of the PSTN.  If I absolutely want a confidential conversation, I’m personally going to use one of the VoIP applications that has end-to-end encryption. I’m NOT going to trust a fixed line any more than I would trust a mobile phone.

And I guess the final thought is of course that the legacy PSTN is full of security issues – they just aren’t necessarily as open for all to see because of the more closed nature of the traditional telephone networks.

A good reminder, though, that telephony security has always been a problem – and we need to ensure that both our VoIP and traditional networks have adequate security.

Meanwhile, it was rather fun to see SS7 mentioned on Techmeme… not something you’d expect to see!

Friday Humor – Hipku Encodes An IPv6 Address As Haiku

For your Friday enjoyment, here is the IPv6 utility you never knew you needed – Hipku will encode an IP address as haiku.  For instance, here is the IPv6 address of our Deploy360 website:

Chilled apes and fat smew
aid chilled ace ace ace ace ants.
Ace ants aid ace clans.

Now, I’m not personally sure that helps me a great amount… but it’s certainly something amusing to try on a Friday.  You may get something more memorable for your address. :-)   You can visit the site at:

http://gabrielmartin.net/projects/hipku/

and get the actual source code on Github at:

https://github.com/gabemart/hipku

It works for both IPv6 and IPv4 addresses, and if you click on the link for your current IP address (under “Example”) you’ll get a nice page with an image behind it.

As author Gabriel Martin explains, he did this entirely for fun … and he does go into great detail about how he did it all.

Anyway… have fun with it!

P.S. And when you are ready to get serious about implementing IPv6, please head over to our Start Here page to find resources designed to help you get started today!

P.P.S. And if you are asking yourself, “why would I remember an IPv6 address? That’s what DNS is for!”  We agree… and we also think DNS should be made secure!  If you aren’t familiar with DNSSEC, why not learn about it today?

Norway’s .NO Passes 22,000 DNSSEC-signed Domains

It’s fun watching on Twitter as Norway’s .NO grows in the number of DNSSEC-signed second-level domains. Norid’s Unni Solås tweeted out today that they had passed 22,794 signed .NO domains – and also provided an explanation for this ongoing growth:

Congrats to the Norid team – it’s great to see the growth… you may recall that only a week ago we wrote about .NO crossing the 5,000 signed domain mark!  Quite a good increase in the space of only a week! Given that Norid’s main page states there are 650,211 .NO domains in total, this brings them to about 3.5% of all .NO domains being signed with DNSSEC.   Not a bad start for a newly signed domain.

Norid has also published its “DNSSEC Policy and Practice Statement (DPS)” that outlines their policies and procedures.  We’ve added that to our list of DPS documents that can be found at:

http://www.internetsociety.org/deploy360/resources/dnssec-practice-statements/

If you are with a top-level domain, or even with an enterprise seeking to sign your own domain(s), these DPS documents can be useful for understanding the degree of security that some TLDs are undertaking.

Congrats again to the Norid team and we’ll look forward to seeing their continued growth!

P.S. If you want to sign your domain with DNSSEC or enable DNSSEC validation on your network, please visit our Start Here page to find resources aimed at your type of organization or role.

TDYR 200 – WordPress 4.1 Brings Improved Distraction-Free Writing

WordPress 4.1 is out today and brings a MUCH improved "distraction-free writing" experience... More info: http://www.disruptiveconversations.com/2014/12/new-wordpress-41-provides-much-improved-distraction-free-writing-experience.html

New WordPress 4.1 Provides Much Improved Distraction-Free Writing Experience

WordPress version 4.1 is out today and the greatest feature I like is a new and MUCH improved "distraction-free writing" experience.


The beautiful part about this is that when you click in the window and start typing, all the sidebars and menus fade away so that you can just focus on writing...

BUT...

... the moment you move your mouse outside the writing window all the sidebars and menus come back!

This is a huge improvement over the previous experience with WordPress 4.0 where once you clicked the button you were in a white screen with no way out unless you scrolled up and clicked the link in the menu bar that appeared:


I found the WordPress 4.0 way so annoying that I never used it. Inevitably after I entered the mode I needed to change categories or tags or something like that - and so it was simply easier to NOT use the distraction-free mode.

The WordPress development team produced a video that shows how well this new writing mode works.

I like it because it lets me write but also makes it super easy for me to get back to the menus and sidebars.

All you need to do to enable the "distraction-free writing" mode is to click on the box at the top right of the editing window:


It acts as a toggle to turn the "DFW" mode on or off.

Very nicely done!

There were of course many other aspects of the WordPress 4.1 release. The release post and the field notes as well as the codex entry go into much more detail. The Twenty Fifteen theme is pretty cool... and some of the other features are also interesting. But for me... I just like this new writing environment!

What do you think? What do you like best about WordPress 4.1?


An audio commentary is available as TDYR 200:




ICANN Seeking Volunteers For DNSSEC Root KSK Rollover Plan Design Team

Do you want to help ICANN plan the best way to roll the root key used for DNSSEC?  Are you interested in being considered as a volunteer member of ICANN’s Root KSK Rollover Plan Design Team?  Recently ICANN staff sent a message to the public dnssec-coord mailing list and various other mailing lists asking for volunteers.  The “Solicitation of Statement of Interest for Membership in the Root Zone Key Signing Key Rollover Plan Design Team” (say that 10 times fast!) begins:

ICANN, as the IANA functions operator, in cooperation with Verisign as the Root Zone Maintainer and the National Telecommunications Information Administration (NTIA) as the Root Zone Administrator, together known as the Root Zone Management (RZM) partners, seek to develop a plan for rolling the root zone keysigning key (KSK). The KSK is used to sign the root zone zone-signing key (ZSK), which in turn is used to DNSSEC-sign the Internet’s root zone. The Root Zone Partners are soliciting five to seven volunteers from the community to participate in a Design Team to develop the Root Zone KSK Rollover Plan (“The Plan”). These volunteers along with the RZM partners will form the Design Team to develop The Plan.

The document goes on to list the requirements and the process.  Essentially, if you meet the requirements you need to send a message with the requested information to ksk-rollover-soi@icann.org by the end of the day on Friday, January 16, 2015.  The Root Zone Management partners will then choose from among the applicants to form the Design Team.

We’ve written here before about how incredibly important it is to get the Root KSK Rollover right, and so we commend ICANN for going through this process to create an appropriate Design Team.  We would encourage people with operational knowledge of DNSSEC and DNS in general to definitely read over the document and consider applying!
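To make the KSK/ZSK relationship in the quoted text concrete, and to show why getting the rollover right matters, here is an added illustration that is not part of this post, of ICANN's plan, or of any DNS software: a small Python model in which a KSK signs the DNSKEY RRset containing a ZSK, the ZSK signs a zone record, and a resolver validates only against its own configured trust anchor. Everything in it is a constructed stand-in: the zone name and record, the key-tag scheme, the rollover phases, and the signature algorithm (a Lamport one-time signature over SHA-256 replaces the real DNSKEY algorithms, so it runs with the standard library alone).

```python
"""Toy model of the DNSSEC root key hierarchy and a KSK rollover.

Constructed illustration only: not ICANN's plan and not any DNS software.
A Lamport one-time signature over SHA-256 stands in for the real DNSKEY
algorithms. It is pure stdlib and genuinely asymmetric, but it is safe for
only ONE signature per key, so signing the DNSKEY RRset again with the same
KSK in later rollover phases below is for illustration, not for real use.
"""
import hashlib
import os


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Lamport key pair: 256 pairs of random secrets; the public key is their hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def pk_bytes(pk) -> bytes:
    return b"".join(a + b for a, b in pk)


def hash_bits(msg: bytes):
    digest = H(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def sign(sk, msg: bytes):
    # Reveal, for each digest bit, the secret that corresponds to that bit value
    return [sk[i][bit] for i, bit in enumerate(hash_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    return all(H(sig[i]) == pk[i][bit] for i, bit in enumerate(hash_bits(msg)))


def key_tag(pk) -> str:
    """Short identifier for a public key, playing the role of a DNSKEY key tag
    or of the DS digest a resolver keeps as its trust anchor (constructed)."""
    return H(pk_bytes(pk)).hex()[:16]


class RootZone:
    """The DNSKEY RRset (one or more KSKs plus a ZSK), an RRSIG over it from
    each KSK, and one ZSK-signed record, mimicking the root zone."""

    def __init__(self, ksk, zsk):
        self.ksks = [ksk]   # (sk, pk) pairs; more than one during a rollover
        self.zsk = zsk
        self.record = b"example. IN NS a.iana-servers.net."  # constructed sample RR
        self.resign()

    def dnskey_rrset(self) -> bytes:
        # Canonical form: every KSK public key, then the ZSK public key
        return b"".join(pk_bytes(pk) for _, pk in self.ksks) + pk_bytes(self.zsk[1])

    def resign(self):
        rrset = self.dnskey_rrset()
        self.dnskey_sigs = {key_tag(pk): sign(sk, rrset) for sk, pk in self.ksks}
        self.record_sig = sign(self.zsk[0], self.record)

    def add_ksk(self, ksk):
        self.ksks.append(ksk)
        self.resign()

    def remove_ksk(self, tag):
        self.ksks = [k for k in self.ksks if key_tag(k[1]) != tag]
        self.resign()


def validate(zone: RootZone, trust_anchor: str) -> bool:
    """A resolver's view: find the DNSKEY matching my trust anchor, check that
    it signed the DNSKEY RRset, then check the ZSK's signature on the record."""
    rrset = zone.dnskey_rrset()
    for _, pk in zone.ksks:
        if key_tag(pk) == trust_anchor:
            sig = zone.dnskey_sigs.get(trust_anchor)
            if sig is not None and verify(pk, rrset, sig):
                return verify(zone.zsk[1], zone.record, zone.record_sig)
    return False   # no DNSKEY matches the anchor, or its RRSIG fails: bogus


def rollover_demo():
    """Double-signature KSK rollover. Returns, per phase, a pair of booleans:
    (resolver still anchored on the old KSK, resolver anchored on the new one)."""
    old_ksk, new_ksk, zsk = keygen(), keygen(), keygen()
    old_tag, new_tag = key_tag(old_ksk[1]), key_tag(new_ksk[1])
    zone = RootZone(old_ksk, zsk)
    results = {"before": (validate(zone, old_tag), validate(zone, new_tag))}
    zone.add_ksk(new_ksk)      # phase 1: publish the new KSK, sign with both
    results["dual"] = (validate(zone, old_tag), validate(zone, new_tag))
    zone.remove_ksk(old_tag)   # phase 2: retire the old KSK
    results["after"] = (validate(zone, old_tag), validate(zone, new_tag))
    return results


if __name__ == "__main__":
    for phase, (stale, updated) in rollover_demo().items():
        print(f"{phase:6s} stale-anchor resolver: {stale}  updated resolver: {updated}")
```

Running it shows the point of a carefully planned rollover: while both KSKs sign the DNSKEY RRset, resolvers with either anchor validate, but once the old KSK is removed a resolver whose trust anchor was never updated treats the whole zone as bogus. A real plan has to give every validator time to pick up the new key before that final step.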

P.S. And if you don’t know about DNSSEC, or want more information, please visit our Start Here page to find out how to begin!

TDYR 199 – WordPress Content Creation Statistics – The Plugin I Want


Skype Translator Looks Intriguing

While it is only a "preview" release and is only available to people using Skype on Windows 8.1, Microsoft's new Skype Translator announced on Monday looks very cool! As they state:

The preview program will kick-off with two spoken languages, Spanish and English, and 40+ instant messaging languages will be available to Skype customers who have signed-up via the Skype Translator sign-up page and are using Windows 8.1 on the desktop or device.

The very well-done video shows the real potential, though:

I think many of us have always wanted the Star Trek Universal Translator and while this "preview" from Microsoft is not yet near that sci-fi ideal, it's definitely a very intriguing step in that direction. I like the idea that it can do both speech and text translation. Given my travel to different parts of the world, the idea of being able to whip out my smartphone and be able to translate to and from another language is definitely welcome.

I'm told the Windows 8.1 restriction is because it is based on Microsoft's Cortana 'personal assistant' technology. Given that I have no Windows 8.1 devices nor expect to anytime soon, I won't personally get a chance to check out this Skype Translator preview. (Although obviously I would expect Microsoft is hoping that perhaps this may help drive some people to use Windows 8.1.)

On a macro level, I think it's great that Microsoft/Skype is undertaking this kind of research and development. Certainly anything that can help bridge communication challenges is welcome in this global age!




BT Releases Results of 2014 DNSSEC Survey

BT Diamond IP just published the results of their 2014 DNSSEC survey and the report is available for all to download for free.  Back in October, I’d encouraged people to take the survey to help gain an understanding of DNSSEC deployment, and BT’s Tim Rooney noted in his post about the survey that this year there was a high amount of participation by people who had already deployed DNSSEC:

Clearly this year’s survey attracted active deployers of DNSSEC, which contrasts sharply with the 2012 survey where less than 25 percent of respondents had already deployed or were actively deploying DNSSEC validation and signing.

In fact, the way I read his tables on page 4, over 60% of respondents had deployed DNSSEC and another 10% were in the process of doing so.  Not exactly representative of the overall industry! (Unfortunately.)  Still, though, I think the report provides useful insight into DNSSEC deployment from the point of view of people who have deployed the technology.  (By the way, we did write about the 2012 report back when it came out.)

Tim also relays these highlights of the 2014 report:

  • Nearly all respondents agreed with the statement that DNSSEC can or does provide value to their organization and over 85 percent likewise agreed that DNSSEC technology is mature and can be reliably deployed.
  • Forty-seven percent of respondents agreed that deploying and maintaining DNSSEC is very complex, 12 of the 47 percent strongly. Only 22 percent disagreed. This is rather telling in that DNSSEC is not only considered complex to the uninitiated, but that experience shows this to be the case.
  • Nearly half of respondents disagreed with the statement that only external (Internet-facing) zones need be signed, while 28 percent agreed with the statement. This majority position debunks the theory that internal name spaces are of little concern when it comes to DNSSEC.
  • Only 20 percent of respondents agreed that dedicated hardware security module (HSM) appliances or cards are required to store private keys.
  • Over 75 percent of respondents assign their DNS groups as responsible for DNSSEC implementation and management, sometimes alone or often in conjunction with other groups. It’s interesting to note that about 25 percent of respondents do not involve the DNS group in the process!
  • As an industry, simplifying the deployment process to reduce complexity and therefore costs to some degree could help spur further DNSSEC deployments.

I’ll definitely agree with his last point about reducing complexity and that’s something that I know we and others within the industry continue to champion … any way that we can add more automation or make the user experience simpler will go far to help advance DNSSEC deployment.

I found a number of the other charts quite interesting, such as the reasons for NOT deploying DNSSEC as well as those about what software was being used.  All in all I think the report is a useful contribution to the ongoing discussions around DNSSEC.  I’d like to see more of these types of surveys so that we can continue to build out a picture of DNSSEC deployment as well as the challenges that need to be addressed.

Thanks to Tim Rooney and the others at BT Diamond IP for compiling this survey!


TDYR 198 – Living In The IPv6 Bubble
