A software developer who designed a way to tap and record calls made on Skype and other VoIP networks has made the source code of the spying program public, a move he said will allow other programmers to build workarounds to the potential threat. The programmer, Ruben Unteregger, was tasked by his former company ERA IT Solutions to write a Trojan horse program that could tap VoIP calls for the Swiss government.

Apparently, the program bypassed Skype’s heralded encryption process, one that has vexed security officials in Europe multiple times.

In a translated interview, Untregger discussed his rationale for releasing the code.

“The code will be published, it will get analyzed as soon as the binaries got uploaded, signature patterns will be created by anti-virus companies, the malware will be detected, blocked and deleted, if it tries to infect a system,” Untregger said.

Untregger’s motives appear to be genuinely in the interest of private citizens and enterprises that use VoIP services like Skype, as the publicizing of the code makes its use by security agencies redundant, according to a Computer World report. However, making this code available could have negative repercussions if hackers can use it to build even more powerful tapping programs. Other instances of Skype hacking, such as China’s purported monitoring of dissident communication via VoIP programs, gives one pause when considering the public availability of such information.

With the advent of wireless networks and other technologies, we are increasingly exposing our data to the risk of theft and interception by third parties with nothing more than a notebook computer and some freely available tools, which can be acquired online.

Whilst most home users and many organizations are now aware of the security implications of having unsecured private networks, the truth is that not many are aware of the limitations and the vulnerabilities that exist with wireless communications.

Wireless networks using older encryption technology are easily attackable using brute force attack.  By snooping encrypted packets for long enough, potential intruders can extrapolate the encryption key and gain access to the network.

This means the whole network becomes compromised and as a direct result of poor encryption standards, e-mails and other communications can be intercepted with ease.

To secure wireless networks, it is recommended to ensure that more popular and recognized encryption protocols are used and that key strength is strong enough to mitigate the risks of brute force attack.

However, many networks can still be breached so it is important to ensure that networks offer multiple layers of protection.  One way of protecting data, file transfer and VOIP communications that occur on a wireless network is to ensure that third party encryption software is used that effectively ‘double-encrypts’ any sensitive data being broadcasted wirelessly.

This ensures not only that the information is secure, but also reduces the value of data which is sniffed off the air, as it is essentially worthless due to the fact it is encrypted.

Various world governments have started significant research into one-touch hacking tools, which can be utilized on the battlefront.  These tools are being designed to be able to target weaknesses in Wi-Fi networks as well as intercept VoIP communications and satellite relays.

Following recent developments, the United States government has publicized the fact that it is researching such technologies in order to empower and increase the role of the battlefront soldier.  This technology should enable users to exploit weaknesses in security, control power grids and manipulate security systems remotely.

This is of great concern to any organization because this technology is just a showcase of what is actually currently available online.  Things such as packet sniffers, WEP and WPA-PSK key decryptors have been available online from one source or another for years and it is only now that the government is starting to adopt the practices of experienced hackers and adapt them for battlefield use.

The modern organization faces a real threat of digital attack on a daily basis, and with tools on this being developed by the government; one can only imagine what is available to the digital underground.

Traditional security measures in the forms of IDS systems, firewalls and others are no longer adequate when it comes to protecting security.  Organizations need to stop thinking about ‘if’ they are breached, but ‘when’ they will be breached.  By changing company focus from that of prevention to limitation ensures that should the worst-case scenario occur, companies can still minimize risk by ensuring all assets are secure with technologies such as advanced Encryption amongst others.

Gold Lock Enterprise not only serves as a military grade voice encryptor, but actually works to ensure that all file and text communications are also protected from hackers at a level equivalent to that in use by the NSA and worldwide military organizations.

Recent reports have surfaced that have revealed weaknesses in the ever-popular Google Voice and Skype protocols.  These weaknesses have allowed attackers to eavesdrop on third party calls and make unauthorized calls using another person’s account.

Such a vulnerability in a service as popular as this is highly concerning, but the attacks have been proven to work according to many different sources, and also the Slashdot website.  It would seem that we are now looking at two protocols, which remained secure for a long time, which now have a major vulnerability that calls into question the whole security of the architecture.

Any organization that is reliant on Google voice or Skype should now be asking themselves the question: “is it really safe for my company”? Even though according to both companies, the vulnerabilities have been fixes the truth is once a major weakness is exposed it can be very hard to trust it again.

Certainly, the fact that these technologies have been breached must be a concern for both organizations and individuals that are dependent on secure calls.  However, what alternatives are available and how do people utilize them?

One can avoid the dangers of integrating non secure solutions from Skype, Google Voice, or other non secure VOIP systems into organizations infrastructure and instead utilize technologies, which are tested, and proven more secure.

We are living in a world where almost a third of all businesses and home users in America are utilizing some form of VOIP technology. This may be to empower whole calling centers, or alternatively it may be on a smaller scale for inter-departmental communication.

2008 saw a record growth year in VOIP technology, and it also saw attacks against VoIP networks increase exponentially. As a result, many corporate networks whilst protected against internet-based attacks are still vulnerable against VOIP targeted breaches.

It is surprising to see the lackadaisical approach to security that many organizations are taking. In three years, analysts predict that VOIP will overtake traditional PSTN technology, and given the vulnerabilities of VOIP, organizations need to ensure that they have acted appropriately in order to mitigate the security risks.

What are the Security Risks of VOIP?
VOIP is an IP-based technology. Given the fact that data travels throughout the internet, this means that it is vulnerable to multiple points of interception unlike that of PSTN communications, which have remained relatively, secure in comparison.

IP Data is Vulnerable to Eavesdropping. Because many businesses are using VOIP equipment to conduct sensitive business transactions, they are becoming victims of direct man-in-the-middle attacks. Such attacks are preventable with good security policy.

VOIP Networks are Vulnerable to Direct Attack. Malicious attacks are increasing that are targeted specifically to VOIP networks. These attacks normally flood VOIP traffic to try to cripple the organizations infrastructure and effectively it allows attackers to gain unlawful access to information systems.

Given the main risks of VOIP technology, organizations have had to develop truly multi-layered security policies, which can safeguard voice and data systems at the same time. A typical multi-layered security policy does not aim to stop attackers entirely, but uses technologies such as VOIP encryption and file encryption to ensure that if networks are breached, then sensitive information will never be vulnerable.