Telecom Security India 2003

Security critical to widespread use of telecom networks for business

Rajendra Prabhu

NEW DELHI -- E-commerce opportunities are so extensive
that the digital community is yet to realise the potential
of this sector, says Dr. Ashok Khemka, director and
joint secretary, Electronics and IT Department of
Haryana Government. Dr. Khemka was delivering the
keynote address at the second Telecom Security conference
organised recently in the capital by Convergence plus.
As of now, only 10 percent of total US sales are
by e-commerce. However, it is already a US $230-billion
market. Forrester Research has forecast that
this market will grow at 19
percent per annum between 2003 and 2008.

Addressing transactional issues will help grow this market, he
adds. This has three aspects -- financial, legal and
market access. Describing how true e-cash would work,
Dr. Khemka said that by using a second tracking number,
the purchaser introduces a blinding factor and sends
the e-cash to the vendor. From the vendor, it goes
to the bank that verifies the digital signature. A
tracking number avoids the duplicate use of the e-cash
issued.
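
The e-cash flow described above, sketched as an added example that is not from the talk or the original article. It assumes Chaum-style RSA blind signatures (the article names no scheme); the toy key and all function names are constructed for illustration.

```python
import hashlib
import secrets
from math import gcd

# Toy bank RSA key from two Mersenne primes (constructed; far too small for real use).
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # bank's private exponent

def digest(serial: bytes) -> int:
    """Hash the coin's tracking number into the RSA group."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N

def blind(serial: bytes):
    """Purchaser: hide the tracking number behind a random blinding factor r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (digest(serial) * pow(r, E, N)) % N, r

def bank_sign(blinded: int) -> int:
    """Bank: sign the blinded value without learning the tracking number."""
    return pow(blinded, D, N)

def unblind(blind_sig: int, r: int) -> int:
    """Purchaser: strip r, leaving an ordinary signature on the tracking number."""
    return (blind_sig * pow(r, -1, N)) % N

class Bank:
    def __init__(self):
        self.spent = set()  # tracking numbers already deposited
    def deposit(self, serial: bytes, sig: int) -> str:
        """Vendor forwards the coin; bank checks the signature, then duplicate use."""
        if pow(sig, E, N) != digest(serial):
            return "rejected: bad signature"
        if serial in self.spent:
            return "rejected: duplicate use"
        self.spent.add(serial)
        return "accepted"

def demo():
    bank = Bank()
    serial = secrets.token_bytes(16)  # the coin's tracking number
    blinded, r = blind(serial)
    coin_sig = unblind(bank_sign(blinded), r)
    return [bank.deposit(serial, coin_sig),      # first spend
            bank.deposit(serial, coin_sig),      # same coin replayed
            bank.deposit(serial, coin_sig ^ 1)]  # tampered signature
```

The bank signs only the blinded value, so at deposit it can verify its own signature and reject a repeated tracking number without being able to link the coin to the withdrawal.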

The extensive use of e-commerce depends on the proper
legal protection to the data. The OECD has already
laid down universal standards for data protection
that obliges data collectors and controllers to obtain
information fairly and lawfully, use it in a manner
compatible with the purpose for which it was collected,
keep it for specified purposes and periods only, and
ensure that there is no unauthorised disclosure. Dr.
Khemka stressed the need for a Prevention of Computer
Misuse Act that would also define data related, network
related and access offences, as well as offences affecting
individuals. In e-governance projects, there should
be a state data center with adequate measures for
its confidentiality, integrity, availability and accountability
that would hold all people concerned accountable for
any security lapses. He notes that policies on managerial
security and physical security also need to be in
place.

In wireless networks, security features have evolved
from simple, practical ones to a complex, standards-based,
comprehensive suite of security features, pointed
out Amajit Gupta, general manager, sales and marketing,
Lucent Technologies, in a detailed presentation. "In
today's Internet age, security is commonly interpreted
as access control plus content privacy. However, in
wireless networks in addition to protection against
fraud, accounting for access and privacy issues related
to content have also become important." Security
is often a trade-off between cost, user convenience,
security and international laws, and technology deployment
and adoption have to work out a compromise in this
regard. Different security models are employed in
GSM and CDMA markets.

On specific GSM/GPRS security problems, Gupta cautioned:
"The root key is vulnerable. Security of SIM
cards has been broken through. Once the root key
is compromised, the security model fails." "Operators
re-use security triplets to save on the cost of the
intersystem traffic. This encourages repeat attacks
by hackers." There is also "no explicit
confirmation to the home network that authentication
is properly used when customers roam." Common
ciphering becomes necessary to protect simple TDMA
traffic. According to him, pre-call validation was
not practical. Breaking through the GSM/GPRS fortress
was not difficult.

On the other hand, hacking was extremely difficult in
CDMA wireless systems, Gupta said. "Very complicated
CDMA air interface prevents active false base station
attacks," he noted. Soft handoff prevented
following and intercepting the user communications
link. Cryptographic authentication with pre-call validation
prevented fraudulent access. The 64-bit validation
and the upcoming 128-bit encryption were used to promote
data protection. There was additional protection in
the private long code mask and high data throughputs.
"2G CDMA systems provide effective practical
security," the Lucent executive said. There are
some common limitations of 2G security in both CDMA
and GSM, Gupta recalled. However, in 3G, there were
significant security enhancements in cdma2000 and
UMTS, which he described in detail.

On the issue of WLAN security, Amajit Gupta said, "At
present WLAN security is weak," being "misconfigured
or bypassed" and based on "faulty protocol
and weak ciphering." However, the upcoming 802.11
security enhancements "can provide better network
control of the airlink security." Nevertheless, "even
with improved protocol and algorithms, its configuration
must be enforced by proper network based functionality."

On the wireless system itself, Gupta said: "It is
a secure technology. Substantial investments and learnings
have culminated in a robust and proven security environment
in a modern 3G wireless system. These have a strong,
underlying, secure CDMA air interface standard. Security,
as a network concern, is sufficiently well addressed
in digital wireless cellular domain today."

Lawful interceptions and monitoring of networks

As important as securing telecom networks against illegal
interceptions was enabling lawful interceptions and
monitoring of these networks in the overall interests
of national security. The conference focused as much
on these legal interceptions and monitoring. Voxtron's
Verbatym, said Karanvir Singh, president, Voxtron
Dezign Lab Pvt. Ltd., could monitor wireline and wireless
networks, international gateways and packet data networks.
It could record different kinds of voice, data and
messages using network switch-based or passive access.
The system features 20 simultaneous calls per server,
SMS, fax, data in primary and secondary storage configurations.
It correlates real time call content with location
etc., which is target-based and compliant with standards
set by the Telecom Engineering Center (TEC). Among
other things, it manages a database of intercepted calls
and facilitates playback, transcription, review, and
analysis.

In the interests of fighting crime and terror, interception
is an important tool of security agencies against
the increasingly sophisticated crime syndicates and
terror merchants. NiceTrack from NICE Systems is a
suitable solution for such purposes. The Internet
has become the preferred medium of traffic by criminal
and anti-national elements. Therefore, the interception
of Internet traffic has become a national necessity.
NICE's Frederick Manasseh described the tools the
firm has for facilitating interception of telecom
and Internet traffic.

He added that maintaining subscriber anonymity was a
big challenge in interception. He presented different
scenarios where legal interception had been carried
out. NiceTrack enabled wider coverage of the target's
traffic and simpler administration of the data obtained.
It had not only a sophisticated telecom monitoring solution,
but also a flexible and state-of-the-art Internet front-end
and comprehensive monitoring center functionality.
Designed with real intelligence and operational experience,
it was easy to use, utilising intuitive geographic
user identity. It provided enhanced analysis tools,
as well as centralised and distributed layouts. It
was designed to easily adopt and manage emerging technologies,
the NICE executive said. NICE, founded in 1986, is a
global supplier of multimedia recording solutions,
value-added applications and related professional
services. It had revenue of US $154 million in 2002
and employs over 1,000 people. Its clients constitute
some 58 percent of Fortune 100 companies. It is partnering
with industry leaders for applications and has offices
already in several countries.

On the subject of secure electronic financial transactions,
the Euronet model differs considerably from the traditional
approaches, say Ravikumar and Srinivasa Rao, executives
of Euronet Worldwide. With a single connection to
Euronet's network, it is possible to handle bank connections
and integration, and the time to market is just three
months, half the time that the traditional approach takes.
It is a single payment gateway from the customer's
touch-point to the Euronet and the mobile operator,
whether it is for an ATM recharge transaction, or
a Euronet mobile recharge. The latter facility enables
GSM subscribers to electronically recharge their prepaid
accounts directly from their mobile phones.

The Euronet mobile recharge benefits include the ultimate
in customer convenience and control for prepaid replenishment
using bank debit or credit cards. The recharge is
available even while the customer is abroad. A Web
recharge facility is available as well, besides electronic
bill presenting and payment systems (EBPP), which
is possible through mobile phones, ATMs and Web PCs.
Multi-tiered security that ensures the integrity of
the customer and his financial data protects the system.
The sensitive data has a triple encryption protection.

Eric Greenberg, channel sales manager, Mercom, pointed
out that the vendor has installed over 20,000 recording
channels within Asia in 2002, and has leading market
share. He added that flexibility is the key in any
security system. Greenberg pointed out that investments
were protected in his system using the latest, industry
standard technologies and off-the-shelf components
from top companies like Microsoft, Avaya, Cisco, Nortel,
Siemens and Aspect. The multi-function single server
architecture encompasses voice recording, screen recording,
fax recording, archiving and integral CTI interfaces
using open architecture.

"Mercom's audiolog digital voice recorder enables compliance-based
recording, criteria-driven recording, as well as quality-focussed
recording of the VoIP network," Greenberg added.
He illustrated the simplicity of the operation by
pointing out that by simply right-clicking the
mouse, the last call can be replayed at the dispatcher's
desktop through a sound blaster card, while a left
click displays the list of all calls taken by that
dispatcher only. Mercom is a leading provider of advanced
multimedia recording solutions for public safety,
military, local and state governments and call centers.