Calling up exploits
Businesses that switch over to internet telephony systems in a bid to slash telephony costs have been warned to guard against hacking attacks.
The latest VoIP security threats and countermeasures were outlined at a presentation at the Black Hat security conference in Las Vegas on Wednesday. The talk, by security experts from SecureLogix and 3Com's Tipping Point security appliance division, was accompanied by the release of 13 new security tools.
SecureLogix CTO Mark Collier and David Endler, director of security research at 3Com, explained how the scope and severity of attacks on VoIP networks are likely to increase as adoption increases. That much is well enough understood in security circles, but the talk aimed to go further by explaining the types of attacks that are likely to occur and how to defend against these exploits. A variety of VoIP attack scenarios were outlined by Collier and Endler, the chairman of the Voice over IP Security Alliance (VOIPSA).
Alongside the talk, the security researchers released 13 new tools designed to illustrate generic flaws on insecure VoIP systems. These tools, released to assist penetration testers and corporate sysadmins, illustrated how it might be possible to overload phones with spurious traffic, flood IP telephony phones with calls, force hang-ups, reboot phones or reassign devices to other users. The tools all target systems using Session Initiation Protocol (SIP). Most current systems from leading vendors such as Cisco and Nortel are moving from proprietary protocols towards SIP, so the threats outlined are more for future reference than current use. Greater adoption of SIP will bolster interoperability between the equipment of various vendors.
"The majority of VoIP systems out there are not SIP enabled. Most of them are pushing forward with SIP adoption," Endler told News.com. IP telephony system vendors, such as Mitel, have welcomed the release of the tools as a positive step towards VoIP security. However, Endler acknowledged that the availability of security testing tools has its downside. "Obviously, releasing any security tools is a double-edged sword in that you can't restrict who has access," he said.
The Communications Assistance for Law Enforcement Act (CALEA), passed in 1994, has powered its way back onto the front page this summer, and if you 1) live in the US and 2) pay taxes, you might soon be paying to implement it. And if you're a drug-dealing mobster, you might soon be experiencing it.
The FBI wants the ability to tap VoIP calls. To do this, the agency also wants access to all of your network traffic—and it looks like it's on the way to getting it. Following a long set of legal battles, the US Court of Appeals in June upheld 2-1 a newer and broader definition of CALEA's scope that could affect every university and library in the country.
While the case may not be fully settled until the Supreme Court hears it, the Justice Department has announced plans to cut the legs out from beneath it. The DoJ proposed a series of amendments to the original legislation which explicitly give the FBI the authority it seeks. Unfortunately for network operators, these amendments could be costly—and the government has no plans to help them foot the bill. If either 1) the amendments pass or 2) the courts uphold the FCC decision, CALEA will open the floodgates for easy government surveillance of Internet activity, and it could cost taxpayers a bundle.
What's included in the amendments, and how might they affect you? Let's take a look.
It's the standard procedure – new technology allows greater freedom, the long arm of the law gets a sweat on and clamps down. According to today's Guardian, police and intelligence agencies are to ask the government for the power to listen to and identify VoIP (voice over internet protocol) callers.
To be entirely fair, the lobbyists claim that their main concern is VoIP's inability to deliver a 999 service. But the Guardian article quotes a submission to Ofcom, made on 3 May by one detective superintendent Stuart Macleod, outlining the worries of the Data Communications Group – a police and industry liaison body that reports to Acpo (the Association of Chief Police Officers), Revenue and Customs, and Soca (the Serious and Organised Crime Agency), among others:
"At present, law enforcement agencies have great difficulty in tracing the origin of VoIP calls," wrote DS Macleod. "This poses significant threats to our democratic society.
"And it is for this reason that the DCG believes that it must be mandatory for VoIP service providers to be required to retain adequate records in respect of calls made using this technology." 
There are echoes here of attempts in the US courts to get Google to cough up details of people’s internet searches. We await the outcome with interest.
Source: PC Advisor
With the use of Voice Over Internet Protocol (VoIP) by all reports rapidly expanding, several recent cases have exposed serious vulnerabilities with the service.
However, fraud is an everyday occurrence, so I for one wouldn't base my decision solely on these events.
Security vulnerabilities for VoIP do exist and have been and continue to be seriously examined and worked through by the industry. However, two recent cases act as a reminder that all holes have not been closed.
Engin (Australia)
In Australia it has been reported that a very public VoIP provider, Engin, had its Customer Relationship Management (CRM) software cracked by a hacker who publicly exposed how to obtain details of other customers' orders in a post on the broadband site Whirlpool. Engin reportedly resolved the problem the next morning before any advantage was gained.
Engin appeared very honest and forthright, admitting the problem and the fixes that would be put in place, with blame attributed to a third-party programming consultancy responsible for programming the CRM. Although credit card details were apparently not recorded in the area that became accessible, the incident does highlight the ease with which confidential personal information can be accessed, not something that is usually considered a security problem related to VoIP.
Convergence and security top the list of "hot" technologies that will have the greatest impact in 2006, according to the results of a new poll.
The web survey conducted by the Computing Technology Industry Association (CompTIA) found that voice/data convergence technologies, such as VoIP and unified messaging, will have the greatest impact this year.
Convergence was selected by 34 per cent of the nearly 2,200 respondents in the poll as top of their enterprise IT priorities. Security solutions came a close second, chosen by 33 per cent of respondents.
RFID technology was the third most popular choice, at 19.2 per cent, followed by virtualisation (9.3 per cent) and service-oriented architecture (4.7 per cent).
"The poll results are in tune with what we're hearing from our members and the customers they work with," said John Venator, president and chief executive at the CompTIA.
"VoIP and related technologies are delivering real business value, security issues and preparedness are top of mind in most organisations today, and RFID adoption is moving from the trial and evaluation stage to full-scale production deployments." 
Source: VNU Net