More Cisco, Avaya, Nortel Vulnerabilities Named
Posted by Eric Krapf | Jun 26, 2008
VOIPShield has released a new raft of vulnerabilities that it found in IP telephony systems from Cisco, Avaya and Nortel (announcement here; vulnerability details here). Unlike its previous such announcement, VOIPShield has this time coordinated the release with the affected vendors, avoiding the criticism it faced the last time, when VOIPShield went public with the vulnerabilities before the affected vendors could address all of them.
Security; It's Not Them, It's U.S.
Posted by Gary Audin, Delphi, Inc. | Apr 29, 2008
The U.S. is the biggest source of security threats in the world. So says the Sophos “Security Threat Report Q1 08”.
Stupid Survey of the Day
Posted by Eric Krapf | Apr 16, 2008
This is a sexist piece of crap, right? I mean, I get the part about tricking people into giving up information to prove that they're not careful enough about security. But the chocolate bar stuff? Give me a break.
VOIP Security Vulnerabilities and Vendor Notification
Posted by Eric Krapf | Apr 7, 2008
On the VOIPSA blog, Dan York offers some concerns about the way VOIPShield handled its recent announcement of the vulnerabilities it had found, an announcement that just happened to be coupled to a new product release.
VOIPShield Says It's Found Lots of Vulnerabilities
Posted by Eric Krapf | Apr 2, 2008
VOIPShield, a VOIP security company, says it's found some 80 vulnerabilities in Avaya, Cisco and Nortel IP-telephony gear, and another 44 vulnerabilities in the SIP protocol. More detail on each vulnerability is spelled out in the Research section of VOIPShield's website. According to the website, the vendors are working on fixes for their respective vulnerabilities, and in cases of 3 vulnerabilities rated as "critical," patches are already available.
VoiceCon Video: SecureLogix
Posted by Eric Krapf | Mar 31, 2008
Fritz Nelson of TechWeb TV interviews Mark Collier, CTO of SecureLogix, about the state of VOIP Security. Mark pegs denial-of-service attacks aimed at the underlying IP infrastructure as the greatest security threat to enterprise IP telephony at this point.
Let's go to the video:
Spoofing Caller-ID
Posted by Matt Brunk, Telecomworx | Mar 14, 2008
Back in February, I read Confessions of a Caller-ID Spoofer by Paul McNamara over at Network World.
Caller-ID spoofing is a “feature” in many telephony platforms.
Let me explain further. Showing the main billing number or master directory number listing on digital trunks for outbound calls is an old practice, but substituting the number for someone else isn’t. This is what McNamara points out in his article, and this substitution is perfectly legal today, probably because it wasn’t given any thought.
Future-Proofing for Security
Posted by Eric Krapf | Feb 22, 2008
Here's another great post by Dustin Trammell over at VOIPSA about a practical concern in ensuring VOIP security: The need for VOIP hardware to have enough processing power so it can be upgraded as security demands require.
How Secure Is VOIP?
Posted by Eric Krapf | Feb 19, 2008
Over at VOIPSA, Dustin Trammell offers a bleak assessment of VOIP Security in real-world products, basing his judgment on a recent Cisco advisory concerning a number of vulnerabilities.
SPIT Pre-Emption
Posted by Eric Krapf | Feb 4, 2008
Once again, via the invaluable VOIPSA, comes word that some IETF members are exploring a more formal effort to pre-emptively deal with the nascent problem of SPIT (spam over IP telephony), with a proposed BoF session at the next IETF meeting. Enterprises and their vendors should support any effort to have defenses in place for this next generation of spam.
SIP Security
Posted by Eric Krapf | Jan 24, 2008
As SIP continues to seep into the mainstream, more attention is being paid to security issues, especially in public IP networks/the Internet. At VoiceCon Orlando in March, we're bringing back Cullen Jennings and Eric Rescorla to once again give their "SIP Security" tutorial, which offers enterprises a jump on many of the key issues. And, via VOIPSA, I've discovered a trove of SIP-related and other Internet security presentations from the most recent ETSI Security Workshop (click on the Agenda link for the topics of each presentation).
5 VOIP Security Concerns for 2008
Posted by Eric Krapf | Jan 17, 2008
Sipera, a VOIP security company, has come out with its Top 5 VOIP Threat Predictions for 2008. Their top concern is denial-of-service attacks through SIP trunks and mobile infrastructures. This makes sense both in its own right, and because DoS attacks are a legitimate concern based on their effect on the underlying data network.
The Challenge of Filtering SPIT Traffic
Posted by Eric Krapf | Jan 17, 2008
Dan York presents a conundrum: Once VOIP has reached critical mass in the enterprise, how will you filter out SPIT (spam over IP telephony) while allowing legitimate traffic such as notifications to go through?
Hacking Cisco Phones
Posted by Eric Krapf | Dec 10, 2007
Lending some credence to the idea that VOIP hacking will increase in 2008 is the hacking of Cisco phones that occurred on a hotel network earlier this year (the exploit is described here). Cisco has now confirmed that this exploit is possible (Cisco's response is here).
More on VOIP Vulnerabilities: SANS
Posted by Eric Krapf | Dec 10, 2007
The SANS Institute has compiled its year-end list of security vulnerabilities, and there's quite a bit of detail on VOIP. Their suggestions for mitigation:
McAfee: More VOIP Security Woes for 2008
Posted by Eric Krapf | Dec 10, 2007
VOIP security makes McAfee's list of Top 10 Threat Predictions for 2008, taking the ninth spot based on McAfee's projection that VOIP attacks will increase 50% next year (link to the PDF is at VOIPSA).
Are Separate VLANs A Good Idea?
Posted by Eric Krapf | Dec 10, 2007
One of the gospel truths since the first IP voice packets were put on a data network is that you have to establish separate VLANs for voice and data traffic. But that piece of conventional wisdom may not be so wise.