The InformationWeek -- Blogs

InformationWeek's Unified Communications Weblog

Topics:   Unified Communications

  • Email this page E-mail this page
  • Print this page Print this page
  • Bookmark and Share
  • icon

UC Security


Posted by Eric Krapf, Editor, Jun 27, 2008 09:21 AM

It's become conventional wisdom in the VoIP/IP telephony/UC security space that the major vulnerability for voice-over-IP traffic today remains the simple fact that it runs on IP infrastructures that may be the targets of attacks that have been plaguing data networks for years. In other words, all those exotic types of attacks with names like SPIT (spam over IP telephony); VOMIT (voice over misconfigured IP telephony); or eavesdropping via packet capture -- these have not yet materialized to any significant degree. But there is plenty of reason to stay vigilant when it comes to VoIP/UC security.

I'll break the types of threat down into three categories:

1.) New types of attacks unique to voice, along with voice-oriented versions of traditional attacks -- These include eavesdropping by capturing packets, or SPIT, which would consist of overwhelming an IP telephony line with voice messages, comparable with overwhelming an e-mail box with spam. As I noted above, these aren't really being considered a top threat today.

2.) Voice traffic as collateral damage in an IP network attack -- This is the second type of attack I described above, where an attack on a router brings down the entire IP network, let's say. Since the voice is riding on that network, it suffers the same fate as all the other traffic on the network.

3.) Traditional types of attacks aimed at VoIP/IP telephony systems -- This is yet another threat that hasn't materialized to a great extent in the wild yet, but probably ought to be taken more seriously as a near-term danger than category #1 above. This is, for example, when vulnerabilities to packet flooding and other types of DoS exploits are found within IP telephony gear such as IP-PBXs and related servers. A relatively new security company called VoIPShield has been making news by discovering these types of vulnerabilities in the most popular IP telephony systems, namely those from Avaya, Cisco, and Nortel.

I recently moderated a VoiceCon Webinar (replay here) in which Ted Ritter of Nemertes Research discussed some survey data Nemertes had gathered on the issue of security. Ted reported that:

  • 55% of respondents were concerned about denial-of-service attacks
  • 37% were concerned about eavesdropping
  • 36% were concerned about "vishing" or VoIP phishing, in which a hacker redirects packets from a business that takes credit card information from its customers over the phone, and sends the traffic to a phone he controls, permitting the hacker to steal the credit card information
  • 31% were concerned about toll fraud

    That's in today's environment. Ted Ritter, who's a CISSP, explained in the Webinar that the security threat will become more amorphous as enterprises migrate their IP telephony infrastructure to a Unified Communications implementation. As voice enablement moves into traditional "data" applications, the lines will blur and the notion of a security "perimeter" will further dissolve.

    Ted noted that many of the most important characteristics of UC -- openness, integration -- work against the technologies and principles of security, such as confidentiality. Specifically:

  • Encrypting all [UC] traffic ensures confidentiality, but it may negatively affect availability

  • A fully open [UC] architecture may ensure availability, but it may negatively affect confidentiality and integrity

  • Multifactor authentication with encryption may ensure integrity, but it may negatively affect availability

    « Second Life Artist Faces Setback in Struggle For American Citizenship | Main | Google Hears Your Complaints, Revamps Mobile Services Web Site »



    • Sign Up Now
    For InformationWeek News Alerts




    This is a public forum. United Business Media and its affiliates are not responsible for and do not control what is posted herein. United Business Media makes no warranties or guarantees concerning any advice dispensed by its staff members or readers.

    Community standards in this comment area do not permit hate language, excessive profanity, or other patently offensive language. Please be aware that all information posted to this comment area becomes the property of United Business Media LLC and may be edited and republished in print or electronic format as outlined in United Business Media's Terms of Service.

    Important Note: This comment area is NOT intended for commercial messages or solicitations of business.


     
     

    1. Detecting Scalability Problems With Intel Parallel Universe Portal
    2. Just Say No To SFAQL Parallelism
    3. QuickThread: A New C++ Multicore Library
    Join The InformationWeek Group On LinkedIn


                               


    1. Thoughts On The Motorola Droid
    2. Repurposing Quack Science
    3. Specs For Next Motorola Android Phone Leak
    4. Motorola Promises Fix For Droid's Goofy Camera

    1. Cisco Rolls Out iPhone Security App
    2. Review: Bluetooth Headsets For Mobile Pros
    3. Wolfe's Den: Intel CTO Envisions On-Chip Data Centers
    4. So Much Data, So Little Encryption
    5. Lessons Learned From PCI Compliance
    6. Practical Analysis: How Locked In To Vendors Are You?

     
      Ars Technica
    Boing Boing
    Channel 9 Forums
    CRN Blogs
    Dr.Dobb's Portal: Blogs
    Engadget
    Gizmodo
    GrokLaw     		  Lifehacker
    Schneier on Security
    Slashdot
    TechCrunch
    Techdirt
    Techmeme
    Valleywag
      DECEMBER 2008
    NOVEMBER 2008
    OCTOBER 2008
    SEPTEMBER 2008
    AUGUST 2008
    JULY 2008
    JUNE 2008
    MAY 2008     		  APRIL 2008
    MARCH 2008
    FEBRUARY 2008
    JANUARY 2008
    DECEMBER 2007
    NOVEMBER 2007
    OCTOBER 2007
    SEPTEMBER 2007