Does Your VoIP System Play A Greeting Message For Hackers?
Most big companies have yet to install Internet-based phone systems, but many are considering it. Here's a warning for them: VoIP presents big security risks, a pair of Interop speakers said Thursday.
Most big companies have yet to install Internet-based phone systems, but many are considering it. Here's a warning for them: VoIP presents big security risks, a pair of Interop speakers said Thursday.Fuzzing, Footprinting, SIP Enumeration…familiar with these terms?
Better be, if you're moving to VoIP, according to David Endler, director of security research at TippingPoint, a developer of intrusion prevention systems. That's because the technology is becoming a sexy target for hackers. "It's what happens when an app comes to be considered a killer app," said Endler.
Fuzzing is a kind of denial of service attack in which a hacker sends malformed data packets to a VoIP system, causing it to crash. Footprinting is a technique that the black hatters employ to gather information about a VoIP network using search engines like Google.
Among other things, phone extensions for a corporate VoIP network can often be found on Google, Endler cautioned--great for a little social engineering. (BTW, I hate the term "social engineering." Let's call it what it is: Lying to people to get them to divulge information they otherwise wouldn't.)
Endler likened SIP enumeration--where hackers look for vulnerable ports on a network--to a burglar checking for unlocked doors on a house. Once inside, they can glean all sorts of valuable data from a VoIP system. Certain tools can even recreate conversations that took place on a VoIP network.
That's pretty handy if you want advance notice on, say, a big corporate merger.
At the same session, Mark Collier, CTO at VoIP management vendor SecureLogix, said the two biggest sellers of VoIP systems--Cisco and Avaya--could improve their security methods.
"Avaya could do a better job of not putting juicy things in TFTP files…like passwords," said Collier. VoIP users usually need to download those Trivial File Transfer Protocol files to set up their systems out of the box.
Collier also noted that the default settings on Avaya and Cisco systems leave many access services turned on. "That leaves it up to the user or integrator to make sure things are set up properly," said Collier.
VoIP systems can be vastly more flexible and economical than traditional corporate PBX phones. But here's the bottom line: if they're exposed to the Web, they require the same attention to security that other critical network systems receive.
VoIP security, said Collier, "is a real issue."
Collier and Endler operate a Web site devoted to VoIP security topics.
The Business of Going DigitalDigital business isn't about changing code; it's about changing what legacy sales, distribution, customer service, and product groups do in the new digital age. It's about bringing big data analytics, mobile, social, marketing automation, cloud computing, and the app economy together to launch new products and services. We're seeing new titles in this digital revolution, new responsibilities, new business models, and major shifts in technology spending.
What The Business Really Thinks Of IT: 3 Hard TruthsThey say perception is reality. If so, many in-house IT departments have reason to worry. InformationWeek's IT Perception Survey seeks to quantify how IT thinks it's doing versus how the business views IT's performance in delivering services - and, more important, powering innovation. The news isn't great.