Interop
Commentary
5/24/2007
04:35 PM
Paul McDougall

Does Your VoIP System Play A Greeting Message For Hackers?

Most big companies have yet to install Internet-based phone systems, but many are considering it. Here's a warning for them: VoIP presents big security risks, a pair of Interop speakers said Thursday.

Fuzzing, Footprinting, SIP Enumeration…familiar with these terms?

Better be, if you're moving to VoIP, according to David Endler, director of security research at TippingPoint, a developer of intrusion prevention systems. That's because the technology is becoming a sexy target for hackers. "It's what happens when an app comes to be considered a killer app," said Endler.

Fuzzing is a kind of denial of service attack in which a hacker sends malformed data packets to a VoIP system, causing it to crash. Footprinting is a technique that the black hatters employ to gather information about a VoIP network using search engines like Google.

Among other things, phone extensions for a corporate VoIP network can often be found on Google, Endler cautioned--great for a little social engineering. (BTW, I hate the term "social engineering." Let's call it what it is: Lying to people to get them to divulge information they otherwise wouldn't.)

Endler likened SIP enumeration--where hackers look for vulnerable ports on a network--to a burglar checking for unlocked doors on a house. Once inside, they can glean all sorts of valuable data from a VoIP system. Certain tools can even recreate conversations that took place on a VoIP network.

That's pretty handy if you want advance notice on, say, a big corporate merger.

At the same session, Mark Collier, CTO at VoIP management vendor SecureLogix, said the two biggest sellers of VoIP systems--Cisco and Avaya--could improve their security methods.

"Avaya could do a better job of not putting juicy things in TFTP files…like passwords," said Collier. VoIP users usually need to download those Trivial File Transfer Protocol files to set up their systems out of the box.

Collier also noted that the default settings on Avaya and Cisco systems leave many access services turned on. "That leaves it up to the user or integrator to make sure things are set up properly," said Collier.

VoIP systems can be vastly more flexible and economical than traditional corporate PBX phones. But here's the bottom line: if they're exposed to the Web, they require the same attention to security that other critical network systems receive.

VoIP security, said Collier, "is a real issue."

Collier and Endler operate a Web site devoted to VoIP security topics.
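Fuzzing, as described earlier in this article, succeeds when a VoIP parser trusts malformed packets. The following is an added example, not code from the article, the speakers or any vendor: a strict SIP request check in Python that answers anything malformed with a 400 instead of crashing. The size limits, the ASCII-only and no-folded-header restrictions, and all names are assumptions of this example.

```python
import re

# Limits are constructed for this example, not taken from any vendor's product.
MAX_DATAGRAM, MAX_HEADERS, MAX_LINE = 8192, 64, 1024
METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER"}  # RFC 3261 methods
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id", "l": "content-length"}
REQUIRED = {"via", "from", "to", "call-id", "cseq", "max-forwards"}
START_LINE = re.compile(r"([A-Z]+) (sips?:[\x21-\x7e]+) SIP/2\.0")
HEADER = re.compile(r"([A-Za-z0-9.!%*_+`'~-]+)[ \t]*:[ \t]*([^\r\n]*)")

class SipParseError(ValueError): """Any input the parser refuses; mapped to a 400."""

def parse_sip_request(datagram: bytes) -> dict:
    head, sep, body = datagram.partition(b"\r\n\r\n")
    if len(datagram) > MAX_DATAGRAM or not sep or not head.isascii():
        raise SipParseError("oversized, unterminated or non-ASCII message")
    lines = head.decode("ascii").split("\r\n")
    if len(lines) > MAX_HEADERS or any(len(x) > MAX_LINE for x in lines):
        raise SipParseError("too many or too long header lines")
    start = START_LINE.fullmatch(lines[0])
    if not start or start.group(1) not in METHODS:
        raise SipParseError("bad request line")
    headers = {}
    for line in lines[1:]:  # folded continuation lines are rejected (simplification)
        m = HEADER.fullmatch(line)
        if not m:
            raise SipParseError("bad header line")
        name = m.group(1).lower()
        headers.setdefault(COMPACT.get(name, name), m.group(2))
    if REQUIRED - headers.keys():
        raise SipParseError("missing mandatory header")
    cseq = re.fullmatch(r"([0-9]{1,10})[ \t]+([A-Z]+)", headers["cseq"])
    if not cseq or int(cseq.group(1)) >= 2**31 or cseq.group(2) != start.group(1):
        raise SipParseError("bad CSeq")
    length = headers.get("content-length", str(len(body)))
    if not re.fullmatch(r"[0-9]{1,5}", length) or int(length) > len(body):
        raise SipParseError("Content-Length does not fit the datagram")
    return {"method": start.group(1), "uri": start.group(2),
            "headers": headers, "body": body[:int(length)]}

def handle(datagram: bytes) -> int:  # status code a server would answer with
    try:
        parse_sip_request(datagram)
    except SipParseError:
        return 400
    return 200

# Constructed sample: Content-Length claims more body than the datagram carries.
SAMPLE = (b"OPTIONS sip:1001@pbx.example.test SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.10\r\n"
          b"Max-Forwards: 70\r\nf: <sip:a@example.test>\r\nt: <sip:1001@pbx.example.test>\r\n"
          b"i: c1@192.0.2.10\r\nCSeq: 1 OPTIONS\r\nl: 4096\r\n\r\n")
```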
