Does Your VoIP System Play A Greeting Message For Hackers?
Most big companies have yet to install Internet-based phone systems, but many are considering it. Here's a warning for them: VoIP presents big security risks, a pair of Interop speakers said Thursday.
Fuzzing, Footprinting, SIP Enumeration…familiar with these terms?
Better be, if you're moving to VoIP, according to David Endler, director of security research at TippingPoint, a developer of intrusion prevention systems. That's because the technology is becoming a sexy target for hackers. "It's what happens when an app comes to be considered a killer app," said Endler.
Fuzzing is a kind of denial-of-service attack in which a hacker sends malformed data packets to a VoIP system, causing it to crash. Footprinting is a technique that the black hatters employ to gather information about a VoIP network using search engines like Google.
Among other things, phone extensions for a corporate VoIP network can often be found on Google, Endler cautioned--great for a little social engineering. (BTW, I hate the term "social engineering." Let's call it what it is: Lying to people to get them to divulge information they otherwise wouldn't.)
Endler likened SIP enumeration--where hackers look for vulnerable ports on a network--to a burglar checking for unlocked doors on a house. Once inside, they can glean all sorts of valuable data from a VoIP system. Certain tools can even recreate conversations that took place on a VoIP network.
That's pretty handy if you want advance notice on, say, a big corporate merger.
At the same session, Mark Collier, CTO at VoIP management vendor SecureLogix, said the two biggest sellers of VoIP systems--Cisco and Avaya--could improve their security methods.
"Avaya could do a better job of not putting juicy things in TFTP files…like passwords," said Collier. VoIP users usually need to download those Trivial File Transfer Protocol files to set up their systems out of the box.
Collier also noted that the default settings on Avaya and Cisco systems leave many access services turned on. "That leaves it up to the user or integrator to make sure things are set up properly," said Collier.
VoIP systems can be vastly more flexible and economical than traditional corporate PBX phones. But here's the bottom line: if they're exposed to the Web, they require the same attention to security that other critical network systems receive.
VoIP security, said Collier, "is a real issue."
Collier and Endler operate a Web site devoted to VoIP security topics.