asterisk users - May 2004 - Fwd: [ISN] Voice Over IP Can Be Vulnerable To Hackers, Too

Hope this isn't too far OT, but its relevant to us. From isn.attrition.org


>http://www.informationweek.com/story/showArticle.jhtml?articleID=20300851
>
>By W. David Gardner
>TechWeb News
>May 13, 2004
>
>As voice over IP sweeps across the high-tech landscape, many IT
>managers are being lulled into a dangerous complacency because they
>look upon Internet phoning as a relatively secure technology--not as
>an IP service susceptible to the same worms, viruses, and other
>pestilence that threatens all networked systems.
>
>"With VoIP," security specialist Mark Nagiel said Thursday in an
>interview, "we're inserting a new technology into an unsecured and
>unprotected environment. VoIP is essentially availability driven, not
>security driven, and that's the problem." But Nagiel, manager of
>security consulting at NEC Unified Solutions, said that there are
>measures that can be taken to protect voice over IP from the threats
>that confront Web telephoning.
>
>The first step--an obvious one, he says--is to secure existing TCP/IP
>networks. Nagiel is finding that the new government-required
>regulations--such as Sarbanes-Oxley, which stipulates improved
>accounting record-keeping, and HIPAA in health care--are helping IT
>managers because they impose security discipline across-the-board.
>"The financial and health-care fields are getting secured very
>quickly," Nagiel said.
>
>Even so, there can be difficulties. He noted that although hospitals'
>protection of patient records generally has been excellent, they often
>neglect to completely secure physicians' conversations. Security
>managers can overlook the fact that voice over IP conversations can
>reside on servers that can be hacked.
>
>The traditional voice model utilized PBXs, which were stable and
>secure, Nagiel noted. If the voice over IP infrastructure isn't
>properly protected, it can easily be hacked and recorded calls can be
>eavesdropped. He says the networks utilized to transmit voice over
>IP--routers, servers, and even switches--are more susceptible to
>hacking than traditional telephony equipment.
>
>It's also relatively easy to launch an attack against a voice over IP
>network because the software tools available to hackers and others
>bent on invading a network are more available and easier to use. "And
>the exposure levels have gone up because there are so many nets," he
>said.
>
>What's the solution? "You need strong encryption over VoIP servers
and
>VoIP client devices," Nagiel said. He observed that extensive
>encryption can slow down efficiency of networks, but encryption is a
>small price to pay to avoid denial-of-service attacks and invasions of
>networks. Another useful defense tactic is to use virtual LANs
>"whenever possible to separate traffic," according to Nagiel. In
this
>way, transmitted data can be segregated into unique virtual LANs for
>data and voice transmission.
>
>However, Nagiel cautioned that security managers should resist using
>shared Ethernet network segments for voice.
>
>
>
>_________________________________________
>ISN mailing list
>Sponsored by: OSVDB.org

I'm sorry, but any IT Manager who looks "upon Internet phoning as a
relatively secure technology" doesn't deserve their job.. and any IT
Manager that doesn't realise that VoIP is "an IP service" and
hence susceptible to the "pestilence that threatens all networked
systems" should be shot where they stand


Andy



On 14/05/2004 at 14:57 tmpm wrote:
>Hope this isn't too far OT, but its relevant to us. From
isn.attrition.org
>
>
>
>>http://www.informationweek.com/story/showArticle.jhtml?articleID=20300851
>>
>>By W. David Gardner
>>TechWeb News
>>May 13, 2004
>>
>>As voice over IP sweeps across the high-tech landscape, many IT
>>managers are being lulled into a dangerous complacency because they
>>look upon Internet phoning as a relatively secure technology--not as
>>an IP service susceptible to the same worms, viruses, and other
>>pestilence that threatens all networked systems.
>>
>>"With VoIP," security specialist Mark Nagiel said Thursday in
an
>>interview, "we're inserting a new technology into an unsecured
and
>>unprotected environment. VoIP is essentially availability driven, not
>>security driven, and that's the problem." But Nagiel, manager
of
>>security consulting at NEC Unified Solutions, said that there are
>>measures that can be taken to protect voice over IP from the threats
>>that confront Web telephoning.
>>
>>The first step--an obvious one, he says--is to secure existing TCP/IP
>>networks. Nagiel is finding that the new government-required
>>regulations--such as Sarbanes-Oxley, which stipulates improved
>>accounting record-keeping, and HIPAA in health care--are helping IT
>>managers because they impose security discipline across-the-board.
>>"The financial and health-care fields are getting secured very
>>quickly," Nagiel said.
>>
<snip>

Folks seem to have forgotten that
the original hackers were hacking
"stable and secure" traditional PBXs 
with captain crunch whistles!

Mitnik ran wild through PBX's and mobille networks.

Let's work to set up secure VOIP, but 
don't let anyone kid you about the golden days when telephones were secure!


(for extra points, why's the hacker mag called 2600?)



tmpm <tmpm@softhome.net> wrote:
__________
>Hope this isn't too far OT, but its relevant to us. From
isn.attrition.org