[ISN] Voice Over IP Can Be Vulnerable To Hackers, Too

From: InfoSec News (isn@private)
Date: Fri May 14 2004 - 01:41:20 PDT

  • Next message: InfoSec News: "[ISN] Secunia Weekly Summary - Issue: 2004-20"

    http://www.informationweek.com/story/showArticle.jhtml?articleID=20300851
    
    By W. David Gardner
    TechWeb News
    May 13, 2004 
    
    As voice over IP sweeps across the high-tech landscape, many IT
    managers are being lulled into a dangerous complacency because they
    look upon Internet phoning as a relatively secure technology--not as
    an IP service susceptible to the same worms, viruses, and other
    pestilence that threatens all networked systems.
    
    "With VoIP," security specialist Mark Nagiel said Thursday in an
    interview, "we're inserting a new technology into an unsecured and
    unprotected environment. VoIP is essentially availability driven, not
    security driven, and that's the problem." But Nagiel, manager of
    security consulting at NEC Unified Solutions, said that there are
    measures that can be taken to protect voice over IP from the threats
    that confront Web telephoning.
    
    The first step--an obvious one, he says--is to secure existing TCP/IP
    networks. Nagiel is finding that the new government-required
    regulations--such as Sarbanes-Oxley, which stipulates improved
    accounting record-keeping, and HIPAA in health care--are helping IT
    managers because they impose security discipline across-the-board.  
    "The financial and health-care fields are getting secured very
    quickly," Nagiel said.
    
    Even so, there can be difficulties. He noted that although hospitals'
    protection of patient records generally has been excellent, they often
    neglect to completely secure physicians' conversations. Security
    managers can overlook the fact that voice over IP conversations can
    reside on servers that can be hacked.
    
    The traditional voice model utilized PBXs, which were stable and
    secure, Nagiel noted. If the voice over IP infrastructure isn't
    properly protected, it can easily be hacked and recorded calls can be
    eavesdropped. He says the networks utilized to transmit voice over
    IP--routers, servers, and even switches--are more susceptible to
    hacking than traditional telephony equipment.
    
    It's also relatively easy to launch an attack against a voice over IP
    network because the software tools available to hackers and others
    bent on invading a network are more available and easier to use. "And
    the exposure levels have gone up because there are so many nets," he
    said.
    
    What's the solution? "You need strong encryption over VoIP servers and
    VoIP client devices," Nagiel said. He observed that extensive
    encryption can slow down efficiency of networks, but encryption is a
    small price to pay to avoid denial-of-service attacks and invasions of
    networks. Another useful defense tactic is to use virtual LANs
    "whenever possible to separate traffic," according to Nagiel. In this
    way, transmitted data can be segregated into unique virtual LANs for
    data and voice transmission.
    
    However, Nagiel cautioned that security managers should resist using
    shared Ethernet network segments for voice.
    
    
    
    _________________________________________
    ISN mailing list
    Sponsored by: OSVDB.org
    



    This archive was generated by hypermail 2b30 : Fri May 14 2004 - 03:06:18 PDT