[ISN] German security agency warns of VoIP security risks

From: InfoSec News (isn@private)
Date: Thu Oct 27 2005 - 00:10:58 PDT


http://www.computerworld.com/securitytopics/security/story/0,10801,105728,00.html

By John Blau
OCTOBER 26, 2005
IDG NEWS SERVICE

Germany's Federal Office for Security in Information Technology (BSI)
is warning businesses of potential security risks with voice-over-IP
(VoIP) technology, in a study presented at the Systems IT exhibition
and conference in Munich.

The VoIPSec report, released Monday at the opening of Systems,
appeared one day before Skype Technologies SA, one of the world's
largest providers of VoIP service, acknowledged critical flaws in its
software and urged users to upgrade to the latest version.

In its report, the BSI warned that although no spectacular attacks in
the business world have been reported yet, it's only a matter of time
before problems emerge.

The report lists 19 varieties of attacks on VoIP systems that can lead
to a number of security threats, such as identity theft, data
manipulation, transmission errors and incorrect billing. Also, VoIP
opens the door to the various forms of malicious software that can
spread wildly in data networks, such as viruses, worms and Trojan
horses, according to the report.

Authors of the VoIPSec study are urging companies to analyze where
they plan to implement VoIP, how crucial secure communication is to
that particular business process and what level of security can be
ensured. And although one of the biggest sales pitches of companies
supplying VoIP systems is the convergence of voice and data networks,
the authors are recommending a separation of IP voice and IP data
networks."

The study is available online in German [1].

In a panel discussion at the Systems conference, Manfred Fink,
president of Manfred Fink Security Consulting, urged businesses to be
aware of the hype surrounding VoIP. "Manufacturers are telling
businesses how they can save money by converging their voice and data
networks," he said. "But IT managers should be aware that the money
they may save in combining their IP voice and data networks could be
offset by the money they will need to spend to make these networks
secure."

Detlev Henze, a security expert in the IT security unit of the safety
control agency TUV Rheinland Group, urged users to move "very
carefully" in deploying VoIP technology, especially on a global basis.  
"It's best to start in small, closed user groups and to work closely
with security experts who are aware of the many potential risks
involved in VoIP," he said. "This is a moving target."

The Systems event runs through Friday.

[1] http://www.bsi.de/literat/studien/VoIP/index.htm



_________________________________________
InfoSec News v2.0 - Coming Soon! 
http://www.infosecnews.org 



This archive was generated by hypermail 2.1.3 : Thu Oct 27 2005 - 00:29:45 PDT