http://www.mercurynews.com/mld/mercurynews/13859672.htm By Jessie Seyfer Mercury News Feb. 13, 2006 The allure of Internet phone calling is understandable -- dirt-cheap calls to anywhere in the world, sound quality that's at times superior to the traditional land-line and the ability to take your phone number with you when you travel. But, buyer beware. These calls are just like any other form of digital communication, like e-mail, which can be hacked, spammed and saved on servers. While Internet calling programs from Skype and Vonage to Google and Yahoo are getting more and more popular, security experts warn that they're not as secure as your traditional land-line. ``Lots of people are ignoring the risks about it,'' said Rodney Thayer, a Mountain View security consultant. ``Sometimes there's absolutely no encryption. Someone could listen to your conversation. It's not clear that these services have been hardened so that no inappropriate activity could take place.'' Thayer is one of several experts who will be in San Jose this week for the RSA Conference at the McEnery Convention Center, which highlights just about every aspect of computer security -- data encryption, spam-blocking and anti-fraud methods, for example. Thayer will lead a daylong seminar on Internet phone-calling security. The conference comes on the heels of a national debate over President Bush's authorization of wiretaps without first obtaining a warrant, and a battle between Google and the Department of Justice over privacy. The Mountain View company is fighting a subpoena it received, as did Yahoo, America Online and Microsoft, asking them to provide information to the government about people's search habits. Adding more heat to the issue is an ongoing legal conflict between several Internet phone-calling providers -- as well as privacy advocates -- with the government over whether companies should be required to make it easy for law enforcement to conduct wiretaps over their networks. The providers argue that taking steps to make wiretapping easier will actually make networks more vulnerable to malicious attacks. Federal regulators believe Internet phone systems should follow the same rules as traditional ones, and should offer a standardized level of access to law enforcement. The matter remains before a federal appeals court. Spoken e-mail In thinking about the threats Internet callers may face, experts say it's helpful to think of the calls as spoken e-mails -- after all, they both consist of packets of data zipping across the Internet. Therefore, it's possible for Internet phone calls to be plagued by the same attacks that dog e-mail: Hackers listening to your calls, automated spam messages that call you, and so-called ``phishing'' requests -- phone messages that seek personal financial information from recipients with the intention of raiding their bank accounts. ``I think the next generation of spam is spam voice mail over VoIP,'' said Chris Rouland, chief technology officer at the Atlanta-based Internet Security Systems company, which supplies security for large phone networks and other businesses. VoIP stands for Voice Over Internet Protocol, and is the industry term for Internet phone-calling. At home, people using Internet phone calls should take the same precautions they do for Web and e-mail communications: ``Never accepting calls from people they don't know and don't trust. Never giving out personal information to strangers and people you don't trust,'' said Terrell Karlsten of Yahoo. Skype uses encryption, or hiding data with difficult-to-break codes, and Yahoo uses other methods, to protect conversations. Experts suggest anyone thinking of signing up for Internet calling services ask or make sure they're clear about a specific company's policy toward security and privacy. No spam yet So far, there have not been any major documented incidents of fraud or spamming from using Internet phone-calling. But while growing in popularity, Internet phone calling is still in its infancy. Eleven percent of American households will be using some form of Internet phone service by 2010, according to Forrester Research. Industry analysts at In-Stat reported that the number of people using the technology worldwide grew by 62 percent from 2004 to 2005. Cisco Systems, which makes routing and switching equipment that sends Internet data where it needs to go, believes businesses and Internet service providers should safeguard voice conversations for their staff and customers in the same way they can protect e-mail and instant messaging. ``Secure your phones, secure your routers, secure your VoIP call centers, secure your applications,'' said Jayshree Ullal, senior vice president of Cisco's DataCenter, Switching and Security Technology group. Securing the network Many security options can be installed on the computer network, rather than on people's individual desktop computers, Ullal said. Yet security experts say that if people want to listen to your Internet telephone conversations, they can. In fact, a simple Web search produced a site offering a program to do just that. The program is designed to break into networks and then capture the packets of data containing the conversation, and reconstruct them into an audio file. But the experts also point out that while it's possible for hackers to record conversations, it's unlikely that such attacks will occur randomly. Attacks are more likely to occur on office networks than home networks and are likely to involve conversations that will give hackers information they can sell. For businesses dealing with financial or legal transactions, additional protection is a must, said Kelli Long, of CallTower, a Utah company that sets up phone networks for businesses. ``From a consumer's perspective, if I'm out browsing the Internet and if I'm sending e-mails back and forth, I should expect basically the same amount of security for my voice calls, and at this point, probably even less,'' Long said. Saving conversations So what happens to Internet voice conversations once they're finished? Like any data, an Internet phone call can be saved. And there generally aren't any guidelines about who has a right to save what information. Yahoo's Instant Messaging service does not save conversations, nor does Skype's, according to representatives. ``Privacy is very important to our users,'' Yahoo's Karlsten said. ``We also have preventative measures we've implemented . . . detecting sending patterns and habits associated with spammers.'' Google would not release information about the security of its Google Talk application. But the terms of service for the program state: ``Google may access or disclose your personal information, including the content of your communications, if Google is required to do so in order to comply with any valid legal process or governmental request.'' Rouland admitted that rules around Internet phone calls are just starting to be developed, but the security concerns shouldn't scare people off from Internet phone-calling entirely. ``VoIP is a great application and we expect it to revolutionize the telephone systems today,'' he said. But right now, ``We're in a little bit of the Wild West.'' _________________________________ InfoSec News v2.0 - Coming Soon! http://www.infosecnews.org
This archive was generated by hypermail 2.1.3 : Mon Feb 13 2006 - 22:45:21 PST