The release in March of the WarVOX war dialing tool may attract attention to an area that might not have been receiving enough focus lately. At an abstract level, war dialing involves scanning a series of phone numbers to see what responds. In essence, that's not really very different from running a tool like nmap to scan a network for open ports. Reasons to run such a scan are not all that different either. It might be done as part of a security assessment, or by an attacker looking for a target. If you have deployed a VPN to reduce your dependence on modems for remote access, you might feel that your organization isn't exposed to much risk from war dialing. This highlights what is, in my opinion, one of the benefits of the 'buzz' generated by WarVOX. It is an opportunity to generate awareness. War dialing is a threat to much more than just unsecured modems that might give access to corporate networks. If you haven't read this presentation found on the WarVOX site, you should, since it provides insight into some of the potential uses of war dialing tools beyond simply the identification of modems and fax machines.
Hasler Hayes from Nortel's Security Governance & Compliance team joins us with a post which approaches Voice Security from a different perspective:
In this blog post we will discuss Voice Security from the viewpoint of its role in life line healthcare. This post was inspired by my 83-year-old mother's adventures with VoIP. Retired people are often very concerned with reducing the cost of their daily expenses, especially since they typically have a very limited pension income to live on. They seek every opportunity to reduce the cost of their basic necessities so they are able to support themselves better. This led my mother to replace her traditional voice service with a newer, cheaper voice service (VoIP, but she never knew that). As her son, one unexpected benefit that I saw was the self-image boost she got by being in tune with the technology world, besides saving money.
Another post from Jeff Lewis with some thoughts on Voice Security.
In December, I had the opportunity to speak at a Secure Trunks seminar hosted locally here in Ottawa. During the Q&A, some interesting questions about voice security in general were raised. Today, I will address them here in the interest of sharing the answers with everyone who may be curious about them, and perhaps to initiate a discussion on them.
Q: How real are voice security threats?
A: I think this is a fascinating question to answer. One of the reasons it is so interesting is because the industry is on the cusp of moving over from traditional TDM technology to IP-based voice systems. It is a fairly significant and fundamental change to the way we will communicate. It is useful to draw a parallel to the personal computer security industry, during the early days of their adoption. They too were a fundamentally different way of communicating. Computer viruses were something we had 'heard' about, but how real a problem were they? Without widespread deployment of malware detection and mitigation tools, the scope of the problem was largely unknown. We knew it existed, but couldn't set an accurate boundary to the size of it. Fast forward to where we are today. According to Symantec, there were 500,000 new threats introduced in the second half of 2007 alone. Now that so many PCs connected to the internet have some form of malware detection capabilities, we have a much better picture of the scope of the problem.
After a brief hiatus the Voice Security Blog has returned. We once again welcome Eric Winsborrow, the Chief Marketing Officer of Sipera Systems. This post is based on an article he originally wrote for SC Magazine in June 2008, and is the second of two parts detailing how a real VoIP exploit can lead to the loss of confidential data. ... Lawrence
Exploiting VoIP Vulnerabilities - Part 1/2
In we covered some basic background on VoIP exploits, as well as detailed the first 2 steps in a fuzzing based buffer overflow attack using the SIP protocol. Today, we’ll continue looking at this attack including some mitigation techniques. Let’s start where we left off – at executing remote shell code.
Jeff Lewis is back with a post on TDM Voice Systems -- Lawrence
A colleague of mine just tipped me off on a fantastic article written by Vassilis Prevelakis and Diomidis Spinellis over at the IEEE Spectrum Online. It is an absolutely enthralling read about a real-life example of voice systems espionage, and I highly recommend it. Voice security is increasingly being associated with VoIP and Unified Communications. What is being called the “Greek Watergate” shows us quite clearly that legacy TDM systems are just as much at risk, and always have been. But it also shows us that there are individuals that are capable of attacks at a level of sophistication we may find surprising, alarming and downright frightening.
I sit writing this in the airport lounge in Toronto on the way to the Nortel Tech Conference in Orlando. What strikes me is the number of connected road warriors that surround me – connected at least in a data sense. I begin to wonder if the growing concern with the environment and the recent spike in gasoline prices will have an impact on business travel. I know many companies are asking themselves how they can support the road warrior to help diminish costs associated with travel. In fact, enabling the road warrior is not all that different from enabling the teleworker. One key business driver is the productivity enhancement that comes with an enterprise voice solution that allows an employee to transition from the office, to the home and to the road. An enterprise communications system must support employee mobility and remote workers seamlessly, in order to maintain productivity.