Strategies to secure VoIP nets

Eye on the Carriers By Johna Till Johnson, Network World, 07/24/06

You've probably already heard about the latest VoIP scam: vishing.

It works as follows: An unwary user gets an e-mail (or an automated phone call) advising him that his credit card is displaying fraudulent activity, and warning him to call a phone number immediately. It's answered by a computer-generated voice instructing him to enter the credit card number and other identifying details (security code or user's date of birth).

The VoIP-specific part of the scam has to do with the phone number. Unlike with traditional telephony, it's fairly straightforward for a potential scammer to obtain an 800 or local number, set up the system and start collecting credit card numbers. With traditional telephony, phone companies typically confirm a business is legitimate and assign local numbers only to companies with physical facilities in a specific geography.

Vishing's just the latest VoIP security horror story. As Network World reported last week, VoIP systems - including the well-known open source package Asterisk - can be vulnerable to distributed denial-of-service (DoS) attacks, which demolish a company's ability to make or receive calls.

And of course there's the well-known FoIP (fraud over IP) case in which two men hacked into corporate and service provider networks and routed an estimated 10 million minutes of calls through them, leaving the victims paying as much as $300,000 apiece in interconnect fees. Such cases are on the rise.

What should companies do to protect themselves against the new security threats and vulnerabilities posed by VoIP? For starters, make sure there's someone on staff who explicitly assumes responsibility for VoIP security. This may sound obvious to some, but you wouldn't believe how often the voice folks assume VoIP security is the responsibility of the security folks, while the security team assumes the opposite. If it's the least bit unclear who's responsible, sort it out right away.

The next step: Assess your vulnerabilities and concerns. Corporate VoIP threats fall into four main categories: availability, privacy, theft of service and gaining access to sensitive information. Availability refers to vulnerability to distributed DoS or other attacks that can take the VoIP system offline. Privacy has to do with the ability to tap into VoIP calls. Theft of service, of course, has to do with a system's vulnerability to abuse, such as the FoIP scam noted above. And on the last issue, consider the corporate version of vishing: A hacker modifies the caller ID portion of a VoIP call to read "IT Department," then calls Mr. Bigshot's secretary and asks for Mr. Bigshot's passwords under some pretext or other. The secretary, believing she's speaking to the IT department, readily complies with the hacker's request.

Finally, address each threat specifically. To ensure availability, make sure general distributed DoS protections are in place and use IP PBXs based on hardened operating systems. To ensure privacy, use appropriate encryption. Protecting against theft of service or the release of sensitive information requires training and accurate call monitoring.
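As an added illustration of the "accurate call monitoring" the column calls for (example code written for this article, not from Network World or any PBX vendor), the following script runs two detection rules over a few constructed call-detail records: one flags calls arriving on an external trunk whose caller ID claims an internal identity such as "IT Department", the other flags a source that runs up more international minutes in an hour than a legitimate user plausibly could, the pattern behind the FoIP case. The extension range, trunk names, privileged names and the 60-minutes-per-hour threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed call-detail records (CDRs), not real data. The fields mirror what
# an IP PBX typically logs: timestamp, trunk the call arrived on, caller-ID name
# and number, dialled number, and duration in seconds.
CDRS = [
    {"ts": "2006-07-24T09:02:00", "trunk": "internal", "cid_name": "IT Department",
     "cid_num": "4101", "dst": "4210", "secs": 120},                 # genuine internal call
    {"ts": "2006-07-24T09:15:00", "trunk": "sip-carrier-1", "cid_name": "IT Department",
     "cid_num": "4101", "dst": "4210", "secs": 300},                 # outside call claiming to be IT
    {"ts": "2006-07-24T02:10:00", "trunk": "sip-carrier-1", "cid_name": "",
     "cid_num": "+15550100", "dst": "011442071234567", "secs": 3600},
    {"ts": "2006-07-24T02:15:00", "trunk": "sip-carrier-1", "cid_name": "",
     "cid_num": "+15550100", "dst": "011442071234568", "secs": 3600},
    {"ts": "2006-07-24T02:20:00", "trunk": "sip-carrier-1", "cid_name": "",
     "cid_num": "+15550100", "dst": "011442071234569", "secs": 3600},
]

PRIVILEGED_NAMES = {"it department", "help desk", "security"}  # assumption: names no outside caller may claim
INTERNAL_EXT = range(4000, 5000)                               # assumption: the site's internal extension block
INTL_PREFIX = "011"                                            # international dial prefix (North American plan)
INTL_MINUTES_PER_HOUR = 60                                     # assumption: toll-fraud threshold per source per hour


def is_internal_number(num):
    """True if the caller-ID number lies inside the internal extension block."""
    return num.isdigit() and int(num) in INTERNAL_EXT


def find_spoofed_caller_id(cdrs):
    """Calls on an external trunk whose caller ID claims an internal identity."""
    hits = []
    for c in cdrs:
        if c["trunk"] == "internal":
            continue  # internal calls may legitimately carry internal names/numbers
        if c["cid_name"].lower() in PRIVILEGED_NAMES or is_internal_number(c["cid_num"]):
            hits.append(c)
    return hits


def find_toll_fraud(cdrs):
    """(source, hour) pairs whose international minutes exceed the threshold."""
    minutes = defaultdict(float)
    for c in cdrs:
        if c["dst"].startswith(INTL_PREFIX):
            hour = datetime.fromisoformat(c["ts"]).strftime("%Y-%m-%dT%H")
            minutes[(c["cid_num"], hour)] += c["secs"] / 60
    return {key: m for key, m in minutes.items() if m > INTL_MINUTES_PER_HOUR}
```

On the sample above the first rule returns only the 09:15 call, and the second returns the +15550100 source with 180 international minutes in the 02:00 hour; in practice the same rules would run over the PBX's exported CDRs on a schedule, with hits routed to whoever owns VoIP security.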

The bottom line? VoIP security threats are here today - but so are the tools and techniques for combating them.