Thread: Internet phones a hacking risk?

  1. #1
    Senior Member | Join Date: Jan 2005 | Posts: 217

    Internet phones a hacking risk?

    Source - http://money.cnn.com/2005/03/18/tech...ex.htm?cnn=yes
    Some Internet phone services allow scam artists to make it appear that they are calling from another phone number -- a useful trick that enables them to drain credit accounts and pose as banks or other trusted authorities, online fraud experts say.
    - For almost 2 years now I have been using VOIP (Phoneserve), and I have been aware of such problems arising from using it, like loss of minutes through some sort of technical problems, and other issues. The internet is getting old, and newer tricks pop up each day and threaten cyberspace, including services rendered through it.

    Internet worms that snarl online networks can render VOIP lines unusable, and experts at AT&T (Research) say VOIP conversations can be monitored or altered by outsiders.
    -Worm again.

    I guess Und3ertak3r's worm free internet idea that is really being prevented by BIG businesses really happening as of this moment...

    What can really be done to achieve an internet with fewer worms/viri, or better still, fewer scams? The biggest threat in developing more secure systems is identity verification, about which we receive more bad news every day regarding BOGUS accounts or entities that phish over cyberspace.

    Yo!
    "Life without FREEDOM is no life at all". - William Wallace
    MyhomE MyboX StealtH (loop n. see loop.)
    http://www.geocities.com/sebeneleben/SOTBMulti.gif

  2. #2
    MrLinus, Just a Virtualized Geek | Join Date: Sep 2001 | Location: Redondo Beach, CA | Posts: 7,323
    This is why you need to put security practises in place for VoIP. Ironically I just sent a new article off to phernandez for EnterpriseITPlanet on VoIP security and specifically referencing Security Considerations for Voice Over IP Systems (http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf). Quite good and narrows it down to nine specific points:

      1. Ensure that you have an adequate network design. (Have separate data and voice networks -- lag can be an issue)

      2. Do a risk analysis of the viability for using VoIP in your company and ensure you know all the benefits and costs as well as dangers. This is one of those no duh comments.

      3. You'll need to look at how to deal with emergency services (E911) since not all VoIP will identify where you are physically located and route the 9-1-1 call to the appropriate center. It's nice to get help.

      4. Ensure physical controls for VoIP components. Kinda helps to still have the boxes and networking components when making a call.

      5. Look at backup power supplies for VoIP. Kinda hard to call for help when the power goes out (remember that landlines are usually required by law (at least here they are) to have a separate power source (deemed an essential service)).

      6. Ensure you have appropriate security layers in place. Another no duh statement. Keep in mind that it's here that we'd use encryption, either IPSec or SSH tunnel or some other encryption layer

      7. Avoid using “softphones”. Like the one you're using, scratchONtheBOX.

      8. If you must use 802.11x, use WPA. Better than no security

      9. Pay a visit to the legal beagles about any potential laws or issues that the company needs to be aware of.


    A lot of the security has to be added afterwards since VoIP was designed at a time when security was an afterthought.

    As for worms, this can be mitigated by not using softphones. I'm sure someone will create something for the hardware based phones but that doesn't mean that we need to be susceptible to the every day crap.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    I myself would stay away from software phones on your computer and go with a Linksys hardware VoIP phone, and don't switch at all if you have DSL, because with DSL you can use your phone any time anyways. But if you have cable give it a try, but follow Mittens' safety guidelines.

  4. #4
    Senior Member | Join Date: Jan 2005 | Posts: 217

    Originally posted here by MsMittens
    This is why you need to put security practises in place for VoIP. Ironically I just sent a new article off to phernandez for EnterpriseITPlanet on VoIP security and specifically referencing Security Considerations for Voice Over IP Systems (http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf). Quite good and narrows it down to nine specific points:

      1. Ensure that you have an adequate network design. (Have separate data and voice networks -- lag can be an issue)

      2. Do a risk analysis of the viability for using VoIP in your company and ensure you know all the benefits and costs as well as dangers. This is one of those no duh comments.

      3. You'll need to look at how to deal with emergency services (E911) since not all VoIP will identify where you are physically located and route the 9-1-1 call to the appropriate center. It's nice to get help.

      4. Ensure physical controls for VoIP components. Kinda helps to still have the boxes and networking components when making a call.

      5. Look at backup power supplies for VoIP. Kinda hard to call for help when the power goes out (remember that landlines are usually required by law (at least here they are) to have a separate power source (deemed an essential service)).

      6. Ensure you have appropriate security layers in place. Another no duh statement. Keep in mind that it's here that we'd use encryption, either IPSec or SSH tunnel or some other encryption layer

      7. Avoid using “softphones”. Like the one you're using, scratchONtheBOX.

      8. If you must use 802.11x, use WPA. Better than no security

      9. Pay a visit to the legal beagles about any potential laws or issues that the company needs to be aware of.


    A lot of the security has to be added afterwards since VoIP was designed at a time when security was an afterthought.

    As for worms, this can be mitigated by not using softphones. I'm sure someone will create something for the hardware based phones but that doesn't mean that we need to be susceptible to the every day crap.

    - I'll remember this MsM... Thanks! And for other users of VoIP, better read the provider's terms of use carefully before making any moves, especially when doing transactions online (Credit/Debit Card) with the providers (because maybe it is not the provider at all that you are transacting with; too much phishing these days). As of now, I only pay on a cash basis for my VoIP services (as it is convenient to buy PREPAID cards for it). Just an additional thought: you'll experience some transmission delay while using VoIP, that's just how it is. Even on at least a 512Kbps DSL connection (in my case here).

    And michael737n,

    For the HARDWARE VoIP, I have heard news about it being used here already but I haven't had a chance to try it.

    Cheers!


  5. #5
    Senior Member | Join Date: Jul 2003 | Posts: 813
    Caller ID masquerading isn't anything new - almost anybody with a PBX can do it. As Mitnick said, institutions should not blindly believe whatever the CID tells them; as for private citizens, given that there still exist problems with opening unknown e-mail attachments, it will take some time until they come around to understanding what VoIP is all about.

    P.S. This is just one quick point; maybe if I have time later on I shall attempt to go on about some other aspects that I find relevant.
    /\
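
The point above, that the displayed caller ID should not be believed blindly, as an added example that is not part of the original thread: in SIP, a common VoIP signalling protocol, the From header is set by the caller, while P-Asserted-Identity (RFC 3325) is added by the network and only means something when it arrives from a peer you trust. The trusted-peer list, the sample message and all function names are assumptions made for illustration.

```python
import re

# Constructed sample INVITE (not captured traffic); numbers and hosts are made up.
SAMPLE_INVITE = (
    "INVITE sip:+15550100@bank.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bK776\r\n"
    'From: "First Bank" <sip:+15550199@voip.example>;tag=1928\r\n'
    "To: <sip:+15550100@bank.example>\r\n"
    "P-Asserted-Identity: <sip:+15550142@carrier.example>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 INVITE\r\n"
    "\r\n"
)

# Assumption: addresses of the carrier trunks this site has agreed to trust.
TRUSTED_PEERS = {"198.51.100.10"}


def parse_headers(message):
    """Return the SIP headers as a dict keyed by lower-cased header name."""
    headers = {}
    for line in message.split("\r\n")[1:]:   # skip the request line
        if not line:                          # blank line ends the headers
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers


def user_part(value):
    """Extract the user (number) from a sip: or sips: URI in a header value."""
    match = re.search(r"sips?:([^@>;]+)@", value or "")
    return match.group(1) if match else None


def assess_caller_id(message, source_ip):
    """Return (displayed_number, verdict) for one incoming INVITE."""
    headers = parse_headers(message)
    claimed = user_part(headers.get("from"))
    asserted = user_part(headers.get("p-asserted-identity"))
    if source_ip not in TRUSTED_PEERS or asserted is None:
        return claimed, "unverified"   # From is caller-supplied: a claim only
    if asserted != claimed:
        return claimed, "mismatch"     # shown number differs from asserted one
    return claimed, "asserted"         # vouched for by the trunk, still not proof
```

An "unverified" or "mismatch" verdict is a reason to fall back on a second check, such as calling back a number already on file, before acting on the call.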

  6. #6
    Senior Member | Join Date: Jan 2005 | Posts: 217

    Cheers!

    michael737n,

    About your signature as of this moment
    (Great I get negged for telling the truth that Mac is better than Windows. So much for free speech. Dang commies. You out of the gene pool --->)
    - Sometimes here in AO, people neg you not because of the idea that you have provided, but because of the attitude you are showing (you see, in this thread you didn't even say anything bad about VoIP [IMO, it is even encouraging], but because of your signature, someone negged you). I am not saying I am cool all the time, but "blending with the community" is the word; then you get smarter and feel happy after.

    For the thread AP givers, thanks guys! I am glad that more AO members would love to hear such comments.

    hypronix,
    Caller ID masquerading isn't anything new - almost anybody with a PBX can do it.
    - I had read an article about masking the caller ID, and it has a BIG impact in hindering the use of VoIP in more important fields like medicine and emergency situations (although globally, in my observation, it would be very hard to implement a CALLER-ID SYSTEM). I will give you 2 examples that I would like to point out:

    In Medicine

    A) A doctor with a regular patient keeps the contact in his mobile. Since VoIP may not support the CALLER-ID, the doctor could ignore that very important VoIP call.

    B) In a 911 situation, the operator would probably have a hard time pinpointing the exact location of the emergency, or would not even quickly verify the reliability of the call.

    These things, as MsM said, should be carefully studied and answered in the future coverage of VoIP.


  7. #7
    MrLinus, Just a Virtualized Geek | Join Date: Sep 2001 | Location: Redondo Beach, CA | Posts: 7,323
    This just highlights a bigger issue. It would appear that Vonage will have to deal with this:

    Source: Web service sued over consumer access to 911

    HOUSTON, Texas (AP) -- Texas sued the nation's largest Internet-based phone service provider Tuesday, saying Vonage failed to clearly inform customers they cannot automatically dial 911 when they sign up.

    The lawsuit follows a case last month when a 17-year-old Houston girl was unable to call 911 on her family's Vonage service during an armed robbery in which her parents were shot and wounded. The girl ran to a neighbor's home and called for help.

    The suit was filed under the Texas Deceptive Trade Practices Act and seeks to require Vonage Holdings Corp. to more clearly inform consumers that they must separately sign up for the 911 feature.

    "People find out too late that this service might not be available," Texas Attorney General Greg Abbott said at a news conference Tuesday attended by members of the family whose home was robbed.

    Vonage spokeswoman Brooke Schulz said customers are informed of the separate activation on two pages on the Internet registration form. She also said that e-mail notifications are sent to customers who fail to activate the emergency service.

    "We're at a loss as to what they want us to change, but we're open to any changes they want," Schulz said.

    Abbott wants Vonage to include the information in advertising and include a checkoff on the service agreement to make sure people know.

    He said information about the type of emergency service Vonage offers is found in the fine print on the Web site, but it is not explained on television commercials or brochures. Customers who sign up for service through call centers also are not told.

    The lawsuit seeks $20,000 per violation. Abbott said he did not know how many violations there would be.

    Edison, New Jersey-based Vonage has more than 500,000 subscribers.

  8. #8
    Senior Member | Join Date: Jan 2005 | Posts: 217

    Marketing

    Abbott wants Vonage to include the information in advertising and include a checkoff on the service agreement to make sure people know.
    - Most businesses promote their products this way. In marketing a product or service, most companies will not highlight disadvantages. So people who had no extra time to read the whole review about the product could end up dissatisfied afterwards (for not ordering the one with cheese and BIGGY SIZE fries and soda, I mean they just go for the REGULAR order 'coz it is cheaper).

    Customers who sign up for service through call centers also are not told.
    - I never wonder why. They (SALES PEOPLE) are trying to beat the clock and the sales quota, without realizing that these small things (forgetting to clarify 'other' terms) could end up as a BIGGER LOSS once the AGENDA leaks or the IDEA that it would affect daily life actually happens. Imagine how credit card companies close their deals with new customers, who eventually will cry over the 'hidden' interest schemes they have, and when PROBLEMS arise (unexpected amounts in the billing statement), the CC company will brag about computations and taxes, mostly misleading, just to avoid follow-ups and such. Well, 'nuff said on marketing ideas.

    This is indeed a BIGGER ISSUE, but not actually on the TECHNOLOGY side; it's about something else. That's it: the optional services are there, but the company fails to emphasize them, since customers might not buy the idea of an additional cost, and their aim is to show that VoIP is much much cheaper than the normal tel. line.

    Imagine what the majority of the 'more than 500,000 subscribers' would think now, knowing that the cheaper way of communication sometimes fails at its most important use - TO COMMUNICATE.

